1/* 2 * WPA Supplicant - WPA state machine and EAPOL-Key processing 3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi> 4 * Copyright(c) 2015 Intel Deutschland GmbH 5 * 6 * This software may be distributed under the terms of the BSD license. 7 * See README for more details. 8 */ 9 10#include "includes.h" 11 12#include "common.h" 13#include "crypto/aes.h" 14#include "crypto/aes_wrap.h" 15#include "crypto/crypto.h" 16#include "crypto/random.h" 17#include "crypto/aes_siv.h" 18#include "crypto/sha256.h" 19#include "crypto/sha384.h" 20#include "crypto/sha512.h" 21#include "common/ieee802_11_defs.h" 22#include "common/ieee802_11_common.h" 23#include "common/ocv.h" 24#include "common/dpp.h" 25#include "common/wpa_ctrl.h" 26#include "eap_common/eap_defs.h" 27#include "eapol_supp/eapol_supp_sm.h" 28#include "drivers/driver.h" 29#include "wpa.h" 30#include "eloop.h" 31#include "preauth.h" 32#include "pmksa_cache.h" 33#include "wpa_i.h" 34#include "wpa_ie.h" 35 36 37static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 38 39 40/** 41 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message 42 * @sm: Pointer to WPA state machine data from wpa_sm_init() 43 * @ptk: PTK for Key Confirmation/Encryption Key 44 * @ver: Version field from Key Info 45 * @dest: Destination address for the frame 46 * @proto: Ethertype (usually ETH_P_EAPOL) 47 * @msg: EAPOL-Key message 48 * @msg_len: Length of message 49 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written 50 * Returns: >= 0 on success, < 0 on failure 51 */ 52int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk, 53 int ver, const u8 *dest, u16 proto, 54 u8 *msg, size_t msg_len, u8 *key_mic) 55{ 56 int ret = -1; 57 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 58 59 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR 60 " ver=%d mic_len=%d key_mgmt=0x%x", 61 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt); 62 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) { 63 /* 64 * Association event was not yet received; try to fetch 65 * BSSID from the driver. 66 */ 67 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) { 68 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 69 "WPA: Failed to read BSSID for " 70 "EAPOL-Key destination address"); 71 } else { 72 dest = sm->bssid; 73 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 74 "WPA: Use BSSID (" MACSTR 75 ") as the destination for EAPOL-Key", 76 MAC2STR(dest)); 77 } 78 } 79 80 if (mic_len) { 81 if (key_mic && (!ptk || !ptk->kck_len)) 82 goto out; 83 84 if (key_mic && 85 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver, 86 msg, msg_len, key_mic)) { 87 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 88 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC", 89 ver, sm->key_mgmt); 90 goto out; 91 } 92 if (ptk) 93 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", 94 ptk->kck, ptk->kck_len); 95 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC", 96 key_mic, mic_len); 97 } else { 98#ifdef CONFIG_FILS 99 /* AEAD cipher - Key MIC field not used */ 100 struct ieee802_1x_hdr *s_hdr, *hdr; 101 struct wpa_eapol_key *s_key, *key; 102 u8 *buf, *s_key_data, *key_data; 103 size_t buf_len = msg_len + AES_BLOCK_SIZE; 104 size_t key_data_len; 105 u16 eapol_len; 106 const u8 *aad[1]; 107 size_t aad_len[1]; 108 109 if (!ptk || !ptk->kek_len) 110 goto out; 111 112 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) - 113 sizeof(struct wpa_eapol_key) - 2; 114 115 buf = os_malloc(buf_len); 116 if (!buf) 117 goto out; 118 119 os_memcpy(buf, msg, msg_len); 120 hdr = (struct ieee802_1x_hdr *) buf; 121 key = (struct wpa_eapol_key *) (hdr + 1); 122 key_data = ((u8 *) (key + 1)) + 2; 123 124 /* Update EAPOL header to include AES-SIV overhead */ 125 eapol_len = be_to_host16(hdr->length); 126 eapol_len += AES_BLOCK_SIZE; 127 hdr->length = host_to_be16(eapol_len); 128 129 /* Update Key Data Length field to include AES-SIV overhead */ 130 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len); 131 132 s_hdr = (struct ieee802_1x_hdr *) msg; 133 s_key = (struct wpa_eapol_key *) (s_hdr + 1); 134 s_key_data = ((u8 *) (s_key + 1)) + 2; 135 136 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data", 137 s_key_data, key_data_len); 138 139 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 140 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 141 * to Key Data (exclusive). */ 142 aad[0] = buf; 143 aad_len[0] = key_data - buf; 144 if (aes_siv_encrypt(ptk->kek, ptk->kek_len, 145 s_key_data, key_data_len, 146 1, aad, aad_len, key_data) < 0) { 147 os_free(buf); 148 goto out; 149 } 150 151 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 152 key_data, AES_BLOCK_SIZE + key_data_len); 153 154 os_free(msg); 155 msg = buf; 156 msg_len = buf_len; 157#else /* CONFIG_FILS */ 158 goto out; 159#endif /* CONFIG_FILS */ 160 } 161 162 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len); 163 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len); 164 eapol_sm_notify_tx_eapol_key(sm->eapol); 165out: 166 os_free(msg); 167 return ret; 168} 169 170 171/** 172 * wpa_sm_key_request - Send EAPOL-Key Request 173 * @sm: Pointer to WPA state machine data from wpa_sm_init() 174 * @error: Indicate whether this is an Michael MIC error report 175 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet 176 * 177 * Send an EAPOL-Key Request to the current authenticator. This function is 178 * used to request rekeying and it is usually called when a local Michael MIC 179 * failure is detected. 180 */ 181void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise) 182{ 183 size_t mic_len, hdrlen, rlen; 184 struct wpa_eapol_key *reply; 185 int key_info, ver; 186 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic; 187 188 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id && 189 wpa_sm_get_state(sm) == WPA_COMPLETED) { 190 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 191 "WPA: PTK0 rekey not allowed, reconnecting"); 192 wpa_sm_reconnect(sm); 193 return; 194 } 195 196 if (wpa_use_akm_defined(sm->key_mgmt)) 197 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED; 198 else if (wpa_key_mgmt_ft(sm->key_mgmt) || 199 wpa_key_mgmt_sha256(sm->key_mgmt)) 200 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC; 201 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP) 202 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 203 else 204 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 205 206 if (wpa_sm_get_bssid(sm, bssid) < 0) { 207 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 208 "Failed to read BSSID for EAPOL-Key request"); 209 return; 210 } 211 212 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 213 hdrlen = sizeof(*reply) + mic_len + 2; 214 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 215 hdrlen, &rlen, (void *) &reply); 216 if (rbuf == NULL) 217 return; 218 219 reply->type = (sm->proto == WPA_PROTO_RSN || 220 sm->proto == WPA_PROTO_OSEN) ? 221 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 222 key_info = WPA_KEY_INFO_REQUEST | ver; 223 if (sm->ptk_set) 224 key_info |= WPA_KEY_INFO_SECURE; 225 if (sm->ptk_set && mic_len) 226 key_info |= WPA_KEY_INFO_MIC; 227 if (error) 228 key_info |= WPA_KEY_INFO_ERROR; 229 if (pairwise) 230 key_info |= WPA_KEY_INFO_KEY_TYPE; 231 WPA_PUT_BE16(reply->key_info, key_info); 232 WPA_PUT_BE16(reply->key_length, 0); 233 os_memcpy(reply->replay_counter, sm->request_counter, 234 WPA_REPLAY_COUNTER_LEN); 235 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN); 236 237 mic = (u8 *) (reply + 1); 238 WPA_PUT_BE16(mic + mic_len, 0); 239 if (!(key_info & WPA_KEY_INFO_MIC)) 240 key_mic = NULL; 241 else 242 key_mic = mic; 243 244 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 245 "WPA: Sending EAPOL-Key Request (error=%d " 246 "pairwise=%d ptk_set=%d len=%lu)", 247 error, pairwise, sm->ptk_set, (unsigned long) rlen); 248 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen, 249 key_mic); 250} 251 252 253static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm) 254{ 255#ifdef CONFIG_IEEE80211R 256 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) { 257 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len)) 258 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 259 "RSN: Cannot set low order 256 bits of MSK for key management offload"); 260 } else { 261#endif /* CONFIG_IEEE80211R */ 262 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len)) 263 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 264 "RSN: Cannot set PMK for key management offload"); 265#ifdef CONFIG_IEEE80211R 266 } 267#endif /* CONFIG_IEEE80211R */ 268} 269 270 271static int wpa_supplicant_get_pmk(struct wpa_sm *sm, 272 const unsigned char *src_addr, 273 const u8 *pmkid) 274{ 275 int abort_cached = 0; 276 277 if (pmkid && !sm->cur_pmksa) { 278 /* When using drivers that generate RSN IE, wpa_supplicant may 279 * not have enough time to get the association information 280 * event before receiving this 1/4 message, so try to find a 281 * matching PMKSA cache entry here. */ 282 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid, 283 NULL, 0); 284 if (sm->cur_pmksa) { 285 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 286 "RSN: found matching PMKID from PMKSA cache"); 287 } else { 288 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 289 "RSN: no matching PMKID found"); 290 abort_cached = 1; 291 } 292 } 293 294 if (pmkid && sm->cur_pmksa && 295 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) { 296 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN); 297 wpa_sm_set_pmk_from_pmksa(sm); 298 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache", 299 sm->pmk, sm->pmk_len); 300 eapol_sm_notify_cached(sm->eapol); 301#ifdef CONFIG_IEEE80211R 302 sm->xxkey_len = 0; 303#ifdef CONFIG_SAE 304 if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE && 305 sm->pmk_len == PMK_LEN) { 306 /* Need to allow FT key derivation to proceed with 307 * PMK from SAE being used as the XXKey in cases where 308 * the PMKID in msg 1/4 matches the PMKSA entry that was 309 * just added based on SAE authentication for the 310 * initial mobility domain association. */ 311 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len); 312 sm->xxkey_len = sm->pmk_len; 313 } 314#endif /* CONFIG_SAE */ 315#endif /* CONFIG_IEEE80211R */ 316 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) { 317 int res, pmk_len; 318#ifdef CONFIG_IEEE80211R 319 u8 buf[2 * PMK_LEN]; 320#endif /* CONFIG_IEEE80211R */ 321 322 if (wpa_key_mgmt_sha384(sm->key_mgmt)) 323 pmk_len = PMK_LEN_SUITE_B_192; 324 else 325 pmk_len = PMK_LEN; 326 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len); 327 if (res) { 328 if (pmk_len == PMK_LEN) { 329 /* 330 * EAP-LEAP is an exception from other EAP 331 * methods: it uses only 16-byte PMK. 332 */ 333 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16); 334 pmk_len = 16; 335 } 336 } 337#ifdef CONFIG_IEEE80211R 338 if (res == 0 && 339 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) { 340 if (wpa_key_mgmt_sha384(sm->key_mgmt)) { 341 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN); 342 sm->xxkey_len = SHA384_MAC_LEN; 343 } else { 344 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN); 345 sm->xxkey_len = PMK_LEN; 346 } 347 forced_memzero(buf, sizeof(buf)); 348 if (sm->proto == WPA_PROTO_RSN && 349 wpa_key_mgmt_ft(sm->key_mgmt)) { 350 struct rsn_pmksa_cache_entry *sa = NULL; 351 const u8 *fils_cache_id = NULL; 352 353#ifdef CONFIG_FILS 354 if (sm->fils_cache_id_set) 355 fils_cache_id = sm->fils_cache_id; 356#endif /* CONFIG_FILS */ 357 wpa_hexdump_key(MSG_DEBUG, 358 "FT: Cache XXKey/MPMK", 359 sm->xxkey, sm->xxkey_len); 360 sa = pmksa_cache_add(sm->pmksa, 361 sm->xxkey, sm->xxkey_len, 362 NULL, NULL, 0, 363 src_addr, sm->own_addr, 364 sm->network_ctx, 365 sm->key_mgmt, 366 fils_cache_id); 367 if (!sm->cur_pmksa) 368 sm->cur_pmksa = sa; 369 } 370 } 371#endif /* CONFIG_IEEE80211R */ 372 if (res == 0) { 373 struct rsn_pmksa_cache_entry *sa = NULL; 374 const u8 *fils_cache_id = NULL; 375 376#ifdef CONFIG_FILS 377 if (sm->fils_cache_id_set) 378 fils_cache_id = sm->fils_cache_id; 379#endif /* CONFIG_FILS */ 380 381 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state " 382 "machines", sm->pmk, pmk_len); 383 sm->pmk_len = pmk_len; 384 wpa_supplicant_key_mgmt_set_pmk(sm); 385 if (sm->proto == WPA_PROTO_RSN && 386 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 387 !wpa_key_mgmt_ft(sm->key_mgmt)) { 388 sa = pmksa_cache_add(sm->pmksa, 389 sm->pmk, pmk_len, NULL, 390 NULL, 0, 391 src_addr, sm->own_addr, 392 sm->network_ctx, 393 sm->key_mgmt, 394 fils_cache_id); 395 } 396 if (!sm->cur_pmksa && pmkid && 397 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL, 398 0)) { 399 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 400 "RSN: the new PMK matches with the " 401 "PMKID"); 402 abort_cached = 0; 403 } else if (sa && !sm->cur_pmksa && pmkid) { 404 /* 405 * It looks like the authentication server 406 * derived mismatching MSK. This should not 407 * really happen, but bugs happen.. There is not 408 * much we can do here without knowing what 409 * exactly caused the server to misbehave. 410 */ 411 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 412 "RSN: PMKID mismatch - authentication server may have derived different MSK?!"); 413 return -1; 414 } 415 416 if (!sm->cur_pmksa) 417 sm->cur_pmksa = sa; 418#ifdef CONFIG_IEEE80211R 419 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) { 420 wpa_printf(MSG_DEBUG, 421 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol"); 422#endif /* CONFIG_IEEE80211R */ 423 } else { 424 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 425 "WPA: Failed to get master session key from " 426 "EAPOL state machines - key handshake " 427 "aborted"); 428 if (sm->cur_pmksa) { 429 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 430 "RSN: Cancelled PMKSA caching " 431 "attempt"); 432 sm->cur_pmksa = NULL; 433 abort_cached = 1; 434 } else if (!abort_cached) { 435 return -1; 436 } 437 } 438 } 439 440 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && 441 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 442 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN) 443 { 444 /* Send EAPOL-Start to trigger full EAP authentication. */ 445 u8 *buf; 446 size_t buflen; 447 448 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 449 "RSN: no PMKSA entry found - trigger " 450 "full EAP authentication"); 451 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START, 452 NULL, 0, &buflen, NULL); 453 if (buf) { 454 /* Set and reset eapFail to allow EAP state machine to 455 * proceed with new authentication. */ 456 eapol_sm_notify_eap_fail(sm->eapol, true); 457 eapol_sm_notify_eap_fail(sm->eapol, false); 458 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL, 459 buf, buflen); 460 os_free(buf); 461 return -2; 462 } 463 464 return -1; 465 } 466 467 return 0; 468} 469 470 471/** 472 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake 473 * @sm: Pointer to WPA state machine data from wpa_sm_init() 474 * @dst: Destination address for the frame 475 * @key: Pointer to the EAPOL-Key frame header 476 * @ver: Version bits from EAPOL-Key Key Info 477 * @nonce: Nonce value for the EAPOL-Key frame 478 * @wpa_ie: WPA/RSN IE 479 * @wpa_ie_len: Length of the WPA/RSN IE 480 * @ptk: PTK to use for keyed hash and encryption 481 * Returns: >= 0 on success, < 0 on failure 482 */ 483int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst, 484 const struct wpa_eapol_key *key, 485 int ver, const u8 *nonce, 486 const u8 *wpa_ie, size_t wpa_ie_len, 487 struct wpa_ptk *ptk) 488{ 489 size_t mic_len, hdrlen, rlen; 490 struct wpa_eapol_key *reply; 491 u8 *rbuf, *key_mic; 492 u8 *rsn_ie_buf = NULL; 493 u16 key_info; 494 495 if (wpa_ie == NULL) { 496 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - " 497 "cannot generate msg 2/4"); 498 return -1; 499 } 500 501#ifdef CONFIG_IEEE80211R 502 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 503 int res; 504 505 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing", 506 wpa_ie, wpa_ie_len); 507 /* 508 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and 509 * FTIE from (Re)Association Response. 510 */ 511 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN + 512 sm->assoc_resp_ies_len); 513 if (rsn_ie_buf == NULL) 514 return -1; 515 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len); 516 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len, 517 sm->pmk_r1_name); 518 if (res < 0) { 519 os_free(rsn_ie_buf); 520 return -1; 521 } 522 wpa_hexdump(MSG_DEBUG, 523 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE", 524 rsn_ie_buf, wpa_ie_len); 525 526 if (sm->assoc_resp_ies) { 527 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies", 528 sm->assoc_resp_ies, 529 sm->assoc_resp_ies_len); 530 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies, 531 sm->assoc_resp_ies_len); 532 wpa_ie_len += sm->assoc_resp_ies_len; 533 } 534 535 wpa_ie = rsn_ie_buf; 536 } 537#endif /* CONFIG_IEEE80211R */ 538 539 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len); 540 541 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 542 hdrlen = sizeof(*reply) + mic_len + 2; 543 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, 544 NULL, hdrlen + wpa_ie_len, 545 &rlen, (void *) &reply); 546 if (rbuf == NULL) { 547 os_free(rsn_ie_buf); 548 return -1; 549 } 550 551 reply->type = (sm->proto == WPA_PROTO_RSN || 552 sm->proto == WPA_PROTO_OSEN) ? 553 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 554 key_info = ver | WPA_KEY_INFO_KEY_TYPE; 555 if (mic_len) 556 key_info |= WPA_KEY_INFO_MIC; 557 else 558 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 559 WPA_PUT_BE16(reply->key_info, key_info); 560 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 561 WPA_PUT_BE16(reply->key_length, 0); 562 else 563 os_memcpy(reply->key_length, key->key_length, 2); 564 os_memcpy(reply->replay_counter, key->replay_counter, 565 WPA_REPLAY_COUNTER_LEN); 566 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter, 567 WPA_REPLAY_COUNTER_LEN); 568 569 key_mic = (u8 *) (reply + 1); 570 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */ 571 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */ 572 os_free(rsn_ie_buf); 573 574 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN); 575 576 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4"); 577 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 578 key_mic); 579} 580 581 582static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr, 583 const struct wpa_eapol_key *key, struct wpa_ptk *ptk) 584{ 585 const u8 *z = NULL; 586 size_t z_len = 0, kdk_len; 587 int akmp; 588 589#ifdef CONFIG_IEEE80211R 590 if (wpa_key_mgmt_ft(sm->key_mgmt)) 591 return wpa_derive_ptk_ft(sm, src_addr, key, ptk); 592#endif /* CONFIG_IEEE80211R */ 593 594#ifdef CONFIG_DPP2 595 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) { 596 z = wpabuf_head(sm->dpp_z); 597 z_len = wpabuf_len(sm->dpp_z); 598 } 599#endif /* CONFIG_DPP2 */ 600 601 akmp = sm->key_mgmt; 602#ifdef CONFIG_OWE 603 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE && 604 sm->pmk_len > 32) { 605 wpa_printf(MSG_DEBUG, 606 "OWE: Force SHA256 for PTK derivation"); 607 akmp |= WPA_KEY_MGMT_PSK_SHA256; 608 } 609#endif /* CONFIG_OWE */ 610 611 if (sm->force_kdk_derivation || 612 (sm->secure_ltf && 613 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))) 614 kdk_len = WPA_KDK_MAX_LEN; 615 else 616 kdk_len = 0; 617 618 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion", 619 sm->own_addr, sm->bssid, sm->snonce, 620 key->key_nonce, ptk, akmp, 621 sm->pairwise_cipher, z, z_len, 622 kdk_len); 623} 624 625 626static int wpa_handle_ext_key_id(struct wpa_sm *sm, 627 struct wpa_eapol_ie_parse *kde) 628{ 629 if (sm->ext_key_id) { 630 u16 key_id; 631 632 if (!kde->key_id) { 633 wpa_msg(sm->ctx->msg_ctx, 634 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG, 635 "RSN: No Key ID in Extended Key ID handshake"); 636 sm->keyidx_active = 0; 637 return sm->use_ext_key_id ? -1 : 0; 638 } 639 640 key_id = kde->key_id[0] & 0x03; 641 if (key_id > 1) { 642 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 643 "RSN: Invalid Extended Key ID: %d", key_id); 644 return -1; 645 } 646 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 647 "RSN: Using Extended Key ID %d", key_id); 648 sm->keyidx_active = key_id; 649 sm->use_ext_key_id = 1; 650 } else { 651 if (kde->key_id && (kde->key_id[0] & 0x03)) { 652 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 653 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake"); 654 return -1; 655 } 656 657 if (kde->key_id) { 658 /* This is not supposed to be included here, but ignore 659 * the case of matching Key ID 0 just in case. */ 660 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, 661 "RSN: Extended Key ID Key ID 0 in PTK0 handshake"); 662 } 663 sm->keyidx_active = 0; 664 sm->use_ext_key_id = 0; 665 } 666 667 return 0; 668} 669 670 671static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, 672 const unsigned char *src_addr, 673 const struct wpa_eapol_key *key, 674 u16 ver, const u8 *key_data, 675 size_t key_data_len) 676{ 677 struct wpa_eapol_ie_parse ie; 678 struct wpa_ptk *ptk; 679 int res; 680 u8 *kde, *kde_buf = NULL; 681 size_t kde_len; 682 683 if (wpa_sm_get_network_ctx(sm) == NULL) { 684 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info " 685 "found (msg 1 of 4)"); 686 return; 687 } 688 689 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id && 690 wpa_sm_get_state(sm) == WPA_COMPLETED) { 691 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 692 "WPA: PTK0 rekey not allowed, reconnecting"); 693 wpa_sm_reconnect(sm); 694 return; 695 } 696 697 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 698 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way " 699 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 700 701 os_memset(&ie, 0, sizeof(ie)); 702 703 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 704 /* RSN: msg 1/4 should contain PMKID for the selected PMK */ 705 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", 706 key_data, key_data_len); 707 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 708 goto failed; 709 if (ie.pmkid) { 710 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from " 711 "Authenticator", ie.pmkid, PMKID_LEN); 712 } 713 } 714 715 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid); 716 if (res == -2) { 717 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to " 718 "msg 1/4 - requesting full EAP authentication"); 719 return; 720 } 721 if (res) 722 goto failed; 723 724 if (sm->renew_snonce) { 725 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) { 726 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 727 "WPA: Failed to get random data for SNonce"); 728 goto failed; 729 } 730 sm->renew_snonce = 0; 731 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 732 sm->snonce, WPA_NONCE_LEN); 733 } 734 735 /* Calculate PTK which will be stored as a temporary PTK until it has 736 * been verified when processing message 3/4. */ 737 ptk = &sm->tptk; 738 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0) 739 goto failed; 740 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) { 741 u8 buf[8]; 742 /* Supplicant: swap tx/rx Mic keys */ 743 os_memcpy(buf, &ptk->tk[16], 8); 744 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8); 745 os_memcpy(&ptk->tk[24], buf, 8); 746 forced_memzero(buf, sizeof(buf)); 747 } 748 sm->tptk_set = 1; 749 750 kde = sm->assoc_wpa_ie; 751 kde_len = sm->assoc_wpa_ie_len; 752 kde_buf = os_malloc(kde_len + 753 2 + RSN_SELECTOR_LEN + 3 + 754 sm->assoc_rsnxe_len + 755 2 + RSN_SELECTOR_LEN + 1 + 756 2 + RSN_SELECTOR_LEN + 2); 757 if (!kde_buf) 758 goto failed; 759 os_memcpy(kde_buf, kde, kde_len); 760 kde = kde_buf; 761 762#ifdef CONFIG_OCV 763 if (wpa_sm_ocv_enabled(sm)) { 764 struct wpa_channel_info ci; 765 u8 *pos; 766 767 pos = kde + kde_len; 768 if (wpa_sm_channel_info(sm, &ci) != 0) { 769 wpa_printf(MSG_WARNING, 770 "Failed to get channel info for OCI element in EAPOL-Key 2/4"); 771 goto failed; 772 } 773#ifdef CONFIG_TESTING_OPTIONS 774 if (sm->oci_freq_override_eapol) { 775 wpa_printf(MSG_INFO, 776 "TEST: Override OCI KDE frequency %d -> %d MHz", 777 ci.frequency, sm->oci_freq_override_eapol); 778 ci.frequency = sm->oci_freq_override_eapol; 779 } 780#endif /* CONFIG_TESTING_OPTIONS */ 781 782 if (ocv_insert_oci_kde(&ci, &pos) < 0) 783 goto failed; 784 kde_len = pos - kde; 785 } 786#endif /* CONFIG_OCV */ 787 788 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) { 789 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len); 790 kde_len += sm->assoc_rsnxe_len; 791 } 792 793#ifdef CONFIG_P2P 794 if (sm->p2p) { 795 u8 *pos; 796 797 wpa_printf(MSG_DEBUG, 798 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4"); 799 pos = kde + kde_len; 800 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 801 *pos++ = RSN_SELECTOR_LEN + 1; 802 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ); 803 pos += RSN_SELECTOR_LEN; 804 *pos++ = 0x01; 805 kde_len = pos - kde; 806 } 807#endif /* CONFIG_P2P */ 808 809#ifdef CONFIG_DPP2 810 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) { 811 u8 *pos; 812 813 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4"); 814 pos = kde + kde_len; 815 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 816 *pos++ = RSN_SELECTOR_LEN + 2; 817 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP); 818 pos += RSN_SELECTOR_LEN; 819 *pos++ = DPP_VERSION; /* Protocol Version */ 820 *pos = 0; /* Flags */ 821 if (sm->dpp_pfs == 0) 822 *pos |= DPP_KDE_PFS_ALLOWED; 823 else if (sm->dpp_pfs == 1) 824 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED; 825 pos++; 826 kde_len = pos - kde; 827 } 828#endif /* CONFIG_DPP2 */ 829 830 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce, 831 kde, kde_len, ptk) < 0) 832 goto failed; 833 834 os_free(kde_buf); 835 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN); 836 return; 837 838failed: 839 os_free(kde_buf); 840 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 841} 842 843 844static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx) 845{ 846 struct wpa_sm *sm = eloop_ctx; 847 rsn_preauth_candidate_process(sm); 848} 849 850 851static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm, 852 const u8 *addr, int secure) 853{ 854 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 855 "WPA: Key negotiation completed with " 856 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr), 857 wpa_cipher_txt(sm->pairwise_cipher), 858 wpa_cipher_txt(sm->group_cipher)); 859 wpa_sm_cancel_auth_timeout(sm); 860 wpa_sm_set_state(sm, WPA_COMPLETED); 861 862 if (secure) { 863 wpa_sm_mlme_setprotection( 864 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX, 865 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 866 eapol_sm_notify_portValid(sm->eapol, true); 867 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) || 868 sm->key_mgmt == WPA_KEY_MGMT_DPP || 869 sm->key_mgmt == WPA_KEY_MGMT_OWE) 870 eapol_sm_notify_eap_success(sm->eapol, true); 871 /* 872 * Start preauthentication after a short wait to avoid a 873 * possible race condition between the data receive and key 874 * configuration after the 4-Way Handshake. This increases the 875 * likelihood of the first preauth EAPOL-Start frame getting to 876 * the target AP. 877 */ 878 if (!dl_list_empty(&sm->pmksa_candidates)) 879 eloop_register_timeout(1, 0, wpa_sm_start_preauth, 880 sm, NULL); 881 } 882 883 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) { 884 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 885 "RSN: Authenticator accepted " 886 "opportunistic PMKSA entry - marking it valid"); 887 sm->cur_pmksa->opportunistic = 0; 888 } 889 890#ifdef CONFIG_IEEE80211R 891 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 892 /* Prepare for the next transition */ 893 wpa_ft_prepare_auth_request(sm, NULL); 894 } 895#endif /* CONFIG_IEEE80211R */ 896} 897 898 899static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 900{ 901 struct wpa_sm *sm = eloop_ctx; 902 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying"); 903 wpa_sm_key_request(sm, 0, 1); 904} 905 906 907static int wpa_supplicant_install_ptk(struct wpa_sm *sm, 908 const struct wpa_eapol_key *key, 909 enum key_flag key_flag) 910{ 911 int keylen, rsclen; 912 enum wpa_alg alg; 913 const u8 *key_rsc; 914 915 if (sm->ptk.installed) { 916 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 917 "WPA: Do not re-install same PTK to the driver"); 918 return 0; 919 } 920 921 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 922 "WPA: Installing PTK to the driver"); 923 924 if (sm->pairwise_cipher == WPA_CIPHER_NONE) { 925 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher " 926 "Suite: NONE - do not use pairwise keys"); 927 return 0; 928 } 929 930 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 931 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 932 "WPA: Unsupported pairwise cipher %d", 933 sm->pairwise_cipher); 934 return -1; 935 } 936 937 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 938 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 939 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) { 940 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu", 941 keylen, (long unsigned int) sm->ptk.tk_len); 942 return -1; 943 } 944 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); 945 946 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 947 key_rsc = null_rsc; 948 } else { 949 key_rsc = key->key_rsc; 950 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); 951 } 952 953 if (wpa_sm_set_key(sm, alg, sm->bssid, sm->keyidx_active, 1, key_rsc, 954 rsclen, sm->ptk.tk, keylen, 955 KEY_FLAG_PAIRWISE | key_flag) < 0) { 956 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 957 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" 958 MACSTR " idx=%d key_flag=0x%x)", 959 alg, keylen, MAC2STR(sm->bssid), 960 sm->keyidx_active, key_flag); 961 return -1; 962 } 963 964 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher, 965 sm->dot11RSNAConfigPMKLifetime, &sm->ptk); 966 967 /* TK is not needed anymore in supplicant */ 968 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); 969 sm->ptk.tk_len = 0; 970 sm->ptk.installed = 1; 971 972 if (sm->wpa_ptk_rekey) { 973 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 974 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, 975 sm, NULL); 976 } 977 return 0; 978} 979 980 981static int wpa_supplicant_activate_ptk(struct wpa_sm *sm) 982{ 983 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 984 "WPA: Activate PTK (idx=%d bssid=" MACSTR ")", 985 sm->keyidx_active, MAC2STR(sm->bssid)); 986 987 if (wpa_sm_set_key(sm, 0, sm->bssid, sm->keyidx_active, 0, NULL, 0, 988 NULL, 0, KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) { 989 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 990 "WPA: Failed to activate PTK for TX (idx=%d bssid=" 991 MACSTR ")", sm->keyidx_active, MAC2STR(sm->bssid)); 992 return -1; 993 } 994 return 0; 995} 996 997 998static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm, 999 int group_cipher, 1000 int keylen, int maxkeylen, 1001 int *key_rsc_len, 1002 enum wpa_alg *alg) 1003{ 1004 int klen; 1005 1006 *alg = wpa_cipher_to_alg(group_cipher); 1007 if (*alg == WPA_ALG_NONE) { 1008 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1009 "WPA: Unsupported Group Cipher %d", 1010 group_cipher); 1011 return -1; 1012 } 1013 *key_rsc_len = wpa_cipher_rsc_len(group_cipher); 1014 1015 klen = wpa_cipher_key_len(group_cipher); 1016 if (keylen != klen || maxkeylen < klen) { 1017 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1018 "WPA: Unsupported %s Group Cipher key length %d (%d)", 1019 wpa_cipher_txt(group_cipher), keylen, maxkeylen); 1020 return -1; 1021 } 1022 return 0; 1023} 1024 1025 1026struct wpa_gtk_data { 1027 enum wpa_alg alg; 1028 int tx, key_rsc_len, keyidx; 1029 u8 gtk[32]; 1030 int gtk_len; 1031}; 1032 1033 1034static int wpa_supplicant_install_gtk(struct wpa_sm *sm, 1035 const struct wpa_gtk_data *gd, 1036 const u8 *key_rsc, int wnm_sleep) 1037{ 1038 const u8 *_gtk = gd->gtk; 1039 u8 gtk_buf[32]; 1040 1041 /* Detect possible key reinstallation */ 1042 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && 1043 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || 1044 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && 1045 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, 1046 sm->gtk_wnm_sleep.gtk_len) == 0)) { 1047 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1048 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", 1049 gd->keyidx, gd->tx, gd->gtk_len); 1050 return 0; 1051 } 1052 1053 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); 1054 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1055 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", 1056 gd->keyidx, gd->tx, gd->gtk_len); 1057 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len); 1058 if (sm->group_cipher == WPA_CIPHER_TKIP) { 1059 /* Swap Tx/Rx keys for Michael MIC */ 1060 os_memcpy(gtk_buf, gd->gtk, 16); 1061 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8); 1062 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8); 1063 _gtk = gtk_buf; 1064 } 1065 if (sm->pairwise_cipher == WPA_CIPHER_NONE) { 1066 if (wpa_sm_set_key(sm, gd->alg, NULL, 1067 gd->keyidx, 1, key_rsc, gd->key_rsc_len, 1068 _gtk, gd->gtk_len, 1069 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) { 1070 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1071 "WPA: Failed to set GTK to the driver " 1072 "(Group only)"); 1073 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1074 return -1; 1075 } 1076 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr, 1077 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, 1078 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) { 1079 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1080 "WPA: Failed to set GTK to " 1081 "the driver (alg=%d keylen=%d keyidx=%d)", 1082 gd->alg, gd->gtk_len, gd->keyidx); 1083 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1084 return -1; 1085 } 1086 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1087 1088 if (wnm_sleep) { 1089 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; 1090 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, 1091 sm->gtk_wnm_sleep.gtk_len); 1092 } else { 1093 sm->gtk.gtk_len = gd->gtk_len; 1094 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); 1095 } 1096 1097 return 0; 1098} 1099 1100 1101static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm, 1102 int tx) 1103{ 1104 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) { 1105 /* Ignore Tx bit for GTK if a pairwise key is used. One AP 1106 * seemed to set this bit (incorrectly, since Tx is only when 1107 * doing Group Key only APs) and without this workaround, the 1108 * data connection does not work because wpa_supplicant 1109 * configured non-zero keyidx to be used for unicast. */ 1110 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1111 "WPA: Tx bit set for GTK, but pairwise " 1112 "keys are used - ignore Tx bit"); 1113 return 0; 1114 } 1115 return tx; 1116} 1117 1118 1119static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm, 1120 const u8 *rsc) 1121{ 1122 int rsclen; 1123 1124 if (!sm->wpa_rsc_relaxation) 1125 return 0; 1126 1127 rsclen = wpa_cipher_rsc_len(sm->group_cipher); 1128 1129 /* 1130 * Try to detect RSC (endian) corruption issue where the AP sends 1131 * the RSC bytes in EAPOL-Key message in the wrong order, both if 1132 * it's actually a 6-byte field (as it should be) and if it treats 1133 * it as an 8-byte field. 1134 * An AP model known to have this bug is the Sapido RB-1632. 1135 */ 1136 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) { 1137 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1138 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0", 1139 rsc[0], rsc[1], rsc[2], rsc[3], 1140 rsc[4], rsc[5], rsc[6], rsc[7]); 1141 1142 return 1; 1143 } 1144 1145 return 0; 1146} 1147 1148 1149static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, 1150 const struct wpa_eapol_key *key, 1151 const u8 *gtk, size_t gtk_len, 1152 int key_info) 1153{ 1154 struct wpa_gtk_data gd; 1155 const u8 *key_rsc; 1156 1157 /* 1158 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x 1159 * GTK KDE format: 1160 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7] 1161 * Reserved [bits 0-7] 1162 * GTK 1163 */ 1164 1165 os_memset(&gd, 0, sizeof(gd)); 1166 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake", 1167 gtk, gtk_len); 1168 1169 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk)) 1170 return -1; 1171 1172 gd.keyidx = gtk[0] & 0x3; 1173 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 1174 !!(gtk[0] & BIT(2))); 1175 gtk += 2; 1176 gtk_len -= 2; 1177 1178 os_memcpy(gd.gtk, gtk, gtk_len); 1179 gd.gtk_len = gtk_len; 1180 1181 key_rsc = key->key_rsc; 1182 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 1183 key_rsc = null_rsc; 1184 1185 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED && 1186 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1187 gtk_len, gtk_len, 1188 &gd.key_rsc_len, &gd.alg) || 1189 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { 1190 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1191 "RSN: Failed to install GTK"); 1192 forced_memzero(&gd, sizeof(gd)); 1193 return -1; 1194 } 1195 forced_memzero(&gd, sizeof(gd)); 1196 1197 return 0; 1198} 1199 1200 1201static int wpa_supplicant_install_igtk(struct wpa_sm *sm, 1202 const struct wpa_igtk_kde *igtk, 1203 int wnm_sleep) 1204{ 1205 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1206 u16 keyidx = WPA_GET_LE16(igtk->keyid); 1207 1208 /* Detect possible key reinstallation */ 1209 if ((sm->igtk.igtk_len == len && 1210 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || 1211 (sm->igtk_wnm_sleep.igtk_len == len && 1212 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, 1213 sm->igtk_wnm_sleep.igtk_len) == 0)) { 1214 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1215 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", 1216 keyidx); 1217 return 0; 1218 } 1219 1220 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1221 "WPA: IGTK keyid %d pn " COMPACT_MACSTR, 1222 keyidx, MAC2STR(igtk->pn)); 1223 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); 1224 if (keyidx > 4095) { 1225 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1226 "WPA: Invalid IGTK KeyID %d", keyidx); 1227 return -1; 1228 } 1229 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), 1230 broadcast_ether_addr, 1231 keyidx, 0, igtk->pn, sizeof(igtk->pn), 1232 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) { 1233 if (keyidx == 0x0400 || keyidx == 0x0500) { 1234 /* Assume the AP has broken PMF implementation since it 1235 * seems to have swapped the KeyID bytes. The AP cannot 1236 * be trusted to implement BIP correctly or provide a 1237 * valid IGTK, so do not try to configure this key with 1238 * swapped KeyID bytes. Instead, continue without 1239 * configuring the IGTK so that the driver can drop any 1240 * received group-addressed robust management frames due 1241 * to missing keys. 1242 * 1243 * Normally, this error behavior would result in us 1244 * disconnecting, but there are number of deployed APs 1245 * with this broken behavior, so as an interoperability 1246 * workaround, allow the connection to proceed. */ 1247 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1248 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order"); 1249 } else { 1250 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1251 "WPA: Failed to configure IGTK to the driver"); 1252 return -1; 1253 } 1254 } 1255 1256 if (wnm_sleep) { 1257 sm->igtk_wnm_sleep.igtk_len = len; 1258 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, 1259 sm->igtk_wnm_sleep.igtk_len); 1260 } else { 1261 sm->igtk.igtk_len = len; 1262 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); 1263 } 1264 1265 return 0; 1266} 1267 1268 1269static int wpa_supplicant_install_bigtk(struct wpa_sm *sm, 1270 const struct wpa_bigtk_kde *bigtk, 1271 int wnm_sleep) 1272{ 1273 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1274 u16 keyidx = WPA_GET_LE16(bigtk->keyid); 1275 1276 /* Detect possible key reinstallation */ 1277 if ((sm->bigtk.bigtk_len == len && 1278 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk, 1279 sm->bigtk.bigtk_len) == 0) || 1280 (sm->bigtk_wnm_sleep.bigtk_len == len && 1281 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk, 1282 sm->bigtk_wnm_sleep.bigtk_len) == 0)) { 1283 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1284 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)", 1285 keyidx); 1286 return 0; 1287 } 1288 1289 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1290 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR, 1291 keyidx, MAC2STR(bigtk->pn)); 1292 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len); 1293 if (keyidx < 6 || keyidx > 7) { 1294 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1295 "WPA: Invalid BIGTK KeyID %d", keyidx); 1296 return -1; 1297 } 1298 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), 1299 broadcast_ether_addr, 1300 keyidx, 0, bigtk->pn, sizeof(bigtk->pn), 1301 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) { 1302 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1303 "WPA: Failed to configure BIGTK to the driver"); 1304 return -1; 1305 } 1306 1307 if (wnm_sleep) { 1308 sm->bigtk_wnm_sleep.bigtk_len = len; 1309 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk, 1310 sm->bigtk_wnm_sleep.bigtk_len); 1311 } else { 1312 sm->bigtk.bigtk_len = len; 1313 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len); 1314 } 1315 1316 return 0; 1317} 1318 1319 1320static int ieee80211w_set_keys(struct wpa_sm *sm, 1321 struct wpa_eapol_ie_parse *ie) 1322{ 1323 size_t len; 1324 1325 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) || 1326 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED) 1327 return 0; 1328 1329 if (ie->igtk) { 1330 const struct wpa_igtk_kde *igtk; 1331 1332 len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1333 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) 1334 return -1; 1335 1336 igtk = (const struct wpa_igtk_kde *) ie->igtk; 1337 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) 1338 return -1; 1339 } 1340 1341 if (ie->bigtk && sm->beacon_prot) { 1342 const struct wpa_bigtk_kde *bigtk; 1343 1344 len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1345 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len) 1346 return -1; 1347 1348 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk; 1349 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0) 1350 return -1; 1351 } 1352 1353 return 0; 1354} 1355 1356 1357static void wpa_report_ie_mismatch(struct wpa_sm *sm, 1358 const char *reason, const u8 *src_addr, 1359 const u8 *wpa_ie, size_t wpa_ie_len, 1360 const u8 *rsn_ie, size_t rsn_ie_len) 1361{ 1362 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")", 1363 reason, MAC2STR(src_addr)); 1364 1365 if (sm->ap_wpa_ie) { 1366 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp", 1367 sm->ap_wpa_ie, sm->ap_wpa_ie_len); 1368 } 1369 if (wpa_ie) { 1370 if (!sm->ap_wpa_ie) { 1371 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1372 "WPA: No WPA IE in Beacon/ProbeResp"); 1373 } 1374 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", 1375 wpa_ie, wpa_ie_len); 1376 } 1377 1378 if (sm->ap_rsn_ie) { 1379 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp", 1380 sm->ap_rsn_ie, sm->ap_rsn_ie_len); 1381 } 1382 if (rsn_ie) { 1383 if (!sm->ap_rsn_ie) { 1384 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1385 "WPA: No RSN IE in Beacon/ProbeResp"); 1386 } 1387 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg", 1388 rsn_ie, rsn_ie_len); 1389 } 1390 1391 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS); 1392} 1393 1394 1395#ifdef CONFIG_IEEE80211R 1396 1397static int ft_validate_mdie(struct wpa_sm *sm, 1398 const unsigned char *src_addr, 1399 struct wpa_eapol_ie_parse *ie, 1400 const u8 *assoc_resp_mdie) 1401{ 1402 struct rsn_mdie *mdie; 1403 1404 mdie = (struct rsn_mdie *) (ie->mdie + 2); 1405 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) || 1406 os_memcmp(mdie->mobility_domain, sm->mobility_domain, 1407 MOBILITY_DOMAIN_ID_LEN) != 0) { 1408 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did " 1409 "not match with the current mobility domain"); 1410 return -1; 1411 } 1412 1413 if (assoc_resp_mdie && 1414 (assoc_resp_mdie[1] != ie->mdie[1] || 1415 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) { 1416 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch"); 1417 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4", 1418 ie->mdie, 2 + ie->mdie[1]); 1419 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response", 1420 assoc_resp_mdie, 2 + assoc_resp_mdie[1]); 1421 return -1; 1422 } 1423 1424 return 0; 1425} 1426 1427 1428static int ft_validate_ftie(struct wpa_sm *sm, 1429 const unsigned char *src_addr, 1430 struct wpa_eapol_ie_parse *ie, 1431 const u8 *assoc_resp_ftie) 1432{ 1433 if (ie->ftie == NULL) { 1434 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1435 "FT: No FTIE in EAPOL-Key msg 3/4"); 1436 return -1; 1437 } 1438 1439 if (assoc_resp_ftie == NULL) 1440 return 0; 1441 1442 if (assoc_resp_ftie[1] != ie->ftie[1] || 1443 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) { 1444 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch"); 1445 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4", 1446 ie->ftie, 2 + ie->ftie[1]); 1447 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response", 1448 assoc_resp_ftie, 2 + assoc_resp_ftie[1]); 1449 return -1; 1450 } 1451 1452 return 0; 1453} 1454 1455 1456static int ft_validate_rsnie(struct wpa_sm *sm, 1457 const unsigned char *src_addr, 1458 struct wpa_eapol_ie_parse *ie) 1459{ 1460 struct wpa_ie_data rsn; 1461 1462 if (!ie->rsn_ie) 1463 return 0; 1464 1465 /* 1466 * Verify that PMKR1Name from EAPOL-Key message 3/4 1467 * matches with the value we derived. 1468 */ 1469 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 || 1470 rsn.num_pmkid != 1 || rsn.pmkid == NULL) { 1471 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in " 1472 "FT 4-way handshake message 3/4"); 1473 return -1; 1474 } 1475 1476 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0) 1477 { 1478 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1479 "FT: PMKR1Name mismatch in " 1480 "FT 4-way handshake message 3/4"); 1481 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator", 1482 rsn.pmkid, WPA_PMK_NAME_LEN); 1483 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 1484 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 1485 return -1; 1486 } 1487 1488 return 0; 1489} 1490 1491 1492static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm, 1493 const unsigned char *src_addr, 1494 struct wpa_eapol_ie_parse *ie) 1495{ 1496 const u8 *pos, *end, *mdie = NULL, *ftie = NULL; 1497 1498 if (sm->assoc_resp_ies) { 1499 pos = sm->assoc_resp_ies; 1500 end = pos + sm->assoc_resp_ies_len; 1501 while (end - pos > 2) { 1502 if (2 + pos[1] > end - pos) 1503 break; 1504 switch (*pos) { 1505 case WLAN_EID_MOBILITY_DOMAIN: 1506 mdie = pos; 1507 break; 1508 case WLAN_EID_FAST_BSS_TRANSITION: 1509 ftie = pos; 1510 break; 1511 } 1512 pos += 2 + pos[1]; 1513 } 1514 } 1515 1516 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 || 1517 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 || 1518 ft_validate_rsnie(sm, src_addr, ie) < 0) 1519 return -1; 1520 1521 return 0; 1522} 1523 1524#endif /* CONFIG_IEEE80211R */ 1525 1526 1527static int wpa_supplicant_validate_ie(struct wpa_sm *sm, 1528 const unsigned char *src_addr, 1529 struct wpa_eapol_ie_parse *ie) 1530{ 1531 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) { 1532 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1533 "WPA: No WPA/RSN IE for this AP known. " 1534 "Trying to get from scan results"); 1535 if (wpa_sm_get_beacon_ie(sm) < 0) { 1536 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1537 "WPA: Could not find AP from " 1538 "the scan results"); 1539 return -1; 1540 } 1541 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, 1542 "WPA: Found the current AP from updated scan results"); 1543 } 1544 1545 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL && 1546 (sm->ap_wpa_ie || sm->ap_rsn_ie)) { 1547 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match " 1548 "with IE in Beacon/ProbeResp (no IE?)", 1549 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1550 ie->rsn_ie, ie->rsn_ie_len); 1551 return -1; 1552 } 1553 1554 if ((ie->wpa_ie && sm->ap_wpa_ie && 1555 (ie->wpa_ie_len != sm->ap_wpa_ie_len || 1556 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) || 1557 (ie->rsn_ie && sm->ap_rsn_ie && 1558 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt), 1559 sm->ap_rsn_ie, sm->ap_rsn_ie_len, 1560 ie->rsn_ie, ie->rsn_ie_len))) { 1561 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match " 1562 "with IE in Beacon/ProbeResp", 1563 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1564 ie->rsn_ie, ie->rsn_ie_len); 1565 return -1; 1566 } 1567 1568 if (sm->proto == WPA_PROTO_WPA && 1569 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) { 1570 wpa_report_ie_mismatch(sm, "Possible downgrade attack " 1571 "detected - RSN was enabled and RSN IE " 1572 "was in msg 3/4, but not in " 1573 "Beacon/ProbeResp", 1574 src_addr, ie->wpa_ie, ie->wpa_ie_len, 1575 ie->rsn_ie, ie->rsn_ie_len); 1576 return -1; 1577 } 1578 1579 if (sm->proto == WPA_PROTO_RSN && 1580 ((sm->ap_rsnxe && !ie->rsnxe) || 1581 (!sm->ap_rsnxe && ie->rsnxe) || 1582 (sm->ap_rsnxe && ie->rsnxe && 1583 (sm->ap_rsnxe_len != ie->rsnxe_len || 1584 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) { 1585 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1586 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4"); 1587 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp", 1588 sm->ap_rsnxe, sm->ap_rsnxe_len); 1589 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4", 1590 ie->rsnxe, ie->rsnxe_len); 1591 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS); 1592 return -1; 1593 } 1594 1595#ifdef CONFIG_IEEE80211R 1596 if (wpa_key_mgmt_ft(sm->key_mgmt) && 1597 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0) 1598 return -1; 1599#endif /* CONFIG_IEEE80211R */ 1600 1601 return 0; 1602} 1603 1604 1605/** 1606 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake 1607 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1608 * @dst: Destination address for the frame 1609 * @key: Pointer to the EAPOL-Key frame header 1610 * @ver: Version bits from EAPOL-Key Key Info 1611 * @key_info: Key Info 1612 * @ptk: PTK to use for keyed hash and encryption 1613 * Returns: >= 0 on success, < 0 on failure 1614 */ 1615int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst, 1616 const struct wpa_eapol_key *key, 1617 u16 ver, u16 key_info, 1618 struct wpa_ptk *ptk) 1619{ 1620 size_t mic_len, hdrlen, rlen; 1621 struct wpa_eapol_key *reply; 1622 u8 *rbuf, *key_mic; 1623 1624 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 1625 hdrlen = sizeof(*reply) + mic_len + 2; 1626 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 1627 hdrlen, &rlen, (void *) &reply); 1628 if (rbuf == NULL) 1629 return -1; 1630 1631 reply->type = (sm->proto == WPA_PROTO_RSN || 1632 sm->proto == WPA_PROTO_OSEN) ? 1633 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 1634 key_info &= WPA_KEY_INFO_SECURE; 1635 key_info |= ver | WPA_KEY_INFO_KEY_TYPE; 1636 if (mic_len) 1637 key_info |= WPA_KEY_INFO_MIC; 1638 else 1639 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 1640 WPA_PUT_BE16(reply->key_info, key_info); 1641 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 1642 WPA_PUT_BE16(reply->key_length, 0); 1643 else 1644 os_memcpy(reply->key_length, key->key_length, 2); 1645 os_memcpy(reply->replay_counter, key->replay_counter, 1646 WPA_REPLAY_COUNTER_LEN); 1647 1648 key_mic = (u8 *) (reply + 1); 1649 WPA_PUT_BE16(key_mic + mic_len, 0); 1650 1651 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4"); 1652 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 1653 key_mic); 1654} 1655 1656 1657static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, 1658 const struct wpa_eapol_key *key, 1659 u16 ver, const u8 *key_data, 1660 size_t key_data_len) 1661{ 1662 u16 key_info, keylen; 1663 struct wpa_eapol_ie_parse ie; 1664 1665 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 1666 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way " 1667 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver); 1668 1669 key_info = WPA_GET_BE16(key->key_info); 1670 1671 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len); 1672 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 1673 goto failed; 1674 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1675 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1676 "WPA: GTK IE in unencrypted key data"); 1677 goto failed; 1678 } 1679 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1680 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1681 "WPA: IGTK KDE in unencrypted key data"); 1682 goto failed; 1683 } 1684 1685 if (ie.igtk && 1686 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED && 1687 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) && 1688 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN + 1689 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { 1690 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1691 "WPA: Invalid IGTK KDE length %lu", 1692 (unsigned long) ie.igtk_len); 1693 goto failed; 1694 } 1695 1696 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0) 1697 goto failed; 1698 1699 if (wpa_handle_ext_key_id(sm, &ie)) 1700 goto failed; 1701 1702 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 1703 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1704 "WPA: ANonce from message 1 of 4-Way Handshake " 1705 "differs from 3 of 4-Way Handshake - drop packet (src=" 1706 MACSTR ")", MAC2STR(sm->bssid)); 1707 goto failed; 1708 } 1709 1710 keylen = WPA_GET_BE16(key->key_length); 1711 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) { 1712 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1713 "WPA: Invalid %s key length %d (src=" MACSTR 1714 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen, 1715 MAC2STR(sm->bssid)); 1716 goto failed; 1717 } 1718 1719#ifdef CONFIG_P2P 1720 if (ie.ip_addr_alloc) { 1721 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4); 1722 wpa_hexdump(MSG_DEBUG, "P2P: IP address info", 1723 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr)); 1724 } 1725#endif /* CONFIG_P2P */ 1726 1727#ifdef CONFIG_OCV 1728 if (wpa_sm_ocv_enabled(sm)) { 1729 struct wpa_channel_info ci; 1730 1731 if (wpa_sm_channel_info(sm, &ci) != 0) { 1732 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1733 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4"); 1734 return; 1735 } 1736 1737 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci, 1738 channel_width_to_int(ci.chanwidth), 1739 ci.seg1_idx) != OCI_SUCCESS) { 1740 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE 1741 "addr=" MACSTR " frame=eapol-key-m3 error=%s", 1742 MAC2STR(sm->bssid), ocv_errorstr); 1743 return; 1744 } 1745 } 1746#endif /* CONFIG_OCV */ 1747 1748#ifdef CONFIG_DPP2 1749 if (DPP_VERSION > 1 && ie.dpp_kde) { 1750 wpa_printf(MSG_DEBUG, 1751 "DPP: peer Protocol Version %u Flags 0x%x", 1752 ie.dpp_kde[0], ie.dpp_kde[1]); 1753 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 && 1754 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) { 1755 wpa_printf(MSG_INFO, 1756 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association"); 1757 goto failed; 1758 } 1759 } 1760#endif /* CONFIG_DPP2 */ 1761 1762 if (sm->use_ext_key_id && 1763 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX)) 1764 goto failed; 1765 1766 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info, 1767 &sm->ptk) < 0) { 1768 goto failed; 1769 } 1770 1771 /* SNonce was successfully used in msg 3/4, so mark it to be renewed 1772 * for the next 4-Way Handshake. If msg 3 is received again, the old 1773 * SNonce will still be used to avoid changing PTK. */ 1774 sm->renew_snonce = 1; 1775 1776 if (key_info & WPA_KEY_INFO_INSTALL) { 1777 int res; 1778 1779 if (sm->use_ext_key_id) 1780 res = wpa_supplicant_activate_ptk(sm); 1781 else 1782 res = wpa_supplicant_install_ptk(sm, key, 1783 KEY_FLAG_RX_TX); 1784 if (res) 1785 goto failed; 1786 } 1787 1788 if (key_info & WPA_KEY_INFO_SECURE) { 1789 wpa_sm_mlme_setprotection( 1790 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX, 1791 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 1792 eapol_sm_notify_portValid(sm->eapol, true); 1793 } 1794 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 1795 1796 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) { 1797 /* No GTK to be set to the driver */ 1798 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) { 1799 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1800 "RSN: No GTK KDE included in EAPOL-Key msg 3/4"); 1801 goto failed; 1802 } else if (ie.gtk && 1803 wpa_supplicant_pairwise_gtk(sm, key, 1804 ie.gtk, ie.gtk_len, key_info) < 0) { 1805 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1806 "RSN: Failed to configure GTK"); 1807 goto failed; 1808 } 1809 1810 if (ieee80211w_set_keys(sm, &ie) < 0) { 1811 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1812 "RSN: Failed to configure IGTK"); 1813 goto failed; 1814 } 1815 1816 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk) 1817 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1818 key_info & WPA_KEY_INFO_SECURE); 1819 1820 if (ie.gtk) 1821 wpa_sm_set_rekey_offload(sm); 1822 1823 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be 1824 * calculated only after KCK has been derived. Though, do not replace an 1825 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID) 1826 * to avoid unnecessary changes of PMKID while continuing to use the 1827 * same PMK. */ 1828 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) && 1829 !sm->cur_pmksa) { 1830 struct rsn_pmksa_cache_entry *sa; 1831 1832 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL, 1833 sm->ptk.kck, sm->ptk.kck_len, 1834 sm->bssid, sm->own_addr, 1835 sm->network_ctx, sm->key_mgmt, NULL); 1836 if (!sm->cur_pmksa) 1837 sm->cur_pmksa = sa; 1838 } 1839 1840 if (ie.transition_disable) 1841 wpa_sm_transition_disable(sm, ie.transition_disable[0]); 1842 sm->msg_3_of_4_ok = 1; 1843 return; 1844 1845failed: 1846 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 1847} 1848 1849 1850static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm, 1851 const u8 *keydata, 1852 size_t keydatalen, 1853 u16 key_info, 1854 struct wpa_gtk_data *gd) 1855{ 1856 int maxkeylen; 1857 struct wpa_eapol_ie_parse ie; 1858 u16 gtk_len; 1859 1860 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data", 1861 keydata, keydatalen); 1862 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0) 1863 return -1; 1864 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 1865 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1866 "WPA: GTK IE in unencrypted key data"); 1867 return -1; 1868 } 1869 if (ie.gtk == NULL) { 1870 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1871 "WPA: No GTK IE in Group Key msg 1/2"); 1872 return -1; 1873 } 1874 gtk_len = ie.gtk_len; 1875 if (gtk_len < 2) { 1876 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1877 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2", 1878 gtk_len); 1879 return -1; 1880 } 1881 gtk_len -= 2; 1882 if (gtk_len > sizeof(gd->gtk)) { 1883 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1884 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len); 1885 return -1; 1886 } 1887 maxkeylen = gd->gtk_len = gtk_len; 1888 1889#ifdef CONFIG_OCV 1890 if (wpa_sm_ocv_enabled(sm)) { 1891 struct wpa_channel_info ci; 1892 1893 if (wpa_sm_channel_info(sm, &ci) != 0) { 1894 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1895 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2"); 1896 return -1; 1897 } 1898 1899 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci, 1900 channel_width_to_int(ci.chanwidth), 1901 ci.seg1_idx) != OCI_SUCCESS) { 1902 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE 1903 "addr=" MACSTR " frame=eapol-key-g1 error=%s", 1904 MAC2STR(sm->bssid), ocv_errorstr); 1905 return -1; 1906 } 1907 } 1908#endif /* CONFIG_OCV */ 1909 1910 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1911 gtk_len, maxkeylen, 1912 &gd->key_rsc_len, &gd->alg)) 1913 return -1; 1914 1915 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake", 1916 ie.gtk, 2 + gtk_len); 1917 gd->keyidx = ie.gtk[0] & 0x3; 1918 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 1919 !!(ie.gtk[0] & BIT(2))); 1920 os_memcpy(gd->gtk, ie.gtk + 2, gtk_len); 1921 1922 if (ieee80211w_set_keys(sm, &ie) < 0) 1923 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1924 "RSN: Failed to configure IGTK"); 1925 1926 return 0; 1927} 1928 1929 1930static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm, 1931 const struct wpa_eapol_key *key, 1932 const u8 *key_data, 1933 size_t key_data_len, u16 key_info, 1934 u16 ver, struct wpa_gtk_data *gd) 1935{ 1936 size_t maxkeylen; 1937 u16 gtk_len; 1938 1939 gtk_len = WPA_GET_BE16(key->key_length); 1940 maxkeylen = key_data_len; 1941 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1942 if (maxkeylen < 8) { 1943 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1944 "WPA: Too short maxkeylen (%lu)", 1945 (unsigned long) maxkeylen); 1946 return -1; 1947 } 1948 maxkeylen -= 8; 1949 } 1950 1951 if (gtk_len > maxkeylen || 1952 wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1953 gtk_len, maxkeylen, 1954 &gd->key_rsc_len, &gd->alg)) 1955 return -1; 1956 1957 gd->gtk_len = gtk_len; 1958 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 1959 WPA_KEY_INFO_KEY_INDEX_SHIFT; 1960 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) { 1961#ifdef CONFIG_NO_RC4 1962 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1963 "WPA: RC4 not supported in the build"); 1964 return -1; 1965#else /* CONFIG_NO_RC4 */ 1966 u8 ek[32]; 1967 if (key_data_len > sizeof(gd->gtk)) { 1968 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1969 "WPA: RC4 key data too long (%lu)", 1970 (unsigned long) key_data_len); 1971 return -1; 1972 } 1973 os_memcpy(ek, key->key_iv, 16); 1974 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); 1975 os_memcpy(gd->gtk, key_data, key_data_len); 1976 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) { 1977 forced_memzero(ek, sizeof(ek)); 1978 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 1979 "WPA: RC4 failed"); 1980 return -1; 1981 } 1982 forced_memzero(ek, sizeof(ek)); 1983#endif /* CONFIG_NO_RC4 */ 1984 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 1985 if (maxkeylen % 8) { 1986 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1987 "WPA: Unsupported AES-WRAP len %lu", 1988 (unsigned long) maxkeylen); 1989 return -1; 1990 } 1991 if (maxkeylen > sizeof(gd->gtk)) { 1992 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1993 "WPA: AES-WRAP key data " 1994 "too long (keydatalen=%lu maxkeylen=%lu)", 1995 (unsigned long) key_data_len, 1996 (unsigned long) maxkeylen); 1997 return -1; 1998 } 1999 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8, 2000 key_data, gd->gtk)) { 2001 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2002 "WPA: AES unwrap failed - could not decrypt " 2003 "GTK"); 2004 return -1; 2005 } 2006 } else { 2007 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2008 "WPA: Unsupported key_info type %d", ver); 2009 return -1; 2010 } 2011 gd->tx = wpa_supplicant_gtk_tx_bit_workaround( 2012 sm, !!(key_info & WPA_KEY_INFO_TXRX)); 2013 return 0; 2014} 2015 2016 2017static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm, 2018 const struct wpa_eapol_key *key, 2019 int ver, u16 key_info) 2020{ 2021 size_t mic_len, hdrlen, rlen; 2022 struct wpa_eapol_key *reply; 2023 u8 *rbuf, *key_mic; 2024 size_t kde_len = 0; 2025 2026#ifdef CONFIG_OCV 2027 if (wpa_sm_ocv_enabled(sm)) 2028 kde_len = OCV_OCI_KDE_LEN; 2029#endif /* CONFIG_OCV */ 2030 2031 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 2032 hdrlen = sizeof(*reply) + mic_len + 2; 2033 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 2034 hdrlen + kde_len, &rlen, (void *) &reply); 2035 if (rbuf == NULL) 2036 return -1; 2037 2038 reply->type = (sm->proto == WPA_PROTO_RSN || 2039 sm->proto == WPA_PROTO_OSEN) ? 2040 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 2041 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK; 2042 key_info |= ver | WPA_KEY_INFO_SECURE; 2043 if (mic_len) 2044 key_info |= WPA_KEY_INFO_MIC; 2045 else 2046 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 2047 WPA_PUT_BE16(reply->key_info, key_info); 2048 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 2049 WPA_PUT_BE16(reply->key_length, 0); 2050 else 2051 os_memcpy(reply->key_length, key->key_length, 2); 2052 os_memcpy(reply->replay_counter, key->replay_counter, 2053 WPA_REPLAY_COUNTER_LEN); 2054 2055 key_mic = (u8 *) (reply + 1); 2056 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */ 2057 2058#ifdef CONFIG_OCV 2059 if (wpa_sm_ocv_enabled(sm)) { 2060 struct wpa_channel_info ci; 2061 u8 *pos; 2062 2063 if (wpa_sm_channel_info(sm, &ci) != 0) { 2064 wpa_printf(MSG_WARNING, 2065 "Failed to get channel info for OCI element in EAPOL-Key 2/2"); 2066 os_free(rbuf); 2067 return -1; 2068 } 2069#ifdef CONFIG_TESTING_OPTIONS 2070 if (sm->oci_freq_override_eapol_g2) { 2071 wpa_printf(MSG_INFO, 2072 "TEST: Override OCI KDE frequency %d -> %d MHz", 2073 ci.frequency, 2074 sm->oci_freq_override_eapol_g2); 2075 ci.frequency = sm->oci_freq_override_eapol_g2; 2076 } 2077#endif /* CONFIG_TESTING_OPTIONS */ 2078 2079 pos = key_mic + mic_len + 2; /* Key Data */ 2080 if (ocv_insert_oci_kde(&ci, &pos) < 0) { 2081 os_free(rbuf); 2082 return -1; 2083 } 2084 } 2085#endif /* CONFIG_OCV */ 2086 2087 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2"); 2088 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL, 2089 rbuf, rlen, key_mic); 2090} 2091 2092 2093static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, 2094 const unsigned char *src_addr, 2095 const struct wpa_eapol_key *key, 2096 const u8 *key_data, 2097 size_t key_data_len, u16 ver) 2098{ 2099 u16 key_info; 2100 int rekey, ret; 2101 struct wpa_gtk_data gd; 2102 const u8 *key_rsc; 2103 2104 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) { 2105 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2106 "WPA: Group Key Handshake started prior to completion of 4-way handshake"); 2107 goto failed; 2108 } 2109 2110 os_memset(&gd, 0, sizeof(gd)); 2111 2112 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED; 2113 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key " 2114 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 2115 2116 key_info = WPA_GET_BE16(key->key_info); 2117 2118 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 2119 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data, 2120 key_data_len, key_info, 2121 &gd); 2122 } else { 2123 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data, 2124 key_data_len, 2125 key_info, ver, &gd); 2126 } 2127 2128 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 2129 2130 if (ret) 2131 goto failed; 2132 2133 key_rsc = key->key_rsc; 2134 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 2135 key_rsc = null_rsc; 2136 2137 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || 2138 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) 2139 goto failed; 2140 forced_memzero(&gd, sizeof(gd)); 2141 2142 if (rekey) { 2143 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying " 2144 "completed with " MACSTR " [GTK=%s]", 2145 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher)); 2146 wpa_sm_cancel_auth_timeout(sm); 2147 wpa_sm_set_state(sm, WPA_COMPLETED); 2148 } else { 2149 wpa_supplicant_key_neg_complete(sm, sm->bssid, 2150 key_info & 2151 WPA_KEY_INFO_SECURE); 2152 } 2153 2154 wpa_sm_set_rekey_offload(sm); 2155 2156 return; 2157 2158failed: 2159 forced_memzero(&gd, sizeof(gd)); 2160 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 2161} 2162 2163 2164static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm, 2165 struct wpa_eapol_key *key, 2166 u16 ver, 2167 const u8 *buf, size_t len) 2168{ 2169 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN]; 2170 int ok = 0; 2171 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 2172 2173 os_memcpy(mic, key + 1, mic_len); 2174 if (sm->tptk_set) { 2175 os_memset(key + 1, 0, mic_len); 2176 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, 2177 sm->key_mgmt, 2178 ver, buf, len, (u8 *) (key + 1)) < 0 || 2179 os_memcmp_const(mic, key + 1, mic_len) != 0) { 2180 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2181 "WPA: Invalid EAPOL-Key MIC " 2182 "when using TPTK - ignoring TPTK"); 2183#ifdef TEST_FUZZ 2184 wpa_printf(MSG_INFO, 2185 "TEST: Ignore Key MIC failure for fuzz testing"); 2186 goto continue_fuzz; 2187#endif /* TEST_FUZZ */ 2188 } else { 2189#ifdef TEST_FUZZ 2190 continue_fuzz: 2191#endif /* TEST_FUZZ */ 2192 ok = 1; 2193 sm->tptk_set = 0; 2194 sm->ptk_set = 1; 2195 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); 2196 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 2197 /* 2198 * This assures the same TPTK in sm->tptk can never be 2199 * copied twice to sm->ptk as the new PTK. In 2200 * combination with the installed flag in the wpa_ptk 2201 * struct, this assures the same PTK is only installed 2202 * once. 2203 */ 2204 sm->renew_snonce = 1; 2205 } 2206 } 2207 2208 if (!ok && sm->ptk_set) { 2209 os_memset(key + 1, 0, mic_len); 2210 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, 2211 sm->key_mgmt, 2212 ver, buf, len, (u8 *) (key + 1)) < 0 || 2213 os_memcmp_const(mic, key + 1, mic_len) != 0) { 2214 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2215 "WPA: Invalid EAPOL-Key MIC - " 2216 "dropping packet"); 2217#ifdef TEST_FUZZ 2218 wpa_printf(MSG_INFO, 2219 "TEST: Ignore Key MIC failure for fuzz testing"); 2220 goto continue_fuzz2; 2221#endif /* TEST_FUZZ */ 2222 return -1; 2223 } 2224#ifdef TEST_FUZZ 2225 continue_fuzz2: 2226#endif /* TEST_FUZZ */ 2227 ok = 1; 2228 } 2229 2230 if (!ok) { 2231 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2232 "WPA: Could not verify EAPOL-Key MIC - " 2233 "dropping packet"); 2234 return -1; 2235 } 2236 2237 os_memcpy(sm->rx_replay_counter, key->replay_counter, 2238 WPA_REPLAY_COUNTER_LEN); 2239 sm->rx_replay_counter_set = 1; 2240 return 0; 2241} 2242 2243 2244/* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */ 2245static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm, 2246 struct wpa_eapol_key *key, 2247 size_t mic_len, u16 ver, 2248 u8 *key_data, size_t *key_data_len) 2249{ 2250 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data", 2251 key_data, *key_data_len); 2252 if (!sm->ptk_set) { 2253 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2254 "WPA: PTK not available, cannot decrypt EAPOL-Key Key " 2255 "Data"); 2256 return -1; 2257 } 2258 2259 /* Decrypt key data here so that this operation does not need 2260 * to be implemented separately for each message type. */ 2261 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) { 2262#ifdef CONFIG_NO_RC4 2263 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2264 "WPA: RC4 not supported in the build"); 2265 return -1; 2266#else /* CONFIG_NO_RC4 */ 2267 u8 ek[32]; 2268 2269 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4"); 2270 os_memcpy(ek, key->key_iv, 16); 2271 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); 2272 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) { 2273 forced_memzero(ek, sizeof(ek)); 2274 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 2275 "WPA: RC4 failed"); 2276 return -1; 2277 } 2278 forced_memzero(ek, sizeof(ek)); 2279#endif /* CONFIG_NO_RC4 */ 2280 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 2281 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC || 2282 wpa_use_aes_key_wrap(sm->key_mgmt)) { 2283 u8 *buf; 2284 2285 wpa_printf(MSG_DEBUG, 2286 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)", 2287 (unsigned int) sm->ptk.kek_len); 2288 if (*key_data_len < 8 || *key_data_len % 8) { 2289 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2290 "WPA: Unsupported AES-WRAP len %u", 2291 (unsigned int) *key_data_len); 2292 return -1; 2293 } 2294 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */ 2295 buf = os_malloc(*key_data_len); 2296 if (buf == NULL) { 2297 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2298 "WPA: No memory for AES-UNWRAP buffer"); 2299 return -1; 2300 } 2301#ifdef TEST_FUZZ 2302 os_memset(buf, 0x11, *key_data_len); 2303#endif /* TEST_FUZZ */ 2304 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8, 2305 key_data, buf)) { 2306#ifdef TEST_FUZZ 2307 wpa_printf(MSG_INFO, 2308 "TEST: Ignore AES unwrap failure for fuzz testing"); 2309 goto continue_fuzz; 2310#endif /* TEST_FUZZ */ 2311 bin_clear_free(buf, *key_data_len); 2312 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2313 "WPA: AES unwrap failed - " 2314 "could not decrypt EAPOL-Key key data"); 2315 return -1; 2316 } 2317#ifdef TEST_FUZZ 2318 continue_fuzz: 2319#endif /* TEST_FUZZ */ 2320 os_memcpy(key_data, buf, *key_data_len); 2321 bin_clear_free(buf, *key_data_len); 2322 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len); 2323 } else { 2324 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2325 "WPA: Unsupported key_info type %d", ver); 2326 return -1; 2327 } 2328 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data", 2329 key_data, *key_data_len); 2330 return 0; 2331} 2332 2333 2334/** 2335 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted 2336 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2337 */ 2338void wpa_sm_aborted_cached(struct wpa_sm *sm) 2339{ 2340 if (sm && sm->cur_pmksa) { 2341 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2342 "RSN: Cancelling PMKSA caching attempt"); 2343 sm->cur_pmksa = NULL; 2344 } 2345} 2346 2347 2348void wpa_sm_aborted_external_cached(struct wpa_sm *sm) 2349{ 2350 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) { 2351 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2352 "RSN: Cancelling external PMKSA caching attempt"); 2353 sm->cur_pmksa = NULL; 2354 } 2355} 2356 2357 2358static void wpa_eapol_key_dump(struct wpa_sm *sm, 2359 const struct wpa_eapol_key *key, 2360 unsigned int key_data_len, 2361 const u8 *mic, unsigned int mic_len) 2362{ 2363#ifndef CONFIG_NO_STDOUT_DEBUG 2364 u16 key_info = WPA_GET_BE16(key->key_info); 2365 2366 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type); 2367 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2368 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)", 2369 key_info, key_info & WPA_KEY_INFO_TYPE_MASK, 2370 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 2371 WPA_KEY_INFO_KEY_INDEX_SHIFT, 2372 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13, 2373 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group", 2374 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "", 2375 key_info & WPA_KEY_INFO_ACK ? " Ack" : "", 2376 key_info & WPA_KEY_INFO_MIC ? " MIC" : "", 2377 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "", 2378 key_info & WPA_KEY_INFO_ERROR ? " Error" : "", 2379 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "", 2380 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : ""); 2381 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2382 " key_length=%u key_data_length=%u", 2383 WPA_GET_BE16(key->key_length), key_data_len); 2384 wpa_hexdump(MSG_DEBUG, " replay_counter", 2385 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 2386 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN); 2387 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16); 2388 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8); 2389 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8); 2390 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len); 2391#endif /* CONFIG_NO_STDOUT_DEBUG */ 2392} 2393 2394 2395#ifdef CONFIG_FILS 2396static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len, 2397 size_t *key_data_len) 2398{ 2399 struct wpa_ptk *ptk; 2400 struct ieee802_1x_hdr *hdr; 2401 struct wpa_eapol_key *key; 2402 u8 *pos, *tmp; 2403 const u8 *aad[1]; 2404 size_t aad_len[1]; 2405 2406 if (*key_data_len < AES_BLOCK_SIZE) { 2407 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame"); 2408 return -1; 2409 } 2410 2411 if (sm->tptk_set) 2412 ptk = &sm->tptk; 2413 else if (sm->ptk_set) 2414 ptk = &sm->ptk; 2415 else 2416 return -1; 2417 2418 hdr = (struct ieee802_1x_hdr *) buf; 2419 key = (struct wpa_eapol_key *) (hdr + 1); 2420 pos = (u8 *) (key + 1); 2421 pos += 2; /* Pointing at the Encrypted Key Data field */ 2422 2423 tmp = os_malloc(*key_data_len); 2424 if (!tmp) 2425 return -1; 2426 2427 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 2428 * to Key Data (exclusive). */ 2429 aad[0] = buf; 2430 aad_len[0] = pos - buf; 2431 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len, 2432 1, aad, aad_len, tmp) < 0) { 2433 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame"); 2434 bin_clear_free(tmp, *key_data_len); 2435 return -1; 2436 } 2437 2438 /* AEAD decryption and validation completed successfully */ 2439 (*key_data_len) -= AES_BLOCK_SIZE; 2440 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 2441 tmp, *key_data_len); 2442 2443 /* Replace Key Data field with the decrypted version */ 2444 os_memcpy(pos, tmp, *key_data_len); 2445 pos -= 2; /* Key Data Length field */ 2446 WPA_PUT_BE16(pos, *key_data_len); 2447 bin_clear_free(tmp, *key_data_len); 2448 2449 if (sm->tptk_set) { 2450 sm->tptk_set = 0; 2451 sm->ptk_set = 1; 2452 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); 2453 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 2454 } 2455 2456 os_memcpy(sm->rx_replay_counter, key->replay_counter, 2457 WPA_REPLAY_COUNTER_LEN); 2458 sm->rx_replay_counter_set = 1; 2459 2460 return 0; 2461} 2462#endif /* CONFIG_FILS */ 2463 2464 2465/** 2466 * wpa_sm_rx_eapol - Process received WPA EAPOL frames 2467 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2468 * @src_addr: Source MAC address of the EAPOL packet 2469 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header) 2470 * @len: Length of the EAPOL frame 2471 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure 2472 * 2473 * This function is called for each received EAPOL frame. Other than EAPOL-Key 2474 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is 2475 * only processing WPA and WPA2 EAPOL-Key frames. 2476 * 2477 * The received EAPOL-Key packets are validated and valid packets are replied 2478 * to. In addition, key material (PTK, GTK) is configured at the end of a 2479 * successful key handshake. 2480 */ 2481int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr, 2482 const u8 *buf, size_t len) 2483{ 2484 size_t plen, data_len, key_data_len; 2485 const struct ieee802_1x_hdr *hdr; 2486 struct wpa_eapol_key *key; 2487 u16 key_info, ver; 2488 u8 *tmp = NULL; 2489 int ret = -1; 2490 u8 *mic, *key_data; 2491 size_t mic_len, keyhdrlen, pmk_len; 2492 2493#ifdef CONFIG_IEEE80211R 2494 sm->ft_completed = 0; 2495#endif /* CONFIG_IEEE80211R */ 2496 2497 pmk_len = sm->pmk_len; 2498 if (!pmk_len && sm->cur_pmksa) 2499 pmk_len = sm->cur_pmksa->pmk_len; 2500 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len); 2501 keyhdrlen = sizeof(*key) + mic_len + 2; 2502 2503 if (len < sizeof(*hdr) + keyhdrlen) { 2504 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2505 "WPA: EAPOL frame too short to be a WPA " 2506 "EAPOL-Key (len %lu, expecting at least %lu)", 2507 (unsigned long) len, 2508 (unsigned long) sizeof(*hdr) + keyhdrlen); 2509 return 0; 2510 } 2511 2512 hdr = (const struct ieee802_1x_hdr *) buf; 2513 plen = be_to_host16(hdr->length); 2514 data_len = plen + sizeof(*hdr); 2515 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2516 "IEEE 802.1X RX: version=%d type=%d length=%lu", 2517 hdr->version, hdr->type, (unsigned long) plen); 2518 2519 if (hdr->version < EAPOL_VERSION) { 2520 /* TODO: backwards compatibility */ 2521 } 2522 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) { 2523 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2524 "WPA: EAPOL frame (type %u) discarded, " 2525 "not a Key frame", hdr->type); 2526 ret = 0; 2527 goto out; 2528 } 2529 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len); 2530 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) { 2531 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2532 "WPA: EAPOL frame payload size %lu " 2533 "invalid (frame size %lu)", 2534 (unsigned long) plen, (unsigned long) len); 2535 ret = 0; 2536 goto out; 2537 } 2538 if (data_len < len) { 2539 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2540 "WPA: ignoring %lu bytes after the IEEE 802.1X data", 2541 (unsigned long) len - data_len); 2542 } 2543 2544 /* 2545 * Make a copy of the frame since we need to modify the buffer during 2546 * MAC validation and Key Data decryption. 2547 */ 2548 tmp = os_memdup(buf, data_len); 2549 if (tmp == NULL) 2550 goto out; 2551 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr)); 2552 mic = (u8 *) (key + 1); 2553 key_data = mic + mic_len + 2; 2554 2555 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN) 2556 { 2557 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2558 "WPA: EAPOL-Key type (%d) unknown, discarded", 2559 key->type); 2560 ret = 0; 2561 goto out; 2562 } 2563 2564 key_data_len = WPA_GET_BE16(mic + mic_len); 2565 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len); 2566 2567 if (key_data_len > plen - keyhdrlen) { 2568 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key " 2569 "frame - key_data overflow (%u > %u)", 2570 (unsigned int) key_data_len, 2571 (unsigned int) (plen - keyhdrlen)); 2572 goto out; 2573 } 2574 2575 eapol_sm_notify_lower_layer_success(sm->eapol, 0); 2576 key_info = WPA_GET_BE16(key->key_info); 2577 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 2578 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 2579 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 2580 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES && 2581 !wpa_use_akm_defined(sm->key_mgmt)) { 2582 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2583 "WPA: Unsupported EAPOL-Key descriptor version %d", 2584 ver); 2585 goto out; 2586 } 2587 2588 if (wpa_use_akm_defined(sm->key_mgmt) && 2589 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 2590 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2591 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)", 2592 ver); 2593 goto out; 2594 } 2595 2596#ifdef CONFIG_IEEE80211R 2597 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 2598 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */ 2599 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 2600 !wpa_use_akm_defined(sm->key_mgmt)) { 2601 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2602 "FT: AP did not use AES-128-CMAC"); 2603 goto out; 2604 } 2605 } else 2606#endif /* CONFIG_IEEE80211R */ 2607 if (wpa_key_mgmt_sha256(sm->key_mgmt)) { 2608 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 2609 !wpa_use_akm_defined(sm->key_mgmt)) { 2610 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2611 "WPA: AP did not use the " 2612 "negotiated AES-128-CMAC"); 2613 goto out; 2614 } 2615 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP && 2616 !wpa_use_akm_defined(sm->key_mgmt) && 2617 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 2618 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2619 "WPA: CCMP is used, but EAPOL-Key " 2620 "descriptor version (%d) is not 2", ver); 2621 if (sm->group_cipher != WPA_CIPHER_CCMP && 2622 !(key_info & WPA_KEY_INFO_KEY_TYPE)) { 2623 /* Earlier versions of IEEE 802.11i did not explicitly 2624 * require version 2 descriptor for all EAPOL-Key 2625 * packets, so allow group keys to use version 1 if 2626 * CCMP is not used for them. */ 2627 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2628 "WPA: Backwards compatibility: allow invalid " 2629 "version for non-CCMP group keys"); 2630 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 2631 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2632 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used"); 2633 } else 2634 goto out; 2635 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP && 2636 !wpa_use_akm_defined(sm->key_mgmt) && 2637 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 2638 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2639 "WPA: GCMP is used, but EAPOL-Key " 2640 "descriptor version (%d) is not 2", ver); 2641 goto out; 2642 } 2643 2644 if (sm->rx_replay_counter_set && 2645 os_memcmp(key->replay_counter, sm->rx_replay_counter, 2646 WPA_REPLAY_COUNTER_LEN) <= 0) { 2647 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2648 "WPA: EAPOL-Key Replay Counter did not increase - " 2649 "dropping packet"); 2650 goto out; 2651 } 2652 2653 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 2654 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2655 "WPA: Unsupported SMK bit in key_info"); 2656 goto out; 2657 } 2658 2659 if (!(key_info & WPA_KEY_INFO_ACK)) { 2660 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2661 "WPA: No Ack bit in key_info"); 2662 goto out; 2663 } 2664 2665 if (key_info & WPA_KEY_INFO_REQUEST) { 2666 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2667 "WPA: EAPOL-Key with Request bit - dropped"); 2668 goto out; 2669 } 2670 2671 if ((key_info & WPA_KEY_INFO_MIC) && 2672 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len)) 2673 goto out; 2674 2675#ifdef CONFIG_FILS 2676 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 2677 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len)) 2678 goto out; 2679 } 2680#endif /* CONFIG_FILS */ 2681 2682 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && 2683 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) { 2684 /* 2685 * Only decrypt the Key Data field if the frame's authenticity 2686 * was verified. When using AES-SIV (FILS), the MIC flag is not 2687 * set, so this check should only be performed if mic_len != 0 2688 * which is the case in this code branch. 2689 */ 2690 if (!(key_info & WPA_KEY_INFO_MIC)) { 2691 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2692 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data"); 2693 goto out; 2694 } 2695 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len, 2696 ver, key_data, 2697 &key_data_len)) 2698 goto out; 2699 } 2700 2701 if (key_info & WPA_KEY_INFO_KEY_TYPE) { 2702 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 2703 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2704 "WPA: Ignored EAPOL-Key (Pairwise) with " 2705 "non-zero key index"); 2706 goto out; 2707 } 2708 if (key_info & (WPA_KEY_INFO_MIC | 2709 WPA_KEY_INFO_ENCR_KEY_DATA)) { 2710 /* 3/4 4-Way Handshake */ 2711 wpa_supplicant_process_3_of_4(sm, key, ver, key_data, 2712 key_data_len); 2713 } else { 2714 /* 1/4 4-Way Handshake */ 2715 wpa_supplicant_process_1_of_4(sm, src_addr, key, 2716 ver, key_data, 2717 key_data_len); 2718 } 2719 } else { 2720 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) || 2721 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) { 2722 /* 1/2 Group Key Handshake */ 2723 wpa_supplicant_process_1_of_2(sm, src_addr, key, 2724 key_data, key_data_len, 2725 ver); 2726 } else { 2727 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2728 "WPA: EAPOL-Key (Group) without Mic/Encr bit - " 2729 "dropped"); 2730 } 2731 } 2732 2733 ret = 1; 2734 2735out: 2736 bin_clear_free(tmp, data_len); 2737 return ret; 2738} 2739 2740 2741#ifdef CONFIG_CTRL_IFACE 2742static u32 wpa_key_mgmt_suite(struct wpa_sm *sm) 2743{ 2744 switch (sm->key_mgmt) { 2745 case WPA_KEY_MGMT_IEEE8021X: 2746 return ((sm->proto == WPA_PROTO_RSN || 2747 sm->proto == WPA_PROTO_OSEN) ? 2748 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X : 2749 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X); 2750 case WPA_KEY_MGMT_PSK: 2751 return (sm->proto == WPA_PROTO_RSN ? 2752 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X : 2753 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X); 2754#ifdef CONFIG_IEEE80211R 2755 case WPA_KEY_MGMT_FT_IEEE8021X: 2756 return RSN_AUTH_KEY_MGMT_FT_802_1X; 2757 case WPA_KEY_MGMT_FT_PSK: 2758 return RSN_AUTH_KEY_MGMT_FT_PSK; 2759#endif /* CONFIG_IEEE80211R */ 2760 case WPA_KEY_MGMT_IEEE8021X_SHA256: 2761 return RSN_AUTH_KEY_MGMT_802_1X_SHA256; 2762 case WPA_KEY_MGMT_PSK_SHA256: 2763 return RSN_AUTH_KEY_MGMT_PSK_SHA256; 2764 case WPA_KEY_MGMT_CCKM: 2765 return (sm->proto == WPA_PROTO_RSN ? 2766 RSN_AUTH_KEY_MGMT_CCKM: 2767 WPA_AUTH_KEY_MGMT_CCKM); 2768 case WPA_KEY_MGMT_WPA_NONE: 2769 return WPA_AUTH_KEY_MGMT_NONE; 2770 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 2771 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; 2772 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 2773 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192; 2774 default: 2775 return 0; 2776 } 2777} 2778 2779 2780#define RSN_SUITE "%02x-%02x-%02x-%d" 2781#define RSN_SUITE_ARG(s) \ 2782((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 2783 2784/** 2785 * wpa_sm_get_mib - Dump text list of MIB entries 2786 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2787 * @buf: Buffer for the list 2788 * @buflen: Length of the buffer 2789 * Returns: Number of bytes written to buffer 2790 * 2791 * This function is used fetch dot11 MIB variables. 2792 */ 2793int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen) 2794{ 2795 char pmkid_txt[PMKID_LEN * 2 + 1]; 2796 bool rsna; 2797 int ret; 2798 size_t len; 2799 2800 if (sm->cur_pmksa) { 2801 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 2802 sm->cur_pmksa->pmkid, PMKID_LEN); 2803 } else 2804 pmkid_txt[0] = '\0'; 2805 2806 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) || 2807 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) && 2808 sm->proto == WPA_PROTO_RSN; 2809 2810 ret = os_snprintf(buf, buflen, 2811 "dot11RSNAOptionImplemented=TRUE\n" 2812 "dot11RSNAPreauthenticationImplemented=TRUE\n" 2813 "dot11RSNAEnabled=%s\n" 2814 "dot11RSNAPreauthenticationEnabled=%s\n" 2815 "dot11RSNAConfigVersion=%d\n" 2816 "dot11RSNAConfigPairwiseKeysSupported=5\n" 2817 "dot11RSNAConfigGroupCipherSize=%d\n" 2818 "dot11RSNAConfigPMKLifetime=%d\n" 2819 "dot11RSNAConfigPMKReauthThreshold=%d\n" 2820 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n" 2821 "dot11RSNAConfigSATimeout=%d\n", 2822 rsna ? "TRUE" : "FALSE", 2823 rsna ? "TRUE" : "FALSE", 2824 RSN_VERSION, 2825 wpa_cipher_key_len(sm->group_cipher) * 8, 2826 sm->dot11RSNAConfigPMKLifetime, 2827 sm->dot11RSNAConfigPMKReauthThreshold, 2828 sm->dot11RSNAConfigSATimeout); 2829 if (os_snprintf_error(buflen, ret)) 2830 return 0; 2831 len = ret; 2832 2833 ret = os_snprintf( 2834 buf + len, buflen - len, 2835 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 2836 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 2837 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 2838 "dot11RSNAPMKIDUsed=%s\n" 2839 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 2840 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 2841 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 2842 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n" 2843 "dot11RSNA4WayHandshakeFailures=%u\n", 2844 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)), 2845 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2846 sm->pairwise_cipher)), 2847 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2848 sm->group_cipher)), 2849 pmkid_txt, 2850 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)), 2851 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2852 sm->pairwise_cipher)), 2853 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 2854 sm->group_cipher)), 2855 sm->dot11RSNA4WayHandshakeFailures); 2856 if (!os_snprintf_error(buflen - len, ret)) 2857 len += ret; 2858 2859 return (int) len; 2860} 2861#endif /* CONFIG_CTRL_IFACE */ 2862 2863 2864static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 2865 void *ctx, enum pmksa_free_reason reason) 2866{ 2867 struct wpa_sm *sm = ctx; 2868 int deauth = 0; 2869 2870 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: " 2871 MACSTR " reason=%d", MAC2STR(entry->aa), reason); 2872 2873 if (sm->cur_pmksa == entry) { 2874 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2875 "RSN: %s current PMKSA entry", 2876 reason == PMKSA_REPLACE ? "replaced" : "removed"); 2877 pmksa_cache_clear_current(sm); 2878 2879 /* 2880 * If an entry is simply being replaced, there's no need to 2881 * deauthenticate because it will be immediately re-added. 2882 * This happens when EAP authentication is completed again 2883 * (reauth or failed PMKSA caching attempt). 2884 */ 2885 if (reason != PMKSA_REPLACE) 2886 deauth = 1; 2887 } 2888 2889 if (reason == PMKSA_EXPIRE && 2890 (sm->pmk_len == entry->pmk_len && 2891 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) { 2892 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2893 "RSN: deauthenticating due to expired PMK"); 2894 pmksa_cache_clear_current(sm); 2895 deauth = 1; 2896 } 2897 2898 if (deauth) { 2899 sm->pmk_len = 0; 2900 os_memset(sm->pmk, 0, sizeof(sm->pmk)); 2901 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 2902 } 2903} 2904 2905 2906static bool wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry *entry, 2907 void *ctx) 2908{ 2909 struct wpa_sm *sm = ctx; 2910 2911 return sm->cur_pmksa == entry; 2912} 2913 2914 2915/** 2916 * wpa_sm_init - Initialize WPA state machine 2917 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer 2918 * Returns: Pointer to the allocated WPA state machine data 2919 * 2920 * This function is used to allocate a new WPA state machine and the returned 2921 * value is passed to all WPA state machine calls. 2922 */ 2923struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx) 2924{ 2925 struct wpa_sm *sm; 2926 2927 sm = os_zalloc(sizeof(*sm)); 2928 if (sm == NULL) 2929 return NULL; 2930 dl_list_init(&sm->pmksa_candidates); 2931 sm->renew_snonce = 1; 2932 sm->ctx = ctx; 2933 2934 sm->dot11RSNAConfigPMKLifetime = 43200; 2935 sm->dot11RSNAConfigPMKReauthThreshold = 70; 2936 sm->dot11RSNAConfigSATimeout = 60; 2937 2938 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, 2939 wpa_sm_pmksa_is_current_cb, sm, sm); 2940 if (sm->pmksa == NULL) { 2941 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 2942 "RSN: PMKSA cache initialization failed"); 2943 os_free(sm); 2944 return NULL; 2945 } 2946 2947 return sm; 2948} 2949 2950 2951/** 2952 * wpa_sm_deinit - Deinitialize WPA state machine 2953 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2954 */ 2955void wpa_sm_deinit(struct wpa_sm *sm) 2956{ 2957 if (sm == NULL) 2958 return; 2959 pmksa_cache_deinit(sm->pmksa); 2960 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL); 2961 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 2962 os_free(sm->assoc_wpa_ie); 2963 os_free(sm->assoc_rsnxe); 2964 os_free(sm->ap_wpa_ie); 2965 os_free(sm->ap_rsn_ie); 2966 os_free(sm->ap_rsnxe); 2967 wpa_sm_drop_sa(sm); 2968 os_free(sm->ctx); 2969#ifdef CONFIG_IEEE80211R 2970 os_free(sm->assoc_resp_ies); 2971#endif /* CONFIG_IEEE80211R */ 2972#ifdef CONFIG_TESTING_OPTIONS 2973 wpabuf_free(sm->test_assoc_ie); 2974#endif /* CONFIG_TESTING_OPTIONS */ 2975#ifdef CONFIG_FILS_SK_PFS 2976 crypto_ecdh_deinit(sm->fils_ecdh); 2977#endif /* CONFIG_FILS_SK_PFS */ 2978#ifdef CONFIG_FILS 2979 wpabuf_free(sm->fils_ft_ies); 2980#endif /* CONFIG_FILS */ 2981#ifdef CONFIG_OWE 2982 crypto_ecdh_deinit(sm->owe_ecdh); 2983#endif /* CONFIG_OWE */ 2984#ifdef CONFIG_DPP2 2985 wpabuf_clear_free(sm->dpp_z); 2986#endif /* CONFIG_DPP2 */ 2987 os_free(sm); 2988} 2989 2990 2991/** 2992 * wpa_sm_notify_assoc - Notify WPA state machine about association 2993 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2994 * @bssid: The BSSID of the new association 2995 * 2996 * This function is called to let WPA state machine know that the connection 2997 * was established. 2998 */ 2999void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) 3000{ 3001 int clear_keys = 1; 3002 3003 if (sm == NULL) 3004 return; 3005 3006 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3007 "WPA: Association event - clear replay counter"); 3008 os_memcpy(sm->bssid, bssid, ETH_ALEN); 3009 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN); 3010 sm->rx_replay_counter_set = 0; 3011 sm->renew_snonce = 1; 3012 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0) 3013 rsn_preauth_deinit(sm); 3014 3015#ifdef CONFIG_IEEE80211R 3016 if (wpa_ft_is_completed(sm)) { 3017 /* 3018 * Clear portValid to kick EAPOL state machine to re-enter 3019 * AUTHENTICATED state to get the EAPOL port Authorized. 3020 */ 3021 eapol_sm_notify_portValid(sm->eapol, false); 3022 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); 3023 3024 /* Prepare for the next transition */ 3025 wpa_ft_prepare_auth_request(sm, NULL); 3026 3027 clear_keys = 0; 3028 sm->ft_protocol = 1; 3029 } else { 3030 sm->ft_protocol = 0; 3031 } 3032#endif /* CONFIG_IEEE80211R */ 3033#ifdef CONFIG_FILS 3034 if (sm->fils_completed) { 3035 /* 3036 * Clear portValid to kick EAPOL state machine to re-enter 3037 * AUTHENTICATED state to get the EAPOL port Authorized. 3038 */ 3039 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); 3040 clear_keys = 0; 3041 } 3042#endif /* CONFIG_FILS */ 3043 3044 if (clear_keys) { 3045 /* 3046 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if 3047 * this is not part of a Fast BSS Transition. 3048 */ 3049 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK"); 3050 sm->ptk_set = 0; 3051 os_memset(&sm->ptk, 0, sizeof(sm->ptk)); 3052 sm->tptk_set = 0; 3053 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 3054 os_memset(&sm->gtk, 0, sizeof(sm->gtk)); 3055 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); 3056 os_memset(&sm->igtk, 0, sizeof(sm->igtk)); 3057 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); 3058 } 3059 3060#ifdef CONFIG_TDLS 3061 wpa_tdls_assoc(sm); 3062#endif /* CONFIG_TDLS */ 3063 3064#ifdef CONFIG_P2P 3065 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr)); 3066#endif /* CONFIG_P2P */ 3067 3068 sm->keyidx_active = 0; 3069} 3070 3071 3072/** 3073 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation 3074 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3075 * 3076 * This function is called to let WPA state machine know that the connection 3077 * was lost. This will abort any existing pre-authentication session. 3078 */ 3079void wpa_sm_notify_disassoc(struct wpa_sm *sm) 3080{ 3081 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL); 3082 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 3083 rsn_preauth_deinit(sm); 3084 pmksa_cache_clear_current(sm); 3085 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE) 3086 sm->dot11RSNA4WayHandshakeFailures++; 3087#ifdef CONFIG_TDLS 3088 wpa_tdls_disassoc(sm); 3089#endif /* CONFIG_TDLS */ 3090#ifdef CONFIG_FILS 3091 sm->fils_completed = 0; 3092#endif /* CONFIG_FILS */ 3093#ifdef CONFIG_IEEE80211R 3094 sm->ft_reassoc_completed = 0; 3095 sm->ft_protocol = 0; 3096#endif /* CONFIG_IEEE80211R */ 3097 3098 /* Keys are not needed in the WPA state machine anymore */ 3099 wpa_sm_drop_sa(sm); 3100 sm->keyidx_active = 0; 3101 3102 sm->msg_3_of_4_ok = 0; 3103 os_memset(sm->bssid, 0, ETH_ALEN); 3104} 3105 3106 3107/** 3108 * wpa_sm_set_pmk - Set PMK 3109 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3110 * @pmk: The new PMK 3111 * @pmk_len: The length of the new PMK in bytes 3112 * @pmkid: Calculated PMKID 3113 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK 3114 * 3115 * Configure the PMK for WPA state machine. 3116 */ 3117void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 3118 const u8 *pmkid, const u8 *bssid) 3119{ 3120 if (sm == NULL) 3121 return; 3122 3123 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data", 3124 pmk, pmk_len); 3125 sm->pmk_len = pmk_len; 3126 os_memcpy(sm->pmk, pmk, pmk_len); 3127 3128#ifdef CONFIG_IEEE80211R 3129 /* Set XXKey to be PSK for FT key derivation */ 3130 sm->xxkey_len = pmk_len; 3131 os_memcpy(sm->xxkey, pmk, pmk_len); 3132#endif /* CONFIG_IEEE80211R */ 3133 3134 if (bssid) { 3135 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, 3136 pmkid, NULL, 0, bssid, 3137 sm->own_addr, 3138 sm->network_ctx, sm->key_mgmt, 3139 NULL); 3140 } 3141} 3142 3143 3144/** 3145 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA 3146 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3147 * 3148 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK 3149 * will be cleared. 3150 */ 3151void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm) 3152{ 3153 if (sm == NULL) 3154 return; 3155 3156 if (sm->cur_pmksa) { 3157 wpa_hexdump_key(MSG_DEBUG, 3158 "WPA: Set PMK based on current PMKSA", 3159 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len); 3160 sm->pmk_len = sm->cur_pmksa->pmk_len; 3161 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len); 3162 } else { 3163 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK"); 3164 sm->pmk_len = 0; 3165 os_memset(sm->pmk, 0, PMK_LEN_MAX); 3166 } 3167} 3168 3169 3170/** 3171 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled 3172 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3173 * @fast_reauth: Whether fast reauthentication (EAP) is allowed 3174 */ 3175void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth) 3176{ 3177 if (sm) 3178 sm->fast_reauth = fast_reauth; 3179} 3180 3181 3182/** 3183 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks 3184 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3185 * @scard_ctx: Context pointer for smartcard related callback functions 3186 */ 3187void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx) 3188{ 3189 if (sm == NULL) 3190 return; 3191 sm->scard_ctx = scard_ctx; 3192 if (sm->preauth_eapol) 3193 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx); 3194} 3195 3196 3197/** 3198 * wpa_sm_set_config - Notification of current configuration change 3199 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3200 * @config: Pointer to current network configuration 3201 * 3202 * Notify WPA state machine that configuration has changed. config will be 3203 * stored as a backpointer to network configuration. This can be %NULL to clear 3204 * the stored pointed. 3205 */ 3206void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config) 3207{ 3208 if (!sm) 3209 return; 3210 3211 if (config) { 3212 sm->network_ctx = config->network_ctx; 3213 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher; 3214 sm->proactive_key_caching = config->proactive_key_caching; 3215 sm->eap_workaround = config->eap_workaround; 3216 sm->eap_conf_ctx = config->eap_conf_ctx; 3217 if (config->ssid) { 3218 os_memcpy(sm->ssid, config->ssid, config->ssid_len); 3219 sm->ssid_len = config->ssid_len; 3220 } else 3221 sm->ssid_len = 0; 3222 sm->wpa_ptk_rekey = config->wpa_ptk_rekey; 3223 sm->p2p = config->p2p; 3224 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation; 3225 sm->owe_ptk_workaround = config->owe_ptk_workaround; 3226 sm->force_kdk_derivation = config->force_kdk_derivation; 3227#ifdef CONFIG_FILS 3228 if (config->fils_cache_id) { 3229 sm->fils_cache_id_set = 1; 3230 os_memcpy(sm->fils_cache_id, config->fils_cache_id, 3231 FILS_CACHE_ID_LEN); 3232 } else { 3233 sm->fils_cache_id_set = 0; 3234 } 3235#endif /* CONFIG_FILS */ 3236 sm->beacon_prot = config->beacon_prot; 3237 } else { 3238 sm->network_ctx = NULL; 3239 sm->allowed_pairwise_cipher = 0; 3240 sm->proactive_key_caching = 0; 3241 sm->eap_workaround = 0; 3242 sm->eap_conf_ctx = NULL; 3243 sm->ssid_len = 0; 3244 sm->wpa_ptk_rekey = 0; 3245 sm->p2p = 0; 3246 sm->wpa_rsc_relaxation = 0; 3247 sm->owe_ptk_workaround = 0; 3248 sm->beacon_prot = 0; 3249 sm->force_kdk_derivation = false; 3250 } 3251} 3252 3253 3254/** 3255 * wpa_sm_set_own_addr - Set own MAC address 3256 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3257 * @addr: Own MAC address 3258 */ 3259void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr) 3260{ 3261 if (sm) 3262 os_memcpy(sm->own_addr, addr, ETH_ALEN); 3263} 3264 3265 3266/** 3267 * wpa_sm_set_ifname - Set network interface name 3268 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3269 * @ifname: Interface name 3270 * @bridge_ifname: Optional bridge interface name (for pre-auth) 3271 */ 3272void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname, 3273 const char *bridge_ifname) 3274{ 3275 if (sm) { 3276 sm->ifname = ifname; 3277 sm->bridge_ifname = bridge_ifname; 3278 } 3279} 3280 3281 3282/** 3283 * wpa_sm_set_eapol - Set EAPOL state machine pointer 3284 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3285 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init() 3286 */ 3287void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol) 3288{ 3289 if (sm) 3290 sm->eapol = eapol; 3291} 3292 3293 3294/** 3295 * wpa_sm_set_param - Set WPA state machine parameters 3296 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3297 * @param: Parameter field 3298 * @value: Parameter value 3299 * Returns: 0 on success, -1 on failure 3300 */ 3301int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param, 3302 unsigned int value) 3303{ 3304 int ret = 0; 3305 3306 if (sm == NULL) 3307 return -1; 3308 3309 switch (param) { 3310 case RSNA_PMK_LIFETIME: 3311 if (value > 0) 3312 sm->dot11RSNAConfigPMKLifetime = value; 3313 else 3314 ret = -1; 3315 break; 3316 case RSNA_PMK_REAUTH_THRESHOLD: 3317 if (value > 0 && value <= 100) 3318 sm->dot11RSNAConfigPMKReauthThreshold = value; 3319 else 3320 ret = -1; 3321 break; 3322 case RSNA_SA_TIMEOUT: 3323 if (value > 0) 3324 sm->dot11RSNAConfigSATimeout = value; 3325 else 3326 ret = -1; 3327 break; 3328 case WPA_PARAM_PROTO: 3329 sm->proto = value; 3330 break; 3331 case WPA_PARAM_PAIRWISE: 3332 sm->pairwise_cipher = value; 3333 break; 3334 case WPA_PARAM_GROUP: 3335 sm->group_cipher = value; 3336 break; 3337 case WPA_PARAM_KEY_MGMT: 3338 sm->key_mgmt = value; 3339 break; 3340 case WPA_PARAM_MGMT_GROUP: 3341 sm->mgmt_group_cipher = value; 3342 break; 3343 case WPA_PARAM_RSN_ENABLED: 3344 sm->rsn_enabled = value; 3345 break; 3346 case WPA_PARAM_MFP: 3347 sm->mfp = value; 3348 break; 3349 case WPA_PARAM_OCV: 3350 sm->ocv = value; 3351 break; 3352 case WPA_PARAM_SAE_PWE: 3353 sm->sae_pwe = value; 3354 break; 3355 case WPA_PARAM_SAE_PK: 3356 sm->sae_pk = value; 3357 break; 3358 case WPA_PARAM_DENY_PTK0_REKEY: 3359 sm->wpa_deny_ptk0_rekey = value; 3360 break; 3361 case WPA_PARAM_EXT_KEY_ID: 3362 sm->ext_key_id = value; 3363 break; 3364 case WPA_PARAM_USE_EXT_KEY_ID: 3365 sm->use_ext_key_id = value; 3366 break; 3367#ifdef CONFIG_TESTING_OPTIONS 3368 case WPA_PARAM_FT_RSNXE_USED: 3369 sm->ft_rsnxe_used = value; 3370 break; 3371 case WPA_PARAM_OCI_FREQ_EAPOL: 3372 sm->oci_freq_override_eapol = value; 3373 break; 3374 case WPA_PARAM_OCI_FREQ_EAPOL_G2: 3375 sm->oci_freq_override_eapol_g2 = value; 3376 break; 3377 case WPA_PARAM_OCI_FREQ_FT_ASSOC: 3378 sm->oci_freq_override_ft_assoc = value; 3379 break; 3380 case WPA_PARAM_OCI_FREQ_FILS_ASSOC: 3381 sm->oci_freq_override_fils_assoc = value; 3382 break; 3383#endif /* CONFIG_TESTING_OPTIONS */ 3384#ifdef CONFIG_DPP2 3385 case WPA_PARAM_DPP_PFS: 3386 sm->dpp_pfs = value; 3387 break; 3388#endif /* CONFIG_DPP2 */ 3389 default: 3390 break; 3391 } 3392 3393 return ret; 3394} 3395 3396 3397/** 3398 * wpa_sm_get_status - Get WPA state machine 3399 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3400 * @buf: Buffer for status information 3401 * @buflen: Maximum buffer length 3402 * @verbose: Whether to include verbose status information 3403 * Returns: Number of bytes written to buf. 3404 * 3405 * Query WPA state machine for status information. This function fills in 3406 * a text area with current status information. If the buffer (buf) is not 3407 * large enough, status information will be truncated to fit the buffer. 3408 */ 3409int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen, 3410 int verbose) 3411{ 3412 char *pos = buf, *end = buf + buflen; 3413 int ret; 3414 3415 ret = os_snprintf(pos, end - pos, 3416 "pairwise_cipher=%s\n" 3417 "group_cipher=%s\n" 3418 "key_mgmt=%s\n", 3419 wpa_cipher_txt(sm->pairwise_cipher), 3420 wpa_cipher_txt(sm->group_cipher), 3421 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto)); 3422 if (os_snprintf_error(end - pos, ret)) 3423 return pos - buf; 3424 pos += ret; 3425 3426#ifdef CONFIG_DPP2 3427 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) { 3428 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n"); 3429 if (os_snprintf_error(end - pos, ret)) 3430 return pos - buf; 3431 pos += ret; 3432 } 3433#endif /* CONFIG_DPP2 */ 3434 3435 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) { 3436 struct wpa_ie_data rsn; 3437 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) 3438 >= 0 && 3439 rsn.capabilities & (WPA_CAPABILITY_MFPR | 3440 WPA_CAPABILITY_MFPC)) { 3441 ret = os_snprintf(pos, end - pos, "pmf=%d\n" 3442 "mgmt_group_cipher=%s\n", 3443 (rsn.capabilities & 3444 WPA_CAPABILITY_MFPR) ? 2 : 1, 3445 wpa_cipher_txt( 3446 sm->mgmt_group_cipher)); 3447 if (os_snprintf_error(end - pos, ret)) 3448 return pos - buf; 3449 pos += ret; 3450 } 3451 } 3452 3453 return pos - buf; 3454} 3455 3456 3457int wpa_sm_pmf_enabled(struct wpa_sm *sm) 3458{ 3459 struct wpa_ie_data rsn; 3460 3461 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie) 3462 return 0; 3463 3464 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 && 3465 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC)) 3466 return 1; 3467 3468 return 0; 3469} 3470 3471 3472int wpa_sm_ext_key_id(struct wpa_sm *sm) 3473{ 3474 return sm ? sm->ext_key_id : 0; 3475} 3476 3477 3478int wpa_sm_ext_key_id_active(struct wpa_sm *sm) 3479{ 3480 return sm ? sm->use_ext_key_id : 0; 3481} 3482 3483 3484int wpa_sm_ocv_enabled(struct wpa_sm *sm) 3485{ 3486 struct wpa_ie_data rsn; 3487 3488 if (!sm->ocv || !sm->ap_rsn_ie) 3489 return 0; 3490 3491 return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, 3492 &rsn) >= 0 && 3493 (rsn.capabilities & WPA_CAPABILITY_OCVC); 3494} 3495 3496 3497/** 3498 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration 3499 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3500 * @wpa_ie: Pointer to buffer for WPA/RSN IE 3501 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer 3502 * Returns: 0 on success, -1 on failure 3503 */ 3504int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, 3505 size_t *wpa_ie_len) 3506{ 3507 int res; 3508 3509 if (sm == NULL) 3510 return -1; 3511 3512#ifdef CONFIG_TESTING_OPTIONS 3513 if (sm->test_assoc_ie) { 3514 wpa_printf(MSG_DEBUG, 3515 "TESTING: Replace association WPA/RSN IE"); 3516 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie)) 3517 return -1; 3518 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie), 3519 wpabuf_len(sm->test_assoc_ie)); 3520 res = wpabuf_len(sm->test_assoc_ie); 3521 } else 3522#endif /* CONFIG_TESTING_OPTIONS */ 3523 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len); 3524 if (res < 0) 3525 return -1; 3526 *wpa_ie_len = res; 3527 3528 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default", 3529 wpa_ie, *wpa_ie_len); 3530 3531 if (sm->assoc_wpa_ie == NULL) { 3532 /* 3533 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets 3534 * the correct version of the IE even if PMKSA caching is 3535 * aborted (which would remove PMKID from IE generation). 3536 */ 3537 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len); 3538 if (sm->assoc_wpa_ie == NULL) 3539 return -1; 3540 3541 sm->assoc_wpa_ie_len = *wpa_ie_len; 3542 } else { 3543 wpa_hexdump(MSG_DEBUG, 3544 "WPA: Leave previously set WPA IE default", 3545 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 3546 } 3547 3548 return 0; 3549} 3550 3551 3552/** 3553 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq 3554 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3555 * @ie: Pointer to IE data (starting from id) 3556 * @len: IE length 3557 * Returns: 0 on success, -1 on failure 3558 * 3559 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association 3560 * Request frame. The IE will be used to override the default value generated 3561 * with wpa_sm_set_assoc_wpa_ie_default(). 3562 */ 3563int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 3564{ 3565 if (sm == NULL) 3566 return -1; 3567 3568 os_free(sm->assoc_wpa_ie); 3569 if (ie == NULL || len == 0) { 3570 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3571 "WPA: clearing own WPA/RSN IE"); 3572 sm->assoc_wpa_ie = NULL; 3573 sm->assoc_wpa_ie_len = 0; 3574 } else { 3575 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len); 3576 sm->assoc_wpa_ie = os_memdup(ie, len); 3577 if (sm->assoc_wpa_ie == NULL) 3578 return -1; 3579 3580 sm->assoc_wpa_ie_len = len; 3581 } 3582 3583 return 0; 3584} 3585 3586 3587/** 3588 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration 3589 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3590 * @rsnxe: Pointer to buffer for RSNXE 3591 * @rsnxe_len: Pointer to the length of the rsne buffer 3592 * Returns: 0 on success, -1 on failure 3593 */ 3594int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe, 3595 size_t *rsnxe_len) 3596{ 3597 int res; 3598 3599 if (!sm) 3600 return -1; 3601 3602 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len); 3603 if (res < 0) 3604 return -1; 3605 *rsnxe_len = res; 3606 3607 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len); 3608 3609 if (sm->assoc_rsnxe) { 3610 wpa_hexdump(MSG_DEBUG, 3611 "RSN: Leave previously set RSNXE default", 3612 sm->assoc_rsnxe, sm->assoc_rsnxe_len); 3613 } else if (*rsnxe_len > 0) { 3614 /* 3615 * Make a copy of the RSNXE so that 4-Way Handshake gets the 3616 * correct version of the IE even if it gets changed. 3617 */ 3618 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len); 3619 if (!sm->assoc_rsnxe) 3620 return -1; 3621 3622 sm->assoc_rsnxe_len = *rsnxe_len; 3623 } 3624 3625 return 0; 3626} 3627 3628 3629/** 3630 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq 3631 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3632 * @ie: Pointer to IE data (starting from id) 3633 * @len: IE length 3634 * Returns: 0 on success, -1 on failure 3635 * 3636 * Inform WPA state machine about the RSNXE used in (Re)Association Request 3637 * frame. The IE will be used to override the default value generated 3638 * with wpa_sm_set_assoc_rsnxe_default(). 3639 */ 3640int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len) 3641{ 3642 if (!sm) 3643 return -1; 3644 3645 os_free(sm->assoc_rsnxe); 3646 if (!ie || len == 0) { 3647 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3648 "RSN: clearing own RSNXE"); 3649 sm->assoc_rsnxe = NULL; 3650 sm->assoc_rsnxe_len = 0; 3651 } else { 3652 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len); 3653 sm->assoc_rsnxe = os_memdup(ie, len); 3654 if (!sm->assoc_rsnxe) 3655 return -1; 3656 3657 sm->assoc_rsnxe_len = len; 3658 } 3659 3660 return 0; 3661} 3662 3663 3664/** 3665 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp 3666 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3667 * @ie: Pointer to IE data (starting from id) 3668 * @len: IE length 3669 * Returns: 0 on success, -1 on failure 3670 * 3671 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response 3672 * frame. 3673 */ 3674int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 3675{ 3676 if (sm == NULL) 3677 return -1; 3678 3679 os_free(sm->ap_wpa_ie); 3680 if (ie == NULL || len == 0) { 3681 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3682 "WPA: clearing AP WPA IE"); 3683 sm->ap_wpa_ie = NULL; 3684 sm->ap_wpa_ie_len = 0; 3685 } else { 3686 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len); 3687 sm->ap_wpa_ie = os_memdup(ie, len); 3688 if (sm->ap_wpa_ie == NULL) 3689 return -1; 3690 3691 sm->ap_wpa_ie_len = len; 3692 } 3693 3694 return 0; 3695} 3696 3697 3698/** 3699 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp 3700 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3701 * @ie: Pointer to IE data (starting from id) 3702 * @len: IE length 3703 * Returns: 0 on success, -1 on failure 3704 * 3705 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response 3706 * frame. 3707 */ 3708int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 3709{ 3710 if (sm == NULL) 3711 return -1; 3712 3713 os_free(sm->ap_rsn_ie); 3714 if (ie == NULL || len == 0) { 3715 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3716 "WPA: clearing AP RSN IE"); 3717 sm->ap_rsn_ie = NULL; 3718 sm->ap_rsn_ie_len = 0; 3719 } else { 3720 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len); 3721 sm->ap_rsn_ie = os_memdup(ie, len); 3722 if (sm->ap_rsn_ie == NULL) 3723 return -1; 3724 3725 sm->ap_rsn_ie_len = len; 3726 } 3727 3728 return 0; 3729} 3730 3731 3732/** 3733 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp 3734 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3735 * @ie: Pointer to IE data (starting from id) 3736 * @len: IE length 3737 * Returns: 0 on success, -1 on failure 3738 * 3739 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response 3740 * frame. 3741 */ 3742int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len) 3743{ 3744 if (!sm) 3745 return -1; 3746 3747 os_free(sm->ap_rsnxe); 3748 if (!ie || len == 0) { 3749 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE"); 3750 sm->ap_rsnxe = NULL; 3751 sm->ap_rsnxe_len = 0; 3752 } else { 3753 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len); 3754 sm->ap_rsnxe = os_memdup(ie, len); 3755 if (!sm->ap_rsnxe) 3756 return -1; 3757 3758 sm->ap_rsnxe_len = len; 3759 } 3760 3761 return 0; 3762} 3763 3764 3765/** 3766 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE 3767 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3768 * @data: Pointer to data area for parsing results 3769 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure 3770 * 3771 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the 3772 * parsed data into data. 3773 */ 3774int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data) 3775{ 3776 if (sm == NULL) 3777 return -1; 3778 3779 if (sm->assoc_wpa_ie == NULL) { 3780 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3781 "WPA: No WPA/RSN IE available from association info"); 3782 return -1; 3783 } 3784 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data)) 3785 return -2; 3786 return 0; 3787} 3788 3789 3790int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len) 3791{ 3792 return pmksa_cache_list(sm->pmksa, buf, len); 3793} 3794 3795 3796struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm) 3797{ 3798 return pmksa_cache_head(sm->pmksa); 3799} 3800 3801 3802struct rsn_pmksa_cache_entry * 3803wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm, 3804 struct rsn_pmksa_cache_entry * entry) 3805{ 3806 return pmksa_cache_add_entry(sm->pmksa, entry); 3807} 3808 3809 3810void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 3811 const u8 *pmkid, const u8 *bssid, 3812 const u8 *fils_cache_id) 3813{ 3814 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0, 3815 bssid, sm->own_addr, sm->network_ctx, 3816 sm->key_mgmt, fils_cache_id); 3817} 3818 3819 3820int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, 3821 const void *network_ctx) 3822{ 3823 return pmksa_cache_get(sm->pmksa, bssid, NULL, network_ctx, 0) != NULL; 3824} 3825 3826 3827struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm, 3828 const u8 *aa, 3829 const u8 *pmkid, 3830 const void *network_ctx, 3831 int akmp) 3832{ 3833 return pmksa_cache_get(sm->pmksa, aa, pmkid, network_ctx, akmp); 3834} 3835 3836 3837void wpa_sm_drop_sa(struct wpa_sm *sm) 3838{ 3839 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK"); 3840 sm->ptk_set = 0; 3841 sm->tptk_set = 0; 3842 sm->pmk_len = 0; 3843 os_memset(sm->pmk, 0, sizeof(sm->pmk)); 3844 os_memset(&sm->ptk, 0, sizeof(sm->ptk)); 3845 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 3846 os_memset(&sm->gtk, 0, sizeof(sm->gtk)); 3847 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); 3848 os_memset(&sm->igtk, 0, sizeof(sm->igtk)); 3849 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); 3850#ifdef CONFIG_IEEE80211R 3851 os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); 3852 sm->xxkey_len = 0; 3853 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); 3854 sm->pmk_r0_len = 0; 3855 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1)); 3856 sm->pmk_r1_len = 0; 3857#ifdef CONFIG_PASN 3858 os_free(sm->pasn_r1kh); 3859 sm->pasn_r1kh = NULL; 3860 sm->n_pasn_r1kh = 0; 3861#endif /* CONFIG_PASN */ 3862#endif /* CONFIG_IEEE80211R */ 3863} 3864 3865 3866int wpa_sm_has_ptk(struct wpa_sm *sm) 3867{ 3868 if (sm == NULL) 3869 return 0; 3870 return sm->ptk_set; 3871} 3872 3873 3874int wpa_sm_has_ptk_installed(struct wpa_sm *sm) 3875{ 3876 if (!sm) 3877 return 0; 3878 return sm->ptk.installed; 3879} 3880 3881 3882void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) 3883{ 3884 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN); 3885} 3886 3887 3888void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) 3889{ 3890 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false); 3891} 3892 3893 3894void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) 3895{ 3896 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true); 3897} 3898 3899 3900#ifdef CONFIG_WNM 3901int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) 3902{ 3903 u16 keyinfo; 3904 u8 keylen; /* plaintext key len */ 3905 u8 *key_rsc; 3906 3907 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) { 3908 struct wpa_gtk_data gd; 3909 3910 os_memset(&gd, 0, sizeof(gd)); 3911 keylen = wpa_cipher_key_len(sm->group_cipher); 3912 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher); 3913 gd.alg = wpa_cipher_to_alg(sm->group_cipher); 3914 if (gd.alg == WPA_ALG_NONE) { 3915 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite"); 3916 return -1; 3917 } 3918 3919 key_rsc = buf + 5; 3920 keyinfo = WPA_GET_LE16(buf + 2); 3921 gd.gtk_len = keylen; 3922 if (gd.gtk_len != buf[4]) { 3923 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d", 3924 gd.gtk_len, buf[4]); 3925 return -1; 3926 } 3927 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */ 3928 gd.tx = wpa_supplicant_gtk_tx_bit_workaround( 3929 sm, !!(keyinfo & WPA_KEY_INFO_TXRX)); 3930 3931 os_memcpy(gd.gtk, buf + 13, gd.gtk_len); 3932 3933 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", 3934 gd.gtk, gd.gtk_len); 3935 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { 3936 forced_memzero(&gd, sizeof(gd)); 3937 wpa_printf(MSG_DEBUG, "Failed to install the GTK in " 3938 "WNM mode"); 3939 return -1; 3940 } 3941 forced_memzero(&gd, sizeof(gd)); 3942 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { 3943 const struct wpa_igtk_kde *igtk; 3944 3945 igtk = (const struct wpa_igtk_kde *) (buf + 2); 3946 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) 3947 return -1; 3948 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) { 3949 const struct wpa_bigtk_kde *bigtk; 3950 3951 bigtk = (const struct wpa_bigtk_kde *) (buf + 2); 3952 if (sm->beacon_prot && 3953 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0) 3954 return -1; 3955 } else { 3956 wpa_printf(MSG_DEBUG, "Unknown element id"); 3957 return -1; 3958 } 3959 3960 return 0; 3961} 3962#endif /* CONFIG_WNM */ 3963 3964 3965#ifdef CONFIG_P2P 3966 3967int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf) 3968{ 3969 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0) 3970 return -1; 3971 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4); 3972 return 0; 3973} 3974 3975#endif /* CONFIG_P2P */ 3976 3977 3978void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter) 3979{ 3980 if (rx_replay_counter == NULL) 3981 return; 3982 3983 os_memcpy(sm->rx_replay_counter, rx_replay_counter, 3984 WPA_REPLAY_COUNTER_LEN); 3985 sm->rx_replay_counter_set = 1; 3986 wpa_printf(MSG_DEBUG, "Updated key replay counter"); 3987} 3988 3989 3990void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm, 3991 const u8 *ptk_kck, size_t ptk_kck_len, 3992 const u8 *ptk_kek, size_t ptk_kek_len) 3993{ 3994 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) { 3995 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len); 3996 sm->ptk.kck_len = ptk_kck_len; 3997 wpa_printf(MSG_DEBUG, "Updated PTK KCK"); 3998 } 3999 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) { 4000 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len); 4001 sm->ptk.kek_len = ptk_kek_len; 4002 wpa_printf(MSG_DEBUG, "Updated PTK KEK"); 4003 } 4004 sm->ptk_set = 1; 4005} 4006 4007 4008#ifdef CONFIG_TESTING_OPTIONS 4009 4010void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf) 4011{ 4012 wpabuf_free(sm->test_assoc_ie); 4013 sm->test_assoc_ie = buf; 4014} 4015 4016 4017const u8 * wpa_sm_get_anonce(struct wpa_sm *sm) 4018{ 4019 return sm->anonce; 4020} 4021 4022#endif /* CONFIG_TESTING_OPTIONS */ 4023 4024 4025unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm) 4026{ 4027 return sm->key_mgmt; 4028} 4029 4030 4031#ifdef CONFIG_FILS 4032 4033struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md) 4034{ 4035 struct wpabuf *buf = NULL; 4036 struct wpabuf *erp_msg; 4037 struct wpabuf *pub = NULL; 4038 4039 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol); 4040 if (!erp_msg && !sm->cur_pmksa) { 4041 wpa_printf(MSG_DEBUG, 4042 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS"); 4043 goto fail; 4044 } 4045 4046 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)", 4047 erp_msg != NULL, sm->cur_pmksa != NULL); 4048 4049 sm->fils_completed = 0; 4050 4051 if (!sm->assoc_wpa_ie) { 4052 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS"); 4053 goto fail; 4054 } 4055 4056 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 || 4057 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0) 4058 goto fail; 4059 4060 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce", 4061 sm->fils_nonce, FILS_NONCE_LEN); 4062 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session", 4063 sm->fils_session, FILS_SESSION_LEN); 4064 4065#ifdef CONFIG_FILS_SK_PFS 4066 sm->fils_dh_group = dh_group; 4067 if (dh_group) { 4068 crypto_ecdh_deinit(sm->fils_ecdh); 4069 sm->fils_ecdh = crypto_ecdh_init(dh_group); 4070 if (!sm->fils_ecdh) { 4071 wpa_printf(MSG_INFO, 4072 "FILS: Could not initialize ECDH with group %d", 4073 dh_group); 4074 goto fail; 4075 } 4076 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1); 4077 if (!pub) 4078 goto fail; 4079 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)", 4080 pub); 4081 sm->fils_dh_elem_len = wpabuf_len(pub); 4082 } 4083#endif /* CONFIG_FILS_SK_PFS */ 4084 4085 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len + 4086 (pub ? wpabuf_len(pub) : 0)); 4087 if (!buf) 4088 goto fail; 4089 4090 /* Fields following the Authentication algorithm number field */ 4091 4092 /* Authentication Transaction seq# */ 4093 wpabuf_put_le16(buf, 1); 4094 4095 /* Status Code */ 4096 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 4097 4098 /* TODO: FILS PK */ 4099#ifdef CONFIG_FILS_SK_PFS 4100 if (dh_group) { 4101 /* Finite Cyclic Group */ 4102 wpabuf_put_le16(buf, dh_group); 4103 /* Element */ 4104 wpabuf_put_buf(buf, pub); 4105 } 4106#endif /* CONFIG_FILS_SK_PFS */ 4107 4108 /* RSNE */ 4109 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame", 4110 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 4111 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 4112 4113 if (md) { 4114 /* MDE when using FILS for FT initial association */ 4115 struct rsn_mdie *mdie; 4116 4117 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN); 4118 wpabuf_put_u8(buf, sizeof(*mdie)); 4119 mdie = wpabuf_put(buf, sizeof(*mdie)); 4120 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 4121 mdie->ft_capab = 0; 4122 } 4123 4124 /* FILS Nonce */ 4125 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4126 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */ 4127 /* Element ID Extension */ 4128 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE); 4129 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN); 4130 4131 /* FILS Session */ 4132 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4133 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */ 4134 /* Element ID Extension */ 4135 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 4136 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN); 4137 4138 /* Wrapped Data */ 4139 sm->fils_erp_pmkid_set = 0; 4140 if (erp_msg) { 4141 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4142 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */ 4143 /* Element ID Extension */ 4144 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA); 4145 wpabuf_put_buf(buf, erp_msg); 4146 /* Calculate pending PMKID here so that we do not need to 4147 * maintain a copy of the EAP-Initiate/Reauth message. */ 4148 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg), 4149 wpabuf_len(erp_msg), 4150 sm->fils_erp_pmkid) == 0) 4151 sm->fils_erp_pmkid_set = 1; 4152 } 4153 4154 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame", 4155 buf); 4156 4157fail: 4158 wpabuf_free(erp_msg); 4159 wpabuf_free(pub); 4160 return buf; 4161} 4162 4163 4164int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data, 4165 size_t len) 4166{ 4167 const u8 *pos, *end; 4168 struct ieee802_11_elems elems; 4169 struct wpa_ie_data rsn; 4170 int pmkid_match = 0; 4171 u8 ick[FILS_ICK_MAX_LEN]; 4172 size_t ick_len; 4173 int res; 4174 struct wpabuf *dh_ss = NULL; 4175 const u8 *g_sta = NULL; 4176 size_t g_sta_len = 0; 4177 const u8 *g_ap = NULL; 4178 size_t g_ap_len = 0, kdk_len; 4179 struct wpabuf *pub = NULL; 4180 4181 os_memcpy(sm->bssid, bssid, ETH_ALEN); 4182 4183 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields", 4184 data, len); 4185 pos = data; 4186 end = data + len; 4187 4188 /* TODO: FILS PK */ 4189#ifdef CONFIG_FILS_SK_PFS 4190 if (sm->fils_dh_group) { 4191 u16 group; 4192 4193 /* Using FILS PFS */ 4194 4195 /* Finite Cyclic Group */ 4196 if (end - pos < 2) { 4197 wpa_printf(MSG_DEBUG, 4198 "FILS: No room for Finite Cyclic Group"); 4199 goto fail; 4200 } 4201 group = WPA_GET_LE16(pos); 4202 pos += 2; 4203 if (group != sm->fils_dh_group) { 4204 wpa_printf(MSG_DEBUG, 4205 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)", 4206 group, sm->fils_dh_group); 4207 goto fail; 4208 } 4209 4210 /* Element */ 4211 if ((size_t) (end - pos) < sm->fils_dh_elem_len) { 4212 wpa_printf(MSG_DEBUG, "FILS: No room for Element"); 4213 goto fail; 4214 } 4215 4216 if (!sm->fils_ecdh) { 4217 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available"); 4218 goto fail; 4219 } 4220 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos, 4221 sm->fils_dh_elem_len); 4222 if (!dh_ss) { 4223 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed"); 4224 goto fail; 4225 } 4226 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss); 4227 g_ap = pos; 4228 g_ap_len = sm->fils_dh_elem_len; 4229 pos += sm->fils_dh_elem_len; 4230 } 4231#endif /* CONFIG_FILS_SK_PFS */ 4232 4233 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos); 4234 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) { 4235 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements"); 4236 goto fail; 4237 } 4238 4239 /* RSNE */ 4240 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie, 4241 elems.rsn_ie_len); 4242 if (!elems.rsn_ie || 4243 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 4244 &rsn) < 0) { 4245 wpa_printf(MSG_DEBUG, "FILS: No RSN element"); 4246 goto fail; 4247 } 4248 4249 if (!elems.fils_nonce) { 4250 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field"); 4251 goto fail; 4252 } 4253 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN); 4254 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN); 4255 4256#ifdef CONFIG_IEEE80211R 4257 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 4258 struct wpa_ft_ies parse; 4259 4260 if (!elems.mdie || !elems.ftie) { 4261 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE"); 4262 goto fail; 4263 } 4264 4265 if (wpa_ft_parse_ies(pos, end - pos, &parse, 4266 wpa_key_mgmt_sha384(sm->key_mgmt)) < 0) { 4267 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs"); 4268 goto fail; 4269 } 4270 4271 if (!parse.r0kh_id) { 4272 wpa_printf(MSG_DEBUG, 4273 "FILS+FT: No R0KH-ID subelem in FTE"); 4274 goto fail; 4275 } 4276 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len); 4277 sm->r0kh_id_len = parse.r0kh_id_len; 4278 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID", 4279 sm->r0kh_id, sm->r0kh_id_len); 4280 4281 if (!parse.r1kh_id) { 4282 wpa_printf(MSG_DEBUG, 4283 "FILS+FT: No R1KH-ID subelem in FTE"); 4284 goto fail; 4285 } 4286 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN); 4287 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID", 4288 sm->r1kh_id, FT_R1KH_ID_LEN); 4289 4290 /* TODO: Check MDE and FTE payload */ 4291 4292 wpabuf_free(sm->fils_ft_ies); 4293 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len + 4294 2 + elems.ftie_len); 4295 if (!sm->fils_ft_ies) 4296 goto fail; 4297 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2, 4298 2 + elems.mdie_len); 4299 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2, 4300 2 + elems.ftie_len); 4301 } else { 4302 wpabuf_free(sm->fils_ft_ies); 4303 sm->fils_ft_ies = NULL; 4304 } 4305#endif /* CONFIG_IEEE80211R */ 4306 4307 /* PMKID List */ 4308 if (rsn.pmkid && rsn.num_pmkid > 0) { 4309 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List", 4310 rsn.pmkid, rsn.num_pmkid * PMKID_LEN); 4311 4312 if (rsn.num_pmkid != 1) { 4313 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection"); 4314 goto fail; 4315 } 4316 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN); 4317 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0) 4318 { 4319 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch"); 4320 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID", 4321 sm->cur_pmksa->pmkid, PMKID_LEN); 4322 goto fail; 4323 } 4324 wpa_printf(MSG_DEBUG, 4325 "FILS: Matching PMKID - continue using PMKSA caching"); 4326 pmkid_match = 1; 4327 } 4328 if (!pmkid_match && sm->cur_pmksa) { 4329 wpa_printf(MSG_DEBUG, 4330 "FILS: No PMKID match - cannot use cached PMKSA entry"); 4331 sm->cur_pmksa = NULL; 4332 } 4333 4334 /* FILS Session */ 4335 if (!elems.fils_session) { 4336 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 4337 goto fail; 4338 } 4339 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session, 4340 FILS_SESSION_LEN); 4341 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN) 4342 != 0) { 4343 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 4344 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 4345 sm->fils_session, FILS_SESSION_LEN); 4346 goto fail; 4347 } 4348 4349 /* Wrapped Data */ 4350 if (!sm->cur_pmksa && elems.wrapped_data) { 4351 u8 rmsk[ERP_MAX_KEY_LEN]; 4352 size_t rmsk_len; 4353 4354 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data", 4355 elems.wrapped_data, 4356 elems.wrapped_data_len); 4357 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data, 4358 elems.wrapped_data_len); 4359 if (eapol_sm_failed(sm->eapol)) 4360 goto fail; 4361 4362 rmsk_len = ERP_MAX_KEY_LEN; 4363 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len); 4364 if (res == PMK_LEN) { 4365 rmsk_len = PMK_LEN; 4366 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len); 4367 } 4368 if (res) 4369 goto fail; 4370 4371 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len, 4372 sm->fils_nonce, sm->fils_anonce, 4373 dh_ss ? wpabuf_head(dh_ss) : NULL, 4374 dh_ss ? wpabuf_len(dh_ss) : 0, 4375 sm->pmk, &sm->pmk_len); 4376 forced_memzero(rmsk, sizeof(rmsk)); 4377 4378 /* Don't use DHss in PTK derivation if PMKSA caching is not 4379 * used. */ 4380 wpabuf_clear_free(dh_ss); 4381 dh_ss = NULL; 4382 4383 if (res) 4384 goto fail; 4385 4386 if (!sm->fils_erp_pmkid_set) { 4387 wpa_printf(MSG_DEBUG, "FILS: PMKID not available"); 4388 goto fail; 4389 } 4390 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid, 4391 PMKID_LEN); 4392 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result"); 4393 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, 4394 sm->fils_erp_pmkid, NULL, 0, 4395 sm->bssid, sm->own_addr, 4396 sm->network_ctx, sm->key_mgmt, 4397 NULL); 4398 } 4399 4400 if (!sm->cur_pmksa) { 4401 wpa_printf(MSG_DEBUG, 4402 "FILS: No remaining options to continue FILS authentication"); 4403 goto fail; 4404 } 4405 4406 if (sm->force_kdk_derivation || 4407 (sm->secure_ltf && 4408 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))) 4409 kdk_len = WPA_KDK_MAX_LEN; 4410 else 4411 kdk_len = 0; 4412 4413 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid, 4414 sm->fils_nonce, sm->fils_anonce, 4415 dh_ss ? wpabuf_head(dh_ss) : NULL, 4416 dh_ss ? wpabuf_len(dh_ss) : 0, 4417 &sm->ptk, ick, &ick_len, 4418 sm->key_mgmt, sm->pairwise_cipher, 4419 sm->fils_ft, &sm->fils_ft_len, 4420 kdk_len) < 0) { 4421 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK"); 4422 goto fail; 4423 } 4424 4425 wpabuf_clear_free(dh_ss); 4426 dh_ss = NULL; 4427 4428 sm->ptk_set = 1; 4429 sm->tptk_set = 0; 4430 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 4431 4432#ifdef CONFIG_FILS_SK_PFS 4433 if (sm->fils_dh_group) { 4434 if (!sm->fils_ecdh) { 4435 wpa_printf(MSG_INFO, "FILS: ECDH not initialized"); 4436 goto fail; 4437 } 4438 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1); 4439 if (!pub) 4440 goto fail; 4441 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub); 4442 g_sta = wpabuf_head(pub); 4443 g_sta_len = wpabuf_len(pub); 4444 if (!g_ap) { 4445 wpa_printf(MSG_INFO, "FILS: gAP not available"); 4446 goto fail; 4447 } 4448 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len); 4449 } 4450#endif /* CONFIG_FILS_SK_PFS */ 4451 4452 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce, 4453 sm->fils_anonce, sm->own_addr, sm->bssid, 4454 g_sta, g_sta_len, g_ap, g_ap_len, 4455 sm->key_mgmt, sm->fils_key_auth_sta, 4456 sm->fils_key_auth_ap, 4457 &sm->fils_key_auth_len); 4458 wpabuf_free(pub); 4459 forced_memzero(ick, sizeof(ick)); 4460 return res; 4461fail: 4462 wpabuf_free(pub); 4463 wpabuf_clear_free(dh_ss); 4464 return -1; 4465} 4466 4467 4468#ifdef CONFIG_IEEE80211R 4469static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf) 4470{ 4471 struct rsn_ie_hdr *rsnie; 4472 u16 capab; 4473 u8 *pos; 4474 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt); 4475 4476 /* RSNIE[PMKR0Name/PMKR1Name] */ 4477 rsnie = wpabuf_put(buf, sizeof(*rsnie)); 4478 rsnie->elem_id = WLAN_EID_RSN; 4479 WPA_PUT_LE16(rsnie->version, RSN_VERSION); 4480 4481 /* Group Suite Selector */ 4482 if (!wpa_cipher_valid_group(sm->group_cipher)) { 4483 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)", 4484 sm->group_cipher); 4485 return -1; 4486 } 4487 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 4488 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, 4489 sm->group_cipher)); 4490 4491 /* Pairwise Suite Count */ 4492 wpabuf_put_le16(buf, 1); 4493 4494 /* Pairwise Suite List */ 4495 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 4496 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)", 4497 sm->pairwise_cipher); 4498 return -1; 4499 } 4500 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 4501 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, 4502 sm->pairwise_cipher)); 4503 4504 /* Authenticated Key Management Suite Count */ 4505 wpabuf_put_le16(buf, 1); 4506 4507 /* Authenticated Key Management Suite List */ 4508 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 4509 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256) 4510 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256); 4511 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384) 4512 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384); 4513 else { 4514 wpa_printf(MSG_WARNING, 4515 "FILS+FT: Invalid key management type (%d)", 4516 sm->key_mgmt); 4517 return -1; 4518 } 4519 4520 /* RSN Capabilities */ 4521 capab = 0; 4522 if (sm->mfp) 4523 capab |= WPA_CAPABILITY_MFPC; 4524 if (sm->mfp == 2) 4525 capab |= WPA_CAPABILITY_MFPR; 4526 if (sm->ocv) 4527 capab |= WPA_CAPABILITY_OCVC; 4528 if (sm->ext_key_id) 4529 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; 4530 wpabuf_put_le16(buf, capab); 4531 4532 /* PMKID Count */ 4533 wpabuf_put_le16(buf, 1); 4534 4535 /* PMKID List [PMKR1Name] */ 4536 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)", 4537 sm->fils_ft, sm->fils_ft_len); 4538 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len); 4539 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID", 4540 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN); 4541 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID", 4542 sm->r0kh_id, sm->r0kh_id_len); 4543 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid, 4544 sm->ssid_len, sm->mobility_domain, 4545 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr, 4546 sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) { 4547 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0"); 4548 return -1; 4549 } 4550 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; 4551 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR, 4552 MAC2STR(sm->r1kh_id)); 4553 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN); 4554 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr, 4555 sm->pmk_r1_name, use_sha384) < 0) { 4556 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name"); 4557 return -1; 4558 } 4559 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN); 4560 4561 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) { 4562 /* Management Group Cipher Suite */ 4563 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 4564 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC); 4565 } 4566 4567 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2; 4568 return 0; 4569} 4570#endif /* CONFIG_IEEE80211R */ 4571 4572 4573struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek, 4574 size_t *kek_len, const u8 **snonce, 4575 const u8 **anonce, 4576 const struct wpabuf **hlp, 4577 unsigned int num_hlp) 4578{ 4579 struct wpabuf *buf; 4580 size_t len; 4581 unsigned int i; 4582 4583 len = 1000; 4584#ifdef CONFIG_IEEE80211R 4585 if (sm->fils_ft_ies) 4586 len += wpabuf_len(sm->fils_ft_ies); 4587 if (wpa_key_mgmt_ft(sm->key_mgmt)) 4588 len += 256; 4589#endif /* CONFIG_IEEE80211R */ 4590 for (i = 0; hlp && i < num_hlp; i++) 4591 len += 10 + wpabuf_len(hlp[i]); 4592 buf = wpabuf_alloc(len); 4593 if (!buf) 4594 return NULL; 4595 4596#ifdef CONFIG_IEEE80211R 4597 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) { 4598 /* MDE and FTE when using FILS+FT */ 4599 wpabuf_put_buf(buf, sm->fils_ft_ies); 4600 /* RSNE with PMKR1Name in PMKID field */ 4601 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) { 4602 wpabuf_free(buf); 4603 return NULL; 4604 } 4605 } 4606#endif /* CONFIG_IEEE80211R */ 4607 4608 /* FILS Session */ 4609 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4610 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */ 4611 /* Element ID Extension */ 4612 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 4613 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN); 4614 4615 /* Everything after FILS Session element gets encrypted in the driver 4616 * with KEK. The buffer returned from here is the plaintext version. */ 4617 4618 /* TODO: FILS Public Key */ 4619 4620 /* FILS Key Confirm */ 4621 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4622 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */ 4623 /* Element ID Extension */ 4624 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM); 4625 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len); 4626 4627 /* FILS HLP Container */ 4628 for (i = 0; hlp && i < num_hlp; i++) { 4629 const u8 *pos = wpabuf_head(hlp[i]); 4630 size_t left = wpabuf_len(hlp[i]); 4631 4632 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 4633 if (left <= 254) 4634 len = 1 + left; 4635 else 4636 len = 255; 4637 wpabuf_put_u8(buf, len); /* Length */ 4638 /* Element ID Extension */ 4639 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER); 4640 /* Destination MAC Address, Source MAC Address, HLP Packet. 4641 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP 4642 * header when LPD is used). */ 4643 wpabuf_put_data(buf, pos, len - 1); 4644 pos += len - 1; 4645 left -= len - 1; 4646 while (left) { 4647 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT); 4648 len = left > 255 ? 255 : left; 4649 wpabuf_put_u8(buf, len); 4650 wpabuf_put_data(buf, pos, len); 4651 pos += len; 4652 left -= len; 4653 } 4654 } 4655 4656 /* TODO: FILS IP Address Assignment */ 4657 4658#ifdef CONFIG_OCV 4659 if (wpa_sm_ocv_enabled(sm)) { 4660 struct wpa_channel_info ci; 4661 u8 *pos; 4662 4663 if (wpa_sm_channel_info(sm, &ci) != 0) { 4664 wpa_printf(MSG_WARNING, 4665 "FILS: Failed to get channel info for OCI element"); 4666 wpabuf_free(buf); 4667 return NULL; 4668 } 4669#ifdef CONFIG_TESTING_OPTIONS 4670 if (sm->oci_freq_override_fils_assoc) { 4671 wpa_printf(MSG_INFO, 4672 "TEST: Override OCI KDE frequency %d -> %d MHz", 4673 ci.frequency, 4674 sm->oci_freq_override_fils_assoc); 4675 ci.frequency = sm->oci_freq_override_fils_assoc; 4676 } 4677#endif /* CONFIG_TESTING_OPTIONS */ 4678 4679 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN); 4680 if (ocv_insert_extended_oci(&ci, pos) < 0) { 4681 wpabuf_free(buf); 4682 return NULL; 4683 } 4684 } 4685#endif /* CONFIG_OCV */ 4686 4687 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf); 4688 4689 *kek = sm->ptk.kek; 4690 *kek_len = sm->ptk.kek_len; 4691 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len); 4692 *snonce = sm->fils_nonce; 4693 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD", 4694 *snonce, FILS_NONCE_LEN); 4695 *anonce = sm->fils_anonce; 4696 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD", 4697 *anonce, FILS_NONCE_LEN); 4698 4699 return buf; 4700} 4701 4702 4703static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len) 4704{ 4705 const u8 *pos, *end; 4706 4707 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len); 4708 if (len < 2 * ETH_ALEN) 4709 return; 4710 pos = resp + 2 * ETH_ALEN; 4711 end = resp + len; 4712 if (end - pos >= 6 && 4713 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) 4714 pos += 6; /* Remove SNAP/LLC header */ 4715 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos); 4716} 4717 4718 4719static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos, 4720 size_t len) 4721{ 4722 const u8 *end = pos + len; 4723 u8 *tmp, *tmp_pos; 4724 4725 /* Check if there are any FILS HLP Container elements */ 4726 while (end - pos >= 2) { 4727 if (2 + pos[1] > end - pos) 4728 return; 4729 if (pos[0] == WLAN_EID_EXTENSION && 4730 pos[1] >= 1 + 2 * ETH_ALEN && 4731 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER) 4732 break; 4733 pos += 2 + pos[1]; 4734 } 4735 if (end - pos < 2) 4736 return; /* No FILS HLP Container elements */ 4737 4738 tmp = os_malloc(end - pos); 4739 if (!tmp) 4740 return; 4741 4742 while (end - pos >= 2) { 4743 if (2 + pos[1] > end - pos || 4744 pos[0] != WLAN_EID_EXTENSION || 4745 pos[1] < 1 + 2 * ETH_ALEN || 4746 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER) 4747 break; 4748 tmp_pos = tmp; 4749 os_memcpy(tmp_pos, pos + 3, pos[1] - 1); 4750 tmp_pos += pos[1] - 1; 4751 pos += 2 + pos[1]; 4752 4753 /* Add possible fragments */ 4754 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT && 4755 2 + pos[1] <= end - pos) { 4756 os_memcpy(tmp_pos, pos + 2, pos[1]); 4757 tmp_pos += pos[1]; 4758 pos += 2 + pos[1]; 4759 } 4760 4761 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp); 4762 } 4763 4764 os_free(tmp); 4765} 4766 4767 4768int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) 4769{ 4770 const struct ieee80211_mgmt *mgmt; 4771 const u8 *end, *ie_start; 4772 struct ieee802_11_elems elems; 4773 int keylen, rsclen; 4774 enum wpa_alg alg; 4775 struct wpa_gtk_data gd; 4776 int maxkeylen; 4777 struct wpa_eapol_ie_parse kde; 4778 4779 if (!sm || !sm->ptk_set) { 4780 wpa_printf(MSG_DEBUG, "FILS: No KEK available"); 4781 return -1; 4782 } 4783 4784 if (!wpa_key_mgmt_fils(sm->key_mgmt)) { 4785 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM"); 4786 return -1; 4787 } 4788 4789 if (sm->fils_completed) { 4790 wpa_printf(MSG_DEBUG, 4791 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission"); 4792 return -1; 4793 } 4794 4795 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame", 4796 resp, len); 4797 4798 mgmt = (const struct ieee80211_mgmt *) resp; 4799 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp)) 4800 return -1; 4801 4802 end = resp + len; 4803 /* Same offset for Association Response and Reassociation Response */ 4804 ie_start = mgmt->u.assoc_resp.variable; 4805 4806 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) == 4807 ParseFailed) { 4808 wpa_printf(MSG_DEBUG, 4809 "FILS: Failed to parse decrypted elements"); 4810 goto fail; 4811 } 4812 4813 if (!elems.fils_session) { 4814 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 4815 return -1; 4816 } 4817 if (os_memcmp(elems.fils_session, sm->fils_session, 4818 FILS_SESSION_LEN) != 0) { 4819 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch"); 4820 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 4821 elems.fils_session, FILS_SESSION_LEN); 4822 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 4823 sm->fils_session, FILS_SESSION_LEN); 4824 } 4825 4826 if (!elems.rsn_ie) { 4827 wpa_printf(MSG_DEBUG, 4828 "FILS: No RSNE in (Re)Association Response"); 4829 /* As an interop workaround, allow this for now since IEEE Std 4830 * 802.11ai-2016 did not include all the needed changes to make 4831 * a FILS AP include RSNE in the frame. This workaround might 4832 * eventually be removed and replaced with rejection (goto fail) 4833 * to follow a strict interpretation of the standard. */ 4834 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt), 4835 sm->ap_rsn_ie, sm->ap_rsn_ie_len, 4836 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) { 4837 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 4838 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response"); 4839 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response", 4840 sm->ap_rsn_ie, sm->ap_rsn_ie_len); 4841 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response", 4842 elems.rsn_ie, elems.rsn_ie_len); 4843 goto fail; 4844 } 4845 4846 /* TODO: FILS Public Key */ 4847 4848 if (!elems.fils_key_confirm) { 4849 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 4850 goto fail; 4851 } 4852 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 4853 wpa_printf(MSG_DEBUG, 4854 "FILS: Unexpected Key-Auth length %d (expected %d)", 4855 elems.fils_key_confirm_len, 4856 (int) sm->fils_key_auth_len); 4857 goto fail; 4858 } 4859 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap, 4860 sm->fils_key_auth_len) != 0) { 4861 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 4862 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 4863 elems.fils_key_confirm, 4864 elems.fils_key_confirm_len); 4865 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 4866 sm->fils_key_auth_ap, sm->fils_key_auth_len); 4867 goto fail; 4868 } 4869 4870#ifdef CONFIG_OCV 4871 if (wpa_sm_ocv_enabled(sm)) { 4872 struct wpa_channel_info ci; 4873 4874 if (wpa_sm_channel_info(sm, &ci) != 0) { 4875 wpa_printf(MSG_WARNING, 4876 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame"); 4877 goto fail; 4878 } 4879 4880 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci, 4881 channel_width_to_int(ci.chanwidth), 4882 ci.seg1_idx) != OCI_SUCCESS) { 4883 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE 4884 "addr=" MACSTR " frame=fils-assoc error=%s", 4885 MAC2STR(sm->bssid), ocv_errorstr); 4886 goto fail; 4887 } 4888 } 4889#endif /* CONFIG_OCV */ 4890 4891#ifdef CONFIG_IEEE80211R 4892 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) { 4893 struct wpa_ie_data rsn; 4894 4895 /* Check that PMKR1Name derived by the AP matches */ 4896 if (!elems.rsn_ie || 4897 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 4898 &rsn) < 0 || 4899 !rsn.pmkid || rsn.num_pmkid != 1 || 4900 os_memcmp(rsn.pmkid, sm->pmk_r1_name, 4901 WPA_PMK_NAME_LEN) != 0) { 4902 wpa_printf(MSG_DEBUG, 4903 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp"); 4904 goto fail; 4905 } 4906 } 4907#endif /* CONFIG_IEEE80211R */ 4908 4909 /* Key Delivery */ 4910 if (!elems.key_delivery) { 4911 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element"); 4912 goto fail; 4913 } 4914 4915 /* Parse GTK and set the key to the driver */ 4916 os_memset(&gd, 0, sizeof(gd)); 4917 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN, 4918 elems.key_delivery_len - WPA_KEY_RSC_LEN, 4919 &kde) < 0) { 4920 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs"); 4921 goto fail; 4922 } 4923 if (!kde.gtk) { 4924 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE"); 4925 goto fail; 4926 } 4927 maxkeylen = gd.gtk_len = kde.gtk_len - 2; 4928 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 4929 gd.gtk_len, maxkeylen, 4930 &gd.key_rsc_len, &gd.alg)) 4931 goto fail; 4932 4933 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len); 4934 gd.keyidx = kde.gtk[0] & 0x3; 4935 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 4936 !!(kde.gtk[0] & BIT(2))); 4937 if (kde.gtk_len - 2 > sizeof(gd.gtk)) { 4938 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)", 4939 (unsigned long) kde.gtk_len - 2); 4940 goto fail; 4941 } 4942 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2); 4943 4944 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver"); 4945 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) { 4946 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK"); 4947 goto fail; 4948 } 4949 4950 if (ieee80211w_set_keys(sm, &kde) < 0) { 4951 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK"); 4952 goto fail; 4953 } 4954 4955 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 4956 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 4957 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) { 4958 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu", 4959 keylen, (long unsigned int) sm->ptk.tk_len); 4960 goto fail; 4961 } 4962 4963 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); 4964 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", 4965 sm->ptk.tk, keylen); 4966 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen, 4967 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) { 4968 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 4969 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid=" 4970 MACSTR ")", 4971 alg, keylen, MAC2STR(sm->bssid)); 4972 goto fail; 4973 } 4974 4975 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher, 4976 sm->dot11RSNAConfigPMKLifetime, &sm->ptk); 4977 4978 /* TODO: TK could be cleared after auth frame exchange now that driver 4979 * takes care of association frame encryption/decryption. */ 4980 /* TK is not needed anymore in supplicant */ 4981 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); 4982 sm->ptk.tk_len = 0; 4983 sm->ptk.installed = 1; 4984 4985 /* FILS HLP Container */ 4986 fils_process_hlp_container(sm, ie_start, end - ie_start); 4987 4988 /* TODO: FILS IP Address Assignment */ 4989 4990 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully"); 4991 sm->fils_completed = 1; 4992 forced_memzero(&gd, sizeof(gd)); 4993 4994 if (kde.transition_disable) 4995 wpa_sm_transition_disable(sm, kde.transition_disable[0]); 4996 4997 return 0; 4998fail: 4999 forced_memzero(&gd, sizeof(gd)); 5000 return -1; 5001} 5002 5003 5004void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set) 5005{ 5006 if (sm) 5007 sm->fils_completed = !!set; 5008} 5009 5010#endif /* CONFIG_FILS */ 5011 5012 5013int wpa_fils_is_completed(struct wpa_sm *sm) 5014{ 5015#ifdef CONFIG_FILS 5016 return sm && sm->fils_completed; 5017#else /* CONFIG_FILS */ 5018 return 0; 5019#endif /* CONFIG_FILS */ 5020} 5021 5022 5023#ifdef CONFIG_OWE 5024 5025struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group) 5026{ 5027 struct wpabuf *ie = NULL, *pub = NULL; 5028 size_t prime_len; 5029 5030 if (group == 19) 5031 prime_len = 32; 5032 else if (group == 20) 5033 prime_len = 48; 5034 else if (group == 21) 5035 prime_len = 66; 5036 else 5037 return NULL; 5038 5039 crypto_ecdh_deinit(sm->owe_ecdh); 5040 sm->owe_ecdh = crypto_ecdh_init(group); 5041 if (!sm->owe_ecdh) 5042 goto fail; 5043 sm->owe_group = group; 5044 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0); 5045 pub = wpabuf_zeropad(pub, prime_len); 5046 if (!pub) 5047 goto fail; 5048 5049 ie = wpabuf_alloc(5 + wpabuf_len(pub)); 5050 if (!ie) 5051 goto fail; 5052 wpabuf_put_u8(ie, WLAN_EID_EXTENSION); 5053 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub)); 5054 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM); 5055 wpabuf_put_le16(ie, group); 5056 wpabuf_put_buf(ie, pub); 5057 wpabuf_free(pub); 5058 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element", 5059 ie); 5060 5061 return ie; 5062fail: 5063 wpabuf_free(pub); 5064 crypto_ecdh_deinit(sm->owe_ecdh); 5065 sm->owe_ecdh = NULL; 5066 return NULL; 5067} 5068 5069 5070int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, 5071 const u8 *resp_ies, size_t resp_ies_len) 5072{ 5073 struct ieee802_11_elems elems; 5074 u16 group; 5075 struct wpabuf *secret, *pub, *hkey; 5076 int res; 5077 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN]; 5078 const char *info = "OWE Key Generation"; 5079 const u8 *addr[2]; 5080 size_t len[2]; 5081 size_t hash_len, prime_len; 5082 struct wpa_ie_data data; 5083 5084 if (!resp_ies || 5085 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) == 5086 ParseFailed) { 5087 wpa_printf(MSG_INFO, 5088 "OWE: Could not parse Association Response frame elements"); 5089 return -1; 5090 } 5091 5092 if (sm->cur_pmksa && elems.rsn_ie && 5093 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len, 5094 &data) == 0 && 5095 data.num_pmkid == 1 && data.pmkid && 5096 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) { 5097 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching"); 5098 wpa_sm_set_pmk_from_pmksa(sm); 5099 return 0; 5100 } 5101 5102 if (!elems.owe_dh) { 5103 wpa_printf(MSG_INFO, 5104 "OWE: No Diffie-Hellman Parameter element found in Association Response frame"); 5105 return -1; 5106 } 5107 5108 group = WPA_GET_LE16(elems.owe_dh); 5109 if (group != sm->owe_group) { 5110 wpa_printf(MSG_INFO, 5111 "OWE: Unexpected Diffie-Hellman group in response: %u", 5112 group); 5113 return -1; 5114 } 5115 5116 if (!sm->owe_ecdh) { 5117 wpa_printf(MSG_INFO, "OWE: No ECDH state available"); 5118 return -1; 5119 } 5120 5121 if (group == 19) 5122 prime_len = 32; 5123 else if (group == 20) 5124 prime_len = 48; 5125 else if (group == 21) 5126 prime_len = 66; 5127 else 5128 return -1; 5129 5130 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0, 5131 elems.owe_dh + 2, 5132 elems.owe_dh_len - 2); 5133 secret = wpabuf_zeropad(secret, prime_len); 5134 if (!secret) { 5135 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key"); 5136 return -1; 5137 } 5138 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret); 5139 5140 /* prk = HKDF-extract(C | A | group, z) */ 5141 5142 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0); 5143 if (!pub) { 5144 wpabuf_clear_free(secret); 5145 return -1; 5146 } 5147 5148 /* PMKID = Truncate-128(Hash(C | A)) */ 5149 addr[0] = wpabuf_head(pub); 5150 len[0] = wpabuf_len(pub); 5151 addr[1] = elems.owe_dh + 2; 5152 len[1] = elems.owe_dh_len - 2; 5153 if (group == 19) { 5154 res = sha256_vector(2, addr, len, pmkid); 5155 hash_len = SHA256_MAC_LEN; 5156 } else if (group == 20) { 5157 res = sha384_vector(2, addr, len, pmkid); 5158 hash_len = SHA384_MAC_LEN; 5159 } else if (group == 21) { 5160 res = sha512_vector(2, addr, len, pmkid); 5161 hash_len = SHA512_MAC_LEN; 5162 } else { 5163 res = -1; 5164 hash_len = 0; 5165 } 5166 pub = wpabuf_zeropad(pub, prime_len); 5167 if (res < 0 || !pub) { 5168 wpabuf_free(pub); 5169 wpabuf_clear_free(secret); 5170 return -1; 5171 } 5172 5173 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2); 5174 if (!hkey) { 5175 wpabuf_free(pub); 5176 wpabuf_clear_free(secret); 5177 return -1; 5178 } 5179 5180 wpabuf_put_buf(hkey, pub); /* C */ 5181 wpabuf_free(pub); 5182 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */ 5183 wpabuf_put_le16(hkey, sm->owe_group); /* group */ 5184 if (group == 19) 5185 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), 5186 wpabuf_head(secret), wpabuf_len(secret), prk); 5187 else if (group == 20) 5188 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey), 5189 wpabuf_head(secret), wpabuf_len(secret), prk); 5190 else if (group == 21) 5191 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey), 5192 wpabuf_head(secret), wpabuf_len(secret), prk); 5193 wpabuf_clear_free(hkey); 5194 wpabuf_clear_free(secret); 5195 if (res < 0) 5196 return -1; 5197 5198 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len); 5199 5200 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */ 5201 5202 if (group == 19) 5203 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info, 5204 os_strlen(info), sm->pmk, hash_len); 5205 else if (group == 20) 5206 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info, 5207 os_strlen(info), sm->pmk, hash_len); 5208 else if (group == 21) 5209 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info, 5210 os_strlen(info), sm->pmk, hash_len); 5211 forced_memzero(prk, SHA512_MAC_LEN); 5212 if (res < 0) { 5213 sm->pmk_len = 0; 5214 return -1; 5215 } 5216 sm->pmk_len = hash_len; 5217 5218 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len); 5219 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN); 5220 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0, 5221 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt, 5222 NULL); 5223 5224 return 0; 5225} 5226 5227#endif /* CONFIG_OWE */ 5228 5229 5230void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id) 5231{ 5232#ifdef CONFIG_FILS 5233 if (sm && fils_cache_id) { 5234 sm->fils_cache_id_set = 1; 5235 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN); 5236 } 5237#endif /* CONFIG_FILS */ 5238} 5239 5240 5241#ifdef CONFIG_DPP2 5242void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z) 5243{ 5244 if (sm) { 5245 wpabuf_clear_free(sm->dpp_z); 5246 sm->dpp_z = z ? wpabuf_dup(z) : NULL; 5247 } 5248} 5249#endif /* CONFIG_DPP2 */ 5250 5251 5252#ifdef CONFIG_PASN 5253void wpa_pasn_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 5254 const u8 *pmkid, const u8 *bssid, int key_mgmt) 5255{ 5256 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0, 5257 bssid, sm->own_addr, NULL, 5258 key_mgmt, 0); 5259} 5260#endif /* CONFIG_PASN */ 5261 5262 5263void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm) 5264{ 5265 if (sm) 5266 pmksa_cache_reconfig(sm->pmksa); 5267} 5268