1/* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/state_machine.h" 14#include "utils/bitfield.h" 15#include "common/ieee802_11_defs.h" 16#include "crypto/aes.h" 17#include "crypto/aes_wrap.h" 18#include "crypto/aes_siv.h" 19#include "crypto/crypto.h" 20#include "crypto/sha1.h" 21#include "crypto/sha256.h" 22#include "crypto/random.h" 23#include "eapol_auth/eapol_auth_sm.h" 24#include "ap_config.h" 25#include "ieee802_11.h" 26#include "wpa_auth.h" 27#include "pmksa_cache_auth.h" 28#include "wpa_auth_i.h" 29#include "wpa_auth_ie.h" 30 31#define STATE_MACHINE_DATA struct wpa_state_machine 32#define STATE_MACHINE_DEBUG_PREFIX "WPA" 33#define STATE_MACHINE_ADDR sm->addr 34 35 36static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 37static int wpa_sm_step(struct wpa_state_machine *sm); 38static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 39 size_t data_len); 40#ifdef CONFIG_FILS 41static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 42 u8 *buf, size_t buf_len, u16 *_key_data_len); 43#endif /* CONFIG_FILS */ 44static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 45static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 46 struct wpa_group *group); 47static void wpa_request_new_ptk(struct wpa_state_machine *sm); 48static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 49 struct wpa_group *group); 50static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 51 struct wpa_group *group); 52static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 53 const u8 *pmk, unsigned int pmk_len, 54 struct wpa_ptk *ptk); 55static void wpa_group_free(struct wpa_authenticator *wpa_auth, 56 struct wpa_group *group); 57static void wpa_group_get(struct wpa_authenticator *wpa_auth, 58 struct wpa_group *group); 59static void wpa_group_put(struct wpa_authenticator *wpa_auth, 60 struct wpa_group *group); 61static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); 62 63static const u32 eapol_key_timeout_first = 100; /* ms */ 64static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 65static const u32 eapol_key_timeout_first_group = 500; /* ms */ 66 67/* TODO: make these configurable */ 68static const int dot11RSNAConfigPMKLifetime = 43200; 69static const int dot11RSNAConfigPMKReauthThreshold = 70; 70static const int dot11RSNAConfigSATimeout = 60; 71 72 73static inline int wpa_auth_mic_failure_report( 74 struct wpa_authenticator *wpa_auth, const u8 *addr) 75{ 76 if (wpa_auth->cb->mic_failure_report) 77 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr); 78 return 0; 79} 80 81 82static inline void wpa_auth_psk_failure_report( 83 struct wpa_authenticator *wpa_auth, const u8 *addr) 84{ 85 if (wpa_auth->cb->psk_failure_report) 86 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr); 87} 88 89 90static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 91 const u8 *addr, wpa_eapol_variable var, 92 int value) 93{ 94 if (wpa_auth->cb->set_eapol) 95 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value); 96} 97 98 99static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 100 const u8 *addr, wpa_eapol_variable var) 101{ 102 if (wpa_auth->cb->get_eapol == NULL) 103 return -1; 104 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var); 105} 106 107 108static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 109 const u8 *addr, 110 const u8 *p2p_dev_addr, 111 const u8 *prev_psk) 112{ 113 if (wpa_auth->cb->get_psk == NULL) 114 return NULL; 115 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr, 116 prev_psk); 117} 118 119 120static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 121 const u8 *addr, u8 *msk, size_t *len) 122{ 123 if (wpa_auth->cb->get_msk == NULL) 124 return -1; 125 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len); 126} 127 128 129static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 130 int vlan_id, 131 enum wpa_alg alg, const u8 *addr, int idx, 132 u8 *key, size_t key_len) 133{ 134 if (wpa_auth->cb->set_key == NULL) 135 return -1; 136 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, 137 key, key_len); 138} 139 140 141static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 142 const u8 *addr, int idx, u8 *seq) 143{ 144 if (wpa_auth->cb->get_seqnum == NULL) 145 return -1; 146 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq); 147} 148 149 150static inline int 151wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 152 const u8 *data, size_t data_len, int encrypt) 153{ 154 if (wpa_auth->cb->send_eapol == NULL) 155 return -1; 156 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len, 157 encrypt); 158} 159 160 161#ifdef CONFIG_MESH 162static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 163 const u8 *addr) 164{ 165 if (wpa_auth->cb->start_ampe == NULL) 166 return -1; 167 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr); 168} 169#endif /* CONFIG_MESH */ 170 171 172int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 173 int (*cb)(struct wpa_state_machine *sm, void *ctx), 174 void *cb_ctx) 175{ 176 if (wpa_auth->cb->for_each_sta == NULL) 177 return 0; 178 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx); 179} 180 181 182int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 183 int (*cb)(struct wpa_authenticator *a, void *ctx), 184 void *cb_ctx) 185{ 186 if (wpa_auth->cb->for_each_auth == NULL) 187 return 0; 188 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx); 189} 190 191 192void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 193 logger_level level, const char *txt) 194{ 195 if (wpa_auth->cb->logger == NULL) 196 return; 197 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt); 198} 199 200 201void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 202 logger_level level, const char *fmt, ...) 203{ 204 char *format; 205 int maxlen; 206 va_list ap; 207 208 if (wpa_auth->cb->logger == NULL) 209 return; 210 211 maxlen = os_strlen(fmt) + 100; 212 format = os_malloc(maxlen); 213 if (!format) 214 return; 215 216 va_start(ap, fmt); 217 vsnprintf(format, maxlen, fmt, ap); 218 va_end(ap); 219 220 wpa_auth_logger(wpa_auth, addr, level, format); 221 222 os_free(format); 223} 224 225 226static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 227 const u8 *addr) 228{ 229 if (wpa_auth->cb->disconnect == NULL) 230 return; 231 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr)); 232 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, 233 WLAN_REASON_PREV_AUTH_NOT_VALID); 234} 235 236 237static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 238{ 239 int ret = 0; 240#ifdef CONFIG_IEEE80211R_AP 241 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 242 ret = 1; 243#endif /* CONFIG_IEEE80211R_AP */ 244#ifdef CONFIG_IEEE80211W 245 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 246 ret = 1; 247#endif /* CONFIG_IEEE80211W */ 248 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) 249 ret = 1; 250 return ret; 251} 252 253 254static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 255{ 256 struct wpa_authenticator *wpa_auth = eloop_ctx; 257 258 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 259 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 260 "initialization."); 261 } else { 262 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 263 wpa_hexdump_key(MSG_DEBUG, "GMK", 264 wpa_auth->group->GMK, WPA_GMK_LEN); 265 } 266 267 if (wpa_auth->conf.wpa_gmk_rekey) { 268 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 269 wpa_rekey_gmk, wpa_auth, NULL); 270 } 271} 272 273 274static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 275{ 276 struct wpa_authenticator *wpa_auth = eloop_ctx; 277 struct wpa_group *group, *next; 278 279 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 280 group = wpa_auth->group; 281 while (group) { 282 wpa_group_get(wpa_auth, group); 283 284 group->GTKReKey = TRUE; 285 do { 286 group->changed = FALSE; 287 wpa_group_sm_step(wpa_auth, group); 288 } while (group->changed); 289 290 next = group->next; 291 wpa_group_put(wpa_auth, group); 292 group = next; 293 } 294 295 if (wpa_auth->conf.wpa_group_rekey) { 296 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 297 0, wpa_rekey_gtk, wpa_auth, NULL); 298 } 299} 300 301 302static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 303{ 304 struct wpa_authenticator *wpa_auth = eloop_ctx; 305 struct wpa_state_machine *sm = timeout_ctx; 306 307 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 308 wpa_request_new_ptk(sm); 309 wpa_sm_step(sm); 310} 311 312 313static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 314{ 315 if (sm->pmksa == ctx) 316 sm->pmksa = NULL; 317 return 0; 318} 319 320 321static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 322 void *ctx) 323{ 324 struct wpa_authenticator *wpa_auth = ctx; 325 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 326} 327 328 329static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 330 struct wpa_group *group) 331{ 332 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 333 u8 rkey[32]; 334 unsigned long ptr; 335 336 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 337 return -1; 338 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 339 340 /* 341 * Counter = PRF-256(Random number, "Init Counter", 342 * Local MAC Address || Time) 343 */ 344 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 345 wpa_get_ntp_timestamp(buf + ETH_ALEN); 346 ptr = (unsigned long) group; 347 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 348 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 349 return -1; 350 351 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 352 group->Counter, WPA_NONCE_LEN) < 0) 353 return -1; 354 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 355 group->Counter, WPA_NONCE_LEN); 356 357 return 0; 358} 359 360 361static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 362 int vlan_id, int delay_init) 363{ 364 struct wpa_group *group; 365 366 group = os_zalloc(sizeof(struct wpa_group)); 367 if (group == NULL) 368 return NULL; 369 370 group->GTKAuthenticator = TRUE; 371 group->vlan_id = vlan_id; 372 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 373 374 if (random_pool_ready() != 1) { 375 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 376 "for secure operations - update keys later when " 377 "the first station connects"); 378 } 379 380 /* 381 * Set initial GMK/Counter value here. The actual values that will be 382 * used in negotiations will be set once the first station tries to 383 * connect. This allows more time for collecting additional randomness 384 * on embedded devices. 385 */ 386 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 387 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 388 "initialization."); 389 os_free(group); 390 return NULL; 391 } 392 393 group->GInit = TRUE; 394 if (delay_init) { 395 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 396 "until Beacon frames have been configured"); 397 /* Initialization is completed in wpa_init_keys(). */ 398 } else { 399 wpa_group_sm_step(wpa_auth, group); 400 group->GInit = FALSE; 401 wpa_group_sm_step(wpa_auth, group); 402 } 403 404 return group; 405} 406 407 408/** 409 * wpa_init - Initialize WPA authenticator 410 * @addr: Authenticator address 411 * @conf: Configuration for WPA authenticator 412 * @cb: Callback functions for WPA authenticator 413 * Returns: Pointer to WPA authenticator data or %NULL on failure 414 */ 415struct wpa_authenticator * wpa_init(const u8 *addr, 416 struct wpa_auth_config *conf, 417 const struct wpa_auth_callbacks *cb, 418 void *cb_ctx) 419{ 420 struct wpa_authenticator *wpa_auth; 421 422 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 423 if (wpa_auth == NULL) 424 return NULL; 425 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 426 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 427 wpa_auth->cb = cb; 428 wpa_auth->cb_ctx = cb_ctx; 429 430 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 431 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 432 os_free(wpa_auth); 433 return NULL; 434 } 435 436 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 437 if (wpa_auth->group == NULL) { 438 os_free(wpa_auth->wpa_ie); 439 os_free(wpa_auth); 440 return NULL; 441 } 442 443 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 444 wpa_auth); 445 if (wpa_auth->pmksa == NULL) { 446 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 447 os_free(wpa_auth->group); 448 os_free(wpa_auth->wpa_ie); 449 os_free(wpa_auth); 450 return NULL; 451 } 452 453#ifdef CONFIG_IEEE80211R_AP 454 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 455 if (wpa_auth->ft_pmk_cache == NULL) { 456 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 457 os_free(wpa_auth->group); 458 os_free(wpa_auth->wpa_ie); 459 pmksa_cache_auth_deinit(wpa_auth->pmksa); 460 os_free(wpa_auth); 461 return NULL; 462 } 463#endif /* CONFIG_IEEE80211R_AP */ 464 465 if (wpa_auth->conf.wpa_gmk_rekey) { 466 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 467 wpa_rekey_gmk, wpa_auth, NULL); 468 } 469 470 if (wpa_auth->conf.wpa_group_rekey) { 471 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 472 wpa_rekey_gtk, wpa_auth, NULL); 473 } 474 475#ifdef CONFIG_P2P 476 if (WPA_GET_BE32(conf->ip_addr_start)) { 477 int count = WPA_GET_BE32(conf->ip_addr_end) - 478 WPA_GET_BE32(conf->ip_addr_start) + 1; 479 if (count > 1000) 480 count = 1000; 481 if (count > 0) 482 wpa_auth->ip_pool = bitfield_alloc(count); 483 } 484#endif /* CONFIG_P2P */ 485 486 return wpa_auth; 487} 488 489 490int wpa_init_keys(struct wpa_authenticator *wpa_auth) 491{ 492 struct wpa_group *group = wpa_auth->group; 493 494 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 495 "keys"); 496 wpa_group_sm_step(wpa_auth, group); 497 group->GInit = FALSE; 498 wpa_group_sm_step(wpa_auth, group); 499 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 500 return -1; 501 return 0; 502} 503 504 505/** 506 * wpa_deinit - Deinitialize WPA authenticator 507 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 508 */ 509void wpa_deinit(struct wpa_authenticator *wpa_auth) 510{ 511 struct wpa_group *group, *prev; 512 513 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 514 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 515 516 pmksa_cache_auth_deinit(wpa_auth->pmksa); 517 518#ifdef CONFIG_IEEE80211R_AP 519 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 520 wpa_auth->ft_pmk_cache = NULL; 521#endif /* CONFIG_IEEE80211R_AP */ 522 523#ifdef CONFIG_P2P 524 bitfield_free(wpa_auth->ip_pool); 525#endif /* CONFIG_P2P */ 526 527 528 os_free(wpa_auth->wpa_ie); 529 530 group = wpa_auth->group; 531 while (group) { 532 prev = group; 533 group = group->next; 534 os_free(prev); 535 } 536 537 os_free(wpa_auth); 538} 539 540 541/** 542 * wpa_reconfig - Update WPA authenticator configuration 543 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 544 * @conf: Configuration for WPA authenticator 545 */ 546int wpa_reconfig(struct wpa_authenticator *wpa_auth, 547 struct wpa_auth_config *conf) 548{ 549 struct wpa_group *group; 550 if (wpa_auth == NULL) 551 return 0; 552 553 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 554 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 555 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 556 return -1; 557 } 558 559 /* 560 * Reinitialize GTK to make sure it is suitable for the new 561 * configuration. 562 */ 563 group = wpa_auth->group; 564 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 565 group->GInit = TRUE; 566 wpa_group_sm_step(wpa_auth, group); 567 group->GInit = FALSE; 568 wpa_group_sm_step(wpa_auth, group); 569 570 return 0; 571} 572 573 574struct wpa_state_machine * 575wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 576 const u8 *p2p_dev_addr) 577{ 578 struct wpa_state_machine *sm; 579 580 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 581 return NULL; 582 583 sm = os_zalloc(sizeof(struct wpa_state_machine)); 584 if (sm == NULL) 585 return NULL; 586 os_memcpy(sm->addr, addr, ETH_ALEN); 587 if (p2p_dev_addr) 588 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 589 590 sm->wpa_auth = wpa_auth; 591 sm->group = wpa_auth->group; 592 wpa_group_get(sm->wpa_auth, sm->group); 593 594 return sm; 595} 596 597 598int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 599 struct wpa_state_machine *sm) 600{ 601 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 602 return -1; 603 604#ifdef CONFIG_IEEE80211R_AP 605 if (sm->ft_completed) { 606 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 607 "FT authentication already completed - do not " 608 "start 4-way handshake"); 609 /* Go to PTKINITDONE state to allow GTK rekeying */ 610 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 611 sm->Pair = TRUE; 612 return 0; 613 } 614#endif /* CONFIG_IEEE80211R_AP */ 615 616#ifdef CONFIG_FILS 617 if (sm->fils_completed) { 618 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 619 "FILS authentication already completed - do not start 4-way handshake"); 620 /* Go to PTKINITDONE state to allow GTK rekeying */ 621 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 622 sm->Pair = TRUE; 623 return 0; 624 } 625#endif /* CONFIG_FILS */ 626 627 if (sm->started) { 628 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 629 sm->ReAuthenticationRequest = TRUE; 630 return wpa_sm_step(sm); 631 } 632 633 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 634 "start authentication"); 635 sm->started = 1; 636 637 sm->Init = TRUE; 638 if (wpa_sm_step(sm) == 1) 639 return 1; /* should not really happen */ 640 sm->Init = FALSE; 641 sm->AuthenticationRequest = TRUE; 642 return wpa_sm_step(sm); 643} 644 645 646void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 647{ 648 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 649 * reassociates back to the same AP while the previous entry for the 650 * STA has not yet been removed. */ 651 if (sm == NULL) 652 return; 653 654 sm->wpa_key_mgmt = 0; 655} 656 657 658static void wpa_free_sta_sm(struct wpa_state_machine *sm) 659{ 660#ifdef CONFIG_P2P 661 if (WPA_GET_BE32(sm->ip_addr)) { 662 u32 start; 663 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 664 "address %u.%u.%u.%u from " MACSTR, 665 sm->ip_addr[0], sm->ip_addr[1], 666 sm->ip_addr[2], sm->ip_addr[3], 667 MAC2STR(sm->addr)); 668 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 669 bitfield_clear(sm->wpa_auth->ip_pool, 670 WPA_GET_BE32(sm->ip_addr) - start); 671 } 672#endif /* CONFIG_P2P */ 673 if (sm->GUpdateStationKeys) { 674 sm->group->GKeyDoneStations--; 675 sm->GUpdateStationKeys = FALSE; 676 } 677#ifdef CONFIG_IEEE80211R_AP 678 os_free(sm->assoc_resp_ftie); 679 wpabuf_free(sm->ft_pending_req_ies); 680#endif /* CONFIG_IEEE80211R_AP */ 681 os_free(sm->last_rx_eapol_key); 682 os_free(sm->wpa_ie); 683 wpa_group_put(sm->wpa_auth, sm->group); 684 os_free(sm); 685} 686 687 688void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 689{ 690 if (sm == NULL) 691 return; 692 693 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 694 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 695 "strict rekeying - force GTK rekey since STA " 696 "is leaving"); 697 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 698 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 699 NULL); 700 } 701 702 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 703 sm->pending_1_of_4_timeout = 0; 704 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 705 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 706 if (sm->in_step_loop) { 707 /* Must not free state machine while wpa_sm_step() is running. 708 * Freeing will be completed in the end of wpa_sm_step(). */ 709 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 710 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 711 sm->pending_deinit = 1; 712 } else 713 wpa_free_sta_sm(sm); 714} 715 716 717static void wpa_request_new_ptk(struct wpa_state_machine *sm) 718{ 719 if (sm == NULL) 720 return; 721 722 sm->PTKRequest = TRUE; 723 sm->PTK_valid = 0; 724} 725 726 727static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 728 const u8 *replay_counter) 729{ 730 int i; 731 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 732 if (!ctr[i].valid) 733 break; 734 if (os_memcmp(replay_counter, ctr[i].counter, 735 WPA_REPLAY_COUNTER_LEN) == 0) 736 return 1; 737 } 738 return 0; 739} 740 741 742static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 743 const u8 *replay_counter) 744{ 745 int i; 746 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 747 if (ctr[i].valid && 748 (replay_counter == NULL || 749 os_memcmp(replay_counter, ctr[i].counter, 750 WPA_REPLAY_COUNTER_LEN) == 0)) 751 ctr[i].valid = FALSE; 752 } 753} 754 755 756#ifdef CONFIG_IEEE80211R_AP 757static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 758 struct wpa_state_machine *sm, 759 struct wpa_eapol_ie_parse *kde) 760{ 761 struct wpa_ie_data ie; 762 struct rsn_mdie *mdie; 763 764 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 765 ie.num_pmkid != 1 || ie.pmkid == NULL) { 766 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 767 "FT 4-way handshake message 2/4"); 768 return -1; 769 } 770 771 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 772 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 773 sm->sup_pmk_r1_name, PMKID_LEN); 774 775 if (!kde->mdie || !kde->ftie) { 776 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 777 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 778 return -1; 779 } 780 781 mdie = (struct rsn_mdie *) (kde->mdie + 2); 782 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 783 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 784 MOBILITY_DOMAIN_ID_LEN) != 0) { 785 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 786 return -1; 787 } 788 789 if (sm->assoc_resp_ftie && 790 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 791 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 792 2 + sm->assoc_resp_ftie[1]) != 0)) { 793 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 794 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 795 kde->ftie, kde->ftie_len); 796 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 797 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 798 return -1; 799 } 800 801 return 0; 802} 803#endif /* CONFIG_IEEE80211R_AP */ 804 805 806static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 807 struct wpa_state_machine *sm, int group) 808{ 809 /* Supplicant reported a Michael MIC error */ 810 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 811 "received EAPOL-Key Error Request " 812 "(STA detected Michael MIC failure (group=%d))", 813 group); 814 815 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 816 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 817 "ignore Michael MIC failure report since " 818 "group cipher is not TKIP"); 819 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 820 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 821 "ignore Michael MIC failure report since " 822 "pairwise cipher is not TKIP"); 823 } else { 824 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 825 return 1; /* STA entry was removed */ 826 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 827 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 828 } 829 830 /* 831 * Error report is not a request for a new key handshake, but since 832 * Authenticator may do it, let's change the keys now anyway. 833 */ 834 wpa_request_new_ptk(sm); 835 return 0; 836} 837 838 839static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 840 size_t data_len) 841{ 842 struct wpa_ptk PTK; 843 int ok = 0; 844 const u8 *pmk = NULL; 845 unsigned int pmk_len; 846 847 os_memset(&PTK, 0, sizeof(PTK)); 848 for (;;) { 849 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 850 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 851 sm->p2p_dev_addr, pmk); 852 if (pmk == NULL) 853 break; 854 pmk_len = PMK_LEN; 855 } else { 856 pmk = sm->PMK; 857 pmk_len = sm->pmk_len; 858 } 859 860 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0) 861 break; 862 863 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len) 864 == 0) { 865 ok = 1; 866 break; 867 } 868 869 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 870 break; 871 } 872 873 if (!ok) { 874 wpa_printf(MSG_DEBUG, 875 "WPA: Earlier SNonce did not result in matching MIC"); 876 return -1; 877 } 878 879 wpa_printf(MSG_DEBUG, 880 "WPA: Earlier SNonce resulted in matching MIC"); 881 sm->alt_snonce_valid = 0; 882 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 883 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 884 sm->PTK_valid = TRUE; 885 886 return 0; 887} 888 889 890void wpa_receive(struct wpa_authenticator *wpa_auth, 891 struct wpa_state_machine *sm, 892 u8 *data, size_t data_len) 893{ 894 struct ieee802_1x_hdr *hdr; 895 struct wpa_eapol_key *key; 896 u16 key_info, key_data_length; 897 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST, 898 SMK_M1, SMK_M3, SMK_ERROR } msg; 899 char *msgtxt; 900 struct wpa_eapol_ie_parse kde; 901 const u8 *key_data; 902 size_t keyhdrlen, mic_len; 903 u8 *mic; 904 905 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 906 return; 907 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len); 908 909 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 910 keyhdrlen = sizeof(*key) + mic_len + 2; 911 912 if (data_len < sizeof(*hdr) + keyhdrlen) { 913 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame"); 914 return; 915 } 916 917 hdr = (struct ieee802_1x_hdr *) data; 918 key = (struct wpa_eapol_key *) (hdr + 1); 919 mic = (u8 *) (key + 1); 920 key_info = WPA_GET_BE16(key->key_info); 921 key_data = mic + mic_len + 2; 922 key_data_length = WPA_GET_BE16(mic + mic_len); 923 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 924 " key_info=0x%x type=%u mic_len=%u key_data_length=%u", 925 MAC2STR(sm->addr), key_info, key->type, 926 (unsigned int) mic_len, key_data_length); 927 wpa_hexdump(MSG_MSGDUMP, 928 "WPA: EAPOL-Key header (ending before Key MIC)", 929 key, sizeof(*key)); 930 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC", 931 mic, mic_len); 932 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 933 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 934 "key_data overflow (%d > %lu)", 935 key_data_length, 936 (unsigned long) (data_len - sizeof(*hdr) - 937 keyhdrlen)); 938 return; 939 } 940 941 if (sm->wpa == WPA_VERSION_WPA2) { 942 if (key->type == EAPOL_KEY_TYPE_WPA) { 943 /* 944 * Some deployed station implementations seem to send 945 * msg 4/4 with incorrect type value in WPA2 mode. 946 */ 947 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 948 "with unexpected WPA type in RSN mode"); 949 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 950 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 951 "unexpected type %d in RSN mode", 952 key->type); 953 return; 954 } 955 } else { 956 if (key->type != EAPOL_KEY_TYPE_WPA) { 957 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 958 "unexpected type %d in WPA mode", 959 key->type); 960 return; 961 } 962 } 963 964 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 965 WPA_NONCE_LEN); 966 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 967 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 968 969 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 970 * are set */ 971 972 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) == 973 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) { 974 if (key_info & WPA_KEY_INFO_ERROR) { 975 msg = SMK_ERROR; 976 msgtxt = "SMK Error"; 977 } else { 978 msg = SMK_M1; 979 msgtxt = "SMK M1"; 980 } 981 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 982 msg = SMK_M3; 983 msgtxt = "SMK M3"; 984 } else if (key_info & WPA_KEY_INFO_REQUEST) { 985 msg = REQUEST; 986 msgtxt = "Request"; 987 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 988 msg = GROUP_2; 989 msgtxt = "2/2 Group"; 990 } else if (key_data_length == 0 || 991 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 992 key_data_length == AES_BLOCK_SIZE)) { 993 msg = PAIRWISE_4; 994 msgtxt = "4/4 Pairwise"; 995 } else { 996 msg = PAIRWISE_2; 997 msgtxt = "2/4 Pairwise"; 998 } 999 1000 /* TODO: key_info type validation for PeerKey */ 1001 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 1002 msg == GROUP_2) { 1003 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1004 if (sm->pairwise == WPA_CIPHER_CCMP || 1005 sm->pairwise == WPA_CIPHER_GCMP) { 1006 if (wpa_use_aes_cmac(sm) && 1007 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN && 1008 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 1009 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1010 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1011 wpa_auth_logger(wpa_auth, sm->addr, 1012 LOGGER_WARNING, 1013 "advertised support for " 1014 "AES-128-CMAC, but did not " 1015 "use it"); 1016 return; 1017 } 1018 1019 if (!wpa_use_aes_cmac(sm) && 1020 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1021 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1022 wpa_auth_logger(wpa_auth, sm->addr, 1023 LOGGER_WARNING, 1024 "did not use HMAC-SHA1-AES " 1025 "with CCMP/GCMP"); 1026 return; 1027 } 1028 } 1029 1030 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1031 wpa_key_mgmt_fils(sm->wpa_key_mgmt)) && 1032 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1033 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1034 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1035 return; 1036 } 1037 } 1038 1039 if (key_info & WPA_KEY_INFO_REQUEST) { 1040 if (sm->req_replay_counter_used && 1041 os_memcmp(key->replay_counter, sm->req_replay_counter, 1042 WPA_REPLAY_COUNTER_LEN) <= 0) { 1043 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1044 "received EAPOL-Key request with " 1045 "replayed counter"); 1046 return; 1047 } 1048 } 1049 1050 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1051 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1052 int i; 1053 1054 if (msg == PAIRWISE_2 && 1055 wpa_replay_counter_valid(sm->prev_key_replay, 1056 key->replay_counter) && 1057 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1058 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1059 { 1060 /* 1061 * Some supplicant implementations (e.g., Windows XP 1062 * WZC) update SNonce for each EAPOL-Key 2/4. This 1063 * breaks the workaround on accepting any of the 1064 * pending requests, so allow the SNonce to be updated 1065 * even if we have already sent out EAPOL-Key 3/4. 1066 */ 1067 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1068 "Process SNonce update from STA " 1069 "based on retransmitted EAPOL-Key " 1070 "1/4"); 1071 sm->update_snonce = 1; 1072 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1073 sm->alt_snonce_valid = TRUE; 1074 os_memcpy(sm->alt_replay_counter, 1075 sm->key_replay[0].counter, 1076 WPA_REPLAY_COUNTER_LEN); 1077 goto continue_processing; 1078 } 1079 1080 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1081 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1082 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1083 WPA_REPLAY_COUNTER_LEN) == 0) { 1084 /* 1085 * Supplicant may still be using the old SNonce since 1086 * there was two EAPOL-Key 2/4 messages and they had 1087 * different SNonce values. 1088 */ 1089 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1090 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1091 goto continue_processing; 1092 } 1093 1094 if (msg == PAIRWISE_2 && 1095 wpa_replay_counter_valid(sm->prev_key_replay, 1096 key->replay_counter) && 1097 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1098 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1099 "ignore retransmitted EAPOL-Key %s - " 1100 "SNonce did not change", msgtxt); 1101 } else { 1102 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1103 "received EAPOL-Key %s with " 1104 "unexpected replay counter", msgtxt); 1105 } 1106 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1107 if (!sm->key_replay[i].valid) 1108 break; 1109 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1110 sm->key_replay[i].counter, 1111 WPA_REPLAY_COUNTER_LEN); 1112 } 1113 wpa_hexdump(MSG_DEBUG, "received replay counter", 1114 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1115 return; 1116 } 1117 1118continue_processing: 1119#ifdef CONFIG_FILS 1120 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 && 1121 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1122 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1123 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame"); 1124 return; 1125 } 1126#endif /* CONFIG_FILS */ 1127 1128 switch (msg) { 1129 case PAIRWISE_2: 1130 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1131 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1132 (!sm->update_snonce || 1133 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1134 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1135 "received EAPOL-Key msg 2/4 in " 1136 "invalid state (%d) - dropped", 1137 sm->wpa_ptk_state); 1138 return; 1139 } 1140 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1141 if (sm->group->reject_4way_hs_for_entropy) { 1142 /* 1143 * The system did not have enough entropy to generate 1144 * strong random numbers. Reject the first 4-way 1145 * handshake(s) and collect some entropy based on the 1146 * information from it. Once enough entropy is 1147 * available, the next atempt will trigger GMK/Key 1148 * Counter update and the station will be allowed to 1149 * continue. 1150 */ 1151 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1152 "collect more entropy for random number " 1153 "generation"); 1154 random_mark_pool_ready(); 1155 wpa_sta_disconnect(wpa_auth, sm->addr); 1156 return; 1157 } 1158 break; 1159 case PAIRWISE_4: 1160 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1161 !sm->PTK_valid) { 1162 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1163 "received EAPOL-Key msg 4/4 in " 1164 "invalid state (%d) - dropped", 1165 sm->wpa_ptk_state); 1166 return; 1167 } 1168 break; 1169 case GROUP_2: 1170 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1171 || !sm->PTK_valid) { 1172 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1173 "received EAPOL-Key msg 2/2 in " 1174 "invalid state (%d) - dropped", 1175 sm->wpa_ptk_group_state); 1176 return; 1177 } 1178 break; 1179#ifdef CONFIG_PEERKEY 1180 case SMK_M1: 1181 case SMK_M3: 1182 case SMK_ERROR: 1183 if (!wpa_auth->conf.peerkey) { 1184 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but " 1185 "PeerKey use disabled - ignoring message"); 1186 return; 1187 } 1188 if (!sm->PTK_valid) { 1189 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1190 "received EAPOL-Key msg SMK in " 1191 "invalid state - dropped"); 1192 return; 1193 } 1194 break; 1195#else /* CONFIG_PEERKEY */ 1196 case SMK_M1: 1197 case SMK_M3: 1198 case SMK_ERROR: 1199 return; /* STSL disabled - ignore SMK messages */ 1200#endif /* CONFIG_PEERKEY */ 1201 case REQUEST: 1202 break; 1203 } 1204 1205 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1206 "received EAPOL-Key frame (%s)", msgtxt); 1207 1208 if (key_info & WPA_KEY_INFO_ACK) { 1209 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1210 "received invalid EAPOL-Key: Key Ack set"); 1211 return; 1212 } 1213 1214 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1215 !(key_info & WPA_KEY_INFO_MIC)) { 1216 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1217 "received invalid EAPOL-Key: Key MIC not set"); 1218 return; 1219 } 1220 1221#ifdef CONFIG_FILS 1222 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1223 (key_info & WPA_KEY_INFO_MIC)) { 1224 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1225 "received invalid EAPOL-Key: Key MIC set"); 1226 return; 1227 } 1228#endif /* CONFIG_FILS */ 1229 1230 sm->MICVerified = FALSE; 1231 if (sm->PTK_valid && !sm->update_snonce) { 1232 if (mic_len && 1233 wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data, 1234 data_len) && 1235 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1236 wpa_try_alt_snonce(sm, data, data_len))) { 1237 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1238 "received EAPOL-Key with invalid MIC"); 1239 return; 1240 } 1241#ifdef CONFIG_FILS 1242 if (!mic_len && 1243 wpa_aead_decrypt(sm, &sm->PTK, data, data_len, 1244 &key_data_length) < 0) { 1245 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1246 "received EAPOL-Key with invalid MIC"); 1247 return; 1248 } 1249#endif /* CONFIG_FILS */ 1250 sm->MICVerified = TRUE; 1251 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1252 sm->pending_1_of_4_timeout = 0; 1253 } 1254 1255 if (key_info & WPA_KEY_INFO_REQUEST) { 1256 if (sm->MICVerified) { 1257 sm->req_replay_counter_used = 1; 1258 os_memcpy(sm->req_replay_counter, key->replay_counter, 1259 WPA_REPLAY_COUNTER_LEN); 1260 } else { 1261 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1262 "received EAPOL-Key request with " 1263 "invalid MIC"); 1264 return; 1265 } 1266 1267 /* 1268 * TODO: should decrypt key data field if encryption was used; 1269 * even though MAC address KDE is not normally encrypted, 1270 * supplicant is allowed to encrypt it. 1271 */ 1272 if (msg == SMK_ERROR) { 1273#ifdef CONFIG_PEERKEY 1274 wpa_smk_error(wpa_auth, sm, key_data, key_data_length); 1275#endif /* CONFIG_PEERKEY */ 1276 return; 1277 } else if (key_info & WPA_KEY_INFO_ERROR) { 1278 if (wpa_receive_error_report( 1279 wpa_auth, sm, 1280 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1281 return; /* STA entry was removed */ 1282 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1283 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1284 "received EAPOL-Key Request for new " 1285 "4-Way Handshake"); 1286 wpa_request_new_ptk(sm); 1287#ifdef CONFIG_PEERKEY 1288 } else if (msg == SMK_M1) { 1289 wpa_smk_m1(wpa_auth, sm, key, key_data, 1290 key_data_length); 1291#endif /* CONFIG_PEERKEY */ 1292 } else if (key_data_length > 0 && 1293 wpa_parse_kde_ies(key_data, key_data_length, 1294 &kde) == 0 && 1295 kde.mac_addr) { 1296 } else { 1297 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1298 "received EAPOL-Key Request for GTK " 1299 "rekeying"); 1300 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1301 wpa_rekey_gtk(wpa_auth, NULL); 1302 } 1303 } else { 1304 /* Do not allow the same key replay counter to be reused. */ 1305 wpa_replay_counter_mark_invalid(sm->key_replay, 1306 key->replay_counter); 1307 1308 if (msg == PAIRWISE_2) { 1309 /* 1310 * Maintain a copy of the pending EAPOL-Key frames in 1311 * case the EAPOL-Key frame was retransmitted. This is 1312 * needed to allow EAPOL-Key msg 2/4 reply to another 1313 * pending msg 1/4 to update the SNonce to work around 1314 * unexpected supplicant behavior. 1315 */ 1316 os_memcpy(sm->prev_key_replay, sm->key_replay, 1317 sizeof(sm->key_replay)); 1318 } else { 1319 os_memset(sm->prev_key_replay, 0, 1320 sizeof(sm->prev_key_replay)); 1321 } 1322 1323 /* 1324 * Make sure old valid counters are not accepted anymore and 1325 * do not get copied again. 1326 */ 1327 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1328 } 1329 1330#ifdef CONFIG_PEERKEY 1331 if (msg == SMK_M3) { 1332 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length); 1333 return; 1334 } 1335#endif /* CONFIG_PEERKEY */ 1336 1337 os_free(sm->last_rx_eapol_key); 1338 sm->last_rx_eapol_key = os_malloc(data_len); 1339 if (sm->last_rx_eapol_key == NULL) 1340 return; 1341 os_memcpy(sm->last_rx_eapol_key, data, data_len); 1342 sm->last_rx_eapol_key_len = data_len; 1343 1344 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1345 sm->EAPOLKeyReceived = TRUE; 1346 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1347 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1348 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1349 wpa_sm_step(sm); 1350} 1351 1352 1353static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1354 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1355{ 1356 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1357 u8 *pos; 1358 int ret = 0; 1359 1360 /* GTK = PRF-X(GMK, "Group key expansion", 1361 * AA || GNonce || Time || random data) 1362 * The example described in the IEEE 802.11 standard uses only AA and 1363 * GNonce as inputs here. Add some more entropy since this derivation 1364 * is done only at the Authenticator and as such, does not need to be 1365 * exactly same. 1366 */ 1367 os_memcpy(data, addr, ETH_ALEN); 1368 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1369 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1370 wpa_get_ntp_timestamp(pos); 1371 pos += 8; 1372 if (random_get_bytes(pos, 16) < 0) 1373 ret = -1; 1374 1375#ifdef CONFIG_IEEE80211W 1376 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1377#else /* CONFIG_IEEE80211W */ 1378 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1379 < 0) 1380 ret = -1; 1381#endif /* CONFIG_IEEE80211W */ 1382 1383 return ret; 1384} 1385 1386 1387static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1388{ 1389 struct wpa_authenticator *wpa_auth = eloop_ctx; 1390 struct wpa_state_machine *sm = timeout_ctx; 1391 1392 sm->pending_1_of_4_timeout = 0; 1393 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1394 sm->TimeoutEvt = TRUE; 1395 wpa_sm_step(sm); 1396} 1397 1398 1399void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1400 struct wpa_state_machine *sm, int key_info, 1401 const u8 *key_rsc, const u8 *nonce, 1402 const u8 *kde, size_t kde_len, 1403 int keyidx, int encr, int force_version) 1404{ 1405 struct ieee802_1x_hdr *hdr; 1406 struct wpa_eapol_key *key; 1407 size_t len, mic_len, keyhdrlen; 1408 int alg; 1409 int key_data_len, pad_len = 0; 1410 u8 *buf, *pos; 1411 int version, pairwise; 1412 int i; 1413 u8 *key_mic, *key_data; 1414 1415 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 1416 keyhdrlen = sizeof(*key) + mic_len + 2; 1417 1418 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1419 1420 if (force_version) 1421 version = force_version; 1422 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1423 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1424 wpa_key_mgmt_fils(sm->wpa_key_mgmt)) 1425 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1426 else if (wpa_use_aes_cmac(sm)) 1427 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1428 else if (sm->pairwise != WPA_CIPHER_TKIP) 1429 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1430 else 1431 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1432 1433 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1434 1435 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1436 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1437 "encr=%d)", 1438 version, 1439 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1440 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1441 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1442 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1443 pairwise, (unsigned long) kde_len, keyidx, encr); 1444 1445 key_data_len = kde_len; 1446 1447 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1448 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1449 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1450 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1451 pad_len = key_data_len % 8; 1452 if (pad_len) 1453 pad_len = 8 - pad_len; 1454 key_data_len += pad_len + 8; 1455 } 1456 1457 len += key_data_len; 1458 if (!mic_len && encr) 1459 len += AES_BLOCK_SIZE; 1460 1461 hdr = os_zalloc(len); 1462 if (hdr == NULL) 1463 return; 1464 hdr->version = wpa_auth->conf.eapol_version; 1465 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1466 hdr->length = host_to_be16(len - sizeof(*hdr)); 1467 key = (struct wpa_eapol_key *) (hdr + 1); 1468 key_mic = (u8 *) (key + 1); 1469 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1470 1471 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1472 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1473 key_info |= version; 1474 if (encr && sm->wpa == WPA_VERSION_WPA2) 1475 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1476 if (sm->wpa != WPA_VERSION_WPA2) 1477 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1478 WPA_PUT_BE16(key->key_info, key_info); 1479 1480 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1481 if ((key_info & WPA_KEY_INFO_SMK_MESSAGE) || 1482 (sm->wpa == WPA_VERSION_WPA2 && !pairwise)) 1483 WPA_PUT_BE16(key->key_length, 0); 1484 else 1485 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1486 1487 /* FIX: STSL: what to use as key_replay_counter? */ 1488 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1489 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1490 os_memcpy(sm->key_replay[i].counter, 1491 sm->key_replay[i - 1].counter, 1492 WPA_REPLAY_COUNTER_LEN); 1493 } 1494 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1495 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1496 WPA_REPLAY_COUNTER_LEN); 1497 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1498 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1499 sm->key_replay[0].valid = TRUE; 1500 1501 if (nonce) 1502 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1503 1504 if (key_rsc) 1505 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1506 1507 if (kde && !encr) { 1508 os_memcpy(key_data, kde, kde_len); 1509 WPA_PUT_BE16(key_mic + mic_len, kde_len); 1510#ifdef CONFIG_FILS 1511 } else if (!mic_len) { 1512 const u8 *aad[1]; 1513 size_t aad_len[1]; 1514 1515 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len); 1516 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1517 kde, kde_len); 1518 1519 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", 1520 sm->PTK.kek, sm->PTK.kek_len); 1521 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 1522 * to Key Data (exclusive). */ 1523 aad[0] = (u8 *) hdr; 1524 aad_len[0] = key_mic + 2 - (u8 *) hdr; 1525 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len, 1526 1, aad, aad_len, key_mic + 2) < 0) { 1527 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed"); 1528 return; 1529 } 1530 1531 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 1532 key_mic + 2, AES_BLOCK_SIZE + kde_len); 1533#endif /* CONFIG_FILS */ 1534 } else if (encr && kde) { 1535 buf = os_zalloc(key_data_len); 1536 if (buf == NULL) { 1537 os_free(hdr); 1538 return; 1539 } 1540 pos = buf; 1541 os_memcpy(pos, kde, kde_len); 1542 pos += kde_len; 1543 1544 if (pad_len) 1545 *pos++ = 0xdd; 1546 1547 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1548 buf, key_data_len); 1549 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1550 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1551 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1552 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1553 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1554 (key_data_len - 8) / 8, buf, key_data)) { 1555 os_free(hdr); 1556 os_free(buf); 1557 return; 1558 } 1559 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1560#ifndef CONFIG_NO_RC4 1561 } else if (sm->PTK.kek_len == 16) { 1562 u8 ek[32]; 1563 os_memcpy(key->key_iv, 1564 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1565 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1566 os_memcpy(ek, key->key_iv, 16); 1567 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1568 os_memcpy(key_data, buf, key_data_len); 1569 rc4_skip(ek, 32, 256, key_data, key_data_len); 1570 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1571#endif /* CONFIG_NO_RC4 */ 1572 } else { 1573 os_free(hdr); 1574 os_free(buf); 1575 return; 1576 } 1577 os_free(buf); 1578 } 1579 1580 if (key_info & WPA_KEY_INFO_MIC) { 1581 if (!sm->PTK_valid || !mic_len) { 1582 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1583 "PTK not valid when sending EAPOL-Key " 1584 "frame"); 1585 os_free(hdr); 1586 return; 1587 } 1588 1589 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1590 sm->wpa_key_mgmt, version, 1591 (u8 *) hdr, len, key_mic); 1592#ifdef CONFIG_TESTING_OPTIONS 1593 if (!pairwise && 1594 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1595 drand48() < 1596 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1597 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1598 "Corrupting group EAPOL-Key Key MIC"); 1599 key_mic[0]++; 1600 } 1601#endif /* CONFIG_TESTING_OPTIONS */ 1602 } 1603 1604 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1605 1); 1606 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1607 sm->pairwise_set); 1608 os_free(hdr); 1609} 1610 1611 1612static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1613 struct wpa_state_machine *sm, int key_info, 1614 const u8 *key_rsc, const u8 *nonce, 1615 const u8 *kde, size_t kde_len, 1616 int keyidx, int encr) 1617{ 1618 int timeout_ms; 1619 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1620 u32 ctr; 1621 1622 if (sm == NULL) 1623 return; 1624 1625 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1626 keyidx, encr, 0); 1627 1628 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1629 if (ctr == 1 && wpa_auth->conf.tx_status) 1630 timeout_ms = pairwise ? eapol_key_timeout_first : 1631 eapol_key_timeout_first_group; 1632 else 1633 timeout_ms = eapol_key_timeout_subseq; 1634 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1635 sm->pending_1_of_4_timeout = 1; 1636 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1637 "counter %u)", timeout_ms, ctr); 1638 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1639 wpa_send_eapol_timeout, wpa_auth, sm); 1640} 1641 1642 1643static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data, 1644 size_t data_len) 1645{ 1646 struct ieee802_1x_hdr *hdr; 1647 struct wpa_eapol_key *key; 1648 u16 key_info; 1649 int ret = 0; 1650 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos; 1651 size_t mic_len = wpa_mic_len(akmp); 1652 1653 if (data_len < sizeof(*hdr) + sizeof(*key)) 1654 return -1; 1655 1656 hdr = (struct ieee802_1x_hdr *) data; 1657 key = (struct wpa_eapol_key *) (hdr + 1); 1658 mic_pos = (u8 *) (key + 1); 1659 key_info = WPA_GET_BE16(key->key_info); 1660 os_memcpy(mic, mic_pos, mic_len); 1661 os_memset(mic_pos, 0, mic_len); 1662 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1663 key_info & WPA_KEY_INFO_TYPE_MASK, 1664 data, data_len, mic_pos) || 1665 os_memcmp_const(mic, mic_pos, mic_len) != 0) 1666 ret = -1; 1667 os_memcpy(mic_pos, mic, mic_len); 1668 return ret; 1669} 1670 1671 1672void wpa_remove_ptk(struct wpa_state_machine *sm) 1673{ 1674 sm->PTK_valid = FALSE; 1675 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1676 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 1677 0)) 1678 wpa_printf(MSG_DEBUG, 1679 "RSN: PTK removal from the driver failed"); 1680 sm->pairwise_set = FALSE; 1681 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1682} 1683 1684 1685int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1686{ 1687 int remove_ptk = 1; 1688 1689 if (sm == NULL) 1690 return -1; 1691 1692 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1693 "event %d notification", event); 1694 1695 switch (event) { 1696 case WPA_AUTH: 1697#ifdef CONFIG_MESH 1698 /* PTKs are derived through AMPE */ 1699 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1700 /* not mesh */ 1701 break; 1702 } 1703 return 0; 1704#endif /* CONFIG_MESH */ 1705 case WPA_ASSOC: 1706 break; 1707 case WPA_DEAUTH: 1708 case WPA_DISASSOC: 1709 sm->DeauthenticationRequest = TRUE; 1710 break; 1711 case WPA_REAUTH: 1712 case WPA_REAUTH_EAPOL: 1713 if (!sm->started) { 1714 /* 1715 * When using WPS, we may end up here if the STA 1716 * manages to re-associate without the previous STA 1717 * entry getting removed. Consequently, we need to make 1718 * sure that the WPA state machines gets initialized 1719 * properly at this point. 1720 */ 1721 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1722 "started - initialize now"); 1723 sm->started = 1; 1724 sm->Init = TRUE; 1725 if (wpa_sm_step(sm) == 1) 1726 return 1; /* should not really happen */ 1727 sm->Init = FALSE; 1728 sm->AuthenticationRequest = TRUE; 1729 break; 1730 } 1731 if (sm->GUpdateStationKeys) { 1732 /* 1733 * Reauthentication cancels the pending group key 1734 * update for this STA. 1735 */ 1736 sm->group->GKeyDoneStations--; 1737 sm->GUpdateStationKeys = FALSE; 1738 sm->PtkGroupInit = TRUE; 1739 } 1740 sm->ReAuthenticationRequest = TRUE; 1741 break; 1742 case WPA_ASSOC_FT: 1743#ifdef CONFIG_IEEE80211R_AP 1744 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1745 "after association"); 1746 wpa_ft_install_ptk(sm); 1747 1748 /* Using FT protocol, not WPA auth state machine */ 1749 sm->ft_completed = 1; 1750 return 0; 1751#else /* CONFIG_IEEE80211R_AP */ 1752 break; 1753#endif /* CONFIG_IEEE80211R_AP */ 1754 } 1755 1756#ifdef CONFIG_IEEE80211R_AP 1757 sm->ft_completed = 0; 1758#endif /* CONFIG_IEEE80211R_AP */ 1759 1760#ifdef CONFIG_IEEE80211W 1761 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1762 remove_ptk = 0; 1763#endif /* CONFIG_IEEE80211W */ 1764#ifdef CONFIG_FILS 1765 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1766 (event == WPA_AUTH || event == WPA_ASSOC)) 1767 remove_ptk = 0; 1768#endif /* CONFIG_FILS */ 1769 1770 if (remove_ptk) { 1771 sm->PTK_valid = FALSE; 1772 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1773 1774 if (event != WPA_REAUTH_EAPOL) 1775 wpa_remove_ptk(sm); 1776 } 1777 1778 if (sm->in_step_loop) { 1779 /* 1780 * wpa_sm_step() is already running - avoid recursive call to 1781 * it by making the existing loop process the new update. 1782 */ 1783 sm->changed = TRUE; 1784 return 0; 1785 } 1786 return wpa_sm_step(sm); 1787} 1788 1789 1790SM_STATE(WPA_PTK, INITIALIZE) 1791{ 1792 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1793 if (sm->Init) { 1794 /* Init flag is not cleared here, so avoid busy 1795 * loop by claiming nothing changed. */ 1796 sm->changed = FALSE; 1797 } 1798 1799 sm->keycount = 0; 1800 if (sm->GUpdateStationKeys) 1801 sm->group->GKeyDoneStations--; 1802 sm->GUpdateStationKeys = FALSE; 1803 if (sm->wpa == WPA_VERSION_WPA) 1804 sm->PInitAKeys = FALSE; 1805 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1806 * Local AA > Remote AA)) */) { 1807 sm->Pair = TRUE; 1808 } 1809 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1810 wpa_remove_ptk(sm); 1811 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1812 sm->TimeoutCtr = 0; 1813 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 1814 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1815 WPA_EAPOL_authorized, 0); 1816 } 1817} 1818 1819 1820SM_STATE(WPA_PTK, DISCONNECT) 1821{ 1822 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1823 sm->Disconnect = FALSE; 1824 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 1825} 1826 1827 1828SM_STATE(WPA_PTK, DISCONNECTED) 1829{ 1830 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1831 sm->DeauthenticationRequest = FALSE; 1832} 1833 1834 1835SM_STATE(WPA_PTK, AUTHENTICATION) 1836{ 1837 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1838 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1839 sm->PTK_valid = FALSE; 1840 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1841 1); 1842 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1843 sm->AuthenticationRequest = FALSE; 1844} 1845 1846 1847static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1848 struct wpa_group *group) 1849{ 1850 if (group->first_sta_seen) 1851 return; 1852 /* 1853 * System has run bit further than at the time hostapd was started 1854 * potentially very early during boot up. This provides better chances 1855 * of collecting more randomness on embedded systems. Re-initialize the 1856 * GMK and Counter here to improve their strength if there was not 1857 * enough entropy available immediately after system startup. 1858 */ 1859 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1860 "station"); 1861 if (random_pool_ready() != 1) { 1862 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1863 "to proceed - reject first 4-way handshake"); 1864 group->reject_4way_hs_for_entropy = TRUE; 1865 } else { 1866 group->first_sta_seen = TRUE; 1867 group->reject_4way_hs_for_entropy = FALSE; 1868 } 1869 1870 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 1871 wpa_gtk_update(wpa_auth, group) < 0 || 1872 wpa_group_config_group_keys(wpa_auth, group) < 0) { 1873 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 1874 group->first_sta_seen = FALSE; 1875 group->reject_4way_hs_for_entropy = TRUE; 1876 } 1877} 1878 1879 1880SM_STATE(WPA_PTK, AUTHENTICATION2) 1881{ 1882 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1883 1884 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1885 sm->ReAuthenticationRequest = FALSE; 1886 1887 /* 1888 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1889 * ambiguous. The Authenticator state machine uses a counter that is 1890 * incremented by one for each 4-way handshake. However, the security 1891 * analysis of 4-way handshake points out that unpredictable nonces 1892 * help in preventing precomputation attacks. Instead of the state 1893 * machine definition, use an unpredictable nonce value here to provide 1894 * stronger protection against potential precomputation attacks. 1895 */ 1896 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1897 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1898 "ANonce."); 1899 sm->Disconnect = TRUE; 1900 return; 1901 } 1902 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1903 WPA_NONCE_LEN); 1904 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1905 * logical place than INITIALIZE since AUTHENTICATION2 can be 1906 * re-entered on ReAuthenticationRequest without going through 1907 * INITIALIZE. */ 1908 sm->TimeoutCtr = 0; 1909} 1910 1911 1912SM_STATE(WPA_PTK, INITPMK) 1913{ 1914 u8 msk[2 * PMK_LEN]; 1915 size_t len = 2 * PMK_LEN; 1916 1917 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1918#ifdef CONFIG_IEEE80211R_AP 1919 sm->xxkey_len = 0; 1920#endif /* CONFIG_IEEE80211R_AP */ 1921 if (sm->pmksa) { 1922 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1923 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 1924 sm->pmk_len = sm->pmksa->pmk_len; 1925 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1926 unsigned int pmk_len; 1927 1928 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) 1929 pmk_len = PMK_LEN_SUITE_B_192; 1930 else 1931 pmk_len = PMK_LEN; 1932 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1933 "(MSK len=%lu PMK len=%u)", (unsigned long) len, 1934 pmk_len); 1935 if (len < pmk_len) { 1936 wpa_printf(MSG_DEBUG, 1937 "WPA: MSK not long enough (%u) to create PMK (%u)", 1938 (unsigned int) len, (unsigned int) pmk_len); 1939 sm->Disconnect = TRUE; 1940 return; 1941 } 1942 os_memcpy(sm->PMK, msk, pmk_len); 1943 sm->pmk_len = pmk_len; 1944#ifdef CONFIG_IEEE80211R_AP 1945 if (len >= 2 * PMK_LEN) { 1946 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1947 sm->xxkey_len = PMK_LEN; 1948 } 1949#endif /* CONFIG_IEEE80211R_AP */ 1950 } else { 1951 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 1952 sm->wpa_auth->cb->get_msk); 1953 sm->Disconnect = TRUE; 1954 return; 1955 } 1956 os_memset(msk, 0, sizeof(msk)); 1957 1958 sm->req_replay_counter_used = 0; 1959 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1960 * will break reauthentication since EAPOL state machines may not be 1961 * get into AUTHENTICATING state that clears keyRun before WPA state 1962 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1963 * state and takes PMK from the previously used AAA Key. This will 1964 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1965 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1966 * be good workaround for this issue. */ 1967 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1968} 1969 1970 1971SM_STATE(WPA_PTK, INITPSK) 1972{ 1973 const u8 *psk; 1974 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1975 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL); 1976 if (psk) { 1977 os_memcpy(sm->PMK, psk, PMK_LEN); 1978 sm->pmk_len = PMK_LEN; 1979#ifdef CONFIG_IEEE80211R_AP 1980 os_memcpy(sm->xxkey, psk, PMK_LEN); 1981 sm->xxkey_len = PMK_LEN; 1982#endif /* CONFIG_IEEE80211R_AP */ 1983 } 1984 sm->req_replay_counter_used = 0; 1985} 1986 1987 1988SM_STATE(WPA_PTK, PTKSTART) 1989{ 1990 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 1991 size_t pmkid_len = 0; 1992 1993 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 1994 sm->PTKRequest = FALSE; 1995 sm->TimeoutEvt = FALSE; 1996 sm->alt_snonce_valid = FALSE; 1997 1998 sm->TimeoutCtr++; 1999 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2000 /* No point in sending the EAPOL-Key - we will disconnect 2001 * immediately following this. */ 2002 return; 2003 } 2004 2005 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2006 "sending 1/4 msg of 4-Way Handshake"); 2007 /* 2008 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 2009 * one possible PSK for this STA. 2010 */ 2011 if (sm->wpa == WPA_VERSION_WPA2 && 2012 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2013 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2014 pmkid = buf; 2015 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2016 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2017 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2018 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2019 if (sm->pmksa) { 2020 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2021 sm->pmksa->pmkid, PMKID_LEN); 2022 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2023 /* No KCK available to derive PMKID */ 2024 pmkid = NULL; 2025 } else { 2026 /* 2027 * Calculate PMKID since no PMKSA cache entry was 2028 * available with pre-calculated PMKID. 2029 */ 2030 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2031 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2032 wpa_key_mgmt_sha256(sm->wpa_key_mgmt)); 2033 } 2034 } 2035 wpa_send_eapol(sm->wpa_auth, sm, 2036 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2037 sm->ANonce, pmkid, pmkid_len, 0, 0); 2038} 2039 2040 2041static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2042 const u8 *pmk, unsigned int pmk_len, 2043 struct wpa_ptk *ptk) 2044{ 2045#ifdef CONFIG_IEEE80211R_AP 2046 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 2047 return wpa_auth_derive_ptk_ft(sm, pmk, ptk); 2048#endif /* CONFIG_IEEE80211R_AP */ 2049 2050 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2051 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2052 ptk, sm->wpa_key_mgmt, sm->pairwise); 2053} 2054 2055 2056#ifdef CONFIG_FILS 2057 2058int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, 2059 size_t pmk_len, const u8 *snonce, const u8 *anonce) 2060{ 2061 u8 ick[FILS_ICK_MAX_LEN]; 2062 size_t ick_len; 2063 int res; 2064 2065 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr, 2066 snonce, anonce, &sm->PTK, ick, &ick_len, 2067 sm->wpa_key_mgmt, sm->pairwise); 2068 if (res < 0) 2069 return res; 2070 sm->PTK_valid = TRUE; 2071 2072 res = fils_key_auth_sk(ick, ick_len, snonce, anonce, 2073 sm->addr, sm->wpa_auth->addr, 2074 NULL, 0, NULL, 0, /* TODO: SK+PFS */ 2075 sm->wpa_key_mgmt, sm->fils_key_auth_sta, 2076 sm->fils_key_auth_ap, 2077 &sm->fils_key_auth_len); 2078 os_memset(ick, 0, sizeof(ick)); 2079 2080 /* Store nonces for (Re)Association Request/Response frame processing */ 2081 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN); 2082 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN); 2083 2084 return res; 2085} 2086 2087 2088static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 2089 u8 *buf, size_t buf_len, u16 *_key_data_len) 2090{ 2091 struct ieee802_1x_hdr *hdr; 2092 struct wpa_eapol_key *key; 2093 u8 *pos; 2094 u16 key_data_len; 2095 u8 *tmp; 2096 const u8 *aad[1]; 2097 size_t aad_len[1]; 2098 2099 hdr = (struct ieee802_1x_hdr *) buf; 2100 key = (struct wpa_eapol_key *) (hdr + 1); 2101 pos = (u8 *) (key + 1); 2102 key_data_len = WPA_GET_BE16(pos); 2103 if (key_data_len < AES_BLOCK_SIZE || 2104 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) { 2105 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2106 "No room for AES-SIV data in the frame"); 2107 return -1; 2108 } 2109 pos += 2; /* Pointing at the Encrypted Key Data field */ 2110 2111 tmp = os_malloc(key_data_len); 2112 if (!tmp) 2113 return -1; 2114 2115 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 2116 * to Key Data (exclusive). */ 2117 aad[0] = buf; 2118 aad_len[0] = pos - buf; 2119 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len, 2120 1, aad, aad_len, tmp) < 0) { 2121 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2122 "Invalid AES-SIV data in the frame"); 2123 bin_clear_free(tmp, key_data_len); 2124 return -1; 2125 } 2126 2127 /* AEAD decryption and validation completed successfully */ 2128 key_data_len -= AES_BLOCK_SIZE; 2129 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 2130 tmp, key_data_len); 2131 2132 /* Replace Key Data field with the decrypted version */ 2133 os_memcpy(pos, tmp, key_data_len); 2134 pos -= 2; /* Key Data Length field */ 2135 WPA_PUT_BE16(pos, key_data_len); 2136 bin_clear_free(tmp, key_data_len); 2137 if (_key_data_len) 2138 *_key_data_len = key_data_len; 2139 return 0; 2140} 2141 2142 2143int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session, 2144 const struct ieee80211_mgmt *mgmt, size_t frame_len, 2145 u8 *pos, size_t left) 2146{ 2147 u16 fc, stype; 2148 const u8 *end, *ie_start, *ie, *session, *crypt; 2149 struct ieee802_11_elems elems; 2150 const u8 *aad[5]; 2151 size_t aad_len[5]; 2152 2153 if (!sm || !sm->PTK_valid) { 2154 wpa_printf(MSG_DEBUG, 2155 "FILS: No KEK to decrypt Assocication Request frame"); 2156 return -1; 2157 } 2158 2159 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2160 wpa_printf(MSG_DEBUG, 2161 "FILS: Not a FILS AKM - reject association"); 2162 return -1; 2163 } 2164 2165 end = ((const u8 *) mgmt) + frame_len; 2166 fc = le_to_host16(mgmt->frame_control); 2167 stype = WLAN_FC_GET_STYPE(fc); 2168 if (stype == WLAN_FC_STYPE_REASSOC_REQ) 2169 ie_start = mgmt->u.reassoc_req.variable; 2170 else 2171 ie_start = mgmt->u.assoc_req.variable; 2172 ie = ie_start; 2173 2174 /* 2175 * Find FILS Session element which is the last unencrypted element in 2176 * the frame. 2177 */ 2178 session = NULL; 2179 while (ie + 1 < end) { 2180 if (ie + 2 + ie[1] > end) 2181 break; 2182 if (ie[0] == WLAN_EID_EXTENSION && 2183 ie[1] >= 1 + FILS_SESSION_LEN && 2184 ie[2] == WLAN_EID_EXT_FILS_SESSION) { 2185 session = ie; 2186 break; 2187 } 2188 ie += 2 + ie[1]; 2189 } 2190 2191 if (!session) { 2192 wpa_printf(MSG_DEBUG, 2193 "FILS: Could not find FILS Session element in Association Request frame - reject"); 2194 return -1; 2195 } 2196 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) { 2197 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 2198 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 2199 fils_session, FILS_SESSION_LEN); 2200 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 2201 session + 3, FILS_SESSION_LEN); 2202 return -1; 2203 } 2204 crypt = session + 2 + session[1]; 2205 2206 if (end - crypt < AES_BLOCK_SIZE) { 2207 wpa_printf(MSG_DEBUG, 2208 "FILS: Too short frame to include AES-SIV data"); 2209 return -1; 2210 } 2211 2212 /* AES-SIV AAD vectors */ 2213 2214 /* The STA's MAC address */ 2215 aad[0] = mgmt->sa; 2216 aad_len[0] = ETH_ALEN; 2217 /* The AP's BSSID */ 2218 aad[1] = mgmt->da; 2219 aad_len[1] = ETH_ALEN; 2220 /* The STA's nonce */ 2221 aad[2] = sm->SNonce; 2222 aad_len[2] = FILS_NONCE_LEN; 2223 /* The AP's nonce */ 2224 aad[3] = sm->ANonce; 2225 aad_len[3] = FILS_NONCE_LEN; 2226 /* 2227 * The (Re)Association Request frame from the Capability Information 2228 * field to the FILS Session element (both inclusive). 2229 */ 2230 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info; 2231 aad_len[4] = crypt - aad[4]; 2232 2233 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt, 2234 5, aad, aad_len, pos + (crypt - ie_start)) < 0) { 2235 wpa_printf(MSG_DEBUG, 2236 "FILS: Invalid AES-SIV data in the frame"); 2237 return -1; 2238 } 2239 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements", 2240 pos, left - AES_BLOCK_SIZE); 2241 2242 if (ieee802_11_parse_elems(pos, left - AES_BLOCK_SIZE, &elems, 1) == 2243 ParseFailed) { 2244 wpa_printf(MSG_DEBUG, 2245 "FILS: Failed to parse decrypted elements"); 2246 return -1; 2247 } 2248 if (!elems.fils_key_confirm) { 2249 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 2250 return -1; 2251 } 2252 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 2253 wpa_printf(MSG_DEBUG, 2254 "FILS: Unexpected Key-Auth length %d (expected %d)", 2255 elems.fils_key_confirm_len, 2256 (int) sm->fils_key_auth_len); 2257 return -1; 2258 } 2259 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta, 2260 sm->fils_key_auth_len) != 0) { 2261 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 2262 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 2263 elems.fils_key_confirm, 2264 elems.fils_key_confirm_len); 2265 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 2266 sm->fils_key_auth_sta, sm->fils_key_auth_len); 2267 return -1; 2268 } 2269 2270 return left - AES_BLOCK_SIZE; 2271} 2272 2273 2274int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, 2275 size_t current_len, size_t max_len, 2276 const struct wpabuf *hlp) 2277{ 2278 u8 *end = buf + max_len; 2279 u8 *pos = buf + current_len; 2280 struct ieee80211_mgmt *mgmt; 2281 struct wpabuf *plain; 2282 u8 *len, *tmp, *tmp2; 2283 u8 hdr[2]; 2284 u8 *gtk, dummy_gtk[32]; 2285 size_t gtk_len; 2286 struct wpa_group *gsm; 2287 const u8 *aad[5]; 2288 size_t aad_len[5]; 2289 2290 if (!sm || !sm->PTK_valid) 2291 return -1; 2292 2293 wpa_hexdump(MSG_DEBUG, 2294 "FILS: Association Response frame before FILS processing", 2295 buf, current_len); 2296 2297 mgmt = (struct ieee80211_mgmt *) buf; 2298 2299 /* AES-SIV AAD vectors */ 2300 2301 /* The AP's BSSID */ 2302 aad[0] = mgmt->sa; 2303 aad_len[0] = ETH_ALEN; 2304 /* The STA's MAC address */ 2305 aad[1] = mgmt->da; 2306 aad_len[1] = ETH_ALEN; 2307 /* The AP's nonce */ 2308 aad[2] = sm->ANonce; 2309 aad_len[2] = FILS_NONCE_LEN; 2310 /* The STA's nonce */ 2311 aad[3] = sm->SNonce; 2312 aad_len[3] = FILS_NONCE_LEN; 2313 /* 2314 * The (Re)Association Response frame from the Capability Information 2315 * field (the same offset in both Association and Reassociation 2316 * Response frames) to the FILS Session element (both inclusive). 2317 */ 2318 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info; 2319 aad_len[4] = pos - aad[4]; 2320 2321 /* The following elements will be encrypted with AES-SIV */ 2322 2323 plain = wpabuf_alloc(1000); 2324 if (!plain) 2325 return -1; 2326 2327 /* TODO: FILS Public Key */ 2328 2329 /* FILS Key Confirmation */ 2330 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2331 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */ 2332 /* Element ID Extension */ 2333 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM); 2334 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len); 2335 2336 /* FILS HLP Container */ 2337 if (hlp) 2338 wpabuf_put_buf(plain, hlp); 2339 2340 /* TODO: FILS IP Address Assignment */ 2341 2342 /* Key Delivery */ 2343 gsm = sm->group; 2344 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2345 len = wpabuf_put(plain, 1); 2346 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY); 2347 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, 2348 wpabuf_put(plain, WPA_KEY_RSC_LEN)); 2349 /* GTK KDE */ 2350 gtk = gsm->GTK[gsm->GN - 1]; 2351 gtk_len = gsm->GTK_len; 2352 if (sm->wpa_auth->conf.disable_gtk) { 2353 /* 2354 * Provide unique random GTK to each STA to prevent use 2355 * of GTK in the BSS. 2356 */ 2357 if (random_get_bytes(dummy_gtk, gtk_len) < 0) { 2358 wpabuf_free(plain); 2359 return -1; 2360 } 2361 gtk = dummy_gtk; 2362 } 2363 hdr[0] = gsm->GN & 0x03; 2364 hdr[1] = 0; 2365 tmp = wpabuf_put(plain, 0); 2366 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2367 gtk, gtk_len); 2368 wpabuf_put(plain, tmp2 - tmp); 2369 2370 /* IGTK KDE */ 2371 tmp = wpabuf_put(plain, 0); 2372 tmp2 = ieee80211w_kde_add(sm, tmp); 2373 wpabuf_put(plain, tmp2 - tmp); 2374 2375 *len = (u8 *) wpabuf_put(plain, 0) - len - 1; 2376 2377 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) { 2378 wpa_printf(MSG_DEBUG, 2379 "FILS: Not enough room for FILS elements"); 2380 wpabuf_free(plain); 2381 return -1; 2382 } 2383 2384 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext", 2385 plain); 2386 2387 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, 2388 wpabuf_head(plain), wpabuf_len(plain), 2389 5, aad, aad_len, pos) < 0) { 2390 wpabuf_free(plain); 2391 return -1; 2392 } 2393 2394 wpa_hexdump(MSG_DEBUG, 2395 "FILS: Encrypted Association Response elements", 2396 pos, AES_BLOCK_SIZE + wpabuf_len(plain)); 2397 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE; 2398 wpabuf_free(plain); 2399 2400 sm->fils_completed = 1; 2401 2402 return current_len; 2403} 2404 2405 2406int fils_set_tk(struct wpa_state_machine *sm) 2407{ 2408 enum wpa_alg alg; 2409 int klen; 2410 2411 if (!sm || !sm->PTK_valid) 2412 return -1; 2413 2414 alg = wpa_cipher_to_alg(sm->pairwise); 2415 klen = wpa_cipher_key_len(sm->pairwise); 2416 2417 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); 2418 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2419 sm->PTK.tk, klen)) { 2420 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); 2421 return -1; 2422 } 2423 2424 return 0; 2425} 2426 2427#endif /* CONFIG_FILS */ 2428 2429 2430SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2431{ 2432 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2433 struct wpa_ptk PTK; 2434 int ok = 0, psk_found = 0; 2435 const u8 *pmk = NULL; 2436 unsigned int pmk_len; 2437 int ft; 2438 const u8 *eapol_key_ie, *key_data, *mic; 2439 u16 key_data_length; 2440 size_t mic_len, eapol_key_ie_len; 2441 struct ieee802_1x_hdr *hdr; 2442 struct wpa_eapol_key *key; 2443 struct wpa_eapol_ie_parse kde; 2444 2445 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2446 sm->EAPOLKeyReceived = FALSE; 2447 sm->update_snonce = FALSE; 2448 os_memset(&PTK, 0, sizeof(PTK)); 2449 2450 mic_len = wpa_mic_len(sm->wpa_key_mgmt); 2451 2452 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2453 * WPA-PSK: iterate through possible PSKs and select the one matching 2454 * the packet */ 2455 for (;;) { 2456 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2457 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2458 sm->p2p_dev_addr, pmk); 2459 if (pmk == NULL) 2460 break; 2461 psk_found = 1; 2462 pmk_len = PMK_LEN; 2463 } else { 2464 pmk = sm->PMK; 2465 pmk_len = sm->pmk_len; 2466 } 2467 2468 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0) 2469 break; 2470 2471 if (mic_len && 2472 wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, 2473 sm->last_rx_eapol_key, 2474 sm->last_rx_eapol_key_len) == 0) { 2475 ok = 1; 2476 break; 2477 } 2478 2479#ifdef CONFIG_FILS 2480 if (!mic_len && 2481 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key, 2482 sm->last_rx_eapol_key_len, NULL) == 0) { 2483 ok = 1; 2484 break; 2485 } 2486#endif /* CONFIG_FILS */ 2487 2488 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 2489 break; 2490 } 2491 2492 if (!ok) { 2493 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2494 "invalid MIC in msg 2/4 of 4-Way Handshake"); 2495 if (psk_found) 2496 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 2497 return; 2498 } 2499 2500 /* 2501 * Note: last_rx_eapol_key length fields have already been validated in 2502 * wpa_receive(). 2503 */ 2504 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 2505 key = (struct wpa_eapol_key *) (hdr + 1); 2506 mic = (u8 *) (key + 1); 2507 key_data = mic + mic_len + 2; 2508 key_data_length = WPA_GET_BE16(mic + mic_len); 2509 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 2510 sizeof(*key) - mic_len - 2) 2511 return; 2512 2513 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 2514 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 2515 "received EAPOL-Key msg 2/4 with invalid Key Data contents"); 2516 return; 2517 } 2518 if (kde.rsn_ie) { 2519 eapol_key_ie = kde.rsn_ie; 2520 eapol_key_ie_len = kde.rsn_ie_len; 2521 } else if (kde.osen) { 2522 eapol_key_ie = kde.osen; 2523 eapol_key_ie_len = kde.osen_len; 2524 } else { 2525 eapol_key_ie = kde.wpa_ie; 2526 eapol_key_ie_len = kde.wpa_ie_len; 2527 } 2528 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt); 2529 if (sm->wpa_ie == NULL || 2530 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len, 2531 eapol_key_ie, eapol_key_ie_len)) { 2532 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2533 "WPA IE from (Re)AssocReq did not match with msg 2/4"); 2534 if (sm->wpa_ie) { 2535 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 2536 sm->wpa_ie, sm->wpa_ie_len); 2537 } 2538 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 2539 eapol_key_ie, eapol_key_ie_len); 2540 /* MLME-DEAUTHENTICATE.request */ 2541 wpa_sta_disconnect(wpa_auth, sm->addr); 2542 return; 2543 } 2544#ifdef CONFIG_IEEE80211R_AP 2545 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 2546 wpa_sta_disconnect(wpa_auth, sm->addr); 2547 return; 2548 } 2549#endif /* CONFIG_IEEE80211R_AP */ 2550#ifdef CONFIG_P2P 2551 if (kde.ip_addr_req && kde.ip_addr_req[0] && 2552 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 2553 int idx; 2554 wpa_printf(MSG_DEBUG, 2555 "P2P: IP address requested in EAPOL-Key exchange"); 2556 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 2557 if (idx >= 0) { 2558 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start); 2559 bitfield_set(wpa_auth->ip_pool, idx); 2560 WPA_PUT_BE32(sm->ip_addr, start + idx); 2561 wpa_printf(MSG_DEBUG, 2562 "P2P: Assigned IP address %u.%u.%u.%u to " 2563 MACSTR, sm->ip_addr[0], sm->ip_addr[1], 2564 sm->ip_addr[2], sm->ip_addr[3], 2565 MAC2STR(sm->addr)); 2566 } 2567 } 2568#endif /* CONFIG_P2P */ 2569 2570#ifdef CONFIG_IEEE80211R_AP 2571 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2572 /* 2573 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 2574 * with the value we derived. 2575 */ 2576 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 2577 WPA_PMK_NAME_LEN) != 0) { 2578 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2579 "PMKR1Name mismatch in FT 4-way " 2580 "handshake"); 2581 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 2582 "Supplicant", 2583 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 2584 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 2585 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 2586 return; 2587 } 2588 } 2589#endif /* CONFIG_IEEE80211R_AP */ 2590 2591 sm->pending_1_of_4_timeout = 0; 2592 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 2593 2594 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2595 /* PSK may have changed from the previous choice, so update 2596 * state machine data based on whatever PSK was selected here. 2597 */ 2598 os_memcpy(sm->PMK, pmk, PMK_LEN); 2599 sm->pmk_len = PMK_LEN; 2600 } 2601 2602 sm->MICVerified = TRUE; 2603 2604 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 2605 sm->PTK_valid = TRUE; 2606} 2607 2608 2609SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 2610{ 2611 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 2612 sm->TimeoutCtr = 0; 2613} 2614 2615 2616#ifdef CONFIG_IEEE80211W 2617 2618static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2619{ 2620 if (sm->mgmt_frame_prot) { 2621 size_t len; 2622 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2623 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 2624 } 2625 2626 return 0; 2627} 2628 2629 2630static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2631{ 2632 struct wpa_igtk_kde igtk; 2633 struct wpa_group *gsm = sm->group; 2634 u8 rsc[WPA_KEY_RSC_LEN]; 2635 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2636 2637 if (!sm->mgmt_frame_prot) 2638 return pos; 2639 2640 igtk.keyid[0] = gsm->GN_igtk; 2641 igtk.keyid[1] = 0; 2642 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 2643 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 2644 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 2645 else 2646 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 2647 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 2648 if (sm->wpa_auth->conf.disable_gtk) { 2649 /* 2650 * Provide unique random IGTK to each STA to prevent use of 2651 * IGTK in the BSS. 2652 */ 2653 if (random_get_bytes(igtk.igtk, len) < 0) 2654 return pos; 2655 } 2656 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 2657 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 2658 NULL, 0); 2659 2660 return pos; 2661} 2662 2663#else /* CONFIG_IEEE80211W */ 2664 2665static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2666{ 2667 return 0; 2668} 2669 2670 2671static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2672{ 2673 return pos; 2674} 2675 2676#endif /* CONFIG_IEEE80211W */ 2677 2678 2679SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 2680{ 2681 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 2682 size_t gtk_len, kde_len; 2683 struct wpa_group *gsm = sm->group; 2684 u8 *wpa_ie; 2685 int wpa_ie_len, secure, keyidx, encr = 0; 2686 2687 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 2688 sm->TimeoutEvt = FALSE; 2689 2690 sm->TimeoutCtr++; 2691 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2692 /* No point in sending the EAPOL-Key - we will disconnect 2693 * immediately following this. */ 2694 return; 2695 } 2696 2697 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 2698 GTK[GN], IGTK, [FTIE], [TIE * 2]) 2699 */ 2700 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2701 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2702 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 2703 wpa_ie = sm->wpa_auth->wpa_ie; 2704 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 2705 if (sm->wpa == WPA_VERSION_WPA && 2706 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 2707 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 2708 /* WPA-only STA, remove RSN IE and possible MDIE */ 2709 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2710 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 2711 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2712 wpa_ie_len = wpa_ie[1] + 2; 2713 } 2714 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2715 "sending 3/4 msg of 4-Way Handshake"); 2716 if (sm->wpa == WPA_VERSION_WPA2) { 2717 /* WPA2 send GTK in the 4-way handshake */ 2718 secure = 1; 2719 gtk = gsm->GTK[gsm->GN - 1]; 2720 gtk_len = gsm->GTK_len; 2721 if (sm->wpa_auth->conf.disable_gtk) { 2722 /* 2723 * Provide unique random GTK to each STA to prevent use 2724 * of GTK in the BSS. 2725 */ 2726 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 2727 return; 2728 gtk = dummy_gtk; 2729 } 2730 keyidx = gsm->GN; 2731 _rsc = rsc; 2732 encr = 1; 2733 } else { 2734 /* WPA does not include GTK in msg 3/4 */ 2735 secure = 0; 2736 gtk = NULL; 2737 gtk_len = 0; 2738 keyidx = 0; 2739 _rsc = NULL; 2740 if (sm->rx_eapol_key_secure) { 2741 /* 2742 * It looks like Windows 7 supplicant tries to use 2743 * Secure bit in msg 2/4 after having reported Michael 2744 * MIC failure and it then rejects the 4-way handshake 2745 * if msg 3/4 does not set Secure bit. Work around this 2746 * by setting the Secure bit here even in the case of 2747 * WPA if the supplicant used it first. 2748 */ 2749 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2750 "STA used Secure bit in WPA msg 2/4 - " 2751 "set Secure for 3/4 as workaround"); 2752 secure = 1; 2753 } 2754 } 2755 2756 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 2757 if (gtk) 2758 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 2759#ifdef CONFIG_IEEE80211R_AP 2760 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2761 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 2762 kde_len += 300; /* FTIE + 2 * TIE */ 2763 } 2764#endif /* CONFIG_IEEE80211R_AP */ 2765#ifdef CONFIG_P2P 2766 if (WPA_GET_BE32(sm->ip_addr) > 0) 2767 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 2768#endif /* CONFIG_P2P */ 2769 kde = os_malloc(kde_len); 2770 if (kde == NULL) 2771 return; 2772 2773 pos = kde; 2774 os_memcpy(pos, wpa_ie, wpa_ie_len); 2775 pos += wpa_ie_len; 2776#ifdef CONFIG_IEEE80211R_AP 2777 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2778 int res; 2779 size_t elen; 2780 2781 elen = pos - kde; 2782 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 2783 if (res < 0) { 2784 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2785 "PMKR1Name into RSN IE in EAPOL-Key data"); 2786 os_free(kde); 2787 return; 2788 } 2789 pos -= wpa_ie_len; 2790 pos += elen; 2791 } 2792#endif /* CONFIG_IEEE80211R_AP */ 2793 if (gtk) { 2794 u8 hdr[2]; 2795 hdr[0] = keyidx & 0x03; 2796 hdr[1] = 0; 2797 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2798 gtk, gtk_len); 2799 } 2800 pos = ieee80211w_kde_add(sm, pos); 2801 2802#ifdef CONFIG_IEEE80211R_AP 2803 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2804 int res; 2805 struct wpa_auth_config *conf; 2806 2807 conf = &sm->wpa_auth->conf; 2808 if (sm->assoc_resp_ftie && 2809 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 2810 os_memcpy(pos, sm->assoc_resp_ftie, 2811 2 + sm->assoc_resp_ftie[1]); 2812 res = 2 + sm->assoc_resp_ftie[1]; 2813 } else { 2814 res = wpa_write_ftie(conf, conf->r0_key_holder, 2815 conf->r0_key_holder_len, 2816 NULL, NULL, pos, 2817 kde + kde_len - pos, 2818 NULL, 0); 2819 } 2820 if (res < 0) { 2821 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2822 "into EAPOL-Key Key Data"); 2823 os_free(kde); 2824 return; 2825 } 2826 pos += res; 2827 2828 /* TIE[ReassociationDeadline] (TU) */ 2829 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2830 *pos++ = 5; 2831 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 2832 WPA_PUT_LE32(pos, conf->reassociation_deadline); 2833 pos += 4; 2834 2835 /* TIE[KeyLifetime] (seconds) */ 2836 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 2837 *pos++ = 5; 2838 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 2839 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 2840 pos += 4; 2841 } 2842#endif /* CONFIG_IEEE80211R_AP */ 2843#ifdef CONFIG_P2P 2844 if (WPA_GET_BE32(sm->ip_addr) > 0) { 2845 u8 addr[3 * 4]; 2846 os_memcpy(addr, sm->ip_addr, 4); 2847 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 2848 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 2849 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 2850 addr, sizeof(addr), NULL, 0); 2851 } 2852#endif /* CONFIG_P2P */ 2853 2854 wpa_send_eapol(sm->wpa_auth, sm, 2855 (secure ? WPA_KEY_INFO_SECURE : 0) | 2856 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) | 2857 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 2858 WPA_KEY_INFO_KEY_TYPE, 2859 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 2860 os_free(kde); 2861} 2862 2863 2864SM_STATE(WPA_PTK, PTKINITDONE) 2865{ 2866 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 2867 sm->EAPOLKeyReceived = FALSE; 2868 if (sm->Pair) { 2869 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 2870 int klen = wpa_cipher_key_len(sm->pairwise); 2871 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2872 sm->PTK.tk, klen)) { 2873 wpa_sta_disconnect(sm->wpa_auth, sm->addr); 2874 return; 2875 } 2876 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 2877 sm->pairwise_set = TRUE; 2878 2879 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 2880 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 2881 eloop_register_timeout(sm->wpa_auth->conf. 2882 wpa_ptk_rekey, 0, wpa_rekey_ptk, 2883 sm->wpa_auth, sm); 2884 } 2885 2886 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2887 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2888 WPA_EAPOL_authorized, 1); 2889 } 2890 } 2891 2892 if (0 /* IBSS == TRUE */) { 2893 sm->keycount++; 2894 if (sm->keycount == 2) { 2895 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 2896 WPA_EAPOL_portValid, 1); 2897 } 2898 } else { 2899 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 2900 1); 2901 } 2902 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 2903 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 2904 if (sm->wpa == WPA_VERSION_WPA) 2905 sm->PInitAKeys = TRUE; 2906 else 2907 sm->has_GTK = TRUE; 2908 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2909 "pairwise key handshake completed (%s)", 2910 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 2911 2912#ifdef CONFIG_IEEE80211R_AP 2913 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 2914#endif /* CONFIG_IEEE80211R_AP */ 2915} 2916 2917 2918SM_STEP(WPA_PTK) 2919{ 2920 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2921 2922 if (sm->Init) 2923 SM_ENTER(WPA_PTK, INITIALIZE); 2924 else if (sm->Disconnect 2925 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 2926 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 2927 "WPA_PTK: sm->Disconnect"); 2928 SM_ENTER(WPA_PTK, DISCONNECT); 2929 } 2930 else if (sm->DeauthenticationRequest) 2931 SM_ENTER(WPA_PTK, DISCONNECTED); 2932 else if (sm->AuthenticationRequest) 2933 SM_ENTER(WPA_PTK, AUTHENTICATION); 2934 else if (sm->ReAuthenticationRequest) 2935 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2936 else if (sm->PTKRequest) 2937 SM_ENTER(WPA_PTK, PTKSTART); 2938 else switch (sm->wpa_ptk_state) { 2939 case WPA_PTK_INITIALIZE: 2940 break; 2941 case WPA_PTK_DISCONNECT: 2942 SM_ENTER(WPA_PTK, DISCONNECTED); 2943 break; 2944 case WPA_PTK_DISCONNECTED: 2945 SM_ENTER(WPA_PTK, INITIALIZE); 2946 break; 2947 case WPA_PTK_AUTHENTICATION: 2948 SM_ENTER(WPA_PTK, AUTHENTICATION2); 2949 break; 2950 case WPA_PTK_AUTHENTICATION2: 2951 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 2952 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2953 WPA_EAPOL_keyRun) > 0) 2954 SM_ENTER(WPA_PTK, INITPMK); 2955 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) 2956 /* FIX: && 802.1X::keyRun */) 2957 SM_ENTER(WPA_PTK, INITPSK); 2958 break; 2959 case WPA_PTK_INITPMK: 2960 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 2961 WPA_EAPOL_keyAvailable) > 0) 2962 SM_ENTER(WPA_PTK, PTKSTART); 2963 else { 2964 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2965 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2966 "INITPMK - keyAvailable = false"); 2967 SM_ENTER(WPA_PTK, DISCONNECT); 2968 } 2969 break; 2970 case WPA_PTK_INITPSK: 2971 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 2972 NULL)) 2973 SM_ENTER(WPA_PTK, PTKSTART); 2974 else { 2975 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2976 "no PSK configured for the STA"); 2977 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2978 SM_ENTER(WPA_PTK, DISCONNECT); 2979 } 2980 break; 2981 case WPA_PTK_PTKSTART: 2982 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 2983 sm->EAPOLKeyPairwise) 2984 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 2985 else if (sm->TimeoutCtr > 2986 sm->wpa_auth->conf.wpa_pairwise_update_count) { 2987 wpa_auth->dot11RSNA4WayHandshakeFailures++; 2988 wpa_auth_vlogger( 2989 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2990 "PTKSTART: Retry limit %u reached", 2991 sm->wpa_auth->conf.wpa_pairwise_update_count); 2992 SM_ENTER(WPA_PTK, DISCONNECT); 2993 } else if (sm->TimeoutEvt) 2994 SM_ENTER(WPA_PTK, PTKSTART); 2995 break; 2996 case WPA_PTK_PTKCALCNEGOTIATING: 2997 if (sm->MICVerified) 2998 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 2999 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3000 sm->EAPOLKeyPairwise) 3001 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3002 else if (sm->TimeoutEvt) 3003 SM_ENTER(WPA_PTK, PTKSTART); 3004 break; 3005 case WPA_PTK_PTKCALCNEGOTIATING2: 3006 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3007 break; 3008 case WPA_PTK_PTKINITNEGOTIATING: 3009 if (sm->update_snonce) 3010 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3011 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3012 sm->EAPOLKeyPairwise && sm->MICVerified) 3013 SM_ENTER(WPA_PTK, PTKINITDONE); 3014 else if (sm->TimeoutCtr > 3015 sm->wpa_auth->conf.wpa_pairwise_update_count) { 3016 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3017 wpa_auth_vlogger( 3018 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3019 "PTKINITNEGOTIATING: Retry limit %u reached", 3020 sm->wpa_auth->conf.wpa_pairwise_update_count); 3021 SM_ENTER(WPA_PTK, DISCONNECT); 3022 } else if (sm->TimeoutEvt) 3023 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3024 break; 3025 case WPA_PTK_PTKINITDONE: 3026 break; 3027 } 3028} 3029 3030 3031SM_STATE(WPA_PTK_GROUP, IDLE) 3032{ 3033 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 3034 if (sm->Init) { 3035 /* Init flag is not cleared here, so avoid busy 3036 * loop by claiming nothing changed. */ 3037 sm->changed = FALSE; 3038 } 3039 sm->GTimeoutCtr = 0; 3040} 3041 3042 3043SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 3044{ 3045 u8 rsc[WPA_KEY_RSC_LEN]; 3046 struct wpa_group *gsm = sm->group; 3047 const u8 *kde; 3048 u8 *kde_buf = NULL, *pos, hdr[2]; 3049 size_t kde_len; 3050 u8 *gtk, dummy_gtk[32]; 3051 3052 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 3053 3054 sm->GTimeoutCtr++; 3055 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) { 3056 /* No point in sending the EAPOL-Key - we will disconnect 3057 * immediately following this. */ 3058 return; 3059 } 3060 3061 if (sm->wpa == WPA_VERSION_WPA) 3062 sm->PInitAKeys = FALSE; 3063 sm->TimeoutEvt = FALSE; 3064 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 3065 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3066 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 3067 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3068 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3069 "sending 1/2 msg of Group Key Handshake"); 3070 3071 gtk = gsm->GTK[gsm->GN - 1]; 3072 if (sm->wpa_auth->conf.disable_gtk) { 3073 /* 3074 * Provide unique random GTK to each STA to prevent use 3075 * of GTK in the BSS. 3076 */ 3077 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 3078 return; 3079 gtk = dummy_gtk; 3080 } 3081 if (sm->wpa == WPA_VERSION_WPA2) { 3082 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 3083 ieee80211w_kde_len(sm); 3084 kde_buf = os_malloc(kde_len); 3085 if (kde_buf == NULL) 3086 return; 3087 3088 kde = pos = kde_buf; 3089 hdr[0] = gsm->GN & 0x03; 3090 hdr[1] = 0; 3091 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3092 gtk, gsm->GTK_len); 3093 pos = ieee80211w_kde_add(sm, pos); 3094 kde_len = pos - kde; 3095 } else { 3096 kde = gtk; 3097 kde_len = gsm->GTK_len; 3098 } 3099 3100 wpa_send_eapol(sm->wpa_auth, sm, 3101 WPA_KEY_INFO_SECURE | 3102 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) | 3103 WPA_KEY_INFO_ACK | 3104 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 3105 rsc, NULL, kde, kde_len, gsm->GN, 1); 3106 3107 os_free(kde_buf); 3108} 3109 3110 3111SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 3112{ 3113 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 3114 sm->EAPOLKeyReceived = FALSE; 3115 if (sm->GUpdateStationKeys) 3116 sm->group->GKeyDoneStations--; 3117 sm->GUpdateStationKeys = FALSE; 3118 sm->GTimeoutCtr = 0; 3119 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 3120 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3121 "group key handshake completed (%s)", 3122 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3123 sm->has_GTK = TRUE; 3124} 3125 3126 3127SM_STATE(WPA_PTK_GROUP, KEYERROR) 3128{ 3129 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 3130 if (sm->GUpdateStationKeys) 3131 sm->group->GKeyDoneStations--; 3132 sm->GUpdateStationKeys = FALSE; 3133 sm->Disconnect = TRUE; 3134 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3135 "group key handshake failed (%s) after %u tries", 3136 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN", 3137 sm->wpa_auth->conf.wpa_group_update_count); 3138} 3139 3140 3141SM_STEP(WPA_PTK_GROUP) 3142{ 3143 if (sm->Init || sm->PtkGroupInit) { 3144 SM_ENTER(WPA_PTK_GROUP, IDLE); 3145 sm->PtkGroupInit = FALSE; 3146 } else switch (sm->wpa_ptk_group_state) { 3147 case WPA_PTK_GROUP_IDLE: 3148 if (sm->GUpdateStationKeys || 3149 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 3150 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3151 break; 3152 case WPA_PTK_GROUP_REKEYNEGOTIATING: 3153 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3154 !sm->EAPOLKeyPairwise && sm->MICVerified) 3155 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 3156 else if (sm->GTimeoutCtr > 3157 sm->wpa_auth->conf.wpa_group_update_count) 3158 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 3159 else if (sm->TimeoutEvt) 3160 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3161 break; 3162 case WPA_PTK_GROUP_KEYERROR: 3163 SM_ENTER(WPA_PTK_GROUP, IDLE); 3164 break; 3165 case WPA_PTK_GROUP_REKEYESTABLISHED: 3166 SM_ENTER(WPA_PTK_GROUP, IDLE); 3167 break; 3168 } 3169} 3170 3171 3172static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 3173 struct wpa_group *group) 3174{ 3175 int ret = 0; 3176 3177 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3178 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3179 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 3180 wpa_auth->addr, group->GNonce, 3181 group->GTK[group->GN - 1], group->GTK_len) < 0) 3182 ret = -1; 3183 wpa_hexdump_key(MSG_DEBUG, "GTK", 3184 group->GTK[group->GN - 1], group->GTK_len); 3185 3186#ifdef CONFIG_IEEE80211W 3187 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3188 size_t len; 3189 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3190 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3191 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3192 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 3193 wpa_auth->addr, group->GNonce, 3194 group->IGTK[group->GN_igtk - 4], len) < 0) 3195 ret = -1; 3196 wpa_hexdump_key(MSG_DEBUG, "IGTK", 3197 group->IGTK[group->GN_igtk - 4], len); 3198 } 3199#endif /* CONFIG_IEEE80211W */ 3200 3201 return ret; 3202} 3203 3204 3205static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 3206 struct wpa_group *group) 3207{ 3208 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3209 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 3210 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 3211 group->wpa_group_state = WPA_GROUP_GTK_INIT; 3212 3213 /* GTK[0..N] = 0 */ 3214 os_memset(group->GTK, 0, sizeof(group->GTK)); 3215 group->GN = 1; 3216 group->GM = 2; 3217#ifdef CONFIG_IEEE80211W 3218 group->GN_igtk = 4; 3219 group->GM_igtk = 5; 3220#endif /* CONFIG_IEEE80211W */ 3221 /* GTK[GN] = CalcGTK() */ 3222 wpa_gtk_update(wpa_auth, group); 3223} 3224 3225 3226static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 3227{ 3228 if (ctx != NULL && ctx != sm->group) 3229 return 0; 3230 3231 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 3232 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3233 "Not in PTKINITDONE; skip Group Key update"); 3234 sm->GUpdateStationKeys = FALSE; 3235 return 0; 3236 } 3237 if (sm->GUpdateStationKeys) { 3238 /* 3239 * This should not really happen, so add a debug log entry. 3240 * Since we clear the GKeyDoneStations before the loop, the 3241 * station needs to be counted here anyway. 3242 */ 3243 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3244 "GUpdateStationKeys was already set when " 3245 "marking station for GTK rekeying"); 3246 } 3247 3248 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 3249 if (sm->is_wnmsleep) 3250 return 0; 3251 3252 sm->group->GKeyDoneStations++; 3253 sm->GUpdateStationKeys = TRUE; 3254 3255 wpa_sm_step(sm); 3256 return 0; 3257} 3258 3259 3260#ifdef CONFIG_WNM 3261/* update GTK when exiting WNM-Sleep Mode */ 3262void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 3263{ 3264 if (sm == NULL || sm->is_wnmsleep) 3265 return; 3266 3267 wpa_group_update_sta(sm, NULL); 3268} 3269 3270 3271void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 3272{ 3273 if (sm) 3274 sm->is_wnmsleep = !!flag; 3275} 3276 3277 3278int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3279{ 3280 struct wpa_group *gsm = sm->group; 3281 u8 *start = pos; 3282 3283 /* 3284 * GTK subelement: 3285 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 3286 * Key[5..32] 3287 */ 3288 *pos++ = WNM_SLEEP_SUBELEM_GTK; 3289 *pos++ = 11 + gsm->GTK_len; 3290 /* Key ID in B0-B1 of Key Info */ 3291 WPA_PUT_LE16(pos, gsm->GN & 0x03); 3292 pos += 2; 3293 *pos++ = gsm->GTK_len; 3294 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 3295 return 0; 3296 pos += 8; 3297 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3298 pos += gsm->GTK_len; 3299 3300 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 3301 gsm->GN); 3302 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 3303 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3304 3305 return pos - start; 3306} 3307 3308 3309#ifdef CONFIG_IEEE80211W 3310int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3311{ 3312 struct wpa_group *gsm = sm->group; 3313 u8 *start = pos; 3314 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3315 3316 /* 3317 * IGTK subelement: 3318 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 3319 */ 3320 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 3321 *pos++ = 2 + 6 + len; 3322 WPA_PUT_LE16(pos, gsm->GN_igtk); 3323 pos += 2; 3324 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 3325 return 0; 3326 pos += 6; 3327 3328 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 3329 pos += len; 3330 3331 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 3332 gsm->GN_igtk); 3333 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 3334 gsm->IGTK[gsm->GN_igtk - 4], len); 3335 3336 return pos - start; 3337} 3338#endif /* CONFIG_IEEE80211W */ 3339#endif /* CONFIG_WNM */ 3340 3341 3342static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 3343 struct wpa_group *group) 3344{ 3345 int tmp; 3346 3347 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3348 "SETKEYS (VLAN-ID %d)", group->vlan_id); 3349 group->changed = TRUE; 3350 group->wpa_group_state = WPA_GROUP_SETKEYS; 3351 group->GTKReKey = FALSE; 3352 tmp = group->GM; 3353 group->GM = group->GN; 3354 group->GN = tmp; 3355#ifdef CONFIG_IEEE80211W 3356 tmp = group->GM_igtk; 3357 group->GM_igtk = group->GN_igtk; 3358 group->GN_igtk = tmp; 3359#endif /* CONFIG_IEEE80211W */ 3360 /* "GKeyDoneStations = GNoStations" is done in more robust way by 3361 * counting the STAs that are marked with GUpdateStationKeys instead of 3362 * including all STAs that could be in not-yet-completed state. */ 3363 wpa_gtk_update(wpa_auth, group); 3364 3365 if (group->GKeyDoneStations) { 3366 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 3367 "GKeyDoneStations=%d when starting new GTK rekey", 3368 group->GKeyDoneStations); 3369 group->GKeyDoneStations = 0; 3370 } 3371 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 3372 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 3373 group->GKeyDoneStations); 3374} 3375 3376 3377static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 3378 struct wpa_group *group) 3379{ 3380 int ret = 0; 3381 3382 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 3383 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 3384 broadcast_ether_addr, group->GN, 3385 group->GTK[group->GN - 1], group->GTK_len) < 0) 3386 ret = -1; 3387 3388#ifdef CONFIG_IEEE80211W 3389 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3390 enum wpa_alg alg; 3391 size_t len; 3392 3393 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 3394 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3395 3396 if (ret == 0 && 3397 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 3398 broadcast_ether_addr, group->GN_igtk, 3399 group->IGTK[group->GN_igtk - 4], len) < 0) 3400 ret = -1; 3401 } 3402#endif /* CONFIG_IEEE80211W */ 3403 3404 return ret; 3405} 3406 3407 3408static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 3409{ 3410 if (sm->group == ctx) { 3411 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 3412 " for discconnection due to fatal failure", 3413 MAC2STR(sm->addr)); 3414 sm->Disconnect = TRUE; 3415 } 3416 3417 return 0; 3418} 3419 3420 3421static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 3422 struct wpa_group *group) 3423{ 3424 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 3425 group->changed = TRUE; 3426 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 3427 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 3428} 3429 3430 3431static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 3432 struct wpa_group *group) 3433{ 3434 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3435 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 3436 group->changed = TRUE; 3437 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 3438 3439 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 3440 wpa_group_fatal_failure(wpa_auth, group); 3441 return -1; 3442 } 3443 3444 return 0; 3445} 3446 3447 3448static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 3449 struct wpa_group *group) 3450{ 3451 if (group->GInit) { 3452 wpa_group_gtk_init(wpa_auth, group); 3453 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 3454 /* Do not allow group operations */ 3455 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 3456 group->GTKAuthenticator) { 3457 wpa_group_setkeysdone(wpa_auth, group); 3458 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 3459 group->GTKReKey) { 3460 wpa_group_setkeys(wpa_auth, group); 3461 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 3462 if (group->GKeyDoneStations == 0) 3463 wpa_group_setkeysdone(wpa_auth, group); 3464 else if (group->GTKReKey) 3465 wpa_group_setkeys(wpa_auth, group); 3466 } 3467} 3468 3469 3470static int wpa_sm_step(struct wpa_state_machine *sm) 3471{ 3472 if (sm == NULL) 3473 return 0; 3474 3475 if (sm->in_step_loop) { 3476 /* This should not happen, but if it does, make sure we do not 3477 * end up freeing the state machine too early by exiting the 3478 * recursive call. */ 3479 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 3480 return 0; 3481 } 3482 3483 sm->in_step_loop = 1; 3484 do { 3485 if (sm->pending_deinit) 3486 break; 3487 3488 sm->changed = FALSE; 3489 sm->wpa_auth->group->changed = FALSE; 3490 3491 SM_STEP_RUN(WPA_PTK); 3492 if (sm->pending_deinit) 3493 break; 3494 SM_STEP_RUN(WPA_PTK_GROUP); 3495 if (sm->pending_deinit) 3496 break; 3497 wpa_group_sm_step(sm->wpa_auth, sm->group); 3498 } while (sm->changed || sm->wpa_auth->group->changed); 3499 sm->in_step_loop = 0; 3500 3501 if (sm->pending_deinit) { 3502 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 3503 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 3504 wpa_free_sta_sm(sm); 3505 return 1; 3506 } 3507 return 0; 3508} 3509 3510 3511static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 3512{ 3513 struct wpa_state_machine *sm = eloop_ctx; 3514 wpa_sm_step(sm); 3515} 3516 3517 3518void wpa_auth_sm_notify(struct wpa_state_machine *sm) 3519{ 3520 if (sm == NULL) 3521 return; 3522 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 3523} 3524 3525 3526void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 3527{ 3528 int tmp, i; 3529 struct wpa_group *group; 3530 3531 if (wpa_auth == NULL) 3532 return; 3533 3534 group = wpa_auth->group; 3535 3536 for (i = 0; i < 2; i++) { 3537 tmp = group->GM; 3538 group->GM = group->GN; 3539 group->GN = tmp; 3540#ifdef CONFIG_IEEE80211W 3541 tmp = group->GM_igtk; 3542 group->GM_igtk = group->GN_igtk; 3543 group->GN_igtk = tmp; 3544#endif /* CONFIG_IEEE80211W */ 3545 wpa_gtk_update(wpa_auth, group); 3546 wpa_group_config_group_keys(wpa_auth, group); 3547 } 3548} 3549 3550 3551static const char * wpa_bool_txt(int val) 3552{ 3553 return val ? "TRUE" : "FALSE"; 3554} 3555 3556 3557#define RSN_SUITE "%02x-%02x-%02x-%d" 3558#define RSN_SUITE_ARG(s) \ 3559((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 3560 3561int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 3562{ 3563 int len = 0, ret; 3564 char pmkid_txt[PMKID_LEN * 2 + 1]; 3565#ifdef CONFIG_RSN_PREAUTH 3566 const int preauth = 1; 3567#else /* CONFIG_RSN_PREAUTH */ 3568 const int preauth = 0; 3569#endif /* CONFIG_RSN_PREAUTH */ 3570 3571 if (wpa_auth == NULL) 3572 return len; 3573 3574 ret = os_snprintf(buf + len, buflen - len, 3575 "dot11RSNAOptionImplemented=TRUE\n" 3576 "dot11RSNAPreauthenticationImplemented=%s\n" 3577 "dot11RSNAEnabled=%s\n" 3578 "dot11RSNAPreauthenticationEnabled=%s\n", 3579 wpa_bool_txt(preauth), 3580 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 3581 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 3582 if (os_snprintf_error(buflen - len, ret)) 3583 return len; 3584 len += ret; 3585 3586 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 3587 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 3588 3589 ret = os_snprintf( 3590 buf + len, buflen - len, 3591 "dot11RSNAConfigVersion=%u\n" 3592 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 3593 /* FIX: dot11RSNAConfigGroupCipher */ 3594 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 3595 /* FIX: dot11RSNAConfigGroupRekeyTime */ 3596 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 3597 "dot11RSNAConfigGroupRekeyStrict=%u\n" 3598 "dot11RSNAConfigGroupUpdateCount=%u\n" 3599 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 3600 "dot11RSNAConfigGroupCipherSize=%u\n" 3601 "dot11RSNAConfigPMKLifetime=%u\n" 3602 "dot11RSNAConfigPMKReauthThreshold=%u\n" 3603 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 3604 "dot11RSNAConfigSATimeout=%u\n" 3605 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 3606 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 3607 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 3608 "dot11RSNAPMKIDUsed=%s\n" 3609 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 3610 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 3611 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 3612 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 3613 "dot11RSNA4WayHandshakeFailures=%u\n" 3614 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 3615 RSN_VERSION, 3616 !!wpa_auth->conf.wpa_strict_rekey, 3617 wpa_auth->conf.wpa_group_update_count, 3618 wpa_auth->conf.wpa_pairwise_update_count, 3619 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 3620 dot11RSNAConfigPMKLifetime, 3621 dot11RSNAConfigPMKReauthThreshold, 3622 dot11RSNAConfigSATimeout, 3623 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 3624 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 3625 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 3626 pmkid_txt, 3627 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 3628 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 3629 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 3630 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 3631 wpa_auth->dot11RSNA4WayHandshakeFailures); 3632 if (os_snprintf_error(buflen - len, ret)) 3633 return len; 3634 len += ret; 3635 3636 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 3637 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 3638 3639 /* Private MIB */ 3640 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 3641 wpa_auth->group->wpa_group_state); 3642 if (os_snprintf_error(buflen - len, ret)) 3643 return len; 3644 len += ret; 3645 3646 return len; 3647} 3648 3649 3650int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 3651{ 3652 int len = 0, ret; 3653 u32 pairwise = 0; 3654 3655 if (sm == NULL) 3656 return 0; 3657 3658 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 3659 3660 /* dot11RSNAStatsEntry */ 3661 3662 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 3663 WPA_PROTO_RSN : WPA_PROTO_WPA, 3664 sm->pairwise); 3665 if (pairwise == 0) 3666 return 0; 3667 3668 ret = os_snprintf( 3669 buf + len, buflen - len, 3670 /* TODO: dot11RSNAStatsIndex */ 3671 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 3672 "dot11RSNAStatsVersion=1\n" 3673 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 3674 /* TODO: dot11RSNAStatsTKIPICVErrors */ 3675 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 3676 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 3677 /* TODO: dot11RSNAStatsCCMPReplays */ 3678 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 3679 /* TODO: dot11RSNAStatsTKIPReplays */, 3680 MAC2STR(sm->addr), 3681 RSN_SUITE_ARG(pairwise), 3682 sm->dot11RSNAStatsTKIPLocalMICFailures, 3683 sm->dot11RSNAStatsTKIPRemoteMICFailures); 3684 if (os_snprintf_error(buflen - len, ret)) 3685 return len; 3686 len += ret; 3687 3688 /* Private MIB */ 3689 ret = os_snprintf(buf + len, buflen - len, 3690 "hostapdWPAPTKState=%d\n" 3691 "hostapdWPAPTKGroupState=%d\n", 3692 sm->wpa_ptk_state, 3693 sm->wpa_ptk_group_state); 3694 if (os_snprintf_error(buflen - len, ret)) 3695 return len; 3696 len += ret; 3697 3698 return len; 3699} 3700 3701 3702void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 3703{ 3704 if (wpa_auth) 3705 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 3706} 3707 3708 3709int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 3710{ 3711 return sm && sm->pairwise_set; 3712} 3713 3714 3715int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 3716{ 3717 return sm->pairwise; 3718} 3719 3720 3721int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 3722{ 3723 if (sm == NULL) 3724 return -1; 3725 return sm->wpa_key_mgmt; 3726} 3727 3728 3729int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 3730{ 3731 if (sm == NULL) 3732 return 0; 3733 return sm->wpa; 3734} 3735 3736 3737int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 3738 struct rsn_pmksa_cache_entry *entry) 3739{ 3740 if (sm == NULL || sm->pmksa != entry) 3741 return -1; 3742 sm->pmksa = NULL; 3743 return 0; 3744} 3745 3746 3747struct rsn_pmksa_cache_entry * 3748wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 3749{ 3750 return sm ? sm->pmksa : NULL; 3751} 3752 3753 3754void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 3755{ 3756 if (sm) 3757 sm->dot11RSNAStatsTKIPLocalMICFailures++; 3758} 3759 3760 3761const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 3762{ 3763 if (wpa_auth == NULL) 3764 return NULL; 3765 *len = wpa_auth->wpa_ie_len; 3766 return wpa_auth->wpa_ie; 3767} 3768 3769 3770int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 3771 unsigned int pmk_len, 3772 int session_timeout, struct eapol_state_machine *eapol) 3773{ 3774 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 3775 sm->wpa_auth->conf.disable_pmksa_caching) 3776 return -1; 3777 3778 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 3779 if (pmk_len > PMK_LEN_SUITE_B_192) 3780 pmk_len = PMK_LEN_SUITE_B_192; 3781 } else if (pmk_len > PMK_LEN) { 3782 pmk_len = PMK_LEN; 3783 } 3784 3785 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 3786 sm->PTK.kck, sm->PTK.kck_len, 3787 sm->wpa_auth->addr, sm->addr, session_timeout, 3788 eapol, sm->wpa_key_mgmt)) 3789 return 0; 3790 3791 return -1; 3792} 3793 3794 3795int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 3796 const u8 *pmk, size_t len, const u8 *sta_addr, 3797 int session_timeout, 3798 struct eapol_state_machine *eapol) 3799{ 3800 if (wpa_auth == NULL) 3801 return -1; 3802 3803 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 3804 NULL, 0, 3805 wpa_auth->addr, 3806 sta_addr, session_timeout, eapol, 3807 WPA_KEY_MGMT_IEEE8021X)) 3808 return 0; 3809 3810 return -1; 3811} 3812 3813 3814int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 3815 const u8 *pmk, const u8 *pmkid) 3816{ 3817 if (wpa_auth->conf.disable_pmksa_caching) 3818 return -1; 3819 3820 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 3821 NULL, 0, 3822 wpa_auth->addr, addr, 0, NULL, 3823 WPA_KEY_MGMT_SAE)) 3824 return 0; 3825 3826 return -1; 3827} 3828 3829 3830void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 3831 const u8 *sta_addr) 3832{ 3833 struct rsn_pmksa_cache_entry *pmksa; 3834 3835 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 3836 return; 3837 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 3838 if (pmksa) { 3839 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 3840 MACSTR " based on request", MAC2STR(sta_addr)); 3841 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 3842 } 3843} 3844 3845 3846int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 3847 size_t len) 3848{ 3849 if (!wpa_auth || !wpa_auth->pmksa) 3850 return 0; 3851 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 3852} 3853 3854 3855void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 3856{ 3857 if (wpa_auth && wpa_auth->pmksa) 3858 pmksa_cache_auth_flush(wpa_auth->pmksa); 3859} 3860 3861 3862#ifdef CONFIG_PMKSA_CACHE_EXTERNAL 3863#ifdef CONFIG_MESH 3864 3865int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr, 3866 char *buf, size_t len) 3867{ 3868 if (!wpa_auth || !wpa_auth->pmksa) 3869 return 0; 3870 3871 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len); 3872} 3873 3874 3875struct rsn_pmksa_cache_entry * 3876wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk, 3877 const u8 *pmkid, int expiration) 3878{ 3879 struct rsn_pmksa_cache_entry *entry; 3880 struct os_reltime now; 3881 3882 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa, 3883 spa, 0, NULL, WPA_KEY_MGMT_SAE); 3884 if (!entry) 3885 return NULL; 3886 3887 os_get_reltime(&now); 3888 entry->expiration = now.sec + expiration; 3889 return entry; 3890} 3891 3892 3893int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth, 3894 struct rsn_pmksa_cache_entry *entry) 3895{ 3896 int ret; 3897 3898 if (!wpa_auth || !wpa_auth->pmksa) 3899 return -1; 3900 3901 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry); 3902 if (ret < 0) 3903 wpa_printf(MSG_DEBUG, 3904 "RSN: Failed to store external PMKSA cache for " 3905 MACSTR, MAC2STR(entry->spa)); 3906 3907 return ret; 3908} 3909 3910#endif /* CONFIG_MESH */ 3911#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 3912 3913 3914struct rsn_pmksa_cache_entry * 3915wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, 3916 const u8 *pmkid) 3917{ 3918 if (!wpa_auth || !wpa_auth->pmksa) 3919 return NULL; 3920 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid); 3921} 3922 3923 3924void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 3925 struct wpa_state_machine *sm, 3926 struct wpa_authenticator *wpa_auth, 3927 u8 *pmkid, u8 *pmk) 3928{ 3929 if (!sm) 3930 return; 3931 3932 sm->pmksa = pmksa; 3933 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 3934 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 3935 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 3936} 3937 3938 3939/* 3940 * Remove and free the group from wpa_authenticator. This is triggered by a 3941 * callback to make sure nobody is currently iterating the group list while it 3942 * gets modified. 3943 */ 3944static void wpa_group_free(struct wpa_authenticator *wpa_auth, 3945 struct wpa_group *group) 3946{ 3947 struct wpa_group *prev = wpa_auth->group; 3948 3949 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 3950 group->vlan_id); 3951 3952 while (prev) { 3953 if (prev->next == group) { 3954 /* This never frees the special first group as needed */ 3955 prev->next = group->next; 3956 os_free(group); 3957 break; 3958 } 3959 prev = prev->next; 3960 } 3961 3962} 3963 3964 3965/* Increase the reference counter for group */ 3966static void wpa_group_get(struct wpa_authenticator *wpa_auth, 3967 struct wpa_group *group) 3968{ 3969 /* Skip the special first group */ 3970 if (wpa_auth->group == group) 3971 return; 3972 3973 group->references++; 3974} 3975 3976 3977/* Decrease the reference counter and maybe free the group */ 3978static void wpa_group_put(struct wpa_authenticator *wpa_auth, 3979 struct wpa_group *group) 3980{ 3981 /* Skip the special first group */ 3982 if (wpa_auth->group == group) 3983 return; 3984 3985 group->references--; 3986 if (group->references) 3987 return; 3988 wpa_group_free(wpa_auth, group); 3989} 3990 3991 3992/* 3993 * Add a group that has its references counter set to zero. Caller needs to 3994 * call wpa_group_get() on the return value to mark the entry in use. 3995 */ 3996static struct wpa_group * 3997wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 3998{ 3999 struct wpa_group *group; 4000 4001 if (wpa_auth == NULL || wpa_auth->group == NULL) 4002 return NULL; 4003 4004 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 4005 vlan_id); 4006 group = wpa_group_init(wpa_auth, vlan_id, 0); 4007 if (group == NULL) 4008 return NULL; 4009 4010 group->next = wpa_auth->group->next; 4011 wpa_auth->group->next = group; 4012 4013 return group; 4014} 4015 4016 4017/* 4018 * Enforce that the group state machine for the VLAN is running, increase 4019 * reference counter as interface is up. References might have been increased 4020 * even if a negative value is returned. 4021 * Returns: -1 on error (group missing, group already failed); otherwise, 0 4022 */ 4023int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4024{ 4025 struct wpa_group *group; 4026 4027 if (wpa_auth == NULL) 4028 return 0; 4029 4030 group = wpa_auth->group; 4031 while (group) { 4032 if (group->vlan_id == vlan_id) 4033 break; 4034 group = group->next; 4035 } 4036 4037 if (group == NULL) { 4038 group = wpa_auth_add_group(wpa_auth, vlan_id); 4039 if (group == NULL) 4040 return -1; 4041 } 4042 4043 wpa_printf(MSG_DEBUG, 4044 "WPA: Ensure group state machine running for VLAN ID %d", 4045 vlan_id); 4046 4047 wpa_group_get(wpa_auth, group); 4048 group->num_setup_iface++; 4049 4050 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4051 return -1; 4052 4053 return 0; 4054} 4055 4056 4057/* 4058 * Decrease reference counter, expected to be zero afterwards. 4059 * returns: -1 on error (group not found, group in fail state) 4060 * -2 if wpa_group is still referenced 4061 * 0 else 4062 */ 4063int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4064{ 4065 struct wpa_group *group; 4066 int ret = 0; 4067 4068 if (wpa_auth == NULL) 4069 return 0; 4070 4071 group = wpa_auth->group; 4072 while (group) { 4073 if (group->vlan_id == vlan_id) 4074 break; 4075 group = group->next; 4076 } 4077 4078 if (group == NULL) 4079 return -1; 4080 4081 wpa_printf(MSG_DEBUG, 4082 "WPA: Try stopping group state machine for VLAN ID %d", 4083 vlan_id); 4084 4085 if (group->num_setup_iface <= 0) { 4086 wpa_printf(MSG_ERROR, 4087 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 4088 vlan_id); 4089 return -1; 4090 } 4091 group->num_setup_iface--; 4092 4093 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4094 ret = -1; 4095 4096 if (group->references > 1) { 4097 wpa_printf(MSG_DEBUG, 4098 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 4099 vlan_id); 4100 ret = -2; 4101 } 4102 4103 wpa_group_put(wpa_auth, group); 4104 4105 return ret; 4106} 4107 4108 4109int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 4110{ 4111 struct wpa_group *group; 4112 4113 if (sm == NULL || sm->wpa_auth == NULL) 4114 return 0; 4115 4116 group = sm->wpa_auth->group; 4117 while (group) { 4118 if (group->vlan_id == vlan_id) 4119 break; 4120 group = group->next; 4121 } 4122 4123 if (group == NULL) { 4124 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 4125 if (group == NULL) 4126 return -1; 4127 } 4128 4129 if (sm->group == group) 4130 return 0; 4131 4132 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4133 return -1; 4134 4135 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 4136 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 4137 4138 wpa_group_get(sm->wpa_auth, group); 4139 wpa_group_put(sm->wpa_auth, sm->group); 4140 sm->group = group; 4141 4142 return 0; 4143} 4144 4145 4146void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 4147 struct wpa_state_machine *sm, int ack) 4148{ 4149 if (wpa_auth == NULL || sm == NULL) 4150 return; 4151 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 4152 " ack=%d", MAC2STR(sm->addr), ack); 4153 if (sm->pending_1_of_4_timeout && ack) { 4154 /* 4155 * Some deployed supplicant implementations update their SNonce 4156 * for each EAPOL-Key 2/4 message even within the same 4-way 4157 * handshake and then fail to use the first SNonce when 4158 * deriving the PTK. This results in unsuccessful 4-way 4159 * handshake whenever the relatively short initial timeout is 4160 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 4161 * around this by increasing the timeout now that we know that 4162 * the station has received the frame. 4163 */ 4164 int timeout_ms = eapol_key_timeout_subseq; 4165 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 4166 "timeout by %u ms because of acknowledged frame", 4167 timeout_ms); 4168 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 4169 eloop_register_timeout(timeout_ms / 1000, 4170 (timeout_ms % 1000) * 1000, 4171 wpa_send_eapol_timeout, wpa_auth, sm); 4172 } 4173} 4174 4175 4176int wpa_auth_uses_sae(struct wpa_state_machine *sm) 4177{ 4178 if (sm == NULL) 4179 return 0; 4180 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 4181} 4182 4183 4184int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 4185{ 4186 if (sm == NULL) 4187 return 0; 4188 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 4189} 4190 4191 4192#ifdef CONFIG_P2P 4193int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 4194{ 4195 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 4196 return -1; 4197 os_memcpy(addr, sm->ip_addr, 4); 4198 return 0; 4199} 4200#endif /* CONFIG_P2P */ 4201 4202 4203int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 4204 struct radius_das_attrs *attr) 4205{ 4206 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 4207} 4208 4209 4210void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 4211{ 4212 struct wpa_group *group; 4213 4214 if (!wpa_auth) 4215 return; 4216 for (group = wpa_auth->group; group; group = group->next) 4217 wpa_group_config_group_keys(wpa_auth, group); 4218} 4219