1 /*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2022, Jouni Malinen <[email protected]>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "utils/bitfield.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ocv.h"
17 #include "common/dpp.h"
18 #include "common/wpa_ctrl.h"
19 #include "crypto/aes.h"
20 #include "crypto/aes_wrap.h"
21 #include "crypto/aes_siv.h"
22 #include "crypto/crypto.h"
23 #include "crypto/sha1.h"
24 #include "crypto/sha256.h"
25 #include "crypto/sha384.h"
26 #include "crypto/sha512.h"
27 #include "crypto/random.h"
28 #include "eapol_auth/eapol_auth_sm.h"
29 #include "drivers/driver.h"
30 #include "ap_config.h"
31 #include "ieee802_11.h"
32 #include "sta_info.h"
33 #include "wpa_auth.h"
34 #include "pmksa_cache_auth.h"
35 #include "wpa_auth_i.h"
36 #include "wpa_auth_ie.h"
37
38 #define STATE_MACHINE_DATA struct wpa_state_machine
39 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
40 #define STATE_MACHINE_ADDR wpa_auth_get_spa(sm)
41
42
43 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
44 static int wpa_sm_step(struct wpa_state_machine *sm);
45 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
46 u8 *data, size_t data_len);
47 #ifdef CONFIG_FILS
48 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
49 u8 *buf, size_t buf_len, u16 *_key_data_len);
50 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
51 const struct wpabuf *hlp);
52 #endif /* CONFIG_FILS */
53 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
54 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
55 struct wpa_group *group);
56 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
57 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
60 struct wpa_group *group);
61 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
62 const u8 *pmk, unsigned int pmk_len,
63 struct wpa_ptk *ptk, int force_sha256,
64 u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
65 size_t *key_len, bool no_kdk);
66 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
67 struct wpa_group *group);
68 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
69 struct wpa_group *group);
70 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
71 struct wpa_group *group);
72 static int ieee80211w_kde_len(struct wpa_state_machine *sm);
73 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
74 static void wpa_group_update_gtk(struct wpa_authenticator *wpa_auth,
75 struct wpa_group *group);
76
77
78 static const u32 eapol_key_timeout_first = 100; /* ms */
79 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
80 static const u32 eapol_key_timeout_first_group = 500; /* ms */
81 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
82
83 /* TODO: make these configurable */
84 static const int dot11RSNAConfigPMKLifetime = 43200;
85 static const int dot11RSNAConfigPMKReauthThreshold = 70;
86 static const int dot11RSNAConfigSATimeout = 60;
87
88
wpa_auth_get_aa(const struct wpa_state_machine * sm)89 static const u8 * wpa_auth_get_aa(const struct wpa_state_machine *sm)
90 {
91 #ifdef CONFIG_IEEE80211BE
92 if (sm->mld_assoc_link_id >= 0)
93 return sm->wpa_auth->mld_addr;
94 #endif /* CONFIG_IEEE80211BE */
95 return sm->wpa_auth->addr;
96 }
97
98
wpa_auth_get_spa(const struct wpa_state_machine * sm)99 static const u8 * wpa_auth_get_spa(const struct wpa_state_machine *sm)
100 {
101 #ifdef CONFIG_IEEE80211BE
102 if (sm->mld_assoc_link_id >= 0)
103 return sm->peer_mld_addr;
104 #endif /* CONFIG_IEEE80211BE */
105 return sm->addr;
106 }
107
108
wpa_gkeydone_sta(struct wpa_state_machine * sm)109 static void wpa_gkeydone_sta(struct wpa_state_machine *sm)
110 {
111 #ifdef CONFIG_IEEE80211BE
112 int link_id;
113 #endif /* CONFIG_IEEE80211BE */
114
115 sm->group->GKeyDoneStations--;
116 sm->GUpdateStationKeys = false;
117
118 #ifdef CONFIG_IEEE80211BE
119 for_each_sm_auth(sm, link_id)
120 sm->mld_links[link_id].wpa_auth->group->GKeyDoneStations--;
121 #endif /* CONFIG_IEEE80211BE */
122 }
123
124
125 #ifdef CONFIG_IEEE80211BE
126
wpa_release_link_auth_ref(struct wpa_state_machine * sm,int release_link_id)127 void wpa_release_link_auth_ref(struct wpa_state_machine *sm,
128 int release_link_id)
129 {
130 int link_id;
131
132 if (!sm || release_link_id >= MAX_NUM_MLD_LINKS)
133 return;
134
135 for_each_sm_auth(sm, link_id) {
136 if (link_id == release_link_id) {
137 wpa_group_put(sm->mld_links[link_id].wpa_auth,
138 sm->mld_links[link_id].wpa_auth->group);
139 sm->mld_links[link_id].wpa_auth = NULL;
140 }
141 }
142 }
143
144
145 struct wpa_get_link_auth_ctx {
146 const u8 *addr;
147 const u8 *mld_addr;
148 int link_id;
149 struct wpa_authenticator *wpa_auth;
150 };
151
wpa_get_link_sta_auth(struct wpa_authenticator * wpa_auth,void * data)152 static int wpa_get_link_sta_auth(struct wpa_authenticator *wpa_auth, void *data)
153 {
154 struct wpa_get_link_auth_ctx *ctx = data;
155
156 if (!wpa_auth->is_ml)
157 return 0;
158
159 if (ctx->mld_addr &&
160 !ether_addr_equal(wpa_auth->mld_addr, ctx->mld_addr))
161 return 0;
162
163 if ((ctx->addr && ether_addr_equal(wpa_auth->addr, ctx->addr)) ||
164 (ctx->link_id > -1 && wpa_auth->is_ml &&
165 wpa_auth->link_id == ctx->link_id)) {
166 ctx->wpa_auth = wpa_auth;
167 return 1;
168
169 }
170 return 0;
171 }
172
173
174 static struct wpa_authenticator *
wpa_get_link_auth(struct wpa_authenticator * wpa_auth,int link_id)175 wpa_get_link_auth(struct wpa_authenticator *wpa_auth, int link_id)
176 {
177 struct wpa_get_link_auth_ctx ctx;
178
179 ctx.addr = NULL;
180 ctx.mld_addr = wpa_auth->mld_addr;
181 ctx.link_id = link_id;
182 ctx.wpa_auth = NULL;
183 wpa_auth_for_each_auth(wpa_auth, wpa_get_link_sta_auth, &ctx);
184 return ctx.wpa_auth;
185 }
186
187
wpa_get_primary_auth_cb(struct wpa_authenticator * wpa_auth,void * data)188 static int wpa_get_primary_auth_cb(struct wpa_authenticator *wpa_auth,
189 void *data)
190 {
191 struct wpa_get_link_auth_ctx *ctx = data;
192
193 if (!wpa_auth->is_ml ||
194 !ether_addr_equal(wpa_auth->mld_addr, ctx->addr) ||
195 !wpa_auth->primary_auth)
196 return 0;
197
198 ctx->wpa_auth = wpa_auth;
199 return 1;
200 }
201
202 #endif /* CONFIG_IEEE80211BE */
203
204
205 static struct wpa_authenticator *
wpa_get_primary_auth(struct wpa_authenticator * wpa_auth)206 wpa_get_primary_auth(struct wpa_authenticator *wpa_auth)
207 {
208 #ifdef CONFIG_IEEE80211BE
209 struct wpa_get_link_auth_ctx ctx;
210
211 if (!wpa_auth || !wpa_auth->is_ml || wpa_auth->primary_auth)
212 return wpa_auth;
213
214 ctx.addr = wpa_auth->mld_addr;
215 ctx.wpa_auth = NULL;
216 wpa_auth_for_each_auth(wpa_auth, wpa_get_primary_auth_cb, &ctx);
217
218 return ctx.wpa_auth;
219 #else /* CONFIG_IEEE80211BE */
220 return wpa_auth;
221 #endif /* CONFIG_IEEE80211BE */
222 }
223
224
wpa_auth_mic_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)225 static inline int wpa_auth_mic_failure_report(
226 struct wpa_authenticator *wpa_auth, const u8 *addr)
227 {
228 if (wpa_auth->cb->mic_failure_report)
229 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
230 return 0;
231 }
232
233
wpa_auth_psk_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)234 static inline void wpa_auth_psk_failure_report(
235 struct wpa_authenticator *wpa_auth, const u8 *addr)
236 {
237 if (wpa_auth->cb->psk_failure_report)
238 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
239 }
240
241
wpa_auth_set_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var,int value)242 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
243 const u8 *addr, wpa_eapol_variable var,
244 int value)
245 {
246 if (wpa_auth->cb->set_eapol)
247 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
248 }
249
250
wpa_auth_get_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var)251 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
252 const u8 *addr, wpa_eapol_variable var)
253 {
254 if (!wpa_auth->cb->get_eapol)
255 return -1;
256 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
257 }
258
259
wpa_auth_get_psk(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk,size_t * psk_len,int * vlan_id)260 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
261 const u8 *addr,
262 const u8 *p2p_dev_addr,
263 const u8 *prev_psk, size_t *psk_len,
264 int *vlan_id)
265 {
266 if (!wpa_auth->cb->get_psk)
267 return NULL;
268 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
269 prev_psk, psk_len, vlan_id);
270 }
271
272
wpa_auth_get_msk(struct wpa_authenticator * wpa_auth,const u8 * addr,u8 * msk,size_t * len)273 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
274 const u8 *addr, u8 *msk, size_t *len)
275 {
276 if (!wpa_auth->cb->get_msk)
277 return -1;
278 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
279 }
280
281
wpa_auth_set_key(struct wpa_authenticator * wpa_auth,int vlan_id,enum wpa_alg alg,const u8 * addr,int idx,u8 * key,size_t key_len,enum key_flag key_flag)282 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
283 int vlan_id,
284 enum wpa_alg alg, const u8 *addr, int idx,
285 u8 *key, size_t key_len,
286 enum key_flag key_flag)
287 {
288 if (!wpa_auth->cb->set_key)
289 return -1;
290 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
291 key, key_len, key_flag);
292 }
293
294
295 #ifdef CONFIG_PASN
wpa_auth_set_ltf_keyseed(struct wpa_authenticator * wpa_auth,const u8 * peer_addr,const u8 * ltf_keyseed,size_t ltf_keyseed_len)296 static inline int wpa_auth_set_ltf_keyseed(struct wpa_authenticator *wpa_auth,
297 const u8 *peer_addr,
298 const u8 *ltf_keyseed,
299 size_t ltf_keyseed_len)
300 {
301 if (!wpa_auth->cb->set_ltf_keyseed)
302 return -1;
303 return wpa_auth->cb->set_ltf_keyseed(wpa_auth->cb_ctx, peer_addr,
304 ltf_keyseed, ltf_keyseed_len);
305 }
306 #endif /* CONFIG_PASN */
307
308
wpa_auth_get_seqnum(struct wpa_authenticator * wpa_auth,const u8 * addr,int idx,u8 * seq)309 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
310 const u8 *addr, int idx, u8 *seq)
311 {
312 int res;
313
314 if (!wpa_auth->cb->get_seqnum)
315 return -1;
316 #ifdef CONFIG_TESTING_OPTIONS
317 os_memset(seq, 0, WPA_KEY_RSC_LEN);
318 #endif /* CONFIG_TESTING_OPTIONS */
319 res = wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
320 #ifdef CONFIG_TESTING_OPTIONS
321 if (!addr && idx < 4 && wpa_auth->conf.gtk_rsc_override_set) {
322 wpa_printf(MSG_DEBUG,
323 "TESTING: Override GTK RSC %016llx --> %016llx",
324 (long long unsigned) WPA_GET_LE64(seq),
325 (long long unsigned)
326 WPA_GET_LE64(wpa_auth->conf.gtk_rsc_override));
327 os_memcpy(seq, wpa_auth->conf.gtk_rsc_override,
328 WPA_KEY_RSC_LEN);
329 }
330 if (!addr && idx >= 4 && idx <= 5 &&
331 wpa_auth->conf.igtk_rsc_override_set) {
332 wpa_printf(MSG_DEBUG,
333 "TESTING: Override IGTK RSC %016llx --> %016llx",
334 (long long unsigned) WPA_GET_LE64(seq),
335 (long long unsigned)
336 WPA_GET_LE64(wpa_auth->conf.igtk_rsc_override));
337 os_memcpy(seq, wpa_auth->conf.igtk_rsc_override,
338 WPA_KEY_RSC_LEN);
339 }
340 #endif /* CONFIG_TESTING_OPTIONS */
341 return res;
342 }
343
344
345 static inline int
wpa_auth_send_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * data,size_t data_len,int encrypt)346 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
347 const u8 *data, size_t data_len, int encrypt)
348 {
349 if (!wpa_auth->cb->send_eapol)
350 return -1;
351 #ifdef CONFIG_TESTING_OPTIONS
352 if (wpa_auth->conf.skip_send_eapol)
353 return 0;
354 #endif
355 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
356 encrypt);
357 }
358
359
360 #ifdef CONFIG_MESH
wpa_auth_start_ampe(struct wpa_authenticator * wpa_auth,const u8 * addr)361 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
362 const u8 *addr)
363 {
364 if (!wpa_auth->cb->start_ampe)
365 return -1;
366 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
367 }
368 #endif /* CONFIG_MESH */
369
370
wpa_auth_for_each_sta(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_state_machine * sm,void * ctx),void * cb_ctx)371 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
372 int (*cb)(struct wpa_state_machine *sm, void *ctx),
373 void *cb_ctx)
374 {
375 if (!wpa_auth->cb->for_each_sta)
376 return 0;
377 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
378 }
379
380
wpa_auth_for_each_auth(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_authenticator * a,void * ctx),void * cb_ctx)381 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
382 int (*cb)(struct wpa_authenticator *a, void *ctx),
383 void *cb_ctx)
384 {
385 if (!wpa_auth->cb->for_each_auth)
386 return 0;
387 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
388 }
389
390
wpa_auth_store_ptksa(struct wpa_authenticator * wpa_auth,const u8 * addr,int cipher,u32 life_time,const struct wpa_ptk * ptk)391 void wpa_auth_store_ptksa(struct wpa_authenticator *wpa_auth,
392 const u8 *addr, int cipher,
393 u32 life_time, const struct wpa_ptk *ptk)
394 {
395 if (wpa_auth->cb->store_ptksa)
396 wpa_auth->cb->store_ptksa(wpa_auth->cb_ctx, addr, cipher,
397 life_time, ptk);
398 }
399
400
wpa_auth_remove_ptksa(struct wpa_authenticator * wpa_auth,const u8 * addr,int cipher)401 static void wpa_auth_remove_ptksa(struct wpa_authenticator *wpa_auth,
402 const u8 *addr, int cipher)
403 {
404 if (wpa_auth->cb->clear_ptksa)
405 wpa_auth->cb->clear_ptksa(wpa_auth->cb_ctx, addr, cipher);
406 }
407
408
wpa_auth_logger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * txt)409 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
410 logger_level level, const char *txt)
411 {
412 if (!wpa_auth->cb->logger)
413 return;
414 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
415 }
416
417
wpa_auth_vlogger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * fmt,...)418 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
419 logger_level level, const char *fmt, ...)
420 {
421 char *format;
422 int maxlen;
423 va_list ap;
424
425 if (!wpa_auth->cb->logger)
426 return;
427
428 maxlen = os_strlen(fmt) + 100;
429 format = os_malloc(maxlen);
430 if (!format)
431 return;
432
433 va_start(ap, fmt);
434 vsnprintf(format, maxlen, fmt, ap);
435 va_end(ap);
436
437 wpa_auth_logger(wpa_auth, addr, level, format);
438
439 os_free(format);
440 }
441
442
wpa_sta_disconnect(struct wpa_authenticator * wpa_auth,const u8 * addr,u16 reason)443 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
444 const u8 *addr, u16 reason)
445 {
446 if (!wpa_auth->cb->disconnect)
447 return;
448 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
449 MAC2STR(addr), reason);
450 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
451 }
452
453
454 #ifdef CONFIG_OCV
wpa_channel_info(struct wpa_authenticator * wpa_auth,struct wpa_channel_info * ci)455 static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
456 struct wpa_channel_info *ci)
457 {
458 if (!wpa_auth->cb->channel_info)
459 return -1;
460 return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
461 }
462 #endif /* CONFIG_OCV */
463
464
wpa_auth_update_vlan(struct wpa_authenticator * wpa_auth,const u8 * addr,int vlan_id)465 static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
466 const u8 *addr, int vlan_id)
467 {
468 if (!wpa_auth->cb->update_vlan)
469 return -1;
470 return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
471 }
472
473
wpa_rekey_gmk(void * eloop_ctx,void * timeout_ctx)474 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
475 {
476 struct wpa_authenticator *wpa_auth = eloop_ctx;
477
478 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
479 wpa_printf(MSG_ERROR,
480 "Failed to get random data for WPA initialization.");
481 } else {
482 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
483 wpa_hexdump_key(MSG_DEBUG, "GMK",
484 wpa_auth->group->GMK, WPA_GMK_LEN);
485 }
486
487 if (wpa_auth->conf.wpa_gmk_rekey) {
488 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
489 wpa_rekey_gmk, wpa_auth, NULL);
490 }
491 }
492
493
wpa_rekey_all_groups(struct wpa_authenticator * wpa_auth)494 static void wpa_rekey_all_groups(struct wpa_authenticator *wpa_auth)
495 {
496 struct wpa_group *group, *next;
497
498 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
499 group = wpa_auth->group;
500 while (group) {
501 wpa_printf(MSG_DEBUG, "GTK rekey start for authenticator ("
502 MACSTR "), group vlan %d",
503 MAC2STR(wpa_auth->addr), group->vlan_id);
504 wpa_group_get(wpa_auth, group);
505
506 group->GTKReKey = true;
507 do {
508 group->changed = false;
509 wpa_group_sm_step(wpa_auth, group);
510 } while (group->changed);
511
512 next = group->next;
513 wpa_group_put(wpa_auth, group);
514 group = next;
515 }
516 }
517
518
519 #ifdef CONFIG_IEEE80211BE
520
wpa_update_all_gtks(struct wpa_authenticator * wpa_auth)521 static void wpa_update_all_gtks(struct wpa_authenticator *wpa_auth)
522 {
523 struct wpa_group *group, *next;
524
525 group = wpa_auth->group;
526 while (group) {
527 wpa_group_get(wpa_auth, group);
528
529 wpa_group_update_gtk(wpa_auth, group);
530 next = group->next;
531 wpa_group_put(wpa_auth, group);
532 group = next;
533 }
534 }
535
536
wpa_update_all_gtks_cb(struct wpa_authenticator * wpa_auth,void * ctx)537 static int wpa_update_all_gtks_cb(struct wpa_authenticator *wpa_auth, void *ctx)
538 {
539 const u8 *mld_addr = ctx;
540
541 if (!ether_addr_equal(wpa_auth->mld_addr, mld_addr))
542 return 0;
543
544 wpa_update_all_gtks(wpa_auth);
545 return 0;
546 }
547
548
wpa_rekey_all_groups_cb(struct wpa_authenticator * wpa_auth,void * ctx)549 static int wpa_rekey_all_groups_cb(struct wpa_authenticator *wpa_auth,
550 void *ctx)
551 {
552 const u8 *mld_addr = ctx;
553
554 if (!ether_addr_equal(wpa_auth->mld_addr, mld_addr))
555 return 0;
556
557 wpa_rekey_all_groups(wpa_auth);
558 return 0;
559 }
560
561 #endif /* CONFIG_IEEE80211BE */
562
563
wpa_rekey_gtk(void * eloop_ctx,void * timeout_ctx)564 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
565 {
566 struct wpa_authenticator *wpa_auth = eloop_ctx;
567
568 #ifdef CONFIG_IEEE80211BE
569 if (wpa_auth->is_ml) {
570 /* Non-primary ML authenticator eloop timer for group rekey is
571 * never started and shouldn't fire. Check and warn just in
572 * case. */
573 if (!wpa_auth->primary_auth) {
574 wpa_printf(MSG_DEBUG,
575 "RSN: Cannot start GTK rekey on non-primary ML authenticator");
576 return;
577 }
578
579 /* Generate all the new group keys */
580 wpa_auth_for_each_auth(wpa_auth, wpa_update_all_gtks_cb,
581 wpa_auth->mld_addr);
582
583 /* Send all the generated group keys to the respective stations
584 * with group key handshake. */
585 wpa_auth_for_each_auth(wpa_auth, wpa_rekey_all_groups_cb,
586 wpa_auth->mld_addr);
587 } else {
588 wpa_rekey_all_groups(wpa_auth);
589 }
590 #else /* CONFIG_IEEE80211BE */
591 wpa_rekey_all_groups(wpa_auth);
592 #endif /* CONFIG_IEEE80211BE */
593
594 if (wpa_auth->conf.wpa_group_rekey) {
595 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
596 0, wpa_rekey_gtk, wpa_auth, NULL);
597 }
598 }
599
600
wpa_rekey_ptk(void * eloop_ctx,void * timeout_ctx)601 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
602 {
603 struct wpa_authenticator *wpa_auth = eloop_ctx;
604 struct wpa_state_machine *sm = timeout_ctx;
605
606 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
607 "rekeying PTK");
608 wpa_request_new_ptk(sm);
609 wpa_sm_step(sm);
610 }
611
612
wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine * sm)613 void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm)
614 {
615 if (sm && sm->wpa_auth->conf.wpa_ptk_rekey) {
616 wpa_printf(MSG_DEBUG, "WPA: Start PTK rekeying timer for "
617 MACSTR " (%d seconds)",
618 MAC2STR(wpa_auth_get_spa(sm)),
619 sm->wpa_auth->conf.wpa_ptk_rekey);
620 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
621 eloop_register_timeout(sm->wpa_auth->conf.wpa_ptk_rekey, 0,
622 wpa_rekey_ptk, sm->wpa_auth, sm);
623 }
624 }
625
626
wpa_auth_pmksa_clear_cb(struct wpa_state_machine * sm,void * ctx)627 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
628 {
629 if (sm->pmksa == ctx)
630 sm->pmksa = NULL;
631 return 0;
632 }
633
634
wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)635 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
636 void *ctx)
637 {
638 struct wpa_authenticator *wpa_auth = ctx;
639 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
640 }
641
642
wpa_group_init_gmk_and_counter(struct wpa_authenticator * wpa_auth,struct wpa_group * group)643 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
644 struct wpa_group *group)
645 {
646 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
647 u8 rkey[32];
648 unsigned long ptr;
649
650 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
651 return -1;
652 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
653
654 /*
655 * Counter = PRF-256(Random number, "Init Counter",
656 * Local MAC Address || Time)
657 */
658 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
659 wpa_get_ntp_timestamp(buf + ETH_ALEN);
660 ptr = (unsigned long) group;
661 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
662 #ifdef TEST_FUZZ
663 os_memset(buf + ETH_ALEN, 0xab, 8);
664 os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
665 #endif /* TEST_FUZZ */
666 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
667 return -1;
668
669 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
670 group->Counter, WPA_NONCE_LEN) < 0)
671 return -1;
672 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
673 group->Counter, WPA_NONCE_LEN);
674
675 return 0;
676 }
677
678
wpa_group_init(struct wpa_authenticator * wpa_auth,int vlan_id,int delay_init)679 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
680 int vlan_id, int delay_init)
681 {
682 struct wpa_group *group;
683
684 group = os_zalloc(sizeof(struct wpa_group));
685 if (!group)
686 return NULL;
687
688 group->GTKAuthenticator = true;
689 group->vlan_id = vlan_id;
690 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
691
692 if (random_pool_ready() != 1) {
693 wpa_printf(MSG_INFO,
694 "WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects");
695 }
696
697 /*
698 * Set initial GMK/Counter value here. The actual values that will be
699 * used in negotiations will be set once the first station tries to
700 * connect. This allows more time for collecting additional randomness
701 * on embedded devices.
702 */
703 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
704 wpa_printf(MSG_ERROR,
705 "Failed to get random data for WPA initialization.");
706 os_free(group);
707 return NULL;
708 }
709
710 group->GInit = true;
711 if (delay_init) {
712 wpa_printf(MSG_DEBUG,
713 "WPA: Delay group state machine start until Beacon frames have been configured");
714 /* Initialization is completed in wpa_init_keys(). */
715 } else {
716 wpa_group_sm_step(wpa_auth, group);
717 group->GInit = false;
718 wpa_group_sm_step(wpa_auth, group);
719 }
720
721 return group;
722 }
723
724
725 /**
726 * wpa_init - Initialize WPA authenticator
727 * @addr: Authenticator address
728 * @conf: Configuration for WPA authenticator
729 * @cb: Callback functions for WPA authenticator
730 * Returns: Pointer to WPA authenticator data or %NULL on failure
731 */
wpa_init(const u8 * addr,struct wpa_auth_config * conf,const struct wpa_auth_callbacks * cb,void * cb_ctx)732 struct wpa_authenticator * wpa_init(const u8 *addr,
733 struct wpa_auth_config *conf,
734 const struct wpa_auth_callbacks *cb,
735 void *cb_ctx)
736 {
737 struct wpa_authenticator *wpa_auth;
738
739 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
740 if (!wpa_auth)
741 return NULL;
742
743 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
744 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
745
746 #ifdef CONFIG_IEEE80211BE
747 if (conf->mld_addr) {
748 wpa_auth->is_ml = true;
749 wpa_auth->link_id = conf->link_id;
750 wpa_auth->primary_auth = !conf->first_link_auth;
751 os_memcpy(wpa_auth->mld_addr, conf->mld_addr, ETH_ALEN);
752 }
753 #endif /* CONFIG_IEEE80211BE */
754
755 wpa_auth->cb = cb;
756 wpa_auth->cb_ctx = cb_ctx;
757
758 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
759 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
760 os_free(wpa_auth);
761 return NULL;
762 }
763
764 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
765 if (!wpa_auth->group) {
766 os_free(wpa_auth->wpa_ie);
767 os_free(wpa_auth);
768 return NULL;
769 }
770
771 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
772 wpa_auth);
773 if (!wpa_auth->pmksa) {
774 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
775 os_free(wpa_auth->group);
776 os_free(wpa_auth->wpa_ie);
777 os_free(wpa_auth);
778 return NULL;
779 }
780
781 #ifdef CONFIG_IEEE80211R_AP
782 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
783 if (!wpa_auth->ft_pmk_cache) {
784 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
785 os_free(wpa_auth->group);
786 os_free(wpa_auth->wpa_ie);
787 pmksa_cache_auth_deinit(wpa_auth->pmksa);
788 os_free(wpa_auth);
789 return NULL;
790 }
791 #endif /* CONFIG_IEEE80211R_AP */
792
793 if (wpa_auth->conf.wpa_gmk_rekey) {
794 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
795 wpa_rekey_gmk, wpa_auth, NULL);
796 }
797
798 #ifdef CONFIG_IEEE80211BE
799 /* For AP MLD, run group rekey timer only on one link (first) and
800 * whenever it fires do rekey on all associated ML links in one shot.
801 */
802 if ((!wpa_auth->is_ml || !conf->first_link_auth) &&
803 wpa_auth->conf.wpa_group_rekey) {
804 #else /* CONFIG_IEEE80211BE */
805 if (wpa_auth->conf.wpa_group_rekey) {
806 #endif /* CONFIG_IEEE80211BE */
807 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
808 wpa_rekey_gtk, wpa_auth, NULL);
809 }
810
811 #ifdef CONFIG_P2P
812 if (WPA_GET_BE32(conf->ip_addr_start)) {
813 int count = WPA_GET_BE32(conf->ip_addr_end) -
814 WPA_GET_BE32(conf->ip_addr_start) + 1;
815 if (count > 1000)
816 count = 1000;
817 if (count > 0)
818 wpa_auth->ip_pool = bitfield_alloc(count);
819 }
820 #endif /* CONFIG_P2P */
821
822 if (conf->tx_bss_auth && conf->beacon_prot) {
823 conf->tx_bss_auth->non_tx_beacon_prot = true;
824 if (!conf->tx_bss_auth->conf.beacon_prot)
825 conf->tx_bss_auth->conf.beacon_prot = true;
826 if (!conf->tx_bss_auth->conf.group_mgmt_cipher)
827 conf->tx_bss_auth->conf.group_mgmt_cipher =
828 conf->group_mgmt_cipher;
829 }
830
831 return wpa_auth;
832 }
833
834
835 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
836 {
837 struct wpa_group *group = wpa_auth->group;
838
839 wpa_printf(MSG_DEBUG,
840 "WPA: Start group state machine to set initial keys");
841 wpa_group_sm_step(wpa_auth, group);
842 group->GInit = false;
843 wpa_group_sm_step(wpa_auth, group);
844 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
845 return -1;
846 return 0;
847 }
848
849
850 static void wpa_auth_free_conf(struct wpa_auth_config *conf)
851 {
852 #ifdef CONFIG_TESTING_OPTIONS
853 wpabuf_free(conf->eapol_m1_elements);
854 conf->eapol_m1_elements = NULL;
855 wpabuf_free(conf->eapol_m3_elements);
856 conf->eapol_m3_elements = NULL;
857 #endif /* CONFIG_TESTING_OPTIONS */
858 }
859
860
861 /**
862 * wpa_deinit - Deinitialize WPA authenticator
863 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
864 */
865 void wpa_deinit(struct wpa_authenticator *wpa_auth)
866 {
867 struct wpa_group *group, *prev;
868
869 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
870
871 /* TODO: Assign ML primary authenticator to next link authenticator and
872 * start rekey timer. */
873 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
874
875 pmksa_cache_auth_deinit(wpa_auth->pmksa);
876
877 #ifdef CONFIG_IEEE80211R_AP
878 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
879 wpa_auth->ft_pmk_cache = NULL;
880 wpa_ft_deinit(wpa_auth);
881 #endif /* CONFIG_IEEE80211R_AP */
882
883 #ifdef CONFIG_P2P
884 bitfield_free(wpa_auth->ip_pool);
885 #endif /* CONFIG_P2P */
886
887
888 os_free(wpa_auth->wpa_ie);
889
890 group = wpa_auth->group;
891 while (group) {
892 prev = group;
893 group = group->next;
894 bin_clear_free(prev, sizeof(*prev));
895 }
896
897 wpa_auth_free_conf(&wpa_auth->conf);
898 os_free(wpa_auth);
899 }
900
901
902 /**
903 * wpa_reconfig - Update WPA authenticator configuration
904 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
905 * @conf: Configuration for WPA authenticator
906 */
907 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
908 struct wpa_auth_config *conf)
909 {
910 struct wpa_group *group;
911
912 if (!wpa_auth)
913 return 0;
914
915 wpa_auth_free_conf(&wpa_auth->conf);
916 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
917 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
918 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
919 return -1;
920 }
921
922 /*
923 * Reinitialize GTK to make sure it is suitable for the new
924 * configuration.
925 */
926 group = wpa_auth->group;
927 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
928 group->GInit = true;
929 wpa_group_sm_step(wpa_auth, group);
930 group->GInit = false;
931 wpa_group_sm_step(wpa_auth, group);
932
933 return 0;
934 }
935
936
937 struct wpa_state_machine *
938 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
939 const u8 *p2p_dev_addr)
940 {
941 struct wpa_state_machine *sm;
942
943 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
944 return NULL;
945
946 sm = os_zalloc(sizeof(struct wpa_state_machine));
947 if (!sm)
948 return NULL;
949 os_memcpy(sm->addr, addr, ETH_ALEN);
950 if (p2p_dev_addr)
951 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
952
953 sm->wpa_auth = wpa_auth;
954 sm->group = wpa_auth->group;
955 wpa_group_get(sm->wpa_auth, sm->group);
956 #ifdef CONFIG_IEEE80211BE
957 sm->mld_assoc_link_id = -1;
958 #endif /* CONFIG_IEEE80211BE */
959
960 return sm;
961 }
962
963
964 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
965 struct wpa_state_machine *sm)
966 {
967 if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
968 return -1;
969
970 #ifdef CONFIG_IEEE80211R_AP
971 if (sm->ft_completed) {
972 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
973 "FT authentication already completed - do not start 4-way handshake");
974 /* Go to PTKINITDONE state to allow GTK rekeying */
975 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
976 sm->Pair = true;
977 return 0;
978 }
979 #endif /* CONFIG_IEEE80211R_AP */
980
981 #ifdef CONFIG_FILS
982 if (sm->fils_completed) {
983 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
984 "FILS authentication already completed - do not start 4-way handshake");
985 /* Go to PTKINITDONE state to allow GTK rekeying */
986 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
987 sm->Pair = true;
988 return 0;
989 }
990 #endif /* CONFIG_FILS */
991
992 if (sm->started) {
993 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
994 sm->ReAuthenticationRequest = true;
995 return wpa_sm_step(sm);
996 }
997
998 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
999 "start authentication");
1000 sm->started = 1;
1001
1002 sm->Init = true;
1003 if (wpa_sm_step(sm) == 1)
1004 return 1; /* should not really happen */
1005 sm->Init = false;
1006 sm->AuthenticationRequest = true;
1007 return wpa_sm_step(sm);
1008 }
1009
1010
1011 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
1012 {
1013 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
1014 * reassociates back to the same AP while the previous entry for the
1015 * STA has not yet been removed. */
1016 if (!sm)
1017 return;
1018
1019 sm->wpa_key_mgmt = 0;
1020 }
1021
1022
1023 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
1024 {
1025 #ifdef CONFIG_IEEE80211BE
1026 int link_id;
1027 #endif /* CONFIG_IEEE80211BE */
1028
1029 #ifdef CONFIG_P2P
1030 if (WPA_GET_BE32(sm->ip_addr)) {
1031 wpa_printf(MSG_DEBUG,
1032 "P2P: Free assigned IP address %u.%u.%u.%u from "
1033 MACSTR " (bit %u)",
1034 sm->ip_addr[0], sm->ip_addr[1],
1035 sm->ip_addr[2], sm->ip_addr[3],
1036 MAC2STR(wpa_auth_get_spa(sm)),
1037 sm->ip_addr_bit);
1038 bitfield_clear(sm->wpa_auth->ip_pool, sm->ip_addr_bit);
1039 }
1040 #endif /* CONFIG_P2P */
1041 if (sm->GUpdateStationKeys)
1042 wpa_gkeydone_sta(sm);
1043 #ifdef CONFIG_IEEE80211R_AP
1044 os_free(sm->assoc_resp_ftie);
1045 wpabuf_free(sm->ft_pending_req_ies);
1046 #endif /* CONFIG_IEEE80211R_AP */
1047 os_free(sm->last_rx_eapol_key);
1048 os_free(sm->wpa_ie);
1049 os_free(sm->rsnxe);
1050 os_free(sm->rsn_selection);
1051 #ifdef CONFIG_IEEE80211BE
1052 for_each_sm_auth(sm, link_id) {
1053 wpa_group_put(sm->mld_links[link_id].wpa_auth,
1054 sm->mld_links[link_id].wpa_auth->group);
1055 sm->mld_links[link_id].wpa_auth = NULL;
1056 }
1057 #endif /* CONFIG_IEEE80211BE */
1058 wpa_group_put(sm->wpa_auth, sm->group);
1059 #ifdef CONFIG_DPP2
1060 wpabuf_clear_free(sm->dpp_z);
1061 #endif /* CONFIG_DPP2 */
1062 bin_clear_free(sm, sizeof(*sm));
1063 }
1064
1065
1066 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
1067 {
1068 struct wpa_authenticator *wpa_auth;
1069
1070 if (!sm)
1071 return;
1072
1073 wpa_auth = sm->wpa_auth;
1074 if (wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
1075 struct wpa_authenticator *primary_auth = wpa_auth;
1076
1077 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1078 "strict rekeying - force GTK rekey since STA is leaving");
1079
1080 #ifdef CONFIG_IEEE80211BE
1081 if (wpa_auth->is_ml && !wpa_auth->primary_auth)
1082 primary_auth = wpa_get_primary_auth(wpa_auth);
1083 #endif /* CONFIG_IEEE80211BE */
1084
1085 if (eloop_deplete_timeout(0, 500000, wpa_rekey_gtk,
1086 primary_auth, NULL) == -1)
1087 eloop_register_timeout(0, 500000, wpa_rekey_gtk,
1088 primary_auth, NULL);
1089 }
1090
1091 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1092 sm->pending_1_of_4_timeout = 0;
1093 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
1094 eloop_cancel_timeout(wpa_rekey_ptk, wpa_auth, sm);
1095 #ifdef CONFIG_IEEE80211R_AP
1096 wpa_ft_sta_deinit(sm);
1097 #endif /* CONFIG_IEEE80211R_AP */
1098 if (sm->in_step_loop) {
1099 /* Must not free state machine while wpa_sm_step() is running.
1100 * Freeing will be completed in the end of wpa_sm_step(). */
1101 wpa_printf(MSG_DEBUG,
1102 "WPA: Registering pending STA state machine deinit for "
1103 MACSTR, MAC2STR(wpa_auth_get_spa(sm)));
1104 sm->pending_deinit = 1;
1105 } else
1106 wpa_free_sta_sm(sm);
1107 }
1108
1109
1110 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
1111 {
1112 if (!sm)
1113 return;
1114
1115 if (!sm->use_ext_key_id && sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
1116 wpa_printf(MSG_INFO,
1117 "WPA: PTK0 rekey not allowed, disconnect " MACSTR,
1118 MAC2STR(wpa_auth_get_spa(sm)));
1119 sm->Disconnect = true;
1120 /* Try to encourage the STA to reconnect */
1121 sm->disconnect_reason =
1122 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;
1123 } else {
1124 if (sm->use_ext_key_id)
1125 sm->keyidx_active ^= 1; /* flip Key ID */
1126 sm->PTKRequest = true;
1127 sm->PTK_valid = 0;
1128 }
1129 }
1130
1131
1132 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
1133 const u8 *replay_counter)
1134 {
1135 int i;
1136 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1137 if (!ctr[i].valid)
1138 break;
1139 if (os_memcmp(replay_counter, ctr[i].counter,
1140 WPA_REPLAY_COUNTER_LEN) == 0)
1141 return 1;
1142 }
1143 return 0;
1144 }
1145
1146
1147 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
1148 const u8 *replay_counter)
1149 {
1150 int i;
1151 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1152 if (ctr[i].valid &&
1153 (!replay_counter ||
1154 os_memcmp(replay_counter, ctr[i].counter,
1155 WPA_REPLAY_COUNTER_LEN) == 0))
1156 ctr[i].valid = false;
1157 }
1158 }
1159
1160
1161 #ifdef CONFIG_IEEE80211R_AP
1162 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
1163 struct wpa_state_machine *sm,
1164 struct wpa_eapol_ie_parse *kde)
1165 {
1166 struct wpa_ie_data ie, assoc_ie;
1167 struct rsn_mdie *mdie;
1168 unsigned int i, j;
1169 bool found = false;
1170
1171 /* Verify that PMKR1Name from EAPOL-Key message 2/4 matches the value
1172 * we derived. */
1173
1174 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
1175 ie.num_pmkid < 1 || !ie.pmkid) {
1176 wpa_printf(MSG_DEBUG,
1177 "FT: No PMKR1Name in FT 4-way handshake message 2/4");
1178 return -1;
1179 }
1180
1181 if (wpa_parse_wpa_ie_rsn(sm->wpa_ie, sm->wpa_ie_len, &assoc_ie) < 0) {
1182 wpa_printf(MSG_DEBUG,
1183 "FT: Could not parse (Re)Association Request frame RSNE");
1184 os_memset(&assoc_ie, 0, sizeof(assoc_ie));
1185 /* Continue to allow PMKR1Name matching to be done to cover the
1186 * case where it is the only listed PMKID. */
1187 }
1188
1189 for (i = 0; i < ie.num_pmkid; i++) {
1190 const u8 *pmkid = ie.pmkid + i * PMKID_LEN;
1191
1192 if (os_memcmp_const(pmkid, sm->pmk_r1_name,
1193 WPA_PMK_NAME_LEN) == 0) {
1194 wpa_printf(MSG_DEBUG,
1195 "FT: RSNE[PMKID[%u]] from supplicant matches PMKR1Name",
1196 i);
1197 found = true;
1198 } else {
1199 for (j = 0; j < assoc_ie.num_pmkid; j++) {
1200 if (os_memcmp(pmkid,
1201 assoc_ie.pmkid + j * PMKID_LEN,
1202 PMKID_LEN) == 0)
1203 break;
1204 }
1205
1206 if (j == assoc_ie.num_pmkid) {
1207 wpa_printf(MSG_DEBUG,
1208 "FT: RSNE[PMKID[%u]] from supplicant is neither PMKR1Name nor included in AssocReq",
1209 i);
1210 found = false;
1211 break;
1212 }
1213 wpa_printf(MSG_DEBUG,
1214 "FT: RSNE[PMKID[%u]] from supplicant is not PMKR1Name, but matches a PMKID in AssocReq",
1215 i);
1216 }
1217 }
1218
1219 if (!found) {
1220 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
1221 LOGGER_DEBUG,
1222 "PMKR1Name mismatch in FT 4-way handshake");
1223 wpa_hexdump(MSG_DEBUG,
1224 "FT: PMKIDs/PMKR1Name from Supplicant",
1225 ie.pmkid, ie.num_pmkid * PMKID_LEN);
1226 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1227 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1228 return -1;
1229 }
1230
1231 if (!kde->mdie || !kde->ftie) {
1232 wpa_printf(MSG_DEBUG,
1233 "FT: No %s in FT 4-way handshake message 2/4",
1234 kde->mdie ? "FTIE" : "MDIE");
1235 return -1;
1236 }
1237
1238 mdie = (struct rsn_mdie *) (kde->mdie + 2);
1239 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
1240 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
1241 MOBILITY_DOMAIN_ID_LEN) != 0) {
1242 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
1243 return -1;
1244 }
1245
1246 if (sm->assoc_resp_ftie &&
1247 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
1248 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
1249 2 + sm->assoc_resp_ftie[1]) != 0)) {
1250 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
1251 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
1252 kde->ftie, kde->ftie_len);
1253 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
1254 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
1255 return -1;
1256 }
1257
1258 return 0;
1259 }
1260 #endif /* CONFIG_IEEE80211R_AP */
1261
1262
1263 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
1264 struct wpa_state_machine *sm, int group)
1265 {
1266 /* Supplicant reported a Michael MIC error */
1267 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1268 "received EAPOL-Key Error Request (STA detected Michael MIC failure (group=%d))",
1269 group);
1270
1271 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
1272 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1273 "ignore Michael MIC failure report since group cipher is not TKIP");
1274 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
1275 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1276 "ignore Michael MIC failure report since pairwise cipher is not TKIP");
1277 } else {
1278 if (wpa_auth_mic_failure_report(wpa_auth,
1279 wpa_auth_get_spa(sm)) > 0)
1280 return 1; /* STA entry was removed */
1281 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
1282 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
1283 }
1284
1285 /*
1286 * Error report is not a request for a new key handshake, but since
1287 * Authenticator may do it, let's change the keys now anyway.
1288 */
1289 wpa_request_new_ptk(sm);
1290 return 0;
1291 }
1292
1293
1294 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
1295 size_t data_len)
1296 {
1297 struct wpa_ptk PTK;
1298 int ok = 0;
1299 const u8 *pmk = NULL;
1300 size_t pmk_len;
1301 int vlan_id = 0;
1302 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
1303 u8 pmk_r1[PMK_LEN_MAX];
1304 size_t key_len;
1305 int ret = -1;
1306
1307 os_memset(&PTK, 0, sizeof(PTK));
1308 for (;;) {
1309 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
1310 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
1311 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
1312 sm->p2p_dev_addr, pmk, &pmk_len,
1313 &vlan_id);
1314 if (!pmk)
1315 break;
1316 #ifdef CONFIG_IEEE80211R_AP
1317 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
1318 os_memcpy(sm->xxkey, pmk, pmk_len);
1319 sm->xxkey_len = pmk_len;
1320 }
1321 #endif /* CONFIG_IEEE80211R_AP */
1322 } else {
1323 pmk = sm->PMK;
1324 pmk_len = sm->pmk_len;
1325 }
1326
1327 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK, 0,
1328 pmk_r0, pmk_r1, pmk_r0_name, &key_len,
1329 false) < 0)
1330 break;
1331
1332 if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
1333 data, data_len) == 0) {
1334 if (sm->PMK != pmk) {
1335 os_memcpy(sm->PMK, pmk, pmk_len);
1336 sm->pmk_len = pmk_len;
1337 }
1338 ok = 1;
1339 break;
1340 }
1341
1342 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1343 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
1344 break;
1345 }
1346
1347 if (!ok) {
1348 wpa_printf(MSG_DEBUG,
1349 "WPA: Earlier SNonce did not result in matching MIC");
1350 goto fail;
1351 }
1352
1353 wpa_printf(MSG_DEBUG,
1354 "WPA: Earlier SNonce resulted in matching MIC");
1355 sm->alt_snonce_valid = 0;
1356
1357 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
1358 wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
1359 goto fail;
1360
1361 #ifdef CONFIG_IEEE80211R_AP
1362 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && !sm->ft_completed) {
1363 wpa_printf(MSG_DEBUG, "FT: Store PMK-R0/PMK-R1");
1364 wpa_auth_ft_store_keys(sm, pmk_r0, pmk_r1, pmk_r0_name,
1365 key_len);
1366 }
1367 #endif /* CONFIG_IEEE80211R_AP */
1368
1369 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
1370 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
1371 forced_memzero(&PTK, sizeof(PTK));
1372 sm->PTK_valid = true;
1373
1374 ret = 0;
1375 fail:
1376 forced_memzero(pmk_r0, sizeof(pmk_r0));
1377 forced_memzero(pmk_r1, sizeof(pmk_r1));
1378 return ret;
1379 }
1380
1381
1382 static bool wpa_auth_gtk_rekey_in_process(struct wpa_authenticator *wpa_auth)
1383 {
1384 struct wpa_group *group;
1385
1386 for (group = wpa_auth->group; group; group = group->next) {
1387 if (group->GKeyDoneStations)
1388 return true;
1389 }
1390 return false;
1391 }
1392
1393
1394 enum eapol_key_msg { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST };
1395
1396 static bool wpa_auth_valid_key_desc_ver(struct wpa_authenticator *wpa_auth,
1397 struct wpa_state_machine *sm, u16 ver)
1398 {
1399 if (ver > WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1400 wpa_printf(MSG_INFO, "RSN: " MACSTR
1401 " used undefined Key Descriptor Version %d",
1402 MAC2STR(wpa_auth_get_spa(sm)), ver);
1403 return false;
1404 }
1405
1406 if (!wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1407 wpa_use_cmac(sm->wpa_key_mgmt) &&
1408 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1409 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1410 LOGGER_WARNING,
1411 "advertised support for AES-128-CMAC, but did not use it");
1412 return false;
1413 }
1414
1415 if (sm->pairwise != WPA_CIPHER_TKIP &&
1416 !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1417 !wpa_use_cmac(sm->wpa_key_mgmt) &&
1418 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1419 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1420 LOGGER_WARNING,
1421 "did not use HMAC-SHA1-AES with CCMP/GCMP");
1422 return false;
1423 }
1424
1425 if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
1426 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1427 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1428 LOGGER_WARNING,
1429 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1430 return false;
1431 }
1432
1433 return true;
1434 }
1435
1436
1437 static bool wpa_auth_valid_request_counter(struct wpa_authenticator *wpa_auth,
1438 struct wpa_state_machine *sm,
1439 const u8 *replay_counter)
1440 {
1441
1442 if (sm->req_replay_counter_used &&
1443 os_memcmp(replay_counter, sm->req_replay_counter,
1444 WPA_REPLAY_COUNTER_LEN) <= 0) {
1445 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1446 LOGGER_WARNING,
1447 "received EAPOL-Key request with replayed counter");
1448 return false;
1449 }
1450
1451 return true;
1452 }
1453
1454
1455 static bool wpa_auth_valid_counter(struct wpa_authenticator *wpa_auth,
1456 struct wpa_state_machine *sm,
1457 const struct wpa_eapol_key *key,
1458 enum eapol_key_msg msg,
1459 const char *msgtxt)
1460 {
1461 int i;
1462
1463 if (msg == REQUEST)
1464 return wpa_auth_valid_request_counter(wpa_auth, sm,
1465 key->replay_counter);
1466
1467 if (wpa_replay_counter_valid(sm->key_replay, key->replay_counter))
1468 return true;
1469
1470 if (msg == PAIRWISE_2 &&
1471 wpa_replay_counter_valid(sm->prev_key_replay,
1472 key->replay_counter) &&
1473 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1474 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1475 /*
1476 * Some supplicant implementations (e.g., Windows XP
1477 * WZC) update SNonce for each EAPOL-Key 2/4. This
1478 * breaks the workaround on accepting any of the
1479 * pending requests, so allow the SNonce to be updated
1480 * even if we have already sent out EAPOL-Key 3/4.
1481 */
1482 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1483 LOGGER_DEBUG,
1484 "Process SNonce update from STA based on retransmitted EAPOL-Key 1/4");
1485 sm->update_snonce = 1;
1486 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1487 sm->alt_snonce_valid = true;
1488 os_memcpy(sm->alt_replay_counter,
1489 sm->key_replay[0].counter,
1490 WPA_REPLAY_COUNTER_LEN);
1491 return true;
1492 }
1493
1494 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1495 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1496 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1497 WPA_REPLAY_COUNTER_LEN) == 0) {
1498 /*
1499 * Supplicant may still be using the old SNonce since
1500 * there was two EAPOL-Key 2/4 messages and they had
1501 * different SNonce values.
1502 */
1503 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1504 LOGGER_DEBUG,
1505 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1506 return true;
1507 }
1508
1509 if (msg == PAIRWISE_2 &&
1510 wpa_replay_counter_valid(sm->prev_key_replay,
1511 key->replay_counter) &&
1512 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1513 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1514 LOGGER_DEBUG,
1515 "ignore retransmitted EAPOL-Key %s - SNonce did not change",
1516 msgtxt);
1517 } else {
1518 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1519 LOGGER_DEBUG,
1520 "received EAPOL-Key %s with unexpected replay counter",
1521 msgtxt);
1522 }
1523 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1524 if (!sm->key_replay[i].valid)
1525 break;
1526 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1527 sm->key_replay[i].counter,
1528 WPA_REPLAY_COUNTER_LEN);
1529 }
1530 wpa_hexdump(MSG_DEBUG, "received replay counter",
1531 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1532 return false;
1533 }
1534
1535
1536 void wpa_receive(struct wpa_authenticator *wpa_auth,
1537 struct wpa_state_machine *sm,
1538 u8 *data, size_t data_len)
1539 {
1540 struct ieee802_1x_hdr *hdr;
1541 struct wpa_eapol_key *key;
1542 u16 key_info, ver, key_data_length;
1543 enum eapol_key_msg msg;
1544 const char *msgtxt;
1545 const u8 *key_data;
1546 size_t keyhdrlen, mic_len;
1547 u8 *mic;
1548 u8 *key_data_buf = NULL;
1549 size_t key_data_buf_len = 0;
1550
1551 if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
1552 return;
1553
1554 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
1555
1556 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1557 keyhdrlen = sizeof(*key) + mic_len + 2;
1558
1559 if (data_len < sizeof(*hdr) + keyhdrlen) {
1560 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
1561 return;
1562 }
1563
1564 hdr = (struct ieee802_1x_hdr *) data;
1565 key = (struct wpa_eapol_key *) (hdr + 1);
1566 mic = (u8 *) (key + 1);
1567 key_info = WPA_GET_BE16(key->key_info);
1568 key_data = mic + mic_len + 2;
1569 key_data_length = WPA_GET_BE16(mic + mic_len);
1570 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
1571 " key_info=0x%x type=%u mic_len=%zu key_data_length=%u",
1572 MAC2STR(wpa_auth_get_spa(sm)), key_info, key->type,
1573 mic_len, key_data_length);
1574 wpa_hexdump(MSG_MSGDUMP,
1575 "WPA: EAPOL-Key header (ending before Key MIC)",
1576 key, sizeof(*key));
1577 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
1578 mic, mic_len);
1579 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
1580 wpa_printf(MSG_INFO,
1581 "WPA: Invalid EAPOL-Key frame - key_data overflow (%d > %zu)",
1582 key_data_length,
1583 data_len - sizeof(*hdr) - keyhdrlen);
1584 return;
1585 }
1586
1587 if (sm->wpa == WPA_VERSION_WPA2) {
1588 if (key->type == EAPOL_KEY_TYPE_WPA) {
1589 /*
1590 * Some deployed station implementations seem to send
1591 * msg 4/4 with incorrect type value in WPA2 mode.
1592 */
1593 wpa_printf(MSG_DEBUG,
1594 "Workaround: Allow EAPOL-Key with unexpected WPA type in RSN mode");
1595 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
1596 wpa_printf(MSG_DEBUG,
1597 "Ignore EAPOL-Key with unexpected type %d in RSN mode",
1598 key->type);
1599 return;
1600 }
1601 } else {
1602 if (key->type != EAPOL_KEY_TYPE_WPA) {
1603 wpa_printf(MSG_DEBUG,
1604 "Ignore EAPOL-Key with unexpected type %d in WPA mode",
1605 key->type);
1606 return;
1607 }
1608 }
1609
1610 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
1611 WPA_NONCE_LEN);
1612 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
1613 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1614
1615 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
1616 * are set */
1617
1618 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
1619 wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
1620 return;
1621 }
1622
1623 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1624 if (!wpa_auth_valid_key_desc_ver(wpa_auth, sm, ver))
1625 goto out;
1626 if (mic_len > 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1627 sm->PTK_valid &&
1628 (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1629 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
1630 wpa_use_aes_key_wrap(sm->wpa_key_mgmt)) &&
1631 key_data_length >= 8 && key_data_length % 8 == 0) {
1632 key_data_length -= 8; /* AES-WRAP adds 8 bytes */
1633 key_data_buf = os_malloc(key_data_length);
1634 if (!key_data_buf)
1635 goto out;
1636 key_data_buf_len = key_data_length;
1637 if (aes_unwrap(sm->PTK.kek, sm->PTK.kek_len,
1638 key_data_length / 8, key_data, key_data_buf)) {
1639 wpa_printf(MSG_INFO,
1640 "RSN: AES unwrap failed - could not decrypt EAPOL-Key key data");
1641 goto out;
1642 }
1643 key_data = key_data_buf;
1644 wpa_hexdump_key(MSG_DEBUG, "RSN: Decrypted EAPOL-Key Key Data",
1645 key_data, key_data_length);
1646 }
1647
1648 if (key_info & WPA_KEY_INFO_REQUEST) {
1649 msg = REQUEST;
1650 msgtxt = "Request";
1651 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
1652 msg = GROUP_2;
1653 msgtxt = "2/2 Group";
1654 } else if (key_data_length == 0 ||
1655 (sm->wpa == WPA_VERSION_WPA2 &&
1656 (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA) ||
1657 key_data_buf) &&
1658 (key_info & WPA_KEY_INFO_SECURE) &&
1659 !get_ie(key_data, key_data_length, WLAN_EID_RSN)) ||
1660 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
1661 key_data_length == AES_BLOCK_SIZE)) {
1662 msg = PAIRWISE_4;
1663 msgtxt = "4/4 Pairwise";
1664 } else {
1665 msg = PAIRWISE_2;
1666 msgtxt = "2/4 Pairwise";
1667 }
1668
1669 if (!wpa_auth_valid_counter(wpa_auth, sm, key, msg, msgtxt))
1670 goto out;
1671
1672 #ifdef CONFIG_FILS
1673 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1674 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1675 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1676 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1677 goto out;
1678 }
1679 #endif /* CONFIG_FILS */
1680
1681 switch (msg) {
1682 case PAIRWISE_2:
1683 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1684 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1685 (!sm->update_snonce ||
1686 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1687 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1688 LOGGER_INFO,
1689 "received EAPOL-Key msg 2/4 in invalid state (%d) - dropped",
1690 sm->wpa_ptk_state);
1691 goto out;
1692 }
1693 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1694 if (sm->group->reject_4way_hs_for_entropy) {
1695 /*
1696 * The system did not have enough entropy to generate
1697 * strong random numbers. Reject the first 4-way
1698 * handshake(s) and collect some entropy based on the
1699 * information from it. Once enough entropy is
1700 * available, the next atempt will trigger GMK/Key
1701 * Counter update and the station will be allowed to
1702 * continue.
1703 */
1704 wpa_printf(MSG_DEBUG,
1705 "WPA: Reject 4-way handshake to collect more entropy for random number generation");
1706 random_mark_pool_ready();
1707 wpa_sta_disconnect(wpa_auth, sm->addr,
1708 WLAN_REASON_PREV_AUTH_NOT_VALID);
1709 goto out;
1710 }
1711 break;
1712 case PAIRWISE_4:
1713 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1714 !sm->PTK_valid) {
1715 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1716 LOGGER_INFO,
1717 "received EAPOL-Key msg 4/4 in invalid state (%d) - dropped",
1718 sm->wpa_ptk_state);
1719 goto out;
1720 }
1721 break;
1722 case GROUP_2:
1723 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1724 || !sm->PTK_valid) {
1725 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1726 LOGGER_INFO,
1727 "received EAPOL-Key msg 2/2 in invalid state (%d) - dropped",
1728 sm->wpa_ptk_group_state);
1729 goto out;
1730 }
1731 break;
1732 case REQUEST:
1733 if (sm->wpa_ptk_state == WPA_PTK_PTKSTART ||
1734 sm->wpa_ptk_state == WPA_PTK_PTKCALCNEGOTIATING ||
1735 sm->wpa_ptk_state == WPA_PTK_PTKCALCNEGOTIATING2 ||
1736 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1737 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
1738 LOGGER_INFO,
1739 "received EAPOL-Key Request in invalid state (%d) - dropped",
1740 sm->wpa_ptk_state);
1741 goto out;
1742 }
1743 break;
1744 }
1745
1746 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1747 "received EAPOL-Key frame (%s)", msgtxt);
1748
1749 if (key_info & WPA_KEY_INFO_ACK) {
1750 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1751 "received invalid EAPOL-Key: Key Ack set");
1752 goto out;
1753 }
1754
1755 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1756 !(key_info & WPA_KEY_INFO_MIC)) {
1757 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1758 "received invalid EAPOL-Key: Key MIC not set");
1759 goto out;
1760 }
1761
1762 #ifdef CONFIG_FILS
1763 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1764 (key_info & WPA_KEY_INFO_MIC)) {
1765 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
1766 "received invalid EAPOL-Key: Key MIC set");
1767 goto out;
1768 }
1769 #endif /* CONFIG_FILS */
1770
1771 sm->MICVerified = false;
1772 if (sm->PTK_valid && !sm->update_snonce) {
1773 if (mic_len &&
1774 wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1775 data, data_len) &&
1776 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1777 wpa_try_alt_snonce(sm, data, data_len))) {
1778 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1779 LOGGER_INFO,
1780 "received EAPOL-Key with invalid MIC");
1781 #ifdef TEST_FUZZ
1782 wpa_printf(MSG_INFO,
1783 "TEST: Ignore Key MIC failure for fuzz testing");
1784 goto continue_fuzz;
1785 #endif /* TEST_FUZZ */
1786 goto out;
1787 }
1788 #ifdef CONFIG_FILS
1789 if (!mic_len &&
1790 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1791 &key_data_length) < 0) {
1792 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1793 LOGGER_INFO,
1794 "received EAPOL-Key with invalid MIC");
1795 #ifdef TEST_FUZZ
1796 wpa_printf(MSG_INFO,
1797 "TEST: Ignore Key MIC failure for fuzz testing");
1798 goto continue_fuzz;
1799 #endif /* TEST_FUZZ */
1800 goto out;
1801 }
1802 #endif /* CONFIG_FILS */
1803 #ifdef TEST_FUZZ
1804 continue_fuzz:
1805 #endif /* TEST_FUZZ */
1806 sm->MICVerified = true;
1807 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1808 sm->pending_1_of_4_timeout = 0;
1809 }
1810
1811 if (key_info & WPA_KEY_INFO_REQUEST) {
1812 if (!(key_info & WPA_KEY_INFO_SECURE)) {
1813 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1814 LOGGER_INFO,
1815 "received EAPOL-Key request without Secure=1");
1816 goto out;
1817 }
1818 if (sm->MICVerified) {
1819 sm->req_replay_counter_used = 1;
1820 os_memcpy(sm->req_replay_counter, key->replay_counter,
1821 WPA_REPLAY_COUNTER_LEN);
1822 } else {
1823 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1824 LOGGER_INFO,
1825 "received EAPOL-Key request with invalid MIC");
1826 goto out;
1827 }
1828
1829 if (key_info & WPA_KEY_INFO_ERROR) {
1830 if (wpa_receive_error_report(
1831 wpa_auth, sm,
1832 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1833 goto out; /* STA entry was removed */
1834 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1835 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1836 LOGGER_INFO,
1837 "received EAPOL-Key Request for new 4-Way Handshake");
1838 wpa_request_new_ptk(sm);
1839 } else {
1840 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
1841 LOGGER_INFO,
1842 "received EAPOL-Key Request for GTK rekeying");
1843
1844 eloop_cancel_timeout(wpa_rekey_gtk,
1845 wpa_get_primary_auth(wpa_auth),
1846 NULL);
1847 if (wpa_auth_gtk_rekey_in_process(wpa_auth))
1848 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG,
1849 "skip new GTK rekey - already in process");
1850 else
1851 wpa_rekey_gtk(wpa_get_primary_auth(wpa_auth),
1852 NULL);
1853 }
1854 } else {
1855 /* Do not allow the same key replay counter to be reused. */
1856 wpa_replay_counter_mark_invalid(sm->key_replay,
1857 key->replay_counter);
1858
1859 if (msg == PAIRWISE_2) {
1860 /*
1861 * Maintain a copy of the pending EAPOL-Key frames in
1862 * case the EAPOL-Key frame was retransmitted. This is
1863 * needed to allow EAPOL-Key msg 2/4 reply to another
1864 * pending msg 1/4 to update the SNonce to work around
1865 * unexpected supplicant behavior.
1866 */
1867 os_memcpy(sm->prev_key_replay, sm->key_replay,
1868 sizeof(sm->key_replay));
1869 } else {
1870 os_memset(sm->prev_key_replay, 0,
1871 sizeof(sm->prev_key_replay));
1872 }
1873
1874 /*
1875 * Make sure old valid counters are not accepted anymore and
1876 * do not get copied again.
1877 */
1878 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1879 }
1880
1881 os_free(sm->last_rx_eapol_key);
1882 sm->last_rx_eapol_key = os_memdup(data, data_len);
1883 if (!sm->last_rx_eapol_key)
1884 goto out;
1885 sm->last_rx_eapol_key_len = data_len;
1886
1887 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1888 sm->EAPOLKeyReceived = true;
1889 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1890 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1891 if (msg == PAIRWISE_2)
1892 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1893 wpa_sm_step(sm);
1894
1895 out:
1896 bin_clear_free(key_data_buf, key_data_buf_len);
1897 }
1898
1899
1900 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1901 const u8 *gnonce, u8 *gtk, size_t gtk_len)
1902 {
1903 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + WPA_GTK_MAX_LEN];
1904 u8 *pos;
1905 int ret = 0;
1906
1907 /* GTK = PRF-X(GMK, "Group key expansion",
1908 * AA || GNonce || Time || random data)
1909 * The example described in the IEEE 802.11 standard uses only AA and
1910 * GNonce as inputs here. Add some more entropy since this derivation
1911 * is done only at the Authenticator and as such, does not need to be
1912 * exactly same.
1913 */
1914 os_memset(data, 0, sizeof(data));
1915 os_memcpy(data, addr, ETH_ALEN);
1916 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1917 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1918 wpa_get_ntp_timestamp(pos);
1919 #ifdef TEST_FUZZ
1920 os_memset(pos, 0xef, 8);
1921 #endif /* TEST_FUZZ */
1922 pos += 8;
1923 if (random_get_bytes(pos, gtk_len) < 0)
1924 ret = -1;
1925
1926 #ifdef CONFIG_SHA384
1927 if (sha384_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1928 gtk, gtk_len) < 0)
1929 ret = -1;
1930 #else /* CONFIG_SHA384 */
1931 #ifdef CONFIG_SHA256
1932 if (sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1933 gtk, gtk_len) < 0)
1934 ret = -1;
1935 #else /* CONFIG_SHA256 */
1936 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data),
1937 gtk, gtk_len) < 0)
1938 ret = -1;
1939 #endif /* CONFIG_SHA256 */
1940 #endif /* CONFIG_SHA384 */
1941
1942 forced_memzero(data, sizeof(data));
1943
1944 return ret;
1945 }
1946
1947
1948 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1949 {
1950 struct wpa_authenticator *wpa_auth = eloop_ctx;
1951 struct wpa_state_machine *sm = timeout_ctx;
1952
1953 if (sm->waiting_radius_psk) {
1954 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1955 "Ignore EAPOL-Key timeout while waiting for RADIUS PSK");
1956 return;
1957 }
1958
1959 sm->pending_1_of_4_timeout = 0;
1960 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
1961 "EAPOL-Key timeout");
1962 sm->TimeoutEvt = true;
1963 wpa_sm_step(sm);
1964 }
1965
1966
1967 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1968 struct wpa_state_machine *sm, int key_info,
1969 const u8 *key_rsc, const u8 *nonce,
1970 const u8 *kde, size_t kde_len,
1971 int keyidx, int encr, int force_version)
1972 {
1973 struct wpa_auth_config *conf = &wpa_auth->conf;
1974 struct ieee802_1x_hdr *hdr;
1975 struct wpa_eapol_key *key;
1976 size_t len, mic_len, keyhdrlen;
1977 int alg;
1978 int key_data_len, pad_len = 0;
1979 u8 *buf, *pos;
1980 int version, pairwise;
1981 int i;
1982 u8 *key_mic, *key_data;
1983
1984 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1985 keyhdrlen = sizeof(*key) + mic_len + 2;
1986
1987 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1988
1989 if (force_version)
1990 version = force_version;
1991 else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
1992 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1993 else if (wpa_use_cmac(sm->wpa_key_mgmt))
1994 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1995 else if (sm->pairwise != WPA_CIPHER_TKIP)
1996 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1997 else
1998 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1999
2000 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
2001
2002 wpa_printf(MSG_DEBUG,
2003 "WPA: Send EAPOL(version=%d secure=%d mic=%d ack=%d install=%d pairwise=%d kde_len=%zu keyidx=%d encr=%d)",
2004 version,
2005 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
2006 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
2007 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
2008 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
2009 pairwise, kde_len, keyidx, encr);
2010
2011 key_data_len = kde_len;
2012
2013 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
2014 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
2015 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
2016 pad_len = key_data_len % 8;
2017 if (pad_len)
2018 pad_len = 8 - pad_len;
2019 key_data_len += pad_len + 8;
2020 }
2021
2022 len += key_data_len;
2023 if (!mic_len && encr)
2024 len += AES_BLOCK_SIZE;
2025
2026 hdr = os_zalloc(len);
2027 if (!hdr)
2028 return;
2029 hdr->version = conf->eapol_version;
2030 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
2031 hdr->length = host_to_be16(len - sizeof(*hdr));
2032 key = (struct wpa_eapol_key *) (hdr + 1);
2033 key_mic = (u8 *) (key + 1);
2034 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
2035
2036 key->type = sm->wpa == WPA_VERSION_WPA2 ?
2037 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2038 key_info |= version;
2039 if (encr && sm->wpa == WPA_VERSION_WPA2)
2040 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2041 if (sm->wpa != WPA_VERSION_WPA2)
2042 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
2043 WPA_PUT_BE16(key->key_info, key_info);
2044
2045 alg = pairwise ? sm->pairwise : conf->wpa_group;
2046 if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
2047 WPA_PUT_BE16(key->key_length, 0);
2048 else
2049 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
2050
2051 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
2052 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
2053 os_memcpy(sm->key_replay[i].counter,
2054 sm->key_replay[i - 1].counter,
2055 WPA_REPLAY_COUNTER_LEN);
2056 }
2057 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
2058 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
2059 WPA_REPLAY_COUNTER_LEN);
2060 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
2061 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
2062 sm->key_replay[0].valid = true;
2063
2064 if (nonce)
2065 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
2066
2067 if (key_rsc)
2068 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
2069
2070 #ifdef CONFIG_TESTING_OPTIONS
2071 if (conf->eapol_key_reserved_random)
2072 random_get_bytes(key->key_id, sizeof(key->key_id));
2073 #endif /* CONFIG_TESTING_OPTIONS */
2074
2075 if (kde && !encr) {
2076 os_memcpy(key_data, kde, kde_len);
2077 WPA_PUT_BE16(key_mic + mic_len, kde_len);
2078 #ifdef CONFIG_FILS
2079 } else if (!mic_len && kde) {
2080 const u8 *aad[1];
2081 size_t aad_len[1];
2082
2083 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
2084 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
2085 kde, kde_len);
2086
2087 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
2088 sm->PTK.kek, sm->PTK.kek_len);
2089 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2090 * to Key Data (exclusive). */
2091 aad[0] = (u8 *) hdr;
2092 aad_len[0] = key_mic + 2 - (u8 *) hdr;
2093 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
2094 1, aad, aad_len, key_mic + 2) < 0) {
2095 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
2096 return;
2097 }
2098
2099 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
2100 key_mic + 2, AES_BLOCK_SIZE + kde_len);
2101 #endif /* CONFIG_FILS */
2102 } else if (encr && kde) {
2103 buf = os_zalloc(key_data_len);
2104 if (!buf) {
2105 os_free(hdr);
2106 return;
2107 }
2108 pos = buf;
2109 os_memcpy(pos, kde, kde_len);
2110 pos += kde_len;
2111
2112 if (pad_len)
2113 *pos++ = 0xdd;
2114
2115 wpa_hexdump_key(MSG_DEBUG,
2116 "Plaintext EAPOL-Key Key Data (+ padding)",
2117 buf, key_data_len);
2118 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
2119 wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
2120 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2121 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
2122 sm->PTK.kek, sm->PTK.kek_len);
2123 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
2124 (key_data_len - 8) / 8, buf, key_data)) {
2125 os_free(hdr);
2126 bin_clear_free(buf, key_data_len);
2127 return;
2128 }
2129 wpa_hexdump(MSG_DEBUG,
2130 "RSN: Encrypted Key Data from AES-WRAP",
2131 key_data, key_data_len);
2132 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
2133 #if !defined(CONFIG_NO_RC4) && !defined(CONFIG_FIPS)
2134 } else if (sm->PTK.kek_len == 16) {
2135 u8 ek[32];
2136
2137 wpa_printf(MSG_DEBUG,
2138 "WPA: Encrypt Key Data using RC4");
2139 os_memcpy(key->key_iv,
2140 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
2141 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
2142 os_memcpy(ek, key->key_iv, 16);
2143 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
2144 os_memcpy(key_data, buf, key_data_len);
2145 rc4_skip(ek, 32, 256, key_data, key_data_len);
2146 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
2147 #endif /* !(CONFIG_NO_RC4 || CONFIG_FIPS) */
2148 } else {
2149 os_free(hdr);
2150 bin_clear_free(buf, key_data_len);
2151 return;
2152 }
2153 bin_clear_free(buf, key_data_len);
2154 }
2155
2156 if (key_info & WPA_KEY_INFO_MIC) {
2157 if (!sm->PTK_valid || !mic_len) {
2158 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
2159 LOGGER_DEBUG,
2160 "PTK not valid when sending EAPOL-Key frame");
2161 os_free(hdr);
2162 return;
2163 }
2164
2165 if (wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
2166 sm->wpa_key_mgmt, version,
2167 (u8 *) hdr, len, key_mic) < 0) {
2168 os_free(hdr);
2169 return;
2170 }
2171 #ifdef CONFIG_TESTING_OPTIONS
2172 if (!pairwise &&
2173 conf->corrupt_gtk_rekey_mic_probability > 0.0 &&
2174 drand48() < conf->corrupt_gtk_rekey_mic_probability) {
2175 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
2176 LOGGER_INFO,
2177 "Corrupting group EAPOL-Key Key MIC");
2178 key_mic[0]++;
2179 }
2180 #endif /* CONFIG_TESTING_OPTIONS */
2181 }
2182
2183 wpa_auth_set_eapol(wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, 1);
2184 wpa_hexdump(MSG_DEBUG, "Send EAPOL-Key msg", hdr, len);
2185 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
2186 sm->pairwise_set);
2187 os_free(hdr);
2188 }
2189
2190
2191 static int wpa_auth_get_sta_count(struct wpa_authenticator *wpa_auth)
2192 {
2193 if (!wpa_auth->cb->get_sta_count)
2194 return -1;
2195
2196 return wpa_auth->cb->get_sta_count(wpa_auth->cb_ctx);
2197 }
2198
2199
2200 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
2201 struct wpa_state_machine *sm, int key_info,
2202 const u8 *key_rsc, const u8 *nonce,
2203 const u8 *kde, size_t kde_len,
2204 int keyidx, int encr)
2205 {
2206 int timeout_ms;
2207 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
2208 u32 ctr;
2209
2210 if (!sm)
2211 return;
2212
2213 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
2214
2215 #ifdef CONFIG_TESTING_OPTIONS
2216 /* When delay_eapol_tx is true, delay the EAPOL-Key transmission by
2217 * sending it only on the last attempt after all timeouts for the prior
2218 * skipped attemps. */
2219 if (wpa_auth->conf.delay_eapol_tx &&
2220 ctr != wpa_auth->conf.wpa_pairwise_update_count) {
2221 wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO,
2222 "DELAY-EAPOL-TX-%d", ctr);
2223 goto skip_tx;
2224 }
2225 #endif /* CONFIG_TESTING_OPTIONS */
2226 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
2227 keyidx, encr, 0);
2228 #ifdef CONFIG_TESTING_OPTIONS
2229 skip_tx:
2230 #endif /* CONFIG_TESTING_OPTIONS */
2231
2232 if (ctr == 1 && wpa_auth->conf.tx_status) {
2233 if (pairwise)
2234 timeout_ms = eapol_key_timeout_first;
2235 else if (wpa_auth_get_sta_count(wpa_auth) > 100)
2236 timeout_ms = eapol_key_timeout_first_group * 2;
2237 else
2238 timeout_ms = eapol_key_timeout_first_group;
2239 } else {
2240 timeout_ms = eapol_key_timeout_subseq;
2241 }
2242 if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
2243 (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
2244 timeout_ms = eapol_key_timeout_no_retrans;
2245 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
2246 sm->pending_1_of_4_timeout = 1;
2247 #ifdef TEST_FUZZ
2248 timeout_ms = 1;
2249 #endif /* TEST_FUZZ */
2250 #ifdef CONFIG_TESTING_OPTIONS
2251 if(wpa_auth->conf.enable_eapol_large_timeout) {
2252 timeout_ms = 50 * 1000;
2253 }
2254 #endif
2255 wpa_printf(MSG_DEBUG,
2256 "WPA: Use EAPOL-Key timeout of %u ms (retry counter %u)",
2257 timeout_ms, ctr);
2258 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
2259 wpa_send_eapol_timeout, wpa_auth, sm);
2260 }
2261
2262
2263 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
2264 u8 *data, size_t data_len)
2265 {
2266 struct ieee802_1x_hdr *hdr;
2267 struct wpa_eapol_key *key;
2268 u16 key_info;
2269 int ret = 0;
2270 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
2271 size_t mic_len = wpa_mic_len(akmp, pmk_len);
2272
2273 if (data_len < sizeof(*hdr) + sizeof(*key))
2274 return -1;
2275
2276 hdr = (struct ieee802_1x_hdr *) data;
2277 key = (struct wpa_eapol_key *) (hdr + 1);
2278 mic_pos = (u8 *) (key + 1);
2279 key_info = WPA_GET_BE16(key->key_info);
2280 os_memcpy(mic, mic_pos, mic_len);
2281 os_memset(mic_pos, 0, mic_len);
2282 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
2283 key_info & WPA_KEY_INFO_TYPE_MASK,
2284 data, data_len, mic_pos) ||
2285 os_memcmp_const(mic, mic_pos, mic_len) != 0)
2286 ret = -1;
2287 os_memcpy(mic_pos, mic, mic_len);
2288 return ret;
2289 }
2290
2291
2292 void wpa_remove_ptk(struct wpa_state_machine *sm)
2293 {
2294 sm->PTK_valid = false;
2295 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2296
2297 wpa_auth_remove_ptksa(sm->wpa_auth, sm->addr, sm->pairwise);
2298
2299 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
2300 0, KEY_FLAG_PAIRWISE))
2301 wpa_printf(MSG_DEBUG,
2302 "RSN: PTK removal from the driver failed");
2303 if (sm->use_ext_key_id &&
2304 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 1, NULL,
2305 0, KEY_FLAG_PAIRWISE))
2306 wpa_printf(MSG_DEBUG,
2307 "RSN: PTK Key ID 1 removal from the driver failed");
2308 sm->pairwise_set = false;
2309 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2310 }
2311
2312
2313 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
2314 {
2315 int remove_ptk = 1;
2316
2317 if (!sm)
2318 return -1;
2319
2320 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
2321 "event %d notification", event);
2322
2323 switch (event) {
2324 case WPA_AUTH:
2325 #ifdef CONFIG_MESH
2326 /* PTKs are derived through AMPE */
2327 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
2328 /* not mesh */
2329 break;
2330 }
2331 return 0;
2332 #endif /* CONFIG_MESH */
2333 case WPA_ASSOC:
2334 break;
2335 case WPA_DEAUTH:
2336 case WPA_DISASSOC:
2337 sm->DeauthenticationRequest = true;
2338 os_memset(sm->PMK, 0, sizeof(sm->PMK));
2339 sm->pmk_len = 0;
2340 #ifdef CONFIG_IEEE80211R_AP
2341 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
2342 sm->xxkey_len = 0;
2343 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
2344 sm->pmk_r1_len = 0;
2345 #endif /* CONFIG_IEEE80211R_AP */
2346 break;
2347 case WPA_REAUTH:
2348 case WPA_REAUTH_EAPOL:
2349 if (!sm->started) {
2350 /*
2351 * When using WPS, we may end up here if the STA
2352 * manages to re-associate without the previous STA
2353 * entry getting removed. Consequently, we need to make
2354 * sure that the WPA state machines gets initialized
2355 * properly at this point.
2356 */
2357 wpa_printf(MSG_DEBUG,
2358 "WPA state machine had not been started - initialize now");
2359 sm->started = 1;
2360 sm->Init = true;
2361 if (wpa_sm_step(sm) == 1)
2362 return 1; /* should not really happen */
2363 sm->Init = false;
2364 sm->AuthenticationRequest = true;
2365 break;
2366 }
2367
2368 if (sm->ptkstart_without_success > 3) {
2369 wpa_printf(MSG_INFO,
2370 "WPA: Multiple EAP reauth attempts without 4-way handshake completion, disconnect "
2371 MACSTR, MAC2STR(sm->addr));
2372 sm->Disconnect = true;
2373 break;
2374 }
2375
2376 if (!sm->use_ext_key_id &&
2377 sm->wpa_auth->conf.wpa_deny_ptk0_rekey) {
2378 wpa_printf(MSG_INFO,
2379 "WPA: PTK0 rekey not allowed, disconnect "
2380 MACSTR, MAC2STR(wpa_auth_get_spa(sm)));
2381 sm->Disconnect = true;
2382 /* Try to encourage the STA to reconnect */
2383 sm->disconnect_reason =
2384 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA;
2385 break;
2386 }
2387
2388 if (sm->use_ext_key_id)
2389 sm->keyidx_active ^= 1; /* flip Key ID */
2390
2391 if (sm->GUpdateStationKeys) {
2392 /*
2393 * Reauthentication cancels the pending group key
2394 * update for this STA.
2395 */
2396 wpa_gkeydone_sta(sm);
2397 sm->PtkGroupInit = true;
2398 }
2399 sm->ReAuthenticationRequest = true;
2400 break;
2401 case WPA_ASSOC_FT:
2402 #ifdef CONFIG_IEEE80211R_AP
2403 wpa_printf(MSG_DEBUG,
2404 "FT: Retry PTK configuration after association");
2405 wpa_ft_install_ptk(sm, 1);
2406
2407 /* Using FT protocol, not WPA auth state machine */
2408 sm->ft_completed = 1;
2409 wpa_auth_set_ptk_rekey_timer(sm);
2410 return 0;
2411 #else /* CONFIG_IEEE80211R_AP */
2412 break;
2413 #endif /* CONFIG_IEEE80211R_AP */
2414 case WPA_ASSOC_FILS:
2415 #ifdef CONFIG_FILS
2416 wpa_printf(MSG_DEBUG,
2417 "FILS: TK configuration after association");
2418 fils_set_tk(sm);
2419 sm->fils_completed = 1;
2420 return 0;
2421 #else /* CONFIG_FILS */
2422 break;
2423 #endif /* CONFIG_FILS */
2424 case WPA_DRV_STA_REMOVED:
2425 sm->tk_already_set = false;
2426 return 0;
2427 }
2428
2429 #ifdef CONFIG_IEEE80211R_AP
2430 sm->ft_completed = 0;
2431 #endif /* CONFIG_IEEE80211R_AP */
2432
2433 if (sm->mgmt_frame_prot && event == WPA_AUTH)
2434 remove_ptk = 0;
2435 #ifdef CONFIG_FILS
2436 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
2437 (event == WPA_AUTH || event == WPA_ASSOC))
2438 remove_ptk = 0;
2439 #endif /* CONFIG_FILS */
2440
2441 if (remove_ptk) {
2442 sm->PTK_valid = false;
2443 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2444
2445 if (event != WPA_REAUTH_EAPOL)
2446 wpa_remove_ptk(sm);
2447 }
2448
2449 if (sm->in_step_loop) {
2450 /*
2451 * wpa_sm_step() is already running - avoid recursive call to
2452 * it by making the existing loop process the new update.
2453 */
2454 sm->changed = true;
2455 return 0;
2456 }
2457 return wpa_sm_step(sm);
2458 }
2459
2460
2461 SM_STATE(WPA_PTK, INITIALIZE)
2462 {
2463 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
2464 if (sm->Init) {
2465 /* Init flag is not cleared here, so avoid busy
2466 * loop by claiming nothing changed. */
2467 sm->changed = false;
2468 }
2469
2470 sm->keycount = 0;
2471 if (sm->GUpdateStationKeys)
2472 wpa_gkeydone_sta(sm);
2473 if (sm->wpa == WPA_VERSION_WPA)
2474 sm->PInitAKeys = false;
2475 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
2476 * Local AA > Remote AA)) */) {
2477 sm->Pair = true;
2478 }
2479 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
2480 wpa_remove_ptk(sm);
2481 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
2482 sm->TimeoutCtr = 0;
2483 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2484 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
2485 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
2486 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2487 WPA_EAPOL_authorized, 0);
2488 }
2489 }
2490
2491
2492 SM_STATE(WPA_PTK, DISCONNECT)
2493 {
2494 u16 reason = sm->disconnect_reason;
2495
2496 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
2497 sm->Disconnect = false;
2498 sm->disconnect_reason = 0;
2499 if (!reason)
2500 reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
2501 wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
2502 }
2503
2504
2505 SM_STATE(WPA_PTK, DISCONNECTED)
2506 {
2507 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
2508 sm->DeauthenticationRequest = false;
2509 }
2510
2511
2512 SM_STATE(WPA_PTK, AUTHENTICATION)
2513 {
2514 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
2515 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2516 sm->PTK_valid = false;
2517 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
2518 1);
2519 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
2520 sm->AuthenticationRequest = false;
2521 }
2522
2523
2524 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
2525 struct wpa_group *group)
2526 {
2527 if (group->first_sta_seen)
2528 return;
2529 /*
2530 * System has run bit further than at the time hostapd was started
2531 * potentially very early during boot up. This provides better chances
2532 * of collecting more randomness on embedded systems. Re-initialize the
2533 * GMK and Counter here to improve their strength if there was not
2534 * enough entropy available immediately after system startup.
2535 */
2536 wpa_printf(MSG_DEBUG,
2537 "WPA: Re-initialize GMK/Counter on first station");
2538 if (random_pool_ready() != 1) {
2539 wpa_printf(MSG_INFO,
2540 "WPA: Not enough entropy in random pool to proceed - reject first 4-way handshake");
2541 group->reject_4way_hs_for_entropy = true;
2542 } else {
2543 group->first_sta_seen = true;
2544 group->reject_4way_hs_for_entropy = false;
2545 }
2546
2547 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
2548 wpa_gtk_update(wpa_auth, group) < 0 ||
2549 wpa_group_config_group_keys(wpa_auth, group) < 0) {
2550 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
2551 group->first_sta_seen = false;
2552 group->reject_4way_hs_for_entropy = true;
2553 }
2554 }
2555
2556
2557 SM_STATE(WPA_PTK, AUTHENTICATION2)
2558 {
2559 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
2560
2561 wpa_group_ensure_init(sm->wpa_auth, sm->group);
2562 sm->ReAuthenticationRequest = false;
2563
2564 /*
2565 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
2566 * ambiguous. The Authenticator state machine uses a counter that is
2567 * incremented by one for each 4-way handshake. However, the security
2568 * analysis of 4-way handshake points out that unpredictable nonces
2569 * help in preventing precomputation attacks. Instead of the state
2570 * machine definition, use an unpredictable nonce value here to provide
2571 * stronger protection against potential precomputation attacks.
2572 */
2573 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2574 wpa_printf(MSG_ERROR,
2575 "WPA: Failed to get random data for ANonce.");
2576 sm->Disconnect = true;
2577 return;
2578 }
2579 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
2580 WPA_NONCE_LEN);
2581 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
2582 * logical place than INITIALIZE since AUTHENTICATION2 can be
2583 * re-entered on ReAuthenticationRequest without going through
2584 * INITIALIZE. */
2585 sm->TimeoutCtr = 0;
2586 }
2587
2588
2589 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
2590 {
2591 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
2592 wpa_printf(MSG_ERROR,
2593 "WPA: Failed to get random data for ANonce");
2594 sm->Disconnect = true;
2595 return -1;
2596 }
2597 wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
2598 WPA_NONCE_LEN);
2599 sm->TimeoutCtr = 0;
2600 return 0;
2601 }
2602
2603
2604 SM_STATE(WPA_PTK, INITPMK)
2605 {
2606 u8 msk[2 * PMK_LEN];
2607 size_t len = 2 * PMK_LEN;
2608
2609 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
2610 #ifdef CONFIG_IEEE80211R_AP
2611 sm->xxkey_len = 0;
2612 #endif /* CONFIG_IEEE80211R_AP */
2613 if (sm->pmksa) {
2614 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
2615 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2616 sm->pmk_len = sm->pmksa->pmk_len;
2617 #ifdef CONFIG_DPP
2618 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
2619 wpa_printf(MSG_DEBUG,
2620 "DPP: No PMKSA cache entry for STA - reject connection");
2621 sm->Disconnect = true;
2622 sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
2623 return;
2624 #endif /* CONFIG_DPP */
2625 } else if (wpa_auth_get_msk(sm->wpa_auth, wpa_auth_get_spa(sm),
2626 msk, &len) == 0) {
2627 unsigned int pmk_len;
2628
2629 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
2630 pmk_len = PMK_LEN_SUITE_B_192;
2631 else
2632 pmk_len = PMK_LEN;
2633 wpa_printf(MSG_DEBUG,
2634 "WPA: PMK from EAPOL state machine (MSK len=%zu PMK len=%u)",
2635 len, pmk_len);
2636 if (len < pmk_len) {
2637 wpa_printf(MSG_DEBUG,
2638 "WPA: MSK not long enough (%zu) to create PMK (%u)",
2639 len, pmk_len);
2640 sm->Disconnect = true;
2641 return;
2642 }
2643 os_memcpy(sm->PMK, msk, pmk_len);
2644 sm->pmk_len = pmk_len;
2645 #ifdef CONFIG_IEEE80211R_AP
2646 if (len >= 2 * PMK_LEN) {
2647 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
2648 os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
2649 sm->xxkey_len = SHA384_MAC_LEN;
2650 } else {
2651 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
2652 sm->xxkey_len = PMK_LEN;
2653 }
2654 }
2655 #endif /* CONFIG_IEEE80211R_AP */
2656 } else {
2657 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
2658 sm->wpa_auth->cb->get_msk);
2659 sm->Disconnect = true;
2660 return;
2661 }
2662 forced_memzero(msk, sizeof(msk));
2663
2664 sm->req_replay_counter_used = 0;
2665 /* IEEE 802.11i does not set keyRun to false, but not doing this
2666 * will break reauthentication since EAPOL state machines may not be
2667 * get into AUTHENTICATING state that clears keyRun before WPA state
2668 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
2669 * state and takes PMK from the previously used AAA Key. This will
2670 * eventually fail in 4-Way Handshake because Supplicant uses PMK
2671 * derived from the new AAA Key. Setting keyRun = false here seems to
2672 * be good workaround for this issue. */
2673 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, false);
2674 }
2675
2676
2677 SM_STATE(WPA_PTK, INITPSK)
2678 {
2679 const u8 *psk;
2680 size_t psk_len;
2681
2682 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
2683 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
2684 &psk_len, NULL);
2685 if (psk) {
2686 os_memcpy(sm->PMK, psk, psk_len);
2687 sm->pmk_len = psk_len;
2688 #ifdef CONFIG_IEEE80211R_AP
2689 sm->xxkey_len = PMK_LEN;
2690 #ifdef CONFIG_SAE
2691 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY &&
2692 (psk_len == SHA512_MAC_LEN || psk_len == SHA384_MAC_LEN ||
2693 psk_len == SHA256_MAC_LEN))
2694 sm->xxkey_len = psk_len;
2695 #endif /* CONFIG_SAE */
2696 os_memcpy(sm->xxkey, psk, sm->xxkey_len);
2697 #endif /* CONFIG_IEEE80211R_AP */
2698 }
2699 #ifdef CONFIG_SAE
2700 if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2701 wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache (len=%zu)",
2702 sm->pmksa->pmk_len);
2703 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2704 sm->pmk_len = sm->pmksa->pmk_len;
2705 #ifdef CONFIG_IEEE80211R_AP
2706 os_memcpy(sm->xxkey, sm->pmksa->pmk, sm->pmksa->pmk_len);
2707 sm->xxkey_len = sm->pmksa->pmk_len;
2708 #endif /* CONFIG_IEEE80211R_AP */
2709 }
2710 #endif /* CONFIG_SAE */
2711 sm->req_replay_counter_used = 0;
2712 }
2713
2714
2715 SM_STATE(WPA_PTK, PTKSTART)
2716 {
2717 u8 *buf;
2718 size_t buf_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2719 u8 *pmkid = NULL;
2720 size_t kde_len = 0;
2721 u16 key_info;
2722 #ifdef CONFIG_TESTING_OPTIONS
2723 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
2724 #endif /* CONFIG_TESTING_OPTIONS */
2725
2726 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2727 sm->PTKRequest = false;
2728 sm->TimeoutEvt = false;
2729 sm->alt_snonce_valid = false;
2730 sm->ptkstart_without_success++;
2731
2732 sm->TimeoutCtr++;
2733 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2734 /* No point in sending the EAPOL-Key - we will disconnect
2735 * immediately following this. */
2736 return;
2737 }
2738
2739 #ifdef CONFIG_IEEE80211BE
2740 if (sm->mld_assoc_link_id >= 0)
2741 buf_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
2742 #endif /* CONFIG_IEEE80211BE */
2743 #ifdef CONFIG_TESTING_OPTIONS
2744 if (conf->eapol_m1_elements)
2745 buf_len += wpabuf_len(conf->eapol_m1_elements);
2746 #endif /* CONFIG_TESTING_OPTIONS */
2747
2748 buf = os_zalloc(buf_len);
2749 if (!buf)
2750 return;
2751
2752 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
2753 "sending 1/4 msg of 4-Way Handshake");
2754 /*
2755 * For infrastructure BSS cases, it is better for the AP not to include
2756 * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
2757 * offline search for the passphrase/PSK without having to be able to
2758 * capture a 4-way handshake from a STA that has access to the network.
2759 *
2760 * For IBSS cases, addition of PMKID KDE could be considered even with
2761 * WPA2-PSK cases that use multiple PSKs, but only if there is a single
2762 * possible PSK for this STA. However, this should not be done unless
2763 * there is support for using that information on the supplicant side.
2764 * The concern about exposing PMKID unnecessarily in infrastructure BSS
2765 * cases would also apply here, but at least in the IBSS case, this
2766 * would cover a potential real use case.
2767 */
2768 if (sm->wpa == WPA_VERSION_WPA2 &&
2769 (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
2770 (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
2771 wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
2772 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
2773 pmkid = buf;
2774 kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2775 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2776 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2777 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
2778 if (sm->pmksa) {
2779 wpa_hexdump(MSG_DEBUG,
2780 "RSN: Message 1/4 PMKID from PMKSA entry",
2781 sm->pmksa->pmkid, PMKID_LEN);
2782 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2783 sm->pmksa->pmkid, PMKID_LEN);
2784 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2785 /* No KCK available to derive PMKID */
2786 wpa_printf(MSG_DEBUG,
2787 "RSN: No KCK available to derive PMKID for message 1/4");
2788 pmkid = NULL;
2789 #ifdef CONFIG_FILS
2790 } else if (wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2791 if (sm->pmkid_set) {
2792 wpa_hexdump(MSG_DEBUG,
2793 "RSN: Message 1/4 PMKID from FILS/ERP",
2794 sm->pmkid, PMKID_LEN);
2795 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2796 sm->pmkid, PMKID_LEN);
2797 } else {
2798 /* No PMKID available */
2799 wpa_printf(MSG_DEBUG,
2800 "RSN: No FILS/ERP PMKID available for message 1/4");
2801 pmkid = NULL;
2802 }
2803 #endif /* CONFIG_FILS */
2804 #ifdef CONFIG_IEEE80211R_AP
2805 } else if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
2806 sm->ft_completed) {
2807 wpa_printf(MSG_DEBUG,
2808 "FT: No PMKID in message 1/4 when using FT protocol");
2809 pmkid = NULL;
2810 #endif /* CONFIG_IEEE80211R_AP */
2811 #ifdef CONFIG_SAE
2812 } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2813 if (sm->pmkid_set) {
2814 wpa_hexdump(MSG_DEBUG,
2815 "RSN: Message 1/4 PMKID from SAE",
2816 sm->pmkid, PMKID_LEN);
2817 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2818 sm->pmkid, PMKID_LEN);
2819 } else {
2820 /* No PMKID available */
2821 wpa_printf(MSG_DEBUG,
2822 "RSN: No SAE PMKID available for message 1/4");
2823 pmkid = NULL;
2824 }
2825 #endif /* CONFIG_SAE */
2826 } else {
2827 /*
2828 * Calculate PMKID since no PMKSA cache entry was
2829 * available with pre-calculated PMKID.
2830 */
2831 rsn_pmkid(sm->PMK, sm->pmk_len,
2832 wpa_auth_get_aa(sm),
2833 wpa_auth_get_spa(sm),
2834 &pmkid[2 + RSN_SELECTOR_LEN],
2835 sm->wpa_key_mgmt);
2836 wpa_hexdump(MSG_DEBUG,
2837 "RSN: Message 1/4 PMKID derived from PMK",
2838 &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
2839 }
2840 }
2841 if (!pmkid)
2842 kde_len = 0;
2843
2844 #ifdef CONFIG_IEEE80211BE
2845 if (sm->mld_assoc_link_id >= 0) {
2846 wpa_printf(MSG_DEBUG,
2847 "RSN: MLD: Add MAC Address KDE: kde_len=%zu",
2848 kde_len);
2849 wpa_add_kde(buf + kde_len, RSN_KEY_DATA_MAC_ADDR,
2850 sm->wpa_auth->mld_addr, ETH_ALEN, NULL, 0);
2851 kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
2852 }
2853 #endif /* CONFIG_IEEE80211BE */
2854
2855 #ifdef CONFIG_TESTING_OPTIONS
2856 if (conf->eapol_m1_elements) {
2857 os_memcpy(buf + kde_len, wpabuf_head(conf->eapol_m1_elements),
2858 wpabuf_len(conf->eapol_m1_elements));
2859 kde_len += wpabuf_len(conf->eapol_m1_elements);
2860 }
2861 #endif /* CONFIG_TESTING_OPTIONS */
2862
2863 key_info = WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE;
2864 if (sm->pairwise_set && sm->wpa != WPA_VERSION_WPA)
2865 key_info |= WPA_KEY_INFO_SECURE;
2866 wpa_send_eapol(sm->wpa_auth, sm, key_info, NULL,
2867 sm->ANonce, kde_len ? buf : NULL, kde_len, 0, 0);
2868 os_free(buf);
2869 }
2870
2871
2872 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2873 const u8 *pmk, unsigned int pmk_len,
2874 struct wpa_ptk *ptk, int force_sha256,
2875 u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
2876 size_t *key_len, bool no_kdk)
2877 {
2878 const u8 *z = NULL;
2879 size_t z_len = 0, kdk_len;
2880 int akmp;
2881 int ret;
2882
2883 if (sm->wpa_auth->conf.force_kdk_derivation ||
2884 (!no_kdk && sm->wpa_auth->conf.secure_ltf &&
2885 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
2886 kdk_len = WPA_KDK_MAX_LEN;
2887 else
2888 kdk_len = 0;
2889
2890 #ifdef CONFIG_IEEE80211R_AP
2891 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2892 if (sm->ft_completed) {
2893 u8 ptk_name[WPA_PMK_NAME_LEN];
2894
2895 ret = wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len,
2896 sm->SNonce, sm->ANonce,
2897 wpa_auth_get_spa(sm),
2898 wpa_auth_get_aa(sm),
2899 sm->pmk_r1_name, ptk,
2900 ptk_name, sm->wpa_key_mgmt,
2901 sm->pairwise, kdk_len);
2902 } else {
2903 ret = wpa_auth_derive_ptk_ft(sm, ptk, pmk_r0, pmk_r1,
2904 pmk_r0_name, key_len,
2905 kdk_len);
2906 }
2907 if (ret) {
2908 wpa_printf(MSG_ERROR, "FT: PTK derivation failed");
2909 return ret;
2910 }
2911
2912 #ifdef CONFIG_PASN
2913 if (!no_kdk && sm->wpa_auth->conf.secure_ltf &&
2914 ieee802_11_rsnx_capab(sm->rsnxe,
2915 WLAN_RSNX_CAPAB_SECURE_LTF)) {
2916 ret = wpa_ltf_keyseed(ptk, sm->wpa_key_mgmt,
2917 sm->pairwise);
2918 if (ret) {
2919 wpa_printf(MSG_ERROR,
2920 "FT: LTF keyseed derivation failed");
2921 }
2922 }
2923 #endif /* CONFIG_PASN */
2924 return ret;
2925 }
2926 #endif /* CONFIG_IEEE80211R_AP */
2927
2928 #ifdef CONFIG_DPP2
2929 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
2930 z = wpabuf_head(sm->dpp_z);
2931 z_len = wpabuf_len(sm->dpp_z);
2932 }
2933 #endif /* CONFIG_DPP2 */
2934
2935 akmp = sm->wpa_key_mgmt;
2936 if (force_sha256)
2937 akmp |= WPA_KEY_MGMT_PSK_SHA256;
2938 ret = wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
2939 wpa_auth_get_aa(sm), wpa_auth_get_spa(sm),
2940 sm->ANonce, snonce, ptk, akmp,
2941 sm->pairwise, z, z_len, kdk_len);
2942 if (ret) {
2943 wpa_printf(MSG_DEBUG,
2944 "WPA: PTK derivation failed");
2945 return ret;
2946 }
2947
2948 #ifdef CONFIG_PASN
2949 if (!no_kdk && sm->wpa_auth->conf.secure_ltf &&
2950 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)) {
2951 ret = wpa_ltf_keyseed(ptk, sm->wpa_key_mgmt, sm->pairwise);
2952 if (ret) {
2953 wpa_printf(MSG_DEBUG,
2954 "WPA: LTF keyseed derivation failed");
2955 }
2956 }
2957 #endif /* CONFIG_PASN */
2958 return ret;
2959 }
2960
2961
2962 #ifdef CONFIG_FILS
2963
2964 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2965 size_t pmk_len, const u8 *snonce, const u8 *anonce,
2966 const u8 *dhss, size_t dhss_len,
2967 struct wpabuf *g_sta, struct wpabuf *g_ap)
2968 {
2969 u8 ick[FILS_ICK_MAX_LEN];
2970 size_t ick_len;
2971 int res;
2972 u8 fils_ft[FILS_FT_MAX_LEN];
2973 size_t fils_ft_len = 0, kdk_len;
2974
2975 if (sm->wpa_auth->conf.force_kdk_derivation ||
2976 (sm->wpa_auth->conf.secure_ltf &&
2977 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
2978 kdk_len = WPA_KDK_MAX_LEN;
2979 else
2980 kdk_len = 0;
2981
2982 res = fils_pmk_to_ptk(pmk, pmk_len, wpa_auth_get_spa(sm),
2983 wpa_auth_get_aa(sm),
2984 snonce, anonce, dhss, dhss_len,
2985 &sm->PTK, ick, &ick_len,
2986 sm->wpa_key_mgmt, sm->pairwise,
2987 fils_ft, &fils_ft_len, kdk_len);
2988 if (res < 0)
2989 return res;
2990
2991 #ifdef CONFIG_PASN
2992 if (sm->wpa_auth->conf.secure_ltf &&
2993 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)) {
2994 res = wpa_ltf_keyseed(&sm->PTK, sm->wpa_key_mgmt, sm->pairwise);
2995 if (res) {
2996 wpa_printf(MSG_ERROR,
2997 "FILS: LTF keyseed derivation failed");
2998 return res;
2999 }
3000 }
3001 #endif /* CONFIG_PASN */
3002
3003 sm->PTK_valid = true;
3004 sm->tk_already_set = false;
3005
3006 #ifdef CONFIG_IEEE80211R_AP
3007 if (fils_ft_len) {
3008 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3009 struct wpa_auth_config *conf = &wpa_auth->conf;
3010 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
3011
3012 if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
3013 conf->ssid, conf->ssid_len,
3014 conf->mobility_domain,
3015 conf->r0_key_holder,
3016 conf->r0_key_holder_len,
3017 wpa_auth_get_spa(sm), pmk_r0, pmk_r0_name,
3018 sm->wpa_key_mgmt) < 0)
3019 return -1;
3020
3021 wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
3022 forced_memzero(fils_ft, sizeof(fils_ft));
3023
3024 res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
3025 wpa_auth_get_spa(sm),
3026 sm->pmk_r1_name,
3027 fils_ft_len);
3028 forced_memzero(pmk_r0, PMK_LEN_MAX);
3029 if (res < 0)
3030 return -1;
3031 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
3032 WPA_PMK_NAME_LEN);
3033 sm->pmk_r1_name_valid = 1;
3034 }
3035 #endif /* CONFIG_IEEE80211R_AP */
3036
3037 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
3038 wpa_auth_get_spa(sm),
3039 wpa_auth_get_aa(sm),
3040 g_sta ? wpabuf_head(g_sta) : NULL,
3041 g_sta ? wpabuf_len(g_sta) : 0,
3042 g_ap ? wpabuf_head(g_ap) : NULL,
3043 g_ap ? wpabuf_len(g_ap) : 0,
3044 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
3045 sm->fils_key_auth_ap,
3046 &sm->fils_key_auth_len);
3047 forced_memzero(ick, sizeof(ick));
3048
3049 /* Store nonces for (Re)Association Request/Response frame processing */
3050 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
3051 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
3052
3053 return res;
3054 }
3055
3056
3057 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
3058 u8 *buf, size_t buf_len, u16 *_key_data_len)
3059 {
3060 struct ieee802_1x_hdr *hdr;
3061 struct wpa_eapol_key *key;
3062 u8 *pos;
3063 u16 key_data_len;
3064 u8 *tmp;
3065 const u8 *aad[1];
3066 size_t aad_len[1];
3067
3068 hdr = (struct ieee802_1x_hdr *) buf;
3069 key = (struct wpa_eapol_key *) (hdr + 1);
3070 pos = (u8 *) (key + 1);
3071 key_data_len = WPA_GET_BE16(pos);
3072 if (key_data_len < AES_BLOCK_SIZE ||
3073 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
3074 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3075 "No room for AES-SIV data in the frame");
3076 return -1;
3077 }
3078 pos += 2; /* Pointing at the Encrypted Key Data field */
3079
3080 tmp = os_malloc(key_data_len);
3081 if (!tmp)
3082 return -1;
3083
3084 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
3085 * to Key Data (exclusive). */
3086 aad[0] = buf;
3087 aad_len[0] = pos - buf;
3088 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
3089 1, aad, aad_len, tmp) < 0) {
3090 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3091 "Invalid AES-SIV data in the frame");
3092 bin_clear_free(tmp, key_data_len);
3093 return -1;
3094 }
3095
3096 /* AEAD decryption and validation completed successfully */
3097 key_data_len -= AES_BLOCK_SIZE;
3098 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
3099 tmp, key_data_len);
3100
3101 /* Replace Key Data field with the decrypted version */
3102 os_memcpy(pos, tmp, key_data_len);
3103 pos -= 2; /* Key Data Length field */
3104 WPA_PUT_BE16(pos, key_data_len);
3105 bin_clear_free(tmp, key_data_len);
3106 if (_key_data_len)
3107 *_key_data_len = key_data_len;
3108 return 0;
3109 }
3110
3111
3112 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
3113 const u8 *ies, size_t ies_len,
3114 const u8 *fils_session)
3115 {
3116 const u8 *ie, *end;
3117 const u8 *session = NULL;
3118
3119 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
3120 wpa_printf(MSG_DEBUG,
3121 "FILS: Not a FILS AKM - reject association");
3122 return NULL;
3123 }
3124
3125 /* Verify Session element */
3126 ie = ies;
3127 end = ((const u8 *) ie) + ies_len;
3128 while (ie + 1 < end) {
3129 if (ie + 2 + ie[1] > end)
3130 break;
3131 if (ie[0] == WLAN_EID_EXTENSION &&
3132 ie[1] >= 1 + FILS_SESSION_LEN &&
3133 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
3134 session = ie;
3135 break;
3136 }
3137 ie += 2 + ie[1];
3138 }
3139
3140 if (!session) {
3141 wpa_printf(MSG_DEBUG,
3142 "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
3143 __func__);
3144 return NULL;
3145 }
3146
3147 if (!fils_session) {
3148 wpa_printf(MSG_DEBUG,
3149 "FILS: %s: Could not find FILS Session element in STA entry - reject",
3150 __func__);
3151 return NULL;
3152 }
3153
3154 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
3155 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
3156 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3157 fils_session, FILS_SESSION_LEN);
3158 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
3159 session + 3, FILS_SESSION_LEN);
3160 return NULL;
3161 }
3162 return session;
3163 }
3164
3165
3166 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
3167 size_t ies_len)
3168 {
3169 struct ieee802_11_elems elems;
3170
3171 if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
3172 wpa_printf(MSG_DEBUG,
3173 "FILS: Failed to parse decrypted elements");
3174 return -1;
3175 }
3176
3177 if (!elems.fils_session) {
3178 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3179 return -1;
3180 }
3181
3182 if (!elems.fils_key_confirm) {
3183 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
3184 return -1;
3185 }
3186
3187 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
3188 wpa_printf(MSG_DEBUG,
3189 "FILS: Unexpected Key-Auth length %d (expected %zu)",
3190 elems.fils_key_confirm_len,
3191 sm->fils_key_auth_len);
3192 return -1;
3193 }
3194
3195 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
3196 sm->fils_key_auth_len) != 0) {
3197 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
3198 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
3199 elems.fils_key_confirm, elems.fils_key_confirm_len);
3200 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
3201 sm->fils_key_auth_sta, sm->fils_key_auth_len);
3202 return -1;
3203 }
3204
3205 return 0;
3206 }
3207
3208
3209 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
3210 const struct ieee80211_mgmt *mgmt, size_t frame_len,
3211 u8 *pos, size_t left)
3212 {
3213 u16 fc, stype;
3214 const u8 *end, *ie_start, *ie, *session, *crypt;
3215 const u8 *aad[5];
3216 size_t aad_len[5];
3217
3218 if (!sm || !sm->PTK_valid) {
3219 wpa_printf(MSG_DEBUG,
3220 "FILS: No KEK to decrypt Assocication Request frame");
3221 return -1;
3222 }
3223
3224 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
3225 wpa_printf(MSG_DEBUG,
3226 "FILS: Not a FILS AKM - reject association");
3227 return -1;
3228 }
3229
3230 end = ((const u8 *) mgmt) + frame_len;
3231 fc = le_to_host16(mgmt->frame_control);
3232 stype = WLAN_FC_GET_STYPE(fc);
3233 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
3234 ie_start = mgmt->u.reassoc_req.variable;
3235 else
3236 ie_start = mgmt->u.assoc_req.variable;
3237 ie = ie_start;
3238
3239 /*
3240 * Find FILS Session element which is the last unencrypted element in
3241 * the frame.
3242 */
3243 session = wpa_fils_validate_fils_session(sm, ie, end - ie,
3244 fils_session);
3245 if (!session) {
3246 wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
3247 return -1;
3248 }
3249
3250 crypt = session + 2 + session[1];
3251
3252 if (end - crypt < AES_BLOCK_SIZE) {
3253 wpa_printf(MSG_DEBUG,
3254 "FILS: Too short frame to include AES-SIV data");
3255 return -1;
3256 }
3257
3258 /* AES-SIV AAD vectors */
3259
3260 /* The STA's MAC address */
3261 aad[0] = mgmt->sa;
3262 aad_len[0] = ETH_ALEN;
3263 /* The AP's BSSID */
3264 aad[1] = mgmt->da;
3265 aad_len[1] = ETH_ALEN;
3266 /* The STA's nonce */
3267 aad[2] = sm->SNonce;
3268 aad_len[2] = FILS_NONCE_LEN;
3269 /* The AP's nonce */
3270 aad[3] = sm->ANonce;
3271 aad_len[3] = FILS_NONCE_LEN;
3272 /*
3273 * The (Re)Association Request frame from the Capability Information
3274 * field to the FILS Session element (both inclusive).
3275 */
3276 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
3277 aad_len[4] = crypt - aad[4];
3278
3279 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
3280 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
3281 wpa_printf(MSG_DEBUG,
3282 "FILS: Invalid AES-SIV data in the frame");
3283 return -1;
3284 }
3285 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
3286 pos, left - AES_BLOCK_SIZE);
3287
3288 if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
3289 wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
3290 return -1;
3291 }
3292
3293 return left - AES_BLOCK_SIZE;
3294 }
3295
3296
3297 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
3298 size_t current_len, size_t max_len,
3299 const struct wpabuf *hlp)
3300 {
3301 u8 *end = buf + max_len;
3302 u8 *pos = buf + current_len;
3303 struct ieee80211_mgmt *mgmt;
3304 struct wpabuf *plain;
3305 const u8 *aad[5];
3306 size_t aad_len[5];
3307
3308 if (!sm || !sm->PTK_valid)
3309 return -1;
3310
3311 wpa_hexdump(MSG_DEBUG,
3312 "FILS: Association Response frame before FILS processing",
3313 buf, current_len);
3314
3315 mgmt = (struct ieee80211_mgmt *) buf;
3316
3317 /* AES-SIV AAD vectors */
3318
3319 /* The AP's BSSID */
3320 aad[0] = mgmt->sa;
3321 aad_len[0] = ETH_ALEN;
3322 /* The STA's MAC address */
3323 aad[1] = mgmt->da;
3324 aad_len[1] = ETH_ALEN;
3325 /* The AP's nonce */
3326 aad[2] = sm->ANonce;
3327 aad_len[2] = FILS_NONCE_LEN;
3328 /* The STA's nonce */
3329 aad[3] = sm->SNonce;
3330 aad_len[3] = FILS_NONCE_LEN;
3331 /*
3332 * The (Re)Association Response frame from the Capability Information
3333 * field (the same offset in both Association and Reassociation
3334 * Response frames) to the FILS Session element (both inclusive).
3335 */
3336 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
3337 aad_len[4] = pos - aad[4];
3338
3339 /* The following elements will be encrypted with AES-SIV */
3340 plain = fils_prepare_plainbuf(sm, hlp);
3341 if (!plain) {
3342 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
3343 return -1;
3344 }
3345
3346 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
3347 wpa_printf(MSG_DEBUG,
3348 "FILS: Not enough room for FILS elements");
3349 wpabuf_clear_free(plain);
3350 return -1;
3351 }
3352
3353 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
3354 plain);
3355
3356 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
3357 wpabuf_head(plain), wpabuf_len(plain),
3358 5, aad, aad_len, pos) < 0) {
3359 wpabuf_clear_free(plain);
3360 return -1;
3361 }
3362
3363 wpa_hexdump(MSG_DEBUG,
3364 "FILS: Encrypted Association Response elements",
3365 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
3366 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
3367 wpabuf_clear_free(plain);
3368
3369 sm->fils_completed = 1;
3370
3371 return current_len;
3372 }
3373
3374
3375 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
3376 const struct wpabuf *hlp)
3377 {
3378 struct wpabuf *plain;
3379 u8 *len, *tmp, *tmp2;
3380 u8 hdr[2];
3381 u8 *gtk, stub_gtk[32];
3382 size_t gtk_len;
3383 struct wpa_group *gsm;
3384 size_t plain_len;
3385 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
3386
3387 plain_len = 1000 + ieee80211w_kde_len(sm);
3388 if (conf->transition_disable)
3389 plain_len += 2 + RSN_SELECTOR_LEN + 1;
3390 plain = wpabuf_alloc(plain_len);
3391 if (!plain)
3392 return NULL;
3393
3394 /* TODO: FILS Public Key */
3395
3396 /* FILS Key Confirmation */
3397 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
3398 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
3399 /* Element ID Extension */
3400 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
3401 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
3402
3403 /* FILS HLP Container */
3404 if (hlp)
3405 wpabuf_put_buf(plain, hlp);
3406
3407 /* TODO: FILS IP Address Assignment */
3408
3409 /* Key Delivery */
3410 gsm = sm->group;
3411 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
3412 len = wpabuf_put(plain, 1);
3413 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
3414 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
3415 wpabuf_put(plain, WPA_KEY_RSC_LEN));
3416 /* GTK KDE */
3417 gtk = gsm->GTK[gsm->GN - 1];
3418 gtk_len = gsm->GTK_len;
3419 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
3420 /*
3421 * Provide unique random GTK to each STA to prevent use
3422 * of GTK in the BSS.
3423 */
3424 if (random_get_bytes(stub_gtk, gtk_len) < 0) {
3425 wpabuf_clear_free(plain);
3426 return NULL;
3427 }
3428 gtk = stub_gtk;
3429 }
3430 hdr[0] = gsm->GN & 0x03;
3431 hdr[1] = 0;
3432 tmp = wpabuf_put(plain, 0);
3433 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3434 gtk, gtk_len);
3435 wpabuf_put(plain, tmp2 - tmp);
3436
3437 /* IGTK KDE and BIGTK KDE */
3438 tmp = wpabuf_put(plain, 0);
3439 tmp2 = ieee80211w_kde_add(sm, tmp);
3440 wpabuf_put(plain, tmp2 - tmp);
3441
3442 if (conf->transition_disable) {
3443 tmp = wpabuf_put(plain, 0);
3444 tmp2 = wpa_add_kde(tmp, WFA_KEY_DATA_TRANSITION_DISABLE,
3445 &conf->transition_disable, 1, NULL, 0);
3446 wpabuf_put(plain, tmp2 - tmp);
3447 }
3448
3449 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
3450
3451 #ifdef CONFIG_OCV
3452 if (wpa_auth_uses_ocv(sm)) {
3453 struct wpa_channel_info ci;
3454 u8 *pos;
3455
3456 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
3457 wpa_printf(MSG_WARNING,
3458 "FILS: Failed to get channel info for OCI element");
3459 wpabuf_clear_free(plain);
3460 return NULL;
3461 }
3462 #ifdef CONFIG_TESTING_OPTIONS
3463 if (conf->oci_freq_override_fils_assoc) {
3464 wpa_printf(MSG_INFO,
3465 "TEST: Override OCI frequency %d -> %u MHz",
3466 ci.frequency,
3467 conf->oci_freq_override_fils_assoc);
3468 ci.frequency = conf->oci_freq_override_fils_assoc;
3469 }
3470 #endif /* CONFIG_TESTING_OPTIONS */
3471
3472 pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
3473 if (ocv_insert_extended_oci(&ci, pos) < 0) {
3474 wpabuf_clear_free(plain);
3475 return NULL;
3476 }
3477 }
3478 #endif /* CONFIG_OCV */
3479
3480 return plain;
3481 }
3482
3483
3484 int fils_set_tk(struct wpa_state_machine *sm)
3485 {
3486 enum wpa_alg alg;
3487 int klen;
3488
3489 if (!sm || !sm->PTK_valid) {
3490 wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
3491 return -1;
3492 }
3493 if (sm->tk_already_set) {
3494 wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
3495 return -1;
3496 }
3497
3498 alg = wpa_cipher_to_alg(sm->pairwise);
3499 klen = wpa_cipher_key_len(sm->pairwise);
3500
3501 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
3502 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
3503 sm->PTK.tk, klen, KEY_FLAG_PAIRWISE_RX_TX)) {
3504 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
3505 return -1;
3506 }
3507
3508 #ifdef CONFIG_PASN
3509 if (sm->wpa_auth->conf.secure_ltf &&
3510 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
3511 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
3512 sm->PTK.ltf_keyseed,
3513 sm->PTK.ltf_keyseed_len)) {
3514 wpa_printf(MSG_ERROR,
3515 "FILS: Failed to set LTF keyseed to driver");
3516 return -1;
3517 }
3518 #endif /* CONFIG_PASN */
3519
3520 sm->pairwise_set = true;
3521 sm->tk_already_set = true;
3522
3523 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise,
3524 dot11RSNAConfigPMKLifetime, &sm->PTK);
3525
3526 return 0;
3527 }
3528
3529
3530 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
3531 const u8 *fils_session, struct wpabuf *hlp)
3532 {
3533 struct wpabuf *plain;
3534 u8 *pos = buf;
3535
3536 /* FILS Session */
3537 *pos++ = WLAN_EID_EXTENSION; /* Element ID */
3538 *pos++ = 1 + FILS_SESSION_LEN; /* Length */
3539 *pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
3540 os_memcpy(pos, fils_session, FILS_SESSION_LEN);
3541 pos += FILS_SESSION_LEN;
3542
3543 plain = fils_prepare_plainbuf(sm, hlp);
3544 if (!plain) {
3545 wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
3546 return NULL;
3547 }
3548
3549 os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
3550 pos += wpabuf_len(plain);
3551
3552 wpa_printf(MSG_DEBUG, "%s: plain buf_len: %zu", __func__,
3553 wpabuf_len(plain));
3554 wpabuf_clear_free(plain);
3555 sm->fils_completed = 1;
3556 return pos;
3557 }
3558
3559 #endif /* CONFIG_FILS */
3560
3561
3562 #ifdef CONFIG_OCV
3563 int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
3564 int ap_seg1_idx, int *bandwidth, int *seg1_idx)
3565 {
3566 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3567
3568 if (!wpa_auth->cb->get_sta_tx_params)
3569 return -1;
3570 return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
3571 ap_max_chanwidth, ap_seg1_idx,
3572 bandwidth, seg1_idx);
3573 }
3574 #endif /* CONFIG_OCV */
3575
3576
3577 static int wpa_auth_validate_ml_kdes_m2(struct wpa_state_machine *sm,
3578 struct wpa_eapol_ie_parse *kde)
3579 {
3580 #ifdef CONFIG_IEEE80211BE
3581 int i;
3582 unsigned int n_links = 0;
3583
3584 if (sm->mld_assoc_link_id < 0)
3585 return 0;
3586
3587 /* MLD MAC address must be the same */
3588 if (!kde->mac_addr ||
3589 !ether_addr_equal(kde->mac_addr, sm->peer_mld_addr)) {
3590 wpa_printf(MSG_DEBUG, "RSN: MLD: Invalid MLD address");
3591 return -1;
3592 }
3593
3594 /* Find matching link ID and the MAC address for each link */
3595 for_each_link(kde->valid_mlo_links, i) {
3596 /*
3597 * Each entry should contain the link information and the MAC
3598 * address.
3599 */
3600 if (kde->mlo_link_len[i] != 1 + ETH_ALEN) {
3601 wpa_printf(MSG_DEBUG,
3602 "RSN: MLD: Invalid MLO Link (ID %u) KDE len=%zu",
3603 i, kde->mlo_link_len[i]);
3604 return -1;
3605 }
3606
3607 if (!sm->mld_links[i].valid || i == sm->mld_assoc_link_id) {
3608 wpa_printf(MSG_DEBUG,
3609 "RSN: MLD: Invalid link ID=%u", i);
3610 return -1;
3611 }
3612
3613 if (!ether_addr_equal(sm->mld_links[i].peer_addr,
3614 kde->mlo_link[i] + 1)) {
3615 wpa_printf(MSG_DEBUG,
3616 "RSN: MLD: invalid MAC address=" MACSTR
3617 " expected " MACSTR " (link ID %u)",
3618 MAC2STR(kde->mlo_link[i] + 1),
3619 MAC2STR(sm->mld_links[i].peer_addr), i);
3620 return -1;
3621 }
3622
3623 n_links++;
3624 }
3625
3626 /* Must have the same number of MLO links (excluding the local one) */
3627 if (n_links != sm->n_mld_affiliated_links) {
3628 wpa_printf(MSG_DEBUG,
3629 "RSN: MLD: Expecting %u MLD links in msg 2, but got %u",
3630 sm->n_mld_affiliated_links, n_links);
3631 return -1;
3632 }
3633 #endif /* CONFIG_IEEE80211BE */
3634
3635 return 0;
3636 }
3637
3638
3639 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
3640 {
3641 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3642 struct wpa_ptk PTK;
3643 int ok = 0, psk_found = 0;
3644 const u8 *pmk = NULL;
3645 size_t pmk_len;
3646 int ft;
3647 const u8 *eapol_key_ie, *key_data, *mic;
3648 u16 key_info, ver, key_data_length;
3649 size_t mic_len, eapol_key_ie_len;
3650 struct ieee802_1x_hdr *hdr;
3651 struct wpa_eapol_key *key;
3652 struct wpa_eapol_ie_parse kde;
3653 int vlan_id = 0;
3654 int owe_ptk_workaround = !!wpa_auth->conf.owe_ptk_workaround;
3655 u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
3656 u8 pmk_r1[PMK_LEN_MAX];
3657 size_t key_len;
3658 u8 *key_data_buf = NULL;
3659 size_t key_data_buf_len = 0;
3660 bool derive_kdk, no_kdk = false;
3661
3662 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
3663 sm->EAPOLKeyReceived = false;
3664 sm->update_snonce = false;
3665 os_memset(&PTK, 0, sizeof(PTK));
3666
3667 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
3668
3669 derive_kdk = sm->wpa_auth->conf.secure_ltf &&
3670 ieee802_11_rsnx_capab(sm->rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF);
3671
3672 /* WPA with IEEE 802.1X: use the derived PMK from EAP
3673 * WPA-PSK: iterate through possible PSKs and select the one matching
3674 * the packet */
3675 for (;;) {
3676 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
3677 !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
3678 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
3679 sm->p2p_dev_addr, pmk, &pmk_len,
3680 &vlan_id);
3681 if (!pmk)
3682 break;
3683 psk_found = 1;
3684 #ifdef CONFIG_IEEE80211R_AP
3685 if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
3686 os_memcpy(sm->xxkey, pmk, pmk_len);
3687 sm->xxkey_len = pmk_len;
3688 }
3689 #endif /* CONFIG_IEEE80211R_AP */
3690 } else {
3691 pmk = sm->PMK;
3692 pmk_len = sm->pmk_len;
3693 }
3694
3695 if ((!pmk || !pmk_len) && sm->pmksa) {
3696 wpa_printf(MSG_DEBUG, "WPA: Use PMK from PMKSA cache");
3697 pmk = sm->pmksa->pmk;
3698 pmk_len = sm->pmksa->pmk_len;
3699 }
3700
3701 no_kdk = false;
3702 try_without_kdk:
3703 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK,
3704 owe_ptk_workaround == 2, pmk_r0, pmk_r1,
3705 pmk_r0_name, &key_len, no_kdk) < 0)
3706 break;
3707
3708 if (mic_len &&
3709 wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
3710 sm->last_rx_eapol_key,
3711 sm->last_rx_eapol_key_len) == 0) {
3712 if (sm->PMK != pmk) {
3713 os_memcpy(sm->PMK, pmk, pmk_len);
3714 sm->pmk_len = pmk_len;
3715 }
3716 ok = 1;
3717 break;
3718 }
3719
3720 #ifdef CONFIG_FILS
3721 if (!mic_len &&
3722 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
3723 sm->last_rx_eapol_key_len, NULL) == 0) {
3724 ok = 1;
3725 break;
3726 }
3727 #endif /* CONFIG_FILS */
3728
3729 #ifdef CONFIG_OWE
3730 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && pmk_len > 32 &&
3731 owe_ptk_workaround == 1) {
3732 wpa_printf(MSG_DEBUG,
3733 "OWE: Try PTK derivation workaround with SHA256");
3734 owe_ptk_workaround = 2;
3735 continue;
3736 }
3737 #endif /* CONFIG_OWE */
3738
3739 /* Some deployed STAs that advertise SecureLTF support in the
3740 * RSNXE in (Re)Association Request frames, do not derive KDK
3741 * during PTK generation. Try to work around this by checking if
3742 * a PTK derived without KDK would result in a matching MIC. */
3743 if (!sm->wpa_auth->conf.force_kdk_derivation &&
3744 derive_kdk && !no_kdk) {
3745 wpa_printf(MSG_DEBUG,
3746 "Try new PTK derivation without KDK as a workaround");
3747 no_kdk = true;
3748 goto try_without_kdk;
3749 }
3750
3751 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3752 wpa_key_mgmt_sae(sm->wpa_key_mgmt))
3753 break;
3754 }
3755
3756 if (no_kdk && ok) {
3757 /* The workaround worked, so allow the 4-way handshake to be
3758 * completed with the PTK that was derived without the KDK. */
3759 wpa_printf(MSG_DEBUG,
3760 "PTK without KDK worked - misbehaving STA "
3761 MACSTR, MAC2STR(sm->addr));
3762 }
3763
3764 if (!ok && wpa_key_mgmt_wpa_psk_no_sae(sm->wpa_key_mgmt) &&
3765 wpa_auth->conf.radius_psk && wpa_auth->cb->request_radius_psk &&
3766 !sm->waiting_radius_psk) {
3767 wpa_printf(MSG_DEBUG, "No PSK available - ask RADIUS server");
3768 wpa_auth->cb->request_radius_psk(wpa_auth->cb_ctx, sm->addr,
3769 sm->wpa_key_mgmt,
3770 sm->ANonce,
3771 sm->last_rx_eapol_key,
3772 sm->last_rx_eapol_key_len);
3773 sm->waiting_radius_psk = 1;
3774 goto out;
3775 }
3776
3777 if (!ok) {
3778 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
3779 LOGGER_DEBUG,
3780 "invalid MIC in msg 2/4 of 4-Way Handshake");
3781 if (psk_found)
3782 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
3783 goto out;
3784 }
3785
3786 /*
3787 * Note: last_rx_eapol_key length fields have already been validated in
3788 * wpa_receive().
3789 */
3790 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
3791 key = (struct wpa_eapol_key *) (hdr + 1);
3792 mic = (u8 *) (key + 1);
3793 key_info = WPA_GET_BE16(key->key_info);
3794 key_data = mic + mic_len + 2;
3795 key_data_length = WPA_GET_BE16(mic + mic_len);
3796 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
3797 sizeof(*key) - mic_len - 2)
3798 goto out;
3799
3800 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3801 if (mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3802 if (ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3803 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3804 !wpa_use_aes_key_wrap(sm->wpa_key_mgmt)) {
3805 wpa_printf(MSG_INFO,
3806 "Unsupported EAPOL-Key Key Data field encryption");
3807 goto out;
3808 }
3809
3810 if (key_data_length < 8 || key_data_length % 8) {
3811 wpa_printf(MSG_INFO,
3812 "RSN: Unsupported AES-WRAP len %u",
3813 key_data_length);
3814 goto out;
3815 }
3816 key_data_length -= 8; /* AES-WRAP adds 8 bytes */
3817 key_data_buf = os_malloc(key_data_length);
3818 if (!key_data_buf)
3819 goto out;
3820 key_data_buf_len = key_data_length;
3821 if (aes_unwrap(PTK.kek, PTK.kek_len, key_data_length / 8,
3822 key_data, key_data_buf)) {
3823 bin_clear_free(key_data_buf, key_data_buf_len);
3824 wpa_printf(MSG_INFO,
3825 "RSN: AES unwrap failed - could not decrypt EAPOL-Key key data");
3826 goto out;
3827 }
3828 key_data = key_data_buf;
3829 wpa_hexdump_key(MSG_DEBUG, "RSN: Decrypted EAPOL-Key Key Data",
3830 key_data, key_data_length);
3831 }
3832
3833 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
3834 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3835 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
3836 goto out;
3837 }
3838 if (kde.rsn_ie) {
3839 eapol_key_ie = kde.rsn_ie;
3840 eapol_key_ie_len = kde.rsn_ie_len;
3841 } else if (kde.osen) {
3842 eapol_key_ie = kde.osen;
3843 eapol_key_ie_len = kde.osen_len;
3844 } else {
3845 eapol_key_ie = kde.wpa_ie;
3846 eapol_key_ie_len = kde.wpa_ie_len;
3847 }
3848 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
3849 if (!sm->wpa_ie ||
3850 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
3851 eapol_key_ie, eapol_key_ie_len)) {
3852 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3853 "WPA IE from (Re)AssocReq did not match with msg 2/4");
3854 if (sm->wpa_ie) {
3855 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
3856 sm->wpa_ie, sm->wpa_ie_len);
3857 }
3858 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
3859 eapol_key_ie, eapol_key_ie_len);
3860 /* MLME-DEAUTHENTICATE.request */
3861 wpa_sta_disconnect(wpa_auth, sm->addr,
3862 WLAN_REASON_PREV_AUTH_NOT_VALID);
3863 goto out;
3864 }
3865 if ((!sm->rsnxe && kde.rsnxe) ||
3866 (sm->rsnxe && !kde.rsnxe) ||
3867 (sm->rsnxe && kde.rsnxe &&
3868 (sm->rsnxe_len != kde.rsnxe_len ||
3869 os_memcmp(sm->rsnxe, kde.rsnxe, sm->rsnxe_len) != 0))) {
3870 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3871 "RSNXE from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
3872 wpa_hexdump(MSG_DEBUG, "RSNXE in AssocReq",
3873 sm->rsnxe, sm->rsnxe_len);
3874 wpa_hexdump(MSG_DEBUG, "RSNXE in EAPOL-Key msg 2/4",
3875 kde.rsnxe, kde.rsnxe_len);
3876 /* MLME-DEAUTHENTICATE.request */
3877 wpa_sta_disconnect(wpa_auth, sm->addr,
3878 WLAN_REASON_PREV_AUTH_NOT_VALID);
3879 goto out;
3880 }
3881 #ifdef CONFIG_OCV
3882 if (wpa_auth_uses_ocv(sm)) {
3883 struct wpa_channel_info ci;
3884 int tx_chanwidth;
3885 int tx_seg1_idx;
3886 enum oci_verify_result res;
3887
3888 if (wpa_channel_info(wpa_auth, &ci) != 0) {
3889 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
3890 LOGGER_INFO,
3891 "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
3892 goto out;
3893 }
3894
3895 if (get_sta_tx_parameters(sm,
3896 channel_width_to_int(ci.chanwidth),
3897 ci.seg1_idx, &tx_chanwidth,
3898 &tx_seg1_idx) < 0)
3899 goto out;
3900
3901 res = ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
3902 tx_chanwidth, tx_seg1_idx);
3903 if (wpa_auth_uses_ocv(sm) == 2 && res == OCI_NOT_FOUND) {
3904 /* Work around misbehaving STAs */
3905 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
3906 LOGGER_INFO,
3907 "Disable OCV with a STA that does not send OCI");
3908 wpa_auth_set_ocv(sm, 0);
3909 } else if (res != OCI_SUCCESS) {
3910 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
3911 LOGGER_INFO,
3912 "OCV failed: %s", ocv_errorstr);
3913 if (wpa_auth->conf.msg_ctx)
3914 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO,
3915 OCV_FAILURE "addr=" MACSTR
3916 " frame=eapol-key-m2 error=%s",
3917 MAC2STR(wpa_auth_get_spa(sm)),
3918 ocv_errorstr);
3919 goto out;
3920 }
3921 }
3922 #endif /* CONFIG_OCV */
3923 #ifdef CONFIG_IEEE80211R_AP
3924 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
3925 wpa_sta_disconnect(wpa_auth, sm->addr,
3926 WLAN_REASON_PREV_AUTH_NOT_VALID);
3927 goto out;
3928 }
3929 #endif /* CONFIG_IEEE80211R_AP */
3930
3931 /* Verify RSN Selection element for RSN overriding */
3932 if ((wpa_auth->conf.rsn_override_key_mgmt ||
3933 wpa_auth->conf.rsn_override_key_mgmt_2) &&
3934 ((rsn_is_snonce_cookie(sm->SNonce) && !kde.rsn_selection) ||
3935 (!rsn_is_snonce_cookie(sm->SNonce) && kde.rsn_selection) ||
3936 (sm->rsn_selection && !kde.rsn_selection) ||
3937 (!sm->rsn_selection && kde.rsn_selection) ||
3938 (sm->rsn_selection && kde.rsn_selection &&
3939 (sm->rsn_selection_len != kde.rsn_selection_len ||
3940 os_memcmp(sm->rsn_selection, kde.rsn_selection,
3941 sm->rsn_selection_len) != 0)))) {
3942 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
3943 "RSN Selection element from (Re)AssocReq did not match the one in EAPOL-Key msg 2/4");
3944 wpa_printf(MSG_DEBUG,
3945 "SNonce cookie for RSN overriding %sused",
3946 rsn_is_snonce_cookie(sm->SNonce) ? "" : "not ");
3947 wpa_hexdump(MSG_DEBUG, "RSN Selection in AssocReq",
3948 sm->rsn_selection, sm->rsn_selection_len);
3949 wpa_hexdump(MSG_DEBUG, "RSN Selection in EAPOL-Key msg 2/4",
3950 kde.rsn_selection, kde.rsn_selection_len);
3951 /* MLME-DEAUTHENTICATE.request */
3952 wpa_sta_disconnect(wpa_auth, sm->addr,
3953 WLAN_REASON_PREV_AUTH_NOT_VALID);
3954 goto out;
3955
3956 }
3957
3958 #ifdef CONFIG_P2P
3959 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
3960 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
3961 int idx;
3962 wpa_printf(MSG_DEBUG,
3963 "P2P: IP address requested in EAPOL-Key exchange");
3964 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
3965 if (idx >= 0) {
3966 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
3967 bitfield_set(wpa_auth->ip_pool, idx);
3968 sm->ip_addr_bit = idx;
3969 WPA_PUT_BE32(sm->ip_addr, start + idx);
3970 wpa_printf(MSG_DEBUG,
3971 "P2P: Assigned IP address %u.%u.%u.%u to "
3972 MACSTR " (bit %u)",
3973 sm->ip_addr[0], sm->ip_addr[1],
3974 sm->ip_addr[2], sm->ip_addr[3],
3975 MAC2STR(wpa_auth_get_spa(sm)),
3976 sm->ip_addr_bit);
3977 }
3978 }
3979 #endif /* CONFIG_P2P */
3980
3981 #ifdef CONFIG_DPP2
3982 if (DPP_VERSION > 1 && kde.dpp_kde) {
3983 wpa_printf(MSG_DEBUG,
3984 "DPP: peer Protocol Version %u Flags 0x%x",
3985 kde.dpp_kde[0], kde.dpp_kde[1]);
3986 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP &&
3987 wpa_auth->conf.dpp_pfs != 2 &&
3988 (kde.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) &&
3989 !sm->dpp_z) {
3990 wpa_printf(MSG_INFO,
3991 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
3992 wpa_sta_disconnect(wpa_auth, sm->addr,
3993 WLAN_REASON_PREV_AUTH_NOT_VALID);
3994 goto out;
3995 }
3996 }
3997 #endif /* CONFIG_DPP2 */
3998
3999 if (wpa_auth_validate_ml_kdes_m2(sm, &kde) < 0) {
4000 wpa_sta_disconnect(wpa_auth, sm->addr,
4001 WLAN_REASON_PREV_AUTH_NOT_VALID);
4002 return;
4003 }
4004
4005 if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
4006 wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
4007 wpa_sta_disconnect(wpa_auth, sm->addr,
4008 WLAN_REASON_PREV_AUTH_NOT_VALID);
4009 goto out;
4010 }
4011
4012 sm->pending_1_of_4_timeout = 0;
4013 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
4014
4015 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) && sm->PMK != pmk) {
4016 /* PSK may have changed from the previous choice, so update
4017 * state machine data based on whatever PSK was selected here.
4018 */
4019 os_memcpy(sm->PMK, pmk, PMK_LEN);
4020 sm->pmk_len = PMK_LEN;
4021 }
4022
4023 sm->MICVerified = true;
4024
4025 #ifdef CONFIG_IEEE80211R_AP
4026 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && !sm->ft_completed) {
4027 wpa_printf(MSG_DEBUG, "FT: Store PMK-R0/PMK-R1");
4028 wpa_auth_ft_store_keys(sm, pmk_r0, pmk_r1, pmk_r0_name,
4029 key_len);
4030 }
4031 #endif /* CONFIG_IEEE80211R_AP */
4032
4033 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
4034 forced_memzero(&PTK, sizeof(PTK));
4035 sm->PTK_valid = true;
4036 out:
4037 forced_memzero(pmk_r0, sizeof(pmk_r0));
4038 forced_memzero(pmk_r1, sizeof(pmk_r1));
4039 bin_clear_free(key_data_buf, key_data_buf_len);
4040 }
4041
4042
4043 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
4044 {
4045 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
4046 sm->TimeoutCtr = 0;
4047 }
4048
4049
4050 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
4051 {
4052 size_t len = 0;
4053 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
4054
4055 if (sm->mgmt_frame_prot) {
4056 len += 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN;
4057 len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4058 }
4059
4060 if (wpa_auth->conf.tx_bss_auth)
4061 wpa_auth = wpa_auth->conf.tx_bss_auth;
4062 if (sm->mgmt_frame_prot && sm->wpa_auth->conf.beacon_prot) {
4063 len += 2 + RSN_SELECTOR_LEN + WPA_BIGTK_KDE_PREFIX_LEN;
4064 len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4065 }
4066
4067 return len;
4068 }
4069
4070
4071 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
4072 {
4073 struct wpa_igtk_kde igtk;
4074 struct wpa_bigtk_kde bigtk;
4075 struct wpa_group *gsm = sm->group;
4076 u8 rsc[WPA_KEY_RSC_LEN];
4077 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
4078 struct wpa_auth_config *conf = &wpa_auth->conf;
4079 size_t len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4080
4081 if (!sm->mgmt_frame_prot)
4082 return pos;
4083
4084 #ifdef CONFIG_IEEE80211BE
4085 if (sm->mld_assoc_link_id >= 0)
4086 return pos; /* Use per-link MLO KDEs instead */
4087 #endif /* CONFIG_IEEE80211BE */
4088
4089 igtk.keyid[0] = gsm->GN_igtk;
4090 igtk.keyid[1] = 0;
4091 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
4092 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
4093 os_memset(igtk.pn, 0, sizeof(igtk.pn));
4094 else
4095 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
4096 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
4097 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4098 /*
4099 * Provide unique random IGTK to each STA to prevent use of
4100 * IGTK in the BSS.
4101 */
4102 if (random_get_bytes(igtk.igtk, len) < 0)
4103 return pos;
4104 }
4105 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
4106 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
4107 NULL, 0);
4108 forced_memzero(&igtk, sizeof(igtk));
4109
4110 if (wpa_auth->conf.tx_bss_auth) {
4111 wpa_auth = wpa_auth->conf.tx_bss_auth;
4112 conf = &wpa_auth->conf;
4113 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
4114 gsm = wpa_auth->group;
4115 }
4116
4117 if (!sm->wpa_auth->conf.beacon_prot)
4118 return pos;
4119
4120 bigtk.keyid[0] = gsm->GN_bigtk;
4121 bigtk.keyid[1] = 0;
4122 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
4123 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_bigtk, rsc) < 0)
4124 os_memset(bigtk.pn, 0, sizeof(bigtk.pn));
4125 else
4126 os_memcpy(bigtk.pn, rsc, sizeof(bigtk.pn));
4127 os_memcpy(bigtk.bigtk, gsm->BIGTK[gsm->GN_bigtk - 6], len);
4128 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4129 /*
4130 * Provide unique random BIGTK to each OSEN STA to prevent use
4131 * of BIGTK in the BSS.
4132 */
4133 if (random_get_bytes(bigtk.bigtk, len) < 0)
4134 return pos;
4135 }
4136 pos = wpa_add_kde(pos, RSN_KEY_DATA_BIGTK,
4137 (const u8 *) &bigtk, WPA_BIGTK_KDE_PREFIX_LEN + len,
4138 NULL, 0);
4139 forced_memzero(&bigtk, sizeof(bigtk));
4140
4141 return pos;
4142 }
4143
4144
4145 static int ocv_oci_len(struct wpa_state_machine *sm)
4146 {
4147 #ifdef CONFIG_OCV
4148 if (wpa_auth_uses_ocv(sm))
4149 return OCV_OCI_KDE_LEN;
4150 #endif /* CONFIG_OCV */
4151 return 0;
4152 }
4153
4154
4155 static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos,
4156 unsigned int freq)
4157 {
4158 #ifdef CONFIG_OCV
4159 struct wpa_channel_info ci;
4160
4161 if (!wpa_auth_uses_ocv(sm))
4162 return 0;
4163
4164 if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
4165 wpa_printf(MSG_WARNING,
4166 "Failed to get channel info for OCI element");
4167 return -1;
4168 }
4169 #ifdef CONFIG_TESTING_OPTIONS
4170 if (freq) {
4171 wpa_printf(MSG_INFO,
4172 "TEST: Override OCI KDE frequency %d -> %u MHz",
4173 ci.frequency, freq);
4174 ci.frequency = freq;
4175 }
4176 #endif /* CONFIG_TESTING_OPTIONS */
4177
4178 return ocv_insert_oci_kde(&ci, argpos);
4179 #else /* CONFIG_OCV */
4180 return 0;
4181 #endif /* CONFIG_OCV */
4182 }
4183
4184
4185 #ifdef CONFIG_TESTING_OPTIONS
4186 static u8 * replace_ie(const char *name, const u8 *old_buf, size_t *len, u8 eid,
4187 const u8 *ie, size_t ie_len)
4188 {
4189 const u8 *elem;
4190 u8 *buf;
4191
4192 wpa_printf(MSG_DEBUG, "TESTING: %s EAPOL override", name);
4193 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie before override",
4194 old_buf, *len);
4195 buf = os_malloc(*len + ie_len);
4196 if (!buf)
4197 return NULL;
4198 os_memcpy(buf, old_buf, *len);
4199 elem = get_ie(buf, *len, eid);
4200 if (elem) {
4201 u8 elem_len = 2 + elem[1];
4202
4203 os_memmove((void *) elem, elem + elem_len,
4204 *len - (elem - buf) - elem_len);
4205 *len -= elem_len;
4206 }
4207 os_memcpy(buf + *len, ie, ie_len);
4208 *len += ie_len;
4209 wpa_hexdump(MSG_DEBUG, "TESTING: wpa_ie after EAPOL override",
4210 buf, *len);
4211
4212 return buf;
4213 }
4214 #endif /* CONFIG_TESTING_OPTIONS */
4215
4216
4217 #ifdef CONFIG_IEEE80211BE
4218
4219 void wpa_auth_ml_get_key_info(struct wpa_authenticator *a,
4220 struct wpa_auth_ml_link_key_info *info,
4221 bool mgmt_frame_prot, bool beacon_prot,
4222 bool rekey)
4223 {
4224 struct wpa_group *gsm = a->group;
4225 u8 rsc[WPA_KEY_RSC_LEN];
4226
4227 wpa_printf(MSG_DEBUG,
4228 "MLD: Get group key info: link_id=%u, IGTK=%u, BIGTK=%u",
4229 info->link_id, mgmt_frame_prot, beacon_prot);
4230
4231 info->gtkidx = gsm->GN & 0x03;
4232 info->gtk = gsm->GTK[gsm->GN - 1];
4233 info->gtk_len = gsm->GTK_len;
4234
4235 if (rekey || wpa_auth_get_seqnum(a, NULL, gsm->GN, rsc) < 0)
4236 os_memset(info->pn, 0, sizeof(info->pn));
4237 else
4238 os_memcpy(info->pn, rsc, sizeof(info->pn));
4239
4240 if (!mgmt_frame_prot)
4241 return;
4242
4243 info->igtkidx = gsm->GN_igtk;
4244 info->igtk = gsm->IGTK[gsm->GN_igtk - 4];
4245 info->igtk_len = wpa_cipher_key_len(a->conf.group_mgmt_cipher);
4246
4247 if (rekey || wpa_auth_get_seqnum(a, NULL, gsm->GN_igtk, rsc) < 0)
4248 os_memset(info->ipn, 0, sizeof(info->ipn));
4249 else
4250 os_memcpy(info->ipn, rsc, sizeof(info->ipn));
4251
4252 if (!beacon_prot)
4253 return;
4254
4255 if (a->conf.tx_bss_auth) {
4256 a = a->conf.tx_bss_auth;
4257 gsm = a->group;
4258 }
4259
4260 info->bigtkidx = gsm->GN_bigtk;
4261 info->bigtk = gsm->BIGTK[gsm->GN_bigtk - 6];
4262
4263 if (rekey || wpa_auth_get_seqnum(a, NULL, gsm->GN_bigtk, rsc) < 0)
4264 os_memset(info->bipn, 0, sizeof(info->bipn));
4265 else
4266 os_memcpy(info->bipn, rsc, sizeof(info->bipn));
4267 }
4268
4269
4270 static void wpa_auth_get_ml_key_info(struct wpa_authenticator *wpa_auth,
4271 struct wpa_auth_ml_key_info *info,
4272 bool rekey)
4273 {
4274 if (!wpa_auth->cb->get_ml_key_info)
4275 return;
4276
4277 wpa_auth->cb->get_ml_key_info(wpa_auth->cb_ctx, info, rekey);
4278 }
4279
4280
4281 static size_t wpa_auth_ml_group_kdes_len(struct wpa_state_machine *sm)
4282 {
4283 struct wpa_authenticator *wpa_auth;
4284 size_t kde_len = 0;
4285 int link_id;
4286
4287 if (sm->mld_assoc_link_id < 0)
4288 return 0;
4289
4290 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4291 if (!sm->mld_links[link_id].valid)
4292 continue;
4293
4294 wpa_auth = sm->mld_links[link_id].wpa_auth;
4295 if (!wpa_auth || !wpa_auth->group)
4296 continue;
4297
4298 /* MLO GTK KDE
4299 * Header + Key ID + Tx + LinkID + PN + GTK */
4300 kde_len += KDE_HDR_LEN + 1 + RSN_PN_LEN;
4301 kde_len += wpa_auth->group->GTK_len;
4302
4303 if (!sm->mgmt_frame_prot)
4304 continue;
4305
4306 if (wpa_auth->conf.tx_bss_auth)
4307 wpa_auth = wpa_auth->conf.tx_bss_auth;
4308
4309 /* MLO IGTK KDE
4310 * Header + Key ID + IPN + LinkID + IGTK */
4311 kde_len += KDE_HDR_LEN + WPA_IGTK_KDE_PREFIX_LEN + 1;
4312 kde_len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4313
4314 if (!wpa_auth->conf.beacon_prot)
4315 continue;
4316
4317 /* MLO BIGTK KDE
4318 * Header + Key ID + BIPN + LinkID + BIGTK */
4319 kde_len += KDE_HDR_LEN + WPA_BIGTK_KDE_PREFIX_LEN + 1;
4320 kde_len += wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
4321 }
4322
4323 wpa_printf(MSG_DEBUG, "MLO Group KDEs len = %zu", kde_len);
4324
4325 return kde_len;
4326 }
4327
4328
4329 static u8 * wpa_auth_ml_group_kdes(struct wpa_state_machine *sm, u8 *pos)
4330 {
4331 struct wpa_auth_ml_key_info ml_key_info;
4332 unsigned int i, link_id;
4333 u8 *start = pos;
4334 bool rekey = sm->wpa_ptk_group_state == WPA_PTK_GROUP_REKEYNEGOTIATING;
4335
4336 /* First fetch the key information from all the authenticators */
4337 os_memset(&ml_key_info, 0, sizeof(ml_key_info));
4338 ml_key_info.n_mld_links = sm->n_mld_affiliated_links + 1;
4339
4340 /*
4341 * Assume that management frame protection and beacon protection are the
4342 * same on all links.
4343 */
4344 ml_key_info.mgmt_frame_prot = sm->mgmt_frame_prot;
4345 ml_key_info.beacon_prot = sm->wpa_auth->conf.beacon_prot;
4346
4347 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4348 if (!sm->mld_links[link_id].valid)
4349 continue;
4350
4351 ml_key_info.links[i++].link_id = link_id;
4352 }
4353
4354 wpa_auth_get_ml_key_info(sm->wpa_auth, &ml_key_info, rekey);
4355
4356 /* Add MLO GTK KDEs */
4357 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4358 if (!sm->mld_links[link_id].valid ||
4359 !ml_key_info.links[i].gtk_len)
4360 continue;
4361
4362 wpa_printf(MSG_DEBUG, "RSN: MLO GTK: link=%u", link_id);
4363 wpa_hexdump_key(MSG_DEBUG, "RSN: MLO GTK",
4364 ml_key_info.links[i].gtk,
4365 ml_key_info.links[i].gtk_len);
4366
4367 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4368 *pos++ = RSN_SELECTOR_LEN + 1 + 6 +
4369 ml_key_info.links[i].gtk_len;
4370
4371 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_GTK);
4372 pos += RSN_SELECTOR_LEN;
4373
4374 *pos++ = (ml_key_info.links[i].gtkidx & 0x3) | (link_id << 4);
4375
4376 os_memcpy(pos, ml_key_info.links[i].pn, 6);
4377 pos += 6;
4378
4379 os_memcpy(pos, ml_key_info.links[i].gtk,
4380 ml_key_info.links[i].gtk_len);
4381 pos += ml_key_info.links[i].gtk_len;
4382
4383 i++;
4384 }
4385
4386 if (!sm->mgmt_frame_prot) {
4387 wpa_printf(MSG_DEBUG, "RSN: MLO Group KDE len = %ld",
4388 pos - start);
4389 return pos;
4390 }
4391
4392 /* Add MLO IGTK KDEs */
4393 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4394 if (!sm->mld_links[link_id].valid ||
4395 !ml_key_info.links[i].igtk_len)
4396 continue;
4397
4398 wpa_printf(MSG_DEBUG, "RSN: MLO IGTK: link=%u", link_id);
4399 wpa_hexdump_key(MSG_DEBUG, "RSN: MLO IGTK",
4400 ml_key_info.links[i].igtk,
4401 ml_key_info.links[i].igtk_len);
4402
4403 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4404 *pos++ = RSN_SELECTOR_LEN + 2 + 1 +
4405 sizeof(ml_key_info.links[i].ipn) +
4406 ml_key_info.links[i].igtk_len;
4407
4408 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_IGTK);
4409 pos += RSN_SELECTOR_LEN;
4410
4411 /* Add the Key ID */
4412 *pos++ = ml_key_info.links[i].igtkidx;
4413 *pos++ = 0;
4414
4415 /* Add the IPN */
4416 os_memcpy(pos, ml_key_info.links[i].ipn,
4417 sizeof(ml_key_info.links[i].ipn));
4418 pos += sizeof(ml_key_info.links[i].ipn);
4419
4420 *pos++ = ml_key_info.links[i].link_id << 4;
4421
4422 os_memcpy(pos, ml_key_info.links[i].igtk,
4423 ml_key_info.links[i].igtk_len);
4424 pos += ml_key_info.links[i].igtk_len;
4425
4426 i++;
4427 }
4428
4429 if (!sm->wpa_auth->conf.beacon_prot) {
4430 wpa_printf(MSG_DEBUG, "RSN: MLO Group KDE len = %ld",
4431 pos - start);
4432 return pos;
4433 }
4434
4435 /* Add MLO BIGTK KDEs */
4436 for (i = 0, link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4437 if (!sm->mld_links[link_id].valid ||
4438 !ml_key_info.links[i].bigtk ||
4439 !ml_key_info.links[i].igtk_len)
4440 continue;
4441
4442 wpa_printf(MSG_DEBUG, "RSN: MLO BIGTK: link=%u", link_id);
4443 wpa_hexdump_key(MSG_DEBUG, "RSN: MLO BIGTK",
4444 ml_key_info.links[i].bigtk,
4445 ml_key_info.links[i].igtk_len);
4446
4447 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4448 *pos++ = RSN_SELECTOR_LEN + 2 + 1 +
4449 sizeof(ml_key_info.links[i].bipn) +
4450 ml_key_info.links[i].igtk_len;
4451
4452 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_BIGTK);
4453 pos += RSN_SELECTOR_LEN;
4454
4455 /* Add the Key ID */
4456 *pos++ = ml_key_info.links[i].bigtkidx;
4457 *pos++ = 0;
4458
4459 /* Add the BIPN */
4460 os_memcpy(pos, ml_key_info.links[i].bipn,
4461 sizeof(ml_key_info.links[i].bipn));
4462 pos += sizeof(ml_key_info.links[i].bipn);
4463
4464 *pos++ = ml_key_info.links[i].link_id << 4;
4465
4466 os_memcpy(pos, ml_key_info.links[i].bigtk,
4467 ml_key_info.links[i].igtk_len);
4468 pos += ml_key_info.links[i].igtk_len;
4469
4470 i++;
4471 }
4472
4473 wpa_printf(MSG_DEBUG, "RSN: MLO Group KDE len = %ld", pos - start);
4474 return pos;
4475 }
4476
4477 #endif /* CONFIG_IEEE80211BE */
4478
4479
4480 static size_t wpa_auth_ml_kdes_len(struct wpa_state_machine *sm)
4481 {
4482 size_t kde_len = 0;
4483
4484 #ifdef CONFIG_IEEE80211BE
4485 unsigned int link_id;
4486
4487 if (sm->mld_assoc_link_id < 0)
4488 return 0;
4489
4490 /* For the MAC Address KDE */
4491 kde_len = 2 + RSN_SELECTOR_LEN + ETH_ALEN;
4492
4493 /* MLO Link KDE and RSN Override Link KDE for each link */
4494 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4495 struct wpa_authenticator *wpa_auth;
4496 const u8 *ie;
4497
4498 wpa_auth = wpa_get_link_auth(sm->wpa_auth, link_id);
4499 if (!wpa_auth)
4500 continue;
4501
4502 /* MLO Link KDE */
4503 kde_len += 2 + RSN_SELECTOR_LEN + 1 + ETH_ALEN;
4504
4505 ie = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4506 WLAN_EID_RSN);
4507 if (ie)
4508 kde_len += 2 + ie[1];
4509
4510 ie = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4511 WLAN_EID_RSNX);
4512 if (ie)
4513 kde_len += 2 + ie[1];
4514
4515 if (!rsn_is_snonce_cookie(sm->SNonce))
4516 continue;
4517
4518 /* RSN Override Link KDE */
4519 kde_len += 2 + RSN_SELECTOR_LEN + 1;
4520
4521 ie = get_vendor_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4522 RSNE_OVERRIDE_IE_VENDOR_TYPE);
4523 if (ie)
4524 kde_len += 2 + ie[1];
4525
4526 ie = get_vendor_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4527 RSNE_OVERRIDE_2_IE_VENDOR_TYPE);
4528 if (ie)
4529 kde_len += 2 + ie[1];
4530
4531 ie = get_vendor_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4532 RSNXE_OVERRIDE_IE_VENDOR_TYPE);
4533 if (ie)
4534 kde_len += 2 + ie[1];
4535 }
4536
4537 kde_len += wpa_auth_ml_group_kdes_len(sm);
4538 #endif /* CONFIG_IEEE80211BE */
4539
4540 return kde_len;
4541 }
4542
4543
4544 static u8 * wpa_auth_ml_kdes(struct wpa_state_machine *sm, u8 *pos)
4545 {
4546 #ifdef CONFIG_IEEE80211BE
4547 u8 link_id;
4548 u8 *start = pos;
4549
4550 if (sm->mld_assoc_link_id < 0)
4551 return pos;
4552
4553 wpa_printf(MSG_DEBUG, "RSN: MLD: Adding MAC Address KDE");
4554 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR,
4555 sm->wpa_auth->mld_addr, ETH_ALEN, NULL, 0);
4556
4557 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
4558 struct wpa_authenticator *wpa_auth;
4559 const u8 *rsne, *rsnxe, *rsnoe, *rsno2e, *rsnxoe;
4560 size_t rsne_len, rsnxe_len, rsnoe_len, rsno2e_len, rsnxoe_len;
4561 size_t kde_len;
4562
4563 wpa_auth = wpa_get_link_auth(sm->wpa_auth, link_id);
4564 if (!wpa_auth)
4565 continue;
4566
4567 rsne = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4568 WLAN_EID_RSN);
4569 rsne_len = rsne ? 2 + rsne[1] : 0;
4570
4571 rsnxe = get_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4572 WLAN_EID_RSNX);
4573 rsnxe_len = rsnxe ? 2 + rsnxe[1] : 0;
4574
4575 wpa_printf(MSG_DEBUG,
4576 "RSN: MLO Link: link=%u, len=%zu", link_id,
4577 RSN_SELECTOR_LEN + 1 + ETH_ALEN +
4578 rsne_len + rsnxe_len);
4579
4580 /* MLO Link KDE */
4581 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4582 *pos++ = RSN_SELECTOR_LEN + 1 + ETH_ALEN +
4583 rsne_len + rsnxe_len;
4584
4585 RSN_SELECTOR_PUT(pos, RSN_KEY_DATA_MLO_LINK);
4586 pos += RSN_SELECTOR_LEN;
4587
4588 /* Add the Link Information */
4589 *pos = link_id;
4590 if (rsne_len)
4591 *pos |= RSN_MLO_LINK_KDE_LI_RSNE_INFO;
4592 if (rsnxe_len)
4593 *pos |= RSN_MLO_LINK_KDE_LI_RSNXE_INFO;
4594
4595 pos++;
4596 os_memcpy(pos, wpa_auth->addr, ETH_ALEN);
4597 pos += ETH_ALEN;
4598
4599 if (rsne_len) {
4600 os_memcpy(pos, rsne, rsne_len);
4601 pos += rsne_len;
4602 }
4603
4604 if (rsnxe_len) {
4605 os_memcpy(pos, rsnxe, rsnxe_len);
4606 pos += rsnxe_len;
4607 }
4608
4609 if (!rsn_is_snonce_cookie(sm->SNonce))
4610 continue;
4611
4612 rsnoe = get_vendor_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4613 RSNE_OVERRIDE_IE_VENDOR_TYPE);
4614 rsnoe_len = rsnoe ? 2 + rsnoe[1] : 0;
4615
4616 rsno2e = get_vendor_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4617 RSNE_OVERRIDE_2_IE_VENDOR_TYPE);
4618 rsno2e_len = rsno2e ? 2 + rsno2e[1] : 0;
4619
4620 rsnxoe = get_vendor_ie(wpa_auth->wpa_ie, wpa_auth->wpa_ie_len,
4621 RSNXE_OVERRIDE_IE_VENDOR_TYPE);
4622 rsnxoe_len = rsnxoe ? 2 + rsnxoe[1] : 0;
4623
4624 wpa_printf(MSG_DEBUG,
4625 "RSN: RSN Override Link KDE: link=%u, len=%zu",
4626 link_id, RSN_SELECTOR_LEN + rsnoe_len + rsno2e_len +
4627 rsnxoe_len);
4628
4629 /* RSN Override Link KDE */
4630 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
4631 kde_len = RSN_SELECTOR_LEN + 1 + rsnoe_len + rsno2e_len +
4632 rsnxoe_len;
4633 if (kde_len > 255) {
4634 wpa_printf(MSG_ERROR,
4635 "RSN: RSNOE/RSNO2E/RSNXOE too long (KDE length %zu) to fit in RSN Override Link KDE for link %u",
4636 kde_len, link_id);
4637 return NULL;
4638 }
4639 *pos++ = kde_len;
4640
4641 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_RSN_OVERRIDE_LINK);
4642 pos += RSN_SELECTOR_LEN;
4643
4644 *pos++ = link_id;
4645
4646 if (rsnoe_len) {
4647 os_memcpy(pos, rsnoe, rsnoe_len);
4648 pos += rsnoe_len;
4649 }
4650
4651 if (rsno2e_len) {
4652 os_memcpy(pos, rsno2e, rsno2e_len);
4653 pos += rsno2e_len;
4654 }
4655
4656 if (rsnxoe_len) {
4657 os_memcpy(pos, rsnxoe, rsnxoe_len);
4658 pos += rsnxoe_len;
4659 }
4660 }
4661
4662 wpa_printf(MSG_DEBUG,
4663 "RSN: MLO Link KDEs and RSN Override Link KDEs len = %ld",
4664 pos - start);
4665 pos = wpa_auth_ml_group_kdes(sm, pos);
4666 #endif /* CONFIG_IEEE80211BE */
4667
4668 return pos;
4669 }
4670
4671
4672 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
4673 {
4674 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde = NULL, *pos, stub_gtk[32];
4675 size_t gtk_len, kde_len = 0, wpa_ie_len;
4676 struct wpa_group *gsm = sm->group;
4677 u8 *wpa_ie;
4678 int secure, gtkidx, encr = 0;
4679 u8 *wpa_ie_buf = NULL, *wpa_ie_buf2 = NULL, *wpa_ie_buf3 = NULL;
4680 u8 hdr[2];
4681 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
4682 #ifdef CONFIG_IEEE80211BE
4683 bool is_mld = sm->mld_assoc_link_id >= 0;
4684 #else /* CONFIG_IEEE80211BE */
4685 bool is_mld = false;
4686 #endif /* CONFIG_IEEE80211BE */
4687
4688 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
4689 sm->TimeoutEvt = false;
4690
4691 sm->TimeoutCtr++;
4692 if (conf->wpa_disable_eapol_key_retries && sm->TimeoutCtr > 1) {
4693 /* Do not allow retransmission of EAPOL-Key msg 3/4 */
4694 return;
4695 }
4696 if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) {
4697 /* No point in sending the EAPOL-Key - we will disconnect
4698 * immediately following this. */
4699 return;
4700 }
4701
4702 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
4703 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2])
4704 */
4705 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4706 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
4707 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
4708 wpa_ie = sm->wpa_auth->wpa_ie;
4709 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
4710 if (sm->wpa == WPA_VERSION_WPA && (conf->wpa & WPA_PROTO_RSN) &&
4711 wpa_ie_len > wpa_ie[1] + 2U && wpa_ie[0] == WLAN_EID_RSN) {
4712 /* WPA-only STA, remove RSN IE and possible MDIE */
4713 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4714 if (wpa_ie[0] == WLAN_EID_RSNX)
4715 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4716 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
4717 wpa_ie = wpa_ie + wpa_ie[1] + 2;
4718 wpa_ie_len = wpa_ie[1] + 2;
4719 }
4720 if ((conf->rsn_override_key_mgmt || conf->rsn_override_key_mgmt_2) &&
4721 !rsn_is_snonce_cookie(sm->SNonce)) {
4722 u8 *ie;
4723 size_t ie_len;
4724 u32 ids[] = {
4725 RSNE_OVERRIDE_IE_VENDOR_TYPE,
4726 RSNE_OVERRIDE_2_IE_VENDOR_TYPE,
4727 RSNXE_OVERRIDE_IE_VENDOR_TYPE,
4728 0
4729 };
4730 int i;
4731
4732 wpa_printf(MSG_DEBUG,
4733 "RSN: Remove RSNE/RSNXE override elements");
4734 wpa_hexdump(MSG_DEBUG, "EAPOL-Key msg 3/4 IEs before edits",
4735 wpa_ie, wpa_ie_len);
4736 wpa_ie_buf3 = os_memdup(wpa_ie, wpa_ie_len);
4737 if (!wpa_ie_buf3)
4738 goto done;
4739 wpa_ie = wpa_ie_buf3;
4740
4741 for (i = 0; ids[i]; i++) {
4742 ie = (u8 *) get_vendor_ie(wpa_ie, wpa_ie_len, ids[i]);
4743 if (ie) {
4744 ie_len = 2 + ie[1];
4745 os_memmove(ie, ie + ie_len,
4746 wpa_ie_len - (ie + ie_len - wpa_ie));
4747 wpa_ie_len -= ie_len;
4748 }
4749 }
4750 wpa_hexdump(MSG_DEBUG, "EAPOL-Key msg 3/4 IEs after edits",
4751 wpa_ie, wpa_ie_len);
4752 }
4753 #ifdef CONFIG_TESTING_OPTIONS
4754 if (conf->rsne_override_eapol_set) {
4755 wpa_ie_buf2 = replace_ie(
4756 "RSNE", wpa_ie, &wpa_ie_len, WLAN_EID_RSN,
4757 conf->rsne_override_eapol,
4758 conf->rsne_override_eapol_len);
4759 if (!wpa_ie_buf2)
4760 goto done;
4761 wpa_ie = wpa_ie_buf2;
4762 }
4763 if (conf->rsnxe_override_eapol_set) {
4764 wpa_ie_buf = replace_ie(
4765 "RSNXE", wpa_ie, &wpa_ie_len, WLAN_EID_RSNX,
4766 conf->rsnxe_override_eapol,
4767 conf->rsnxe_override_eapol_len);
4768 if (!wpa_ie_buf)
4769 goto done;
4770 wpa_ie = wpa_ie_buf;
4771 }
4772 #endif /* CONFIG_TESTING_OPTIONS */
4773 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
4774 "sending 3/4 msg of 4-Way Handshake");
4775 if (sm->wpa == WPA_VERSION_WPA2) {
4776 if (sm->use_ext_key_id && sm->TimeoutCtr == 1 &&
4777 wpa_auth_set_key(sm->wpa_auth, 0,
4778 wpa_cipher_to_alg(sm->pairwise),
4779 sm->addr,
4780 sm->keyidx_active, sm->PTK.tk,
4781 wpa_cipher_key_len(sm->pairwise),
4782 KEY_FLAG_PAIRWISE_RX)) {
4783 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
4784 WLAN_REASON_PREV_AUTH_NOT_VALID);
4785 return;
4786 }
4787
4788 #ifdef CONFIG_PASN
4789 if (sm->wpa_auth->conf.secure_ltf &&
4790 ieee802_11_rsnx_capab(sm->rsnxe,
4791 WLAN_RSNX_CAPAB_SECURE_LTF) &&
4792 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
4793 sm->PTK.ltf_keyseed,
4794 sm->PTK.ltf_keyseed_len)) {
4795 wpa_printf(MSG_ERROR,
4796 "WPA: Failed to set LTF keyseed to driver");
4797 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
4798 WLAN_REASON_PREV_AUTH_NOT_VALID);
4799 return;
4800 }
4801 #endif /* CONFIG_PASN */
4802
4803 /* WPA2 send GTK in the 4-way handshake */
4804 secure = 1;
4805 gtk = gsm->GTK[gsm->GN - 1];
4806 gtk_len = gsm->GTK_len;
4807 if (conf->disable_gtk ||
4808 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
4809 /*
4810 * Provide unique random GTK to each STA to prevent use
4811 * of GTK in the BSS.
4812 */
4813 if (random_get_bytes(stub_gtk, gtk_len) < 0)
4814 goto done;
4815 gtk = stub_gtk;
4816 }
4817 gtkidx = gsm->GN;
4818 _rsc = rsc;
4819 encr = 1;
4820 } else {
4821 /* WPA does not include GTK in msg 3/4 */
4822 secure = 0;
4823 gtk = NULL;
4824 gtk_len = 0;
4825 gtkidx = 0;
4826 _rsc = NULL;
4827 if (sm->rx_eapol_key_secure) {
4828 /*
4829 * It looks like Windows 7 supplicant tries to use
4830 * Secure bit in msg 2/4 after having reported Michael
4831 * MIC failure and it then rejects the 4-way handshake
4832 * if msg 3/4 does not set Secure bit. Work around this
4833 * by setting the Secure bit here even in the case of
4834 * WPA if the supplicant used it first.
4835 */
4836 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
4837 LOGGER_DEBUG,
4838 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround");
4839 secure = 1;
4840 }
4841 }
4842
4843 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
4844
4845 if (sm->use_ext_key_id)
4846 kde_len += 2 + RSN_SELECTOR_LEN + 2;
4847
4848 if (gtk)
4849 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4850 #ifdef CONFIG_IEEE80211R_AP
4851 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4852 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
4853 kde_len += 300; /* FTIE + 2 * TIE */
4854 }
4855 #endif /* CONFIG_IEEE80211R_AP */
4856 #ifdef CONFIG_P2P
4857 if (WPA_GET_BE32(sm->ip_addr) > 0)
4858 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
4859 #endif /* CONFIG_P2P */
4860
4861 if (conf->transition_disable)
4862 kde_len += 2 + RSN_SELECTOR_LEN + 1;
4863
4864 #ifdef CONFIG_DPP2
4865 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
4866 kde_len += 2 + RSN_SELECTOR_LEN + 2;
4867 #endif /* CONFIG_DPP2 */
4868
4869 kde_len += wpa_auth_ml_kdes_len(sm);
4870
4871 if (sm->ssid_protection)
4872 kde_len += 2 + conf->ssid_len;
4873
4874 #ifdef CONFIG_TESTING_OPTIONS
4875 if (conf->eapol_m3_elements)
4876 kde_len += wpabuf_len(conf->eapol_m3_elements);
4877 #endif /* CONFIG_TESTING_OPTIONS */
4878
4879 kde = os_malloc(kde_len);
4880 if (!kde)
4881 goto done;
4882
4883 pos = kde;
4884 if (!is_mld) {
4885 os_memcpy(pos, wpa_ie, wpa_ie_len);
4886 pos += wpa_ie_len;
4887 }
4888 #ifdef CONFIG_IEEE80211R_AP
4889 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4890 int res;
4891 size_t elen;
4892
4893 elen = pos - kde;
4894 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name, true);
4895 if (res < 0) {
4896 wpa_printf(MSG_ERROR,
4897 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data");
4898 goto done;
4899 }
4900 pos -= wpa_ie_len;
4901 pos += elen;
4902 }
4903 #endif /* CONFIG_IEEE80211R_AP */
4904 hdr[1] = 0;
4905
4906 if (sm->use_ext_key_id) {
4907 hdr[0] = sm->keyidx_active & 0x01;
4908 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
4909 }
4910
4911 if (gtk && !is_mld) {
4912 hdr[0] = gtkidx & 0x03;
4913 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
4914 gtk, gtk_len);
4915 }
4916 pos = ieee80211w_kde_add(sm, pos);
4917 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0)
4918 goto done;
4919
4920 #ifdef CONFIG_IEEE80211R_AP
4921 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4922 int res;
4923
4924 if (sm->assoc_resp_ftie &&
4925 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
4926 os_memcpy(pos, sm->assoc_resp_ftie,
4927 2 + sm->assoc_resp_ftie[1]);
4928 res = 2 + sm->assoc_resp_ftie[1];
4929 } else {
4930 res = wpa_write_ftie(conf, sm->wpa_key_mgmt,
4931 sm->xxkey_len,
4932 conf->r0_key_holder,
4933 conf->r0_key_holder_len,
4934 NULL, NULL, pos,
4935 kde + kde_len - pos,
4936 NULL, 0, 0);
4937 }
4938 if (res < 0) {
4939 wpa_printf(MSG_ERROR,
4940 "FT: Failed to insert FTIE into EAPOL-Key Key Data");
4941 goto done;
4942 }
4943 pos += res;
4944
4945 /* TIE[ReassociationDeadline] (TU) */
4946 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
4947 *pos++ = 5;
4948 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
4949 WPA_PUT_LE32(pos, conf->reassociation_deadline);
4950 pos += 4;
4951
4952 /* TIE[KeyLifetime] (seconds) */
4953 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
4954 *pos++ = 5;
4955 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
4956 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
4957 pos += 4;
4958 }
4959 #endif /* CONFIG_IEEE80211R_AP */
4960 #ifdef CONFIG_P2P
4961 if (WPA_GET_BE32(sm->ip_addr) > 0) {
4962 u8 addr[3 * 4];
4963 os_memcpy(addr, sm->ip_addr, 4);
4964 os_memcpy(addr + 4, conf->ip_addr_mask, 4);
4965 os_memcpy(addr + 8, conf->ip_addr_go, 4);
4966 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
4967 addr, sizeof(addr), NULL, 0);
4968 }
4969 #endif /* CONFIG_P2P */
4970
4971 if (conf->transition_disable)
4972 pos = wpa_add_kde(pos, WFA_KEY_DATA_TRANSITION_DISABLE,
4973 &conf->transition_disable, 1, NULL, 0);
4974
4975 #ifdef CONFIG_DPP2
4976 if (DPP_VERSION > 1 && sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
4977 u8 payload[2];
4978
4979 payload[0] = DPP_VERSION; /* Protocol Version */
4980 payload[1] = 0; /* Flags */
4981 if (conf->dpp_pfs == 0)
4982 payload[1] |= DPP_KDE_PFS_ALLOWED;
4983 else if (conf->dpp_pfs == 1)
4984 payload[1] |= DPP_KDE_PFS_ALLOWED |
4985 DPP_KDE_PFS_REQUIRED;
4986 pos = wpa_add_kde(pos, WFA_KEY_DATA_DPP,
4987 payload, sizeof(payload), NULL, 0);
4988 }
4989 #endif /* CONFIG_DPP2 */
4990
4991 pos = wpa_auth_ml_kdes(sm, pos);
4992 if (!pos) {
4993 wpa_printf(MSG_ERROR, "RSN: Failed to add MLO KDEs");
4994 goto done;
4995 }
4996
4997 if (sm->ssid_protection) {
4998 *pos++ = WLAN_EID_SSID;
4999 *pos++ = conf->ssid_len;
5000 os_memcpy(pos, conf->ssid, conf->ssid_len);
5001 pos += conf->ssid_len;
5002 }
5003
5004 #ifdef CONFIG_TESTING_OPTIONS
5005 if (conf->eapol_m3_elements) {
5006 os_memcpy(pos, wpabuf_head(conf->eapol_m3_elements),
5007 wpabuf_len(conf->eapol_m3_elements));
5008 pos += wpabuf_len(conf->eapol_m3_elements);
5009 }
5010
5011 if (conf->eapol_m3_no_encrypt)
5012 encr = 0;
5013 #endif /* CONFIG_TESTING_OPTIONS */
5014
5015 wpa_send_eapol(sm->wpa_auth, sm,
5016 (secure ? WPA_KEY_INFO_SECURE : 0) |
5017 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5018 WPA_KEY_INFO_MIC : 0) |
5019 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
5020 WPA_KEY_INFO_KEY_TYPE,
5021 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
5022 done:
5023 bin_clear_free(kde, kde_len);
5024 os_free(wpa_ie_buf);
5025 os_free(wpa_ie_buf2);
5026 os_free(wpa_ie_buf3);
5027 }
5028
5029
5030 static int wpa_auth_validate_ml_kdes_m4(struct wpa_state_machine *sm)
5031 {
5032 #ifdef CONFIG_IEEE80211BE
5033 const struct ieee802_1x_hdr *hdr;
5034 const struct wpa_eapol_key *key;
5035 struct wpa_eapol_ie_parse kde;
5036 const u8 *key_data, *mic;
5037 u16 key_data_length;
5038 size_t mic_len;
5039
5040 if (sm->mld_assoc_link_id < 0)
5041 return 0;
5042
5043 /*
5044 * Note: last_rx_eapol_key length fields have already been validated in
5045 * wpa_receive().
5046 */
5047 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
5048
5049 hdr = (const struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
5050 key = (const struct wpa_eapol_key *) (hdr + 1);
5051 mic = (const u8 *) (key + 1);
5052 key_data = mic + mic_len + 2;
5053 key_data_length = WPA_GET_BE16(mic + mic_len);
5054 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
5055 sizeof(*key) - mic_len - 2)
5056 return -1;
5057
5058 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
5059 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm),
5060 LOGGER_INFO,
5061 "received EAPOL-Key msg 4/4 with invalid Key Data contents");
5062 return -1;
5063 }
5064
5065 /* MLD MAC address must be the same */
5066 if (!kde.mac_addr ||
5067 !ether_addr_equal(kde.mac_addr, sm->peer_mld_addr)) {
5068 wpa_printf(MSG_DEBUG,
5069 "MLD: Mismatching or missing MLD address in EAPOL-Key msg 4/4");
5070 return -1;
5071 }
5072
5073 wpa_printf(MSG_DEBUG, "MLD: MLD address in EAPOL-Key msg 4/4: " MACSTR,
5074 MAC2STR(kde.mac_addr));
5075 #endif /* CONFIG_IEEE80211BE */
5076
5077 return 0;
5078 }
5079
5080
5081 SM_STATE(WPA_PTK, PTKINITDONE)
5082 {
5083 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
5084 sm->EAPOLKeyReceived = false;
5085
5086 if (wpa_auth_validate_ml_kdes_m4(sm) < 0) {
5087 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
5088 WLAN_REASON_PREV_AUTH_NOT_VALID);
5089 return;
5090 }
5091
5092 if (sm->Pair) {
5093 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
5094 int klen = wpa_cipher_key_len(sm->pairwise);
5095 int res;
5096
5097 if (sm->use_ext_key_id)
5098 res = wpa_auth_set_key(sm->wpa_auth, 0, 0, sm->addr,
5099 sm->keyidx_active, NULL, 0,
5100 KEY_FLAG_PAIRWISE_RX_TX_MODIFY);
5101 else
5102 res = wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr,
5103 0, sm->PTK.tk, klen,
5104 KEY_FLAG_PAIRWISE_RX_TX);
5105 if (res) {
5106 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
5107 WLAN_REASON_PREV_AUTH_NOT_VALID);
5108 return;
5109 }
5110
5111 #ifdef CONFIG_PASN
5112 if (sm->wpa_auth->conf.secure_ltf &&
5113 ieee802_11_rsnx_capab(sm->rsnxe,
5114 WLAN_RSNX_CAPAB_SECURE_LTF) &&
5115 wpa_auth_set_ltf_keyseed(sm->wpa_auth, sm->addr,
5116 sm->PTK.ltf_keyseed,
5117 sm->PTK.ltf_keyseed_len)) {
5118 wpa_printf(MSG_ERROR,
5119 "WPA: Failed to set LTF keyseed to driver");
5120 wpa_sta_disconnect(sm->wpa_auth, sm->addr,
5121 WLAN_REASON_PREV_AUTH_NOT_VALID);
5122 return;
5123 }
5124 #endif /* CONFIG_PASN */
5125
5126 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
5127 sm->pairwise_set = true;
5128
5129 wpa_auth_set_ptk_rekey_timer(sm);
5130 wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, sm->pairwise,
5131 dot11RSNAConfigPMKLifetime, &sm->PTK);
5132
5133 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
5134 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
5135 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
5136 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
5137 WPA_EAPOL_authorized, 1);
5138 }
5139 }
5140
5141 if (0 /* IBSS == TRUE */) {
5142 sm->keycount++;
5143 if (sm->keycount == 2) {
5144 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
5145 WPA_EAPOL_portValid, 1);
5146 }
5147 } else {
5148 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
5149 1);
5150 }
5151 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable,
5152 false);
5153 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, true);
5154 if (sm->wpa == WPA_VERSION_WPA)
5155 sm->PInitAKeys = true;
5156 else
5157 sm->has_GTK = true;
5158 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5159 "pairwise key handshake completed (%s)",
5160 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
5161 wpa_msg(sm->wpa_auth->conf.msg_ctx, MSG_INFO, "EAPOL-4WAY-HS-COMPLETED "
5162 MACSTR, MAC2STR(sm->addr));
5163
5164 #ifdef CONFIG_IEEE80211R_AP
5165 wpa_ft_push_pmk_r1(sm->wpa_auth, wpa_auth_get_spa(sm));
5166 #endif /* CONFIG_IEEE80211R_AP */
5167
5168 sm->ptkstart_without_success = 0;
5169 }
5170
5171
5172 SM_STEP(WPA_PTK)
5173 {
5174 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
5175 struct wpa_auth_config *conf = &wpa_auth->conf;
5176
5177 if (sm->Init)
5178 SM_ENTER(WPA_PTK, INITIALIZE);
5179 else if (sm->Disconnect
5180 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
5181 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
5182 "WPA_PTK: sm->Disconnect");
5183 SM_ENTER(WPA_PTK, DISCONNECT);
5184 }
5185 else if (sm->DeauthenticationRequest)
5186 SM_ENTER(WPA_PTK, DISCONNECTED);
5187 else if (sm->AuthenticationRequest)
5188 SM_ENTER(WPA_PTK, AUTHENTICATION);
5189 else if (sm->ReAuthenticationRequest)
5190 SM_ENTER(WPA_PTK, AUTHENTICATION2);
5191 else if (sm->PTKRequest) {
5192 if (wpa_auth_sm_ptk_update(sm) < 0)
5193 SM_ENTER(WPA_PTK, DISCONNECTED);
5194 else
5195 SM_ENTER(WPA_PTK, PTKSTART);
5196 } else switch (sm->wpa_ptk_state) {
5197 case WPA_PTK_INITIALIZE:
5198 break;
5199 case WPA_PTK_DISCONNECT:
5200 SM_ENTER(WPA_PTK, DISCONNECTED);
5201 break;
5202 case WPA_PTK_DISCONNECTED:
5203 SM_ENTER(WPA_PTK, INITIALIZE);
5204 break;
5205 case WPA_PTK_AUTHENTICATION:
5206 SM_ENTER(WPA_PTK, AUTHENTICATION2);
5207 break;
5208 case WPA_PTK_AUTHENTICATION2:
5209 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
5210 wpa_auth_get_eapol(wpa_auth, sm->addr,
5211 WPA_EAPOL_keyRun))
5212 SM_ENTER(WPA_PTK, INITPMK);
5213 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
5214 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
5215 /* FIX: && 802.1X::keyRun */)
5216 SM_ENTER(WPA_PTK, INITPSK);
5217 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
5218 SM_ENTER(WPA_PTK, INITPMK);
5219 break;
5220 case WPA_PTK_INITPMK:
5221 if (wpa_auth_get_eapol(wpa_auth, sm->addr,
5222 WPA_EAPOL_keyAvailable)) {
5223 SM_ENTER(WPA_PTK, PTKSTART);
5224 #ifdef CONFIG_DPP
5225 } else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
5226 SM_ENTER(WPA_PTK, PTKSTART);
5227 #endif /* CONFIG_DPP */
5228 } else {
5229 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5230 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5231 LOGGER_INFO,
5232 "INITPMK - keyAvailable = false");
5233 SM_ENTER(WPA_PTK, DISCONNECT);
5234 }
5235 break;
5236 case WPA_PTK_INITPSK:
5237 if (wpa_auth_get_psk(wpa_auth, sm->addr, sm->p2p_dev_addr,
5238 NULL, NULL, NULL)) {
5239 SM_ENTER(WPA_PTK, PTKSTART);
5240 #ifdef CONFIG_SAE
5241 } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
5242 SM_ENTER(WPA_PTK, PTKSTART);
5243 #endif /* CONFIG_SAE */
5244 } else if (wpa_key_mgmt_wpa_psk_no_sae(sm->wpa_key_mgmt) &&
5245 wpa_auth->conf.radius_psk) {
5246 wpa_printf(MSG_DEBUG,
5247 "INITPSK: No PSK yet available for STA - use RADIUS later");
5248 SM_ENTER(WPA_PTK, PTKSTART);
5249 } else {
5250 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5251 LOGGER_INFO,
5252 "no PSK configured for the STA");
5253 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5254 SM_ENTER(WPA_PTK, DISCONNECT);
5255 }
5256 break;
5257 case WPA_PTK_PTKSTART:
5258 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5259 sm->EAPOLKeyPairwise)
5260 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
5261 else if (sm->TimeoutCtr > conf->wpa_pairwise_update_count) {
5262 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5263 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
5264 LOGGER_DEBUG,
5265 "PTKSTART: Retry limit %u reached",
5266 conf->wpa_pairwise_update_count);
5267 sm->disconnect_reason =
5268 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
5269 SM_ENTER(WPA_PTK, DISCONNECT);
5270 } else if (sm->TimeoutEvt)
5271 SM_ENTER(WPA_PTK, PTKSTART);
5272 break;
5273 case WPA_PTK_PTKCALCNEGOTIATING:
5274 if (sm->MICVerified)
5275 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
5276 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5277 sm->EAPOLKeyPairwise)
5278 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
5279 else if (sm->TimeoutEvt)
5280 SM_ENTER(WPA_PTK, PTKSTART);
5281 break;
5282 case WPA_PTK_PTKCALCNEGOTIATING2:
5283 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
5284 break;
5285 case WPA_PTK_PTKINITNEGOTIATING:
5286 if (sm->update_snonce)
5287 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
5288 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5289 sm->EAPOLKeyPairwise && sm->MICVerified)
5290 SM_ENTER(WPA_PTK, PTKINITDONE);
5291 else if (sm->TimeoutCtr >
5292 conf->wpa_pairwise_update_count ||
5293 (conf->wpa_disable_eapol_key_retries &&
5294 sm->TimeoutCtr > 1)) {
5295 wpa_auth->dot11RSNA4WayHandshakeFailures++;
5296 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
5297 LOGGER_DEBUG,
5298 "PTKINITNEGOTIATING: Retry limit %u reached",
5299 conf->wpa_pairwise_update_count);
5300 sm->disconnect_reason =
5301 WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
5302 SM_ENTER(WPA_PTK, DISCONNECT);
5303 } else if (sm->TimeoutEvt)
5304 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
5305 break;
5306 case WPA_PTK_PTKINITDONE:
5307 break;
5308 }
5309 }
5310
5311
5312 SM_STATE(WPA_PTK_GROUP, IDLE)
5313 {
5314 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
5315 if (sm->Init) {
5316 /* Init flag is not cleared here, so avoid busy
5317 * loop by claiming nothing changed. */
5318 sm->changed = false;
5319 }
5320 sm->GTimeoutCtr = 0;
5321 }
5322
5323
5324 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
5325 {
5326 u8 rsc[WPA_KEY_RSC_LEN];
5327 struct wpa_group *gsm = sm->group;
5328 const u8 *kde = NULL;
5329 u8 *kde_buf = NULL, *pos, hdr[2];
5330 size_t kde_len = 0;
5331 u8 *gtk, stub_gtk[32];
5332 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5333 bool is_mld = false;
5334
5335 #ifdef CONFIG_IEEE80211BE
5336 is_mld = sm->mld_assoc_link_id >= 0;
5337 #endif /* CONFIG_IEEE80211BE */
5338
5339 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
5340
5341 sm->GTimeoutCtr++;
5342 if (conf->wpa_disable_eapol_key_retries && sm->GTimeoutCtr > 1) {
5343 /* Do not allow retransmission of EAPOL-Key group msg 1/2 */
5344 return;
5345 }
5346 if (sm->GTimeoutCtr > conf->wpa_group_update_count) {
5347 /* No point in sending the EAPOL-Key - we will disconnect
5348 * immediately following this. */
5349 return;
5350 }
5351
5352 if (sm->wpa == WPA_VERSION_WPA)
5353 sm->PInitAKeys = false;
5354 sm->TimeoutEvt = false;
5355 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
5356 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
5357 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
5358 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
5359 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
5360 "sending 1/2 msg of Group Key Handshake");
5361
5362 gtk = gsm->GTK[gsm->GN - 1];
5363 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5364 /*
5365 * Provide unique random GTK to each STA to prevent use
5366 * of GTK in the BSS.
5367 */
5368 if (random_get_bytes(stub_gtk, gsm->GTK_len) < 0)
5369 return;
5370 gtk = stub_gtk;
5371 }
5372
5373 if (sm->wpa == WPA_VERSION_WPA2 && !is_mld) {
5374 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
5375 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
5376 kde_buf = os_malloc(kde_len);
5377 if (!kde_buf)
5378 return;
5379
5380 kde = pos = kde_buf;
5381 hdr[0] = gsm->GN & 0x03;
5382 hdr[1] = 0;
5383 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
5384 gtk, gsm->GTK_len);
5385 pos = ieee80211w_kde_add(sm, pos);
5386 if (ocv_oci_add(sm, &pos,
5387 conf->oci_freq_override_eapol_g1) < 0) {
5388 os_free(kde_buf);
5389 return;
5390 }
5391 kde_len = pos - kde;
5392 #ifdef CONFIG_IEEE80211BE
5393 } else if (sm->wpa == WPA_VERSION_WPA2 && is_mld) {
5394 kde_len = wpa_auth_ml_group_kdes_len(sm);
5395 if (kde_len) {
5396 kde_buf = os_malloc(kde_len);
5397 if (!kde_buf)
5398 return;
5399
5400 kde = pos = kde_buf;
5401 pos = wpa_auth_ml_group_kdes(sm, pos);
5402 kde_len = pos - kde_buf;
5403 }
5404 #endif /* CONFIG_IEEE80211BE */
5405 } else {
5406 kde = gtk;
5407 kde_len = gsm->GTK_len;
5408 }
5409
5410 wpa_send_eapol(sm->wpa_auth, sm,
5411 WPA_KEY_INFO_SECURE |
5412 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
5413 WPA_KEY_INFO_MIC : 0) |
5414 WPA_KEY_INFO_ACK |
5415 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
5416 rsc, NULL, kde, kde_len, gsm->GN, 1);
5417
5418 bin_clear_free(kde_buf, kde_len);
5419 }
5420
5421
5422 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
5423 {
5424 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
5425 #ifdef CONFIG_OCV
5426 const u8 *key_data, *mic;
5427 struct ieee802_1x_hdr *hdr;
5428 struct wpa_eapol_key *key;
5429 struct wpa_eapol_ie_parse kde;
5430 size_t mic_len;
5431 u16 key_data_length;
5432 #endif /* CONFIG_OCV */
5433
5434 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
5435 sm->EAPOLKeyReceived = false;
5436
5437 #ifdef CONFIG_OCV
5438 mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
5439
5440 /*
5441 * Note: last_rx_eapol_key length fields have already been validated in
5442 * wpa_receive().
5443 */
5444 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
5445 key = (struct wpa_eapol_key *) (hdr + 1);
5446 mic = (u8 *) (key + 1);
5447 key_data = mic + mic_len + 2;
5448 key_data_length = WPA_GET_BE16(mic + mic_len);
5449 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
5450 sizeof(*key) - mic_len - 2)
5451 return;
5452
5453 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
5454 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5455 "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
5456 return;
5457 }
5458
5459 if (wpa_auth_uses_ocv(sm)) {
5460 struct wpa_channel_info ci;
5461 int tx_chanwidth;
5462 int tx_seg1_idx;
5463
5464 if (wpa_channel_info(wpa_auth, &ci) != 0) {
5465 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5466 LOGGER_INFO,
5467 "Failed to get channel info to validate received OCI in EAPOL-Key group 2/2");
5468 return;
5469 }
5470
5471 if (get_sta_tx_parameters(sm,
5472 channel_width_to_int(ci.chanwidth),
5473 ci.seg1_idx, &tx_chanwidth,
5474 &tx_seg1_idx) < 0)
5475 return;
5476
5477 if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
5478 tx_chanwidth, tx_seg1_idx) !=
5479 OCI_SUCCESS) {
5480 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm),
5481 LOGGER_INFO,
5482 "OCV failed: %s", ocv_errorstr);
5483 if (wpa_auth->conf.msg_ctx)
5484 wpa_msg(wpa_auth->conf.msg_ctx, MSG_INFO,
5485 OCV_FAILURE "addr=" MACSTR
5486 " frame=eapol-key-g2 error=%s",
5487 MAC2STR(wpa_auth_get_spa(sm)),
5488 ocv_errorstr);
5489 return;
5490 }
5491 }
5492 #endif /* CONFIG_OCV */
5493
5494 if (sm->GUpdateStationKeys)
5495 wpa_gkeydone_sta(sm);
5496 sm->GTimeoutCtr = 0;
5497 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
5498 wpa_auth_vlogger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5499 "group key handshake completed (%s)",
5500 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
5501 sm->has_GTK = true;
5502 }
5503
5504
5505 SM_STATE(WPA_PTK_GROUP, KEYERROR)
5506 {
5507 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
5508 if (sm->GUpdateStationKeys)
5509 wpa_gkeydone_sta(sm);
5510 if (sm->wpa_auth->conf.no_disconnect_on_group_keyerror &&
5511 sm->wpa == WPA_VERSION_WPA2) {
5512 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm),
5513 LOGGER_DEBUG,
5514 "group key handshake failed after %u tries - allow STA to remain connected",
5515 sm->wpa_auth->conf.wpa_group_update_count);
5516 return;
5517 }
5518 sm->Disconnect = true;
5519 sm->disconnect_reason = WLAN_REASON_GROUP_KEY_UPDATE_TIMEOUT;
5520 wpa_auth_vlogger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_INFO,
5521 "group key handshake failed (%s) after %u tries",
5522 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
5523 sm->wpa_auth->conf.wpa_group_update_count);
5524 }
5525
5526
5527 SM_STEP(WPA_PTK_GROUP)
5528 {
5529 if (sm->Init || sm->PtkGroupInit) {
5530 SM_ENTER(WPA_PTK_GROUP, IDLE);
5531 sm->PtkGroupInit = false;
5532 } else switch (sm->wpa_ptk_group_state) {
5533 case WPA_PTK_GROUP_IDLE:
5534 if (sm->GUpdateStationKeys ||
5535 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
5536 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
5537 break;
5538 case WPA_PTK_GROUP_REKEYNEGOTIATING:
5539 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
5540 !sm->EAPOLKeyPairwise && sm->MICVerified)
5541 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
5542 else if (sm->GTimeoutCtr >
5543 sm->wpa_auth->conf.wpa_group_update_count ||
5544 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
5545 sm->GTimeoutCtr > 1))
5546 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
5547 else if (sm->TimeoutEvt)
5548 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
5549 break;
5550 case WPA_PTK_GROUP_KEYERROR:
5551 SM_ENTER(WPA_PTK_GROUP, IDLE);
5552 break;
5553 case WPA_PTK_GROUP_REKEYESTABLISHED:
5554 SM_ENTER(WPA_PTK_GROUP, IDLE);
5555 break;
5556 }
5557 }
5558
5559
5560 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
5561 struct wpa_group *group)
5562 {
5563 struct wpa_auth_config *conf = &wpa_auth->conf;
5564 int ret = 0;
5565 size_t len;
5566
5567 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
5568 inc_byte_array(group->Counter, WPA_NONCE_LEN);
5569 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
5570 wpa_auth->addr, group->GNonce,
5571 group->GTK[group->GN - 1], group->GTK_len) < 0)
5572 ret = -1;
5573 wpa_hexdump_key(MSG_DEBUG, "GTK",
5574 group->GTK[group->GN - 1], group->GTK_len);
5575
5576 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
5577 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
5578 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
5579 inc_byte_array(group->Counter, WPA_NONCE_LEN);
5580 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
5581 wpa_auth->addr, group->GNonce,
5582 group->IGTK[group->GN_igtk - 4], len) < 0)
5583 ret = -1;
5584 wpa_hexdump_key(MSG_DEBUG, "IGTK",
5585 group->IGTK[group->GN_igtk - 4], len);
5586 }
5587
5588 if (!wpa_auth->non_tx_beacon_prot &&
5589 conf->ieee80211w == NO_MGMT_FRAME_PROTECTION)
5590 return ret;
5591 if (!conf->beacon_prot)
5592 return ret;
5593
5594 if (wpa_auth->conf.tx_bss_auth) {
5595 group = wpa_auth->conf.tx_bss_auth->group;
5596 if (group->bigtk_set)
5597 return ret;
5598 wpa_printf(MSG_DEBUG, "Set up BIGTK for TX BSS");
5599 }
5600
5601 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
5602 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
5603 inc_byte_array(group->Counter, WPA_NONCE_LEN);
5604 if (wpa_gmk_to_gtk(group->GMK, "BIGTK key expansion",
5605 wpa_auth->addr, group->GNonce,
5606 group->BIGTK[group->GN_bigtk - 6], len) < 0)
5607 return -1;
5608 group->bigtk_set = true;
5609 wpa_hexdump_key(MSG_DEBUG, "BIGTK",
5610 group->BIGTK[group->GN_bigtk - 6], len);
5611
5612 return ret;
5613 }
5614
5615
5616 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
5617 struct wpa_group *group)
5618 {
5619 wpa_printf(MSG_DEBUG,
5620 "WPA: group state machine entering state GTK_INIT (VLAN-ID %d)",
5621 group->vlan_id);
5622 group->changed = false; /* GInit is not cleared here; avoid loop */
5623 group->wpa_group_state = WPA_GROUP_GTK_INIT;
5624
5625 /* GTK[0..N] = 0 */
5626 os_memset(group->GTK, 0, sizeof(group->GTK));
5627 group->GN = 1;
5628 group->GM = 2;
5629 group->GN_igtk = 4;
5630 group->GM_igtk = 5;
5631 group->GN_bigtk = 6;
5632 group->GM_bigtk = 7;
5633 /* GTK[GN] = CalcGTK() */
5634 wpa_gtk_update(wpa_auth, group);
5635 }
5636
5637
5638 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
5639 {
5640 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
5641 struct wpa_group *group = sm->group;
5642 #ifdef CONFIG_IEEE80211BE
5643 int link_id;
5644
5645 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
5646 if (!sm->mld_links[link_id].valid)
5647 continue;
5648 if (sm->mld_links[link_id].wpa_auth &&
5649 sm->mld_links[link_id].wpa_auth->group == ctx) {
5650 group = sm->mld_links[link_id].wpa_auth->group;
5651 wpa_auth = sm->mld_links[link_id].wpa_auth;
5652 break;
5653 }
5654 }
5655 #endif /* CONFIG_IEEE80211BE */
5656
5657 if (ctx && ctx != group)
5658 return 0;
5659
5660 #ifdef CONFIG_IEEE80211BE
5661 /* For ML STA, run rekey on the association link and send G1 with keys
5662 * for all links. This is based on assumption that MLD level
5663 * Authenticator updates group keys on all affiliated links in one shot
5664 * and not independently or concurrently for separate links. */
5665 if (sm->mld_assoc_link_id >= 0 &&
5666 sm->mld_assoc_link_id != wpa_auth->link_id)
5667 return 0;
5668 #endif /* CONFIG_IEEE80211BE */
5669
5670 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
5671 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5672 LOGGER_DEBUG,
5673 "Not in PTKINITDONE; skip Group Key update");
5674 sm->GUpdateStationKeys = false;
5675 return 0;
5676 }
5677 if (sm->GUpdateStationKeys) {
5678 /*
5679 * This should not really happen, so add a debug log entry.
5680 * Since we clear the GKeyDoneStations before the loop, the
5681 * station needs to be counted here anyway.
5682 */
5683 wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm),
5684 LOGGER_DEBUG,
5685 "GUpdateStationKeys was already set when marking station for GTK rekeying");
5686 }
5687
5688 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
5689 if (sm->is_wnmsleep)
5690 return 0;
5691
5692 sm->group->GKeyDoneStations++;
5693 #ifdef CONFIG_IEEE80211BE
5694 for_each_sm_auth(sm, link_id)
5695 sm->mld_links[link_id].wpa_auth->group->GKeyDoneStations++;
5696 #endif /* CONFIG_IEEE80211BE */
5697
5698 sm->GUpdateStationKeys = true;
5699
5700 wpa_sm_step(sm);
5701 return 0;
5702 }
5703
5704
5705 #ifdef CONFIG_WNM_AP
5706 /* update GTK when exiting WNM-Sleep Mode */
5707 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
5708 {
5709 if (!sm || sm->is_wnmsleep)
5710 return;
5711
5712 wpa_group_update_sta(sm, NULL);
5713 }
5714
5715
5716 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
5717 {
5718 if (sm)
5719 sm->is_wnmsleep = !!flag;
5720 }
5721
5722
5723 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
5724 {
5725 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5726 struct wpa_group *gsm = sm->group;
5727 u8 *start = pos;
5728
5729 /*
5730 * GTK subelement:
5731 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
5732 * Key[5..32]
5733 */
5734 *pos++ = WNM_SLEEP_SUBELEM_GTK;
5735 *pos++ = 11 + gsm->GTK_len;
5736 /* Key ID in B0-B1 of Key Info */
5737 WPA_PUT_LE16(pos, gsm->GN & 0x03);
5738 pos += 2;
5739 *pos++ = gsm->GTK_len;
5740 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
5741 return 0;
5742 pos += 8;
5743 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
5744 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5745 /*
5746 * Provide unique random GTK to each STA to prevent use
5747 * of GTK in the BSS.
5748 */
5749 if (random_get_bytes(pos, gsm->GTK_len) < 0)
5750 return 0;
5751 }
5752 pos += gsm->GTK_len;
5753
5754 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
5755 gsm->GN);
5756 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
5757 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
5758
5759 return pos - start;
5760 }
5761
5762
5763 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
5764 {
5765 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
5766 struct wpa_group *gsm = sm->group;
5767 u8 *start = pos;
5768 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
5769
5770 /*
5771 * IGTK subelement:
5772 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
5773 */
5774 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
5775 *pos++ = 2 + 6 + len;
5776 WPA_PUT_LE16(pos, gsm->GN_igtk);
5777 pos += 2;
5778 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
5779 return 0;
5780 pos += 6;
5781
5782 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
5783 if (conf->disable_gtk || sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5784 /*
5785 * Provide unique random IGTK to each STA to prevent use
5786 * of IGTK in the BSS.
5787 */
5788 if (random_get_bytes(pos, len) < 0)
5789 return 0;
5790 }
5791 pos += len;
5792
5793 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
5794 gsm->GN_igtk);
5795 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
5796 gsm->IGTK[gsm->GN_igtk - 4], len);
5797
5798 return pos - start;
5799 }
5800
5801
5802 int wpa_wnmsleep_bigtk_subelem(struct wpa_state_machine *sm, u8 *pos)
5803 {
5804 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
5805 struct wpa_group *gsm = wpa_auth->group;
5806 u8 *start = pos;
5807 size_t len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5808
5809 /*
5810 * BIGTK subelement:
5811 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
5812 */
5813 *pos++ = WNM_SLEEP_SUBELEM_BIGTK;
5814 *pos++ = 2 + 6 + len;
5815 WPA_PUT_LE16(pos, gsm->GN_bigtk);
5816 pos += 2;
5817 if (wpa_auth_get_seqnum(wpa_auth, NULL, gsm->GN_bigtk, pos) != 0)
5818 return 0;
5819 pos += 6;
5820
5821 os_memcpy(pos, gsm->BIGTK[gsm->GN_bigtk - 6], len);
5822 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
5823 /*
5824 * Provide unique random BIGTK to each STA to prevent use
5825 * of BIGTK in the BSS.
5826 */
5827 if (random_get_bytes(pos, len) < 0)
5828 return 0;
5829 }
5830 pos += len;
5831
5832 wpa_printf(MSG_DEBUG, "WNM: BIGTK Key ID %u in WNM-Sleep Mode exit",
5833 gsm->GN_bigtk);
5834 wpa_hexdump_key(MSG_DEBUG, "WNM: BIGTK in WNM-Sleep Mode exit",
5835 gsm->BIGTK[gsm->GN_bigtk - 6], len);
5836
5837 return pos - start;
5838 }
5839
5840 #endif /* CONFIG_WNM_AP */
5841
5842
5843 static void wpa_group_update_gtk(struct wpa_authenticator *wpa_auth,
5844 struct wpa_group *group)
5845 {
5846 int tmp;
5847
5848 tmp = group->GM;
5849 group->GM = group->GN;
5850 group->GN = tmp;
5851 tmp = group->GM_igtk;
5852 group->GM_igtk = group->GN_igtk;
5853 group->GN_igtk = tmp;
5854 tmp = group->GM_bigtk;
5855 group->GM_bigtk = group->GN_bigtk;
5856 group->GN_bigtk = tmp;
5857 /* "GKeyDoneStations = GNoStations" is done in more robust way by
5858 * counting the STAs that are marked with GUpdateStationKeys instead of
5859 * including all STAs that could be in not-yet-completed state. */
5860 wpa_gtk_update(wpa_auth, group);
5861 }
5862
5863
5864 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
5865 struct wpa_group *group)
5866 {
5867 wpa_printf(MSG_DEBUG,
5868 "WPA: group state machine entering state SETKEYS (VLAN-ID %d)",
5869 group->vlan_id);
5870 group->changed = true;
5871 group->wpa_group_state = WPA_GROUP_SETKEYS;
5872 group->GTKReKey = false;
5873
5874 #ifdef CONFIG_IEEE80211BE
5875 if (wpa_auth->is_ml)
5876 goto skip_update;
5877 #endif /* CONFIG_IEEE80211BE */
5878
5879 wpa_group_update_gtk(wpa_auth, group);
5880
5881 if (group->GKeyDoneStations) {
5882 wpa_printf(MSG_DEBUG,
5883 "wpa_group_setkeys: Unexpected GKeyDoneStations=%d when starting new GTK rekey",
5884 group->GKeyDoneStations);
5885 group->GKeyDoneStations = 0;
5886 }
5887
5888 #ifdef CONFIG_IEEE80211BE
5889 skip_update:
5890 #endif /* CONFIG_IEEE80211BE */
5891 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
5892 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
5893 group->GKeyDoneStations);
5894 }
5895
5896
5897 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
5898 struct wpa_group *group)
5899 {
5900 struct wpa_auth_config *conf = &wpa_auth->conf;
5901 int ret = 0;
5902
5903 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
5904 wpa_cipher_to_alg(conf->wpa_group),
5905 broadcast_ether_addr, group->GN,
5906 group->GTK[group->GN - 1], group->GTK_len,
5907 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
5908 ret = -1;
5909
5910 if (conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) {
5911 enum wpa_alg alg;
5912 size_t len;
5913
5914 alg = wpa_cipher_to_alg(conf->group_mgmt_cipher);
5915 len = wpa_cipher_key_len(conf->group_mgmt_cipher);
5916
5917 if (ret == 0 &&
5918 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
5919 broadcast_ether_addr, group->GN_igtk,
5920 group->IGTK[group->GN_igtk - 4], len,
5921 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
5922 ret = -1;
5923
5924 if (ret || !conf->beacon_prot)
5925 return ret;
5926 if (wpa_auth->conf.tx_bss_auth) {
5927 wpa_auth = wpa_auth->conf.tx_bss_auth;
5928 group = wpa_auth->group;
5929 if (!group->bigtk_set || group->bigtk_configured)
5930 return ret;
5931 }
5932 if (wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
5933 broadcast_ether_addr, group->GN_bigtk,
5934 group->BIGTK[group->GN_bigtk - 6], len,
5935 KEY_FLAG_GROUP_TX_DEFAULT) < 0)
5936 ret = -1;
5937 else
5938 group->bigtk_configured = true;
5939 }
5940
5941 return ret;
5942 }
5943
5944
5945 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
5946 {
5947 if (sm->group == ctx) {
5948 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
5949 " for disconnection due to fatal failure",
5950 MAC2STR(wpa_auth_get_spa(sm)));
5951 sm->Disconnect = true;
5952 }
5953
5954 return 0;
5955 }
5956
5957
5958 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
5959 struct wpa_group *group)
5960 {
5961 wpa_printf(MSG_DEBUG,
5962 "WPA: group state machine entering state FATAL_FAILURE");
5963 group->changed = true;
5964 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
5965 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
5966 }
5967
5968
5969 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
5970 struct wpa_group *group)
5971 {
5972 wpa_printf(MSG_DEBUG,
5973 "WPA: group state machine entering state SETKEYSDONE (VLAN-ID %d)",
5974 group->vlan_id);
5975 group->changed = true;
5976 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
5977
5978 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
5979 wpa_group_fatal_failure(wpa_auth, group);
5980 return -1;
5981 }
5982
5983 return 0;
5984 }
5985
5986
5987 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
5988 struct wpa_group *group)
5989 {
5990 if (group->GInit) {
5991 wpa_group_gtk_init(wpa_auth, group);
5992 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
5993 /* Do not allow group operations */
5994 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
5995 group->GTKAuthenticator) {
5996 wpa_group_setkeysdone(wpa_auth, group);
5997 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
5998 group->GTKReKey) {
5999 wpa_group_setkeys(wpa_auth, group);
6000 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
6001 if (group->GKeyDoneStations == 0)
6002 wpa_group_setkeysdone(wpa_auth, group);
6003 else if (group->GTKReKey)
6004 wpa_group_setkeys(wpa_auth, group);
6005 }
6006 }
6007
6008
6009 static void wpa_clear_changed(struct wpa_state_machine *sm)
6010 {
6011 #ifdef CONFIG_IEEE80211BE
6012 int link_id;
6013 #endif /* CONFIG_IEEE80211BE */
6014
6015 sm->changed = false;
6016 sm->wpa_auth->group->changed = false;
6017
6018 #ifdef CONFIG_IEEE80211BE
6019 for_each_sm_auth(sm, link_id)
6020 sm->mld_links[link_id].wpa_auth->group->changed = false;
6021 #endif /* CONFIG_IEEE80211BE */
6022 }
6023
6024
6025 static void wpa_group_sm_step_links(struct wpa_state_machine *sm)
6026 {
6027 #ifdef CONFIG_IEEE80211BE
6028 int link_id;
6029 #endif /* CONFIG_IEEE80211BE */
6030
6031 if (!sm || !sm->wpa_auth)
6032 return;
6033 wpa_group_sm_step(sm->wpa_auth, sm->wpa_auth->group);
6034
6035 #ifdef CONFIG_IEEE80211BE
6036 for_each_sm_auth(sm, link_id) {
6037 wpa_group_sm_step(sm->mld_links[link_id].wpa_auth,
6038 sm->mld_links[link_id].wpa_auth->group);
6039 }
6040 #endif /* CONFIG_IEEE80211BE */
6041 }
6042
6043
6044 static bool wpa_group_sm_changed(struct wpa_state_machine *sm)
6045 {
6046 #ifdef CONFIG_IEEE80211BE
6047 int link_id;
6048 #endif /* CONFIG_IEEE80211BE */
6049 bool changed;
6050
6051 if (!sm || !sm->wpa_auth)
6052 return false;
6053 changed = sm->wpa_auth->group->changed;
6054
6055 #ifdef CONFIG_IEEE80211BE
6056 for_each_sm_auth(sm, link_id)
6057 changed |= sm->mld_links[link_id].wpa_auth->group->changed;
6058 #endif /* CONFIG_IEEE80211BE */
6059
6060 return changed;
6061 }
6062
6063
6064 static int wpa_sm_step(struct wpa_state_machine *sm)
6065 {
6066 if (!sm)
6067 return 0;
6068
6069 if (sm->in_step_loop) {
6070 /* This should not happen, but if it does, make sure we do not
6071 * end up freeing the state machine too early by exiting the
6072 * recursive call. */
6073 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
6074 return 0;
6075 }
6076
6077 sm->in_step_loop = 1;
6078 do {
6079 if (sm->pending_deinit)
6080 break;
6081
6082 wpa_clear_changed(sm);
6083
6084 SM_STEP_RUN(WPA_PTK);
6085 if (sm->pending_deinit)
6086 break;
6087 SM_STEP_RUN(WPA_PTK_GROUP);
6088 if (sm->pending_deinit)
6089 break;
6090 wpa_group_sm_step_links(sm);
6091 } while (sm->changed || wpa_group_sm_changed(sm));
6092 sm->in_step_loop = 0;
6093
6094 if (sm->pending_deinit) {
6095 wpa_printf(MSG_DEBUG,
6096 "WPA: Completing pending STA state machine deinit for "
6097 MACSTR, MAC2STR(wpa_auth_get_spa(sm)));
6098 wpa_free_sta_sm(sm);
6099 return 1;
6100 }
6101 return 0;
6102 }
6103
6104
6105 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
6106 {
6107 struct wpa_state_machine *sm = eloop_ctx;
6108 wpa_sm_step(sm);
6109 }
6110
6111
6112 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
6113 {
6114 if (!sm)
6115 return;
6116 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
6117 }
6118
6119
6120 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
6121 {
6122 int tmp, i;
6123 struct wpa_group *group;
6124
6125 if (!wpa_auth)
6126 return;
6127
6128 group = wpa_auth->group;
6129
6130 for (i = 0; i < 2; i++) {
6131 tmp = group->GM;
6132 group->GM = group->GN;
6133 group->GN = tmp;
6134 tmp = group->GM_igtk;
6135 group->GM_igtk = group->GN_igtk;
6136 group->GN_igtk = tmp;
6137 if (!wpa_auth->conf.tx_bss_auth) {
6138 tmp = group->GM_bigtk;
6139 group->GM_bigtk = group->GN_bigtk;
6140 group->GN_bigtk = tmp;
6141 }
6142 wpa_gtk_update(wpa_auth, group);
6143 wpa_group_config_group_keys(wpa_auth, group);
6144 }
6145 }
6146
6147
6148 static const char * wpa_bool_txt(int val)
6149 {
6150 return val ? "TRUE" : "FALSE";
6151 }
6152
6153
6154 #define RSN_SUITE "%02x-%02x-%02x-%d"
6155 #define RSN_SUITE_ARG(s) \
6156 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
6157
6158 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
6159 {
6160 struct wpa_auth_config *conf;
6161 int len = 0, ret;
6162 char pmkid_txt[PMKID_LEN * 2 + 1];
6163 #ifdef CONFIG_RSN_PREAUTH
6164 const int preauth = 1;
6165 #else /* CONFIG_RSN_PREAUTH */
6166 const int preauth = 0;
6167 #endif /* CONFIG_RSN_PREAUTH */
6168
6169 if (!wpa_auth)
6170 return len;
6171 conf = &wpa_auth->conf;
6172
6173 ret = os_snprintf(buf + len, buflen - len,
6174 "dot11RSNAOptionImplemented=TRUE\n"
6175 "dot11RSNAPreauthenticationImplemented=%s\n"
6176 "dot11RSNAEnabled=%s\n"
6177 "dot11RSNAPreauthenticationEnabled=%s\n",
6178 wpa_bool_txt(preauth),
6179 wpa_bool_txt(conf->wpa & WPA_PROTO_RSN),
6180 wpa_bool_txt(conf->rsn_preauth));
6181 if (os_snprintf_error(buflen - len, ret))
6182 return len;
6183 len += ret;
6184
6185 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
6186 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
6187
6188 ret = os_snprintf(
6189 buf + len, buflen - len,
6190 "dot11RSNAConfigVersion=%u\n"
6191 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
6192 /* FIX: dot11RSNAConfigGroupCipher */
6193 /* FIX: dot11RSNAConfigGroupRekeyMethod */
6194 /* FIX: dot11RSNAConfigGroupRekeyTime */
6195 /* FIX: dot11RSNAConfigGroupRekeyPackets */
6196 "dot11RSNAConfigGroupRekeyStrict=%u\n"
6197 "dot11RSNAConfigGroupUpdateCount=%u\n"
6198 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
6199 "dot11RSNAConfigGroupCipherSize=%u\n"
6200 "dot11RSNAConfigPMKLifetime=%u\n"
6201 "dot11RSNAConfigPMKReauthThreshold=%u\n"
6202 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
6203 "dot11RSNAConfigSATimeout=%u\n"
6204 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
6205 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
6206 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
6207 "dot11RSNAPMKIDUsed=%s\n"
6208 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
6209 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
6210 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
6211 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
6212 "dot11RSNA4WayHandshakeFailures=%u\n"
6213 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
6214 RSN_VERSION,
6215 !!conf->wpa_strict_rekey,
6216 conf->wpa_group_update_count,
6217 conf->wpa_pairwise_update_count,
6218 wpa_cipher_key_len(conf->wpa_group) * 8,
6219 dot11RSNAConfigPMKLifetime,
6220 dot11RSNAConfigPMKReauthThreshold,
6221 dot11RSNAConfigSATimeout,
6222 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
6223 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
6224 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
6225 pmkid_txt,
6226 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
6227 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
6228 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
6229 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
6230 wpa_auth->dot11RSNA4WayHandshakeFailures);
6231 if (os_snprintf_error(buflen - len, ret))
6232 return len;
6233 len += ret;
6234
6235 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
6236 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
6237
6238 /* Private MIB */
6239 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
6240 wpa_auth->group->wpa_group_state);
6241 if (os_snprintf_error(buflen - len, ret))
6242 return len;
6243 len += ret;
6244
6245 return len;
6246 }
6247
6248
6249 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
6250 {
6251 int len = 0, ret;
6252 u32 pairwise = 0;
6253
6254 if (!sm)
6255 return 0;
6256
6257 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
6258
6259 /* dot11RSNAStatsEntry */
6260
6261 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
6262 WPA_PROTO_RSN : WPA_PROTO_WPA,
6263 sm->pairwise);
6264 if (pairwise == 0)
6265 return 0;
6266
6267 ret = os_snprintf(
6268 buf + len, buflen - len,
6269 /* TODO: dot11RSNAStatsIndex */
6270 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
6271 "dot11RSNAStatsVersion=1\n"
6272 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
6273 /* TODO: dot11RSNAStatsTKIPICVErrors */
6274 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
6275 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6276 /* TODO: dot11RSNAStatsCCMPReplays */
6277 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
6278 /* TODO: dot11RSNAStatsTKIPReplays */,
6279 MAC2STR(sm->addr),
6280 RSN_SUITE_ARG(pairwise),
6281 sm->dot11RSNAStatsTKIPLocalMICFailures,
6282 sm->dot11RSNAStatsTKIPRemoteMICFailures);
6283 if (os_snprintf_error(buflen - len, ret))
6284 return len;
6285 len += ret;
6286
6287 /* Private MIB */
6288 ret = os_snprintf(buf + len, buflen - len,
6289 "wpa=%d\n"
6290 "AKMSuiteSelector=" RSN_SUITE "\n"
6291 "hostapdWPAPTKState=%d\n"
6292 "hostapdWPAPTKGroupState=%d\n"
6293 "hostapdMFPR=%d\n",
6294 sm->wpa,
6295 RSN_SUITE_ARG(wpa_akm_to_suite(sm->wpa_key_mgmt)),
6296 sm->wpa_ptk_state,
6297 sm->wpa_ptk_group_state,
6298 sm->mfpr);
6299 if (os_snprintf_error(buflen - len, ret))
6300 return len;
6301 len += ret;
6302
6303 return len;
6304 }
6305
6306
6307 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
6308 {
6309 if (wpa_auth)
6310 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
6311 }
6312
6313
6314 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
6315 {
6316 return sm && sm->pairwise_set;
6317 }
6318
6319
6320 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
6321 {
6322 return sm->pairwise;
6323 }
6324
6325
6326 const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
6327 {
6328 if (!sm)
6329 return NULL;
6330 *len = sm->pmk_len;
6331 return sm->PMK;
6332 }
6333
6334
6335 const u8 * wpa_auth_get_dpp_pkhash(struct wpa_state_machine *sm)
6336 {
6337 if (!sm || !sm->pmksa)
6338 return NULL;
6339 return sm->pmksa->dpp_pkhash;
6340 }
6341
6342
6343 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
6344 {
6345 if (!sm)
6346 return -1;
6347 return sm->wpa_key_mgmt;
6348 }
6349
6350
6351 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
6352 {
6353 if (!sm)
6354 return 0;
6355 return sm->wpa;
6356 }
6357
6358
6359 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
6360 {
6361 if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
6362 return 0;
6363 return sm->tk_already_set;
6364 }
6365
6366
6367 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
6368 {
6369 if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
6370 return 0;
6371 return sm->tk_already_set;
6372 }
6373
6374
6375 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
6376 struct rsn_pmksa_cache_entry *entry)
6377 {
6378 if (!sm || sm->pmksa != entry)
6379 return -1;
6380 sm->pmksa = NULL;
6381 return 0;
6382 }
6383
6384
6385 struct rsn_pmksa_cache_entry *
6386 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
6387 {
6388 return sm ? sm->pmksa : NULL;
6389 }
6390
6391
6392 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
6393 {
6394 if (sm)
6395 sm->dot11RSNAStatsTKIPLocalMICFailures++;
6396 }
6397
6398
6399 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
6400 {
6401 if (!wpa_auth)
6402 return NULL;
6403 *len = wpa_auth->wpa_ie_len;
6404 return wpa_auth->wpa_ie;
6405 }
6406
6407
6408 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
6409 unsigned int pmk_len,
6410 int session_timeout, struct eapol_state_machine *eapol)
6411 {
6412 if (!sm || sm->wpa != WPA_VERSION_WPA2 ||
6413 sm->wpa_auth->conf.disable_pmksa_caching)
6414 return -1;
6415
6416 #ifdef CONFIG_IEEE80211R_AP
6417 if (pmk_len >= 2 * PMK_LEN && wpa_key_mgmt_ft(sm->wpa_key_mgmt) &&
6418 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6419 !wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
6420 /* Cache MPMK/XXKey instead of initial part from MSK */
6421 pmk = pmk + PMK_LEN;
6422 pmk_len = PMK_LEN;
6423 } else
6424 #endif /* CONFIG_IEEE80211R_AP */
6425 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
6426 if (pmk_len > PMK_LEN_SUITE_B_192)
6427 pmk_len = PMK_LEN_SUITE_B_192;
6428 } else if (pmk_len > PMK_LEN) {
6429 pmk_len = PMK_LEN;
6430 }
6431
6432 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK", pmk, pmk_len);
6433 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
6434 sm->PTK.kck, sm->PTK.kck_len,
6435 wpa_auth_get_aa(sm),
6436 wpa_auth_get_spa(sm), session_timeout,
6437 eapol, sm->wpa_key_mgmt))
6438 return 0;
6439
6440 return -1;
6441 }
6442
6443
6444 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
6445 const u8 *pmk, size_t len, const u8 *sta_addr,
6446 int session_timeout,
6447 struct eapol_state_machine *eapol)
6448 {
6449 if (!wpa_auth)
6450 return -1;
6451
6452 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from preauth", pmk, len);
6453 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
6454 NULL, 0,
6455 wpa_auth->addr,
6456 sta_addr, session_timeout, eapol,
6457 WPA_KEY_MGMT_IEEE8021X))
6458 return 0;
6459
6460 return -1;
6461 }
6462
6463
6464 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
6465 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
6466 int akmp)
6467 {
6468 if (wpa_auth->conf.disable_pmksa_caching)
6469 return -1;
6470
6471 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, pmk_len);
6472 if (!akmp)
6473 akmp = WPA_KEY_MGMT_SAE;
6474 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
6475 NULL, 0, wpa_auth->addr, addr, 0, NULL, akmp))
6476 return 0;
6477
6478 return -1;
6479 }
6480
6481
6482 void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
6483 {
6484 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
6485 sm->pmkid_set = 1;
6486 }
6487
6488
6489 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
6490 const u8 *pmk, size_t pmk_len, const u8 *pmkid,
6491 int session_timeout, int akmp, const u8 *dpp_pkhash)
6492 {
6493 struct rsn_pmksa_cache_entry *entry;
6494
6495 if (!wpa_auth || wpa_auth->conf.disable_pmksa_caching)
6496 return -1;
6497
6498 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK (3)", pmk, PMK_LEN);
6499 entry = pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
6500 NULL, 0, wpa_auth->addr, addr, session_timeout,
6501 NULL, akmp);
6502 if (!entry)
6503 return -1;
6504
6505 if (dpp_pkhash)
6506 entry->dpp_pkhash = os_memdup(dpp_pkhash, SHA256_MAC_LEN);
6507
6508 return 0;
6509 }
6510
6511
6512 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
6513 const u8 *sta_addr)
6514 {
6515 struct rsn_pmksa_cache_entry *pmksa;
6516
6517 if (!wpa_auth || !wpa_auth->pmksa)
6518 return;
6519 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
6520 if (pmksa) {
6521 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
6522 MACSTR " based on request", MAC2STR(sta_addr));
6523 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
6524 }
6525 }
6526
6527
6528 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
6529 size_t len)
6530 {
6531 if (!wpa_auth || !wpa_auth->pmksa)
6532 return 0;
6533 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
6534 }
6535
6536
6537 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
6538 {
6539 if (wpa_auth && wpa_auth->pmksa)
6540 pmksa_cache_auth_flush(wpa_auth->pmksa);
6541 }
6542
6543
6544 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL
6545 #ifdef CONFIG_MESH
6546
6547 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
6548 char *buf, size_t len)
6549 {
6550 if (!wpa_auth || !wpa_auth->pmksa)
6551 return 0;
6552
6553 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
6554 }
6555
6556
6557 struct rsn_pmksa_cache_entry *
6558 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
6559 size_t pmk_len, int akmp,
6560 const u8 *pmkid, int expiration)
6561 {
6562 struct rsn_pmksa_cache_entry *entry;
6563 struct os_reltime now;
6564
6565 entry = pmksa_cache_auth_create_entry(pmk, pmk_len, pmkid, NULL, 0, aa,
6566 spa, 0, NULL, akmp);
6567 if (!entry)
6568 return NULL;
6569
6570 os_get_reltime(&now);
6571 entry->expiration = now.sec + expiration;
6572 return entry;
6573 }
6574
6575
6576 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
6577 struct rsn_pmksa_cache_entry *entry)
6578 {
6579 int ret;
6580
6581 if (!wpa_auth || !wpa_auth->pmksa)
6582 return -1;
6583
6584 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
6585 if (ret < 0)
6586 wpa_printf(MSG_DEBUG,
6587 "RSN: Failed to store external PMKSA cache for "
6588 MACSTR, MAC2STR(entry->spa));
6589
6590 return ret;
6591 }
6592
6593 #endif /* CONFIG_MESH */
6594 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
6595
6596
6597 struct rsn_pmksa_cache *
6598 wpa_auth_get_pmksa_cache(struct wpa_authenticator *wpa_auth)
6599 {
6600 if (!wpa_auth || !wpa_auth->pmksa)
6601 return NULL;
6602 return wpa_auth->pmksa;
6603 }
6604
6605
6606 struct rsn_pmksa_cache_entry *
6607 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
6608 const u8 *pmkid)
6609 {
6610 if (!wpa_auth || !wpa_auth->pmksa)
6611 return NULL;
6612 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
6613 }
6614
6615
6616 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
6617 struct wpa_state_machine *sm,
6618 struct wpa_authenticator *wpa_auth,
6619 u8 *pmkid, u8 *pmk, size_t *pmk_len)
6620 {
6621 if (!sm)
6622 return;
6623
6624 sm->pmksa = pmksa;
6625 os_memcpy(pmk, pmksa->pmk, pmksa->pmk_len);
6626 *pmk_len = pmksa->pmk_len;
6627 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
6628 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
6629 }
6630
6631
6632 /*
6633 * Remove and free the group from wpa_authenticator. This is triggered by a
6634 * callback to make sure nobody is currently iterating the group list while it
6635 * gets modified.
6636 */
6637 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
6638 struct wpa_group *group)
6639 {
6640 struct wpa_group *prev = wpa_auth->group;
6641
6642 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
6643 group->vlan_id);
6644
6645 while (prev) {
6646 if (prev->next == group) {
6647 /* This never frees the special first group as needed */
6648 prev->next = group->next;
6649 os_free(group);
6650 break;
6651 }
6652 prev = prev->next;
6653 }
6654
6655 }
6656
6657
6658 /* Increase the reference counter for group */
6659 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
6660 struct wpa_group *group)
6661 {
6662 /* Skip the special first group */
6663 if (wpa_auth->group == group)
6664 return;
6665
6666 group->references++;
6667 }
6668
6669
6670 /* Decrease the reference counter and maybe free the group */
6671 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
6672 struct wpa_group *group)
6673 {
6674 /* Skip the special first group */
6675 if (wpa_auth->group == group)
6676 return;
6677
6678 group->references--;
6679 if (group->references)
6680 return;
6681 wpa_group_free(wpa_auth, group);
6682 }
6683
6684
6685 /*
6686 * Add a group that has its references counter set to zero. Caller needs to
6687 * call wpa_group_get() on the return value to mark the entry in use.
6688 */
6689 static struct wpa_group *
6690 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
6691 {
6692 struct wpa_group *group;
6693
6694 if (!wpa_auth || !wpa_auth->group)
6695 return NULL;
6696
6697 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
6698 vlan_id);
6699 group = wpa_group_init(wpa_auth, vlan_id, 0);
6700 if (!group)
6701 return NULL;
6702
6703 group->next = wpa_auth->group->next;
6704 wpa_auth->group->next = group;
6705
6706 return group;
6707 }
6708
6709
6710 /*
6711 * Enforce that the group state machine for the VLAN is running, increase
6712 * reference counter as interface is up. References might have been increased
6713 * even if a negative value is returned.
6714 * Returns: -1 on error (group missing, group already failed); otherwise, 0
6715 */
6716 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
6717 {
6718 struct wpa_group *group;
6719
6720 if (!wpa_auth)
6721 return 0;
6722
6723 group = wpa_auth->group;
6724 while (group) {
6725 if (group->vlan_id == vlan_id)
6726 break;
6727 group = group->next;
6728 }
6729
6730 if (!group) {
6731 group = wpa_auth_add_group(wpa_auth, vlan_id);
6732 if (!group)
6733 return -1;
6734 }
6735
6736 wpa_printf(MSG_DEBUG,
6737 "WPA: Ensure group state machine running for VLAN ID %d",
6738 vlan_id);
6739
6740 wpa_group_get(wpa_auth, group);
6741 group->num_setup_iface++;
6742
6743 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
6744 return -1;
6745
6746 return 0;
6747 }
6748
6749
6750 /*
6751 * Decrease reference counter, expected to be zero afterwards.
6752 * returns: -1 on error (group not found, group in fail state)
6753 * -2 if wpa_group is still referenced
6754 * 0 else
6755 */
6756 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
6757 {
6758 struct wpa_group *group;
6759 int ret = 0;
6760
6761 if (!wpa_auth)
6762 return 0;
6763
6764 group = wpa_auth->group;
6765 while (group) {
6766 if (group->vlan_id == vlan_id)
6767 break;
6768 group = group->next;
6769 }
6770
6771 if (!group)
6772 return -1;
6773
6774 wpa_printf(MSG_DEBUG,
6775 "WPA: Try stopping group state machine for VLAN ID %d",
6776 vlan_id);
6777
6778 if (group->num_setup_iface <= 0) {
6779 wpa_printf(MSG_ERROR,
6780 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
6781 vlan_id);
6782 return -1;
6783 }
6784 group->num_setup_iface--;
6785
6786 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
6787 ret = -1;
6788
6789 if (group->references > 1) {
6790 wpa_printf(MSG_DEBUG,
6791 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
6792 vlan_id);
6793 ret = -2;
6794 }
6795
6796 wpa_group_put(wpa_auth, group);
6797
6798 return ret;
6799 }
6800
6801
6802 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
6803 {
6804 struct wpa_group *group;
6805
6806 if (!sm || !sm->wpa_auth)
6807 return 0;
6808
6809 group = sm->wpa_auth->group;
6810 while (group) {
6811 if (group->vlan_id == vlan_id)
6812 break;
6813 group = group->next;
6814 }
6815
6816 if (!group) {
6817 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
6818 if (!group)
6819 return -1;
6820 }
6821
6822 if (sm->group == group)
6823 return 0;
6824
6825 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
6826 return -1;
6827
6828 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR
6829 " to use group state machine for VLAN ID %d",
6830 MAC2STR(wpa_auth_get_spa(sm)), vlan_id);
6831
6832 wpa_group_get(sm->wpa_auth, group);
6833 wpa_group_put(sm->wpa_auth, sm->group);
6834 sm->group = group;
6835
6836 return 0;
6837 }
6838
6839
6840 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
6841 struct wpa_state_machine *sm, int ack)
6842 {
6843 if (!wpa_auth || !sm)
6844 return;
6845 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
6846 " ack=%d", MAC2STR(wpa_auth_get_spa(sm)), ack);
6847 if (sm->pending_1_of_4_timeout && ack) {
6848 /*
6849 * Some deployed supplicant implementations update their SNonce
6850 * for each EAPOL-Key 2/4 message even within the same 4-way
6851 * handshake and then fail to use the first SNonce when
6852 * deriving the PTK. This results in unsuccessful 4-way
6853 * handshake whenever the relatively short initial timeout is
6854 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
6855 * around this by increasing the timeout now that we know that
6856 * the station has received the frame.
6857 */
6858 int timeout_ms = eapol_key_timeout_subseq;
6859 wpa_printf(MSG_DEBUG,
6860 "WPA: Increase initial EAPOL-Key 1/4 timeout by %u ms because of acknowledged frame",
6861 timeout_ms);
6862 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
6863 eloop_register_timeout(timeout_ms / 1000,
6864 (timeout_ms % 1000) * 1000,
6865 wpa_send_eapol_timeout, wpa_auth, sm);
6866 }
6867
6868 #ifdef CONFIG_TESTING_OPTIONS
6869 if (sm->eapol_status_cb) {
6870 sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
6871 sm->eapol_status_cb_ctx2);
6872 sm->eapol_status_cb = NULL;
6873 }
6874 #endif /* CONFIG_TESTING_OPTIONS */
6875 }
6876
6877
6878 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
6879 {
6880 if (!sm)
6881 return 0;
6882 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
6883 }
6884
6885
6886 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
6887 {
6888 if (!sm)
6889 return 0;
6890 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE ||
6891 sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY;
6892 }
6893
6894
6895 #ifdef CONFIG_P2P
6896 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
6897 {
6898 if (!sm || WPA_GET_BE32(sm->ip_addr) == 0)
6899 return -1;
6900 os_memcpy(addr, sm->ip_addr, 4);
6901 return 0;
6902 }
6903 #endif /* CONFIG_P2P */
6904
6905
6906 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
6907 struct radius_das_attrs *attr)
6908 {
6909 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
6910 }
6911
6912
6913 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
6914 {
6915 struct wpa_group *group;
6916
6917 if (!wpa_auth)
6918 return;
6919 for (group = wpa_auth->group; group; group = group->next)
6920 wpa_group_config_group_keys(wpa_auth, group);
6921 }
6922
6923
6924 #ifdef CONFIG_FILS
6925
6926 struct wpa_auth_fils_iter_data {
6927 struct wpa_authenticator *auth;
6928 const u8 *cache_id;
6929 struct rsn_pmksa_cache_entry *pmksa;
6930 const u8 *spa;
6931 const u8 *pmkid;
6932 };
6933
6934
6935 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
6936 {
6937 struct wpa_auth_fils_iter_data *data = ctx;
6938
6939 if (a == data->auth || !a->conf.fils_cache_id_set ||
6940 os_memcmp(a->conf.fils_cache_id, data->cache_id,
6941 FILS_CACHE_ID_LEN) != 0)
6942 return 0;
6943 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
6944 return data->pmksa != NULL;
6945 }
6946
6947
6948 struct rsn_pmksa_cache_entry *
6949 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
6950 const u8 *sta_addr, const u8 *pmkid)
6951 {
6952 struct wpa_auth_fils_iter_data idata;
6953
6954 if (!wpa_auth->conf.fils_cache_id_set)
6955 return NULL;
6956 idata.auth = wpa_auth;
6957 idata.cache_id = wpa_auth->conf.fils_cache_id;
6958 idata.pmksa = NULL;
6959 idata.spa = sta_addr;
6960 idata.pmkid = pmkid;
6961 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
6962 return idata.pmksa;
6963 }
6964
6965
6966 #ifdef CONFIG_IEEE80211R_AP
6967 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth,
6968 struct wpa_state_machine *sm,
6969 u8 *buf, size_t len)
6970 {
6971 struct wpa_auth_config *conf = &wpa_auth->conf;
6972
6973 return wpa_write_ftie(conf, sm->wpa_key_mgmt, sm->xxkey_len,
6974 conf->r0_key_holder, conf->r0_key_holder_len,
6975 NULL, NULL, buf, len, NULL, 0, 0);
6976 }
6977 #endif /* CONFIG_IEEE80211R_AP */
6978
6979
6980 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
6981 u8 *fils_anonce, u8 *fils_snonce,
6982 u8 *fils_kek, size_t *fils_kek_len)
6983 {
6984 os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
6985 os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
6986 os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
6987 *fils_kek_len = sm->PTK.kek_len;
6988 }
6989
6990
6991 void wpa_auth_add_fils_pmk_pmkid(struct wpa_state_machine *sm, const u8 *pmk,
6992 size_t pmk_len, const u8 *pmkid)
6993 {
6994 os_memcpy(sm->PMK, pmk, pmk_len);
6995 sm->pmk_len = pmk_len;
6996 os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
6997 sm->pmkid_set = 1;
6998 }
6999
7000 #endif /* CONFIG_FILS */
7001
7002
7003 void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
7004 {
7005 if (sm)
7006 sm->auth_alg = auth_alg;
7007 }
7008
7009
7010 void wpa_auth_set_rsn_selection(struct wpa_state_machine *sm, const u8 *ie,
7011 size_t len)
7012 {
7013 if (!sm)
7014 return;
7015 os_free(sm->rsn_selection);
7016 sm->rsn_selection = NULL;
7017 sm->rsn_selection_len = 0;
7018 sm->rsn_override = false;
7019 sm->rsn_override_2 = false;
7020 if (ie) {
7021 if (len >= 1) {
7022 if (ie[0] == RSN_SELECTION_RSNE_OVERRIDE)
7023 sm->rsn_override = true;
7024 else if (ie[0] == RSN_SELECTION_RSNE_OVERRIDE_2)
7025 sm->rsn_override_2 = true;
7026 }
7027 sm->rsn_selection = os_memdup(ie, len);
7028 if (sm->rsn_selection)
7029 sm->rsn_selection_len = len;
7030 }
7031 }
7032
7033
7034 #ifdef CONFIG_DPP2
7035 void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
7036 {
7037 if (sm) {
7038 wpabuf_clear_free(sm->dpp_z);
7039 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
7040 }
7041 }
7042 #endif /* CONFIG_DPP2 */
7043
7044
7045 void wpa_auth_set_ssid_protection(struct wpa_state_machine *sm, bool val)
7046 {
7047 if (sm)
7048 sm->ssid_protection = val;
7049 }
7050
7051
7052 void wpa_auth_set_transition_disable(struct wpa_authenticator *wpa_auth,
7053 u8 val)
7054 {
7055 if (wpa_auth)
7056 wpa_auth->conf.transition_disable = val;
7057 }
7058
7059
7060 #ifdef CONFIG_TESTING_OPTIONS
7061
7062 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
7063 void (*cb)(void *ctx1, void *ctx2),
7064 void *ctx1, void *ctx2)
7065 {
7066 const u8 *anonce = sm->ANonce;
7067 u8 anonce_buf[WPA_NONCE_LEN];
7068
7069 if (change_anonce) {
7070 if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
7071 return -1;
7072 anonce = anonce_buf;
7073 }
7074
7075 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
7076 "sending 1/4 msg of 4-Way Handshake (TESTING)");
7077 wpa_send_eapol(sm->wpa_auth, sm,
7078 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
7079 anonce, NULL, 0, 0, 0);
7080 return 0;
7081 }
7082
7083
7084 int wpa_auth_resend_m3(struct wpa_state_machine *sm,
7085 void (*cb)(void *ctx1, void *ctx2),
7086 void *ctx1, void *ctx2)
7087 {
7088 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
7089 u8 *opos;
7090 size_t gtk_len, kde_len;
7091 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
7092 struct wpa_group *gsm = sm->group;
7093 u8 *wpa_ie;
7094 int wpa_ie_len, secure, gtkidx, encr = 0;
7095 u8 hdr[2];
7096
7097 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
7098 GTK[GN], IGTK, [BIGTK], [FTIE], [TIE * 2])
7099 */
7100
7101 /* Use 0 RSC */
7102 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
7103 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
7104 wpa_ie = sm->wpa_auth->wpa_ie;
7105 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
7106 if (sm->wpa == WPA_VERSION_WPA &&
7107 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
7108 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
7109 /* WPA-only STA, remove RSN IE and possible MDIE */
7110 wpa_ie = wpa_ie + wpa_ie[1] + 2;
7111 if (wpa_ie[0] == WLAN_EID_RSNX)
7112 wpa_ie = wpa_ie + wpa_ie[1] + 2;
7113 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
7114 wpa_ie = wpa_ie + wpa_ie[1] + 2;
7115 wpa_ie_len = wpa_ie[1] + 2;
7116 }
7117 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
7118 "sending 3/4 msg of 4-Way Handshake (TESTING)");
7119 if (sm->wpa == WPA_VERSION_WPA2) {
7120 /* WPA2 send GTK in the 4-way handshake */
7121 secure = 1;
7122 gtk = gsm->GTK[gsm->GN - 1];
7123 gtk_len = gsm->GTK_len;
7124 gtkidx = gsm->GN;
7125 _rsc = rsc;
7126 encr = 1;
7127 } else {
7128 /* WPA does not include GTK in msg 3/4 */
7129 secure = 0;
7130 gtk = NULL;
7131 gtk_len = 0;
7132 _rsc = NULL;
7133 if (sm->rx_eapol_key_secure) {
7134 /*
7135 * It looks like Windows 7 supplicant tries to use
7136 * Secure bit in msg 2/4 after having reported Michael
7137 * MIC failure and it then rejects the 4-way handshake
7138 * if msg 3/4 does not set Secure bit. Work around this
7139 * by setting the Secure bit here even in the case of
7140 * WPA if the supplicant used it first.
7141 */
7142 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm),
7143 LOGGER_DEBUG,
7144 "STA used Secure bit in WPA msg 2/4 - set Secure for 3/4 as workaround");
7145 secure = 1;
7146 }
7147 }
7148
7149 kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
7150
7151 if (sm->use_ext_key_id)
7152 kde_len += 2 + RSN_SELECTOR_LEN + 2;
7153
7154 if (gtk)
7155 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
7156 #ifdef CONFIG_IEEE80211R_AP
7157 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
7158 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
7159 kde_len += 300; /* FTIE + 2 * TIE */
7160 }
7161 #endif /* CONFIG_IEEE80211R_AP */
7162 kde = os_malloc(kde_len);
7163 if (!kde)
7164 return -1;
7165
7166 pos = kde;
7167 os_memcpy(pos, wpa_ie, wpa_ie_len);
7168 pos += wpa_ie_len;
7169 #ifdef CONFIG_IEEE80211R_AP
7170 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
7171 int res;
7172 size_t elen;
7173
7174 elen = pos - kde;
7175 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name, true);
7176 if (res < 0) {
7177 wpa_printf(MSG_ERROR,
7178 "FT: Failed to insert PMKR1Name into RSN IE in EAPOL-Key data");
7179 os_free(kde);
7180 return -1;
7181 }
7182 pos -= wpa_ie_len;
7183 pos += elen;
7184 }
7185 #endif /* CONFIG_IEEE80211R_AP */
7186 hdr[1] = 0;
7187
7188 if (sm->use_ext_key_id) {
7189 hdr[0] = sm->keyidx_active & 0x01;
7190 pos = wpa_add_kde(pos, RSN_KEY_DATA_KEYID, hdr, 2, NULL, 0);
7191 }
7192
7193 if (gtk) {
7194 hdr[0] = gtkidx & 0x03;
7195 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
7196 gtk, gtk_len);
7197 }
7198 opos = pos;
7199 pos = ieee80211w_kde_add(sm, pos);
7200 if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
7201 /* skip KDE header and keyid */
7202 opos += 2 + RSN_SELECTOR_LEN + 2;
7203 os_memset(opos, 0, 6); /* clear PN */
7204 }
7205 if (ocv_oci_add(sm, &pos, conf->oci_freq_override_eapol_m3) < 0) {
7206 os_free(kde);
7207 return -1;
7208 }
7209
7210 #ifdef CONFIG_IEEE80211R_AP
7211 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
7212 int res;
7213
7214 if (sm->assoc_resp_ftie &&
7215 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
7216 os_memcpy(pos, sm->assoc_resp_ftie,
7217 2 + sm->assoc_resp_ftie[1]);
7218 res = 2 + sm->assoc_resp_ftie[1];
7219 } else {
7220 res = wpa_write_ftie(conf, sm->wpa_key_mgmt,
7221 sm->xxkey_len,
7222 conf->r0_key_holder,
7223 conf->r0_key_holder_len,
7224 NULL, NULL, pos,
7225 kde + kde_len - pos,
7226 NULL, 0, 0);
7227 }
7228 if (res < 0) {
7229 wpa_printf(MSG_ERROR,
7230 "FT: Failed to insert FTIE into EAPOL-Key Key Data");
7231 os_free(kde);
7232 return -1;
7233 }
7234 pos += res;
7235
7236 /* TIE[ReassociationDeadline] (TU) */
7237 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
7238 *pos++ = 5;
7239 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
7240 WPA_PUT_LE32(pos, conf->reassociation_deadline);
7241 pos += 4;
7242
7243 /* TIE[KeyLifetime] (seconds) */
7244 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
7245 *pos++ = 5;
7246 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
7247 WPA_PUT_LE32(pos, conf->r0_key_lifetime);
7248 pos += 4;
7249 }
7250 #endif /* CONFIG_IEEE80211R_AP */
7251
7252 wpa_send_eapol(sm->wpa_auth, sm,
7253 (secure ? WPA_KEY_INFO_SECURE : 0) |
7254 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
7255 WPA_KEY_INFO_MIC : 0) |
7256 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
7257 WPA_KEY_INFO_KEY_TYPE,
7258 _rsc, sm->ANonce, kde, pos - kde, 0, encr);
7259 bin_clear_free(kde, kde_len);
7260 return 0;
7261 }
7262
7263
7264 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
7265 void (*cb)(void *ctx1, void *ctx2),
7266 void *ctx1, void *ctx2)
7267 {
7268 u8 rsc[WPA_KEY_RSC_LEN];
7269 struct wpa_auth_config *conf = &sm->wpa_auth->conf;
7270 struct wpa_group *gsm = sm->group;
7271 const u8 *kde;
7272 u8 *kde_buf = NULL, *pos, hdr[2];
7273 u8 *opos;
7274 size_t kde_len;
7275 u8 *gtk;
7276
7277 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
7278 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
7279 /* Use 0 RSC */
7280 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
7281 "sending 1/2 msg of Group Key Handshake (TESTING)");
7282
7283 gtk = gsm->GTK[gsm->GN - 1];
7284 if (sm->wpa == WPA_VERSION_WPA2) {
7285 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
7286 ieee80211w_kde_len(sm) + ocv_oci_len(sm);
7287 kde_buf = os_malloc(kde_len);
7288 if (!kde_buf)
7289 return -1;
7290
7291 kde = pos = kde_buf;
7292 hdr[0] = gsm->GN & 0x03;
7293 hdr[1] = 0;
7294 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
7295 gtk, gsm->GTK_len);
7296 opos = pos;
7297 pos = ieee80211w_kde_add(sm, pos);
7298 if (pos - opos >=
7299 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
7300 /* skip KDE header and keyid */
7301 opos += 2 + RSN_SELECTOR_LEN + 2;
7302 os_memset(opos, 0, 6); /* clear PN */
7303 }
7304 if (ocv_oci_add(sm, &pos,
7305 conf->oci_freq_override_eapol_g1) < 0) {
7306 os_free(kde_buf);
7307 return -1;
7308 }
7309 kde_len = pos - kde;
7310 } else {
7311 kde = gtk;
7312 kde_len = gsm->GTK_len;
7313 }
7314
7315 sm->eapol_status_cb = cb;
7316 sm->eapol_status_cb_ctx1 = ctx1;
7317 sm->eapol_status_cb_ctx2 = ctx2;
7318
7319 wpa_send_eapol(sm->wpa_auth, sm,
7320 WPA_KEY_INFO_SECURE |
7321 (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
7322 WPA_KEY_INFO_MIC : 0) |
7323 WPA_KEY_INFO_ACK |
7324 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
7325 rsc, NULL, kde, kde_len, gsm->GN, 1);
7326
7327 bin_clear_free(kde_buf, kde_len);
7328 return 0;
7329 }
7330
7331
7332 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
7333 {
7334 if (!wpa_auth)
7335 return -1;
7336 eloop_cancel_timeout(wpa_rekey_gtk,
7337 wpa_get_primary_auth(wpa_auth), NULL);
7338 return eloop_register_timeout(0, 0, wpa_rekey_gtk,
7339 wpa_get_primary_auth(wpa_auth), NULL);
7340 }
7341
7342
7343 int wpa_auth_rekey_ptk(struct wpa_authenticator *wpa_auth,
7344 struct wpa_state_machine *sm)
7345 {
7346 if (!wpa_auth || !sm)
7347 return -1;
7348 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
7349 wpa_request_new_ptk(sm);
7350 wpa_sm_step(sm);
7351 return 0;
7352 }
7353
7354
7355 void wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator *wpa_auth, int val)
7356 {
7357 if (wpa_auth)
7358 wpa_auth->conf.ft_rsnxe_used = val;
7359 }
7360
7361
7362 void wpa_auth_set_ocv_override_freq(struct wpa_authenticator *wpa_auth,
7363 enum wpa_auth_ocv_override_frame frame,
7364 unsigned int freq)
7365 {
7366 if (!wpa_auth)
7367 return;
7368 switch (frame) {
7369 case WPA_AUTH_OCV_OVERRIDE_EAPOL_M3:
7370 wpa_auth->conf.oci_freq_override_eapol_m3 = freq;
7371 break;
7372 case WPA_AUTH_OCV_OVERRIDE_EAPOL_G1:
7373 wpa_auth->conf.oci_freq_override_eapol_g1 = freq;
7374 break;
7375 case WPA_AUTH_OCV_OVERRIDE_FT_ASSOC:
7376 wpa_auth->conf.oci_freq_override_ft_assoc = freq;
7377 break;
7378 case WPA_AUTH_OCV_OVERRIDE_FILS_ASSOC:
7379 wpa_auth->conf.oci_freq_override_fils_assoc = freq;
7380 break;
7381 }
7382 }
7383
7384 void wpa_auth_set_skip_send_eapol(struct wpa_authenticator *wpa_auth,
7385 u8 val)
7386 {
7387 if (wpa_auth)
7388 wpa_auth->conf.skip_send_eapol = val;
7389 }
7390
7391 void wpa_auth_set_enable_eapol_large_timeout(struct wpa_authenticator *wpa_auth,
7392 u8 val)
7393 {
7394 if (wpa_auth)
7395 wpa_auth->conf.enable_eapol_large_timeout = val;
7396 }
7397
7398
7399 #endif /* CONFIG_TESTING_OPTIONS */
7400
7401
7402 void wpa_auth_sta_radius_psk_resp(struct wpa_state_machine *sm, bool success)
7403 {
7404 if (!sm->waiting_radius_psk) {
7405 wpa_printf(MSG_DEBUG,
7406 "Ignore RADIUS PSK response for " MACSTR
7407 " that did not wait one",
7408 MAC2STR(sm->addr));
7409 return;
7410 }
7411
7412 wpa_printf(MSG_DEBUG, "RADIUS PSK response for " MACSTR " (%s)",
7413 MAC2STR(sm->addr), success ? "success" : "fail");
7414 sm->waiting_radius_psk = 0;
7415
7416 if (success) {
7417 /* Try to process the EAPOL-Key msg 2/4 again */
7418 sm->EAPOLKeyReceived = true;
7419 } else {
7420 sm->Disconnect = true;
7421 }
7422
7423 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
7424 }
7425
7426
7427 void wpa_auth_set_ml_info(struct wpa_state_machine *sm,
7428 u8 mld_assoc_link_id, struct mld_info *info)
7429 {
7430 #ifdef CONFIG_IEEE80211BE
7431 unsigned int link_id;
7432
7433 if (!info)
7434 return;
7435
7436 os_memset(sm->mld_links, 0, sizeof(sm->mld_links));
7437 sm->n_mld_affiliated_links = 0;
7438
7439 wpa_auth_logger(sm->wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
7440 "MLD: Initialization");
7441
7442 os_memcpy(sm->peer_mld_addr, info->common_info.mld_addr, ETH_ALEN);
7443
7444 sm->mld_assoc_link_id = mld_assoc_link_id;
7445
7446 for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++) {
7447 struct mld_link_info *link = &info->links[link_id];
7448 struct mld_link *sm_link = &sm->mld_links[link_id];
7449 struct wpa_get_link_auth_ctx ctx;
7450
7451 sm_link->valid = link->valid;
7452 if (!link->valid)
7453 continue;
7454
7455 os_memcpy(sm_link->peer_addr, link->peer_addr, ETH_ALEN);
7456
7457 wpa_printf(MSG_DEBUG,
7458 "WPA_AUTH: MLD: id=%u, peer=" MACSTR,
7459 link_id,
7460 MAC2STR(sm_link->peer_addr));
7461
7462 if (link_id != mld_assoc_link_id) {
7463 sm->n_mld_affiliated_links++;
7464 ctx.addr = link->local_addr;
7465 ctx.mld_addr = NULL;
7466 ctx.link_id = -1;
7467 ctx.wpa_auth = NULL;
7468 wpa_auth_for_each_auth(sm->wpa_auth,
7469 wpa_get_link_sta_auth, &ctx);
7470 if (ctx.wpa_auth) {
7471 sm_link->wpa_auth = ctx.wpa_auth;
7472 wpa_group_get(sm_link->wpa_auth,
7473 sm_link->wpa_auth->group);
7474 }
7475 } else {
7476 sm_link->wpa_auth = sm->wpa_auth;
7477 }
7478
7479 if (!sm_link->wpa_auth)
7480 wpa_printf(MSG_ERROR,
7481 "Unable to find authenticator object for ML STA "
7482 MACSTR " on link id %d",
7483 MAC2STR(sm->wpa_auth->mld_addr),
7484 link_id);
7485 }
7486 #endif /* CONFIG_IEEE80211BE */
7487 }
7488