1/* 2 * IEEE 802.11 RSN / WPA Authenticator 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "utils/state_machine.h" 14#include "utils/bitfield.h" 15#include "common/ieee802_11_defs.h" 16#include "crypto/aes.h" 17#include "crypto/aes_wrap.h" 18#include "crypto/aes_siv.h" 19#include "crypto/crypto.h" 20#include "crypto/sha1.h" 21#include "crypto/sha256.h" 22#include "crypto/random.h" 23#include "eapol_auth/eapol_auth_sm.h" 24#include "ap_config.h" 25#include "ieee802_11.h" 26#include "wpa_auth.h" 27#include "pmksa_cache_auth.h" 28#include "wpa_auth_i.h" 29#include "wpa_auth_ie.h" 30 31#define STATE_MACHINE_DATA struct wpa_state_machine 32#define STATE_MACHINE_DEBUG_PREFIX "WPA" 33#define STATE_MACHINE_ADDR sm->addr 34 35 36static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx); 37static int wpa_sm_step(struct wpa_state_machine *sm); 38static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 39 u8 *data, size_t data_len); 40#ifdef CONFIG_FILS 41static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 42 u8 *buf, size_t buf_len, u16 *_key_data_len); 43static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 44 const struct wpabuf *hlp); 45#endif /* CONFIG_FILS */ 46static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx); 47static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 48 struct wpa_group *group); 49static void wpa_request_new_ptk(struct wpa_state_machine *sm); 50static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 51 struct wpa_group *group); 52static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 53 struct wpa_group *group); 54static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 55 const u8 *pmk, unsigned int pmk_len, 56 struct wpa_ptk *ptk); 57static void wpa_group_free(struct wpa_authenticator *wpa_auth, 58 struct wpa_group *group); 59static void wpa_group_get(struct wpa_authenticator *wpa_auth, 60 struct wpa_group *group); 61static void wpa_group_put(struct wpa_authenticator *wpa_auth, 62 struct wpa_group *group); 63static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); 64 65static const u32 eapol_key_timeout_first = 100; /* ms */ 66static const u32 eapol_key_timeout_subseq = 1000; /* ms */ 67static const u32 eapol_key_timeout_first_group = 500; /* ms */ 68static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */ 69 70/* TODO: make these configurable */ 71static const int dot11RSNAConfigPMKLifetime = 43200; 72static const int dot11RSNAConfigPMKReauthThreshold = 70; 73static const int dot11RSNAConfigSATimeout = 60; 74 75 76static inline int wpa_auth_mic_failure_report( 77 struct wpa_authenticator *wpa_auth, const u8 *addr) 78{ 79 if (wpa_auth->cb->mic_failure_report) 80 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr); 81 return 0; 82} 83 84 85static inline void wpa_auth_psk_failure_report( 86 struct wpa_authenticator *wpa_auth, const u8 *addr) 87{ 88 if (wpa_auth->cb->psk_failure_report) 89 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr); 90} 91 92 93static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth, 94 const u8 *addr, wpa_eapol_variable var, 95 int value) 96{ 97 if (wpa_auth->cb->set_eapol) 98 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value); 99} 100 101 102static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth, 103 const u8 *addr, wpa_eapol_variable var) 104{ 105 if (wpa_auth->cb->get_eapol == NULL) 106 return -1; 107 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var); 108} 109 110 111static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth, 112 const u8 *addr, 113 const u8 *p2p_dev_addr, 114 const u8 *prev_psk, size_t *psk_len) 115{ 116 if (wpa_auth->cb->get_psk == NULL) 117 return NULL; 118 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr, 119 prev_psk, psk_len); 120} 121 122 123static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth, 124 const u8 *addr, u8 *msk, size_t *len) 125{ 126 if (wpa_auth->cb->get_msk == NULL) 127 return -1; 128 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len); 129} 130 131 132static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth, 133 int vlan_id, 134 enum wpa_alg alg, const u8 *addr, int idx, 135 u8 *key, size_t key_len) 136{ 137 if (wpa_auth->cb->set_key == NULL) 138 return -1; 139 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx, 140 key, key_len); 141} 142 143 144static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth, 145 const u8 *addr, int idx, u8 *seq) 146{ 147 if (wpa_auth->cb->get_seqnum == NULL) 148 return -1; 149 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq); 150} 151 152 153static inline int 154wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr, 155 const u8 *data, size_t data_len, int encrypt) 156{ 157 if (wpa_auth->cb->send_eapol == NULL) 158 return -1; 159 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len, 160 encrypt); 161} 162 163 164#ifdef CONFIG_MESH 165static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth, 166 const u8 *addr) 167{ 168 if (wpa_auth->cb->start_ampe == NULL) 169 return -1; 170 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr); 171} 172#endif /* CONFIG_MESH */ 173 174 175int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth, 176 int (*cb)(struct wpa_state_machine *sm, void *ctx), 177 void *cb_ctx) 178{ 179 if (wpa_auth->cb->for_each_sta == NULL) 180 return 0; 181 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx); 182} 183 184 185int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, 186 int (*cb)(struct wpa_authenticator *a, void *ctx), 187 void *cb_ctx) 188{ 189 if (wpa_auth->cb->for_each_auth == NULL) 190 return 0; 191 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx); 192} 193 194 195void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, 196 logger_level level, const char *txt) 197{ 198 if (wpa_auth->cb->logger == NULL) 199 return; 200 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt); 201} 202 203 204void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr, 205 logger_level level, const char *fmt, ...) 206{ 207 char *format; 208 int maxlen; 209 va_list ap; 210 211 if (wpa_auth->cb->logger == NULL) 212 return; 213 214 maxlen = os_strlen(fmt) + 100; 215 format = os_malloc(maxlen); 216 if (!format) 217 return; 218 219 va_start(ap, fmt); 220 vsnprintf(format, maxlen, fmt, ap); 221 va_end(ap); 222 223 wpa_auth_logger(wpa_auth, addr, level, format); 224 225 os_free(format); 226} 227 228 229static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth, 230 const u8 *addr, u16 reason) 231{ 232 if (wpa_auth->cb->disconnect == NULL) 233 return; 234 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)", 235 MAC2STR(addr), reason); 236 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason); 237} 238 239 240static int wpa_use_aes_cmac(struct wpa_state_machine *sm) 241{ 242 int ret = 0; 243#ifdef CONFIG_IEEE80211R_AP 244 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 245 ret = 1; 246#endif /* CONFIG_IEEE80211R_AP */ 247#ifdef CONFIG_IEEE80211W 248 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt)) 249 ret = 1; 250#endif /* CONFIG_IEEE80211W */ 251 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) 252 ret = 1; 253 return ret; 254} 255 256 257static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx) 258{ 259 struct wpa_authenticator *wpa_auth = eloop_ctx; 260 261 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) { 262 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 263 "initialization."); 264 } else { 265 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd"); 266 wpa_hexdump_key(MSG_DEBUG, "GMK", 267 wpa_auth->group->GMK, WPA_GMK_LEN); 268 } 269 270 if (wpa_auth->conf.wpa_gmk_rekey) { 271 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 272 wpa_rekey_gmk, wpa_auth, NULL); 273 } 274} 275 276 277static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx) 278{ 279 struct wpa_authenticator *wpa_auth = eloop_ctx; 280 struct wpa_group *group, *next; 281 282 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK"); 283 group = wpa_auth->group; 284 while (group) { 285 wpa_group_get(wpa_auth, group); 286 287 group->GTKReKey = TRUE; 288 do { 289 group->changed = FALSE; 290 wpa_group_sm_step(wpa_auth, group); 291 } while (group->changed); 292 293 next = group->next; 294 wpa_group_put(wpa_auth, group); 295 group = next; 296 } 297 298 if (wpa_auth->conf.wpa_group_rekey) { 299 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 300 0, wpa_rekey_gtk, wpa_auth, NULL); 301 } 302} 303 304 305static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 306{ 307 struct wpa_authenticator *wpa_auth = eloop_ctx; 308 struct wpa_state_machine *sm = timeout_ctx; 309 310 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); 311 wpa_request_new_ptk(sm); 312 wpa_sm_step(sm); 313} 314 315 316static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx) 317{ 318 if (sm->pmksa == ctx) 319 sm->pmksa = NULL; 320 return 0; 321} 322 323 324static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 325 void *ctx) 326{ 327 struct wpa_authenticator *wpa_auth = ctx; 328 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); 329} 330 331 332static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth, 333 struct wpa_group *group) 334{ 335 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)]; 336 u8 rkey[32]; 337 unsigned long ptr; 338 339 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0) 340 return -1; 341 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN); 342 343 /* 344 * Counter = PRF-256(Random number, "Init Counter", 345 * Local MAC Address || Time) 346 */ 347 os_memcpy(buf, wpa_auth->addr, ETH_ALEN); 348 wpa_get_ntp_timestamp(buf + ETH_ALEN); 349 ptr = (unsigned long) group; 350 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr)); 351 if (random_get_bytes(rkey, sizeof(rkey)) < 0) 352 return -1; 353 354 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf), 355 group->Counter, WPA_NONCE_LEN) < 0) 356 return -1; 357 wpa_hexdump_key(MSG_DEBUG, "Key Counter", 358 group->Counter, WPA_NONCE_LEN); 359 360 return 0; 361} 362 363 364static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth, 365 int vlan_id, int delay_init) 366{ 367 struct wpa_group *group; 368 369 group = os_zalloc(sizeof(struct wpa_group)); 370 if (group == NULL) 371 return NULL; 372 373 group->GTKAuthenticator = TRUE; 374 group->vlan_id = vlan_id; 375 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 376 377 if (random_pool_ready() != 1) { 378 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 379 "for secure operations - update keys later when " 380 "the first station connects"); 381 } 382 383 /* 384 * Set initial GMK/Counter value here. The actual values that will be 385 * used in negotiations will be set once the first station tries to 386 * connect. This allows more time for collecting additional randomness 387 * on embedded devices. 388 */ 389 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) { 390 wpa_printf(MSG_ERROR, "Failed to get random data for WPA " 391 "initialization."); 392 os_free(group); 393 return NULL; 394 } 395 396 group->GInit = TRUE; 397 if (delay_init) { 398 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start " 399 "until Beacon frames have been configured"); 400 /* Initialization is completed in wpa_init_keys(). */ 401 } else { 402 wpa_group_sm_step(wpa_auth, group); 403 group->GInit = FALSE; 404 wpa_group_sm_step(wpa_auth, group); 405 } 406 407 return group; 408} 409 410 411/** 412 * wpa_init - Initialize WPA authenticator 413 * @addr: Authenticator address 414 * @conf: Configuration for WPA authenticator 415 * @cb: Callback functions for WPA authenticator 416 * Returns: Pointer to WPA authenticator data or %NULL on failure 417 */ 418struct wpa_authenticator * wpa_init(const u8 *addr, 419 struct wpa_auth_config *conf, 420 const struct wpa_auth_callbacks *cb, 421 void *cb_ctx) 422{ 423 struct wpa_authenticator *wpa_auth; 424 425 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator)); 426 if (wpa_auth == NULL) 427 return NULL; 428 os_memcpy(wpa_auth->addr, addr, ETH_ALEN); 429 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 430 wpa_auth->cb = cb; 431 wpa_auth->cb_ctx = cb_ctx; 432 433 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 434 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 435 os_free(wpa_auth); 436 return NULL; 437 } 438 439 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1); 440 if (wpa_auth->group == NULL) { 441 os_free(wpa_auth->wpa_ie); 442 os_free(wpa_auth); 443 return NULL; 444 } 445 446 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb, 447 wpa_auth); 448 if (wpa_auth->pmksa == NULL) { 449 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed."); 450 os_free(wpa_auth->group); 451 os_free(wpa_auth->wpa_ie); 452 os_free(wpa_auth); 453 return NULL; 454 } 455 456#ifdef CONFIG_IEEE80211R_AP 457 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init(); 458 if (wpa_auth->ft_pmk_cache == NULL) { 459 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed."); 460 os_free(wpa_auth->group); 461 os_free(wpa_auth->wpa_ie); 462 pmksa_cache_auth_deinit(wpa_auth->pmksa); 463 os_free(wpa_auth); 464 return NULL; 465 } 466#endif /* CONFIG_IEEE80211R_AP */ 467 468 if (wpa_auth->conf.wpa_gmk_rekey) { 469 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0, 470 wpa_rekey_gmk, wpa_auth, NULL); 471 } 472 473 if (wpa_auth->conf.wpa_group_rekey) { 474 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0, 475 wpa_rekey_gtk, wpa_auth, NULL); 476 } 477 478#ifdef CONFIG_P2P 479 if (WPA_GET_BE32(conf->ip_addr_start)) { 480 int count = WPA_GET_BE32(conf->ip_addr_end) - 481 WPA_GET_BE32(conf->ip_addr_start) + 1; 482 if (count > 1000) 483 count = 1000; 484 if (count > 0) 485 wpa_auth->ip_pool = bitfield_alloc(count); 486 } 487#endif /* CONFIG_P2P */ 488 489 return wpa_auth; 490} 491 492 493int wpa_init_keys(struct wpa_authenticator *wpa_auth) 494{ 495 struct wpa_group *group = wpa_auth->group; 496 497 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial " 498 "keys"); 499 wpa_group_sm_step(wpa_auth, group); 500 group->GInit = FALSE; 501 wpa_group_sm_step(wpa_auth, group); 502 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 503 return -1; 504 return 0; 505} 506 507 508/** 509 * wpa_deinit - Deinitialize WPA authenticator 510 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 511 */ 512void wpa_deinit(struct wpa_authenticator *wpa_auth) 513{ 514 struct wpa_group *group, *prev; 515 516 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL); 517 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 518 519 pmksa_cache_auth_deinit(wpa_auth->pmksa); 520 521#ifdef CONFIG_IEEE80211R_AP 522 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache); 523 wpa_auth->ft_pmk_cache = NULL; 524 wpa_ft_deinit(wpa_auth); 525#endif /* CONFIG_IEEE80211R_AP */ 526 527#ifdef CONFIG_P2P 528 bitfield_free(wpa_auth->ip_pool); 529#endif /* CONFIG_P2P */ 530 531 532 os_free(wpa_auth->wpa_ie); 533 534 group = wpa_auth->group; 535 while (group) { 536 prev = group; 537 group = group->next; 538 os_free(prev); 539 } 540 541 os_free(wpa_auth); 542} 543 544 545/** 546 * wpa_reconfig - Update WPA authenticator configuration 547 * @wpa_auth: Pointer to WPA authenticator data from wpa_init() 548 * @conf: Configuration for WPA authenticator 549 */ 550int wpa_reconfig(struct wpa_authenticator *wpa_auth, 551 struct wpa_auth_config *conf) 552{ 553 struct wpa_group *group; 554 if (wpa_auth == NULL) 555 return 0; 556 557 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf)); 558 if (wpa_auth_gen_wpa_ie(wpa_auth)) { 559 wpa_printf(MSG_ERROR, "Could not generate WPA IE."); 560 return -1; 561 } 562 563 /* 564 * Reinitialize GTK to make sure it is suitable for the new 565 * configuration. 566 */ 567 group = wpa_auth->group; 568 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group); 569 group->GInit = TRUE; 570 wpa_group_sm_step(wpa_auth, group); 571 group->GInit = FALSE; 572 wpa_group_sm_step(wpa_auth, group); 573 574 return 0; 575} 576 577 578struct wpa_state_machine * 579wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr, 580 const u8 *p2p_dev_addr) 581{ 582 struct wpa_state_machine *sm; 583 584 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 585 return NULL; 586 587 sm = os_zalloc(sizeof(struct wpa_state_machine)); 588 if (sm == NULL) 589 return NULL; 590 os_memcpy(sm->addr, addr, ETH_ALEN); 591 if (p2p_dev_addr) 592 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN); 593 594 sm->wpa_auth = wpa_auth; 595 sm->group = wpa_auth->group; 596 wpa_group_get(sm->wpa_auth, sm->group); 597 598 return sm; 599} 600 601 602int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth, 603 struct wpa_state_machine *sm) 604{ 605 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 606 return -1; 607 608#ifdef CONFIG_IEEE80211R_AP 609 if (sm->ft_completed) { 610 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 611 "FT authentication already completed - do not " 612 "start 4-way handshake"); 613 /* Go to PTKINITDONE state to allow GTK rekeying */ 614 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 615 sm->Pair = TRUE; 616 return 0; 617 } 618#endif /* CONFIG_IEEE80211R_AP */ 619 620#ifdef CONFIG_FILS 621 if (sm->fils_completed) { 622 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 623 "FILS authentication already completed - do not start 4-way handshake"); 624 /* Go to PTKINITDONE state to allow GTK rekeying */ 625 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE; 626 sm->Pair = TRUE; 627 return 0; 628 } 629#endif /* CONFIG_FILS */ 630 631 if (sm->started) { 632 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay)); 633 sm->ReAuthenticationRequest = TRUE; 634 return wpa_sm_step(sm); 635 } 636 637 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 638 "start authentication"); 639 sm->started = 1; 640 641 sm->Init = TRUE; 642 if (wpa_sm_step(sm) == 1) 643 return 1; /* should not really happen */ 644 sm->Init = FALSE; 645 sm->AuthenticationRequest = TRUE; 646 return wpa_sm_step(sm); 647} 648 649 650void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm) 651{ 652 /* WPA/RSN was not used - clear WPA state. This is needed if the STA 653 * reassociates back to the same AP while the previous entry for the 654 * STA has not yet been removed. */ 655 if (sm == NULL) 656 return; 657 658 sm->wpa_key_mgmt = 0; 659} 660 661 662static void wpa_free_sta_sm(struct wpa_state_machine *sm) 663{ 664#ifdef CONFIG_P2P 665 if (WPA_GET_BE32(sm->ip_addr)) { 666 u32 start; 667 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP " 668 "address %u.%u.%u.%u from " MACSTR, 669 sm->ip_addr[0], sm->ip_addr[1], 670 sm->ip_addr[2], sm->ip_addr[3], 671 MAC2STR(sm->addr)); 672 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start); 673 bitfield_clear(sm->wpa_auth->ip_pool, 674 WPA_GET_BE32(sm->ip_addr) - start); 675 } 676#endif /* CONFIG_P2P */ 677 if (sm->GUpdateStationKeys) { 678 sm->group->GKeyDoneStations--; 679 sm->GUpdateStationKeys = FALSE; 680 } 681#ifdef CONFIG_IEEE80211R_AP 682 os_free(sm->assoc_resp_ftie); 683 wpabuf_free(sm->ft_pending_req_ies); 684#endif /* CONFIG_IEEE80211R_AP */ 685 os_free(sm->last_rx_eapol_key); 686 os_free(sm->wpa_ie); 687 wpa_group_put(sm->wpa_auth, sm->group); 688 os_free(sm); 689} 690 691 692void wpa_auth_sta_deinit(struct wpa_state_machine *sm) 693{ 694 if (sm == NULL) 695 return; 696 697 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) { 698 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 699 "strict rekeying - force GTK rekey since STA " 700 "is leaving"); 701 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL); 702 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth, 703 NULL); 704 } 705 706 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 707 sm->pending_1_of_4_timeout = 0; 708 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL); 709 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 710#ifdef CONFIG_IEEE80211R_AP 711 wpa_ft_sta_deinit(sm); 712#endif /* CONFIG_IEEE80211R_AP */ 713 if (sm->in_step_loop) { 714 /* Must not free state machine while wpa_sm_step() is running. 715 * Freeing will be completed in the end of wpa_sm_step(). */ 716 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state " 717 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 718 sm->pending_deinit = 1; 719 } else 720 wpa_free_sta_sm(sm); 721} 722 723 724static void wpa_request_new_ptk(struct wpa_state_machine *sm) 725{ 726 if (sm == NULL) 727 return; 728 729 sm->PTKRequest = TRUE; 730 sm->PTK_valid = 0; 731} 732 733 734static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr, 735 const u8 *replay_counter) 736{ 737 int i; 738 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 739 if (!ctr[i].valid) 740 break; 741 if (os_memcmp(replay_counter, ctr[i].counter, 742 WPA_REPLAY_COUNTER_LEN) == 0) 743 return 1; 744 } 745 return 0; 746} 747 748 749static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr, 750 const u8 *replay_counter) 751{ 752 int i; 753 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 754 if (ctr[i].valid && 755 (replay_counter == NULL || 756 os_memcmp(replay_counter, ctr[i].counter, 757 WPA_REPLAY_COUNTER_LEN) == 0)) 758 ctr[i].valid = FALSE; 759 } 760} 761 762 763#ifdef CONFIG_IEEE80211R_AP 764static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth, 765 struct wpa_state_machine *sm, 766 struct wpa_eapol_ie_parse *kde) 767{ 768 struct wpa_ie_data ie; 769 struct rsn_mdie *mdie; 770 771 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 || 772 ie.num_pmkid != 1 || ie.pmkid == NULL) { 773 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in " 774 "FT 4-way handshake message 2/4"); 775 return -1; 776 } 777 778 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN); 779 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant", 780 sm->sup_pmk_r1_name, PMKID_LEN); 781 782 if (!kde->mdie || !kde->ftie) { 783 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake " 784 "message 2/4", kde->mdie ? "FTIE" : "MDIE"); 785 return -1; 786 } 787 788 mdie = (struct rsn_mdie *) (kde->mdie + 2); 789 if (kde->mdie[1] < sizeof(struct rsn_mdie) || 790 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain, 791 MOBILITY_DOMAIN_ID_LEN) != 0) { 792 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch"); 793 return -1; 794 } 795 796 if (sm->assoc_resp_ftie && 797 (kde->ftie[1] != sm->assoc_resp_ftie[1] || 798 os_memcmp(kde->ftie, sm->assoc_resp_ftie, 799 2 + sm->assoc_resp_ftie[1]) != 0)) { 800 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch"); 801 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4", 802 kde->ftie, kde->ftie_len); 803 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp", 804 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]); 805 return -1; 806 } 807 808 return 0; 809} 810#endif /* CONFIG_IEEE80211R_AP */ 811 812 813static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth, 814 struct wpa_state_machine *sm, int group) 815{ 816 /* Supplicant reported a Michael MIC error */ 817 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 818 "received EAPOL-Key Error Request " 819 "(STA detected Michael MIC failure (group=%d))", 820 group); 821 822 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) { 823 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 824 "ignore Michael MIC failure report since " 825 "group cipher is not TKIP"); 826 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) { 827 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 828 "ignore Michael MIC failure report since " 829 "pairwise cipher is not TKIP"); 830 } else { 831 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0) 832 return 1; /* STA entry was removed */ 833 sm->dot11RSNAStatsTKIPRemoteMICFailures++; 834 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++; 835 } 836 837 /* 838 * Error report is not a request for a new key handshake, but since 839 * Authenticator may do it, let's change the keys now anyway. 840 */ 841 wpa_request_new_ptk(sm); 842 return 0; 843} 844 845 846static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, 847 size_t data_len) 848{ 849 struct wpa_ptk PTK; 850 int ok = 0; 851 const u8 *pmk = NULL; 852 size_t pmk_len; 853 854 os_memset(&PTK, 0, sizeof(PTK)); 855 for (;;) { 856 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 857 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 858 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 859 sm->p2p_dev_addr, pmk, &pmk_len); 860 if (pmk == NULL) 861 break; 862 } else { 863 pmk = sm->PMK; 864 pmk_len = sm->pmk_len; 865 } 866 867 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0) 868 break; 869 870 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 871 data, data_len) == 0) { 872 ok = 1; 873 break; 874 } 875 876 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 877 break; 878 } 879 880 if (!ok) { 881 wpa_printf(MSG_DEBUG, 882 "WPA: Earlier SNonce did not result in matching MIC"); 883 return -1; 884 } 885 886 wpa_printf(MSG_DEBUG, 887 "WPA: Earlier SNonce resulted in matching MIC"); 888 sm->alt_snonce_valid = 0; 889 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN); 890 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 891 sm->PTK_valid = TRUE; 892 893 return 0; 894} 895 896 897void wpa_receive(struct wpa_authenticator *wpa_auth, 898 struct wpa_state_machine *sm, 899 u8 *data, size_t data_len) 900{ 901 struct ieee802_1x_hdr *hdr; 902 struct wpa_eapol_key *key; 903 u16 key_info, key_data_length; 904 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg; 905 char *msgtxt; 906 struct wpa_eapol_ie_parse kde; 907 const u8 *key_data; 908 size_t keyhdrlen, mic_len; 909 u8 *mic; 910 911 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL) 912 return; 913 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len); 914 915 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 916 keyhdrlen = sizeof(*key) + mic_len + 2; 917 918 if (data_len < sizeof(*hdr) + keyhdrlen) { 919 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame"); 920 return; 921 } 922 923 hdr = (struct ieee802_1x_hdr *) data; 924 key = (struct wpa_eapol_key *) (hdr + 1); 925 mic = (u8 *) (key + 1); 926 key_info = WPA_GET_BE16(key->key_info); 927 key_data = mic + mic_len + 2; 928 key_data_length = WPA_GET_BE16(mic + mic_len); 929 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR 930 " key_info=0x%x type=%u mic_len=%u key_data_length=%u", 931 MAC2STR(sm->addr), key_info, key->type, 932 (unsigned int) mic_len, key_data_length); 933 wpa_hexdump(MSG_MSGDUMP, 934 "WPA: EAPOL-Key header (ending before Key MIC)", 935 key, sizeof(*key)); 936 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC", 937 mic, mic_len); 938 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) { 939 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " 940 "key_data overflow (%d > %lu)", 941 key_data_length, 942 (unsigned long) (data_len - sizeof(*hdr) - 943 keyhdrlen)); 944 return; 945 } 946 947 if (sm->wpa == WPA_VERSION_WPA2) { 948 if (key->type == EAPOL_KEY_TYPE_WPA) { 949 /* 950 * Some deployed station implementations seem to send 951 * msg 4/4 with incorrect type value in WPA2 mode. 952 */ 953 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key " 954 "with unexpected WPA type in RSN mode"); 955 } else if (key->type != EAPOL_KEY_TYPE_RSN) { 956 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 957 "unexpected type %d in RSN mode", 958 key->type); 959 return; 960 } 961 } else { 962 if (key->type != EAPOL_KEY_TYPE_WPA) { 963 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with " 964 "unexpected type %d in WPA mode", 965 key->type); 966 return; 967 } 968 } 969 970 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce, 971 WPA_NONCE_LEN); 972 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter", 973 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 974 975 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys 976 * are set */ 977 978 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 979 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message"); 980 return; 981 } 982 983 if (key_info & WPA_KEY_INFO_REQUEST) { 984 msg = REQUEST; 985 msgtxt = "Request"; 986 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) { 987 msg = GROUP_2; 988 msgtxt = "2/2 Group"; 989 } else if (key_data_length == 0 || 990 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && 991 key_data_length == AES_BLOCK_SIZE)) { 992 msg = PAIRWISE_4; 993 msgtxt = "4/4 Pairwise"; 994 } else { 995 msg = PAIRWISE_2; 996 msgtxt = "2/4 Pairwise"; 997 } 998 999 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 || 1000 msg == GROUP_2) { 1001 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 1002 if (sm->pairwise == WPA_CIPHER_CCMP || 1003 sm->pairwise == WPA_CIPHER_GCMP) { 1004 if (wpa_use_aes_cmac(sm) && 1005 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN && 1006 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 1007 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1008 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1009 wpa_auth_logger(wpa_auth, sm->addr, 1010 LOGGER_WARNING, 1011 "advertised support for " 1012 "AES-128-CMAC, but did not " 1013 "use it"); 1014 return; 1015 } 1016 1017 if (!wpa_use_aes_cmac(sm) && 1018 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) && 1019 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1020 sm->wpa_key_mgmt != WPA_KEY_MGMT_OWE && 1021 sm->wpa_key_mgmt != WPA_KEY_MGMT_DPP && 1022 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1023 wpa_auth_logger(wpa_auth, sm->addr, 1024 LOGGER_WARNING, 1025 "did not use HMAC-SHA1-AES " 1026 "with CCMP/GCMP"); 1027 return; 1028 } 1029 } 1030 1031 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1032 wpa_key_mgmt_fils(sm->wpa_key_mgmt) || 1033 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 1034 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) && 1035 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 1036 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1037 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases"); 1038 return; 1039 } 1040 } 1041 1042 if (key_info & WPA_KEY_INFO_REQUEST) { 1043 if (sm->req_replay_counter_used && 1044 os_memcmp(key->replay_counter, sm->req_replay_counter, 1045 WPA_REPLAY_COUNTER_LEN) <= 0) { 1046 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING, 1047 "received EAPOL-Key request with " 1048 "replayed counter"); 1049 return; 1050 } 1051 } 1052 1053 if (!(key_info & WPA_KEY_INFO_REQUEST) && 1054 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) { 1055 int i; 1056 1057 if (msg == PAIRWISE_2 && 1058 wpa_replay_counter_valid(sm->prev_key_replay, 1059 key->replay_counter) && 1060 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1061 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) 1062 { 1063 /* 1064 * Some supplicant implementations (e.g., Windows XP 1065 * WZC) update SNonce for each EAPOL-Key 2/4. This 1066 * breaks the workaround on accepting any of the 1067 * pending requests, so allow the SNonce to be updated 1068 * even if we have already sent out EAPOL-Key 3/4. 1069 */ 1070 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1071 "Process SNonce update from STA " 1072 "based on retransmitted EAPOL-Key " 1073 "1/4"); 1074 sm->update_snonce = 1; 1075 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN); 1076 sm->alt_snonce_valid = TRUE; 1077 os_memcpy(sm->alt_replay_counter, 1078 sm->key_replay[0].counter, 1079 WPA_REPLAY_COUNTER_LEN); 1080 goto continue_processing; 1081 } 1082 1083 if (msg == PAIRWISE_4 && sm->alt_snonce_valid && 1084 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING && 1085 os_memcmp(key->replay_counter, sm->alt_replay_counter, 1086 WPA_REPLAY_COUNTER_LEN) == 0) { 1087 /* 1088 * Supplicant may still be using the old SNonce since 1089 * there was two EAPOL-Key 2/4 messages and they had 1090 * different SNonce values. 1091 */ 1092 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1093 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4"); 1094 goto continue_processing; 1095 } 1096 1097 if (msg == PAIRWISE_2 && 1098 wpa_replay_counter_valid(sm->prev_key_replay, 1099 key->replay_counter) && 1100 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) { 1101 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1102 "ignore retransmitted EAPOL-Key %s - " 1103 "SNonce did not change", msgtxt); 1104 } else { 1105 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1106 "received EAPOL-Key %s with " 1107 "unexpected replay counter", msgtxt); 1108 } 1109 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) { 1110 if (!sm->key_replay[i].valid) 1111 break; 1112 wpa_hexdump(MSG_DEBUG, "pending replay counter", 1113 sm->key_replay[i].counter, 1114 WPA_REPLAY_COUNTER_LEN); 1115 } 1116 wpa_hexdump(MSG_DEBUG, "received replay counter", 1117 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1118 return; 1119 } 1120 1121continue_processing: 1122#ifdef CONFIG_FILS 1123 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 && 1124 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1125 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1126 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame"); 1127 return; 1128 } 1129#endif /* CONFIG_FILS */ 1130 1131 switch (msg) { 1132 case PAIRWISE_2: 1133 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART && 1134 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING && 1135 (!sm->update_snonce || 1136 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) { 1137 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1138 "received EAPOL-Key msg 2/4 in " 1139 "invalid state (%d) - dropped", 1140 sm->wpa_ptk_state); 1141 return; 1142 } 1143 random_add_randomness(key->key_nonce, WPA_NONCE_LEN); 1144 if (sm->group->reject_4way_hs_for_entropy) { 1145 /* 1146 * The system did not have enough entropy to generate 1147 * strong random numbers. Reject the first 4-way 1148 * handshake(s) and collect some entropy based on the 1149 * information from it. Once enough entropy is 1150 * available, the next atempt will trigger GMK/Key 1151 * Counter update and the station will be allowed to 1152 * continue. 1153 */ 1154 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to " 1155 "collect more entropy for random number " 1156 "generation"); 1157 random_mark_pool_ready(); 1158 wpa_sta_disconnect(wpa_auth, sm->addr, 1159 WLAN_REASON_PREV_AUTH_NOT_VALID); 1160 return; 1161 } 1162 break; 1163 case PAIRWISE_4: 1164 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING || 1165 !sm->PTK_valid) { 1166 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1167 "received EAPOL-Key msg 4/4 in " 1168 "invalid state (%d) - dropped", 1169 sm->wpa_ptk_state); 1170 return; 1171 } 1172 break; 1173 case GROUP_2: 1174 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING 1175 || !sm->PTK_valid) { 1176 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 1177 "received EAPOL-Key msg 2/2 in " 1178 "invalid state (%d) - dropped", 1179 sm->wpa_ptk_group_state); 1180 return; 1181 } 1182 break; 1183 case REQUEST: 1184 break; 1185 } 1186 1187 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, 1188 "received EAPOL-Key frame (%s)", msgtxt); 1189 1190 if (key_info & WPA_KEY_INFO_ACK) { 1191 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1192 "received invalid EAPOL-Key: Key Ack set"); 1193 return; 1194 } 1195 1196 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1197 !(key_info & WPA_KEY_INFO_MIC)) { 1198 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1199 "received invalid EAPOL-Key: Key MIC not set"); 1200 return; 1201 } 1202 1203#ifdef CONFIG_FILS 1204 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1205 (key_info & WPA_KEY_INFO_MIC)) { 1206 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1207 "received invalid EAPOL-Key: Key MIC set"); 1208 return; 1209 } 1210#endif /* CONFIG_FILS */ 1211 1212 sm->MICVerified = FALSE; 1213 if (sm->PTK_valid && !sm->update_snonce) { 1214 if (mic_len && 1215 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK, 1216 data, data_len) && 1217 (msg != PAIRWISE_4 || !sm->alt_snonce_valid || 1218 wpa_try_alt_snonce(sm, data, data_len))) { 1219 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1220 "received EAPOL-Key with invalid MIC"); 1221 return; 1222 } 1223#ifdef CONFIG_FILS 1224 if (!mic_len && 1225 wpa_aead_decrypt(sm, &sm->PTK, data, data_len, 1226 &key_data_length) < 0) { 1227 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1228 "received EAPOL-Key with invalid MIC"); 1229 return; 1230 } 1231#endif /* CONFIG_FILS */ 1232 sm->MICVerified = TRUE; 1233 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 1234 sm->pending_1_of_4_timeout = 0; 1235 } 1236 1237 if (key_info & WPA_KEY_INFO_REQUEST) { 1238 if (sm->MICVerified) { 1239 sm->req_replay_counter_used = 1; 1240 os_memcpy(sm->req_replay_counter, key->replay_counter, 1241 WPA_REPLAY_COUNTER_LEN); 1242 } else { 1243 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1244 "received EAPOL-Key request with " 1245 "invalid MIC"); 1246 return; 1247 } 1248 1249 /* 1250 * TODO: should decrypt key data field if encryption was used; 1251 * even though MAC address KDE is not normally encrypted, 1252 * supplicant is allowed to encrypt it. 1253 */ 1254 if (key_info & WPA_KEY_INFO_ERROR) { 1255 if (wpa_receive_error_report( 1256 wpa_auth, sm, 1257 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0) 1258 return; /* STA entry was removed */ 1259 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) { 1260 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1261 "received EAPOL-Key Request for new " 1262 "4-Way Handshake"); 1263 wpa_request_new_ptk(sm); 1264 } else if (key_data_length > 0 && 1265 wpa_parse_kde_ies(key_data, key_data_length, 1266 &kde) == 0 && 1267 kde.mac_addr) { 1268 } else { 1269 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1270 "received EAPOL-Key Request for GTK " 1271 "rekeying"); 1272 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL); 1273 wpa_rekey_gtk(wpa_auth, NULL); 1274 } 1275 } else { 1276 /* Do not allow the same key replay counter to be reused. */ 1277 wpa_replay_counter_mark_invalid(sm->key_replay, 1278 key->replay_counter); 1279 1280 if (msg == PAIRWISE_2) { 1281 /* 1282 * Maintain a copy of the pending EAPOL-Key frames in 1283 * case the EAPOL-Key frame was retransmitted. This is 1284 * needed to allow EAPOL-Key msg 2/4 reply to another 1285 * pending msg 1/4 to update the SNonce to work around 1286 * unexpected supplicant behavior. 1287 */ 1288 os_memcpy(sm->prev_key_replay, sm->key_replay, 1289 sizeof(sm->key_replay)); 1290 } else { 1291 os_memset(sm->prev_key_replay, 0, 1292 sizeof(sm->prev_key_replay)); 1293 } 1294 1295 /* 1296 * Make sure old valid counters are not accepted anymore and 1297 * do not get copied again. 1298 */ 1299 wpa_replay_counter_mark_invalid(sm->key_replay, NULL); 1300 } 1301 1302 os_free(sm->last_rx_eapol_key); 1303 sm->last_rx_eapol_key = os_memdup(data, data_len); 1304 if (sm->last_rx_eapol_key == NULL) 1305 return; 1306 sm->last_rx_eapol_key_len = data_len; 1307 1308 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE); 1309 sm->EAPOLKeyReceived = TRUE; 1310 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1311 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST); 1312 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN); 1313 wpa_sm_step(sm); 1314} 1315 1316 1317static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr, 1318 const u8 *gnonce, u8 *gtk, size_t gtk_len) 1319{ 1320 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16]; 1321 u8 *pos; 1322 int ret = 0; 1323 1324 /* GTK = PRF-X(GMK, "Group key expansion", 1325 * AA || GNonce || Time || random data) 1326 * The example described in the IEEE 802.11 standard uses only AA and 1327 * GNonce as inputs here. Add some more entropy since this derivation 1328 * is done only at the Authenticator and as such, does not need to be 1329 * exactly same. 1330 */ 1331 os_memcpy(data, addr, ETH_ALEN); 1332 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN); 1333 pos = data + ETH_ALEN + WPA_NONCE_LEN; 1334 wpa_get_ntp_timestamp(pos); 1335 pos += 8; 1336 if (random_get_bytes(pos, 16) < 0) 1337 ret = -1; 1338 1339#ifdef CONFIG_IEEE80211W 1340 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len); 1341#else /* CONFIG_IEEE80211W */ 1342 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len) 1343 < 0) 1344 ret = -1; 1345#endif /* CONFIG_IEEE80211W */ 1346 1347 return ret; 1348} 1349 1350 1351static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx) 1352{ 1353 struct wpa_authenticator *wpa_auth = eloop_ctx; 1354 struct wpa_state_machine *sm = timeout_ctx; 1355 1356 sm->pending_1_of_4_timeout = 0; 1357 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout"); 1358 sm->TimeoutEvt = TRUE; 1359 wpa_sm_step(sm); 1360} 1361 1362 1363void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1364 struct wpa_state_machine *sm, int key_info, 1365 const u8 *key_rsc, const u8 *nonce, 1366 const u8 *kde, size_t kde_len, 1367 int keyidx, int encr, int force_version) 1368{ 1369 struct ieee802_1x_hdr *hdr; 1370 struct wpa_eapol_key *key; 1371 size_t len, mic_len, keyhdrlen; 1372 int alg; 1373 int key_data_len, pad_len = 0; 1374 u8 *buf, *pos; 1375 int version, pairwise; 1376 int i; 1377 u8 *key_mic, *key_data; 1378 1379 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 1380 keyhdrlen = sizeof(*key) + mic_len + 2; 1381 1382 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen; 1383 1384 if (force_version) 1385 version = force_version; 1386 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1387 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE || 1388 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 1389 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1390 wpa_key_mgmt_fils(sm->wpa_key_mgmt)) 1391 version = WPA_KEY_INFO_TYPE_AKM_DEFINED; 1392 else if (wpa_use_aes_cmac(sm)) 1393 version = WPA_KEY_INFO_TYPE_AES_128_CMAC; 1394 else if (sm->pairwise != WPA_CIPHER_TKIP) 1395 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1396 else 1397 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1398 1399 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE); 1400 1401 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d " 1402 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d " 1403 "encr=%d)", 1404 version, 1405 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0, 1406 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0, 1407 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0, 1408 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0, 1409 pairwise, (unsigned long) kde_len, keyidx, encr); 1410 1411 key_data_len = kde_len; 1412 1413 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1414 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE || 1415 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 1416 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1417 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1418 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) { 1419 pad_len = key_data_len % 8; 1420 if (pad_len) 1421 pad_len = 8 - pad_len; 1422 key_data_len += pad_len + 8; 1423 } 1424 1425 len += key_data_len; 1426 if (!mic_len && encr) 1427 len += AES_BLOCK_SIZE; 1428 1429 hdr = os_zalloc(len); 1430 if (hdr == NULL) 1431 return; 1432 hdr->version = wpa_auth->conf.eapol_version; 1433 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 1434 hdr->length = host_to_be16(len - sizeof(*hdr)); 1435 key = (struct wpa_eapol_key *) (hdr + 1); 1436 key_mic = (u8 *) (key + 1); 1437 key_data = ((u8 *) (hdr + 1)) + keyhdrlen; 1438 1439 key->type = sm->wpa == WPA_VERSION_WPA2 ? 1440 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1441 key_info |= version; 1442 if (encr && sm->wpa == WPA_VERSION_WPA2) 1443 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1444 if (sm->wpa != WPA_VERSION_WPA2) 1445 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT; 1446 WPA_PUT_BE16(key->key_info, key_info); 1447 1448 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group; 1449 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise) 1450 WPA_PUT_BE16(key->key_length, 0); 1451 else 1452 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg)); 1453 1454 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) { 1455 sm->key_replay[i].valid = sm->key_replay[i - 1].valid; 1456 os_memcpy(sm->key_replay[i].counter, 1457 sm->key_replay[i - 1].counter, 1458 WPA_REPLAY_COUNTER_LEN); 1459 } 1460 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN); 1461 os_memcpy(key->replay_counter, sm->key_replay[0].counter, 1462 WPA_REPLAY_COUNTER_LEN); 1463 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", 1464 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 1465 sm->key_replay[0].valid = TRUE; 1466 1467 if (nonce) 1468 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN); 1469 1470 if (key_rsc) 1471 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN); 1472 1473 if (kde && !encr) { 1474 os_memcpy(key_data, kde, kde_len); 1475 WPA_PUT_BE16(key_mic + mic_len, kde_len); 1476#ifdef CONFIG_FILS 1477 } else if (!mic_len) { 1478 const u8 *aad[1]; 1479 size_t aad_len[1]; 1480 1481 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len); 1482 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1483 kde, kde_len); 1484 1485 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", 1486 sm->PTK.kek, sm->PTK.kek_len); 1487 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 1488 * to Key Data (exclusive). */ 1489 aad[0] = (u8 *) hdr; 1490 aad_len[0] = key_mic + 2 - (u8 *) hdr; 1491 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len, 1492 1, aad, aad_len, key_mic + 2) < 0) { 1493 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed"); 1494 return; 1495 } 1496 1497 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 1498 key_mic + 2, AES_BLOCK_SIZE + kde_len); 1499#endif /* CONFIG_FILS */ 1500 } else if (encr && kde) { 1501 buf = os_zalloc(key_data_len); 1502 if (buf == NULL) { 1503 os_free(hdr); 1504 return; 1505 } 1506 pos = buf; 1507 os_memcpy(pos, kde, kde_len); 1508 pos += kde_len; 1509 1510 if (pad_len) 1511 *pos++ = 0xdd; 1512 1513 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data", 1514 buf, key_data_len); 1515 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 1516 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE || 1517 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 1518 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN || 1519 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) || 1520 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 1521 wpa_printf(MSG_DEBUG, 1522 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)", 1523 (unsigned int) sm->PTK.kek_len); 1524 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, 1525 (key_data_len - 8) / 8, buf, key_data)) { 1526 os_free(hdr); 1527 os_free(buf); 1528 return; 1529 } 1530 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1531#ifndef CONFIG_NO_RC4 1532 } else if (sm->PTK.kek_len == 16) { 1533 u8 ek[32]; 1534 1535 wpa_printf(MSG_DEBUG, 1536 "WPA: Encrypt Key Data using RC4"); 1537 os_memcpy(key->key_iv, 1538 sm->group->Counter + WPA_NONCE_LEN - 16, 16); 1539 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN); 1540 os_memcpy(ek, key->key_iv, 16); 1541 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len); 1542 os_memcpy(key_data, buf, key_data_len); 1543 rc4_skip(ek, 32, 256, key_data, key_data_len); 1544 WPA_PUT_BE16(key_mic + mic_len, key_data_len); 1545#endif /* CONFIG_NO_RC4 */ 1546 } else { 1547 os_free(hdr); 1548 os_free(buf); 1549 return; 1550 } 1551 os_free(buf); 1552 } 1553 1554 if (key_info & WPA_KEY_INFO_MIC) { 1555 if (!sm->PTK_valid || !mic_len) { 1556 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 1557 "PTK not valid when sending EAPOL-Key " 1558 "frame"); 1559 os_free(hdr); 1560 return; 1561 } 1562 1563 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len, 1564 sm->wpa_key_mgmt, version, 1565 (u8 *) hdr, len, key_mic); 1566#ifdef CONFIG_TESTING_OPTIONS 1567 if (!pairwise && 1568 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 && 1569 drand48() < 1570 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { 1571 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 1572 "Corrupting group EAPOL-Key Key MIC"); 1573 key_mic[0]++; 1574 } 1575#endif /* CONFIG_TESTING_OPTIONS */ 1576 } 1577 1578 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1579 1); 1580 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len, 1581 sm->pairwise_set); 1582 os_free(hdr); 1583} 1584 1585 1586static void wpa_send_eapol(struct wpa_authenticator *wpa_auth, 1587 struct wpa_state_machine *sm, int key_info, 1588 const u8 *key_rsc, const u8 *nonce, 1589 const u8 *kde, size_t kde_len, 1590 int keyidx, int encr) 1591{ 1592 int timeout_ms; 1593 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE; 1594 u32 ctr; 1595 1596 if (sm == NULL) 1597 return; 1598 1599 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len, 1600 keyidx, encr, 0); 1601 1602 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr; 1603 if (ctr == 1 && wpa_auth->conf.tx_status) 1604 timeout_ms = pairwise ? eapol_key_timeout_first : 1605 eapol_key_timeout_first_group; 1606 else 1607 timeout_ms = eapol_key_timeout_subseq; 1608 if (wpa_auth->conf.wpa_disable_eapol_key_retries && 1609 (!pairwise || (key_info & WPA_KEY_INFO_MIC))) 1610 timeout_ms = eapol_key_timeout_no_retrans; 1611 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC)) 1612 sm->pending_1_of_4_timeout = 1; 1613 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry " 1614 "counter %u)", timeout_ms, ctr); 1615 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000, 1616 wpa_send_eapol_timeout, wpa_auth, sm); 1617} 1618 1619 1620static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK, 1621 u8 *data, size_t data_len) 1622{ 1623 struct ieee802_1x_hdr *hdr; 1624 struct wpa_eapol_key *key; 1625 u16 key_info; 1626 int ret = 0; 1627 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos; 1628 size_t mic_len = wpa_mic_len(akmp, pmk_len); 1629 1630 if (data_len < sizeof(*hdr) + sizeof(*key)) 1631 return -1; 1632 1633 hdr = (struct ieee802_1x_hdr *) data; 1634 key = (struct wpa_eapol_key *) (hdr + 1); 1635 mic_pos = (u8 *) (key + 1); 1636 key_info = WPA_GET_BE16(key->key_info); 1637 os_memcpy(mic, mic_pos, mic_len); 1638 os_memset(mic_pos, 0, mic_len); 1639 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp, 1640 key_info & WPA_KEY_INFO_TYPE_MASK, 1641 data, data_len, mic_pos) || 1642 os_memcmp_const(mic, mic_pos, mic_len) != 0) 1643 ret = -1; 1644 os_memcpy(mic_pos, mic, mic_len); 1645 return ret; 1646} 1647 1648 1649void wpa_remove_ptk(struct wpa_state_machine *sm) 1650{ 1651 sm->PTK_valid = FALSE; 1652 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1653 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 1654 0)) 1655 wpa_printf(MSG_DEBUG, 1656 "RSN: PTK removal from the driver failed"); 1657 sm->pairwise_set = FALSE; 1658 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 1659} 1660 1661 1662int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) 1663{ 1664 int remove_ptk = 1; 1665 1666 if (sm == NULL) 1667 return -1; 1668 1669 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 1670 "event %d notification", event); 1671 1672 switch (event) { 1673 case WPA_AUTH: 1674#ifdef CONFIG_MESH 1675 /* PTKs are derived through AMPE */ 1676 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) { 1677 /* not mesh */ 1678 break; 1679 } 1680 return 0; 1681#endif /* CONFIG_MESH */ 1682 case WPA_ASSOC: 1683 break; 1684 case WPA_DEAUTH: 1685 case WPA_DISASSOC: 1686 sm->DeauthenticationRequest = TRUE; 1687 break; 1688 case WPA_REAUTH: 1689 case WPA_REAUTH_EAPOL: 1690 if (!sm->started) { 1691 /* 1692 * When using WPS, we may end up here if the STA 1693 * manages to re-associate without the previous STA 1694 * entry getting removed. Consequently, we need to make 1695 * sure that the WPA state machines gets initialized 1696 * properly at this point. 1697 */ 1698 wpa_printf(MSG_DEBUG, "WPA state machine had not been " 1699 "started - initialize now"); 1700 sm->started = 1; 1701 sm->Init = TRUE; 1702 if (wpa_sm_step(sm) == 1) 1703 return 1; /* should not really happen */ 1704 sm->Init = FALSE; 1705 sm->AuthenticationRequest = TRUE; 1706 break; 1707 } 1708 if (sm->GUpdateStationKeys) { 1709 /* 1710 * Reauthentication cancels the pending group key 1711 * update for this STA. 1712 */ 1713 sm->group->GKeyDoneStations--; 1714 sm->GUpdateStationKeys = FALSE; 1715 sm->PtkGroupInit = TRUE; 1716 } 1717 sm->ReAuthenticationRequest = TRUE; 1718 break; 1719 case WPA_ASSOC_FT: 1720#ifdef CONFIG_IEEE80211R_AP 1721 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration " 1722 "after association"); 1723 wpa_ft_install_ptk(sm); 1724 1725 /* Using FT protocol, not WPA auth state machine */ 1726 sm->ft_completed = 1; 1727 return 0; 1728#else /* CONFIG_IEEE80211R_AP */ 1729 break; 1730#endif /* CONFIG_IEEE80211R_AP */ 1731 case WPA_ASSOC_FILS: 1732#ifdef CONFIG_FILS 1733 wpa_printf(MSG_DEBUG, 1734 "FILS: TK configuration after association"); 1735 fils_set_tk(sm); 1736 sm->fils_completed = 1; 1737 return 0; 1738#else /* CONFIG_FILS */ 1739 break; 1740#endif /* CONFIG_FILS */ 1741 case WPA_DRV_STA_REMOVED: 1742 sm->tk_already_set = FALSE; 1743 return 0; 1744 } 1745 1746#ifdef CONFIG_IEEE80211R_AP 1747 sm->ft_completed = 0; 1748#endif /* CONFIG_IEEE80211R_AP */ 1749 1750#ifdef CONFIG_IEEE80211W 1751 if (sm->mgmt_frame_prot && event == WPA_AUTH) 1752 remove_ptk = 0; 1753#endif /* CONFIG_IEEE80211W */ 1754#ifdef CONFIG_FILS 1755 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) && 1756 (event == WPA_AUTH || event == WPA_ASSOC)) 1757 remove_ptk = 0; 1758#endif /* CONFIG_FILS */ 1759 1760 if (remove_ptk) { 1761 sm->PTK_valid = FALSE; 1762 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1763 1764 if (event != WPA_REAUTH_EAPOL) 1765 wpa_remove_ptk(sm); 1766 } 1767 1768 if (sm->in_step_loop) { 1769 /* 1770 * wpa_sm_step() is already running - avoid recursive call to 1771 * it by making the existing loop process the new update. 1772 */ 1773 sm->changed = TRUE; 1774 return 0; 1775 } 1776 return wpa_sm_step(sm); 1777} 1778 1779 1780SM_STATE(WPA_PTK, INITIALIZE) 1781{ 1782 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk); 1783 if (sm->Init) { 1784 /* Init flag is not cleared here, so avoid busy 1785 * loop by claiming nothing changed. */ 1786 sm->changed = FALSE; 1787 } 1788 1789 sm->keycount = 0; 1790 if (sm->GUpdateStationKeys) 1791 sm->group->GKeyDoneStations--; 1792 sm->GUpdateStationKeys = FALSE; 1793 if (sm->wpa == WPA_VERSION_WPA) 1794 sm->PInitAKeys = FALSE; 1795 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and 1796 * Local AA > Remote AA)) */) { 1797 sm->Pair = TRUE; 1798 } 1799 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0); 1800 wpa_remove_ptk(sm); 1801 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0); 1802 sm->TimeoutCtr = 0; 1803 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 1804 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 1805 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 1806 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 1807 WPA_EAPOL_authorized, 0); 1808 } 1809} 1810 1811 1812SM_STATE(WPA_PTK, DISCONNECT) 1813{ 1814 u16 reason = sm->disconnect_reason; 1815 1816 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk); 1817 sm->Disconnect = FALSE; 1818 sm->disconnect_reason = 0; 1819 if (!reason) 1820 reason = WLAN_REASON_PREV_AUTH_NOT_VALID; 1821 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason); 1822} 1823 1824 1825SM_STATE(WPA_PTK, DISCONNECTED) 1826{ 1827 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk); 1828 sm->DeauthenticationRequest = FALSE; 1829} 1830 1831 1832SM_STATE(WPA_PTK, AUTHENTICATION) 1833{ 1834 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk); 1835 os_memset(&sm->PTK, 0, sizeof(sm->PTK)); 1836 sm->PTK_valid = FALSE; 1837 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto, 1838 1); 1839 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1); 1840 sm->AuthenticationRequest = FALSE; 1841} 1842 1843 1844static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth, 1845 struct wpa_group *group) 1846{ 1847 if (group->first_sta_seen) 1848 return; 1849 /* 1850 * System has run bit further than at the time hostapd was started 1851 * potentially very early during boot up. This provides better chances 1852 * of collecting more randomness on embedded systems. Re-initialize the 1853 * GMK and Counter here to improve their strength if there was not 1854 * enough entropy available immediately after system startup. 1855 */ 1856 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first " 1857 "station"); 1858 if (random_pool_ready() != 1) { 1859 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool " 1860 "to proceed - reject first 4-way handshake"); 1861 group->reject_4way_hs_for_entropy = TRUE; 1862 } else { 1863 group->first_sta_seen = TRUE; 1864 group->reject_4way_hs_for_entropy = FALSE; 1865 } 1866 1867 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 || 1868 wpa_gtk_update(wpa_auth, group) < 0 || 1869 wpa_group_config_group_keys(wpa_auth, group) < 0) { 1870 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed"); 1871 group->first_sta_seen = FALSE; 1872 group->reject_4way_hs_for_entropy = TRUE; 1873 } 1874} 1875 1876 1877SM_STATE(WPA_PTK, AUTHENTICATION2) 1878{ 1879 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk); 1880 1881 wpa_group_ensure_init(sm->wpa_auth, sm->group); 1882 sm->ReAuthenticationRequest = FALSE; 1883 1884 /* 1885 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat 1886 * ambiguous. The Authenticator state machine uses a counter that is 1887 * incremented by one for each 4-way handshake. However, the security 1888 * analysis of 4-way handshake points out that unpredictable nonces 1889 * help in preventing precomputation attacks. Instead of the state 1890 * machine definition, use an unpredictable nonce value here to provide 1891 * stronger protection against potential precomputation attacks. 1892 */ 1893 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1894 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for " 1895 "ANonce."); 1896 sm->Disconnect = TRUE; 1897 return; 1898 } 1899 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce, 1900 WPA_NONCE_LEN); 1901 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more 1902 * logical place than INITIALIZE since AUTHENTICATION2 can be 1903 * re-entered on ReAuthenticationRequest without going through 1904 * INITIALIZE. */ 1905 sm->TimeoutCtr = 0; 1906} 1907 1908 1909static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm) 1910{ 1911 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) { 1912 wpa_printf(MSG_ERROR, 1913 "WPA: Failed to get random data for ANonce"); 1914 sm->Disconnect = TRUE; 1915 return -1; 1916 } 1917 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce, 1918 WPA_NONCE_LEN); 1919 sm->TimeoutCtr = 0; 1920 return 0; 1921} 1922 1923 1924SM_STATE(WPA_PTK, INITPMK) 1925{ 1926 u8 msk[2 * PMK_LEN]; 1927 size_t len = 2 * PMK_LEN; 1928 1929 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk); 1930#ifdef CONFIG_IEEE80211R_AP 1931 sm->xxkey_len = 0; 1932#endif /* CONFIG_IEEE80211R_AP */ 1933 if (sm->pmksa) { 1934 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache"); 1935 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 1936 sm->pmk_len = sm->pmksa->pmk_len; 1937#ifdef CONFIG_DPP 1938 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) { 1939 wpa_printf(MSG_DEBUG, 1940 "DPP: No PMKSA cache entry for STA - reject connection"); 1941 sm->Disconnect = TRUE; 1942 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID; 1943 return; 1944#endif /* CONFIG_DPP */ 1945 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) { 1946 unsigned int pmk_len; 1947 1948 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) 1949 pmk_len = PMK_LEN_SUITE_B_192; 1950 else 1951 pmk_len = PMK_LEN; 1952 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine " 1953 "(MSK len=%lu PMK len=%u)", (unsigned long) len, 1954 pmk_len); 1955 if (len < pmk_len) { 1956 wpa_printf(MSG_DEBUG, 1957 "WPA: MSK not long enough (%u) to create PMK (%u)", 1958 (unsigned int) len, (unsigned int) pmk_len); 1959 sm->Disconnect = TRUE; 1960 return; 1961 } 1962 os_memcpy(sm->PMK, msk, pmk_len); 1963 sm->pmk_len = pmk_len; 1964#ifdef CONFIG_IEEE80211R_AP 1965 if (len >= 2 * PMK_LEN) { 1966 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN); 1967 sm->xxkey_len = PMK_LEN; 1968 } 1969#endif /* CONFIG_IEEE80211R_AP */ 1970 } else { 1971 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p", 1972 sm->wpa_auth->cb->get_msk); 1973 sm->Disconnect = TRUE; 1974 return; 1975 } 1976 os_memset(msk, 0, sizeof(msk)); 1977 1978 sm->req_replay_counter_used = 0; 1979 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this 1980 * will break reauthentication since EAPOL state machines may not be 1981 * get into AUTHENTICATING state that clears keyRun before WPA state 1982 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK 1983 * state and takes PMK from the previously used AAA Key. This will 1984 * eventually fail in 4-Way Handshake because Supplicant uses PMK 1985 * derived from the new AAA Key. Setting keyRun = FALSE here seems to 1986 * be good workaround for this issue. */ 1987 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0); 1988} 1989 1990 1991SM_STATE(WPA_PTK, INITPSK) 1992{ 1993 const u8 *psk; 1994 size_t psk_len; 1995 1996 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk); 1997 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL, 1998 &psk_len); 1999 if (psk) { 2000 os_memcpy(sm->PMK, psk, psk_len); 2001 sm->pmk_len = psk_len; 2002#ifdef CONFIG_IEEE80211R_AP 2003 os_memcpy(sm->xxkey, psk, PMK_LEN); 2004 sm->xxkey_len = PMK_LEN; 2005#endif /* CONFIG_IEEE80211R_AP */ 2006 } 2007#ifdef CONFIG_SAE 2008 if (wpa_auth_uses_sae(sm) && sm->pmksa) { 2009 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache"); 2010 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len); 2011 sm->pmk_len = sm->pmksa->pmk_len; 2012 } 2013#endif /* CONFIG_SAE */ 2014 sm->req_replay_counter_used = 0; 2015} 2016 2017 2018SM_STATE(WPA_PTK, PTKSTART) 2019{ 2020 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL; 2021 size_t pmkid_len = 0; 2022 2023 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk); 2024 sm->PTKRequest = FALSE; 2025 sm->TimeoutEvt = FALSE; 2026 sm->alt_snonce_valid = FALSE; 2027 2028 sm->TimeoutCtr++; 2029 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2030 /* No point in sending the EAPOL-Key - we will disconnect 2031 * immediately following this. */ 2032 return; 2033 } 2034 2035 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2036 "sending 1/4 msg of 4-Way Handshake"); 2037 /* 2038 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only 2039 * one possible PSK for this STA. 2040 */ 2041 if (sm->wpa == WPA_VERSION_WPA2 && 2042 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) || 2043 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) || 2044 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) && 2045 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) { 2046 pmkid = buf; 2047 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 2048 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC; 2049 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN; 2050 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID); 2051 if (sm->pmksa) { 2052 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN], 2053 sm->pmksa->pmkid, PMKID_LEN); 2054 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) { 2055 /* No KCK available to derive PMKID */ 2056 pmkid = NULL; 2057 } else { 2058 /* 2059 * Calculate PMKID since no PMKSA cache entry was 2060 * available with pre-calculated PMKID. 2061 */ 2062 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr, 2063 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN], 2064 sm->wpa_key_mgmt); 2065 } 2066 } 2067 wpa_send_eapol(sm->wpa_auth, sm, 2068 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 2069 sm->ANonce, pmkid, pmkid_len, 0, 0); 2070} 2071 2072 2073static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce, 2074 const u8 *pmk, unsigned int pmk_len, 2075 struct wpa_ptk *ptk) 2076{ 2077#ifdef CONFIG_IEEE80211R_AP 2078 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 2079 return wpa_auth_derive_ptk_ft(sm, pmk, ptk); 2080#endif /* CONFIG_IEEE80211R_AP */ 2081 2082 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion", 2083 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce, 2084 ptk, sm->wpa_key_mgmt, sm->pairwise); 2085} 2086 2087 2088#ifdef CONFIG_FILS 2089 2090int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, 2091 size_t pmk_len, const u8 *snonce, const u8 *anonce, 2092 const u8 *dhss, size_t dhss_len, 2093 struct wpabuf *g_sta, struct wpabuf *g_ap) 2094{ 2095 u8 ick[FILS_ICK_MAX_LEN]; 2096 size_t ick_len; 2097 int res; 2098 u8 fils_ft[FILS_FT_MAX_LEN]; 2099 size_t fils_ft_len = 0; 2100 2101 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr, 2102 snonce, anonce, dhss, dhss_len, 2103 &sm->PTK, ick, &ick_len, 2104 sm->wpa_key_mgmt, sm->pairwise, 2105 fils_ft, &fils_ft_len); 2106 if (res < 0) 2107 return res; 2108 sm->PTK_valid = TRUE; 2109 sm->tk_already_set = FALSE; 2110 2111#ifdef CONFIG_IEEE80211R_AP 2112 if (fils_ft_len) { 2113 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2114 struct wpa_auth_config *conf = &wpa_auth->conf; 2115 u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN]; 2116 2117 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len, 2118 conf->ssid, conf->ssid_len, 2119 conf->mobility_domain, 2120 conf->r0_key_holder, 2121 conf->r0_key_holder_len, 2122 sm->addr, pmk_r0, pmk_r0_name) < 0) 2123 return -1; 2124 2125 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", pmk_r0, PMK_LEN); 2126 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name", 2127 pmk_r0_name, WPA_PMK_NAME_LEN); 2128 wpa_ft_store_pmk_r0(wpa_auth, sm->addr, pmk_r0, pmk_r0_name, 2129 sm->pairwise); 2130 os_memset(fils_ft, 0, sizeof(fils_ft)); 2131 } 2132#endif /* CONFIG_IEEE80211R_AP */ 2133 2134 res = fils_key_auth_sk(ick, ick_len, snonce, anonce, 2135 sm->addr, sm->wpa_auth->addr, 2136 g_sta ? wpabuf_head(g_sta) : NULL, 2137 g_sta ? wpabuf_len(g_sta) : 0, 2138 g_ap ? wpabuf_head(g_ap) : NULL, 2139 g_ap ? wpabuf_len(g_ap) : 0, 2140 sm->wpa_key_mgmt, sm->fils_key_auth_sta, 2141 sm->fils_key_auth_ap, 2142 &sm->fils_key_auth_len); 2143 os_memset(ick, 0, sizeof(ick)); 2144 2145 /* Store nonces for (Re)Association Request/Response frame processing */ 2146 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN); 2147 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN); 2148 2149 return res; 2150} 2151 2152 2153static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk, 2154 u8 *buf, size_t buf_len, u16 *_key_data_len) 2155{ 2156 struct ieee802_1x_hdr *hdr; 2157 struct wpa_eapol_key *key; 2158 u8 *pos; 2159 u16 key_data_len; 2160 u8 *tmp; 2161 const u8 *aad[1]; 2162 size_t aad_len[1]; 2163 2164 hdr = (struct ieee802_1x_hdr *) buf; 2165 key = (struct wpa_eapol_key *) (hdr + 1); 2166 pos = (u8 *) (key + 1); 2167 key_data_len = WPA_GET_BE16(pos); 2168 if (key_data_len < AES_BLOCK_SIZE || 2169 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) { 2170 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2171 "No room for AES-SIV data in the frame"); 2172 return -1; 2173 } 2174 pos += 2; /* Pointing at the Encrypted Key Data field */ 2175 2176 tmp = os_malloc(key_data_len); 2177 if (!tmp) 2178 return -1; 2179 2180 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 2181 * to Key Data (exclusive). */ 2182 aad[0] = buf; 2183 aad_len[0] = pos - buf; 2184 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len, 2185 1, aad, aad_len, tmp) < 0) { 2186 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 2187 "Invalid AES-SIV data in the frame"); 2188 bin_clear_free(tmp, key_data_len); 2189 return -1; 2190 } 2191 2192 /* AEAD decryption and validation completed successfully */ 2193 key_data_len -= AES_BLOCK_SIZE; 2194 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 2195 tmp, key_data_len); 2196 2197 /* Replace Key Data field with the decrypted version */ 2198 os_memcpy(pos, tmp, key_data_len); 2199 pos -= 2; /* Key Data Length field */ 2200 WPA_PUT_BE16(pos, key_data_len); 2201 bin_clear_free(tmp, key_data_len); 2202 if (_key_data_len) 2203 *_key_data_len = key_data_len; 2204 return 0; 2205} 2206 2207 2208const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm, 2209 const u8 *ies, size_t ies_len, 2210 const u8 *fils_session) 2211{ 2212 const u8 *ie, *end; 2213 const u8 *session = NULL; 2214 2215 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2216 wpa_printf(MSG_DEBUG, 2217 "FILS: Not a FILS AKM - reject association"); 2218 return NULL; 2219 } 2220 2221 /* Verify Session element */ 2222 ie = ies; 2223 end = ((const u8 *) ie) + ies_len; 2224 while (ie + 1 < end) { 2225 if (ie + 2 + ie[1] > end) 2226 break; 2227 if (ie[0] == WLAN_EID_EXTENSION && 2228 ie[1] >= 1 + FILS_SESSION_LEN && 2229 ie[2] == WLAN_EID_EXT_FILS_SESSION) { 2230 session = ie; 2231 break; 2232 } 2233 ie += 2 + ie[1]; 2234 } 2235 2236 if (!session) { 2237 wpa_printf(MSG_DEBUG, 2238 "FILS: %s: Could not find FILS Session element in Assoc Req - reject", 2239 __func__); 2240 return NULL; 2241 } 2242 2243 if (!fils_session) { 2244 wpa_printf(MSG_DEBUG, 2245 "FILS: %s: Could not find FILS Session element in STA entry - reject", 2246 __func__); 2247 return NULL; 2248 } 2249 2250 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) { 2251 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 2252 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 2253 fils_session, FILS_SESSION_LEN); 2254 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 2255 session + 3, FILS_SESSION_LEN); 2256 return NULL; 2257 } 2258 return session; 2259} 2260 2261 2262int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies, 2263 size_t ies_len) 2264{ 2265 struct ieee802_11_elems elems; 2266 2267 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) { 2268 wpa_printf(MSG_DEBUG, 2269 "FILS: Failed to parse decrypted elements"); 2270 return -1; 2271 } 2272 2273 if (!elems.fils_session) { 2274 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 2275 return -1; 2276 } 2277 2278 if (!elems.fils_key_confirm) { 2279 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 2280 return -1; 2281 } 2282 2283 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 2284 wpa_printf(MSG_DEBUG, 2285 "FILS: Unexpected Key-Auth length %d (expected %d)", 2286 elems.fils_key_confirm_len, 2287 (int) sm->fils_key_auth_len); 2288 return -1; 2289 } 2290 2291 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta, 2292 sm->fils_key_auth_len) != 0) { 2293 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 2294 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 2295 elems.fils_key_confirm, elems.fils_key_confirm_len); 2296 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 2297 sm->fils_key_auth_sta, sm->fils_key_auth_len); 2298 return -1; 2299 } 2300 2301 return 0; 2302} 2303 2304 2305int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session, 2306 const struct ieee80211_mgmt *mgmt, size_t frame_len, 2307 u8 *pos, size_t left) 2308{ 2309 u16 fc, stype; 2310 const u8 *end, *ie_start, *ie, *session, *crypt; 2311 const u8 *aad[5]; 2312 size_t aad_len[5]; 2313 2314 if (!sm || !sm->PTK_valid) { 2315 wpa_printf(MSG_DEBUG, 2316 "FILS: No KEK to decrypt Assocication Request frame"); 2317 return -1; 2318 } 2319 2320 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) { 2321 wpa_printf(MSG_DEBUG, 2322 "FILS: Not a FILS AKM - reject association"); 2323 return -1; 2324 } 2325 2326 end = ((const u8 *) mgmt) + frame_len; 2327 fc = le_to_host16(mgmt->frame_control); 2328 stype = WLAN_FC_GET_STYPE(fc); 2329 if (stype == WLAN_FC_STYPE_REASSOC_REQ) 2330 ie_start = mgmt->u.reassoc_req.variable; 2331 else 2332 ie_start = mgmt->u.assoc_req.variable; 2333 ie = ie_start; 2334 2335 /* 2336 * Find FILS Session element which is the last unencrypted element in 2337 * the frame. 2338 */ 2339 session = wpa_fils_validate_fils_session(sm, ie, end - ie, 2340 fils_session); 2341 if (!session) { 2342 wpa_printf(MSG_DEBUG, "FILS: Session validation failed"); 2343 return -1; 2344 } 2345 2346 crypt = session + 2 + session[1]; 2347 2348 if (end - crypt < AES_BLOCK_SIZE) { 2349 wpa_printf(MSG_DEBUG, 2350 "FILS: Too short frame to include AES-SIV data"); 2351 return -1; 2352 } 2353 2354 /* AES-SIV AAD vectors */ 2355 2356 /* The STA's MAC address */ 2357 aad[0] = mgmt->sa; 2358 aad_len[0] = ETH_ALEN; 2359 /* The AP's BSSID */ 2360 aad[1] = mgmt->da; 2361 aad_len[1] = ETH_ALEN; 2362 /* The STA's nonce */ 2363 aad[2] = sm->SNonce; 2364 aad_len[2] = FILS_NONCE_LEN; 2365 /* The AP's nonce */ 2366 aad[3] = sm->ANonce; 2367 aad_len[3] = FILS_NONCE_LEN; 2368 /* 2369 * The (Re)Association Request frame from the Capability Information 2370 * field to the FILS Session element (both inclusive). 2371 */ 2372 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info; 2373 aad_len[4] = crypt - aad[4]; 2374 2375 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt, 2376 5, aad, aad_len, pos + (crypt - ie_start)) < 0) { 2377 wpa_printf(MSG_DEBUG, 2378 "FILS: Invalid AES-SIV data in the frame"); 2379 return -1; 2380 } 2381 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements", 2382 pos, left - AES_BLOCK_SIZE); 2383 2384 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) { 2385 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed"); 2386 return -1; 2387 } 2388 2389 return left - AES_BLOCK_SIZE; 2390} 2391 2392 2393int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf, 2394 size_t current_len, size_t max_len, 2395 const struct wpabuf *hlp) 2396{ 2397 u8 *end = buf + max_len; 2398 u8 *pos = buf + current_len; 2399 struct ieee80211_mgmt *mgmt; 2400 struct wpabuf *plain; 2401 const u8 *aad[5]; 2402 size_t aad_len[5]; 2403 2404 if (!sm || !sm->PTK_valid) 2405 return -1; 2406 2407 wpa_hexdump(MSG_DEBUG, 2408 "FILS: Association Response frame before FILS processing", 2409 buf, current_len); 2410 2411 mgmt = (struct ieee80211_mgmt *) buf; 2412 2413 /* AES-SIV AAD vectors */ 2414 2415 /* The AP's BSSID */ 2416 aad[0] = mgmt->sa; 2417 aad_len[0] = ETH_ALEN; 2418 /* The STA's MAC address */ 2419 aad[1] = mgmt->da; 2420 aad_len[1] = ETH_ALEN; 2421 /* The AP's nonce */ 2422 aad[2] = sm->ANonce; 2423 aad_len[2] = FILS_NONCE_LEN; 2424 /* The STA's nonce */ 2425 aad[3] = sm->SNonce; 2426 aad_len[3] = FILS_NONCE_LEN; 2427 /* 2428 * The (Re)Association Response frame from the Capability Information 2429 * field (the same offset in both Association and Reassociation 2430 * Response frames) to the FILS Session element (both inclusive). 2431 */ 2432 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info; 2433 aad_len[4] = pos - aad[4]; 2434 2435 /* The following elements will be encrypted with AES-SIV */ 2436 plain = fils_prepare_plainbuf(sm, hlp); 2437 if (!plain) { 2438 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2439 return -1; 2440 } 2441 2442 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) { 2443 wpa_printf(MSG_DEBUG, 2444 "FILS: Not enough room for FILS elements"); 2445 wpabuf_free(plain); 2446 return -1; 2447 } 2448 2449 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext", 2450 plain); 2451 2452 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, 2453 wpabuf_head(plain), wpabuf_len(plain), 2454 5, aad, aad_len, pos) < 0) { 2455 wpabuf_free(plain); 2456 return -1; 2457 } 2458 2459 wpa_hexdump(MSG_DEBUG, 2460 "FILS: Encrypted Association Response elements", 2461 pos, AES_BLOCK_SIZE + wpabuf_len(plain)); 2462 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE; 2463 wpabuf_free(plain); 2464 2465 sm->fils_completed = 1; 2466 2467 return current_len; 2468} 2469 2470 2471static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm, 2472 const struct wpabuf *hlp) 2473{ 2474 struct wpabuf *plain; 2475 u8 *len, *tmp, *tmp2; 2476 u8 hdr[2]; 2477 u8 *gtk, dummy_gtk[32]; 2478 size_t gtk_len; 2479 struct wpa_group *gsm; 2480 2481 plain = wpabuf_alloc(1000); 2482 if (!plain) 2483 return NULL; 2484 2485 /* TODO: FILS Public Key */ 2486 2487 /* FILS Key Confirmation */ 2488 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2489 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */ 2490 /* Element ID Extension */ 2491 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM); 2492 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len); 2493 2494 /* FILS HLP Container */ 2495 if (hlp) 2496 wpabuf_put_buf(plain, hlp); 2497 2498 /* TODO: FILS IP Address Assignment */ 2499 2500 /* Key Delivery */ 2501 gsm = sm->group; 2502 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */ 2503 len = wpabuf_put(plain, 1); 2504 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY); 2505 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, 2506 wpabuf_put(plain, WPA_KEY_RSC_LEN)); 2507 /* GTK KDE */ 2508 gtk = gsm->GTK[gsm->GN - 1]; 2509 gtk_len = gsm->GTK_len; 2510 if (sm->wpa_auth->conf.disable_gtk) { 2511 /* 2512 * Provide unique random GTK to each STA to prevent use 2513 * of GTK in the BSS. 2514 */ 2515 if (random_get_bytes(dummy_gtk, gtk_len) < 0) { 2516 wpabuf_free(plain); 2517 return NULL; 2518 } 2519 gtk = dummy_gtk; 2520 } 2521 hdr[0] = gsm->GN & 0x03; 2522 hdr[1] = 0; 2523 tmp = wpabuf_put(plain, 0); 2524 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2525 gtk, gtk_len); 2526 wpabuf_put(plain, tmp2 - tmp); 2527 2528 /* IGTK KDE */ 2529 tmp = wpabuf_put(plain, 0); 2530 tmp2 = ieee80211w_kde_add(sm, tmp); 2531 wpabuf_put(plain, tmp2 - tmp); 2532 2533 *len = (u8 *) wpabuf_put(plain, 0) - len - 1; 2534 return plain; 2535} 2536 2537 2538int fils_set_tk(struct wpa_state_machine *sm) 2539{ 2540 enum wpa_alg alg; 2541 int klen; 2542 2543 if (!sm || !sm->PTK_valid) { 2544 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK"); 2545 return -1; 2546 } 2547 if (sm->tk_already_set) { 2548 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver"); 2549 return -1; 2550 } 2551 2552 alg = wpa_cipher_to_alg(sm->pairwise); 2553 klen = wpa_cipher_key_len(sm->pairwise); 2554 2555 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver"); 2556 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 2557 sm->PTK.tk, klen)) { 2558 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); 2559 return -1; 2560 } 2561 sm->tk_already_set = TRUE; 2562 2563 return 0; 2564} 2565 2566 2567u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf, 2568 const u8 *fils_session, struct wpabuf *hlp) 2569{ 2570 struct wpabuf *plain; 2571 u8 *pos = buf; 2572 2573 /* FILS Session */ 2574 *pos++ = WLAN_EID_EXTENSION; /* Element ID */ 2575 *pos++ = 1 + FILS_SESSION_LEN; /* Length */ 2576 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */ 2577 os_memcpy(pos, fils_session, FILS_SESSION_LEN); 2578 pos += FILS_SESSION_LEN; 2579 2580 plain = fils_prepare_plainbuf(sm, hlp); 2581 if (!plain) { 2582 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed"); 2583 return NULL; 2584 } 2585 2586 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain)); 2587 pos += wpabuf_len(plain); 2588 2589 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__, 2590 (unsigned int) wpabuf_len(plain)); 2591 wpabuf_free(plain); 2592 sm->fils_completed = 1; 2593 return pos; 2594} 2595 2596#endif /* CONFIG_FILS */ 2597 2598 2599SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) 2600{ 2601 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 2602 struct wpa_ptk PTK; 2603 int ok = 0, psk_found = 0; 2604 const u8 *pmk = NULL; 2605 size_t pmk_len; 2606 int ft; 2607 const u8 *eapol_key_ie, *key_data, *mic; 2608 u16 key_data_length; 2609 size_t mic_len, eapol_key_ie_len; 2610 struct ieee802_1x_hdr *hdr; 2611 struct wpa_eapol_key *key; 2612 struct wpa_eapol_ie_parse kde; 2613 2614 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk); 2615 sm->EAPOLKeyReceived = FALSE; 2616 sm->update_snonce = FALSE; 2617 os_memset(&PTK, 0, sizeof(PTK)); 2618 2619 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len); 2620 2621 /* WPA with IEEE 802.1X: use the derived PMK from EAP 2622 * WPA-PSK: iterate through possible PSKs and select the one matching 2623 * the packet */ 2624 for (;;) { 2625 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && 2626 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) { 2627 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, 2628 sm->p2p_dev_addr, pmk, &pmk_len); 2629 if (pmk == NULL) 2630 break; 2631 psk_found = 1; 2632 } else { 2633 pmk = sm->PMK; 2634 pmk_len = sm->pmk_len; 2635 } 2636 2637 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0) 2638 break; 2639 2640 if (mic_len && 2641 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK, 2642 sm->last_rx_eapol_key, 2643 sm->last_rx_eapol_key_len) == 0) { 2644 ok = 1; 2645 break; 2646 } 2647 2648#ifdef CONFIG_FILS 2649 if (!mic_len && 2650 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key, 2651 sm->last_rx_eapol_key_len, NULL) == 0) { 2652 ok = 1; 2653 break; 2654 } 2655#endif /* CONFIG_FILS */ 2656 2657 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) 2658 break; 2659 } 2660 2661 if (!ok) { 2662 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2663 "invalid MIC in msg 2/4 of 4-Way Handshake"); 2664 if (psk_found) 2665 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr); 2666 return; 2667 } 2668 2669 /* 2670 * Note: last_rx_eapol_key length fields have already been validated in 2671 * wpa_receive(). 2672 */ 2673 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key; 2674 key = (struct wpa_eapol_key *) (hdr + 1); 2675 mic = (u8 *) (key + 1); 2676 key_data = mic + mic_len + 2; 2677 key_data_length = WPA_GET_BE16(mic + mic_len); 2678 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) - 2679 sizeof(*key) - mic_len - 2) 2680 return; 2681 2682 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) { 2683 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO, 2684 "received EAPOL-Key msg 2/4 with invalid Key Data contents"); 2685 return; 2686 } 2687 if (kde.rsn_ie) { 2688 eapol_key_ie = kde.rsn_ie; 2689 eapol_key_ie_len = kde.rsn_ie_len; 2690 } else if (kde.osen) { 2691 eapol_key_ie = kde.osen; 2692 eapol_key_ie_len = kde.osen_len; 2693 } else { 2694 eapol_key_ie = kde.wpa_ie; 2695 eapol_key_ie_len = kde.wpa_ie_len; 2696 } 2697 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt); 2698 if (sm->wpa_ie == NULL || 2699 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len, 2700 eapol_key_ie, eapol_key_ie_len)) { 2701 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, 2702 "WPA IE from (Re)AssocReq did not match with msg 2/4"); 2703 if (sm->wpa_ie) { 2704 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq", 2705 sm->wpa_ie, sm->wpa_ie_len); 2706 } 2707 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4", 2708 eapol_key_ie, eapol_key_ie_len); 2709 /* MLME-DEAUTHENTICATE.request */ 2710 wpa_sta_disconnect(wpa_auth, sm->addr, 2711 WLAN_REASON_PREV_AUTH_NOT_VALID); 2712 return; 2713 } 2714#ifdef CONFIG_IEEE80211R_AP 2715 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) { 2716 wpa_sta_disconnect(wpa_auth, sm->addr, 2717 WLAN_REASON_PREV_AUTH_NOT_VALID); 2718 return; 2719 } 2720#endif /* CONFIG_IEEE80211R_AP */ 2721#ifdef CONFIG_P2P 2722 if (kde.ip_addr_req && kde.ip_addr_req[0] && 2723 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) { 2724 int idx; 2725 wpa_printf(MSG_DEBUG, 2726 "P2P: IP address requested in EAPOL-Key exchange"); 2727 idx = bitfield_get_first_zero(wpa_auth->ip_pool); 2728 if (idx >= 0) { 2729 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start); 2730 bitfield_set(wpa_auth->ip_pool, idx); 2731 WPA_PUT_BE32(sm->ip_addr, start + idx); 2732 wpa_printf(MSG_DEBUG, 2733 "P2P: Assigned IP address %u.%u.%u.%u to " 2734 MACSTR, sm->ip_addr[0], sm->ip_addr[1], 2735 sm->ip_addr[2], sm->ip_addr[3], 2736 MAC2STR(sm->addr)); 2737 } 2738 } 2739#endif /* CONFIG_P2P */ 2740 2741#ifdef CONFIG_IEEE80211R_AP 2742 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2743 /* 2744 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches 2745 * with the value we derived. 2746 */ 2747 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name, 2748 WPA_PMK_NAME_LEN) != 0) { 2749 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2750 "PMKR1Name mismatch in FT 4-way " 2751 "handshake"); 2752 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from " 2753 "Supplicant", 2754 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN); 2755 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 2756 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 2757 return; 2758 } 2759 } 2760#endif /* CONFIG_IEEE80211R_AP */ 2761 2762 sm->pending_1_of_4_timeout = 0; 2763 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm); 2764 2765 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) { 2766 /* PSK may have changed from the previous choice, so update 2767 * state machine data based on whatever PSK was selected here. 2768 */ 2769 os_memcpy(sm->PMK, pmk, PMK_LEN); 2770 sm->pmk_len = PMK_LEN; 2771 } 2772 2773 sm->MICVerified = TRUE; 2774 2775 os_memcpy(&sm->PTK, &PTK, sizeof(PTK)); 2776 sm->PTK_valid = TRUE; 2777} 2778 2779 2780SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2) 2781{ 2782 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk); 2783 sm->TimeoutCtr = 0; 2784} 2785 2786 2787#ifdef CONFIG_IEEE80211W 2788 2789static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2790{ 2791 if (sm->mgmt_frame_prot) { 2792 size_t len; 2793 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2794 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len; 2795 } 2796 2797 return 0; 2798} 2799 2800 2801static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2802{ 2803 struct wpa_igtk_kde igtk; 2804 struct wpa_group *gsm = sm->group; 2805 u8 rsc[WPA_KEY_RSC_LEN]; 2806 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 2807 2808 if (!sm->mgmt_frame_prot) 2809 return pos; 2810 2811 igtk.keyid[0] = gsm->GN_igtk; 2812 igtk.keyid[1] = 0; 2813 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE || 2814 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0) 2815 os_memset(igtk.pn, 0, sizeof(igtk.pn)); 2816 else 2817 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn)); 2818 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len); 2819 if (sm->wpa_auth->conf.disable_gtk) { 2820 /* 2821 * Provide unique random IGTK to each STA to prevent use of 2822 * IGTK in the BSS. 2823 */ 2824 if (random_get_bytes(igtk.igtk, len) < 0) 2825 return pos; 2826 } 2827 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK, 2828 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len, 2829 NULL, 0); 2830 2831 return pos; 2832} 2833 2834#else /* CONFIG_IEEE80211W */ 2835 2836static int ieee80211w_kde_len(struct wpa_state_machine *sm) 2837{ 2838 return 0; 2839} 2840 2841 2842static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos) 2843{ 2844 return pos; 2845} 2846 2847#endif /* CONFIG_IEEE80211W */ 2848 2849 2850SM_STATE(WPA_PTK, PTKINITNEGOTIATING) 2851{ 2852 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32]; 2853 size_t gtk_len, kde_len; 2854 struct wpa_group *gsm = sm->group; 2855 u8 *wpa_ie; 2856 int wpa_ie_len, secure, keyidx, encr = 0; 2857 2858 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk); 2859 sm->TimeoutEvt = FALSE; 2860 2861 sm->TimeoutCtr++; 2862 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 2863 sm->TimeoutCtr > 1) { 2864 /* Do not allow retransmission of EAPOL-Key msg 3/4 */ 2865 return; 2866 } 2867 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) { 2868 /* No point in sending the EAPOL-Key - we will disconnect 2869 * immediately following this. */ 2870 return; 2871 } 2872 2873 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 2874 GTK[GN], IGTK, [FTIE], [TIE * 2]) 2875 */ 2876 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 2877 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 2878 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 2879 wpa_ie = sm->wpa_auth->wpa_ie; 2880 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 2881 if (sm->wpa == WPA_VERSION_WPA && 2882 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 2883 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 2884 /* WPA-only STA, remove RSN IE and possible MDIE */ 2885 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2886 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 2887 wpa_ie = wpa_ie + wpa_ie[1] + 2; 2888 wpa_ie_len = wpa_ie[1] + 2; 2889 } 2890 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2891 "sending 3/4 msg of 4-Way Handshake"); 2892 if (sm->wpa == WPA_VERSION_WPA2) { 2893 /* WPA2 send GTK in the 4-way handshake */ 2894 secure = 1; 2895 gtk = gsm->GTK[gsm->GN - 1]; 2896 gtk_len = gsm->GTK_len; 2897 if (sm->wpa_auth->conf.disable_gtk) { 2898 /* 2899 * Provide unique random GTK to each STA to prevent use 2900 * of GTK in the BSS. 2901 */ 2902 if (random_get_bytes(dummy_gtk, gtk_len) < 0) 2903 return; 2904 gtk = dummy_gtk; 2905 } 2906 keyidx = gsm->GN; 2907 _rsc = rsc; 2908 encr = 1; 2909 } else { 2910 /* WPA does not include GTK in msg 3/4 */ 2911 secure = 0; 2912 gtk = NULL; 2913 gtk_len = 0; 2914 keyidx = 0; 2915 _rsc = NULL; 2916 if (sm->rx_eapol_key_secure) { 2917 /* 2918 * It looks like Windows 7 supplicant tries to use 2919 * Secure bit in msg 2/4 after having reported Michael 2920 * MIC failure and it then rejects the 4-way handshake 2921 * if msg 3/4 does not set Secure bit. Work around this 2922 * by setting the Secure bit here even in the case of 2923 * WPA if the supplicant used it first. 2924 */ 2925 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 2926 "STA used Secure bit in WPA msg 2/4 - " 2927 "set Secure for 3/4 as workaround"); 2928 secure = 1; 2929 } 2930 } 2931 2932 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 2933 if (gtk) 2934 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 2935#ifdef CONFIG_IEEE80211R_AP 2936 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2937 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 2938 kde_len += 300; /* FTIE + 2 * TIE */ 2939 } 2940#endif /* CONFIG_IEEE80211R_AP */ 2941#ifdef CONFIG_P2P 2942 if (WPA_GET_BE32(sm->ip_addr) > 0) 2943 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4; 2944#endif /* CONFIG_P2P */ 2945 kde = os_malloc(kde_len); 2946 if (kde == NULL) 2947 return; 2948 2949 pos = kde; 2950 os_memcpy(pos, wpa_ie, wpa_ie_len); 2951 pos += wpa_ie_len; 2952#ifdef CONFIG_IEEE80211R_AP 2953 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2954 int res; 2955 size_t elen; 2956 2957 elen = pos - kde; 2958 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 2959 if (res < 0) { 2960 wpa_printf(MSG_ERROR, "FT: Failed to insert " 2961 "PMKR1Name into RSN IE in EAPOL-Key data"); 2962 os_free(kde); 2963 return; 2964 } 2965 pos -= wpa_ie_len; 2966 pos += elen; 2967 } 2968#endif /* CONFIG_IEEE80211R_AP */ 2969 if (gtk) { 2970 u8 hdr[2]; 2971 hdr[0] = keyidx & 0x03; 2972 hdr[1] = 0; 2973 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 2974 gtk, gtk_len); 2975 } 2976 pos = ieee80211w_kde_add(sm, pos); 2977 2978#ifdef CONFIG_IEEE80211R_AP 2979 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 2980 int res; 2981 struct wpa_auth_config *conf; 2982 2983 conf = &sm->wpa_auth->conf; 2984 if (sm->assoc_resp_ftie && 2985 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 2986 os_memcpy(pos, sm->assoc_resp_ftie, 2987 2 + sm->assoc_resp_ftie[1]); 2988 res = 2 + sm->assoc_resp_ftie[1]; 2989 } else { 2990 res = wpa_write_ftie(conf, conf->r0_key_holder, 2991 conf->r0_key_holder_len, 2992 NULL, NULL, pos, 2993 kde + kde_len - pos, 2994 NULL, 0); 2995 } 2996 if (res < 0) { 2997 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 2998 "into EAPOL-Key Key Data"); 2999 os_free(kde); 3000 return; 3001 } 3002 pos += res; 3003 3004 /* TIE[ReassociationDeadline] (TU) */ 3005 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3006 *pos++ = 5; 3007 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 3008 WPA_PUT_LE32(pos, conf->reassociation_deadline); 3009 pos += 4; 3010 3011 /* TIE[KeyLifetime] (seconds) */ 3012 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 3013 *pos++ = 5; 3014 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 3015 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 3016 pos += 4; 3017 } 3018#endif /* CONFIG_IEEE80211R_AP */ 3019#ifdef CONFIG_P2P 3020 if (WPA_GET_BE32(sm->ip_addr) > 0) { 3021 u8 addr[3 * 4]; 3022 os_memcpy(addr, sm->ip_addr, 4); 3023 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4); 3024 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4); 3025 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC, 3026 addr, sizeof(addr), NULL, 0); 3027 } 3028#endif /* CONFIG_P2P */ 3029 3030 wpa_send_eapol(sm->wpa_auth, sm, 3031 (secure ? WPA_KEY_INFO_SECURE : 0) | 3032 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3033 WPA_KEY_INFO_MIC : 0) | 3034 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 3035 WPA_KEY_INFO_KEY_TYPE, 3036 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 3037 os_free(kde); 3038} 3039 3040 3041SM_STATE(WPA_PTK, PTKINITDONE) 3042{ 3043 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk); 3044 sm->EAPOLKeyReceived = FALSE; 3045 if (sm->Pair) { 3046 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise); 3047 int klen = wpa_cipher_key_len(sm->pairwise); 3048 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0, 3049 sm->PTK.tk, klen)) { 3050 wpa_sta_disconnect(sm->wpa_auth, sm->addr, 3051 WLAN_REASON_PREV_AUTH_NOT_VALID); 3052 return; 3053 } 3054 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */ 3055 sm->pairwise_set = TRUE; 3056 3057 if (sm->wpa_auth->conf.wpa_ptk_rekey) { 3058 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm); 3059 eloop_register_timeout(sm->wpa_auth->conf. 3060 wpa_ptk_rekey, 0, wpa_rekey_ptk, 3061 sm->wpa_auth, sm); 3062 } 3063 3064 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3065 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || 3066 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) { 3067 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3068 WPA_EAPOL_authorized, 1); 3069 } 3070 } 3071 3072 if (0 /* IBSS == TRUE */) { 3073 sm->keycount++; 3074 if (sm->keycount == 2) { 3075 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, 3076 WPA_EAPOL_portValid, 1); 3077 } 3078 } else { 3079 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 3080 1); 3081 } 3082 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0); 3083 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1); 3084 if (sm->wpa == WPA_VERSION_WPA) 3085 sm->PInitAKeys = TRUE; 3086 else 3087 sm->has_GTK = TRUE; 3088 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3089 "pairwise key handshake completed (%s)", 3090 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3091 3092#ifdef CONFIG_IEEE80211R_AP 3093 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr); 3094#endif /* CONFIG_IEEE80211R_AP */ 3095} 3096 3097 3098SM_STEP(WPA_PTK) 3099{ 3100 struct wpa_authenticator *wpa_auth = sm->wpa_auth; 3101 3102 if (sm->Init) 3103 SM_ENTER(WPA_PTK, INITIALIZE); 3104 else if (sm->Disconnect 3105 /* || FIX: dot11RSNAConfigSALifetime timeout */) { 3106 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, 3107 "WPA_PTK: sm->Disconnect"); 3108 SM_ENTER(WPA_PTK, DISCONNECT); 3109 } 3110 else if (sm->DeauthenticationRequest) 3111 SM_ENTER(WPA_PTK, DISCONNECTED); 3112 else if (sm->AuthenticationRequest) 3113 SM_ENTER(WPA_PTK, AUTHENTICATION); 3114 else if (sm->ReAuthenticationRequest) 3115 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3116 else if (sm->PTKRequest) { 3117 if (wpa_auth_sm_ptk_update(sm) < 0) 3118 SM_ENTER(WPA_PTK, DISCONNECTED); 3119 else 3120 SM_ENTER(WPA_PTK, PTKSTART); 3121 } else switch (sm->wpa_ptk_state) { 3122 case WPA_PTK_INITIALIZE: 3123 break; 3124 case WPA_PTK_DISCONNECT: 3125 SM_ENTER(WPA_PTK, DISCONNECTED); 3126 break; 3127 case WPA_PTK_DISCONNECTED: 3128 SM_ENTER(WPA_PTK, INITIALIZE); 3129 break; 3130 case WPA_PTK_AUTHENTICATION: 3131 SM_ENTER(WPA_PTK, AUTHENTICATION2); 3132 break; 3133 case WPA_PTK_AUTHENTICATION2: 3134 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) && 3135 wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 3136 WPA_EAPOL_keyRun) > 0) 3137 SM_ENTER(WPA_PTK, INITPMK); 3138 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || 3139 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE 3140 /* FIX: && 802.1X::keyRun */) 3141 SM_ENTER(WPA_PTK, INITPSK); 3142 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) 3143 SM_ENTER(WPA_PTK, INITPMK); 3144 break; 3145 case WPA_PTK_INITPMK: 3146 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr, 3147 WPA_EAPOL_keyAvailable) > 0) { 3148 SM_ENTER(WPA_PTK, PTKSTART); 3149#ifdef CONFIG_DPP 3150 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) { 3151 SM_ENTER(WPA_PTK, PTKSTART); 3152#endif /* CONFIG_DPP */ 3153 } else { 3154 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3155 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3156 "INITPMK - keyAvailable = false"); 3157 SM_ENTER(WPA_PTK, DISCONNECT); 3158 } 3159 break; 3160 case WPA_PTK_INITPSK: 3161 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, 3162 NULL, NULL)) { 3163 SM_ENTER(WPA_PTK, PTKSTART); 3164#ifdef CONFIG_SAE 3165 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) { 3166 SM_ENTER(WPA_PTK, PTKSTART); 3167#endif /* CONFIG_SAE */ 3168 } else { 3169 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3170 "no PSK configured for the STA"); 3171 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3172 SM_ENTER(WPA_PTK, DISCONNECT); 3173 } 3174 break; 3175 case WPA_PTK_PTKSTART: 3176 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3177 sm->EAPOLKeyPairwise) 3178 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3179 else if (sm->TimeoutCtr > 3180 sm->wpa_auth->conf.wpa_pairwise_update_count) { 3181 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3182 wpa_auth_vlogger( 3183 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3184 "PTKSTART: Retry limit %u reached", 3185 sm->wpa_auth->conf.wpa_pairwise_update_count); 3186 SM_ENTER(WPA_PTK, DISCONNECT); 3187 } else if (sm->TimeoutEvt) 3188 SM_ENTER(WPA_PTK, PTKSTART); 3189 break; 3190 case WPA_PTK_PTKCALCNEGOTIATING: 3191 if (sm->MICVerified) 3192 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2); 3193 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3194 sm->EAPOLKeyPairwise) 3195 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3196 else if (sm->TimeoutEvt) 3197 SM_ENTER(WPA_PTK, PTKSTART); 3198 break; 3199 case WPA_PTK_PTKCALCNEGOTIATING2: 3200 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3201 break; 3202 case WPA_PTK_PTKINITNEGOTIATING: 3203 if (sm->update_snonce) 3204 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING); 3205 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3206 sm->EAPOLKeyPairwise && sm->MICVerified) 3207 SM_ENTER(WPA_PTK, PTKINITDONE); 3208 else if (sm->TimeoutCtr > 3209 sm->wpa_auth->conf.wpa_pairwise_update_count || 3210 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3211 sm->TimeoutCtr > 1)) { 3212 wpa_auth->dot11RSNA4WayHandshakeFailures++; 3213 wpa_auth_vlogger( 3214 sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3215 "PTKINITNEGOTIATING: Retry limit %u reached", 3216 sm->wpa_auth->conf.wpa_pairwise_update_count); 3217 SM_ENTER(WPA_PTK, DISCONNECT); 3218 } else if (sm->TimeoutEvt) 3219 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING); 3220 break; 3221 case WPA_PTK_PTKINITDONE: 3222 break; 3223 } 3224} 3225 3226 3227SM_STATE(WPA_PTK_GROUP, IDLE) 3228{ 3229 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group); 3230 if (sm->Init) { 3231 /* Init flag is not cleared here, so avoid busy 3232 * loop by claiming nothing changed. */ 3233 sm->changed = FALSE; 3234 } 3235 sm->GTimeoutCtr = 0; 3236} 3237 3238 3239SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING) 3240{ 3241 u8 rsc[WPA_KEY_RSC_LEN]; 3242 struct wpa_group *gsm = sm->group; 3243 const u8 *kde; 3244 u8 *kde_buf = NULL, *pos, hdr[2]; 3245 size_t kde_len; 3246 u8 *gtk, dummy_gtk[32]; 3247 3248 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group); 3249 3250 sm->GTimeoutCtr++; 3251 if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3252 sm->GTimeoutCtr > 1) { 3253 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */ 3254 return; 3255 } 3256 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) { 3257 /* No point in sending the EAPOL-Key - we will disconnect 3258 * immediately following this. */ 3259 return; 3260 } 3261 3262 if (sm->wpa == WPA_VERSION_WPA) 3263 sm->PInitAKeys = FALSE; 3264 sm->TimeoutEvt = FALSE; 3265 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 3266 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 3267 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE) 3268 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc); 3269 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3270 "sending 1/2 msg of Group Key Handshake"); 3271 3272 gtk = gsm->GTK[gsm->GN - 1]; 3273 if (sm->wpa_auth->conf.disable_gtk) { 3274 /* 3275 * Provide unique random GTK to each STA to prevent use 3276 * of GTK in the BSS. 3277 */ 3278 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0) 3279 return; 3280 gtk = dummy_gtk; 3281 } 3282 if (sm->wpa == WPA_VERSION_WPA2) { 3283 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 3284 ieee80211w_kde_len(sm); 3285 kde_buf = os_malloc(kde_len); 3286 if (kde_buf == NULL) 3287 return; 3288 3289 kde = pos = kde_buf; 3290 hdr[0] = gsm->GN & 0x03; 3291 hdr[1] = 0; 3292 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 3293 gtk, gsm->GTK_len); 3294 pos = ieee80211w_kde_add(sm, pos); 3295 kde_len = pos - kde; 3296 } else { 3297 kde = gtk; 3298 kde_len = gsm->GTK_len; 3299 } 3300 3301 wpa_send_eapol(sm->wpa_auth, sm, 3302 WPA_KEY_INFO_SECURE | 3303 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 3304 WPA_KEY_INFO_MIC : 0) | 3305 WPA_KEY_INFO_ACK | 3306 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 3307 rsc, NULL, kde, kde_len, gsm->GN, 1); 3308 3309 os_free(kde_buf); 3310} 3311 3312 3313SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED) 3314{ 3315 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group); 3316 sm->EAPOLKeyReceived = FALSE; 3317 if (sm->GUpdateStationKeys) 3318 sm->group->GKeyDoneStations--; 3319 sm->GUpdateStationKeys = FALSE; 3320 sm->GTimeoutCtr = 0; 3321 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */ 3322 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3323 "group key handshake completed (%s)", 3324 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN"); 3325 sm->has_GTK = TRUE; 3326} 3327 3328 3329SM_STATE(WPA_PTK_GROUP, KEYERROR) 3330{ 3331 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group); 3332 if (sm->GUpdateStationKeys) 3333 sm->group->GKeyDoneStations--; 3334 sm->GUpdateStationKeys = FALSE; 3335 sm->Disconnect = TRUE; 3336 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO, 3337 "group key handshake failed (%s) after %u tries", 3338 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN", 3339 sm->wpa_auth->conf.wpa_group_update_count); 3340} 3341 3342 3343SM_STEP(WPA_PTK_GROUP) 3344{ 3345 if (sm->Init || sm->PtkGroupInit) { 3346 SM_ENTER(WPA_PTK_GROUP, IDLE); 3347 sm->PtkGroupInit = FALSE; 3348 } else switch (sm->wpa_ptk_group_state) { 3349 case WPA_PTK_GROUP_IDLE: 3350 if (sm->GUpdateStationKeys || 3351 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys)) 3352 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3353 break; 3354 case WPA_PTK_GROUP_REKEYNEGOTIATING: 3355 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest && 3356 !sm->EAPOLKeyPairwise && sm->MICVerified) 3357 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED); 3358 else if (sm->GTimeoutCtr > 3359 sm->wpa_auth->conf.wpa_group_update_count || 3360 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries && 3361 sm->GTimeoutCtr > 1)) 3362 SM_ENTER(WPA_PTK_GROUP, KEYERROR); 3363 else if (sm->TimeoutEvt) 3364 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING); 3365 break; 3366 case WPA_PTK_GROUP_KEYERROR: 3367 SM_ENTER(WPA_PTK_GROUP, IDLE); 3368 break; 3369 case WPA_PTK_GROUP_REKEYESTABLISHED: 3370 SM_ENTER(WPA_PTK_GROUP, IDLE); 3371 break; 3372 } 3373} 3374 3375 3376static int wpa_gtk_update(struct wpa_authenticator *wpa_auth, 3377 struct wpa_group *group) 3378{ 3379 int ret = 0; 3380 3381 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3382 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3383 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion", 3384 wpa_auth->addr, group->GNonce, 3385 group->GTK[group->GN - 1], group->GTK_len) < 0) 3386 ret = -1; 3387 wpa_hexdump_key(MSG_DEBUG, "GTK", 3388 group->GTK[group->GN - 1], group->GTK_len); 3389 3390#ifdef CONFIG_IEEE80211W 3391 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3392 size_t len; 3393 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3394 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN); 3395 inc_byte_array(group->Counter, WPA_NONCE_LEN); 3396 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion", 3397 wpa_auth->addr, group->GNonce, 3398 group->IGTK[group->GN_igtk - 4], len) < 0) 3399 ret = -1; 3400 wpa_hexdump_key(MSG_DEBUG, "IGTK", 3401 group->IGTK[group->GN_igtk - 4], len); 3402 } 3403#endif /* CONFIG_IEEE80211W */ 3404 3405 return ret; 3406} 3407 3408 3409static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth, 3410 struct wpa_group *group) 3411{ 3412 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3413 "GTK_INIT (VLAN-ID %d)", group->vlan_id); 3414 group->changed = FALSE; /* GInit is not cleared here; avoid loop */ 3415 group->wpa_group_state = WPA_GROUP_GTK_INIT; 3416 3417 /* GTK[0..N] = 0 */ 3418 os_memset(group->GTK, 0, sizeof(group->GTK)); 3419 group->GN = 1; 3420 group->GM = 2; 3421#ifdef CONFIG_IEEE80211W 3422 group->GN_igtk = 4; 3423 group->GM_igtk = 5; 3424#endif /* CONFIG_IEEE80211W */ 3425 /* GTK[GN] = CalcGTK() */ 3426 wpa_gtk_update(wpa_auth, group); 3427} 3428 3429 3430static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx) 3431{ 3432 if (ctx != NULL && ctx != sm->group) 3433 return 0; 3434 3435 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) { 3436 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3437 "Not in PTKINITDONE; skip Group Key update"); 3438 sm->GUpdateStationKeys = FALSE; 3439 return 0; 3440 } 3441 if (sm->GUpdateStationKeys) { 3442 /* 3443 * This should not really happen, so add a debug log entry. 3444 * Since we clear the GKeyDoneStations before the loop, the 3445 * station needs to be counted here anyway. 3446 */ 3447 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 3448 "GUpdateStationKeys was already set when " 3449 "marking station for GTK rekeying"); 3450 } 3451 3452 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */ 3453 if (sm->is_wnmsleep) 3454 return 0; 3455 3456 sm->group->GKeyDoneStations++; 3457 sm->GUpdateStationKeys = TRUE; 3458 3459 wpa_sm_step(sm); 3460 return 0; 3461} 3462 3463 3464#ifdef CONFIG_WNM_AP 3465/* update GTK when exiting WNM-Sleep Mode */ 3466void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm) 3467{ 3468 if (sm == NULL || sm->is_wnmsleep) 3469 return; 3470 3471 wpa_group_update_sta(sm, NULL); 3472} 3473 3474 3475void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag) 3476{ 3477 if (sm) 3478 sm->is_wnmsleep = !!flag; 3479} 3480 3481 3482int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3483{ 3484 struct wpa_group *gsm = sm->group; 3485 u8 *start = pos; 3486 3487 /* 3488 * GTK subelement: 3489 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] | 3490 * Key[5..32] 3491 */ 3492 *pos++ = WNM_SLEEP_SUBELEM_GTK; 3493 *pos++ = 11 + gsm->GTK_len; 3494 /* Key ID in B0-B1 of Key Info */ 3495 WPA_PUT_LE16(pos, gsm->GN & 0x03); 3496 pos += 2; 3497 *pos++ = gsm->GTK_len; 3498 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0) 3499 return 0; 3500 pos += 8; 3501 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3502 pos += gsm->GTK_len; 3503 3504 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit", 3505 gsm->GN); 3506 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit", 3507 gsm->GTK[gsm->GN - 1], gsm->GTK_len); 3508 3509 return pos - start; 3510} 3511 3512 3513#ifdef CONFIG_IEEE80211W 3514int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos) 3515{ 3516 struct wpa_group *gsm = sm->group; 3517 u8 *start = pos; 3518 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher); 3519 3520 /* 3521 * IGTK subelement: 3522 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16] 3523 */ 3524 *pos++ = WNM_SLEEP_SUBELEM_IGTK; 3525 *pos++ = 2 + 6 + len; 3526 WPA_PUT_LE16(pos, gsm->GN_igtk); 3527 pos += 2; 3528 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0) 3529 return 0; 3530 pos += 6; 3531 3532 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len); 3533 pos += len; 3534 3535 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit", 3536 gsm->GN_igtk); 3537 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit", 3538 gsm->IGTK[gsm->GN_igtk - 4], len); 3539 3540 return pos - start; 3541} 3542#endif /* CONFIG_IEEE80211W */ 3543#endif /* CONFIG_WNM_AP */ 3544 3545 3546static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth, 3547 struct wpa_group *group) 3548{ 3549 int tmp; 3550 3551 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3552 "SETKEYS (VLAN-ID %d)", group->vlan_id); 3553 group->changed = TRUE; 3554 group->wpa_group_state = WPA_GROUP_SETKEYS; 3555 group->GTKReKey = FALSE; 3556 tmp = group->GM; 3557 group->GM = group->GN; 3558 group->GN = tmp; 3559#ifdef CONFIG_IEEE80211W 3560 tmp = group->GM_igtk; 3561 group->GM_igtk = group->GN_igtk; 3562 group->GN_igtk = tmp; 3563#endif /* CONFIG_IEEE80211W */ 3564 /* "GKeyDoneStations = GNoStations" is done in more robust way by 3565 * counting the STAs that are marked with GUpdateStationKeys instead of 3566 * including all STAs that could be in not-yet-completed state. */ 3567 wpa_gtk_update(wpa_auth, group); 3568 3569 if (group->GKeyDoneStations) { 3570 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected " 3571 "GKeyDoneStations=%d when starting new GTK rekey", 3572 group->GKeyDoneStations); 3573 group->GKeyDoneStations = 0; 3574 } 3575 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group); 3576 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d", 3577 group->GKeyDoneStations); 3578} 3579 3580 3581static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth, 3582 struct wpa_group *group) 3583{ 3584 int ret = 0; 3585 3586 if (wpa_auth_set_key(wpa_auth, group->vlan_id, 3587 wpa_cipher_to_alg(wpa_auth->conf.wpa_group), 3588 broadcast_ether_addr, group->GN, 3589 group->GTK[group->GN - 1], group->GTK_len) < 0) 3590 ret = -1; 3591 3592#ifdef CONFIG_IEEE80211W 3593 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) { 3594 enum wpa_alg alg; 3595 size_t len; 3596 3597 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher); 3598 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher); 3599 3600 if (ret == 0 && 3601 wpa_auth_set_key(wpa_auth, group->vlan_id, alg, 3602 broadcast_ether_addr, group->GN_igtk, 3603 group->IGTK[group->GN_igtk - 4], len) < 0) 3604 ret = -1; 3605 } 3606#endif /* CONFIG_IEEE80211W */ 3607 3608 return ret; 3609} 3610 3611 3612static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx) 3613{ 3614 if (sm->group == ctx) { 3615 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR 3616 " for discconnection due to fatal failure", 3617 MAC2STR(sm->addr)); 3618 sm->Disconnect = TRUE; 3619 } 3620 3621 return 0; 3622} 3623 3624 3625static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth, 3626 struct wpa_group *group) 3627{ 3628 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE"); 3629 group->changed = TRUE; 3630 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE; 3631 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group); 3632} 3633 3634 3635static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth, 3636 struct wpa_group *group) 3637{ 3638 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state " 3639 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id); 3640 group->changed = TRUE; 3641 group->wpa_group_state = WPA_GROUP_SETKEYSDONE; 3642 3643 if (wpa_group_config_group_keys(wpa_auth, group) < 0) { 3644 wpa_group_fatal_failure(wpa_auth, group); 3645 return -1; 3646 } 3647 3648 return 0; 3649} 3650 3651 3652static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth, 3653 struct wpa_group *group) 3654{ 3655 if (group->GInit) { 3656 wpa_group_gtk_init(wpa_auth, group); 3657 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) { 3658 /* Do not allow group operations */ 3659 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT && 3660 group->GTKAuthenticator) { 3661 wpa_group_setkeysdone(wpa_auth, group); 3662 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE && 3663 group->GTKReKey) { 3664 wpa_group_setkeys(wpa_auth, group); 3665 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) { 3666 if (group->GKeyDoneStations == 0) 3667 wpa_group_setkeysdone(wpa_auth, group); 3668 else if (group->GTKReKey) 3669 wpa_group_setkeys(wpa_auth, group); 3670 } 3671} 3672 3673 3674static int wpa_sm_step(struct wpa_state_machine *sm) 3675{ 3676 if (sm == NULL) 3677 return 0; 3678 3679 if (sm->in_step_loop) { 3680 /* This should not happen, but if it does, make sure we do not 3681 * end up freeing the state machine too early by exiting the 3682 * recursive call. */ 3683 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively"); 3684 return 0; 3685 } 3686 3687 sm->in_step_loop = 1; 3688 do { 3689 if (sm->pending_deinit) 3690 break; 3691 3692 sm->changed = FALSE; 3693 sm->wpa_auth->group->changed = FALSE; 3694 3695 SM_STEP_RUN(WPA_PTK); 3696 if (sm->pending_deinit) 3697 break; 3698 SM_STEP_RUN(WPA_PTK_GROUP); 3699 if (sm->pending_deinit) 3700 break; 3701 wpa_group_sm_step(sm->wpa_auth, sm->group); 3702 } while (sm->changed || sm->wpa_auth->group->changed); 3703 sm->in_step_loop = 0; 3704 3705 if (sm->pending_deinit) { 3706 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state " 3707 "machine deinit for " MACSTR, MAC2STR(sm->addr)); 3708 wpa_free_sta_sm(sm); 3709 return 1; 3710 } 3711 return 0; 3712} 3713 3714 3715static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx) 3716{ 3717 struct wpa_state_machine *sm = eloop_ctx; 3718 wpa_sm_step(sm); 3719} 3720 3721 3722void wpa_auth_sm_notify(struct wpa_state_machine *sm) 3723{ 3724 if (sm == NULL) 3725 return; 3726 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL); 3727} 3728 3729 3730void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth) 3731{ 3732 int tmp, i; 3733 struct wpa_group *group; 3734 3735 if (wpa_auth == NULL) 3736 return; 3737 3738 group = wpa_auth->group; 3739 3740 for (i = 0; i < 2; i++) { 3741 tmp = group->GM; 3742 group->GM = group->GN; 3743 group->GN = tmp; 3744#ifdef CONFIG_IEEE80211W 3745 tmp = group->GM_igtk; 3746 group->GM_igtk = group->GN_igtk; 3747 group->GN_igtk = tmp; 3748#endif /* CONFIG_IEEE80211W */ 3749 wpa_gtk_update(wpa_auth, group); 3750 wpa_group_config_group_keys(wpa_auth, group); 3751 } 3752} 3753 3754 3755static const char * wpa_bool_txt(int val) 3756{ 3757 return val ? "TRUE" : "FALSE"; 3758} 3759 3760 3761#define RSN_SUITE "%02x-%02x-%02x-%d" 3762#define RSN_SUITE_ARG(s) \ 3763((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 3764 3765int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen) 3766{ 3767 int len = 0, ret; 3768 char pmkid_txt[PMKID_LEN * 2 + 1]; 3769#ifdef CONFIG_RSN_PREAUTH 3770 const int preauth = 1; 3771#else /* CONFIG_RSN_PREAUTH */ 3772 const int preauth = 0; 3773#endif /* CONFIG_RSN_PREAUTH */ 3774 3775 if (wpa_auth == NULL) 3776 return len; 3777 3778 ret = os_snprintf(buf + len, buflen - len, 3779 "dot11RSNAOptionImplemented=TRUE\n" 3780 "dot11RSNAPreauthenticationImplemented=%s\n" 3781 "dot11RSNAEnabled=%s\n" 3782 "dot11RSNAPreauthenticationEnabled=%s\n", 3783 wpa_bool_txt(preauth), 3784 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN), 3785 wpa_bool_txt(wpa_auth->conf.rsn_preauth)); 3786 if (os_snprintf_error(buflen - len, ret)) 3787 return len; 3788 len += ret; 3789 3790 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 3791 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN); 3792 3793 ret = os_snprintf( 3794 buf + len, buflen - len, 3795 "dot11RSNAConfigVersion=%u\n" 3796 "dot11RSNAConfigPairwiseKeysSupported=9999\n" 3797 /* FIX: dot11RSNAConfigGroupCipher */ 3798 /* FIX: dot11RSNAConfigGroupRekeyMethod */ 3799 /* FIX: dot11RSNAConfigGroupRekeyTime */ 3800 /* FIX: dot11RSNAConfigGroupRekeyPackets */ 3801 "dot11RSNAConfigGroupRekeyStrict=%u\n" 3802 "dot11RSNAConfigGroupUpdateCount=%u\n" 3803 "dot11RSNAConfigPairwiseUpdateCount=%u\n" 3804 "dot11RSNAConfigGroupCipherSize=%u\n" 3805 "dot11RSNAConfigPMKLifetime=%u\n" 3806 "dot11RSNAConfigPMKReauthThreshold=%u\n" 3807 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n" 3808 "dot11RSNAConfigSATimeout=%u\n" 3809 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 3810 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 3811 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 3812 "dot11RSNAPMKIDUsed=%s\n" 3813 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 3814 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 3815 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 3816 "dot11RSNATKIPCounterMeasuresInvoked=%u\n" 3817 "dot11RSNA4WayHandshakeFailures=%u\n" 3818 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n", 3819 RSN_VERSION, 3820 !!wpa_auth->conf.wpa_strict_rekey, 3821 wpa_auth->conf.wpa_group_update_count, 3822 wpa_auth->conf.wpa_pairwise_update_count, 3823 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8, 3824 dot11RSNAConfigPMKLifetime, 3825 dot11RSNAConfigPMKReauthThreshold, 3826 dot11RSNAConfigSATimeout, 3827 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected), 3828 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected), 3829 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected), 3830 pmkid_txt, 3831 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested), 3832 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested), 3833 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested), 3834 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked, 3835 wpa_auth->dot11RSNA4WayHandshakeFailures); 3836 if (os_snprintf_error(buflen - len, ret)) 3837 return len; 3838 len += ret; 3839 3840 /* TODO: dot11RSNAConfigPairwiseCiphersTable */ 3841 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */ 3842 3843 /* Private MIB */ 3844 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n", 3845 wpa_auth->group->wpa_group_state); 3846 if (os_snprintf_error(buflen - len, ret)) 3847 return len; 3848 len += ret; 3849 3850 return len; 3851} 3852 3853 3854int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen) 3855{ 3856 int len = 0, ret; 3857 u32 pairwise = 0; 3858 3859 if (sm == NULL) 3860 return 0; 3861 3862 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */ 3863 3864 /* dot11RSNAStatsEntry */ 3865 3866 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ? 3867 WPA_PROTO_RSN : WPA_PROTO_WPA, 3868 sm->pairwise); 3869 if (pairwise == 0) 3870 return 0; 3871 3872 ret = os_snprintf( 3873 buf + len, buflen - len, 3874 /* TODO: dot11RSNAStatsIndex */ 3875 "dot11RSNAStatsSTAAddress=" MACSTR "\n" 3876 "dot11RSNAStatsVersion=1\n" 3877 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n" 3878 /* TODO: dot11RSNAStatsTKIPICVErrors */ 3879 "dot11RSNAStatsTKIPLocalMICFailures=%u\n" 3880 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n" 3881 /* TODO: dot11RSNAStatsCCMPReplays */ 3882 /* TODO: dot11RSNAStatsCCMPDecryptErrors */ 3883 /* TODO: dot11RSNAStatsTKIPReplays */, 3884 MAC2STR(sm->addr), 3885 RSN_SUITE_ARG(pairwise), 3886 sm->dot11RSNAStatsTKIPLocalMICFailures, 3887 sm->dot11RSNAStatsTKIPRemoteMICFailures); 3888 if (os_snprintf_error(buflen - len, ret)) 3889 return len; 3890 len += ret; 3891 3892 /* Private MIB */ 3893 ret = os_snprintf(buf + len, buflen - len, 3894 "hostapdWPAPTKState=%d\n" 3895 "hostapdWPAPTKGroupState=%d\n", 3896 sm->wpa_ptk_state, 3897 sm->wpa_ptk_group_state); 3898 if (os_snprintf_error(buflen - len, ret)) 3899 return len; 3900 len += ret; 3901 3902 return len; 3903} 3904 3905 3906void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth) 3907{ 3908 if (wpa_auth) 3909 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++; 3910} 3911 3912 3913int wpa_auth_pairwise_set(struct wpa_state_machine *sm) 3914{ 3915 return sm && sm->pairwise_set; 3916} 3917 3918 3919int wpa_auth_get_pairwise(struct wpa_state_machine *sm) 3920{ 3921 return sm->pairwise; 3922} 3923 3924 3925int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm) 3926{ 3927 if (sm == NULL) 3928 return -1; 3929 return sm->wpa_key_mgmt; 3930} 3931 3932 3933int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm) 3934{ 3935 if (sm == NULL) 3936 return 0; 3937 return sm->wpa; 3938} 3939 3940 3941int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm) 3942{ 3943 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt)) 3944 return 0; 3945 return sm->tk_already_set; 3946} 3947 3948 3949int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm) 3950{ 3951 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt)) 3952 return 0; 3953 return sm->tk_already_set; 3954} 3955 3956 3957int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm, 3958 struct rsn_pmksa_cache_entry *entry) 3959{ 3960 if (sm == NULL || sm->pmksa != entry) 3961 return -1; 3962 sm->pmksa = NULL; 3963 return 0; 3964} 3965 3966 3967struct rsn_pmksa_cache_entry * 3968wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm) 3969{ 3970 return sm ? sm->pmksa : NULL; 3971} 3972 3973 3974void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm) 3975{ 3976 if (sm) 3977 sm->dot11RSNAStatsTKIPLocalMICFailures++; 3978} 3979 3980 3981const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len) 3982{ 3983 if (wpa_auth == NULL) 3984 return NULL; 3985 *len = wpa_auth->wpa_ie_len; 3986 return wpa_auth->wpa_ie; 3987} 3988 3989 3990int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk, 3991 unsigned int pmk_len, 3992 int session_timeout, struct eapol_state_machine *eapol) 3993{ 3994 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 || 3995 sm->wpa_auth->conf.disable_pmksa_caching) 3996 return -1; 3997 3998 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) { 3999 if (pmk_len > PMK_LEN_SUITE_B_192) 4000 pmk_len = PMK_LEN_SUITE_B_192; 4001 } else if (pmk_len > PMK_LEN) { 4002 pmk_len = PMK_LEN; 4003 } 4004 4005 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL, 4006 sm->PTK.kck, sm->PTK.kck_len, 4007 sm->wpa_auth->addr, sm->addr, session_timeout, 4008 eapol, sm->wpa_key_mgmt)) 4009 return 0; 4010 4011 return -1; 4012} 4013 4014 4015int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, 4016 const u8 *pmk, size_t len, const u8 *sta_addr, 4017 int session_timeout, 4018 struct eapol_state_machine *eapol) 4019{ 4020 if (wpa_auth == NULL) 4021 return -1; 4022 4023 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL, 4024 NULL, 0, 4025 wpa_auth->addr, 4026 sta_addr, session_timeout, eapol, 4027 WPA_KEY_MGMT_IEEE8021X)) 4028 return 0; 4029 4030 return -1; 4031} 4032 4033 4034int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, 4035 const u8 *pmk, const u8 *pmkid) 4036{ 4037 if (wpa_auth->conf.disable_pmksa_caching) 4038 return -1; 4039 4040 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, 4041 NULL, 0, 4042 wpa_auth->addr, addr, 0, NULL, 4043 WPA_KEY_MGMT_SAE)) 4044 return 0; 4045 4046 return -1; 4047} 4048 4049 4050int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, 4051 const u8 *pmk, size_t pmk_len, const u8 *pmkid, 4052 int session_timeout, int akmp) 4053{ 4054 if (wpa_auth->conf.disable_pmksa_caching) 4055 return -1; 4056 4057 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid, 4058 NULL, 0, wpa_auth->addr, addr, session_timeout, 4059 NULL, akmp)) 4060 return 0; 4061 4062 return -1; 4063} 4064 4065 4066void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth, 4067 const u8 *sta_addr) 4068{ 4069 struct rsn_pmksa_cache_entry *pmksa; 4070 4071 if (wpa_auth == NULL || wpa_auth->pmksa == NULL) 4072 return; 4073 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL); 4074 if (pmksa) { 4075 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for " 4076 MACSTR " based on request", MAC2STR(sta_addr)); 4077 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa); 4078 } 4079} 4080 4081 4082int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf, 4083 size_t len) 4084{ 4085 if (!wpa_auth || !wpa_auth->pmksa) 4086 return 0; 4087 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len); 4088} 4089 4090 4091void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth) 4092{ 4093 if (wpa_auth && wpa_auth->pmksa) 4094 pmksa_cache_auth_flush(wpa_auth->pmksa); 4095} 4096 4097 4098#ifdef CONFIG_PMKSA_CACHE_EXTERNAL 4099#ifdef CONFIG_MESH 4100 4101int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr, 4102 char *buf, size_t len) 4103{ 4104 if (!wpa_auth || !wpa_auth->pmksa) 4105 return 0; 4106 4107 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len); 4108} 4109 4110 4111struct rsn_pmksa_cache_entry * 4112wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk, 4113 const u8 *pmkid, int expiration) 4114{ 4115 struct rsn_pmksa_cache_entry *entry; 4116 struct os_reltime now; 4117 4118 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa, 4119 spa, 0, NULL, WPA_KEY_MGMT_SAE); 4120 if (!entry) 4121 return NULL; 4122 4123 os_get_reltime(&now); 4124 entry->expiration = now.sec + expiration; 4125 return entry; 4126} 4127 4128 4129int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth, 4130 struct rsn_pmksa_cache_entry *entry) 4131{ 4132 int ret; 4133 4134 if (!wpa_auth || !wpa_auth->pmksa) 4135 return -1; 4136 4137 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry); 4138 if (ret < 0) 4139 wpa_printf(MSG_DEBUG, 4140 "RSN: Failed to store external PMKSA cache for " 4141 MACSTR, MAC2STR(entry->spa)); 4142 4143 return ret; 4144} 4145 4146#endif /* CONFIG_MESH */ 4147#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 4148 4149 4150struct rsn_pmksa_cache_entry * 4151wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, 4152 const u8 *pmkid) 4153{ 4154 if (!wpa_auth || !wpa_auth->pmksa) 4155 return NULL; 4156 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid); 4157} 4158 4159 4160void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa, 4161 struct wpa_state_machine *sm, 4162 struct wpa_authenticator *wpa_auth, 4163 u8 *pmkid, u8 *pmk) 4164{ 4165 if (!sm) 4166 return; 4167 4168 sm->pmksa = pmksa; 4169 os_memcpy(pmk, pmksa->pmk, PMK_LEN); 4170 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN); 4171 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN); 4172} 4173 4174 4175/* 4176 * Remove and free the group from wpa_authenticator. This is triggered by a 4177 * callback to make sure nobody is currently iterating the group list while it 4178 * gets modified. 4179 */ 4180static void wpa_group_free(struct wpa_authenticator *wpa_auth, 4181 struct wpa_group *group) 4182{ 4183 struct wpa_group *prev = wpa_auth->group; 4184 4185 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d", 4186 group->vlan_id); 4187 4188 while (prev) { 4189 if (prev->next == group) { 4190 /* This never frees the special first group as needed */ 4191 prev->next = group->next; 4192 os_free(group); 4193 break; 4194 } 4195 prev = prev->next; 4196 } 4197 4198} 4199 4200 4201/* Increase the reference counter for group */ 4202static void wpa_group_get(struct wpa_authenticator *wpa_auth, 4203 struct wpa_group *group) 4204{ 4205 /* Skip the special first group */ 4206 if (wpa_auth->group == group) 4207 return; 4208 4209 group->references++; 4210} 4211 4212 4213/* Decrease the reference counter and maybe free the group */ 4214static void wpa_group_put(struct wpa_authenticator *wpa_auth, 4215 struct wpa_group *group) 4216{ 4217 /* Skip the special first group */ 4218 if (wpa_auth->group == group) 4219 return; 4220 4221 group->references--; 4222 if (group->references) 4223 return; 4224 wpa_group_free(wpa_auth, group); 4225} 4226 4227 4228/* 4229 * Add a group that has its references counter set to zero. Caller needs to 4230 * call wpa_group_get() on the return value to mark the entry in use. 4231 */ 4232static struct wpa_group * 4233wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4234{ 4235 struct wpa_group *group; 4236 4237 if (wpa_auth == NULL || wpa_auth->group == NULL) 4238 return NULL; 4239 4240 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d", 4241 vlan_id); 4242 group = wpa_group_init(wpa_auth, vlan_id, 0); 4243 if (group == NULL) 4244 return NULL; 4245 4246 group->next = wpa_auth->group->next; 4247 wpa_auth->group->next = group; 4248 4249 return group; 4250} 4251 4252 4253/* 4254 * Enforce that the group state machine for the VLAN is running, increase 4255 * reference counter as interface is up. References might have been increased 4256 * even if a negative value is returned. 4257 * Returns: -1 on error (group missing, group already failed); otherwise, 0 4258 */ 4259int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4260{ 4261 struct wpa_group *group; 4262 4263 if (wpa_auth == NULL) 4264 return 0; 4265 4266 group = wpa_auth->group; 4267 while (group) { 4268 if (group->vlan_id == vlan_id) 4269 break; 4270 group = group->next; 4271 } 4272 4273 if (group == NULL) { 4274 group = wpa_auth_add_group(wpa_auth, vlan_id); 4275 if (group == NULL) 4276 return -1; 4277 } 4278 4279 wpa_printf(MSG_DEBUG, 4280 "WPA: Ensure group state machine running for VLAN ID %d", 4281 vlan_id); 4282 4283 wpa_group_get(wpa_auth, group); 4284 group->num_setup_iface++; 4285 4286 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4287 return -1; 4288 4289 return 0; 4290} 4291 4292 4293/* 4294 * Decrease reference counter, expected to be zero afterwards. 4295 * returns: -1 on error (group not found, group in fail state) 4296 * -2 if wpa_group is still referenced 4297 * 0 else 4298 */ 4299int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id) 4300{ 4301 struct wpa_group *group; 4302 int ret = 0; 4303 4304 if (wpa_auth == NULL) 4305 return 0; 4306 4307 group = wpa_auth->group; 4308 while (group) { 4309 if (group->vlan_id == vlan_id) 4310 break; 4311 group = group->next; 4312 } 4313 4314 if (group == NULL) 4315 return -1; 4316 4317 wpa_printf(MSG_DEBUG, 4318 "WPA: Try stopping group state machine for VLAN ID %d", 4319 vlan_id); 4320 4321 if (group->num_setup_iface <= 0) { 4322 wpa_printf(MSG_ERROR, 4323 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.", 4324 vlan_id); 4325 return -1; 4326 } 4327 group->num_setup_iface--; 4328 4329 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4330 ret = -1; 4331 4332 if (group->references > 1) { 4333 wpa_printf(MSG_DEBUG, 4334 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold", 4335 vlan_id); 4336 ret = -2; 4337 } 4338 4339 wpa_group_put(wpa_auth, group); 4340 4341 return ret; 4342} 4343 4344 4345int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id) 4346{ 4347 struct wpa_group *group; 4348 4349 if (sm == NULL || sm->wpa_auth == NULL) 4350 return 0; 4351 4352 group = sm->wpa_auth->group; 4353 while (group) { 4354 if (group->vlan_id == vlan_id) 4355 break; 4356 group = group->next; 4357 } 4358 4359 if (group == NULL) { 4360 group = wpa_auth_add_group(sm->wpa_auth, vlan_id); 4361 if (group == NULL) 4362 return -1; 4363 } 4364 4365 if (sm->group == group) 4366 return 0; 4367 4368 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) 4369 return -1; 4370 4371 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state " 4372 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id); 4373 4374 wpa_group_get(sm->wpa_auth, group); 4375 wpa_group_put(sm->wpa_auth, sm->group); 4376 sm->group = group; 4377 4378 return 0; 4379} 4380 4381 4382void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth, 4383 struct wpa_state_machine *sm, int ack) 4384{ 4385 if (wpa_auth == NULL || sm == NULL) 4386 return; 4387 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR 4388 " ack=%d", MAC2STR(sm->addr), ack); 4389 if (sm->pending_1_of_4_timeout && ack) { 4390 /* 4391 * Some deployed supplicant implementations update their SNonce 4392 * for each EAPOL-Key 2/4 message even within the same 4-way 4393 * handshake and then fail to use the first SNonce when 4394 * deriving the PTK. This results in unsuccessful 4-way 4395 * handshake whenever the relatively short initial timeout is 4396 * reached and EAPOL-Key 1/4 is retransmitted. Try to work 4397 * around this by increasing the timeout now that we know that 4398 * the station has received the frame. 4399 */ 4400 int timeout_ms = eapol_key_timeout_subseq; 4401 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 " 4402 "timeout by %u ms because of acknowledged frame", 4403 timeout_ms); 4404 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm); 4405 eloop_register_timeout(timeout_ms / 1000, 4406 (timeout_ms % 1000) * 1000, 4407 wpa_send_eapol_timeout, wpa_auth, sm); 4408 } 4409 4410#ifdef CONFIG_TESTING_OPTIONS 4411 if (sm->eapol_status_cb) { 4412 sm->eapol_status_cb(sm->eapol_status_cb_ctx1, 4413 sm->eapol_status_cb_ctx2); 4414 sm->eapol_status_cb = NULL; 4415 } 4416#endif /* CONFIG_TESTING_OPTIONS */ 4417} 4418 4419 4420int wpa_auth_uses_sae(struct wpa_state_machine *sm) 4421{ 4422 if (sm == NULL) 4423 return 0; 4424 return wpa_key_mgmt_sae(sm->wpa_key_mgmt); 4425} 4426 4427 4428int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm) 4429{ 4430 if (sm == NULL) 4431 return 0; 4432 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE; 4433} 4434 4435 4436#ifdef CONFIG_P2P 4437int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr) 4438{ 4439 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0) 4440 return -1; 4441 os_memcpy(addr, sm->ip_addr, 4); 4442 return 0; 4443} 4444#endif /* CONFIG_P2P */ 4445 4446 4447int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth, 4448 struct radius_das_attrs *attr) 4449{ 4450 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr); 4451} 4452 4453 4454void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth) 4455{ 4456 struct wpa_group *group; 4457 4458 if (!wpa_auth) 4459 return; 4460 for (group = wpa_auth->group; group; group = group->next) 4461 wpa_group_config_group_keys(wpa_auth, group); 4462} 4463 4464 4465#ifdef CONFIG_FILS 4466 4467struct wpa_auth_fils_iter_data { 4468 struct wpa_authenticator *auth; 4469 const u8 *cache_id; 4470 struct rsn_pmksa_cache_entry *pmksa; 4471 const u8 *spa; 4472 const u8 *pmkid; 4473}; 4474 4475 4476static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx) 4477{ 4478 struct wpa_auth_fils_iter_data *data = ctx; 4479 4480 if (a == data->auth || !a->conf.fils_cache_id_set || 4481 os_memcmp(a->conf.fils_cache_id, data->cache_id, 4482 FILS_CACHE_ID_LEN) != 0) 4483 return 0; 4484 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid); 4485 return data->pmksa != NULL; 4486} 4487 4488 4489struct rsn_pmksa_cache_entry * 4490wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth, 4491 const u8 *sta_addr, const u8 *pmkid) 4492{ 4493 struct wpa_auth_fils_iter_data idata; 4494 4495 if (!wpa_auth->conf.fils_cache_id_set) 4496 return NULL; 4497 idata.auth = wpa_auth; 4498 idata.cache_id = wpa_auth->conf.fils_cache_id; 4499 idata.pmksa = NULL; 4500 idata.spa = sta_addr; 4501 idata.pmkid = pmkid; 4502 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata); 4503 return idata.pmksa; 4504} 4505 4506 4507#ifdef CONFIG_IEEE80211R_AP 4508int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len) 4509{ 4510 struct wpa_auth_config *conf = &wpa_auth->conf; 4511 4512 return wpa_write_ftie(conf, conf->r0_key_holder, 4513 conf->r0_key_holder_len, 4514 NULL, NULL, buf, len, NULL, 0); 4515} 4516#endif /* CONFIG_IEEE80211R_AP */ 4517 4518 4519void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm, 4520 u8 *fils_anonce, u8 *fils_snonce, 4521 u8 *fils_kek, size_t *fils_kek_len) 4522{ 4523 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN); 4524 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN); 4525 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN); 4526 *fils_kek_len = sm->PTK.kek_len; 4527} 4528 4529#endif /* CONFIG_FILS */ 4530 4531 4532#if CONFIG_TESTING_OPTIONS 4533 4534int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce, 4535 void (*cb)(void *ctx1, void *ctx2), 4536 void *ctx1, void *ctx2) 4537{ 4538 const u8 *anonce = sm->ANonce; 4539 u8 anonce_buf[WPA_NONCE_LEN]; 4540 4541 if (change_anonce) { 4542 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN)) 4543 return -1; 4544 anonce = anonce_buf; 4545 } 4546 4547 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4548 "sending 1/4 msg of 4-Way Handshake (TESTING)"); 4549 wpa_send_eapol(sm->wpa_auth, sm, 4550 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL, 4551 anonce, NULL, 0, 0, 0); 4552 return 0; 4553} 4554 4555 4556int wpa_auth_resend_m3(struct wpa_state_machine *sm, 4557 void (*cb)(void *ctx1, void *ctx2), 4558 void *ctx1, void *ctx2) 4559{ 4560 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, *opos; 4561 size_t gtk_len, kde_len; 4562 struct wpa_group *gsm = sm->group; 4563 u8 *wpa_ie; 4564 int wpa_ie_len, secure, keyidx, encr = 0; 4565 4566 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE], 4567 GTK[GN], IGTK, [FTIE], [TIE * 2]) 4568 */ 4569 4570 /* Use 0 RSC */ 4571 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 4572 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */ 4573 wpa_ie = sm->wpa_auth->wpa_ie; 4574 wpa_ie_len = sm->wpa_auth->wpa_ie_len; 4575 if (sm->wpa == WPA_VERSION_WPA && 4576 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) && 4577 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) { 4578 /* WPA-only STA, remove RSN IE and possible MDIE */ 4579 wpa_ie = wpa_ie + wpa_ie[1] + 2; 4580 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN) 4581 wpa_ie = wpa_ie + wpa_ie[1] + 2; 4582 wpa_ie_len = wpa_ie[1] + 2; 4583 } 4584 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4585 "sending 3/4 msg of 4-Way Handshake (TESTING)"); 4586 if (sm->wpa == WPA_VERSION_WPA2) { 4587 /* WPA2 send GTK in the 4-way handshake */ 4588 secure = 1; 4589 gtk = gsm->GTK[gsm->GN - 1]; 4590 gtk_len = gsm->GTK_len; 4591 keyidx = gsm->GN; 4592 _rsc = rsc; 4593 encr = 1; 4594 } else { 4595 /* WPA does not include GTK in msg 3/4 */ 4596 secure = 0; 4597 gtk = NULL; 4598 gtk_len = 0; 4599 keyidx = 0; 4600 _rsc = NULL; 4601 if (sm->rx_eapol_key_secure) { 4602 /* 4603 * It looks like Windows 7 supplicant tries to use 4604 * Secure bit in msg 2/4 after having reported Michael 4605 * MIC failure and it then rejects the 4-way handshake 4606 * if msg 3/4 does not set Secure bit. Work around this 4607 * by setting the Secure bit here even in the case of 4608 * WPA if the supplicant used it first. 4609 */ 4610 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4611 "STA used Secure bit in WPA msg 2/4 - " 4612 "set Secure for 3/4 as workaround"); 4613 secure = 1; 4614 } 4615 } 4616 4617 kde_len = wpa_ie_len + ieee80211w_kde_len(sm); 4618 if (gtk) 4619 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len; 4620#ifdef CONFIG_IEEE80211R_AP 4621 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 4622 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */ 4623 kde_len += 300; /* FTIE + 2 * TIE */ 4624 } 4625#endif /* CONFIG_IEEE80211R_AP */ 4626 kde = os_malloc(kde_len); 4627 if (kde == NULL) 4628 return -1; 4629 4630 pos = kde; 4631 os_memcpy(pos, wpa_ie, wpa_ie_len); 4632 pos += wpa_ie_len; 4633#ifdef CONFIG_IEEE80211R_AP 4634 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 4635 int res; 4636 size_t elen; 4637 4638 elen = pos - kde; 4639 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name); 4640 if (res < 0) { 4641 wpa_printf(MSG_ERROR, "FT: Failed to insert " 4642 "PMKR1Name into RSN IE in EAPOL-Key data"); 4643 os_free(kde); 4644 return -1; 4645 } 4646 pos -= wpa_ie_len; 4647 pos += elen; 4648 } 4649#endif /* CONFIG_IEEE80211R_AP */ 4650 if (gtk) { 4651 u8 hdr[2]; 4652 hdr[0] = keyidx & 0x03; 4653 hdr[1] = 0; 4654 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 4655 gtk, gtk_len); 4656 } 4657 opos = pos; 4658 pos = ieee80211w_kde_add(sm, pos); 4659 if (pos - opos >= WPA_IGTK_KDE_PREFIX_LEN) { 4660 opos += 2; /* skip keyid */ 4661 os_memset(opos, 0, 6); /* clear PN */ 4662 } 4663 4664#ifdef CONFIG_IEEE80211R_AP 4665 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) { 4666 int res; 4667 struct wpa_auth_config *conf; 4668 4669 conf = &sm->wpa_auth->conf; 4670 if (sm->assoc_resp_ftie && 4671 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) { 4672 os_memcpy(pos, sm->assoc_resp_ftie, 4673 2 + sm->assoc_resp_ftie[1]); 4674 res = 2 + sm->assoc_resp_ftie[1]; 4675 } else { 4676 res = wpa_write_ftie(conf, conf->r0_key_holder, 4677 conf->r0_key_holder_len, 4678 NULL, NULL, pos, 4679 kde + kde_len - pos, 4680 NULL, 0); 4681 } 4682 if (res < 0) { 4683 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE " 4684 "into EAPOL-Key Key Data"); 4685 os_free(kde); 4686 return -1; 4687 } 4688 pos += res; 4689 4690 /* TIE[ReassociationDeadline] (TU) */ 4691 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 4692 *pos++ = 5; 4693 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE; 4694 WPA_PUT_LE32(pos, conf->reassociation_deadline); 4695 pos += 4; 4696 4697 /* TIE[KeyLifetime] (seconds) */ 4698 *pos++ = WLAN_EID_TIMEOUT_INTERVAL; 4699 *pos++ = 5; 4700 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME; 4701 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60); 4702 pos += 4; 4703 } 4704#endif /* CONFIG_IEEE80211R_AP */ 4705 4706 wpa_send_eapol(sm->wpa_auth, sm, 4707 (secure ? WPA_KEY_INFO_SECURE : 0) | 4708 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 4709 WPA_KEY_INFO_MIC : 0) | 4710 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL | 4711 WPA_KEY_INFO_KEY_TYPE, 4712 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr); 4713 os_free(kde); 4714 return 0; 4715} 4716 4717 4718int wpa_auth_resend_group_m1(struct wpa_state_machine *sm, 4719 void (*cb)(void *ctx1, void *ctx2), 4720 void *ctx1, void *ctx2) 4721{ 4722 u8 rsc[WPA_KEY_RSC_LEN]; 4723 struct wpa_group *gsm = sm->group; 4724 const u8 *kde; 4725 u8 *kde_buf = NULL, *pos, *opos, hdr[2]; 4726 size_t kde_len; 4727 u8 *gtk; 4728 4729 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */ 4730 os_memset(rsc, 0, WPA_KEY_RSC_LEN); 4731 /* Use 0 RSC */ 4732 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG, 4733 "sending 1/2 msg of Group Key Handshake (TESTING)"); 4734 4735 gtk = gsm->GTK[gsm->GN - 1]; 4736 if (sm->wpa == WPA_VERSION_WPA2) { 4737 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len + 4738 ieee80211w_kde_len(sm); 4739 kde_buf = os_malloc(kde_len); 4740 if (kde_buf == NULL) 4741 return -1; 4742 4743 kde = pos = kde_buf; 4744 hdr[0] = gsm->GN & 0x03; 4745 hdr[1] = 0; 4746 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2, 4747 gtk, gsm->GTK_len); 4748 opos = pos; 4749 pos = ieee80211w_kde_add(sm, pos); 4750 if (pos - opos >= WPA_IGTK_KDE_PREFIX_LEN) { 4751 opos += 2; /* skip keyid */ 4752 os_memset(opos, 0, 6); /* clear PN */ 4753 } 4754 kde_len = pos - kde; 4755 } else { 4756 kde = gtk; 4757 kde_len = gsm->GTK_len; 4758 } 4759 4760 sm->eapol_status_cb = cb; 4761 sm->eapol_status_cb_ctx1 = ctx1; 4762 sm->eapol_status_cb_ctx2 = ctx2; 4763 4764 wpa_send_eapol(sm->wpa_auth, sm, 4765 WPA_KEY_INFO_SECURE | 4766 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ? 4767 WPA_KEY_INFO_MIC : 0) | 4768 WPA_KEY_INFO_ACK | 4769 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0), 4770 rsc, NULL, kde, kde_len, gsm->GN, 1); 4771 4772 os_free(kde_buf); 4773 return 0; 4774} 4775 4776#endif /* CONFIG_TESTING_OPTIONS */ 4777