1 /* 2 * WPA Supplicant - WPA state machine and EAPOL-Key processing 3 * Copyright (c) 2003-2018, Jouni Malinen <j (at) w1.fi> 4 * Copyright(c) 2015 Intel Deutschland GmbH 5 * 6 * This software may be distributed under the terms of the BSD license. 7 * See README for more details. 8 */ 9 10 #include "includes.h" 11 12 #include "common.h" 13 #include "crypto/aes.h" 14 #include "crypto/aes_wrap.h" 15 #include "crypto/crypto.h" 16 #include "crypto/random.h" 17 #include "crypto/aes_siv.h" 18 #include "crypto/sha256.h" 19 #include "crypto/sha384.h" 20 #include "crypto/sha512.h" 21 #include "common/ieee802_11_defs.h" 22 #include "common/ieee802_11_common.h" 23 #include "common/ocv.h" 24 #include "common/dpp.h" 25 #include "common/wpa_ctrl.h" 26 #include "eap_common/eap_defs.h" 27 #include "eapol_supp/eapol_supp_sm.h" 28 #include "drivers/driver.h" 29 #include "wpa.h" 30 #include "eloop.h" 31 #include "preauth.h" 32 #include "pmksa_cache.h" 33 #include "wpa_i.h" 34 #include "wpa_ie.h" 35 36 37 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; 38 39 40 static void _wpa_hexdump_link(int level, u8 link_id, const char *title, 41 const void *buf, size_t len, bool key) 42 { 43 char *link_title = NULL; 44 45 if (link_id >= MAX_NUM_MLD_LINKS) 46 goto out; 47 48 link_title = os_malloc(os_strlen(title) + 20); 49 if (!link_title) 50 goto out; 51 52 os_snprintf(link_title, os_strlen(title) + 20, "MLO link[%u]: %s", 53 link_id, title); 54 55 out: 56 if (key) 57 wpa_hexdump_key(level, link_title ? link_title : title, buf, 58 len); 59 else 60 wpa_hexdump(level, link_title ? link_title : title, buf, len); 61 os_free(link_title); 62 } 63 64 65 static void wpa_hexdump_link(int level, u8 link_id, const char *title, 66 const void *buf, size_t len) 67 { 68 _wpa_hexdump_link(level, link_id, title, buf, len, false); 69 } 70 71 72 static void wpa_hexdump_link_key(int level, u8 link_id, const char *title, 73 const void *buf, size_t len) 74 { 75 _wpa_hexdump_link(level, link_id, title, buf, len, true); 76 } 77 78 79 /** 80 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message 81 * @sm: Pointer to WPA state machine data from wpa_sm_init() 82 * @ptk: PTK for Key Confirmation/Encryption Key 83 * @ver: Version field from Key Info 84 * @dest: Destination address for the frame 85 * @proto: Ethertype (usually ETH_P_EAPOL) 86 * @msg: EAPOL-Key message 87 * @msg_len: Length of message 88 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written 89 * Returns: >= 0 on success, < 0 on failure 90 */ 91 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk, 92 int ver, const u8 *dest, u16 proto, 93 u8 *msg, size_t msg_len, u8 *key_mic) 94 { 95 int ret = -1; 96 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 97 98 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR 99 " ver=%d mic_len=%d key_mgmt=0x%x", 100 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt); 101 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) { 102 /* 103 * Association event was not yet received; try to fetch 104 * BSSID from the driver. 105 */ 106 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) { 107 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 108 "WPA: Failed to read BSSID for " 109 "EAPOL-Key destination address"); 110 } else { 111 dest = sm->bssid; 112 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 113 "WPA: Use BSSID (" MACSTR 114 ") as the destination for EAPOL-Key", 115 MAC2STR(dest)); 116 } 117 } 118 119 if (mic_len) { 120 if (key_mic && (!ptk || !ptk->kck_len)) 121 goto out; 122 123 if (key_mic && 124 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver, 125 msg, msg_len, key_mic)) { 126 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 127 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC", 128 ver, sm->key_mgmt); 129 goto out; 130 } 131 if (ptk) 132 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", 133 ptk->kck, ptk->kck_len); 134 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC", 135 key_mic, mic_len); 136 } else { 137 #ifdef CONFIG_FILS 138 /* AEAD cipher - Key MIC field not used */ 139 struct ieee802_1x_hdr *s_hdr, *hdr; 140 struct wpa_eapol_key *s_key, *key; 141 u8 *buf, *s_key_data, *key_data; 142 size_t buf_len = msg_len + AES_BLOCK_SIZE; 143 size_t key_data_len; 144 u16 eapol_len; 145 const u8 *aad[1]; 146 size_t aad_len[1]; 147 148 if (!ptk || !ptk->kek_len) 149 goto out; 150 151 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) - 152 sizeof(struct wpa_eapol_key) - 2; 153 154 buf = os_malloc(buf_len); 155 if (!buf) 156 goto out; 157 158 os_memcpy(buf, msg, msg_len); 159 hdr = (struct ieee802_1x_hdr *) buf; 160 key = (struct wpa_eapol_key *) (hdr + 1); 161 key_data = ((u8 *) (key + 1)) + 2; 162 163 /* Update EAPOL header to include AES-SIV overhead */ 164 eapol_len = be_to_host16(hdr->length); 165 eapol_len += AES_BLOCK_SIZE; 166 hdr->length = host_to_be16(eapol_len); 167 168 /* Update Key Data Length field to include AES-SIV overhead */ 169 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len); 170 171 s_hdr = (struct ieee802_1x_hdr *) msg; 172 s_key = (struct wpa_eapol_key *) (s_hdr + 1); 173 s_key_data = ((u8 *) (s_key + 1)) + 2; 174 175 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data", 176 s_key_data, key_data_len); 177 178 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len); 179 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 180 * to Key Data (exclusive). */ 181 aad[0] = buf; 182 aad_len[0] = key_data - buf; 183 if (aes_siv_encrypt(ptk->kek, ptk->kek_len, 184 s_key_data, key_data_len, 185 1, aad, aad_len, key_data) < 0) { 186 os_free(buf); 187 goto out; 188 } 189 190 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV", 191 key_data, AES_BLOCK_SIZE + key_data_len); 192 193 os_free(msg); 194 msg = buf; 195 msg_len = buf_len; 196 #else /* CONFIG_FILS */ 197 goto out; 198 #endif /* CONFIG_FILS */ 199 } 200 201 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len); 202 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len); 203 eapol_sm_notify_tx_eapol_key(sm->eapol); 204 out: 205 os_free(msg); 206 return ret; 207 } 208 209 210 /** 211 * wpa_sm_key_request - Send EAPOL-Key Request 212 * @sm: Pointer to WPA state machine data from wpa_sm_init() 213 * @error: Indicate whether this is an Michael MIC error report 214 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet 215 * 216 * Send an EAPOL-Key Request to the current authenticator. This function is 217 * used to request rekeying and it is usually called when a local Michael MIC 218 * failure is detected. 219 */ 220 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise) 221 { 222 size_t mic_len, hdrlen, rlen; 223 struct wpa_eapol_key *reply; 224 int key_info, ver; 225 u8 *rbuf, *key_mic, *mic; 226 227 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id && 228 wpa_sm_get_state(sm) == WPA_COMPLETED && !error) { 229 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 230 "WPA: PTK0 rekey not allowed, reconnecting"); 231 wpa_sm_reconnect(sm); 232 return; 233 } 234 235 if (!sm->ptk_set) { 236 wpa_printf(MSG_INFO, 237 "WPA: No PTK derived yet - cannot send EAPOL-Key Request"); 238 return; 239 } 240 241 if (wpa_use_akm_defined(sm->key_mgmt)) 242 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED; 243 else if (wpa_key_mgmt_ft(sm->key_mgmt) || 244 wpa_key_mgmt_sha256(sm->key_mgmt)) 245 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC; 246 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP) 247 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 248 else 249 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 250 251 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 252 hdrlen = sizeof(*reply) + mic_len + 2; 253 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 254 hdrlen, &rlen, (void *) &reply); 255 if (rbuf == NULL) 256 return; 257 258 reply->type = (sm->proto == WPA_PROTO_RSN || 259 sm->proto == WPA_PROTO_OSEN) ? 260 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 261 key_info = WPA_KEY_INFO_REQUEST | ver; 262 key_info |= WPA_KEY_INFO_SECURE; 263 if (mic_len) 264 key_info |= WPA_KEY_INFO_MIC; 265 else 266 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 267 if (error) 268 key_info |= WPA_KEY_INFO_ERROR; 269 if (pairwise) 270 key_info |= WPA_KEY_INFO_KEY_TYPE; 271 WPA_PUT_BE16(reply->key_info, key_info); 272 WPA_PUT_BE16(reply->key_length, 0); 273 os_memcpy(reply->replay_counter, sm->request_counter, 274 WPA_REPLAY_COUNTER_LEN); 275 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN); 276 277 mic = (u8 *) (reply + 1); 278 WPA_PUT_BE16(mic + mic_len, 0); 279 if (!(key_info & WPA_KEY_INFO_MIC)) 280 key_mic = NULL; 281 else 282 key_mic = mic; 283 284 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 285 "WPA: Sending EAPOL-Key Request (error=%d " 286 "pairwise=%d ptk_set=%d len=%lu)", 287 error, pairwise, sm->ptk_set, (unsigned long) rlen); 288 wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm), 289 ETH_P_EAPOL, rbuf, rlen, key_mic); 290 } 291 292 293 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm) 294 { 295 #ifdef CONFIG_IEEE80211R 296 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) { 297 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len)) 298 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 299 "RSN: Cannot set low order 256 bits of MSK for key management offload"); 300 } else { 301 #endif /* CONFIG_IEEE80211R */ 302 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len)) 303 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 304 "RSN: Cannot set PMK for key management offload"); 305 #ifdef CONFIG_IEEE80211R 306 } 307 #endif /* CONFIG_IEEE80211R */ 308 } 309 310 311 static int wpa_supplicant_get_pmk(struct wpa_sm *sm, 312 const unsigned char *src_addr, 313 const u8 *pmkid) 314 { 315 int abort_cached = 0; 316 317 if (pmkid && !sm->cur_pmksa) { 318 /* When using drivers that generate RSN IE, wpa_supplicant may 319 * not have enough time to get the association information 320 * event before receiving this 1/4 message, so try to find a 321 * matching PMKSA cache entry here. */ 322 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, 323 sm->own_addr, pmkid, 324 NULL, 0); 325 if (sm->cur_pmksa) { 326 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 327 "RSN: found matching PMKID from PMKSA cache"); 328 } else { 329 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 330 "RSN: no matching PMKID found"); 331 abort_cached = 1; 332 } 333 } 334 335 if (pmkid && sm->cur_pmksa && 336 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) { 337 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN); 338 wpa_sm_set_pmk_from_pmksa(sm); 339 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache", 340 sm->pmk, sm->pmk_len); 341 eapol_sm_notify_cached(sm->eapol); 342 #ifdef CONFIG_IEEE80211R 343 sm->xxkey_len = 0; 344 #ifdef CONFIG_SAE 345 if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE || 346 sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) && 347 sm->pmk_len == PMK_LEN) { 348 /* Need to allow FT key derivation to proceed with 349 * PMK from SAE being used as the XXKey in cases where 350 * the PMKID in msg 1/4 matches the PMKSA entry that was 351 * just added based on SAE authentication for the 352 * initial mobility domain association. */ 353 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len); 354 sm->xxkey_len = sm->pmk_len; 355 } 356 #endif /* CONFIG_SAE */ 357 #endif /* CONFIG_IEEE80211R */ 358 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) { 359 int res, pmk_len; 360 #ifdef CONFIG_IEEE80211R 361 u8 buf[2 * PMK_LEN]; 362 #endif /* CONFIG_IEEE80211R */ 363 364 if (wpa_key_mgmt_sha384(sm->key_mgmt)) 365 pmk_len = PMK_LEN_SUITE_B_192; 366 else 367 pmk_len = PMK_LEN; 368 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len); 369 if (res) { 370 if (pmk_len == PMK_LEN) { 371 /* 372 * EAP-LEAP is an exception from other EAP 373 * methods: it uses only 16-byte PMK. 374 */ 375 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16); 376 pmk_len = 16; 377 } 378 } 379 #ifdef CONFIG_IEEE80211R 380 if (res == 0 && 381 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) { 382 if (wpa_key_mgmt_sha384(sm->key_mgmt)) { 383 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN); 384 sm->xxkey_len = SHA384_MAC_LEN; 385 } else { 386 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN); 387 sm->xxkey_len = PMK_LEN; 388 } 389 forced_memzero(buf, sizeof(buf)); 390 if (sm->proto == WPA_PROTO_RSN && 391 wpa_key_mgmt_ft(sm->key_mgmt)) { 392 struct rsn_pmksa_cache_entry *sa = NULL; 393 const u8 *fils_cache_id = NULL; 394 395 #ifdef CONFIG_FILS 396 if (sm->fils_cache_id_set) 397 fils_cache_id = sm->fils_cache_id; 398 #endif /* CONFIG_FILS */ 399 wpa_hexdump_key(MSG_DEBUG, 400 "FT: Cache XXKey/MPMK", 401 sm->xxkey, sm->xxkey_len); 402 sa = pmksa_cache_add(sm->pmksa, 403 sm->xxkey, sm->xxkey_len, 404 NULL, NULL, 0, 405 src_addr, sm->own_addr, 406 sm->network_ctx, 407 sm->key_mgmt, 408 fils_cache_id); 409 if (!sm->cur_pmksa) 410 sm->cur_pmksa = sa; 411 } 412 } 413 #endif /* CONFIG_IEEE80211R */ 414 if (res == 0) { 415 struct rsn_pmksa_cache_entry *sa = NULL; 416 const u8 *fils_cache_id = NULL; 417 418 #ifdef CONFIG_FILS 419 if (sm->fils_cache_id_set) 420 fils_cache_id = sm->fils_cache_id; 421 #endif /* CONFIG_FILS */ 422 423 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state " 424 "machines", sm->pmk, pmk_len); 425 sm->pmk_len = pmk_len; 426 wpa_supplicant_key_mgmt_set_pmk(sm); 427 if (sm->proto == WPA_PROTO_RSN && 428 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 429 !wpa_key_mgmt_ft(sm->key_mgmt)) { 430 sa = pmksa_cache_add(sm->pmksa, 431 sm->pmk, pmk_len, NULL, 432 NULL, 0, 433 src_addr, sm->own_addr, 434 sm->network_ctx, 435 sm->key_mgmt, 436 fils_cache_id); 437 } 438 if (!sm->cur_pmksa && pmkid && 439 pmksa_cache_get(sm->pmksa, src_addr, sm->own_addr, 440 pmkid, NULL, 0)) { 441 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 442 "RSN: the new PMK matches with the " 443 "PMKID"); 444 abort_cached = 0; 445 } else if (sa && !sm->cur_pmksa && pmkid) { 446 /* 447 * It looks like the authentication server 448 * derived mismatching MSK. This should not 449 * really happen, but bugs happen.. There is not 450 * much we can do here without knowing what 451 * exactly caused the server to misbehave. 452 */ 453 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 454 "RSN: PMKID mismatch - authentication server may have derived different MSK?!"); 455 return -1; 456 } 457 458 if (!sm->cur_pmksa) 459 sm->cur_pmksa = sa; 460 #ifdef CONFIG_IEEE80211R 461 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) { 462 wpa_printf(MSG_DEBUG, 463 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol"); 464 #endif /* CONFIG_IEEE80211R */ 465 } else { 466 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 467 "WPA: Failed to get master session key from " 468 "EAPOL state machines - key handshake " 469 "aborted"); 470 if (sm->cur_pmksa) { 471 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 472 "RSN: Cancelled PMKSA caching " 473 "attempt"); 474 sm->cur_pmksa = NULL; 475 abort_cached = 1; 476 } else if (!abort_cached) { 477 return -1; 478 } 479 } 480 } 481 482 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && 483 !wpa_key_mgmt_suite_b(sm->key_mgmt) && 484 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN) 485 { 486 /* Send EAPOL-Start to trigger full EAP authentication. */ 487 u8 *buf; 488 size_t buflen; 489 490 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 491 "RSN: no PMKSA entry found - trigger " 492 "full EAP authentication"); 493 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START, 494 NULL, 0, &buflen, NULL); 495 if (buf) { 496 /* Set and reset eapFail to allow EAP state machine to 497 * proceed with new authentication. */ 498 eapol_sm_notify_eap_fail(sm->eapol, true); 499 eapol_sm_notify_eap_fail(sm->eapol, false); 500 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL, 501 buf, buflen); 502 os_free(buf); 503 return -2; 504 } 505 506 return -1; 507 } 508 509 return 0; 510 } 511 512 513 /** 514 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake 515 * @sm: Pointer to WPA state machine data from wpa_sm_init() 516 * @dst: Destination address for the frame 517 * @key: Pointer to the EAPOL-Key frame header 518 * @ver: Version bits from EAPOL-Key Key Info 519 * @nonce: Nonce value for the EAPOL-Key frame 520 * @wpa_ie: WPA/RSN IE 521 * @wpa_ie_len: Length of the WPA/RSN IE 522 * @ptk: PTK to use for keyed hash and encryption 523 * Returns: >= 0 on success, < 0 on failure 524 */ 525 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst, 526 const struct wpa_eapol_key *key, 527 int ver, const u8 *nonce, 528 const u8 *wpa_ie, size_t wpa_ie_len, 529 struct wpa_ptk *ptk) 530 { 531 size_t mic_len, hdrlen, rlen, extra_len = 0; 532 struct wpa_eapol_key *reply; 533 u8 *rbuf, *key_mic; 534 u8 *rsn_ie_buf = NULL; 535 u16 key_info; 536 #ifdef CONFIG_TESTING_OPTIONS 537 size_t pad_len = 0; 538 #endif /* CONFIG_TESTING_OPTIONS */ 539 540 if (wpa_ie == NULL) { 541 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - " 542 "cannot generate msg 2/4"); 543 return -1; 544 } 545 546 #ifdef CONFIG_IEEE80211R 547 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 548 int res; 549 550 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing", 551 wpa_ie, wpa_ie_len); 552 /* 553 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and 554 * FTIE from (Re)Association Response. 555 */ 556 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN + 557 sm->assoc_resp_ies_len); 558 if (rsn_ie_buf == NULL) 559 return -1; 560 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len); 561 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len, 562 sm->pmk_r1_name, !sm->ft_prepend_pmkid); 563 if (res < 0) { 564 os_free(rsn_ie_buf); 565 return -1; 566 } 567 wpa_hexdump(MSG_DEBUG, 568 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE", 569 rsn_ie_buf, wpa_ie_len); 570 571 if (sm->assoc_resp_ies) { 572 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies", 573 sm->assoc_resp_ies, 574 sm->assoc_resp_ies_len); 575 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies, 576 sm->assoc_resp_ies_len); 577 wpa_ie_len += sm->assoc_resp_ies_len; 578 } 579 580 wpa_ie = rsn_ie_buf; 581 } 582 #endif /* CONFIG_IEEE80211R */ 583 584 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len); 585 586 #ifdef CONFIG_TESTING_OPTIONS 587 if (sm->test_eapol_m2_elems) 588 extra_len = wpabuf_len(sm->test_eapol_m2_elems); 589 if (sm->encrypt_eapol_m2) { 590 pad_len = (wpa_ie_len + extra_len) % 8; 591 if (pad_len) 592 pad_len = 8 - pad_len; 593 extra_len += pad_len + 8; 594 } 595 #endif /* CONFIG_TESTING_OPTIONS */ 596 597 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 598 hdrlen = sizeof(*reply) + mic_len + 2; 599 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, 600 NULL, hdrlen + wpa_ie_len + extra_len, 601 &rlen, (void *) &reply); 602 if (rbuf == NULL) { 603 os_free(rsn_ie_buf); 604 return -1; 605 } 606 607 reply->type = (sm->proto == WPA_PROTO_RSN || 608 sm->proto == WPA_PROTO_OSEN) ? 609 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 610 key_info = ver | WPA_KEY_INFO_KEY_TYPE; 611 if (sm->ptk_set && sm->proto != WPA_PROTO_WPA) 612 key_info |= WPA_KEY_INFO_SECURE; 613 if (mic_len) 614 key_info |= WPA_KEY_INFO_MIC; 615 else 616 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 617 #ifdef CONFIG_TESTING_OPTIONS 618 if (sm->encrypt_eapol_m2) 619 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 620 #endif /* CONFIG_TESTING_OPTIONS */ 621 WPA_PUT_BE16(reply->key_info, key_info); 622 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 623 WPA_PUT_BE16(reply->key_length, 0); 624 else 625 os_memcpy(reply->key_length, key->key_length, 2); 626 os_memcpy(reply->replay_counter, key->replay_counter, 627 WPA_REPLAY_COUNTER_LEN); 628 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter, 629 WPA_REPLAY_COUNTER_LEN); 630 631 key_mic = (u8 *) (reply + 1); 632 /* Key Data Length */ 633 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len + extra_len); 634 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */ 635 os_free(rsn_ie_buf); 636 #ifdef CONFIG_TESTING_OPTIONS 637 if (sm->test_eapol_m2_elems) { 638 os_memcpy(key_mic + mic_len + 2 + wpa_ie_len, 639 wpabuf_head(sm->test_eapol_m2_elems), 640 wpabuf_len(sm->test_eapol_m2_elems)); 641 } 642 643 if (sm->encrypt_eapol_m2) { 644 u8 *plain; 645 size_t plain_len; 646 647 if (sm->test_eapol_m2_elems) 648 extra_len = wpabuf_len(sm->test_eapol_m2_elems); 649 else 650 extra_len = 0; 651 plain_len = wpa_ie_len + extra_len + pad_len; 652 plain = os_memdup(key_mic + mic_len + 2, plain_len); 653 if (!plain) { 654 os_free(rbuf); 655 return -1; 656 } 657 if (pad_len) 658 plain[plain_len - pad_len] = 0xdd; 659 660 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK", 661 ptk->kek, ptk->kek_len); 662 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain, 663 key_mic + mic_len + 2)) { 664 os_free(plain); 665 os_free(rbuf); 666 return -1; 667 } 668 wpa_hexdump(MSG_DEBUG, 669 "RSN: Encrypted Key Data from AES-WRAP", 670 key_mic + mic_len + 2, plain_len + 8); 671 os_free(plain); 672 } 673 #endif /* CONFIG_TESTING_OPTIONS */ 674 675 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN); 676 677 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4"); 678 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 679 key_mic); 680 } 681 682 683 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr, 684 const struct wpa_eapol_key *key, struct wpa_ptk *ptk) 685 { 686 int ret; 687 const u8 *z = NULL; 688 size_t z_len = 0, kdk_len; 689 int akmp; 690 691 #ifdef CONFIG_IEEE80211R 692 if (wpa_key_mgmt_ft(sm->key_mgmt)) 693 return wpa_derive_ptk_ft(sm, src_addr, key, ptk); 694 #endif /* CONFIG_IEEE80211R */ 695 696 #ifdef CONFIG_DPP2 697 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) { 698 z = wpabuf_head(sm->dpp_z); 699 z_len = wpabuf_len(sm->dpp_z); 700 } 701 #endif /* CONFIG_DPP2 */ 702 703 akmp = sm->key_mgmt; 704 #ifdef CONFIG_OWE 705 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE && 706 sm->pmk_len > 32) { 707 wpa_printf(MSG_DEBUG, 708 "OWE: Force SHA256 for PTK derivation"); 709 akmp |= WPA_KEY_MGMT_PSK_SHA256; 710 } 711 #endif /* CONFIG_OWE */ 712 713 if (sm->force_kdk_derivation || 714 (sm->secure_ltf && 715 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))) 716 kdk_len = WPA_KDK_MAX_LEN; 717 else 718 kdk_len = 0; 719 720 ret = wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion", 721 sm->own_addr, wpa_sm_get_auth_addr(sm), sm->snonce, 722 key->key_nonce, ptk, akmp, 723 sm->pairwise_cipher, z, z_len, 724 kdk_len); 725 if (ret) { 726 wpa_printf(MSG_ERROR, "WPA: PTK derivation failed"); 727 return ret; 728 } 729 730 #ifdef CONFIG_PASN 731 if (sm->secure_ltf && 732 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)) 733 ret = wpa_ltf_keyseed(ptk, akmp, sm->pairwise_cipher); 734 #endif /* CONFIG_PASN */ 735 736 return ret; 737 } 738 739 740 static int wpa_handle_ext_key_id(struct wpa_sm *sm, 741 struct wpa_eapol_ie_parse *kde) 742 { 743 if (sm->ext_key_id) { 744 u16 key_id; 745 746 if (!kde->key_id) { 747 wpa_msg(sm->ctx->msg_ctx, 748 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG, 749 "RSN: No Key ID in Extended Key ID handshake"); 750 sm->keyidx_active = 0; 751 return sm->use_ext_key_id ? -1 : 0; 752 } 753 754 key_id = kde->key_id[0] & 0x03; 755 if (key_id > 1) { 756 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 757 "RSN: Invalid Extended Key ID: %d", key_id); 758 return -1; 759 } 760 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 761 "RSN: Using Extended Key ID %d", key_id); 762 sm->keyidx_active = key_id; 763 sm->use_ext_key_id = 1; 764 } else { 765 if (kde->key_id && (kde->key_id[0] & 0x03)) { 766 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 767 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake"); 768 return -1; 769 } 770 771 if (kde->key_id) { 772 /* This is not supposed to be included here, but ignore 773 * the case of matching Key ID 0 just in case. */ 774 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, 775 "RSN: Extended Key ID Key ID 0 in PTK0 handshake"); 776 } 777 sm->keyidx_active = 0; 778 sm->use_ext_key_id = 0; 779 } 780 781 return 0; 782 } 783 784 785 static u8 * rsn_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len) 786 { 787 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 788 *pos++ = RSN_SELECTOR_LEN + data_len; 789 RSN_SELECTOR_PUT(pos, kde); 790 pos += RSN_SELECTOR_LEN; 791 os_memcpy(pos, data, data_len); 792 pos += data_len; 793 794 return pos; 795 } 796 797 798 static size_t wpa_mlo_link_kde_len(struct wpa_sm *sm) 799 { 800 int i; 801 unsigned int num_links = 0; 802 803 for_each_link(sm->mlo.req_links, i) { 804 if (sm->mlo.assoc_link_id != i) 805 num_links++; 806 } 807 808 return num_links * (RSN_SELECTOR_LEN + 1 + ETH_ALEN + 2); 809 } 810 811 812 static u8 * wpa_mlo_link_kde(struct wpa_sm *sm, u8 *pos) 813 { 814 int i; 815 u8 hdr[1 + ETH_ALEN]; 816 817 for_each_link(sm->mlo.req_links, i) { 818 if (sm->mlo.assoc_link_id == i) 819 continue; 820 821 wpa_printf(MSG_DEBUG, 822 "MLO: Add MLO Link %d KDE in EAPOL-Key 2/4", i); 823 hdr[0] = i & 0xF; /* LinkID; no RSNE or RSNXE */ 824 os_memcpy(&hdr[1], sm->mlo.links[i].addr, ETH_ALEN); 825 pos = rsn_add_kde(pos, RSN_KEY_DATA_MLO_LINK, hdr, sizeof(hdr)); 826 } 827 828 return pos; 829 } 830 831 832 static bool is_valid_ap_mld_mac_kde(struct wpa_sm *sm, const u8 *mac_kde) 833 { 834 return mac_kde && 835 ether_addr_equal(mac_kde, sm->mlo.ap_mld_addr); 836 } 837 838 839 static void wpas_swap_tkip_mic_keys(struct wpa_ptk *ptk) 840 { 841 u8 buf[8]; 842 843 /* Supplicant: swap tx/rx Mic keys */ 844 os_memcpy(buf, &ptk->tk[16], 8); 845 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8); 846 os_memcpy(&ptk->tk[24], buf, 8); 847 forced_memzero(buf, sizeof(buf)); 848 } 849 850 851 static void wpa_supplicant_process_1_of_4_wpa(struct wpa_sm *sm, 852 const unsigned char *src_addr, 853 const struct wpa_eapol_key *key, 854 u16 ver, const u8 *key_data, 855 size_t key_data_len, 856 enum frame_encryption encrypted) 857 { 858 struct wpa_eapol_ie_parse ie; 859 struct wpa_ptk *ptk; 860 int res; 861 862 if (wpa_sm_get_network_ctx(sm) == NULL) { 863 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 864 "WPA: No SSID info found (msg 1 of 4)"); 865 return; 866 } 867 868 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 869 "WPA: RX message 1 of 4-Way Handshake from " MACSTR 870 " (ver=%d)", MAC2STR(src_addr), ver); 871 872 os_memset(&ie, 0, sizeof(ie)); 873 874 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid); 875 if (res == -2) { 876 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 877 "WPA: Do not reply to msg 1/4 - requesting full EAP authentication"); 878 return; 879 } 880 if (res) 881 goto failed; 882 883 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 884 885 if (sm->renew_snonce) { 886 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) { 887 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 888 "WPA: Failed to get random data for SNonce"); 889 goto failed; 890 } 891 sm->renew_snonce = 0; 892 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 893 sm->snonce, WPA_NONCE_LEN); 894 } 895 896 /* Calculate PTK which will be stored as a temporary PTK until it has 897 * been verified when processing message 3/4. */ 898 ptk = &sm->tptk; 899 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0) 900 goto failed; 901 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) 902 wpas_swap_tkip_mic_keys(ptk); 903 sm->tptk_set = 1; 904 905 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver, 906 sm->snonce, sm->assoc_wpa_ie, 907 sm->assoc_wpa_ie_len, ptk) < 0) 908 goto failed; 909 910 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN); 911 return; 912 913 failed: 914 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 915 } 916 917 918 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm, 919 const unsigned char *src_addr, 920 const struct wpa_eapol_key *key, 921 u16 ver, const u8 *key_data, 922 size_t key_data_len, 923 enum frame_encryption encrypted) 924 { 925 struct wpa_eapol_ie_parse ie; 926 struct wpa_ptk *ptk; 927 int res; 928 u8 *kde, *kde_buf = NULL; 929 size_t kde_len; 930 size_t mlo_kde_len = 0; 931 932 if (encrypted == FRAME_NOT_ENCRYPTED && sm->tk_set && 933 wpa_sm_pmf_enabled(sm)) { 934 wpa_printf(MSG_DEBUG, 935 "RSN: Discard unencrypted EAPOL-Key msg 1/4 when TK is set and PMF is enabled"); 936 return; 937 } 938 939 if (wpa_sm_get_network_ctx(sm) == NULL) { 940 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info " 941 "found (msg 1 of 4)"); 942 return; 943 } 944 945 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id && 946 wpa_sm_get_state(sm) == WPA_COMPLETED) { 947 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 948 "WPA: PTK0 rekey not allowed, reconnecting"); 949 wpa_sm_reconnect(sm); 950 return; 951 } 952 953 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way " 954 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver); 955 956 os_memset(&ie, 0, sizeof(ie)); 957 958 /* RSN: msg 1/4 should contain PMKID for the selected PMK */ 959 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", key_data, key_data_len); 960 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) { 961 wpa_printf(MSG_DEBUG, 962 "RSN: Discard EAPOL-Key msg 1/4 with invalid IEs/KDEs"); 963 return; 964 } 965 if (ie.pmkid) { 966 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from Authenticator", 967 ie.pmkid, PMKID_LEN); 968 } 969 970 if (sm->mlo.valid_links && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) { 971 wpa_printf(MSG_INFO, 972 "RSN: Discard EAPOL-Key msg 1/4 with invalid AP MLD MAC address KDE"); 973 return; 974 } 975 976 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid); 977 if (res == -2) { 978 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to " 979 "msg 1/4 - requesting full EAP authentication"); 980 return; 981 } 982 if (res) 983 goto failed; 984 985 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 986 987 if (sm->renew_snonce) { 988 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) { 989 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 990 "WPA: Failed to get random data for SNonce"); 991 goto failed; 992 } 993 sm->renew_snonce = 0; 994 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce", 995 sm->snonce, WPA_NONCE_LEN); 996 } 997 998 /* Calculate PTK which will be stored as a temporary PTK until it has 999 * been verified when processing message 3/4. */ 1000 ptk = &sm->tptk; 1001 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0) 1002 goto failed; 1003 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) 1004 wpas_swap_tkip_mic_keys(ptk); 1005 sm->tptk_set = 1; 1006 1007 /* Add MLO Link KDE and MAC KDE in M2 for ML connection */ 1008 if (sm->mlo.valid_links) 1009 mlo_kde_len = wpa_mlo_link_kde_len(sm) + 1010 RSN_SELECTOR_LEN + ETH_ALEN + 2; 1011 1012 kde = sm->assoc_wpa_ie; 1013 kde_len = sm->assoc_wpa_ie_len; 1014 kde_buf = os_malloc(kde_len + 1015 2 + RSN_SELECTOR_LEN + 3 + 1016 sm->assoc_rsnxe_len + 1017 2 + RSN_SELECTOR_LEN + 1 + 1018 2 + RSN_SELECTOR_LEN + 2 + mlo_kde_len); 1019 1020 if (!kde_buf) 1021 goto failed; 1022 os_memcpy(kde_buf, kde, kde_len); 1023 kde = kde_buf; 1024 1025 #ifdef CONFIG_OCV 1026 if (wpa_sm_ocv_enabled(sm)) { 1027 struct wpa_channel_info ci; 1028 u8 *pos; 1029 1030 pos = kde + kde_len; 1031 if (wpa_sm_channel_info(sm, &ci) != 0) { 1032 wpa_printf(MSG_WARNING, 1033 "Failed to get channel info for OCI element in EAPOL-Key 2/4"); 1034 goto failed; 1035 } 1036 #ifdef CONFIG_TESTING_OPTIONS 1037 if (sm->oci_freq_override_eapol) { 1038 wpa_printf(MSG_INFO, 1039 "TEST: Override OCI KDE frequency %d -> %d MHz", 1040 ci.frequency, sm->oci_freq_override_eapol); 1041 ci.frequency = sm->oci_freq_override_eapol; 1042 } 1043 #endif /* CONFIG_TESTING_OPTIONS */ 1044 1045 if (ocv_insert_oci_kde(&ci, &pos) < 0) 1046 goto failed; 1047 kde_len = pos - kde; 1048 } 1049 #endif /* CONFIG_OCV */ 1050 1051 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) { 1052 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len); 1053 kde_len += sm->assoc_rsnxe_len; 1054 } 1055 1056 #ifdef CONFIG_P2P 1057 if (sm->p2p) { 1058 u8 *pos; 1059 1060 wpa_printf(MSG_DEBUG, 1061 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4"); 1062 pos = kde + kde_len; 1063 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 1064 *pos++ = RSN_SELECTOR_LEN + 1; 1065 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ); 1066 pos += RSN_SELECTOR_LEN; 1067 *pos++ = 0x01; 1068 kde_len = pos - kde; 1069 } 1070 #endif /* CONFIG_P2P */ 1071 1072 #ifdef CONFIG_DPP2 1073 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) { 1074 u8 *pos; 1075 1076 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4"); 1077 pos = kde + kde_len; 1078 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 1079 *pos++ = RSN_SELECTOR_LEN + 2; 1080 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP); 1081 pos += RSN_SELECTOR_LEN; 1082 *pos++ = DPP_VERSION; /* Protocol Version */ 1083 *pos = 0; /* Flags */ 1084 if (sm->dpp_pfs == 0) 1085 *pos |= DPP_KDE_PFS_ALLOWED; 1086 else if (sm->dpp_pfs == 1) 1087 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED; 1088 pos++; 1089 kde_len = pos - kde; 1090 } 1091 #endif /* CONFIG_DPP2 */ 1092 1093 if (sm->mlo.valid_links) { 1094 u8 *pos; 1095 1096 /* Add MAC KDE */ 1097 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 2/4"); 1098 pos = kde + kde_len; 1099 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr, 1100 ETH_ALEN); 1101 1102 /* Add MLO Link KDE */ 1103 wpa_printf(MSG_DEBUG, "Add MLO Link KDE(s) into EAPOL-Key 2/4"); 1104 pos = wpa_mlo_link_kde(sm, pos); 1105 kde_len = pos - kde; 1106 } 1107 1108 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver, 1109 sm->snonce, kde, kde_len, ptk) < 0) 1110 goto failed; 1111 1112 os_free(kde_buf); 1113 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN); 1114 return; 1115 1116 failed: 1117 os_free(kde_buf); 1118 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 1119 } 1120 1121 1122 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx) 1123 { 1124 struct wpa_sm *sm = eloop_ctx; 1125 rsn_preauth_candidate_process(sm); 1126 } 1127 1128 1129 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm, 1130 const u8 *addr, int secure) 1131 { 1132 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1133 "WPA: Key negotiation completed with " 1134 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr), 1135 wpa_cipher_txt(sm->pairwise_cipher), 1136 wpa_cipher_txt(sm->group_cipher)); 1137 wpa_sm_cancel_auth_timeout(sm); 1138 wpa_sm_set_state(sm, WPA_COMPLETED); 1139 1140 if (secure) { 1141 wpa_sm_mlme_setprotection( 1142 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX, 1143 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 1144 eapol_sm_notify_portValid(sm->eapol, true); 1145 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) || 1146 sm->key_mgmt == WPA_KEY_MGMT_DPP || 1147 sm->key_mgmt == WPA_KEY_MGMT_OWE) 1148 eapol_sm_notify_eap_success(sm->eapol, true); 1149 /* 1150 * Start preauthentication after a short wait to avoid a 1151 * possible race condition between the data receive and key 1152 * configuration after the 4-Way Handshake. This increases the 1153 * likelihood of the first preauth EAPOL-Start frame getting to 1154 * the target AP. 1155 */ 1156 if (!dl_list_empty(&sm->pmksa_candidates)) 1157 eloop_register_timeout(1, 0, wpa_sm_start_preauth, 1158 sm, NULL); 1159 } 1160 1161 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) { 1162 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1163 "RSN: Authenticator accepted " 1164 "opportunistic PMKSA entry - marking it valid"); 1165 sm->cur_pmksa->opportunistic = 0; 1166 } 1167 1168 #ifdef CONFIG_IEEE80211R 1169 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 1170 /* Prepare for the next transition */ 1171 wpa_ft_prepare_auth_request(sm, NULL); 1172 } 1173 #endif /* CONFIG_IEEE80211R */ 1174 } 1175 1176 1177 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx) 1178 { 1179 struct wpa_sm *sm = eloop_ctx; 1180 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying"); 1181 wpa_sm_key_request(sm, 0, 1); 1182 } 1183 1184 1185 static int wpa_supplicant_install_ptk(struct wpa_sm *sm, 1186 const struct wpa_eapol_key *key, 1187 enum key_flag key_flag) 1188 { 1189 int keylen, rsclen; 1190 enum wpa_alg alg; 1191 const u8 *key_rsc; 1192 1193 if (sm->ptk.installed) { 1194 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1195 "WPA: Do not re-install same PTK to the driver"); 1196 return 0; 1197 } 1198 1199 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1200 "WPA: Installing PTK to the driver"); 1201 1202 if (sm->pairwise_cipher == WPA_CIPHER_NONE) { 1203 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher " 1204 "Suite: NONE - do not use pairwise keys"); 1205 return 0; 1206 } 1207 1208 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 1209 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1210 "WPA: Unsupported pairwise cipher %d", 1211 sm->pairwise_cipher); 1212 return -1; 1213 } 1214 1215 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 1216 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 1217 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) { 1218 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu", 1219 keylen, (long unsigned int) sm->ptk.tk_len); 1220 return -1; 1221 } 1222 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); 1223 1224 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) { 1225 key_rsc = null_rsc; 1226 } else { 1227 key_rsc = key->key_rsc; 1228 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen); 1229 } 1230 1231 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm), 1232 sm->keyidx_active, 1, key_rsc, rsclen, sm->ptk.tk, 1233 keylen, KEY_FLAG_PAIRWISE | key_flag) < 0) { 1234 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1235 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr=" 1236 MACSTR " idx=%d key_flag=0x%x)", 1237 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)), 1238 sm->keyidx_active, key_flag); 1239 return -1; 1240 } 1241 1242 #ifdef CONFIG_PASN 1243 if (sm->secure_ltf && 1244 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) && 1245 wpa_sm_set_ltf_keyseed(sm, sm->own_addr, sm->bssid, 1246 sm->ptk.ltf_keyseed_len, 1247 sm->ptk.ltf_keyseed) < 0) { 1248 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1249 "WPA: Failed to set LTF keyseed to the driver (keylen=%zu bssid=" 1250 MACSTR ")", sm->ptk.ltf_keyseed_len, 1251 MAC2STR(sm->bssid)); 1252 return -1; 1253 } 1254 #endif /* CONFIG_PASN */ 1255 1256 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher, 1257 sm->dot11RSNAConfigPMKLifetime, &sm->ptk); 1258 1259 /* TK is not needed anymore in supplicant */ 1260 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); 1261 sm->ptk.tk_len = 0; 1262 sm->ptk.installed = 1; 1263 sm->tk_set = true; 1264 1265 if (sm->wpa_ptk_rekey) { 1266 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 1267 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, 1268 sm, NULL); 1269 } 1270 return 0; 1271 } 1272 1273 1274 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm) 1275 { 1276 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1277 "WPA: Activate PTK (idx=%d auth_addr=" MACSTR ")", 1278 sm->keyidx_active, MAC2STR(wpa_sm_get_auth_addr(sm))); 1279 1280 if (wpa_sm_set_key(sm, -1, 0, wpa_sm_get_auth_addr(sm), 1281 sm->keyidx_active, 0, NULL, 0, NULL, 0, 1282 KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) { 1283 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1284 "WPA: Failed to activate PTK for TX (idx=%d auth_addr=" 1285 MACSTR ")", sm->keyidx_active, 1286 MAC2STR(wpa_sm_get_auth_addr(sm))); 1287 return -1; 1288 } 1289 return 0; 1290 } 1291 1292 1293 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm, 1294 int group_cipher, 1295 int keylen, int maxkeylen, 1296 int *key_rsc_len, 1297 enum wpa_alg *alg) 1298 { 1299 int klen; 1300 1301 *alg = wpa_cipher_to_alg(group_cipher); 1302 if (*alg == WPA_ALG_NONE) { 1303 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1304 "WPA: Unsupported Group Cipher %d", 1305 group_cipher); 1306 return -1; 1307 } 1308 *key_rsc_len = wpa_cipher_rsc_len(group_cipher); 1309 1310 klen = wpa_cipher_key_len(group_cipher); 1311 if (keylen != klen || maxkeylen < klen) { 1312 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1313 "WPA: Unsupported %s Group Cipher key length %d (%d)", 1314 wpa_cipher_txt(group_cipher), keylen, maxkeylen); 1315 return -1; 1316 } 1317 return 0; 1318 } 1319 1320 1321 struct wpa_gtk_data { 1322 enum wpa_alg alg; 1323 int tx, key_rsc_len, keyidx; 1324 u8 gtk[32]; 1325 int gtk_len; 1326 }; 1327 1328 1329 static int wpa_supplicant_install_gtk(struct wpa_sm *sm, 1330 const struct wpa_gtk_data *gd, 1331 const u8 *key_rsc, int wnm_sleep) 1332 { 1333 const u8 *_gtk = gd->gtk; 1334 u8 gtk_buf[32]; 1335 1336 /* Detect possible key reinstallation */ 1337 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len && 1338 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) || 1339 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len && 1340 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk, 1341 sm->gtk_wnm_sleep.gtk_len) == 0)) { 1342 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1343 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)", 1344 gd->keyidx, gd->tx, gd->gtk_len); 1345 return 0; 1346 } 1347 1348 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len); 1349 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1350 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)", 1351 gd->keyidx, gd->tx, gd->gtk_len); 1352 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len); 1353 if (sm->group_cipher == WPA_CIPHER_TKIP) { 1354 /* Swap Tx/Rx keys for Michael MIC */ 1355 os_memcpy(gtk_buf, gd->gtk, 16); 1356 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8); 1357 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8); 1358 _gtk = gtk_buf; 1359 } 1360 if (sm->pairwise_cipher == WPA_CIPHER_NONE) { 1361 if (wpa_sm_set_key(sm, -1, gd->alg, NULL, 1362 gd->keyidx, 1, key_rsc, gd->key_rsc_len, 1363 _gtk, gd->gtk_len, 1364 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) { 1365 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1366 "WPA: Failed to set GTK to the driver " 1367 "(Group only)"); 1368 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1369 return -1; 1370 } 1371 } else if (wpa_sm_set_key(sm, -1, gd->alg, broadcast_ether_addr, 1372 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, 1373 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) { 1374 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1375 "WPA: Failed to set GTK to " 1376 "the driver (alg=%d keylen=%d keyidx=%d)", 1377 gd->alg, gd->gtk_len, gd->keyidx); 1378 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1379 return -1; 1380 } 1381 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1382 1383 if (wnm_sleep) { 1384 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len; 1385 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk, 1386 sm->gtk_wnm_sleep.gtk_len); 1387 } else { 1388 sm->gtk.gtk_len = gd->gtk_len; 1389 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len); 1390 } 1391 1392 return 0; 1393 } 1394 1395 1396 static int wpa_supplicant_install_mlo_gtk(struct wpa_sm *sm, u8 link_id, 1397 const struct wpa_gtk_data *gd, 1398 const u8 *key_rsc, int wnm_sleep) 1399 { 1400 const u8 *gtk = gd->gtk; 1401 u8 gtk_buf[32]; 1402 1403 /* Detect possible key reinstallation */ 1404 if ((sm->mlo.links[link_id].gtk.gtk_len == (size_t) gd->gtk_len && 1405 os_memcmp(sm->mlo.links[link_id].gtk.gtk, gd->gtk, 1406 sm->mlo.links[link_id].gtk.gtk_len) == 0) || 1407 (sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len == 1408 (size_t) gd->gtk_len && 1409 os_memcmp(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk, 1410 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len) == 0)) { 1411 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1412 "RSN: Not reinstalling already in-use GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)", 1413 link_id, gd->keyidx, gd->tx, gd->gtk_len); 1414 return 0; 1415 } 1416 1417 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: Group Key", gd->gtk, 1418 gd->gtk_len); 1419 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1420 "RSN: Installing GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)", 1421 link_id, gd->keyidx, gd->tx, gd->gtk_len); 1422 wpa_hexdump_link(MSG_DEBUG, link_id, "RSN: RSC", 1423 key_rsc, gd->key_rsc_len); 1424 if (sm->group_cipher == WPA_CIPHER_TKIP) { 1425 /* Swap Tx/Rx keys for Michael MIC */ 1426 os_memcpy(gtk_buf, gd->gtk, 16); 1427 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8); 1428 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8); 1429 gtk = gtk_buf; 1430 } 1431 if (wpa_sm_set_key(sm, link_id, gd->alg, broadcast_ether_addr, 1432 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, gtk, 1433 gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) { 1434 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1435 "RSN: Failed to set GTK to the driver (link_id=%d alg=%d keylen=%d keyidx=%d)", 1436 link_id, gd->alg, gd->gtk_len, gd->keyidx); 1437 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1438 return -1; 1439 } 1440 forced_memzero(gtk_buf, sizeof(gtk_buf)); 1441 1442 if (wnm_sleep) { 1443 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len = gd->gtk_len; 1444 os_memcpy(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk, 1445 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len); 1446 } else { 1447 sm->mlo.links[link_id].gtk.gtk_len = gd->gtk_len; 1448 os_memcpy(sm->mlo.links[link_id].gtk.gtk, gd->gtk, 1449 sm->mlo.links[link_id].gtk.gtk_len); 1450 } 1451 1452 return 0; 1453 } 1454 1455 1456 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm, 1457 int tx) 1458 { 1459 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) { 1460 /* Ignore Tx bit for GTK if a pairwise key is used. One AP 1461 * seemed to set this bit (incorrectly, since Tx is only when 1462 * doing Group Key only APs) and without this workaround, the 1463 * data connection does not work because wpa_supplicant 1464 * configured non-zero keyidx to be used for unicast. */ 1465 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1466 "WPA: Tx bit set for GTK, but pairwise " 1467 "keys are used - ignore Tx bit"); 1468 return 0; 1469 } 1470 return tx; 1471 } 1472 1473 1474 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm, 1475 const u8 *rsc) 1476 { 1477 int rsclen; 1478 1479 if (!sm->wpa_rsc_relaxation) 1480 return 0; 1481 1482 rsclen = wpa_cipher_rsc_len(sm->group_cipher); 1483 1484 /* 1485 * Try to detect RSC (endian) corruption issue where the AP sends 1486 * the RSC bytes in EAPOL-Key message in the wrong order, both if 1487 * it's actually a 6-byte field (as it should be) and if it treats 1488 * it as an 8-byte field. 1489 * An AP model known to have this bug is the Sapido RB-1632. 1490 */ 1491 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) { 1492 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1493 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0", 1494 rsc[0], rsc[1], rsc[2], rsc[3], 1495 rsc[4], rsc[5], rsc[6], rsc[7]); 1496 1497 return 1; 1498 } 1499 1500 return 0; 1501 } 1502 1503 1504 static int wpa_supplicant_mlo_gtk(struct wpa_sm *sm, u8 link_id, const u8 *gtk, 1505 size_t gtk_len, int key_info) 1506 { 1507 struct wpa_gtk_data gd; 1508 const u8 *key_rsc; 1509 int ret; 1510 1511 /* 1512 * MLO GTK KDE format: 1513 * KeyID[bits 0-1], Tx [bit 2], Reserved [bit 3], link id [4-7] 1514 * PN 1515 * GTK 1516 */ 1517 os_memset(&gd, 0, sizeof(gd)); 1518 wpa_hexdump_link_key(MSG_DEBUG, link_id, 1519 "RSN: received GTK in pairwise handshake", 1520 gtk, gtk_len); 1521 1522 if (gtk_len < RSN_MLO_GTK_KDE_PREFIX_LENGTH || 1523 gtk_len - RSN_MLO_GTK_KDE_PREFIX_LENGTH > sizeof(gd.gtk)) 1524 return -1; 1525 1526 gd.keyidx = gtk[0] & 0x3; 1527 gtk += 1; 1528 gtk_len -= 1; 1529 1530 key_rsc = gtk; 1531 1532 gtk += 6; 1533 gtk_len -= 6; 1534 1535 os_memcpy(gd.gtk, gtk, gtk_len); 1536 gd.gtk_len = gtk_len; 1537 1538 ret = 0; 1539 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, gtk_len, 1540 gtk_len, &gd.key_rsc_len, 1541 &gd.alg) || 1542 wpa_supplicant_install_mlo_gtk(sm, link_id, &gd, key_rsc, 0)) { 1543 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1544 "RSN: Failed to install GTK for MLO Link ID %u", 1545 link_id); 1546 ret = -1; 1547 goto out; 1548 } 1549 1550 out: 1551 forced_memzero(&gd, sizeof(gd)); 1552 return ret; 1553 } 1554 1555 1556 static int wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm *sm, 1557 const struct wpa_eapol_key *key, 1558 struct wpa_eapol_ie_parse *ie, 1559 int key_info) 1560 { 1561 u8 i; 1562 1563 for_each_link(sm->mlo.valid_links, i) { 1564 if (!ie->mlo_gtk[i]) { 1565 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 1566 "MLO RSN: GTK not found for link ID %u", i); 1567 return -1; 1568 } 1569 1570 if (wpa_supplicant_mlo_gtk(sm, i, ie->mlo_gtk[i], 1571 ie->mlo_gtk_len[i], key_info)) 1572 return -1; 1573 } 1574 1575 return 0; 1576 } 1577 1578 1579 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm, 1580 const struct wpa_eapol_key *key, 1581 const u8 *gtk, size_t gtk_len, 1582 int key_info) 1583 { 1584 struct wpa_gtk_data gd; 1585 const u8 *key_rsc; 1586 1587 /* 1588 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x 1589 * GTK KDE format: 1590 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7] 1591 * Reserved [bits 0-7] 1592 * GTK 1593 */ 1594 1595 os_memset(&gd, 0, sizeof(gd)); 1596 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake", 1597 gtk, gtk_len); 1598 1599 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk)) 1600 return -1; 1601 1602 gd.keyidx = gtk[0] & 0x3; 1603 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 1604 !!(gtk[0] & BIT(2))); 1605 gtk += 2; 1606 gtk_len -= 2; 1607 1608 os_memcpy(gd.gtk, gtk, gtk_len); 1609 gd.gtk_len = gtk_len; 1610 1611 key_rsc = key->key_rsc; 1612 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 1613 key_rsc = null_rsc; 1614 1615 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED && 1616 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 1617 gtk_len, gtk_len, 1618 &gd.key_rsc_len, &gd.alg) || 1619 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) { 1620 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1621 "RSN: Failed to install GTK"); 1622 forced_memzero(&gd, sizeof(gd)); 1623 return -1; 1624 } 1625 forced_memzero(&gd, sizeof(gd)); 1626 1627 return 0; 1628 } 1629 1630 1631 static int wpa_supplicant_install_igtk(struct wpa_sm *sm, 1632 const struct wpa_igtk_kde *igtk, 1633 int wnm_sleep) 1634 { 1635 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1636 u16 keyidx = WPA_GET_LE16(igtk->keyid); 1637 1638 /* Detect possible key reinstallation */ 1639 if ((sm->igtk.igtk_len == len && 1640 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) || 1641 (sm->igtk_wnm_sleep.igtk_len == len && 1642 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk, 1643 sm->igtk_wnm_sleep.igtk_len) == 0)) { 1644 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1645 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)", 1646 keyidx); 1647 return 0; 1648 } 1649 1650 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1651 "WPA: IGTK keyid %d pn " COMPACT_MACSTR, 1652 keyidx, MAC2STR(igtk->pn)); 1653 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len); 1654 if (keyidx > 4095) { 1655 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1656 "WPA: Invalid IGTK KeyID %d", keyidx); 1657 return -1; 1658 } 1659 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher), 1660 broadcast_ether_addr, 1661 keyidx, 0, igtk->pn, sizeof(igtk->pn), 1662 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) { 1663 if (keyidx == 0x0400 || keyidx == 0x0500) { 1664 /* Assume the AP has broken PMF implementation since it 1665 * seems to have swapped the KeyID bytes. The AP cannot 1666 * be trusted to implement BIP correctly or provide a 1667 * valid IGTK, so do not try to configure this key with 1668 * swapped KeyID bytes. Instead, continue without 1669 * configuring the IGTK so that the driver can drop any 1670 * received group-addressed robust management frames due 1671 * to missing keys. 1672 * 1673 * Normally, this error behavior would result in us 1674 * disconnecting, but there are number of deployed APs 1675 * with this broken behavior, so as an interoperability 1676 * workaround, allow the connection to proceed. */ 1677 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1678 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order"); 1679 } else { 1680 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1681 "WPA: Failed to configure IGTK to the driver"); 1682 return -1; 1683 } 1684 } 1685 1686 if (wnm_sleep) { 1687 sm->igtk_wnm_sleep.igtk_len = len; 1688 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk, 1689 sm->igtk_wnm_sleep.igtk_len); 1690 } else { 1691 sm->igtk.igtk_len = len; 1692 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len); 1693 } 1694 1695 return 0; 1696 } 1697 1698 1699 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm, 1700 const struct wpa_bigtk_kde *bigtk, 1701 int wnm_sleep) 1702 { 1703 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1704 u16 keyidx = WPA_GET_LE16(bigtk->keyid); 1705 1706 /* Detect possible key reinstallation */ 1707 if ((sm->bigtk.bigtk_len == len && 1708 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk, 1709 sm->bigtk.bigtk_len) == 0) || 1710 (sm->bigtk_wnm_sleep.bigtk_len == len && 1711 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk, 1712 sm->bigtk_wnm_sleep.bigtk_len) == 0)) { 1713 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1714 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)", 1715 keyidx); 1716 return 0; 1717 } 1718 1719 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1720 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR, 1721 keyidx, MAC2STR(bigtk->pn)); 1722 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len); 1723 if (keyidx < 6 || keyidx > 7) { 1724 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1725 "WPA: Invalid BIGTK KeyID %d", keyidx); 1726 return -1; 1727 } 1728 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher), 1729 broadcast_ether_addr, 1730 keyidx, 0, bigtk->pn, sizeof(bigtk->pn), 1731 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) { 1732 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1733 "WPA: Failed to configure BIGTK to the driver"); 1734 return -1; 1735 } 1736 1737 if (wnm_sleep) { 1738 sm->bigtk_wnm_sleep.bigtk_len = len; 1739 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk, 1740 sm->bigtk_wnm_sleep.bigtk_len); 1741 } else { 1742 sm->bigtk.bigtk_len = len; 1743 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len); 1744 } 1745 1746 return 0; 1747 } 1748 1749 1750 static int wpa_supplicant_install_mlo_igtk(struct wpa_sm *sm, u8 link_id, 1751 const struct rsn_mlo_igtk_kde *igtk, 1752 int wnm_sleep) 1753 { 1754 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1755 u16 keyidx = WPA_GET_LE16(igtk->keyid); 1756 1757 /* Detect possible key reinstallation */ 1758 if ((sm->mlo.links[link_id].igtk.igtk_len == len && 1759 os_memcmp(sm->mlo.links[link_id].igtk.igtk, igtk->igtk, 1760 sm->mlo.links[link_id].igtk.igtk_len) == 0) || 1761 (sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len == len && 1762 os_memcmp(sm->mlo.links[link_id].igtk_wnm_sleep.igtk, igtk->igtk, 1763 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len) == 0)) { 1764 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1765 "RSN: Not reinstalling already in-use IGTK to the driver (link_id=%d keyidx=%d)", 1766 link_id, keyidx); 1767 return 0; 1768 } 1769 1770 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1771 "RSN: MLO Link %u IGTK keyid %d pn " COMPACT_MACSTR, 1772 link_id, keyidx, MAC2STR(igtk->pn)); 1773 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: IGTK", igtk->igtk, len); 1774 if (keyidx > 4095) { 1775 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1776 "RSN: Invalid MLO Link %d IGTK KeyID %d", link_id, 1777 keyidx); 1778 return -1; 1779 } 1780 if (wpa_sm_set_key(sm, link_id, 1781 wpa_cipher_to_alg(sm->mgmt_group_cipher), 1782 broadcast_ether_addr, keyidx, 0, igtk->pn, 1783 sizeof(igtk->pn), igtk->igtk, len, 1784 KEY_FLAG_GROUP_RX) < 0) { 1785 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1786 "RSN: Failed to configure MLO Link %d IGTK to the driver", 1787 link_id); 1788 return -1; 1789 } 1790 1791 if (wnm_sleep) { 1792 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len = len; 1793 os_memcpy(sm->mlo.links[link_id].igtk_wnm_sleep.igtk, 1794 igtk->igtk, 1795 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len); 1796 } else { 1797 sm->mlo.links[link_id].igtk.igtk_len = len; 1798 os_memcpy(sm->mlo.links[link_id].igtk.igtk, igtk->igtk, 1799 sm->mlo.links[link_id].igtk.igtk_len); 1800 } 1801 1802 return 0; 1803 } 1804 1805 1806 static int 1807 wpa_supplicant_install_mlo_bigtk(struct wpa_sm *sm, u8 link_id, 1808 const struct rsn_mlo_bigtk_kde *bigtk, 1809 int wnm_sleep) 1810 { 1811 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1812 u16 keyidx = WPA_GET_LE16(bigtk->keyid); 1813 1814 /* Detect possible key reinstallation */ 1815 if ((sm->mlo.links[link_id].bigtk.bigtk_len == len && 1816 os_memcmp(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk, 1817 sm->mlo.links[link_id].bigtk.bigtk_len) == 0) || 1818 (sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len == len && 1819 os_memcmp(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk, 1820 bigtk->bigtk, 1821 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len) == 1822 0)) { 1823 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1824 "RSN: Not reinstalling already in-use BIGTK to the driver (link_id=%d keyidx=%d)", 1825 link_id, keyidx); 1826 return 0; 1827 } 1828 1829 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 1830 "RSN: MLO Link %u BIGTK keyid %d pn " COMPACT_MACSTR, 1831 link_id, keyidx, MAC2STR(bigtk->pn)); 1832 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: BIGTK", bigtk->bigtk, 1833 len); 1834 if (keyidx < 6 || keyidx > 7) { 1835 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1836 "RSN: Invalid MLO Link %d BIGTK KeyID %d", link_id, 1837 keyidx); 1838 return -1; 1839 } 1840 if (wpa_sm_set_key(sm, link_id, 1841 wpa_cipher_to_alg(sm->mgmt_group_cipher), 1842 broadcast_ether_addr, keyidx, 0, bigtk->pn, 1843 sizeof(bigtk->pn), bigtk->bigtk, len, 1844 KEY_FLAG_GROUP_RX) < 0) { 1845 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1846 "RSN: Failed to configure MLO Link %d BIGTK to the driver", 1847 link_id); 1848 return -1; 1849 } 1850 1851 if (wnm_sleep) { 1852 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len = len; 1853 os_memcpy(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk, 1854 bigtk->bigtk, 1855 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len); 1856 } else { 1857 sm->mlo.links[link_id].bigtk.bigtk_len = len; 1858 os_memcpy(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk, 1859 sm->mlo.links[link_id].bigtk.bigtk_len); 1860 } 1861 1862 return 0; 1863 } 1864 1865 1866 static int _mlo_ieee80211w_set_keys(struct wpa_sm *sm, u8 link_id, 1867 struct wpa_eapol_ie_parse *ie) 1868 { 1869 size_t len; 1870 1871 if (ie->mlo_igtk[link_id]) { 1872 len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1873 if (ie->mlo_igtk_len[link_id] != 1874 RSN_MLO_IGTK_KDE_PREFIX_LENGTH + len) 1875 return -1; 1876 1877 if (wpa_supplicant_install_mlo_igtk( 1878 sm, link_id, 1879 (const struct rsn_mlo_igtk_kde *) 1880 ie->mlo_igtk[link_id], 1881 0) < 0) 1882 return -1; 1883 } 1884 1885 if (ie->mlo_bigtk[link_id] && sm->beacon_prot) { 1886 len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1887 if (ie->mlo_bigtk_len[link_id] != 1888 RSN_MLO_BIGTK_KDE_PREFIX_LENGTH + len) 1889 return -1; 1890 1891 if (wpa_supplicant_install_mlo_bigtk( 1892 sm, link_id, 1893 (const struct rsn_mlo_bigtk_kde *) 1894 ie->mlo_bigtk[link_id], 1895 0) < 0) 1896 return -1; 1897 } 1898 1899 return 0; 1900 } 1901 1902 1903 static int mlo_ieee80211w_set_keys(struct wpa_sm *sm, 1904 struct wpa_eapol_ie_parse *ie) 1905 { 1906 u8 i; 1907 1908 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) || 1909 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED) 1910 return 0; 1911 1912 for_each_link(sm->mlo.valid_links, i) { 1913 if (_mlo_ieee80211w_set_keys(sm, i, ie)) 1914 return -1; 1915 } 1916 1917 return 0; 1918 } 1919 1920 1921 static int ieee80211w_set_keys(struct wpa_sm *sm, 1922 struct wpa_eapol_ie_parse *ie) 1923 { 1924 size_t len; 1925 1926 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) || 1927 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED) 1928 return 0; 1929 1930 if (ie->igtk) { 1931 const struct wpa_igtk_kde *igtk; 1932 1933 len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1934 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len) 1935 return -1; 1936 1937 igtk = (const struct wpa_igtk_kde *) ie->igtk; 1938 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0) 1939 return -1; 1940 } 1941 1942 if (ie->bigtk && sm->beacon_prot) { 1943 const struct wpa_bigtk_kde *bigtk; 1944 1945 len = wpa_cipher_key_len(sm->mgmt_group_cipher); 1946 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len) 1947 return -1; 1948 1949 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk; 1950 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0) 1951 return -1; 1952 } 1953 1954 return 0; 1955 } 1956 1957 1958 static void wpa_report_ie_mismatch(struct wpa_sm *sm, 1959 const char *reason, const u8 *src_addr, 1960 const u8 *wpa_ie, size_t wpa_ie_len, 1961 const u8 *rsn_ie, size_t rsn_ie_len) 1962 { 1963 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")", 1964 reason, MAC2STR(src_addr)); 1965 1966 if (sm->ap_wpa_ie) { 1967 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp", 1968 sm->ap_wpa_ie, sm->ap_wpa_ie_len); 1969 } 1970 if (wpa_ie) { 1971 if (!sm->ap_wpa_ie) { 1972 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1973 "WPA: No WPA IE in Beacon/ProbeResp"); 1974 } 1975 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg", 1976 wpa_ie, wpa_ie_len); 1977 } 1978 1979 if (sm->ap_rsn_ie) { 1980 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp", 1981 sm->ap_rsn_ie, sm->ap_rsn_ie_len); 1982 } 1983 if (rsn_ie) { 1984 if (!sm->ap_rsn_ie) { 1985 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 1986 "WPA: No RSN IE in Beacon/ProbeResp"); 1987 } 1988 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg", 1989 rsn_ie, rsn_ie_len); 1990 } 1991 1992 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS); 1993 } 1994 1995 1996 #ifdef CONFIG_IEEE80211R 1997 1998 static int ft_validate_mdie(struct wpa_sm *sm, 1999 const unsigned char *src_addr, 2000 struct wpa_eapol_ie_parse *ie, 2001 const u8 *assoc_resp_mdie) 2002 { 2003 struct rsn_mdie *mdie; 2004 2005 mdie = (struct rsn_mdie *) (ie->mdie + 2); 2006 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) || 2007 os_memcmp(mdie->mobility_domain, sm->mobility_domain, 2008 MOBILITY_DOMAIN_ID_LEN) != 0) { 2009 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did " 2010 "not match with the current mobility domain"); 2011 return -1; 2012 } 2013 2014 if (assoc_resp_mdie && 2015 (assoc_resp_mdie[1] != ie->mdie[1] || 2016 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) { 2017 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch"); 2018 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4", 2019 ie->mdie, 2 + ie->mdie[1]); 2020 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response", 2021 assoc_resp_mdie, 2 + assoc_resp_mdie[1]); 2022 return -1; 2023 } 2024 2025 return 0; 2026 } 2027 2028 2029 static int ft_validate_ftie(struct wpa_sm *sm, 2030 const unsigned char *src_addr, 2031 struct wpa_eapol_ie_parse *ie, 2032 const u8 *assoc_resp_ftie) 2033 { 2034 if (ie->ftie == NULL) { 2035 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2036 "FT: No FTIE in EAPOL-Key msg 3/4"); 2037 return -1; 2038 } 2039 2040 if (assoc_resp_ftie == NULL) 2041 return 0; 2042 2043 if (assoc_resp_ftie[1] != ie->ftie[1] || 2044 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) { 2045 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch"); 2046 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4", 2047 ie->ftie, 2 + ie->ftie[1]); 2048 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response", 2049 assoc_resp_ftie, 2 + assoc_resp_ftie[1]); 2050 return -1; 2051 } 2052 2053 return 0; 2054 } 2055 2056 2057 static int ft_validate_rsnie(struct wpa_sm *sm, 2058 const unsigned char *src_addr, 2059 struct wpa_eapol_ie_parse *ie) 2060 { 2061 struct wpa_ie_data rsn; 2062 2063 if (!ie->rsn_ie) 2064 return 0; 2065 2066 /* 2067 * Verify that PMKR1Name from EAPOL-Key message 3/4 2068 * matches with the value we derived. 2069 */ 2070 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 || 2071 rsn.num_pmkid != 1 || rsn.pmkid == NULL) { 2072 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in " 2073 "FT 4-way handshake message 3/4"); 2074 return -1; 2075 } 2076 2077 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0) 2078 { 2079 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2080 "FT: PMKR1Name mismatch in " 2081 "FT 4-way handshake message 3/4"); 2082 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator", 2083 rsn.pmkid, WPA_PMK_NAME_LEN); 2084 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name", 2085 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 2086 return -1; 2087 } 2088 2089 return 0; 2090 } 2091 2092 2093 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm, 2094 const unsigned char *src_addr, 2095 struct wpa_eapol_ie_parse *ie) 2096 { 2097 const u8 *pos, *end, *mdie = NULL, *ftie = NULL; 2098 2099 if (sm->assoc_resp_ies) { 2100 pos = sm->assoc_resp_ies; 2101 end = pos + sm->assoc_resp_ies_len; 2102 while (end - pos > 2) { 2103 if (2 + pos[1] > end - pos) 2104 break; 2105 switch (*pos) { 2106 case WLAN_EID_MOBILITY_DOMAIN: 2107 mdie = pos; 2108 break; 2109 case WLAN_EID_FAST_BSS_TRANSITION: 2110 ftie = pos; 2111 break; 2112 } 2113 pos += 2 + pos[1]; 2114 } 2115 } 2116 2117 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 || 2118 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 || 2119 ft_validate_rsnie(sm, src_addr, ie) < 0) 2120 return -1; 2121 2122 return 0; 2123 } 2124 2125 #endif /* CONFIG_IEEE80211R */ 2126 2127 2128 static int wpa_supplicant_validate_ie(struct wpa_sm *sm, 2129 const unsigned char *src_addr, 2130 struct wpa_eapol_ie_parse *ie) 2131 { 2132 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) { 2133 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2134 "WPA: No WPA/RSN IE for this AP known. " 2135 "Trying to get from scan results"); 2136 if (wpa_sm_get_beacon_ie(sm) < 0) { 2137 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2138 "WPA: Could not find AP from " 2139 "the scan results"); 2140 return -1; 2141 } 2142 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, 2143 "WPA: Found the current AP from updated scan results"); 2144 } 2145 2146 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL && 2147 (sm->ap_wpa_ie || sm->ap_rsn_ie)) { 2148 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match " 2149 "with IE in Beacon/ProbeResp (no IE?)", 2150 src_addr, ie->wpa_ie, ie->wpa_ie_len, 2151 ie->rsn_ie, ie->rsn_ie_len); 2152 return -1; 2153 } 2154 2155 if ((ie->wpa_ie && sm->ap_wpa_ie && 2156 (ie->wpa_ie_len != sm->ap_wpa_ie_len || 2157 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) || 2158 (ie->rsn_ie && sm->ap_rsn_ie && 2159 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt), 2160 sm->ap_rsn_ie, sm->ap_rsn_ie_len, 2161 ie->rsn_ie, ie->rsn_ie_len))) { 2162 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match " 2163 "with IE in Beacon/ProbeResp", 2164 src_addr, ie->wpa_ie, ie->wpa_ie_len, 2165 ie->rsn_ie, ie->rsn_ie_len); 2166 return -1; 2167 } 2168 2169 if (sm->proto == WPA_PROTO_WPA && 2170 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) { 2171 wpa_report_ie_mismatch(sm, "Possible downgrade attack " 2172 "detected - RSN was enabled and RSN IE " 2173 "was in msg 3/4, but not in " 2174 "Beacon/ProbeResp", 2175 src_addr, ie->wpa_ie, ie->wpa_ie_len, 2176 ie->rsn_ie, ie->rsn_ie_len); 2177 return -1; 2178 } 2179 2180 if (sm->proto == WPA_PROTO_RSN && 2181 ((sm->ap_rsnxe && !ie->rsnxe) || 2182 (!sm->ap_rsnxe && ie->rsnxe) || 2183 (sm->ap_rsnxe && ie->rsnxe && 2184 (sm->ap_rsnxe_len != ie->rsnxe_len || 2185 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) { 2186 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2187 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4"); 2188 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp", 2189 sm->ap_rsnxe, sm->ap_rsnxe_len); 2190 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4", 2191 ie->rsnxe, ie->rsnxe_len); 2192 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS); 2193 return -1; 2194 } 2195 2196 #ifdef CONFIG_IEEE80211R 2197 if (wpa_key_mgmt_ft(sm->key_mgmt) && 2198 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0) 2199 return -1; 2200 #endif /* CONFIG_IEEE80211R */ 2201 2202 return 0; 2203 } 2204 2205 2206 /** 2207 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake 2208 * @sm: Pointer to WPA state machine data from wpa_sm_init() 2209 * @dst: Destination address for the frame 2210 * @key: Pointer to the EAPOL-Key frame header 2211 * @ver: Version bits from EAPOL-Key Key Info 2212 * @key_info: Key Info 2213 * @ptk: PTK to use for keyed hash and encryption 2214 * Returns: >= 0 on success, < 0 on failure 2215 */ 2216 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst, 2217 const struct wpa_eapol_key *key, 2218 u16 ver, u16 key_info, 2219 struct wpa_ptk *ptk) 2220 { 2221 size_t mic_len, hdrlen, rlen; 2222 struct wpa_eapol_key *reply; 2223 u8 *rbuf, *key_mic; 2224 u8 *kde = NULL; 2225 size_t kde_len = 0, extra_len = 0; 2226 #ifdef CONFIG_TESTING_OPTIONS 2227 size_t pad_len = 0; 2228 #endif /* CONFIG_TESTING_OPTIONS */ 2229 2230 if (sm->mlo.valid_links) { 2231 u8 *pos; 2232 2233 kde = os_malloc(RSN_SELECTOR_LEN + ETH_ALEN + 2); 2234 if (!kde) 2235 return -1; 2236 2237 /* Add MAC KDE */ 2238 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 4/4"); 2239 pos = kde; 2240 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr, 2241 ETH_ALEN); 2242 kde_len = pos - kde; 2243 } 2244 2245 #ifdef CONFIG_TESTING_OPTIONS 2246 if (sm->test_eapol_m4_elems) 2247 extra_len = wpabuf_len(sm->test_eapol_m4_elems); 2248 if (sm->encrypt_eapol_m4) { 2249 pad_len = (kde_len + extra_len) % 8; 2250 if (pad_len) 2251 pad_len = 8 - pad_len; 2252 extra_len += pad_len + 8; 2253 } 2254 #endif /* CONFIG_TESTING_OPTIONS */ 2255 2256 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 2257 hdrlen = sizeof(*reply) + mic_len + 2; 2258 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 2259 hdrlen + kde_len + extra_len, &rlen, 2260 (void *) &reply); 2261 if (!rbuf) { 2262 os_free(kde); 2263 return -1; 2264 } 2265 2266 reply->type = (sm->proto == WPA_PROTO_RSN || 2267 sm->proto == WPA_PROTO_OSEN) ? 2268 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 2269 key_info &= WPA_KEY_INFO_SECURE; 2270 key_info |= ver | WPA_KEY_INFO_KEY_TYPE; 2271 if (mic_len) 2272 key_info |= WPA_KEY_INFO_MIC; 2273 else 2274 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 2275 #ifdef CONFIG_TESTING_OPTIONS 2276 if (sm->encrypt_eapol_m4) 2277 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 2278 #endif /* CONFIG_TESTING_OPTIONS */ 2279 WPA_PUT_BE16(reply->key_info, key_info); 2280 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 2281 WPA_PUT_BE16(reply->key_length, 0); 2282 else 2283 os_memcpy(reply->key_length, key->key_length, 2); 2284 os_memcpy(reply->replay_counter, key->replay_counter, 2285 WPA_REPLAY_COUNTER_LEN); 2286 2287 key_mic = (u8 *) (reply + 1); 2288 /* Key Data length */ 2289 WPA_PUT_BE16(key_mic + mic_len, kde_len + extra_len); 2290 if (kde) { 2291 os_memcpy(key_mic + mic_len + 2, kde, kde_len); /* Key Data */ 2292 os_free(kde); 2293 } 2294 2295 #ifdef CONFIG_TESTING_OPTIONS 2296 if (sm->test_eapol_m4_elems) { 2297 os_memcpy(key_mic + mic_len + 2 + kde_len, 2298 wpabuf_head(sm->test_eapol_m4_elems), 2299 wpabuf_len(sm->test_eapol_m4_elems)); 2300 } 2301 2302 if (sm->encrypt_eapol_m4) { 2303 u8 *plain; 2304 size_t plain_len; 2305 2306 if (sm->test_eapol_m4_elems) 2307 extra_len = wpabuf_len(sm->test_eapol_m4_elems); 2308 else 2309 extra_len = 0; 2310 plain_len = kde_len + extra_len + pad_len; 2311 plain = os_memdup(key_mic + mic_len + 2, plain_len); 2312 if (!plain) { 2313 os_free(rbuf); 2314 return -1; 2315 } 2316 if (pad_len) 2317 plain[plain_len - pad_len] = 0xdd; 2318 2319 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK", 2320 ptk->kek, ptk->kek_len); 2321 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain, 2322 key_mic + mic_len + 2)) { 2323 os_free(plain); 2324 os_free(rbuf); 2325 return -1; 2326 } 2327 wpa_hexdump(MSG_DEBUG, 2328 "RSN: Encrypted Key Data from AES-WRAP", 2329 key_mic + mic_len + 2, plain_len + 8); 2330 os_free(plain); 2331 } 2332 #endif /* CONFIG_TESTING_OPTIONS */ 2333 2334 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4"); 2335 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 2336 key_mic); 2337 } 2338 2339 2340 static int wpa_supplicant_validate_link_kde(struct wpa_sm *sm, u8 link_id, 2341 const u8 *link_kde, 2342 size_t link_kde_len) 2343 { 2344 size_t rsne_len = 0, rsnxe_len = 0; 2345 const u8 *rsne = NULL, *rsnxe = NULL; 2346 2347 if (!link_kde || 2348 link_kde_len < RSN_MLO_LINK_KDE_LINK_MAC_INDEX + ETH_ALEN) { 2349 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2350 "RSN: MLO Link KDE is not found for link ID %d", 2351 link_id); 2352 return -1; 2353 } 2354 2355 if (!ether_addr_equal(sm->mlo.links[link_id].bssid, 2356 &link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX])) { 2357 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2358 "RSN: MLO Link %u MAC address (" MACSTR 2359 ") not matching association response (" MACSTR ")", 2360 link_id, 2361 MAC2STR(&link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX]), 2362 MAC2STR(sm->mlo.links[link_id].bssid)); 2363 return -1; 2364 } 2365 2366 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNE_INFO) { 2367 rsne = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH; 2368 if (link_kde_len < RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 || 2369 link_kde_len < 2370 (size_t) (RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 + rsne[1])) { 2371 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2372 "RSN: No room for link %u RSNE in MLO Link KDE", 2373 link_id); 2374 return -1; 2375 } 2376 2377 rsne_len = rsne[1] + 2; 2378 } 2379 2380 if (!rsne) { 2381 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2382 "RSN: RSNE not present in MLO Link %u KDE", link_id); 2383 return -1; 2384 } 2385 2386 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNXE_INFO) { 2387 rsnxe = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len; 2388 if (link_kde_len < 2389 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2) || 2390 link_kde_len < 2391 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2 + rsnxe[1])) { 2392 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2393 "RSN: No room for link %u RSNXE in MLO Link KDE", 2394 link_id); 2395 return -1; 2396 } 2397 2398 rsnxe_len = rsnxe[1] + 2; 2399 } 2400 2401 if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt), 2402 sm->mlo.links[link_id].ap_rsne, 2403 sm->mlo.links[link_id].ap_rsne_len, 2404 rsne, rsne_len)) { 2405 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2406 "RSN MLO: IE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u", 2407 link_id); 2408 wpa_hexdump(MSG_INFO, "RSNE in Beacon/ProbeResp", 2409 sm->mlo.links[link_id].ap_rsne, 2410 sm->mlo.links[link_id].ap_rsne_len); 2411 wpa_hexdump(MSG_INFO, "RSNE in EAPOL-Key msg 3/4", 2412 rsne, rsne_len); 2413 return -1; 2414 } 2415 2416 if ((sm->mlo.links[link_id].ap_rsnxe && !rsnxe) || 2417 (!sm->mlo.links[link_id].ap_rsnxe && rsnxe) || 2418 (sm->mlo.links[link_id].ap_rsnxe && rsnxe && 2419 (sm->mlo.links[link_id].ap_rsnxe_len != rsnxe_len || 2420 os_memcmp(sm->mlo.links[link_id].ap_rsnxe, rsnxe, 2421 sm->mlo.links[link_id].ap_rsnxe_len) != 0))) { 2422 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2423 "RSN MLO: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u", 2424 link_id); 2425 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp", 2426 sm->mlo.links[link_id].ap_rsnxe, 2427 sm->mlo.links[link_id].ap_rsnxe_len); 2428 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4", 2429 rsnxe, rsnxe_len); 2430 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS); 2431 return -1; 2432 } 2433 2434 return 0; 2435 } 2436 2437 2438 static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm, 2439 u8 link_id, 2440 struct wpa_eapol_ie_parse *ie) 2441 { 2442 if (ie->mlo_igtk[link_id] && 2443 ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH + 2444 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { 2445 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2446 "RSN MLO: Invalid IGTK KDE length %lu for link ID %u", 2447 (unsigned long) ie->mlo_igtk_len[link_id], link_id); 2448 return -1; 2449 } 2450 2451 if (!sm->beacon_prot) 2452 return 0; 2453 2454 if (ie->mlo_bigtk[link_id] && 2455 ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH + 2456 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { 2457 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2458 "RSN MLO: Invalid BIGTK KDE length %lu for link ID %u", 2459 (unsigned long) ie->mlo_bigtk_len[link_id], link_id); 2460 return -1; 2461 } 2462 2463 return 0; 2464 } 2465 2466 2467 static void wpa_supplicant_process_3_of_4_wpa(struct wpa_sm *sm, 2468 const struct wpa_eapol_key *key, 2469 u16 ver, const u8 *key_data, 2470 size_t key_data_len) 2471 { 2472 u16 key_info, keylen; 2473 struct wpa_eapol_ie_parse ie; 2474 2475 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 2476 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2477 "WPA: RX message 3 of 4-Way Handshake from " MACSTR 2478 " (ver=%d)", MAC2STR(sm->bssid), ver); 2479 2480 key_info = WPA_GET_BE16(key->key_info); 2481 2482 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len); 2483 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 2484 goto failed; 2485 2486 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0) 2487 goto failed; 2488 2489 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 2490 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2491 "WPA: ANonce from message 1 of 4-Way Handshake differs from 3 of 4-Way Handshake - drop packet (src=" 2492 MACSTR ")", MAC2STR(sm->bssid)); 2493 goto failed; 2494 } 2495 2496 keylen = WPA_GET_BE16(key->key_length); 2497 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) { 2498 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2499 "WPA: Invalid %s key length %d (src=" MACSTR ")", 2500 wpa_cipher_txt(sm->pairwise_cipher), keylen, 2501 MAC2STR(sm->bssid)); 2502 goto failed; 2503 } 2504 2505 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver, 2506 key_info, &sm->ptk) < 0) 2507 goto failed; 2508 2509 /* SNonce was successfully used in msg 3/4, so mark it to be renewed 2510 * for the next 4-Way Handshake. If msg 3 is received again, the old 2511 * SNonce will still be used to avoid changing PTK. */ 2512 sm->renew_snonce = 1; 2513 2514 if ((key_info & WPA_KEY_INFO_INSTALL) && 2515 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX_TX)) 2516 goto failed; 2517 2518 if (key_info & WPA_KEY_INFO_SECURE) { 2519 wpa_sm_mlme_setprotection( 2520 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX, 2521 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 2522 eapol_sm_notify_portValid(sm->eapol, true); 2523 } 2524 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 2525 2526 sm->msg_3_of_4_ok = 1; 2527 return; 2528 2529 failed: 2530 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 2531 } 2532 2533 2534 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm, 2535 const struct wpa_eapol_key *key, 2536 u16 ver, const u8 *key_data, 2537 size_t key_data_len) 2538 { 2539 u16 key_info, keylen; 2540 struct wpa_eapol_ie_parse ie; 2541 bool mlo = sm->mlo.valid_links; 2542 int i; 2543 2544 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE); 2545 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 2546 "RSN: RX message 3 of 4-Way Handshake from " MACSTR 2547 " (ver=%d)%s", MAC2STR(sm->bssid), ver, mlo ? " (MLO)" : ""); 2548 2549 key_info = WPA_GET_BE16(key->key_info); 2550 2551 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len); 2552 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 2553 goto failed; 2554 2555 if (sm->ssid_protection) { 2556 if (!ie.ssid) { 2557 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2558 "RSN: No SSID included in EAPOL-Key msg 3/4"); 2559 goto failed; 2560 } 2561 2562 if (ie.ssid_len != sm->ssid_len || 2563 os_memcmp(ie.ssid, sm->ssid, sm->ssid_len) != 0) { 2564 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2565 "RSN: SSID mismatch in EAPOL-Key msg 3/4"); 2566 wpa_hexdump_ascii(MSG_DEBUG, "RSN: Received SSID", 2567 ie.ssid, ie.ssid_len); 2568 wpa_hexdump_ascii(MSG_DEBUG, "RSN: Expected SSID", 2569 sm->ssid, sm->ssid_len); 2570 goto failed; 2571 } 2572 2573 wpa_sm_ssid_verified(sm); 2574 } 2575 2576 if (mlo && !ie.valid_mlo_gtks) { 2577 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2578 "MLO RSN: No GTK KDE included in EAPOL-Key msg 3/4"); 2579 goto failed; 2580 } 2581 if (mlo && 2582 (key_info & 2583 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL | 2584 WPA_KEY_INFO_SECURE)) != 2585 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL | 2586 WPA_KEY_INFO_SECURE)) { 2587 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2588 "RSN MLO: Invalid key info (0x%x) in EAPOL-Key msg 3/4", 2589 key_info); 2590 goto failed; 2591 } 2592 2593 if (mlo && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) { 2594 wpa_printf(MSG_DEBUG, "RSN: Invalid AP MLD MAC address KDE"); 2595 goto failed; 2596 } 2597 2598 for (i = 0; mlo && i < MAX_NUM_MLD_LINKS; i++) { 2599 if (!(sm->mlo.req_links & BIT(i))) 2600 continue; 2601 2602 if (wpa_supplicant_validate_link_kde(sm, i, ie.mlo_link[i], 2603 ie.mlo_link_len[i]) < 0) 2604 goto failed; 2605 2606 if (!(sm->mlo.valid_links & BIT(i))) 2607 continue; 2608 2609 if (!ie.mlo_gtk[i]) { 2610 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 2611 "RSN: GTK not found for link ID %u", i); 2612 goto failed; 2613 } 2614 2615 if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED && 2616 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) && 2617 wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0) 2618 goto failed; 2619 } 2620 2621 #ifdef CONFIG_IEEE80211R 2622 if (mlo && wpa_key_mgmt_ft(sm->key_mgmt) && 2623 wpa_supplicant_validate_ie_ft(sm, sm->bssid, &ie) < 0) 2624 goto failed; 2625 #endif /* CONFIG_IEEE80211R */ 2626 2627 if (!mlo && ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 2628 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2629 "WPA: GTK IE in unencrypted key data"); 2630 goto failed; 2631 } 2632 if (!mlo && ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 2633 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2634 "WPA: IGTK KDE in unencrypted key data"); 2635 goto failed; 2636 } 2637 2638 if (!mlo && ie.igtk && 2639 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED && 2640 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) && 2641 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN + 2642 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) { 2643 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2644 "WPA: Invalid IGTK KDE length %lu", 2645 (unsigned long) ie.igtk_len); 2646 goto failed; 2647 } 2648 2649 if (!mlo && wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0) 2650 goto failed; 2651 2652 if (wpa_handle_ext_key_id(sm, &ie)) 2653 goto failed; 2654 2655 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 2656 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2657 "WPA: ANonce from message 1 of 4-Way Handshake " 2658 "differs from 3 of 4-Way Handshake - drop packet (src=" 2659 MACSTR ")", MAC2STR(sm->bssid)); 2660 goto failed; 2661 } 2662 2663 keylen = WPA_GET_BE16(key->key_length); 2664 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) { 2665 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2666 "WPA: Invalid %s key length %d (src=" MACSTR 2667 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen, 2668 MAC2STR(sm->bssid)); 2669 goto failed; 2670 } 2671 2672 #ifdef CONFIG_P2P 2673 if (ie.ip_addr_alloc) { 2674 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4); 2675 wpa_hexdump(MSG_DEBUG, "P2P: IP address info", 2676 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr)); 2677 } 2678 #endif /* CONFIG_P2P */ 2679 2680 #ifdef CONFIG_OCV 2681 if (wpa_sm_ocv_enabled(sm)) { 2682 struct wpa_channel_info ci; 2683 2684 if (wpa_sm_channel_info(sm, &ci) != 0) { 2685 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2686 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4"); 2687 return; 2688 } 2689 2690 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci, 2691 channel_width_to_int(ci.chanwidth), 2692 ci.seg1_idx) != OCI_SUCCESS) { 2693 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE 2694 "addr=" MACSTR " frame=eapol-key-m3 error=%s", 2695 MAC2STR(sm->bssid), ocv_errorstr); 2696 return; 2697 } 2698 } 2699 #endif /* CONFIG_OCV */ 2700 2701 #ifdef CONFIG_DPP2 2702 if (DPP_VERSION > 1 && ie.dpp_kde) { 2703 wpa_printf(MSG_DEBUG, 2704 "DPP: peer Protocol Version %u Flags 0x%x", 2705 ie.dpp_kde[0], ie.dpp_kde[1]); 2706 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 && 2707 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) { 2708 wpa_printf(MSG_INFO, 2709 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association"); 2710 goto failed; 2711 } 2712 } 2713 #endif /* CONFIG_DPP2 */ 2714 2715 if (sm->use_ext_key_id && 2716 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX)) 2717 goto failed; 2718 2719 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver, 2720 key_info, &sm->ptk) < 0) 2721 goto failed; 2722 2723 /* SNonce was successfully used in msg 3/4, so mark it to be renewed 2724 * for the next 4-Way Handshake. If msg 3 is received again, the old 2725 * SNonce will still be used to avoid changing PTK. */ 2726 sm->renew_snonce = 1; 2727 2728 if (key_info & WPA_KEY_INFO_INSTALL) { 2729 int res; 2730 2731 if (sm->use_ext_key_id) 2732 res = wpa_supplicant_activate_ptk(sm); 2733 else 2734 res = wpa_supplicant_install_ptk(sm, key, 2735 KEY_FLAG_RX_TX); 2736 if (res) 2737 goto failed; 2738 } 2739 2740 if (key_info & WPA_KEY_INFO_SECURE) { 2741 wpa_sm_mlme_setprotection( 2742 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX, 2743 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE); 2744 eapol_sm_notify_portValid(sm->eapol, true); 2745 } 2746 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 2747 2748 if (mlo) { 2749 if (wpa_supplicant_pairwise_mlo_gtk(sm, key, &ie, 2750 key_info) < 0) { 2751 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2752 "MLO RSN: Failed to configure MLO GTKs"); 2753 goto failed; 2754 } 2755 } else if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) { 2756 /* No GTK to be set to the driver */ 2757 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) { 2758 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2759 "RSN: No GTK KDE included in EAPOL-Key msg 3/4"); 2760 goto failed; 2761 } else if (ie.gtk && 2762 wpa_supplicant_pairwise_gtk(sm, key, 2763 ie.gtk, ie.gtk_len, key_info) < 0) { 2764 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2765 "RSN: Failed to configure GTK"); 2766 goto failed; 2767 } 2768 2769 if ((mlo && mlo_ieee80211w_set_keys(sm, &ie) < 0) || 2770 (!mlo && ieee80211w_set_keys(sm, &ie) < 0)) { 2771 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2772 "RSN: Failed to configure IGTK"); 2773 goto failed; 2774 } 2775 2776 if (mlo || sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk) 2777 wpa_supplicant_key_neg_complete(sm, sm->bssid, 2778 key_info & WPA_KEY_INFO_SECURE); 2779 2780 if (mlo || ie.gtk) 2781 wpa_sm_set_rekey_offload(sm); 2782 2783 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be 2784 * calculated only after KCK has been derived. Though, do not replace an 2785 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID) 2786 * to avoid unnecessary changes of PMKID while continuing to use the 2787 * same PMK. */ 2788 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) && 2789 !sm->cur_pmksa) { 2790 struct rsn_pmksa_cache_entry *sa; 2791 2792 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL, 2793 sm->ptk.kck, sm->ptk.kck_len, 2794 wpa_sm_get_auth_addr(sm), sm->own_addr, 2795 sm->network_ctx, sm->key_mgmt, NULL); 2796 if (!sm->cur_pmksa) 2797 sm->cur_pmksa = sa; 2798 } 2799 2800 if (ie.transition_disable) 2801 wpa_sm_transition_disable(sm, ie.transition_disable[0]); 2802 sm->msg_3_of_4_ok = 1; 2803 return; 2804 2805 failed: 2806 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 2807 } 2808 2809 2810 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm, 2811 const struct wpa_eapol_key *key, 2812 int ver, u16 key_info) 2813 { 2814 size_t mic_len, hdrlen, rlen; 2815 struct wpa_eapol_key *reply; 2816 u8 *rbuf, *key_mic; 2817 size_t kde_len = 0; 2818 2819 #ifdef CONFIG_TESTING_OPTIONS 2820 if (sm->disable_eapol_g2_tx) { 2821 wpa_printf(MSG_INFO, "TEST: Disable sending EAPOL-Key 2/2"); 2822 return 0; 2823 } 2824 #endif /* CONFIG_TESTING_OPTIONS */ 2825 2826 #ifdef CONFIG_OCV 2827 if (wpa_sm_ocv_enabled(sm)) 2828 kde_len = OCV_OCI_KDE_LEN; 2829 #endif /* CONFIG_OCV */ 2830 2831 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 2832 hdrlen = sizeof(*reply) + mic_len + 2; 2833 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 2834 hdrlen + kde_len, &rlen, (void *) &reply); 2835 if (rbuf == NULL) 2836 return -1; 2837 2838 reply->type = (sm->proto == WPA_PROTO_RSN || 2839 sm->proto == WPA_PROTO_OSEN) ? 2840 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA; 2841 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK; 2842 key_info |= ver | WPA_KEY_INFO_SECURE; 2843 if (mic_len) 2844 key_info |= WPA_KEY_INFO_MIC; 2845 else 2846 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA; 2847 WPA_PUT_BE16(reply->key_info, key_info); 2848 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) 2849 WPA_PUT_BE16(reply->key_length, 0); 2850 else 2851 os_memcpy(reply->key_length, key->key_length, 2); 2852 os_memcpy(reply->replay_counter, key->replay_counter, 2853 WPA_REPLAY_COUNTER_LEN); 2854 2855 key_mic = (u8 *) (reply + 1); 2856 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */ 2857 2858 #ifdef CONFIG_OCV 2859 if (wpa_sm_ocv_enabled(sm)) { 2860 struct wpa_channel_info ci; 2861 u8 *pos; 2862 2863 if (wpa_sm_channel_info(sm, &ci) != 0) { 2864 wpa_printf(MSG_WARNING, 2865 "Failed to get channel info for OCI element in EAPOL-Key 2/2"); 2866 os_free(rbuf); 2867 return -1; 2868 } 2869 #ifdef CONFIG_TESTING_OPTIONS 2870 if (sm->oci_freq_override_eapol_g2) { 2871 wpa_printf(MSG_INFO, 2872 "TEST: Override OCI KDE frequency %d -> %d MHz", 2873 ci.frequency, 2874 sm->oci_freq_override_eapol_g2); 2875 ci.frequency = sm->oci_freq_override_eapol_g2; 2876 } 2877 #endif /* CONFIG_TESTING_OPTIONS */ 2878 2879 pos = key_mic + mic_len + 2; /* Key Data */ 2880 if (ocv_insert_oci_kde(&ci, &pos) < 0) { 2881 os_free(rbuf); 2882 return -1; 2883 } 2884 } 2885 #endif /* CONFIG_OCV */ 2886 2887 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2"); 2888 return wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm), 2889 ETH_P_EAPOL, rbuf, rlen, key_mic); 2890 } 2891 2892 2893 static void wpa_supplicant_process_mlo_1_of_2(struct wpa_sm *sm, 2894 const unsigned char *src_addr, 2895 const struct wpa_eapol_key *key, 2896 const u8 *key_data, 2897 size_t key_data_len, u16 ver) 2898 { 2899 u16 key_info; 2900 u8 i; 2901 struct wpa_eapol_ie_parse ie; 2902 2903 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) { 2904 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2905 "MLO RSN: Group Key Handshake started prior to completion of 4-way handshake"); 2906 goto failed; 2907 } 2908 2909 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "MLO RSN: RX message 1 of Group " 2910 "Key Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), 2911 ver); 2912 2913 key_info = WPA_GET_BE16(key->key_info); 2914 2915 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 2916 2917 wpa_hexdump_key(MSG_DEBUG, "MLO RSN: msg 1/2 key data", key_data, 2918 key_data_len); 2919 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 2920 goto failed; 2921 2922 if (!ie.valid_mlo_gtks) { 2923 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2924 "MLO RSN: No MLO GTK KDE in Group Key msg 1/2"); 2925 goto failed; 2926 } 2927 2928 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 2929 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2930 "MLO RSN: MLO GTK KDE in unencrypted key data"); 2931 goto failed; 2932 } 2933 2934 #ifdef CONFIG_OCV 2935 if (wpa_sm_ocv_enabled(sm)) { 2936 struct wpa_channel_info ci; 2937 2938 if (wpa_sm_channel_info(sm, &ci) != 0) { 2939 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 2940 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2"); 2941 goto failed; 2942 } 2943 2944 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci, 2945 channel_width_to_int(ci.chanwidth), 2946 ci.seg1_idx) != OCI_SUCCESS) { 2947 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE 2948 "addr=" MACSTR " frame=eapol-key-g1 error=%s", 2949 MAC2STR(sm->bssid), ocv_errorstr); 2950 goto failed; 2951 } 2952 } 2953 #endif /* CONFIG_OCV */ 2954 2955 if (mlo_ieee80211w_set_keys(sm, &ie) < 0) 2956 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 2957 "MLO RSN: Failed to configure MLO IGTK"); 2958 2959 for_each_link(sm->mlo.valid_links, i) { 2960 /* 2961 * AP may send group keys for subset of the all links during 2962 * rekey 2963 */ 2964 if (!ie.mlo_gtk[i]) 2965 continue; 2966 2967 if (wpa_supplicant_mlo_gtk(sm, i, ie.mlo_gtk[i], 2968 ie.mlo_gtk_len[i], key_info)) 2969 goto failed; 2970 } 2971 2972 if (wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) 2973 goto failed; 2974 2975 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "MLO RSN: Group rekeying completed " 2976 "with " MACSTR " [GTK=%s]", MAC2STR(sm->mlo.ap_mld_addr), 2977 wpa_cipher_txt(sm->group_cipher)); 2978 wpa_sm_cancel_auth_timeout(sm); 2979 wpa_sm_set_state(sm, WPA_COMPLETED); 2980 2981 wpa_sm_set_rekey_offload(sm); 2982 2983 return; 2984 2985 failed: 2986 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 2987 } 2988 2989 2990 static void wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm, 2991 const unsigned char *src_addr, 2992 const struct wpa_eapol_key *key, 2993 const u8 *key_data, 2994 size_t key_data_len, u16 ver) 2995 { 2996 u16 key_info; 2997 int rekey; 2998 struct wpa_gtk_data gd; 2999 const u8 *key_rsc; 3000 size_t maxkeylen; 3001 u16 gtk_len; 3002 3003 if (!sm->msg_3_of_4_ok) { 3004 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3005 "WPA: Group Key Handshake started prior to completion of 4-way handshake"); 3006 goto failed; 3007 } 3008 3009 os_memset(&gd, 0, sizeof(gd)); 3010 3011 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED; 3012 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3013 "WPA: RX message 1 of Group Key Handshake from " MACSTR 3014 " (ver=%d)", MAC2STR(src_addr), ver); 3015 3016 key_info = WPA_GET_BE16(key->key_info); 3017 3018 gtk_len = WPA_GET_BE16(key->key_length); 3019 maxkeylen = key_data_len; 3020 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 3021 if (maxkeylen < 8) { 3022 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3023 "WPA: Too short maxkeylen (%lu)", 3024 (unsigned long) maxkeylen); 3025 goto failed; 3026 } 3027 maxkeylen -= 8; 3028 } 3029 3030 if (gtk_len > maxkeylen || 3031 wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 3032 gtk_len, maxkeylen, 3033 &gd.key_rsc_len, &gd.alg)) 3034 goto failed; 3035 3036 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 3037 3038 gd.gtk_len = gtk_len; 3039 gd.keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 3040 WPA_KEY_INFO_KEY_INDEX_SHIFT; 3041 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) { 3042 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS) 3043 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3044 "WPA: RC4 not supported in the build"); 3045 goto failed; 3046 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */ 3047 u8 ek[32]; 3048 if (key_data_len > sizeof(gd.gtk)) { 3049 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3050 "WPA: RC4 key data too long (%lu)", 3051 (unsigned long) key_data_len); 3052 goto failed; 3053 } 3054 os_memcpy(ek, key->key_iv, 16); 3055 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); 3056 os_memcpy(gd.gtk, key_data, key_data_len); 3057 if (rc4_skip(ek, 32, 256, gd.gtk, key_data_len)) { 3058 forced_memzero(ek, sizeof(ek)); 3059 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 3060 "WPA: RC4 failed"); 3061 goto failed; 3062 } 3063 forced_memzero(ek, sizeof(ek)); 3064 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */ 3065 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 3066 if (maxkeylen % 8) { 3067 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3068 "WPA: Unsupported AES-WRAP len %lu", 3069 (unsigned long) maxkeylen); 3070 goto failed; 3071 } 3072 if (maxkeylen > sizeof(gd.gtk)) { 3073 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3074 "WPA: AES-WRAP key data " 3075 "too long (keydatalen=%lu maxkeylen=%lu)", 3076 (unsigned long) key_data_len, 3077 (unsigned long) maxkeylen); 3078 goto failed; 3079 } 3080 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8, 3081 key_data, gd.gtk)) { 3082 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3083 "WPA: AES unwrap failed - could not decrypt " 3084 "GTK"); 3085 goto failed; 3086 } 3087 } else { 3088 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3089 "WPA: Unsupported key_info type %d", ver); 3090 goto failed; 3091 } 3092 gd.tx = wpa_supplicant_gtk_tx_bit_workaround( 3093 sm, !!(key_info & WPA_KEY_INFO_TXRX)); 3094 3095 key_rsc = key->key_rsc; 3096 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 3097 key_rsc = null_rsc; 3098 3099 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || 3100 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) 3101 goto failed; 3102 forced_memzero(&gd, sizeof(gd)); 3103 3104 if (rekey) { 3105 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3106 "WPA: Group rekeying completed with " MACSTR 3107 " [GTK=%s]", 3108 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher)); 3109 wpa_sm_cancel_auth_timeout(sm); 3110 wpa_sm_set_state(sm, WPA_COMPLETED); 3111 } else { 3112 wpa_supplicant_key_neg_complete(sm, sm->bssid, 3113 key_info & WPA_KEY_INFO_SECURE); 3114 } 3115 3116 wpa_sm_set_rekey_offload(sm); 3117 3118 return; 3119 3120 failed: 3121 forced_memzero(&gd, sizeof(gd)); 3122 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 3123 } 3124 3125 3126 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm, 3127 const unsigned char *src_addr, 3128 const struct wpa_eapol_key *key, 3129 const u8 *key_data, 3130 size_t key_data_len, u16 ver) 3131 { 3132 u16 key_info; 3133 struct wpa_gtk_data gd; 3134 const u8 *key_rsc; 3135 int maxkeylen; 3136 struct wpa_eapol_ie_parse ie; 3137 u16 gtk_len; 3138 3139 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) { 3140 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3141 "RSN: Group Key Handshake started prior to completion of 4-way handshake"); 3142 goto failed; 3143 } 3144 3145 os_memset(&gd, 0, sizeof(gd)); 3146 3147 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3148 "RSN: RX message 1 of Group Key Handshake from " MACSTR 3149 " (ver=%d)", MAC2STR(src_addr), ver); 3150 3151 key_info = WPA_GET_BE16(key->key_info); 3152 3153 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data", 3154 key_data, key_data_len); 3155 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) 3156 goto failed; 3157 3158 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE); 3159 3160 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 3161 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3162 "RSN: GTK KDE in unencrypted key data"); 3163 goto failed; 3164 } 3165 if (!ie.gtk) { 3166 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3167 "RSN: No GTK KDE in Group Key msg 1/2"); 3168 goto failed; 3169 } 3170 gtk_len = ie.gtk_len; 3171 if (gtk_len < 2) { 3172 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3173 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2", 3174 gtk_len); 3175 goto failed; 3176 } 3177 gtk_len -= 2; 3178 if (gtk_len > sizeof(gd.gtk)) { 3179 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3180 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len); 3181 goto failed; 3182 } 3183 maxkeylen = gd.gtk_len = gtk_len; 3184 3185 #ifdef CONFIG_OCV 3186 if (wpa_sm_ocv_enabled(sm)) { 3187 struct wpa_channel_info ci; 3188 3189 if (wpa_sm_channel_info(sm, &ci) != 0) { 3190 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3191 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2"); 3192 goto failed; 3193 } 3194 3195 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci, 3196 channel_width_to_int(ci.chanwidth), 3197 ci.seg1_idx) != OCI_SUCCESS) { 3198 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE 3199 "addr=" MACSTR " frame=eapol-key-g1 error=%s", 3200 MAC2STR(sm->bssid), ocv_errorstr); 3201 goto failed; 3202 } 3203 } 3204 #endif /* CONFIG_OCV */ 3205 3206 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 3207 gtk_len, maxkeylen, 3208 &gd.key_rsc_len, &gd.alg)) 3209 goto failed; 3210 3211 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake", 3212 ie.gtk, 2 + gtk_len); 3213 gd.keyidx = ie.gtk[0] & 0x3; 3214 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 3215 !!(ie.gtk[0] & BIT(2))); 3216 os_memcpy(gd.gtk, ie.gtk + 2, gtk_len); 3217 3218 if (ieee80211w_set_keys(sm, &ie) < 0) 3219 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3220 "RSN: Failed to configure IGTK"); 3221 3222 key_rsc = key->key_rsc; 3223 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc)) 3224 key_rsc = null_rsc; 3225 3226 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) || 3227 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0) 3228 goto failed; 3229 forced_memzero(&gd, sizeof(gd)); 3230 3231 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3232 "RSN: Group rekeying completed with " MACSTR " [GTK=%s]", 3233 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher)); 3234 wpa_sm_cancel_auth_timeout(sm); 3235 wpa_sm_set_state(sm, WPA_COMPLETED); 3236 3237 wpa_sm_set_rekey_offload(sm); 3238 3239 return; 3240 3241 failed: 3242 forced_memzero(&gd, sizeof(gd)); 3243 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 3244 } 3245 3246 3247 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm, 3248 struct wpa_eapol_key *key, 3249 u16 ver, 3250 const u8 *buf, size_t len) 3251 { 3252 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN]; 3253 int ok = 0; 3254 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len); 3255 3256 os_memcpy(mic, key + 1, mic_len); 3257 if (sm->tptk_set) { 3258 os_memset(key + 1, 0, mic_len); 3259 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, 3260 sm->key_mgmt, 3261 ver, buf, len, (u8 *) (key + 1)) < 0 || 3262 os_memcmp_const(mic, key + 1, mic_len) != 0) { 3263 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3264 "WPA: Invalid EAPOL-Key MIC " 3265 "when using TPTK - ignoring TPTK"); 3266 #ifdef TEST_FUZZ 3267 wpa_printf(MSG_INFO, 3268 "TEST: Ignore Key MIC failure for fuzz testing"); 3269 goto continue_fuzz; 3270 #endif /* TEST_FUZZ */ 3271 } else { 3272 #ifdef TEST_FUZZ 3273 continue_fuzz: 3274 #endif /* TEST_FUZZ */ 3275 ok = 1; 3276 sm->tptk_set = 0; 3277 sm->ptk_set = 1; 3278 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); 3279 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 3280 /* 3281 * This assures the same TPTK in sm->tptk can never be 3282 * copied twice to sm->ptk as the new PTK. In 3283 * combination with the installed flag in the wpa_ptk 3284 * struct, this assures the same PTK is only installed 3285 * once. 3286 */ 3287 sm->renew_snonce = 1; 3288 } 3289 } 3290 3291 if (!ok && sm->ptk_set) { 3292 os_memset(key + 1, 0, mic_len); 3293 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, 3294 sm->key_mgmt, 3295 ver, buf, len, (u8 *) (key + 1)) < 0 || 3296 os_memcmp_const(mic, key + 1, mic_len) != 0) { 3297 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3298 "WPA: Invalid EAPOL-Key MIC - " 3299 "dropping packet"); 3300 #ifdef TEST_FUZZ 3301 wpa_printf(MSG_INFO, 3302 "TEST: Ignore Key MIC failure for fuzz testing"); 3303 goto continue_fuzz2; 3304 #endif /* TEST_FUZZ */ 3305 return -1; 3306 } 3307 #ifdef TEST_FUZZ 3308 continue_fuzz2: 3309 #endif /* TEST_FUZZ */ 3310 ok = 1; 3311 } 3312 3313 if (!ok) { 3314 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3315 "WPA: Could not verify EAPOL-Key MIC - " 3316 "dropping packet"); 3317 return -1; 3318 } 3319 3320 os_memcpy(sm->rx_replay_counter, key->replay_counter, 3321 WPA_REPLAY_COUNTER_LEN); 3322 sm->rx_replay_counter_set = 1; 3323 return 0; 3324 } 3325 3326 3327 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */ 3328 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm, 3329 struct wpa_eapol_key *key, 3330 size_t mic_len, u16 ver, 3331 u8 *key_data, size_t *key_data_len) 3332 { 3333 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data", 3334 key_data, *key_data_len); 3335 if (!sm->ptk_set) { 3336 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3337 "WPA: PTK not available, cannot decrypt EAPOL-Key Key " 3338 "Data"); 3339 return -1; 3340 } 3341 3342 /* Decrypt key data here so that this operation does not need 3343 * to be implemented separately for each message type. */ 3344 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) { 3345 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS) 3346 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3347 "WPA: RC4 not supported in the build"); 3348 return -1; 3349 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */ 3350 u8 ek[32]; 3351 3352 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4"); 3353 os_memcpy(ek, key->key_iv, 16); 3354 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len); 3355 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) { 3356 forced_memzero(ek, sizeof(ek)); 3357 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 3358 "WPA: RC4 failed"); 3359 return -1; 3360 } 3361 forced_memzero(ek, sizeof(ek)); 3362 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */ 3363 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES || 3364 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC || 3365 wpa_use_aes_key_wrap(sm->key_mgmt)) { 3366 u8 *buf; 3367 3368 wpa_printf(MSG_DEBUG, 3369 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)", 3370 (unsigned int) sm->ptk.kek_len); 3371 if (*key_data_len < 8 || *key_data_len % 8) { 3372 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3373 "WPA: Unsupported AES-WRAP len %u", 3374 (unsigned int) *key_data_len); 3375 return -1; 3376 } 3377 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */ 3378 buf = os_malloc(*key_data_len); 3379 if (buf == NULL) { 3380 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3381 "WPA: No memory for AES-UNWRAP buffer"); 3382 return -1; 3383 } 3384 #ifdef TEST_FUZZ 3385 os_memset(buf, 0x11, *key_data_len); 3386 #endif /* TEST_FUZZ */ 3387 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8, 3388 key_data, buf)) { 3389 #ifdef TEST_FUZZ 3390 wpa_printf(MSG_INFO, 3391 "TEST: Ignore AES unwrap failure for fuzz testing"); 3392 goto continue_fuzz; 3393 #endif /* TEST_FUZZ */ 3394 bin_clear_free(buf, *key_data_len); 3395 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3396 "WPA: AES unwrap failed - " 3397 "could not decrypt EAPOL-Key key data"); 3398 return -1; 3399 } 3400 #ifdef TEST_FUZZ 3401 continue_fuzz: 3402 #endif /* TEST_FUZZ */ 3403 os_memcpy(key_data, buf, *key_data_len); 3404 bin_clear_free(buf, *key_data_len); 3405 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len); 3406 } else { 3407 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3408 "WPA: Unsupported key_info type %d", ver); 3409 return -1; 3410 } 3411 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data", 3412 key_data, *key_data_len); 3413 return 0; 3414 } 3415 3416 3417 /** 3418 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted 3419 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3420 */ 3421 void wpa_sm_aborted_cached(struct wpa_sm *sm) 3422 { 3423 if (sm && sm->cur_pmksa) { 3424 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3425 "RSN: Cancelling PMKSA caching attempt"); 3426 sm->cur_pmksa = NULL; 3427 } 3428 } 3429 3430 3431 void wpa_sm_aborted_external_cached(struct wpa_sm *sm) 3432 { 3433 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) { 3434 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3435 "RSN: Cancelling external PMKSA caching attempt"); 3436 sm->cur_pmksa = NULL; 3437 } 3438 } 3439 3440 3441 static void wpa_eapol_key_dump(struct wpa_sm *sm, 3442 const struct wpa_eapol_key *key, 3443 unsigned int key_data_len, 3444 const u8 *mic, unsigned int mic_len) 3445 { 3446 #ifndef CONFIG_NO_STDOUT_DEBUG 3447 u16 key_info = WPA_GET_BE16(key->key_info); 3448 3449 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type); 3450 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3451 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)", 3452 key_info, key_info & WPA_KEY_INFO_TYPE_MASK, 3453 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >> 3454 WPA_KEY_INFO_KEY_INDEX_SHIFT, 3455 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13, 3456 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group", 3457 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "", 3458 key_info & WPA_KEY_INFO_ACK ? " Ack" : "", 3459 key_info & WPA_KEY_INFO_MIC ? " MIC" : "", 3460 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "", 3461 key_info & WPA_KEY_INFO_ERROR ? " Error" : "", 3462 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "", 3463 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : ""); 3464 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3465 " key_length=%u key_data_length=%u", 3466 WPA_GET_BE16(key->key_length), key_data_len); 3467 wpa_hexdump(MSG_DEBUG, " replay_counter", 3468 key->replay_counter, WPA_REPLAY_COUNTER_LEN); 3469 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN); 3470 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16); 3471 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8); 3472 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8); 3473 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len); 3474 #endif /* CONFIG_NO_STDOUT_DEBUG */ 3475 } 3476 3477 3478 #ifdef CONFIG_FILS 3479 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len, 3480 size_t *key_data_len) 3481 { 3482 struct wpa_ptk *ptk; 3483 struct ieee802_1x_hdr *hdr; 3484 struct wpa_eapol_key *key; 3485 u8 *pos, *tmp; 3486 const u8 *aad[1]; 3487 size_t aad_len[1]; 3488 3489 if (*key_data_len < AES_BLOCK_SIZE) { 3490 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame"); 3491 return -1; 3492 } 3493 3494 if (sm->tptk_set) 3495 ptk = &sm->tptk; 3496 else if (sm->ptk_set) 3497 ptk = &sm->ptk; 3498 else 3499 return -1; 3500 3501 hdr = (struct ieee802_1x_hdr *) buf; 3502 key = (struct wpa_eapol_key *) (hdr + 1); 3503 pos = (u8 *) (key + 1); 3504 pos += 2; /* Pointing at the Encrypted Key Data field */ 3505 3506 tmp = os_malloc(*key_data_len); 3507 if (!tmp) 3508 return -1; 3509 3510 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to 3511 * to Key Data (exclusive). */ 3512 aad[0] = buf; 3513 aad_len[0] = pos - buf; 3514 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len, 3515 1, aad, aad_len, tmp) < 0) { 3516 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame"); 3517 bin_clear_free(tmp, *key_data_len); 3518 return -1; 3519 } 3520 3521 /* AEAD decryption and validation completed successfully */ 3522 (*key_data_len) -= AES_BLOCK_SIZE; 3523 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data", 3524 tmp, *key_data_len); 3525 3526 /* Replace Key Data field with the decrypted version */ 3527 os_memcpy(pos, tmp, *key_data_len); 3528 pos -= 2; /* Key Data Length field */ 3529 WPA_PUT_BE16(pos, *key_data_len); 3530 bin_clear_free(tmp, *key_data_len); 3531 3532 if (sm->tptk_set) { 3533 sm->tptk_set = 0; 3534 sm->ptk_set = 1; 3535 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk)); 3536 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 3537 } 3538 3539 os_memcpy(sm->rx_replay_counter, key->replay_counter, 3540 WPA_REPLAY_COUNTER_LEN); 3541 sm->rx_replay_counter_set = 1; 3542 3543 return 0; 3544 } 3545 #endif /* CONFIG_FILS */ 3546 3547 3548 static int wpa_sm_rx_eapol_wpa(struct wpa_sm *sm, const u8 *src_addr, 3549 struct wpa_eapol_key *key, 3550 enum frame_encryption encrypted, 3551 const u8 *tmp, size_t data_len, 3552 u8 *key_data, size_t key_data_len) 3553 { 3554 u16 key_info, ver; 3555 3556 key_info = WPA_GET_BE16(key->key_info); 3557 3558 if (key->type != EAPOL_KEY_TYPE_WPA) { 3559 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3560 "WPA: Unsupported EAPOL-Key type %d", key->type); 3561 return -1; 3562 } 3563 3564 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 3565 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 3566 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 3567 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3568 "WPA: Unsupported EAPOL-Key descriptor version %d", 3569 ver); 3570 return -1; 3571 } 3572 3573 if (sm->pairwise_cipher == WPA_CIPHER_CCMP && 3574 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 3575 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3576 "WPA: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2", 3577 ver); 3578 if (sm->group_cipher != WPA_CIPHER_CCMP && 3579 !(key_info & WPA_KEY_INFO_KEY_TYPE)) { 3580 /* Earlier versions of IEEE 802.11i did not explicitly 3581 * require version 2 descriptor for all EAPOL-Key 3582 * packets, so allow group keys to use version 1 if 3583 * CCMP is not used for them. */ 3584 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3585 "WPA: Backwards compatibility: allow invalid version for non-CCMP group keys"); 3586 } else 3587 return -1; 3588 } 3589 3590 if ((key_info & WPA_KEY_INFO_MIC) && 3591 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len)) 3592 return -1; 3593 3594 if (key_info & WPA_KEY_INFO_KEY_TYPE) { 3595 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 3596 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3597 "WPA: Ignored EAPOL-Key (Pairwise) with non-zero key index"); 3598 return -1; 3599 } 3600 if (key_info & (WPA_KEY_INFO_MIC | 3601 WPA_KEY_INFO_ENCR_KEY_DATA)) { 3602 /* 3/4 4-Way Handshake */ 3603 wpa_supplicant_process_3_of_4_wpa(sm, key, ver, 3604 key_data, 3605 key_data_len); 3606 } else { 3607 /* 1/4 4-Way Handshake */ 3608 wpa_supplicant_process_1_of_4_wpa(sm, src_addr, key, 3609 ver, key_data, 3610 key_data_len, 3611 encrypted); 3612 } 3613 } else { 3614 if (key_info & WPA_KEY_INFO_MIC) { 3615 /* 1/2 Group Key Handshake */ 3616 wpa_supplicant_process_1_of_2_wpa(sm, src_addr, key, 3617 key_data, 3618 key_data_len, 3619 ver); 3620 } else { 3621 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3622 "WPA: EAPOL-Key (Group) without Mic/Encr bit - dropped"); 3623 } 3624 } 3625 3626 return 1; 3627 } 3628 3629 3630 /** 3631 * wpa_sm_rx_eapol - Process received WPA EAPOL frames 3632 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3633 * @src_addr: Source MAC address of the EAPOL packet 3634 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header) 3635 * @len: Length of the EAPOL frame 3636 * @encrypted: Whether the frame was encrypted 3637 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure 3638 * 3639 * This function is called for each received EAPOL frame. Other than EAPOL-Key 3640 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is 3641 * only processing WPA and WPA2 EAPOL-Key frames. 3642 * 3643 * The received EAPOL-Key packets are validated and valid packets are replied 3644 * to. In addition, key material (PTK, GTK) is configured at the end of a 3645 * successful key handshake. 3646 */ 3647 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr, 3648 const u8 *buf, size_t len, enum frame_encryption encrypted) 3649 { 3650 size_t plen, data_len, key_data_len; 3651 const struct ieee802_1x_hdr *hdr; 3652 struct wpa_eapol_key *key; 3653 u16 key_info, ver; 3654 u8 *tmp = NULL; 3655 int ret = -1; 3656 u8 *mic, *key_data; 3657 size_t mic_len, keyhdrlen, pmk_len; 3658 3659 #ifdef CONFIG_IEEE80211R 3660 sm->ft_completed = 0; 3661 #endif /* CONFIG_IEEE80211R */ 3662 3663 pmk_len = sm->pmk_len; 3664 if (!pmk_len && sm->cur_pmksa) 3665 pmk_len = sm->cur_pmksa->pmk_len; 3666 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len); 3667 keyhdrlen = sizeof(*key) + mic_len + 2; 3668 3669 if (len < sizeof(*hdr) + keyhdrlen) { 3670 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3671 "WPA: EAPOL frame too short to be a WPA " 3672 "EAPOL-Key (len %lu, expecting at least %lu)", 3673 (unsigned long) len, 3674 (unsigned long) sizeof(*hdr) + keyhdrlen); 3675 return 0; 3676 } 3677 3678 hdr = (const struct ieee802_1x_hdr *) buf; 3679 plen = be_to_host16(hdr->length); 3680 data_len = plen + sizeof(*hdr); 3681 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3682 "IEEE 802.1X RX: version=%d type=%d length=%lu", 3683 hdr->version, hdr->type, (unsigned long) plen); 3684 3685 if (hdr->version < EAPOL_VERSION) { 3686 /* TODO: backwards compatibility */ 3687 } 3688 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) { 3689 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3690 "WPA: EAPOL frame (type %u) discarded, " 3691 "not a Key frame", hdr->type); 3692 ret = 0; 3693 goto out; 3694 } 3695 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len); 3696 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) { 3697 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3698 "WPA: EAPOL frame payload size %lu " 3699 "invalid (frame size %lu)", 3700 (unsigned long) plen, (unsigned long) len); 3701 ret = 0; 3702 goto out; 3703 } 3704 if (data_len < len) { 3705 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3706 "WPA: ignoring %lu bytes after the IEEE 802.1X data", 3707 (unsigned long) len - data_len); 3708 } 3709 3710 /* 3711 * Make a copy of the frame since we need to modify the buffer during 3712 * MAC validation and Key Data decryption. 3713 */ 3714 tmp = os_memdup(buf, data_len); 3715 if (tmp == NULL) 3716 goto out; 3717 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr)); 3718 mic = (u8 *) (key + 1); 3719 key_data = mic + mic_len + 2; 3720 3721 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN) 3722 { 3723 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 3724 "WPA: EAPOL-Key type (%d) unknown, discarded", 3725 key->type); 3726 ret = 0; 3727 goto out; 3728 } 3729 3730 key_data_len = WPA_GET_BE16(mic + mic_len); 3731 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len); 3732 3733 if (key_data_len > plen - keyhdrlen) { 3734 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key " 3735 "frame - key_data overflow (%u > %u)", 3736 (unsigned int) key_data_len, 3737 (unsigned int) (plen - keyhdrlen)); 3738 goto out; 3739 } 3740 3741 if (sm->rx_replay_counter_set && 3742 os_memcmp(key->replay_counter, sm->rx_replay_counter, 3743 WPA_REPLAY_COUNTER_LEN) <= 0) { 3744 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3745 "WPA: EAPOL-Key Replay Counter did not increase - dropping packet"); 3746 goto out; 3747 } 3748 3749 eapol_sm_notify_lower_layer_success(sm->eapol, 0); 3750 3751 key_info = WPA_GET_BE16(key->key_info); 3752 3753 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) { 3754 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3755 "WPA: Unsupported SMK bit in key_info"); 3756 goto out; 3757 } 3758 3759 if (!(key_info & WPA_KEY_INFO_ACK)) { 3760 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3761 "WPA: No Ack bit in key_info"); 3762 goto out; 3763 } 3764 3765 if (key_info & WPA_KEY_INFO_REQUEST) { 3766 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3767 "WPA: EAPOL-Key with Request bit - dropped"); 3768 goto out; 3769 } 3770 3771 if (sm->proto == WPA_PROTO_WPA) { 3772 ret = wpa_sm_rx_eapol_wpa(sm, src_addr, key, encrypted, 3773 tmp, data_len, 3774 key_data, key_data_len); 3775 goto out; 3776 } 3777 3778 if (key->type != EAPOL_KEY_TYPE_RSN) { 3779 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3780 "RSN: Unsupported EAPOL-Key type %d", key->type); 3781 goto out; 3782 } 3783 3784 ver = key_info & WPA_KEY_INFO_TYPE_MASK; 3785 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 3786 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 3787 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES && 3788 !wpa_use_akm_defined(sm->key_mgmt)) { 3789 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3790 "RSN: Unsupported EAPOL-Key descriptor version %d", 3791 ver); 3792 goto out; 3793 } 3794 3795 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && 3796 sm->pairwise_cipher != WPA_CIPHER_TKIP) { 3797 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3798 "RSN: EAPOL-Key descriptor version %d not allowed without TKIP as the pairwise cipher", 3799 ver); 3800 goto out; 3801 } 3802 3803 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES && 3804 (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X && 3805 sm->key_mgmt != WPA_KEY_MGMT_PSK)) { 3806 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3807 "RSN: EAPOL-Key descriptor version %d not allowed due to negotiated AKM (0x%x)", 3808 ver, sm->key_mgmt); 3809 goto out; 3810 } 3811 3812 if (wpa_use_akm_defined(sm->key_mgmt) && 3813 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) { 3814 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3815 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)", 3816 ver); 3817 goto out; 3818 } 3819 3820 #ifdef CONFIG_IEEE80211R 3821 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 3822 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */ 3823 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 3824 !wpa_use_akm_defined(sm->key_mgmt)) { 3825 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3826 "FT: AP did not use AES-128-CMAC"); 3827 goto out; 3828 } 3829 } else 3830 #endif /* CONFIG_IEEE80211R */ 3831 if (wpa_key_mgmt_sha256(sm->key_mgmt)) { 3832 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC && 3833 !wpa_use_akm_defined(sm->key_mgmt)) { 3834 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3835 "RSN: AP did not use the negotiated AES-128-CMAC"); 3836 goto out; 3837 } 3838 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP && 3839 !wpa_use_akm_defined(sm->key_mgmt) && 3840 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 3841 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3842 "RSN: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2", ver); 3843 if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) { 3844 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3845 "RSN: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used"); 3846 } else { 3847 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3848 "RSN: Unexpected descriptor version %u", ver); 3849 goto out; 3850 } 3851 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP && 3852 !wpa_use_akm_defined(sm->key_mgmt) && 3853 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) { 3854 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 3855 "RSN: GCMP is used, but EAPOL-Key descriptor version (%d) is not 2", 3856 ver); 3857 goto out; 3858 } 3859 3860 if ((key_info & WPA_KEY_INFO_MIC) && 3861 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len)) 3862 goto out; 3863 3864 #ifdef CONFIG_FILS 3865 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) { 3866 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len)) 3867 goto out; 3868 } 3869 #endif /* CONFIG_FILS */ 3870 3871 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && 3872 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) { 3873 /* 3874 * Only decrypt the Key Data field if the frame's authenticity 3875 * was verified. When using AES-SIV (FILS), the MIC flag is not 3876 * set, so this check should only be performed if mic_len != 0 3877 * which is the case in this code branch. 3878 */ 3879 if (!(key_info & WPA_KEY_INFO_MIC)) { 3880 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3881 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data"); 3882 goto out; 3883 } 3884 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len, 3885 ver, key_data, 3886 &key_data_len)) 3887 goto out; 3888 } 3889 3890 if (key_info & WPA_KEY_INFO_KEY_TYPE) { 3891 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) { 3892 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3893 "RSN: Ignored EAPOL-Key (Pairwise) with non-zero key index"); 3894 goto out; 3895 } 3896 if (key_info & (WPA_KEY_INFO_MIC | 3897 WPA_KEY_INFO_ENCR_KEY_DATA)) { 3898 /* 3/4 4-Way Handshake */ 3899 wpa_supplicant_process_3_of_4(sm, key, ver, key_data, 3900 key_data_len); 3901 } else { 3902 /* 1/4 4-Way Handshake */ 3903 wpa_supplicant_process_1_of_4(sm, src_addr, key, 3904 ver, key_data, 3905 key_data_len, 3906 encrypted); 3907 } 3908 } else { 3909 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) || 3910 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) { 3911 /* 1/2 Group Key Handshake */ 3912 if (sm->mlo.valid_links) 3913 wpa_supplicant_process_mlo_1_of_2(sm, src_addr, 3914 key, key_data, 3915 key_data_len, 3916 ver); 3917 else 3918 wpa_supplicant_process_1_of_2(sm, src_addr, key, 3919 key_data, 3920 key_data_len, 3921 ver); 3922 } else { 3923 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 3924 "RSN: EAPOL-Key (Group) without Mic/Encr bit - dropped"); 3925 } 3926 } 3927 3928 ret = 1; 3929 3930 out: 3931 bin_clear_free(tmp, data_len); 3932 return ret; 3933 } 3934 3935 3936 #ifdef CONFIG_CTRL_IFACE 3937 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm) 3938 { 3939 switch (sm->key_mgmt) { 3940 case WPA_KEY_MGMT_IEEE8021X: 3941 return ((sm->proto == WPA_PROTO_RSN || 3942 sm->proto == WPA_PROTO_OSEN) ? 3943 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X : 3944 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X); 3945 case WPA_KEY_MGMT_PSK: 3946 return (sm->proto == WPA_PROTO_RSN ? 3947 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X : 3948 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X); 3949 #ifdef CONFIG_IEEE80211R 3950 case WPA_KEY_MGMT_FT_IEEE8021X: 3951 return RSN_AUTH_KEY_MGMT_FT_802_1X; 3952 case WPA_KEY_MGMT_FT_PSK: 3953 return RSN_AUTH_KEY_MGMT_FT_PSK; 3954 #endif /* CONFIG_IEEE80211R */ 3955 case WPA_KEY_MGMT_IEEE8021X_SHA256: 3956 return RSN_AUTH_KEY_MGMT_802_1X_SHA256; 3957 case WPA_KEY_MGMT_PSK_SHA256: 3958 return RSN_AUTH_KEY_MGMT_PSK_SHA256; 3959 case WPA_KEY_MGMT_CCKM: 3960 return (sm->proto == WPA_PROTO_RSN ? 3961 RSN_AUTH_KEY_MGMT_CCKM: 3962 WPA_AUTH_KEY_MGMT_CCKM); 3963 case WPA_KEY_MGMT_WPA_NONE: 3964 return WPA_AUTH_KEY_MGMT_NONE; 3965 case WPA_KEY_MGMT_IEEE8021X_SUITE_B: 3966 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B; 3967 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192: 3968 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192; 3969 case WPA_KEY_MGMT_IEEE8021X_SHA384: 3970 return RSN_AUTH_KEY_MGMT_802_1X_SHA384; 3971 default: 3972 return 0; 3973 } 3974 } 3975 3976 3977 #define RSN_SUITE "%02x-%02x-%02x-%d" 3978 #define RSN_SUITE_ARG(s) \ 3979 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff 3980 3981 /** 3982 * wpa_sm_get_mib - Dump text list of MIB entries 3983 * @sm: Pointer to WPA state machine data from wpa_sm_init() 3984 * @buf: Buffer for the list 3985 * @buflen: Length of the buffer 3986 * Returns: Number of bytes written to buffer 3987 * 3988 * This function is used fetch dot11 MIB variables. 3989 */ 3990 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen) 3991 { 3992 char pmkid_txt[PMKID_LEN * 2 + 1]; 3993 bool rsna; 3994 int ret; 3995 size_t len; 3996 3997 if (sm->cur_pmksa) { 3998 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt), 3999 sm->cur_pmksa->pmkid, PMKID_LEN); 4000 } else 4001 pmkid_txt[0] = '\0'; 4002 4003 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) || 4004 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) && 4005 sm->proto == WPA_PROTO_RSN; 4006 4007 ret = os_snprintf(buf, buflen, 4008 "dot11RSNAOptionImplemented=TRUE\n" 4009 "dot11RSNAPreauthenticationImplemented=TRUE\n" 4010 "dot11RSNAEnabled=%s\n" 4011 "dot11RSNAPreauthenticationEnabled=%s\n" 4012 "dot11RSNAConfigVersion=%d\n" 4013 "dot11RSNAConfigPairwiseKeysSupported=5\n" 4014 "dot11RSNAConfigGroupCipherSize=%d\n" 4015 "dot11RSNAConfigPMKLifetime=%d\n" 4016 "dot11RSNAConfigPMKReauthThreshold=%d\n" 4017 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n" 4018 "dot11RSNAConfigSATimeout=%d\n", 4019 rsna ? "TRUE" : "FALSE", 4020 rsna ? "TRUE" : "FALSE", 4021 RSN_VERSION, 4022 wpa_cipher_key_len(sm->group_cipher) * 8, 4023 sm->dot11RSNAConfigPMKLifetime, 4024 sm->dot11RSNAConfigPMKReauthThreshold, 4025 sm->dot11RSNAConfigSATimeout); 4026 if (os_snprintf_error(buflen, ret)) 4027 return 0; 4028 len = ret; 4029 4030 ret = os_snprintf( 4031 buf + len, buflen - len, 4032 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n" 4033 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n" 4034 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n" 4035 "dot11RSNAPMKIDUsed=%s\n" 4036 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n" 4037 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n" 4038 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n" 4039 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n" 4040 "dot11RSNA4WayHandshakeFailures=%u\n", 4041 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)), 4042 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 4043 sm->pairwise_cipher)), 4044 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 4045 sm->group_cipher)), 4046 pmkid_txt, 4047 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)), 4048 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 4049 sm->pairwise_cipher)), 4050 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto, 4051 sm->group_cipher)), 4052 sm->dot11RSNA4WayHandshakeFailures); 4053 if (!os_snprintf_error(buflen - len, ret)) 4054 len += ret; 4055 4056 return (int) len; 4057 } 4058 #endif /* CONFIG_CTRL_IFACE */ 4059 4060 4061 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, 4062 void *ctx, enum pmksa_free_reason reason) 4063 { 4064 struct wpa_sm *sm = ctx; 4065 int deauth = 0; 4066 4067 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: " 4068 MACSTR " reason=%d", MAC2STR(entry->aa), reason); 4069 4070 if (sm->cur_pmksa == entry) { 4071 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 4072 "RSN: %s current PMKSA entry", 4073 reason == PMKSA_REPLACE ? "replaced" : "removed"); 4074 pmksa_cache_clear_current(sm); 4075 4076 /* 4077 * If an entry is simply being replaced, there's no need to 4078 * deauthenticate because it will be immediately re-added. 4079 * This happens when EAP authentication is completed again 4080 * (reauth or failed PMKSA caching attempt). 4081 */ 4082 if (reason != PMKSA_REPLACE) 4083 deauth = 1; 4084 } 4085 4086 if (reason == PMKSA_EXPIRE && 4087 (sm->pmk_len == entry->pmk_len && 4088 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) { 4089 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 4090 "RSN: deauthenticating due to expired PMK"); 4091 pmksa_cache_clear_current(sm); 4092 deauth = 1; 4093 } 4094 4095 if (deauth) { 4096 sm->pmk_len = 0; 4097 os_memset(sm->pmk, 0, sizeof(sm->pmk)); 4098 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED); 4099 } 4100 } 4101 4102 4103 static bool wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry *entry, 4104 void *ctx) 4105 { 4106 struct wpa_sm *sm = ctx; 4107 4108 return sm->cur_pmksa == entry; 4109 } 4110 4111 4112 static void wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry *entry, 4113 void *ctx) 4114 { 4115 struct wpa_sm *sm = ctx; 4116 4117 wpa_sm_notify_pmksa_cache_entry(sm, entry); 4118 } 4119 4120 4121 /** 4122 * wpa_sm_init - Initialize WPA state machine 4123 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer 4124 * Returns: Pointer to the allocated WPA state machine data 4125 * 4126 * This function is used to allocate a new WPA state machine and the returned 4127 * value is passed to all WPA state machine calls. 4128 */ 4129 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx) 4130 { 4131 struct wpa_sm *sm; 4132 4133 sm = os_zalloc(sizeof(*sm)); 4134 if (sm == NULL) 4135 return NULL; 4136 dl_list_init(&sm->pmksa_candidates); 4137 sm->renew_snonce = 1; 4138 sm->ctx = ctx; 4139 4140 sm->dot11RSNAConfigPMKLifetime = 43200; 4141 sm->dot11RSNAConfigPMKReauthThreshold = 70; 4142 sm->dot11RSNAConfigSATimeout = 60; 4143 4144 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, 4145 wpa_sm_pmksa_is_current_cb, 4146 wpa_sm_pmksa_notify_cb, sm, sm); 4147 if (sm->pmksa == NULL) { 4148 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR, 4149 "RSN: PMKSA cache initialization failed"); 4150 os_free(sm); 4151 return NULL; 4152 } 4153 4154 return sm; 4155 } 4156 4157 4158 /** 4159 * wpa_sm_deinit - Deinitialize WPA state machine 4160 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4161 */ 4162 void wpa_sm_deinit(struct wpa_sm *sm) 4163 { 4164 int i; 4165 4166 if (sm == NULL) 4167 return; 4168 pmksa_cache_deinit(sm->pmksa); 4169 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL); 4170 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 4171 os_free(sm->assoc_wpa_ie); 4172 os_free(sm->assoc_rsnxe); 4173 os_free(sm->ap_wpa_ie); 4174 os_free(sm->ap_rsn_ie); 4175 os_free(sm->ap_rsnxe); 4176 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) { 4177 os_free(sm->mlo.links[i].ap_rsne); 4178 os_free(sm->mlo.links[i].ap_rsnxe); 4179 } 4180 wpa_sm_drop_sa(sm); 4181 os_free(sm->ctx); 4182 #ifdef CONFIG_IEEE80211R 4183 os_free(sm->assoc_resp_ies); 4184 #endif /* CONFIG_IEEE80211R */ 4185 #ifdef CONFIG_TESTING_OPTIONS 4186 wpabuf_free(sm->test_assoc_ie); 4187 wpabuf_free(sm->test_eapol_m2_elems); 4188 wpabuf_free(sm->test_eapol_m4_elems); 4189 #endif /* CONFIG_TESTING_OPTIONS */ 4190 #ifdef CONFIG_FILS_SK_PFS 4191 crypto_ecdh_deinit(sm->fils_ecdh); 4192 #endif /* CONFIG_FILS_SK_PFS */ 4193 #ifdef CONFIG_FILS 4194 wpabuf_free(sm->fils_ft_ies); 4195 #endif /* CONFIG_FILS */ 4196 #ifdef CONFIG_OWE 4197 crypto_ecdh_deinit(sm->owe_ecdh); 4198 #endif /* CONFIG_OWE */ 4199 #ifdef CONFIG_DPP2 4200 wpabuf_clear_free(sm->dpp_z); 4201 #endif /* CONFIG_DPP2 */ 4202 os_free(sm); 4203 } 4204 4205 4206 static void wpa_sm_clear_ptk(struct wpa_sm *sm) 4207 { 4208 int i; 4209 4210 sm->ptk_set = 0; 4211 os_memset(&sm->ptk, 0, sizeof(sm->ptk)); 4212 sm->tptk_set = 0; 4213 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 4214 os_memset(&sm->gtk, 0, sizeof(sm->gtk)); 4215 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep)); 4216 os_memset(&sm->igtk, 0, sizeof(sm->igtk)); 4217 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep)); 4218 os_memset(&sm->bigtk, 0, sizeof(sm->bigtk)); 4219 os_memset(&sm->bigtk_wnm_sleep, 0, sizeof(sm->bigtk_wnm_sleep)); 4220 sm->tk_set = false; 4221 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) { 4222 os_memset(&sm->mlo.links[i].gtk, 0, 4223 sizeof(sm->mlo.links[i].gtk)); 4224 os_memset(&sm->mlo.links[i].gtk_wnm_sleep, 0, 4225 sizeof(sm->mlo.links[i].gtk_wnm_sleep)); 4226 os_memset(&sm->mlo.links[i].igtk, 0, 4227 sizeof(sm->mlo.links[i].igtk)); 4228 os_memset(&sm->mlo.links[i].igtk_wnm_sleep, 0, 4229 sizeof(sm->mlo.links[i].igtk_wnm_sleep)); 4230 os_memset(&sm->mlo.links[i].bigtk, 0, 4231 sizeof(sm->mlo.links[i].bigtk)); 4232 os_memset(&sm->mlo.links[i].bigtk_wnm_sleep, 0, 4233 sizeof(sm->mlo.links[i].bigtk_wnm_sleep)); 4234 } 4235 } 4236 4237 4238 /** 4239 * wpa_sm_notify_assoc - Notify WPA state machine about association 4240 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4241 * @bssid: The BSSID of the new association 4242 * 4243 * This function is called to let WPA state machine know that the connection 4244 * was established. 4245 */ 4246 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid) 4247 { 4248 int clear_keys = 1; 4249 4250 if (sm == NULL) 4251 return; 4252 4253 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 4254 "WPA: Association event - clear replay counter"); 4255 os_memcpy(sm->bssid, bssid, ETH_ALEN); 4256 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN); 4257 sm->rx_replay_counter_set = 0; 4258 sm->renew_snonce = 1; 4259 if (ether_addr_equal(sm->preauth_bssid, bssid)) 4260 rsn_preauth_deinit(sm); 4261 4262 #ifdef CONFIG_IEEE80211R 4263 if (wpa_ft_is_completed(sm)) { 4264 /* 4265 * Clear portValid to kick EAPOL state machine to re-enter 4266 * AUTHENTICATED state to get the EAPOL port Authorized. 4267 */ 4268 eapol_sm_notify_portValid(sm->eapol, false); 4269 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); 4270 4271 /* Prepare for the next transition */ 4272 wpa_ft_prepare_auth_request(sm, NULL); 4273 4274 clear_keys = 0; 4275 sm->ft_protocol = 1; 4276 } else { 4277 sm->ft_protocol = 0; 4278 } 4279 #endif /* CONFIG_IEEE80211R */ 4280 #ifdef CONFIG_FILS 4281 if (sm->fils_completed) { 4282 /* 4283 * Clear portValid to kick EAPOL state machine to re-enter 4284 * AUTHENTICATED state to get the EAPOL port Authorized. 4285 */ 4286 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1); 4287 clear_keys = 0; 4288 } 4289 #endif /* CONFIG_FILS */ 4290 4291 if (clear_keys) { 4292 /* 4293 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if 4294 * this is not part of a Fast BSS Transition. 4295 */ 4296 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK"); 4297 wpa_sm_clear_ptk(sm); 4298 } 4299 4300 #ifdef CONFIG_TDLS 4301 wpa_tdls_assoc(sm); 4302 #endif /* CONFIG_TDLS */ 4303 4304 #ifdef CONFIG_P2P 4305 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr)); 4306 #endif /* CONFIG_P2P */ 4307 4308 sm->keyidx_active = 0; 4309 } 4310 4311 4312 /** 4313 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation 4314 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4315 * 4316 * This function is called to let WPA state machine know that the connection 4317 * was lost. This will abort any existing pre-authentication session. 4318 */ 4319 void wpa_sm_notify_disassoc(struct wpa_sm *sm) 4320 { 4321 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL); 4322 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL); 4323 rsn_preauth_deinit(sm); 4324 pmksa_cache_clear_current(sm); 4325 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE) 4326 sm->dot11RSNA4WayHandshakeFailures++; 4327 #ifdef CONFIG_TDLS 4328 wpa_tdls_disassoc(sm); 4329 #endif /* CONFIG_TDLS */ 4330 #ifdef CONFIG_FILS 4331 sm->fils_completed = 0; 4332 #endif /* CONFIG_FILS */ 4333 #ifdef CONFIG_IEEE80211R 4334 sm->ft_reassoc_completed = 0; 4335 sm->ft_protocol = 0; 4336 #endif /* CONFIG_IEEE80211R */ 4337 4338 /* Keys are not needed in the WPA state machine anymore */ 4339 wpa_sm_drop_sa(sm); 4340 sm->keyidx_active = 0; 4341 4342 sm->msg_3_of_4_ok = 0; 4343 os_memset(sm->bssid, 0, ETH_ALEN); 4344 } 4345 4346 4347 /** 4348 * wpa_sm_set_pmk - Set PMK 4349 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4350 * @pmk: The new PMK 4351 * @pmk_len: The length of the new PMK in bytes 4352 * @pmkid: Calculated PMKID 4353 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK 4354 * 4355 * Configure the PMK for WPA state machine. 4356 */ 4357 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 4358 const u8 *pmkid, const u8 *bssid) 4359 { 4360 if (sm == NULL) 4361 return; 4362 4363 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data", 4364 pmk, pmk_len); 4365 sm->pmk_len = pmk_len; 4366 os_memcpy(sm->pmk, pmk, pmk_len); 4367 4368 #ifdef CONFIG_IEEE80211R 4369 /* Set XXKey to be PSK for FT key derivation */ 4370 sm->xxkey_len = pmk_len; 4371 os_memcpy(sm->xxkey, pmk, pmk_len); 4372 #endif /* CONFIG_IEEE80211R */ 4373 4374 if (bssid) { 4375 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, 4376 pmkid, NULL, 0, bssid, 4377 sm->own_addr, 4378 sm->network_ctx, sm->key_mgmt, 4379 NULL); 4380 } 4381 } 4382 4383 4384 /** 4385 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA 4386 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4387 * 4388 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK 4389 * will be cleared. 4390 */ 4391 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm) 4392 { 4393 if (sm == NULL) 4394 return; 4395 4396 if (sm->cur_pmksa) { 4397 wpa_hexdump_key(MSG_DEBUG, 4398 "WPA: Set PMK based on current PMKSA", 4399 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len); 4400 sm->pmk_len = sm->cur_pmksa->pmk_len; 4401 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len); 4402 } else { 4403 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK"); 4404 sm->pmk_len = 0; 4405 os_memset(sm->pmk, 0, PMK_LEN_MAX); 4406 } 4407 } 4408 4409 4410 /** 4411 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled 4412 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4413 * @fast_reauth: Whether fast reauthentication (EAP) is allowed 4414 */ 4415 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth) 4416 { 4417 if (sm) 4418 sm->fast_reauth = fast_reauth; 4419 } 4420 4421 4422 /** 4423 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks 4424 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4425 * @scard_ctx: Context pointer for smartcard related callback functions 4426 */ 4427 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx) 4428 { 4429 if (sm == NULL) 4430 return; 4431 sm->scard_ctx = scard_ctx; 4432 if (sm->preauth_eapol) 4433 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx); 4434 } 4435 4436 4437 /** 4438 * wpa_sm_set_config - Notification of current configuration change 4439 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4440 * @config: Pointer to current network configuration 4441 * 4442 * Notify WPA state machine that configuration has changed. config will be 4443 * stored as a backpointer to network configuration. This can be %NULL to clear 4444 * the stored pointed. 4445 */ 4446 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config) 4447 { 4448 if (!sm) 4449 return; 4450 4451 if (config) { 4452 sm->network_ctx = config->network_ctx; 4453 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher; 4454 sm->proactive_key_caching = config->proactive_key_caching; 4455 sm->eap_workaround = config->eap_workaround; 4456 sm->eap_conf_ctx = config->eap_conf_ctx; 4457 if (config->ssid) { 4458 os_memcpy(sm->ssid, config->ssid, config->ssid_len); 4459 sm->ssid_len = config->ssid_len; 4460 } else 4461 sm->ssid_len = 0; 4462 sm->wpa_ptk_rekey = config->wpa_ptk_rekey; 4463 sm->p2p = config->p2p; 4464 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation; 4465 sm->owe_ptk_workaround = config->owe_ptk_workaround; 4466 sm->force_kdk_derivation = config->force_kdk_derivation; 4467 #ifdef CONFIG_FILS 4468 if (config->fils_cache_id) { 4469 sm->fils_cache_id_set = 1; 4470 os_memcpy(sm->fils_cache_id, config->fils_cache_id, 4471 FILS_CACHE_ID_LEN); 4472 } else { 4473 sm->fils_cache_id_set = 0; 4474 } 4475 #endif /* CONFIG_FILS */ 4476 sm->beacon_prot = config->beacon_prot; 4477 } else { 4478 sm->network_ctx = NULL; 4479 sm->allowed_pairwise_cipher = 0; 4480 sm->proactive_key_caching = 0; 4481 sm->eap_workaround = 0; 4482 sm->eap_conf_ctx = NULL; 4483 sm->ssid_len = 0; 4484 sm->wpa_ptk_rekey = 0; 4485 sm->p2p = 0; 4486 sm->wpa_rsc_relaxation = 0; 4487 sm->owe_ptk_workaround = 0; 4488 sm->beacon_prot = 0; 4489 sm->force_kdk_derivation = false; 4490 } 4491 } 4492 4493 4494 void wpa_sm_set_ssid(struct wpa_sm *sm, const u8 *ssid, size_t ssid_len) 4495 { 4496 if (!sm) 4497 return; 4498 4499 if (ssid) { 4500 os_memcpy(sm->ssid, ssid, ssid_len); 4501 sm->ssid_len = ssid_len; 4502 } else { 4503 sm->ssid_len = 0; 4504 } 4505 } 4506 4507 4508 int wpa_sm_set_mlo_params(struct wpa_sm *sm, const struct wpa_sm_mlo *mlo) 4509 { 4510 int i; 4511 4512 if (!sm) 4513 return -1; 4514 4515 os_memcpy(sm->mlo.ap_mld_addr, mlo->ap_mld_addr, ETH_ALEN); 4516 sm->mlo.assoc_link_id = mlo->assoc_link_id; 4517 sm->mlo.valid_links = mlo->valid_links; 4518 sm->mlo.req_links = mlo->req_links; 4519 4520 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) { 4521 const u8 *ie; 4522 size_t len; 4523 4524 if (sm->mlo.req_links & BIT(i)) { 4525 if (!mlo->links[i].ap_rsne || 4526 mlo->links[i].ap_rsne_len == 0) { 4527 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, 4528 "RSN: No RSNE for AP MLO link %d with BSSID " 4529 MACSTR, 4530 i, MAC2STR(mlo->links[i].bssid)); 4531 return -1; 4532 4533 } 4534 os_memcpy(sm->mlo.links[i].addr, mlo->links[i].addr, 4535 ETH_ALEN); 4536 os_memcpy(sm->mlo.links[i].bssid, mlo->links[i].bssid, 4537 ETH_ALEN); 4538 } 4539 4540 ie = mlo->links[i].ap_rsne; 4541 len = mlo->links[i].ap_rsne_len; 4542 os_free(sm->mlo.links[i].ap_rsne); 4543 if (!ie || len == 0) { 4544 if (sm->mlo.links[i].ap_rsne) 4545 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 4546 "RSN: Clearing MLO link[%u] AP RSNE", 4547 i); 4548 sm->mlo.links[i].ap_rsne = NULL; 4549 sm->mlo.links[i].ap_rsne_len = 0; 4550 } else { 4551 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNE", 4552 ie, len); 4553 sm->mlo.links[i].ap_rsne = os_memdup(ie, len); 4554 if (!sm->mlo.links[i].ap_rsne) { 4555 sm->mlo.links[i].ap_rsne_len = 0; 4556 return -1; 4557 } 4558 sm->mlo.links[i].ap_rsne_len = len; 4559 } 4560 4561 ie = mlo->links[i].ap_rsnxe; 4562 len = mlo->links[i].ap_rsnxe_len; 4563 os_free(sm->mlo.links[i].ap_rsnxe); 4564 if (!ie || len == 0) { 4565 if (sm->mlo.links[i].ap_rsnxe) 4566 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 4567 "RSN: Clearing MLO link[%u] AP RSNXE", 4568 i); 4569 sm->mlo.links[i].ap_rsnxe = NULL; 4570 sm->mlo.links[i].ap_rsnxe_len = 0; 4571 } else { 4572 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNXE", ie, 4573 len); 4574 sm->mlo.links[i].ap_rsnxe = os_memdup(ie, len); 4575 if (!sm->mlo.links[i].ap_rsnxe) { 4576 sm->mlo.links[i].ap_rsnxe_len = 0; 4577 return -1; 4578 } 4579 sm->mlo.links[i].ap_rsnxe_len = len; 4580 } 4581 } 4582 4583 return 0; 4584 } 4585 4586 4587 /** 4588 * wpa_sm_set_own_addr - Set own MAC address 4589 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4590 * @addr: Own MAC address 4591 */ 4592 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr) 4593 { 4594 if (sm) 4595 os_memcpy(sm->own_addr, addr, ETH_ALEN); 4596 } 4597 4598 4599 /** 4600 * wpa_sm_set_ifname - Set network interface name 4601 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4602 * @ifname: Interface name 4603 * @bridge_ifname: Optional bridge interface name (for pre-auth) 4604 */ 4605 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname, 4606 const char *bridge_ifname) 4607 { 4608 if (sm) { 4609 sm->ifname = ifname; 4610 sm->bridge_ifname = bridge_ifname; 4611 } 4612 } 4613 4614 4615 /** 4616 * wpa_sm_set_eapol - Set EAPOL state machine pointer 4617 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4618 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init() 4619 */ 4620 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol) 4621 { 4622 if (sm) 4623 sm->eapol = eapol; 4624 } 4625 4626 4627 /** 4628 * wpa_sm_set_param - Set WPA state machine parameters 4629 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4630 * @param: Parameter field 4631 * @value: Parameter value 4632 * Returns: 0 on success, -1 on failure 4633 */ 4634 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param, 4635 unsigned int value) 4636 { 4637 int ret = 0; 4638 4639 if (sm == NULL) 4640 return -1; 4641 4642 switch (param) { 4643 case RSNA_PMK_LIFETIME: 4644 if (value > 0) 4645 sm->dot11RSNAConfigPMKLifetime = value; 4646 else 4647 ret = -1; 4648 break; 4649 case RSNA_PMK_REAUTH_THRESHOLD: 4650 if (value > 0 && value <= 100) 4651 sm->dot11RSNAConfigPMKReauthThreshold = value; 4652 else 4653 ret = -1; 4654 break; 4655 case RSNA_SA_TIMEOUT: 4656 if (value > 0) 4657 sm->dot11RSNAConfigSATimeout = value; 4658 else 4659 ret = -1; 4660 break; 4661 case WPA_PARAM_PROTO: 4662 sm->proto = value; 4663 break; 4664 case WPA_PARAM_PAIRWISE: 4665 sm->pairwise_cipher = value; 4666 break; 4667 case WPA_PARAM_GROUP: 4668 sm->group_cipher = value; 4669 break; 4670 case WPA_PARAM_KEY_MGMT: 4671 sm->key_mgmt = value; 4672 break; 4673 case WPA_PARAM_MGMT_GROUP: 4674 sm->mgmt_group_cipher = value; 4675 break; 4676 case WPA_PARAM_RSN_ENABLED: 4677 sm->rsn_enabled = value; 4678 break; 4679 case WPA_PARAM_MFP: 4680 sm->mfp = value; 4681 break; 4682 case WPA_PARAM_OCV: 4683 sm->ocv = value; 4684 break; 4685 case WPA_PARAM_SAE_PWE: 4686 sm->sae_pwe = value; 4687 break; 4688 case WPA_PARAM_SAE_PK: 4689 sm->sae_pk = value; 4690 break; 4691 case WPA_PARAM_DENY_PTK0_REKEY: 4692 sm->wpa_deny_ptk0_rekey = value; 4693 break; 4694 case WPA_PARAM_EXT_KEY_ID: 4695 sm->ext_key_id = value; 4696 break; 4697 case WPA_PARAM_USE_EXT_KEY_ID: 4698 sm->use_ext_key_id = value; 4699 break; 4700 #ifdef CONFIG_TESTING_OPTIONS 4701 case WPA_PARAM_FT_RSNXE_USED: 4702 sm->ft_rsnxe_used = value; 4703 break; 4704 case WPA_PARAM_OCI_FREQ_EAPOL: 4705 sm->oci_freq_override_eapol = value; 4706 break; 4707 case WPA_PARAM_OCI_FREQ_EAPOL_G2: 4708 sm->oci_freq_override_eapol_g2 = value; 4709 break; 4710 case WPA_PARAM_OCI_FREQ_FT_ASSOC: 4711 sm->oci_freq_override_ft_assoc = value; 4712 break; 4713 case WPA_PARAM_OCI_FREQ_FILS_ASSOC: 4714 sm->oci_freq_override_fils_assoc = value; 4715 break; 4716 case WPA_PARAM_DISABLE_EAPOL_G2_TX: 4717 sm->disable_eapol_g2_tx = value; 4718 break; 4719 case WPA_PARAM_ENCRYPT_EAPOL_M2: 4720 sm->encrypt_eapol_m2 = value; 4721 break; 4722 case WPA_PARAM_ENCRYPT_EAPOL_M4: 4723 sm->encrypt_eapol_m4 = value; 4724 break; 4725 #endif /* CONFIG_TESTING_OPTIONS */ 4726 #ifdef CONFIG_DPP2 4727 case WPA_PARAM_DPP_PFS: 4728 sm->dpp_pfs = value; 4729 break; 4730 #endif /* CONFIG_DPP2 */ 4731 case WPA_PARAM_WMM_ENABLED: 4732 sm->wmm_enabled = value; 4733 break; 4734 case WPA_PARAM_FT_PREPEND_PMKID: 4735 sm->ft_prepend_pmkid = value; 4736 break; 4737 case WPA_PARAM_SSID_PROTECTION: 4738 sm->ssid_protection = value; 4739 break; 4740 default: 4741 break; 4742 } 4743 4744 return ret; 4745 } 4746 4747 4748 /** 4749 * wpa_sm_get_status - Get WPA state machine 4750 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4751 * @buf: Buffer for status information 4752 * @buflen: Maximum buffer length 4753 * @verbose: Whether to include verbose status information 4754 * Returns: Number of bytes written to buf. 4755 * 4756 * Query WPA state machine for status information. This function fills in 4757 * a text area with current status information. If the buffer (buf) is not 4758 * large enough, status information will be truncated to fit the buffer. 4759 */ 4760 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen, 4761 int verbose) 4762 { 4763 char *pos = buf, *end = buf + buflen; 4764 int ret; 4765 4766 ret = os_snprintf(pos, end - pos, 4767 "pairwise_cipher=%s\n" 4768 "group_cipher=%s\n" 4769 "key_mgmt=%s\n", 4770 wpa_cipher_txt(sm->pairwise_cipher), 4771 wpa_cipher_txt(sm->group_cipher), 4772 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto)); 4773 if (os_snprintf_error(end - pos, ret)) 4774 return pos - buf; 4775 pos += ret; 4776 4777 #ifdef CONFIG_DPP2 4778 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) { 4779 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n"); 4780 if (os_snprintf_error(end - pos, ret)) 4781 return pos - buf; 4782 pos += ret; 4783 } 4784 #endif /* CONFIG_DPP2 */ 4785 4786 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) { 4787 struct wpa_ie_data rsn; 4788 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) 4789 >= 0 && 4790 rsn.capabilities & (WPA_CAPABILITY_MFPR | 4791 WPA_CAPABILITY_MFPC)) { 4792 ret = os_snprintf(pos, end - pos, "pmf=%d\n" 4793 "mgmt_group_cipher=%s\n", 4794 (rsn.capabilities & 4795 WPA_CAPABILITY_MFPR) ? 2 : 1, 4796 wpa_cipher_txt( 4797 sm->mgmt_group_cipher)); 4798 if (os_snprintf_error(end - pos, ret)) 4799 return pos - buf; 4800 pos += ret; 4801 } 4802 } 4803 4804 return pos - buf; 4805 } 4806 4807 4808 int wpa_sm_pmf_enabled(struct wpa_sm *sm) 4809 { 4810 struct wpa_ie_data rsn; 4811 4812 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie) 4813 return 0; 4814 4815 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 && 4816 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC)) 4817 return 1; 4818 4819 return 0; 4820 } 4821 4822 4823 int wpa_sm_ext_key_id(struct wpa_sm *sm) 4824 { 4825 return sm ? sm->ext_key_id : 0; 4826 } 4827 4828 4829 int wpa_sm_ext_key_id_active(struct wpa_sm *sm) 4830 { 4831 return sm ? sm->use_ext_key_id : 0; 4832 } 4833 4834 4835 int wpa_sm_ocv_enabled(struct wpa_sm *sm) 4836 { 4837 struct wpa_ie_data rsn; 4838 4839 if (!sm->ocv || !sm->ap_rsn_ie) 4840 return 0; 4841 4842 return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, 4843 &rsn) >= 0 && 4844 (rsn.capabilities & WPA_CAPABILITY_OCVC); 4845 } 4846 4847 4848 /** 4849 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration 4850 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4851 * @wpa_ie: Pointer to buffer for WPA/RSN IE 4852 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer 4853 * Returns: 0 on success, -1 on failure 4854 */ 4855 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie, 4856 size_t *wpa_ie_len) 4857 { 4858 int res; 4859 4860 if (sm == NULL) 4861 return -1; 4862 4863 #ifdef CONFIG_TESTING_OPTIONS 4864 if (sm->test_assoc_ie) { 4865 wpa_printf(MSG_DEBUG, 4866 "TESTING: Replace association WPA/RSN IE"); 4867 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie)) 4868 return -1; 4869 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie), 4870 wpabuf_len(sm->test_assoc_ie)); 4871 res = wpabuf_len(sm->test_assoc_ie); 4872 } else 4873 #endif /* CONFIG_TESTING_OPTIONS */ 4874 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len); 4875 if (res < 0) 4876 return -1; 4877 *wpa_ie_len = res; 4878 4879 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default", 4880 wpa_ie, *wpa_ie_len); 4881 4882 if (sm->assoc_wpa_ie == NULL) { 4883 /* 4884 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets 4885 * the correct version of the IE even if PMKSA caching is 4886 * aborted (which would remove PMKID from IE generation). 4887 */ 4888 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len); 4889 if (sm->assoc_wpa_ie == NULL) 4890 return -1; 4891 4892 sm->assoc_wpa_ie_len = *wpa_ie_len; 4893 } else { 4894 wpa_hexdump(MSG_DEBUG, 4895 "WPA: Leave previously set WPA IE default", 4896 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 4897 } 4898 4899 return 0; 4900 } 4901 4902 4903 /** 4904 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq 4905 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4906 * @ie: Pointer to IE data (starting from id) 4907 * @len: IE length 4908 * Returns: 0 on success, -1 on failure 4909 * 4910 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association 4911 * Request frame. The IE will be used to override the default value generated 4912 * with wpa_sm_set_assoc_wpa_ie_default(). 4913 */ 4914 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 4915 { 4916 if (sm == NULL) 4917 return -1; 4918 4919 os_free(sm->assoc_wpa_ie); 4920 if (ie == NULL || len == 0) { 4921 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 4922 "WPA: clearing own WPA/RSN IE"); 4923 sm->assoc_wpa_ie = NULL; 4924 sm->assoc_wpa_ie_len = 0; 4925 } else { 4926 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len); 4927 sm->assoc_wpa_ie = os_memdup(ie, len); 4928 if (sm->assoc_wpa_ie == NULL) 4929 return -1; 4930 4931 sm->assoc_wpa_ie_len = len; 4932 } 4933 4934 return 0; 4935 } 4936 4937 4938 /** 4939 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration 4940 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4941 * @rsnxe: Pointer to buffer for RSNXE 4942 * @rsnxe_len: Pointer to the length of the rsne buffer 4943 * Returns: 0 on success, -1 on failure 4944 */ 4945 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe, 4946 size_t *rsnxe_len) 4947 { 4948 int res; 4949 4950 if (!sm) 4951 return -1; 4952 4953 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len); 4954 if (res < 0) 4955 return -1; 4956 *rsnxe_len = res; 4957 4958 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len); 4959 4960 if (sm->assoc_rsnxe) { 4961 wpa_hexdump(MSG_DEBUG, 4962 "RSN: Leave previously set RSNXE default", 4963 sm->assoc_rsnxe, sm->assoc_rsnxe_len); 4964 } else if (*rsnxe_len > 0) { 4965 /* 4966 * Make a copy of the RSNXE so that 4-Way Handshake gets the 4967 * correct version of the IE even if it gets changed. 4968 */ 4969 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len); 4970 if (!sm->assoc_rsnxe) 4971 return -1; 4972 4973 sm->assoc_rsnxe_len = *rsnxe_len; 4974 } 4975 4976 return 0; 4977 } 4978 4979 4980 /** 4981 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq 4982 * @sm: Pointer to WPA state machine data from wpa_sm_init() 4983 * @ie: Pointer to IE data (starting from id) 4984 * @len: IE length 4985 * Returns: 0 on success, -1 on failure 4986 * 4987 * Inform WPA state machine about the RSNXE used in (Re)Association Request 4988 * frame. The IE will be used to override the default value generated 4989 * with wpa_sm_set_assoc_rsnxe_default(). 4990 */ 4991 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len) 4992 { 4993 if (!sm) 4994 return -1; 4995 4996 os_free(sm->assoc_rsnxe); 4997 if (!ie || len == 0) { 4998 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 4999 "RSN: clearing own RSNXE"); 5000 sm->assoc_rsnxe = NULL; 5001 sm->assoc_rsnxe_len = 0; 5002 } else { 5003 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len); 5004 sm->assoc_rsnxe = os_memdup(ie, len); 5005 if (!sm->assoc_rsnxe) 5006 return -1; 5007 5008 sm->assoc_rsnxe_len = len; 5009 } 5010 5011 if (sm->ssid_protection && 5012 !ieee802_11_rsnx_capab(sm->assoc_rsnxe, 5013 WLAN_RSNX_CAPAB_SSID_PROTECTION)) { 5014 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 5015 "RSN: Disabling SSID protection based on own RSNXE update"); 5016 sm->ssid_protection = 0; 5017 } 5018 5019 return 0; 5020 } 5021 5022 5023 /** 5024 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp 5025 * @sm: Pointer to WPA state machine data from wpa_sm_init() 5026 * @ie: Pointer to IE data (starting from id) 5027 * @len: IE length 5028 * Returns: 0 on success, -1 on failure 5029 * 5030 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response 5031 * frame. 5032 */ 5033 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 5034 { 5035 if (sm == NULL) 5036 return -1; 5037 5038 os_free(sm->ap_wpa_ie); 5039 if (ie == NULL || len == 0) { 5040 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 5041 "WPA: clearing AP WPA IE"); 5042 sm->ap_wpa_ie = NULL; 5043 sm->ap_wpa_ie_len = 0; 5044 } else { 5045 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len); 5046 sm->ap_wpa_ie = os_memdup(ie, len); 5047 if (sm->ap_wpa_ie == NULL) 5048 return -1; 5049 5050 sm->ap_wpa_ie_len = len; 5051 } 5052 5053 return 0; 5054 } 5055 5056 5057 /** 5058 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp 5059 * @sm: Pointer to WPA state machine data from wpa_sm_init() 5060 * @ie: Pointer to IE data (starting from id) 5061 * @len: IE length 5062 * Returns: 0 on success, -1 on failure 5063 * 5064 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response 5065 * frame. 5066 */ 5067 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len) 5068 { 5069 if (sm == NULL) 5070 return -1; 5071 5072 os_free(sm->ap_rsn_ie); 5073 if (ie == NULL || len == 0) { 5074 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 5075 "WPA: clearing AP RSN IE"); 5076 sm->ap_rsn_ie = NULL; 5077 sm->ap_rsn_ie_len = 0; 5078 } else { 5079 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len); 5080 sm->ap_rsn_ie = os_memdup(ie, len); 5081 if (sm->ap_rsn_ie == NULL) 5082 return -1; 5083 5084 sm->ap_rsn_ie_len = len; 5085 } 5086 5087 return 0; 5088 } 5089 5090 5091 /** 5092 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp 5093 * @sm: Pointer to WPA state machine data from wpa_sm_init() 5094 * @ie: Pointer to IE data (starting from id) 5095 * @len: IE length 5096 * Returns: 0 on success, -1 on failure 5097 * 5098 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response 5099 * frame. 5100 */ 5101 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len) 5102 { 5103 if (!sm) 5104 return -1; 5105 5106 os_free(sm->ap_rsnxe); 5107 if (!ie || len == 0) { 5108 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE"); 5109 sm->ap_rsnxe = NULL; 5110 sm->ap_rsnxe_len = 0; 5111 } else { 5112 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len); 5113 sm->ap_rsnxe = os_memdup(ie, len); 5114 if (!sm->ap_rsnxe) 5115 return -1; 5116 5117 sm->ap_rsnxe_len = len; 5118 } 5119 5120 return 0; 5121 } 5122 5123 5124 /** 5125 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE 5126 * @sm: Pointer to WPA state machine data from wpa_sm_init() 5127 * @data: Pointer to data area for parsing results 5128 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure 5129 * 5130 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the 5131 * parsed data into data. 5132 */ 5133 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data) 5134 { 5135 if (sm == NULL) 5136 return -1; 5137 5138 if (sm->assoc_wpa_ie == NULL) { 5139 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, 5140 "WPA: No WPA/RSN IE available from association info"); 5141 return -1; 5142 } 5143 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data)) 5144 return -2; 5145 return 0; 5146 } 5147 5148 5149 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len) 5150 { 5151 return pmksa_cache_list(sm->pmksa, buf, len); 5152 } 5153 5154 5155 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm) 5156 { 5157 return pmksa_cache_head(sm->pmksa); 5158 } 5159 5160 5161 struct rsn_pmksa_cache_entry * 5162 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm, 5163 struct rsn_pmksa_cache_entry * entry) 5164 { 5165 return pmksa_cache_add_entry(sm->pmksa, entry); 5166 } 5167 5168 5169 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len, 5170 const u8 *pmkid, const u8 *bssid, 5171 const u8 *fils_cache_id) 5172 { 5173 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0, 5174 bssid, sm->own_addr, sm->network_ctx, 5175 sm->key_mgmt, fils_cache_id); 5176 } 5177 5178 5179 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const u8 *own_addr, 5180 const void *network_ctx) 5181 { 5182 return pmksa_cache_get(sm->pmksa, bssid, own_addr, NULL, network_ctx, 5183 0) != NULL; 5184 } 5185 5186 5187 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm, 5188 const u8 *aa, 5189 const u8 *pmkid, 5190 const void *network_ctx, 5191 int akmp) 5192 { 5193 return pmksa_cache_get(sm->pmksa, aa, sm->own_addr, pmkid, network_ctx, 5194 akmp); 5195 } 5196 5197 5198 void wpa_sm_pmksa_cache_remove(struct wpa_sm *sm, 5199 struct rsn_pmksa_cache_entry *entry) 5200 { 5201 if (sm && sm->pmksa) 5202 pmksa_cache_remove(sm->pmksa, entry); 5203 } 5204 5205 5206 void wpa_sm_drop_sa(struct wpa_sm *sm) 5207 { 5208 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK"); 5209 wpa_sm_clear_ptk(sm); 5210 sm->pmk_len = 0; 5211 os_memset(sm->pmk, 0, sizeof(sm->pmk)); 5212 #ifdef CONFIG_IEEE80211R 5213 os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); 5214 sm->xxkey_len = 0; 5215 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0)); 5216 sm->pmk_r0_len = 0; 5217 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1)); 5218 sm->pmk_r1_len = 0; 5219 #ifdef CONFIG_PASN 5220 os_free(sm->pasn_r1kh); 5221 sm->pasn_r1kh = NULL; 5222 sm->n_pasn_r1kh = 0; 5223 #endif /* CONFIG_PASN */ 5224 #endif /* CONFIG_IEEE80211R */ 5225 } 5226 5227 5228 #ifdef CONFIG_IEEE80211R 5229 bool wpa_sm_has_ft_keys(struct wpa_sm *sm, const u8 *md) 5230 { 5231 if (!sm) 5232 return false; 5233 if (!wpa_key_mgmt_ft(sm->key_mgmt) || 5234 os_memcmp(md, sm->key_mobility_domain, 5235 MOBILITY_DOMAIN_ID_LEN) != 0) { 5236 /* Do not allow FT protocol to be used even if we were to have 5237 * an PTK since the mobility domain has changed. */ 5238 return false; 5239 } 5240 return sm->ptk_set; 5241 } 5242 #endif /* CONFIG_IEEE80211R */ 5243 5244 5245 int wpa_sm_has_ptk_installed(struct wpa_sm *sm) 5246 { 5247 if (!sm) 5248 return 0; 5249 return sm->tk_set || sm->ptk.installed; 5250 } 5251 5252 5253 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr) 5254 { 5255 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN); 5256 } 5257 5258 5259 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) 5260 { 5261 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false); 5262 } 5263 5264 5265 void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx) 5266 { 5267 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true); 5268 } 5269 5270 5271 #ifdef CONFIG_WNM 5272 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf) 5273 { 5274 u16 keyinfo; 5275 u8 keylen; /* plaintext key len */ 5276 u8 *key_rsc; 5277 5278 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) { 5279 struct wpa_gtk_data gd; 5280 5281 os_memset(&gd, 0, sizeof(gd)); 5282 keylen = wpa_cipher_key_len(sm->group_cipher); 5283 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher); 5284 gd.alg = wpa_cipher_to_alg(sm->group_cipher); 5285 if (gd.alg == WPA_ALG_NONE) { 5286 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite"); 5287 return -1; 5288 } 5289 5290 key_rsc = buf + 5; 5291 keyinfo = WPA_GET_LE16(buf + 2); 5292 gd.gtk_len = keylen; 5293 if (gd.gtk_len != buf[4]) { 5294 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d", 5295 gd.gtk_len, buf[4]); 5296 return -1; 5297 } 5298 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */ 5299 gd.tx = wpa_supplicant_gtk_tx_bit_workaround( 5300 sm, !!(keyinfo & WPA_KEY_INFO_TXRX)); 5301 5302 os_memcpy(gd.gtk, buf + 13, gd.gtk_len); 5303 5304 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)", 5305 gd.gtk, gd.gtk_len); 5306 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) { 5307 forced_memzero(&gd, sizeof(gd)); 5308 wpa_printf(MSG_DEBUG, "Failed to install the GTK in " 5309 "WNM mode"); 5310 return -1; 5311 } 5312 forced_memzero(&gd, sizeof(gd)); 5313 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) { 5314 const struct wpa_igtk_kde *igtk; 5315 5316 igtk = (const struct wpa_igtk_kde *) (buf + 2); 5317 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0) 5318 return -1; 5319 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) { 5320 const struct wpa_bigtk_kde *bigtk; 5321 5322 bigtk = (const struct wpa_bigtk_kde *) (buf + 2); 5323 if (sm->beacon_prot && 5324 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0) 5325 return -1; 5326 } else { 5327 wpa_printf(MSG_DEBUG, "Unknown element id"); 5328 return -1; 5329 } 5330 5331 return 0; 5332 } 5333 #endif /* CONFIG_WNM */ 5334 5335 5336 #ifdef CONFIG_P2P 5337 5338 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf) 5339 { 5340 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0) 5341 return -1; 5342 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4); 5343 return 0; 5344 } 5345 5346 #endif /* CONFIG_P2P */ 5347 5348 5349 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter) 5350 { 5351 if (rx_replay_counter == NULL) 5352 return; 5353 5354 os_memcpy(sm->rx_replay_counter, rx_replay_counter, 5355 WPA_REPLAY_COUNTER_LEN); 5356 sm->rx_replay_counter_set = 1; 5357 wpa_printf(MSG_DEBUG, "Updated key replay counter"); 5358 } 5359 5360 5361 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm, 5362 const u8 *ptk_kck, size_t ptk_kck_len, 5363 const u8 *ptk_kek, size_t ptk_kek_len) 5364 { 5365 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) { 5366 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len); 5367 sm->ptk.kck_len = ptk_kck_len; 5368 wpa_printf(MSG_DEBUG, "Updated PTK KCK"); 5369 } 5370 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) { 5371 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len); 5372 sm->ptk.kek_len = ptk_kek_len; 5373 wpa_printf(MSG_DEBUG, "Updated PTK KEK"); 5374 } 5375 sm->ptk_set = 1; 5376 } 5377 5378 5379 #ifdef CONFIG_TESTING_OPTIONS 5380 5381 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf) 5382 { 5383 wpabuf_free(sm->test_assoc_ie); 5384 sm->test_assoc_ie = buf; 5385 } 5386 5387 5388 void wpa_sm_set_test_eapol_m2_elems(struct wpa_sm *sm, struct wpabuf *buf) 5389 { 5390 wpabuf_free(sm->test_eapol_m2_elems); 5391 sm->test_eapol_m2_elems = buf; 5392 } 5393 5394 5395 void wpa_sm_set_test_eapol_m4_elems(struct wpa_sm *sm, struct wpabuf *buf) 5396 { 5397 wpabuf_free(sm->test_eapol_m4_elems); 5398 sm->test_eapol_m4_elems = buf; 5399 } 5400 5401 5402 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm) 5403 { 5404 return sm->anonce; 5405 } 5406 5407 #endif /* CONFIG_TESTING_OPTIONS */ 5408 5409 5410 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm) 5411 { 5412 return sm->key_mgmt; 5413 } 5414 5415 5416 const u8 * wpa_sm_get_auth_addr(struct wpa_sm *sm) 5417 { 5418 return sm->mlo.valid_links ? sm->mlo.ap_mld_addr : sm->bssid; 5419 } 5420 5421 5422 #ifdef CONFIG_FILS 5423 5424 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md) 5425 { 5426 struct wpabuf *buf = NULL; 5427 struct wpabuf *erp_msg; 5428 struct wpabuf *pub = NULL; 5429 5430 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol); 5431 if (!erp_msg && !sm->cur_pmksa) { 5432 wpa_printf(MSG_DEBUG, 5433 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS"); 5434 goto fail; 5435 } 5436 5437 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)", 5438 erp_msg != NULL, sm->cur_pmksa != NULL); 5439 5440 sm->fils_completed = 0; 5441 5442 if (!sm->assoc_wpa_ie) { 5443 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS"); 5444 goto fail; 5445 } 5446 5447 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 || 5448 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0) 5449 goto fail; 5450 5451 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce", 5452 sm->fils_nonce, FILS_NONCE_LEN); 5453 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session", 5454 sm->fils_session, FILS_SESSION_LEN); 5455 5456 #ifdef CONFIG_FILS_SK_PFS 5457 sm->fils_dh_group = dh_group; 5458 if (dh_group) { 5459 crypto_ecdh_deinit(sm->fils_ecdh); 5460 sm->fils_ecdh = crypto_ecdh_init(dh_group); 5461 if (!sm->fils_ecdh) { 5462 wpa_printf(MSG_INFO, 5463 "FILS: Could not initialize ECDH with group %d", 5464 dh_group); 5465 goto fail; 5466 } 5467 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1); 5468 if (!pub) 5469 goto fail; 5470 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)", 5471 pub); 5472 sm->fils_dh_elem_len = wpabuf_len(pub); 5473 } 5474 #endif /* CONFIG_FILS_SK_PFS */ 5475 5476 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len + 5477 (pub ? wpabuf_len(pub) : 0)); 5478 if (!buf) 5479 goto fail; 5480 5481 /* Fields following the Authentication algorithm number field */ 5482 5483 /* Authentication Transaction seq# */ 5484 wpabuf_put_le16(buf, 1); 5485 5486 /* Status Code */ 5487 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 5488 5489 /* TODO: FILS PK */ 5490 #ifdef CONFIG_FILS_SK_PFS 5491 if (dh_group) { 5492 /* Finite Cyclic Group */ 5493 wpabuf_put_le16(buf, dh_group); 5494 /* Element */ 5495 wpabuf_put_buf(buf, pub); 5496 } 5497 #endif /* CONFIG_FILS_SK_PFS */ 5498 5499 /* RSNE */ 5500 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame", 5501 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 5502 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len); 5503 5504 if (md) { 5505 /* MDE when using FILS for FT initial association */ 5506 struct rsn_mdie *mdie; 5507 5508 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN); 5509 wpabuf_put_u8(buf, sizeof(*mdie)); 5510 mdie = wpabuf_put(buf, sizeof(*mdie)); 5511 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN); 5512 mdie->ft_capab = 0; 5513 } 5514 5515 /* FILS Nonce */ 5516 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 5517 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */ 5518 /* Element ID Extension */ 5519 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE); 5520 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN); 5521 5522 /* FILS Session */ 5523 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 5524 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */ 5525 /* Element ID Extension */ 5526 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 5527 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN); 5528 5529 /* Wrapped Data */ 5530 sm->fils_erp_pmkid_set = 0; 5531 if (erp_msg) { 5532 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 5533 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */ 5534 /* Element ID Extension */ 5535 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA); 5536 wpabuf_put_buf(buf, erp_msg); 5537 /* Calculate pending PMKID here so that we do not need to 5538 * maintain a copy of the EAP-Initiate/Reauth message. */ 5539 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg), 5540 wpabuf_len(erp_msg), 5541 sm->fils_erp_pmkid) == 0) 5542 sm->fils_erp_pmkid_set = 1; 5543 } 5544 5545 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame", 5546 buf); 5547 5548 fail: 5549 wpabuf_free(erp_msg); 5550 wpabuf_free(pub); 5551 return buf; 5552 } 5553 5554 5555 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data, 5556 size_t len) 5557 { 5558 const u8 *pos, *end; 5559 struct ieee802_11_elems elems; 5560 struct wpa_ie_data rsn; 5561 int pmkid_match = 0; 5562 u8 ick[FILS_ICK_MAX_LEN]; 5563 size_t ick_len; 5564 int res; 5565 struct wpabuf *dh_ss = NULL; 5566 const u8 *g_sta = NULL; 5567 size_t g_sta_len = 0; 5568 const u8 *g_ap = NULL; 5569 size_t g_ap_len = 0, kdk_len; 5570 struct wpabuf *pub = NULL; 5571 #ifdef CONFIG_IEEE80211R 5572 struct wpa_ft_ies parse; 5573 5574 os_memset(&parse, 0, sizeof(parse)); 5575 #endif /* CONFIG_IEEE80211R */ 5576 5577 os_memcpy(sm->bssid, bssid, ETH_ALEN); 5578 5579 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields", 5580 data, len); 5581 pos = data; 5582 end = data + len; 5583 5584 /* TODO: FILS PK */ 5585 #ifdef CONFIG_FILS_SK_PFS 5586 if (sm->fils_dh_group) { 5587 u16 group; 5588 5589 /* Using FILS PFS */ 5590 5591 /* Finite Cyclic Group */ 5592 if (end - pos < 2) { 5593 wpa_printf(MSG_DEBUG, 5594 "FILS: No room for Finite Cyclic Group"); 5595 goto fail; 5596 } 5597 group = WPA_GET_LE16(pos); 5598 pos += 2; 5599 if (group != sm->fils_dh_group) { 5600 wpa_printf(MSG_DEBUG, 5601 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)", 5602 group, sm->fils_dh_group); 5603 goto fail; 5604 } 5605 5606 /* Element */ 5607 if ((size_t) (end - pos) < sm->fils_dh_elem_len) { 5608 wpa_printf(MSG_DEBUG, "FILS: No room for Element"); 5609 goto fail; 5610 } 5611 5612 if (!sm->fils_ecdh) { 5613 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available"); 5614 goto fail; 5615 } 5616 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos, 5617 sm->fils_dh_elem_len); 5618 if (!dh_ss) { 5619 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed"); 5620 goto fail; 5621 } 5622 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss); 5623 g_ap = pos; 5624 g_ap_len = sm->fils_dh_elem_len; 5625 pos += sm->fils_dh_elem_len; 5626 } 5627 #endif /* CONFIG_FILS_SK_PFS */ 5628 5629 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos); 5630 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) { 5631 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements"); 5632 goto fail; 5633 } 5634 5635 /* RSNE */ 5636 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie, 5637 elems.rsn_ie_len); 5638 if (!elems.rsn_ie || 5639 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 5640 &rsn) < 0) { 5641 wpa_printf(MSG_DEBUG, "FILS: No RSN element"); 5642 goto fail; 5643 } 5644 5645 if (!elems.fils_nonce) { 5646 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field"); 5647 goto fail; 5648 } 5649 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN); 5650 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN); 5651 5652 #ifdef CONFIG_IEEE80211R 5653 if (wpa_key_mgmt_ft(sm->key_mgmt)) { 5654 if (!elems.mdie || !elems.ftie) { 5655 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE"); 5656 goto fail; 5657 } 5658 5659 if (wpa_ft_parse_ies(pos, end - pos, &parse, 5660 sm->key_mgmt, false) < 0) { 5661 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs"); 5662 goto fail; 5663 } 5664 5665 if (!parse.r0kh_id) { 5666 wpa_printf(MSG_DEBUG, 5667 "FILS+FT: No R0KH-ID subelem in FTE"); 5668 goto fail; 5669 } 5670 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len); 5671 sm->r0kh_id_len = parse.r0kh_id_len; 5672 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID", 5673 sm->r0kh_id, sm->r0kh_id_len); 5674 5675 if (!parse.r1kh_id) { 5676 wpa_printf(MSG_DEBUG, 5677 "FILS+FT: No R1KH-ID subelem in FTE"); 5678 goto fail; 5679 } 5680 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN); 5681 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID", 5682 sm->r1kh_id, FT_R1KH_ID_LEN); 5683 5684 /* TODO: Check MDE and FTE payload */ 5685 5686 wpabuf_free(sm->fils_ft_ies); 5687 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len + 5688 2 + elems.ftie_len); 5689 if (!sm->fils_ft_ies) 5690 goto fail; 5691 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2, 5692 2 + elems.mdie_len); 5693 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2, 5694 2 + elems.ftie_len); 5695 } else { 5696 wpabuf_free(sm->fils_ft_ies); 5697 sm->fils_ft_ies = NULL; 5698 } 5699 #endif /* CONFIG_IEEE80211R */ 5700 5701 /* PMKID List */ 5702 if (rsn.pmkid && rsn.num_pmkid > 0) { 5703 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List", 5704 rsn.pmkid, rsn.num_pmkid * PMKID_LEN); 5705 5706 if (rsn.num_pmkid != 1) { 5707 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection"); 5708 goto fail; 5709 } 5710 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN); 5711 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0) 5712 { 5713 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch"); 5714 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID", 5715 sm->cur_pmksa->pmkid, PMKID_LEN); 5716 goto fail; 5717 } 5718 wpa_printf(MSG_DEBUG, 5719 "FILS: Matching PMKID - continue using PMKSA caching"); 5720 pmkid_match = 1; 5721 } 5722 if (!pmkid_match && sm->cur_pmksa) { 5723 wpa_printf(MSG_DEBUG, 5724 "FILS: No PMKID match - cannot use cached PMKSA entry"); 5725 sm->cur_pmksa = NULL; 5726 } 5727 5728 /* FILS Session */ 5729 if (!elems.fils_session) { 5730 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 5731 goto fail; 5732 } 5733 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session, 5734 FILS_SESSION_LEN); 5735 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN) 5736 != 0) { 5737 wpa_printf(MSG_DEBUG, "FILS: Session mismatch"); 5738 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 5739 sm->fils_session, FILS_SESSION_LEN); 5740 goto fail; 5741 } 5742 5743 /* Wrapped Data */ 5744 if (!sm->cur_pmksa && elems.wrapped_data) { 5745 u8 rmsk[ERP_MAX_KEY_LEN]; 5746 size_t rmsk_len; 5747 5748 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data", 5749 elems.wrapped_data, 5750 elems.wrapped_data_len); 5751 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data, 5752 elems.wrapped_data_len); 5753 if (eapol_sm_failed(sm->eapol)) 5754 goto fail; 5755 5756 rmsk_len = ERP_MAX_KEY_LEN; 5757 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len); 5758 if (res == PMK_LEN) { 5759 rmsk_len = PMK_LEN; 5760 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len); 5761 } 5762 if (res) 5763 goto fail; 5764 5765 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len, 5766 sm->fils_nonce, sm->fils_anonce, 5767 dh_ss ? wpabuf_head(dh_ss) : NULL, 5768 dh_ss ? wpabuf_len(dh_ss) : 0, 5769 sm->pmk, &sm->pmk_len); 5770 forced_memzero(rmsk, sizeof(rmsk)); 5771 5772 /* Don't use DHss in PTK derivation if PMKSA caching is not 5773 * used. */ 5774 wpabuf_clear_free(dh_ss); 5775 dh_ss = NULL; 5776 5777 if (res) 5778 goto fail; 5779 5780 if (!sm->fils_erp_pmkid_set) { 5781 wpa_printf(MSG_DEBUG, "FILS: PMKID not available"); 5782 goto fail; 5783 } 5784 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid, 5785 PMKID_LEN); 5786 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result"); 5787 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, 5788 sm->fils_erp_pmkid, NULL, 0, 5789 sm->bssid, sm->own_addr, 5790 sm->network_ctx, sm->key_mgmt, 5791 NULL); 5792 } 5793 5794 if (!sm->cur_pmksa) { 5795 wpa_printf(MSG_DEBUG, 5796 "FILS: No remaining options to continue FILS authentication"); 5797 goto fail; 5798 } 5799 5800 if (sm->force_kdk_derivation || 5801 (sm->secure_ltf && 5802 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))) 5803 kdk_len = WPA_KDK_MAX_LEN; 5804 else 5805 kdk_len = 0; 5806 5807 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, 5808 wpa_sm_get_auth_addr(sm), 5809 sm->fils_nonce, sm->fils_anonce, 5810 dh_ss ? wpabuf_head(dh_ss) : NULL, 5811 dh_ss ? wpabuf_len(dh_ss) : 0, 5812 &sm->ptk, ick, &ick_len, 5813 sm->key_mgmt, sm->pairwise_cipher, 5814 sm->fils_ft, &sm->fils_ft_len, 5815 kdk_len) < 0) { 5816 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK"); 5817 goto fail; 5818 } 5819 5820 #ifdef CONFIG_PASN 5821 if (sm->secure_ltf && 5822 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) && 5823 wpa_ltf_keyseed(&sm->ptk, sm->key_mgmt, sm->pairwise_cipher)) { 5824 wpa_printf(MSG_DEBUG, "FILS: Failed to derive LTF keyseed"); 5825 goto fail; 5826 } 5827 #endif /* CONFIG_PASN */ 5828 5829 wpabuf_clear_free(dh_ss); 5830 dh_ss = NULL; 5831 5832 sm->ptk_set = 1; 5833 sm->tptk_set = 0; 5834 os_memset(&sm->tptk, 0, sizeof(sm->tptk)); 5835 5836 #ifdef CONFIG_FILS_SK_PFS 5837 if (sm->fils_dh_group) { 5838 if (!sm->fils_ecdh) { 5839 wpa_printf(MSG_INFO, "FILS: ECDH not initialized"); 5840 goto fail; 5841 } 5842 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1); 5843 if (!pub) 5844 goto fail; 5845 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub); 5846 g_sta = wpabuf_head(pub); 5847 g_sta_len = wpabuf_len(pub); 5848 if (!g_ap) { 5849 wpa_printf(MSG_INFO, "FILS: gAP not available"); 5850 goto fail; 5851 } 5852 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len); 5853 } 5854 #endif /* CONFIG_FILS_SK_PFS */ 5855 5856 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce, 5857 sm->fils_anonce, sm->own_addr, sm->bssid, 5858 g_sta, g_sta_len, g_ap, g_ap_len, 5859 sm->key_mgmt, sm->fils_key_auth_sta, 5860 sm->fils_key_auth_ap, 5861 &sm->fils_key_auth_len); 5862 wpabuf_free(pub); 5863 forced_memzero(ick, sizeof(ick)); 5864 #ifdef CONFIG_IEEE80211R 5865 wpa_ft_parse_ies_free(&parse); 5866 #endif /* CONFIG_IEEE80211R */ 5867 return res; 5868 fail: 5869 wpabuf_free(pub); 5870 wpabuf_clear_free(dh_ss); 5871 #ifdef CONFIG_IEEE80211R 5872 wpa_ft_parse_ies_free(&parse); 5873 #endif /* CONFIG_IEEE80211R */ 5874 return -1; 5875 } 5876 5877 5878 #ifdef CONFIG_IEEE80211R 5879 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf) 5880 { 5881 struct rsn_ie_hdr *rsnie; 5882 u16 capab; 5883 u8 *pos; 5884 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt); 5885 5886 /* RSNIE[PMKR0Name/PMKR1Name] */ 5887 rsnie = wpabuf_put(buf, sizeof(*rsnie)); 5888 rsnie->elem_id = WLAN_EID_RSN; 5889 WPA_PUT_LE16(rsnie->version, RSN_VERSION); 5890 5891 /* Group Suite Selector */ 5892 if (!wpa_cipher_valid_group(sm->group_cipher)) { 5893 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)", 5894 sm->group_cipher); 5895 return -1; 5896 } 5897 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 5898 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, 5899 sm->group_cipher)); 5900 5901 /* Pairwise Suite Count */ 5902 wpabuf_put_le16(buf, 1); 5903 5904 /* Pairwise Suite List */ 5905 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 5906 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)", 5907 sm->pairwise_cipher); 5908 return -1; 5909 } 5910 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 5911 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, 5912 sm->pairwise_cipher)); 5913 5914 /* Authenticated Key Management Suite Count */ 5915 wpabuf_put_le16(buf, 1); 5916 5917 /* Authenticated Key Management Suite List */ 5918 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 5919 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256) 5920 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256); 5921 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384) 5922 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384); 5923 else { 5924 wpa_printf(MSG_WARNING, 5925 "FILS+FT: Invalid key management type (%d)", 5926 sm->key_mgmt); 5927 return -1; 5928 } 5929 5930 /* RSN Capabilities */ 5931 capab = 0; 5932 if (sm->mfp) 5933 capab |= WPA_CAPABILITY_MFPC; 5934 if (sm->mfp == 2) 5935 capab |= WPA_CAPABILITY_MFPR; 5936 if (sm->ocv) 5937 capab |= WPA_CAPABILITY_OCVC; 5938 if (sm->ext_key_id) 5939 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST; 5940 wpabuf_put_le16(buf, capab); 5941 5942 /* PMKID Count */ 5943 wpabuf_put_le16(buf, 1); 5944 5945 /* PMKID List [PMKR1Name] */ 5946 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)", 5947 sm->fils_ft, sm->fils_ft_len); 5948 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len); 5949 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID", 5950 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN); 5951 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID", 5952 sm->r0kh_id, sm->r0kh_id_len); 5953 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid, 5954 sm->ssid_len, sm->mobility_domain, 5955 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr, 5956 sm->pmk_r0, sm->pmk_r0_name, sm->key_mgmt) < 0) { 5957 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0"); 5958 return -1; 5959 } 5960 if (wpa_key_mgmt_sae_ext_key(sm->key_mgmt)) 5961 sm->pmk_r0_len = sm->fils_ft_len; 5962 else 5963 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; 5964 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR, 5965 MAC2STR(sm->r1kh_id)); 5966 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN); 5967 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr, 5968 sm->pmk_r1_name, sm->fils_ft_len) < 0) { 5969 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name"); 5970 return -1; 5971 } 5972 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN); 5973 5974 os_memcpy(sm->key_mobility_domain, sm->mobility_domain, 5975 MOBILITY_DOMAIN_ID_LEN); 5976 5977 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) { 5978 /* Management Group Cipher Suite */ 5979 pos = wpabuf_put(buf, RSN_SELECTOR_LEN); 5980 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC); 5981 } 5982 5983 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2; 5984 return 0; 5985 } 5986 #endif /* CONFIG_IEEE80211R */ 5987 5988 5989 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek, 5990 size_t *kek_len, const u8 **snonce, 5991 const u8 **anonce, 5992 const struct wpabuf **hlp, 5993 unsigned int num_hlp) 5994 { 5995 struct wpabuf *buf; 5996 size_t len; 5997 unsigned int i; 5998 5999 len = 1000; 6000 #ifdef CONFIG_IEEE80211R 6001 if (sm->fils_ft_ies) 6002 len += wpabuf_len(sm->fils_ft_ies); 6003 if (wpa_key_mgmt_ft(sm->key_mgmt)) 6004 len += 256; 6005 #endif /* CONFIG_IEEE80211R */ 6006 for (i = 0; hlp && i < num_hlp; i++) 6007 len += 10 + wpabuf_len(hlp[i]); 6008 buf = wpabuf_alloc(len); 6009 if (!buf) 6010 return NULL; 6011 6012 #ifdef CONFIG_IEEE80211R 6013 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) { 6014 /* MDE and FTE when using FILS+FT */ 6015 wpabuf_put_buf(buf, sm->fils_ft_ies); 6016 /* RSNE with PMKR1Name in PMKID field */ 6017 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) { 6018 wpabuf_free(buf); 6019 return NULL; 6020 } 6021 } 6022 #endif /* CONFIG_IEEE80211R */ 6023 6024 /* FILS Session */ 6025 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 6026 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */ 6027 /* Element ID Extension */ 6028 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 6029 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN); 6030 6031 /* Everything after FILS Session element gets encrypted in the driver 6032 * with KEK. The buffer returned from here is the plaintext version. */ 6033 6034 /* TODO: FILS Public Key */ 6035 6036 /* FILS Key Confirm */ 6037 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 6038 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */ 6039 /* Element ID Extension */ 6040 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM); 6041 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len); 6042 6043 /* FILS HLP Container */ 6044 for (i = 0; hlp && i < num_hlp; i++) { 6045 const u8 *pos = wpabuf_head(hlp[i]); 6046 size_t left = wpabuf_len(hlp[i]); 6047 6048 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */ 6049 if (left <= 254) 6050 len = 1 + left; 6051 else 6052 len = 255; 6053 wpabuf_put_u8(buf, len); /* Length */ 6054 /* Element ID Extension */ 6055 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER); 6056 /* Destination MAC Address, Source MAC Address, HLP Packet. 6057 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP 6058 * header when LPD is used). */ 6059 wpabuf_put_data(buf, pos, len - 1); 6060 pos += len - 1; 6061 left -= len - 1; 6062 while (left) { 6063 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT); 6064 len = left > 255 ? 255 : left; 6065 wpabuf_put_u8(buf, len); 6066 wpabuf_put_data(buf, pos, len); 6067 pos += len; 6068 left -= len; 6069 } 6070 } 6071 6072 /* TODO: FILS IP Address Assignment */ 6073 6074 #ifdef CONFIG_OCV 6075 if (wpa_sm_ocv_enabled(sm)) { 6076 struct wpa_channel_info ci; 6077 u8 *pos; 6078 6079 if (wpa_sm_channel_info(sm, &ci) != 0) { 6080 wpa_printf(MSG_WARNING, 6081 "FILS: Failed to get channel info for OCI element"); 6082 wpabuf_free(buf); 6083 return NULL; 6084 } 6085 #ifdef CONFIG_TESTING_OPTIONS 6086 if (sm->oci_freq_override_fils_assoc) { 6087 wpa_printf(MSG_INFO, 6088 "TEST: Override OCI KDE frequency %d -> %d MHz", 6089 ci.frequency, 6090 sm->oci_freq_override_fils_assoc); 6091 ci.frequency = sm->oci_freq_override_fils_assoc; 6092 } 6093 #endif /* CONFIG_TESTING_OPTIONS */ 6094 6095 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN); 6096 if (ocv_insert_extended_oci(&ci, pos) < 0) { 6097 wpabuf_free(buf); 6098 return NULL; 6099 } 6100 } 6101 #endif /* CONFIG_OCV */ 6102 6103 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf); 6104 6105 *kek = sm->ptk.kek; 6106 *kek_len = sm->ptk.kek_len; 6107 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len); 6108 *snonce = sm->fils_nonce; 6109 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD", 6110 *snonce, FILS_NONCE_LEN); 6111 *anonce = sm->fils_anonce; 6112 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD", 6113 *anonce, FILS_NONCE_LEN); 6114 6115 return buf; 6116 } 6117 6118 6119 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len) 6120 { 6121 const u8 *pos, *end; 6122 6123 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len); 6124 if (len < 2 * ETH_ALEN) 6125 return; 6126 pos = resp + 2 * ETH_ALEN; 6127 end = resp + len; 6128 if (end - pos >= 6 && 6129 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) 6130 pos += 6; /* Remove SNAP/LLC header */ 6131 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos); 6132 } 6133 6134 6135 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos, 6136 size_t len) 6137 { 6138 const u8 *end = pos + len; 6139 u8 *tmp, *tmp_pos; 6140 6141 /* Check if there are any FILS HLP Container elements */ 6142 while (end - pos >= 2) { 6143 if (2 + pos[1] > end - pos) 6144 return; 6145 if (pos[0] == WLAN_EID_EXTENSION && 6146 pos[1] >= 1 + 2 * ETH_ALEN && 6147 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER) 6148 break; 6149 pos += 2 + pos[1]; 6150 } 6151 if (end - pos < 2) 6152 return; /* No FILS HLP Container elements */ 6153 6154 tmp = os_malloc(end - pos); 6155 if (!tmp) 6156 return; 6157 6158 while (end - pos >= 2) { 6159 if (2 + pos[1] > end - pos || 6160 pos[0] != WLAN_EID_EXTENSION || 6161 pos[1] < 1 + 2 * ETH_ALEN || 6162 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER) 6163 break; 6164 tmp_pos = tmp; 6165 os_memcpy(tmp_pos, pos + 3, pos[1] - 1); 6166 tmp_pos += pos[1] - 1; 6167 pos += 2 + pos[1]; 6168 6169 /* Add possible fragments */ 6170 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT && 6171 2 + pos[1] <= end - pos) { 6172 os_memcpy(tmp_pos, pos + 2, pos[1]); 6173 tmp_pos += pos[1]; 6174 pos += 2 + pos[1]; 6175 } 6176 6177 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp); 6178 } 6179 6180 os_free(tmp); 6181 } 6182 6183 6184 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len) 6185 { 6186 const struct ieee80211_mgmt *mgmt; 6187 const u8 *end, *ie_start; 6188 struct ieee802_11_elems elems; 6189 int keylen, rsclen; 6190 enum wpa_alg alg; 6191 struct wpa_gtk_data gd; 6192 int maxkeylen; 6193 struct wpa_eapol_ie_parse kde; 6194 6195 if (!sm || !sm->ptk_set) { 6196 wpa_printf(MSG_DEBUG, "FILS: No KEK available"); 6197 return -1; 6198 } 6199 6200 if (!wpa_key_mgmt_fils(sm->key_mgmt)) { 6201 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM"); 6202 return -1; 6203 } 6204 6205 if (sm->fils_completed) { 6206 wpa_printf(MSG_DEBUG, 6207 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission"); 6208 return -1; 6209 } 6210 6211 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame", 6212 resp, len); 6213 6214 mgmt = (const struct ieee80211_mgmt *) resp; 6215 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp)) 6216 return -1; 6217 6218 end = resp + len; 6219 /* Same offset for Association Response and Reassociation Response */ 6220 ie_start = mgmt->u.assoc_resp.variable; 6221 6222 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) == 6223 ParseFailed) { 6224 wpa_printf(MSG_DEBUG, 6225 "FILS: Failed to parse decrypted elements"); 6226 goto fail; 6227 } 6228 6229 if (!elems.fils_session) { 6230 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element"); 6231 return -1; 6232 } 6233 if (os_memcmp(elems.fils_session, sm->fils_session, 6234 FILS_SESSION_LEN) != 0) { 6235 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch"); 6236 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session", 6237 elems.fils_session, FILS_SESSION_LEN); 6238 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session", 6239 sm->fils_session, FILS_SESSION_LEN); 6240 } 6241 6242 if (!elems.rsn_ie) { 6243 wpa_printf(MSG_DEBUG, 6244 "FILS: No RSNE in (Re)Association Response"); 6245 /* As an interop workaround, allow this for now since IEEE Std 6246 * 802.11ai-2016 did not include all the needed changes to make 6247 * a FILS AP include RSNE in the frame. This workaround might 6248 * eventually be removed and replaced with rejection (goto fail) 6249 * to follow a strict interpretation of the standard. */ 6250 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt), 6251 sm->ap_rsn_ie, sm->ap_rsn_ie_len, 6252 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) { 6253 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 6254 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response"); 6255 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response", 6256 sm->ap_rsn_ie, sm->ap_rsn_ie_len); 6257 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response", 6258 elems.rsn_ie, elems.rsn_ie_len); 6259 goto fail; 6260 } 6261 6262 /* TODO: FILS Public Key */ 6263 6264 if (!elems.fils_key_confirm) { 6265 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element"); 6266 goto fail; 6267 } 6268 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) { 6269 wpa_printf(MSG_DEBUG, 6270 "FILS: Unexpected Key-Auth length %d (expected %d)", 6271 elems.fils_key_confirm_len, 6272 (int) sm->fils_key_auth_len); 6273 goto fail; 6274 } 6275 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap, 6276 sm->fils_key_auth_len) != 0) { 6277 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch"); 6278 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth", 6279 elems.fils_key_confirm, 6280 elems.fils_key_confirm_len); 6281 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth", 6282 sm->fils_key_auth_ap, sm->fils_key_auth_len); 6283 goto fail; 6284 } 6285 6286 #ifdef CONFIG_OCV 6287 if (wpa_sm_ocv_enabled(sm)) { 6288 struct wpa_channel_info ci; 6289 6290 if (wpa_sm_channel_info(sm, &ci) != 0) { 6291 wpa_printf(MSG_WARNING, 6292 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame"); 6293 goto fail; 6294 } 6295 6296 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci, 6297 channel_width_to_int(ci.chanwidth), 6298 ci.seg1_idx) != OCI_SUCCESS) { 6299 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE 6300 "addr=" MACSTR " frame=fils-assoc error=%s", 6301 MAC2STR(sm->bssid), ocv_errorstr); 6302 goto fail; 6303 } 6304 } 6305 #endif /* CONFIG_OCV */ 6306 6307 #ifdef CONFIG_IEEE80211R 6308 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) { 6309 struct wpa_ie_data rsn; 6310 6311 /* Check that PMKR1Name derived by the AP matches */ 6312 if (!elems.rsn_ie || 6313 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 6314 &rsn) < 0 || 6315 !rsn.pmkid || rsn.num_pmkid != 1 || 6316 os_memcmp(rsn.pmkid, sm->pmk_r1_name, 6317 WPA_PMK_NAME_LEN) != 0) { 6318 wpa_printf(MSG_DEBUG, 6319 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp"); 6320 goto fail; 6321 } 6322 } 6323 #endif /* CONFIG_IEEE80211R */ 6324 6325 /* Key Delivery */ 6326 if (!elems.key_delivery) { 6327 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element"); 6328 goto fail; 6329 } 6330 6331 /* Parse GTK and set the key to the driver */ 6332 os_memset(&gd, 0, sizeof(gd)); 6333 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN, 6334 elems.key_delivery_len - WPA_KEY_RSC_LEN, 6335 &kde) < 0) { 6336 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs"); 6337 goto fail; 6338 } 6339 if (!kde.gtk) { 6340 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE"); 6341 goto fail; 6342 } 6343 maxkeylen = gd.gtk_len = kde.gtk_len - 2; 6344 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, 6345 gd.gtk_len, maxkeylen, 6346 &gd.key_rsc_len, &gd.alg)) 6347 goto fail; 6348 6349 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len); 6350 gd.keyidx = kde.gtk[0] & 0x3; 6351 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm, 6352 !!(kde.gtk[0] & BIT(2))); 6353 if (kde.gtk_len - 2 > sizeof(gd.gtk)) { 6354 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)", 6355 (unsigned long) kde.gtk_len - 2); 6356 goto fail; 6357 } 6358 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2); 6359 6360 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver"); 6361 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) { 6362 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK"); 6363 goto fail; 6364 } 6365 6366 if (ieee80211w_set_keys(sm, &kde) < 0) { 6367 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK"); 6368 goto fail; 6369 } 6370 6371 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 6372 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 6373 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) { 6374 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu", 6375 keylen, (long unsigned int) sm->ptk.tk_len); 6376 goto fail; 6377 } 6378 6379 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher); 6380 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver", 6381 sm->ptk.tk, keylen); 6382 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm), 0, 1, 6383 null_rsc, rsclen, 6384 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) { 6385 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 6386 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr=" 6387 MACSTR ")", 6388 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm))); 6389 goto fail; 6390 } 6391 6392 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher, 6393 sm->dot11RSNAConfigPMKLifetime, &sm->ptk); 6394 6395 /* TODO: TK could be cleared after auth frame exchange now that driver 6396 * takes care of association frame encryption/decryption. */ 6397 /* TK is not needed anymore in supplicant */ 6398 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN); 6399 sm->ptk.tk_len = 0; 6400 sm->ptk.installed = 1; 6401 sm->tk_set = true; 6402 6403 /* FILS HLP Container */ 6404 fils_process_hlp_container(sm, ie_start, end - ie_start); 6405 6406 /* TODO: FILS IP Address Assignment */ 6407 6408 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully"); 6409 sm->fils_completed = 1; 6410 forced_memzero(&gd, sizeof(gd)); 6411 6412 if (kde.transition_disable) 6413 wpa_sm_transition_disable(sm, kde.transition_disable[0]); 6414 6415 return 0; 6416 fail: 6417 forced_memzero(&gd, sizeof(gd)); 6418 return -1; 6419 } 6420 6421 6422 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set) 6423 { 6424 if (sm) 6425 sm->fils_completed = !!set; 6426 } 6427 6428 #endif /* CONFIG_FILS */ 6429 6430 6431 int wpa_fils_is_completed(struct wpa_sm *sm) 6432 { 6433 #ifdef CONFIG_FILS 6434 return sm && sm->fils_completed; 6435 #else /* CONFIG_FILS */ 6436 return 0; 6437 #endif /* CONFIG_FILS */ 6438 } 6439 6440 6441 #ifdef CONFIG_OWE 6442 6443 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group) 6444 { 6445 struct wpabuf *ie = NULL, *pub = NULL; 6446 size_t prime_len; 6447 6448 if (group == 19) 6449 prime_len = 32; 6450 else if (group == 20) 6451 prime_len = 48; 6452 else if (group == 21) 6453 prime_len = 66; 6454 else 6455 return NULL; 6456 6457 crypto_ecdh_deinit(sm->owe_ecdh); 6458 sm->owe_ecdh = crypto_ecdh_init(group); 6459 if (!sm->owe_ecdh) 6460 goto fail; 6461 sm->owe_group = group; 6462 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0); 6463 pub = wpabuf_zeropad(pub, prime_len); 6464 if (!pub) 6465 goto fail; 6466 6467 ie = wpabuf_alloc(5 + wpabuf_len(pub)); 6468 if (!ie) 6469 goto fail; 6470 wpabuf_put_u8(ie, WLAN_EID_EXTENSION); 6471 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub)); 6472 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM); 6473 wpabuf_put_le16(ie, group); 6474 wpabuf_put_buf(ie, pub); 6475 wpabuf_free(pub); 6476 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element", 6477 ie); 6478 6479 return ie; 6480 fail: 6481 wpabuf_free(pub); 6482 crypto_ecdh_deinit(sm->owe_ecdh); 6483 sm->owe_ecdh = NULL; 6484 return NULL; 6485 } 6486 6487 6488 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid, 6489 const u8 *resp_ies, size_t resp_ies_len) 6490 { 6491 struct ieee802_11_elems elems; 6492 u16 group; 6493 struct wpabuf *secret, *pub, *hkey; 6494 int res; 6495 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN]; 6496 const char *info = "OWE Key Generation"; 6497 const u8 *addr[2]; 6498 size_t len[2]; 6499 size_t hash_len, prime_len; 6500 struct wpa_ie_data data; 6501 6502 if (!resp_ies || 6503 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) == 6504 ParseFailed) { 6505 wpa_printf(MSG_INFO, 6506 "OWE: Could not parse Association Response frame elements"); 6507 return -1; 6508 } 6509 6510 if (sm->cur_pmksa && elems.rsn_ie && 6511 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len, 6512 &data) == 0 && 6513 data.num_pmkid == 1 && data.pmkid && 6514 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) { 6515 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching"); 6516 wpa_sm_set_pmk_from_pmksa(sm); 6517 return 0; 6518 } 6519 6520 if (!elems.owe_dh) { 6521 wpa_printf(MSG_INFO, 6522 "OWE: No Diffie-Hellman Parameter element found in Association Response frame"); 6523 return -1; 6524 } 6525 6526 group = WPA_GET_LE16(elems.owe_dh); 6527 if (group != sm->owe_group) { 6528 wpa_printf(MSG_INFO, 6529 "OWE: Unexpected Diffie-Hellman group in response: %u", 6530 group); 6531 return -1; 6532 } 6533 6534 if (!sm->owe_ecdh) { 6535 wpa_printf(MSG_INFO, "OWE: No ECDH state available"); 6536 return -1; 6537 } 6538 6539 if (group == 19) 6540 prime_len = 32; 6541 else if (group == 20) 6542 prime_len = 48; 6543 else if (group == 21) 6544 prime_len = 66; 6545 else 6546 return -1; 6547 6548 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0, 6549 elems.owe_dh + 2, 6550 elems.owe_dh_len - 2); 6551 secret = wpabuf_zeropad(secret, prime_len); 6552 if (!secret) { 6553 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key"); 6554 return -1; 6555 } 6556 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret); 6557 6558 /* prk = HKDF-extract(C | A | group, z) */ 6559 6560 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0); 6561 if (!pub) { 6562 wpabuf_clear_free(secret); 6563 return -1; 6564 } 6565 6566 /* PMKID = Truncate-128(Hash(C | A)) */ 6567 addr[0] = wpabuf_head(pub); 6568 len[0] = wpabuf_len(pub); 6569 addr[1] = elems.owe_dh + 2; 6570 len[1] = elems.owe_dh_len - 2; 6571 if (group == 19) { 6572 res = sha256_vector(2, addr, len, pmkid); 6573 hash_len = SHA256_MAC_LEN; 6574 } else if (group == 20) { 6575 res = sha384_vector(2, addr, len, pmkid); 6576 hash_len = SHA384_MAC_LEN; 6577 } else if (group == 21) { 6578 res = sha512_vector(2, addr, len, pmkid); 6579 hash_len = SHA512_MAC_LEN; 6580 } else { 6581 res = -1; 6582 hash_len = 0; 6583 } 6584 pub = wpabuf_zeropad(pub, prime_len); 6585 if (res < 0 || !pub) { 6586 wpabuf_free(pub); 6587 wpabuf_clear_free(secret); 6588 return -1; 6589 } 6590 6591 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2); 6592 if (!hkey) { 6593 wpabuf_free(pub); 6594 wpabuf_clear_free(secret); 6595 return -1; 6596 } 6597 6598 wpabuf_put_buf(hkey, pub); /* C */ 6599 wpabuf_free(pub); 6600 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */ 6601 wpabuf_put_le16(hkey, sm->owe_group); /* group */ 6602 if (group == 19) 6603 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey), 6604 wpabuf_head(secret), wpabuf_len(secret), prk); 6605 else if (group == 20) 6606 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey), 6607 wpabuf_head(secret), wpabuf_len(secret), prk); 6608 else if (group == 21) 6609 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey), 6610 wpabuf_head(secret), wpabuf_len(secret), prk); 6611 wpabuf_clear_free(hkey); 6612 wpabuf_clear_free(secret); 6613 if (res < 0) 6614 return -1; 6615 6616 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len); 6617 6618 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */ 6619 6620 if (group == 19) 6621 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info, 6622 os_strlen(info), sm->pmk, hash_len); 6623 else if (group == 20) 6624 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info, 6625 os_strlen(info), sm->pmk, hash_len); 6626 else if (group == 21) 6627 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info, 6628 os_strlen(info), sm->pmk, hash_len); 6629 forced_memzero(prk, SHA512_MAC_LEN); 6630 if (res < 0) { 6631 sm->pmk_len = 0; 6632 return -1; 6633 } 6634 sm->pmk_len = hash_len; 6635 6636 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len); 6637 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN); 6638 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0, 6639 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt, 6640 NULL); 6641 6642 return 0; 6643 } 6644 6645 #endif /* CONFIG_OWE */ 6646 6647 6648 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id) 6649 { 6650 #ifdef CONFIG_FILS 6651 if (sm && fils_cache_id) { 6652 sm->fils_cache_id_set = 1; 6653 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN); 6654 } 6655 #endif /* CONFIG_FILS */ 6656 } 6657 6658 6659 #ifdef CONFIG_DPP2 6660 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z) 6661 { 6662 if (sm) { 6663 wpabuf_clear_free(sm->dpp_z); 6664 sm->dpp_z = z ? wpabuf_dup(z) : NULL; 6665 } 6666 } 6667 #endif /* CONFIG_DPP2 */ 6668 6669 6670 #ifdef CONFIG_PASN 6671 6672 void wpa_pasn_sm_set_caps(struct wpa_sm *sm, unsigned int flags2) 6673 { 6674 if (flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_STA) 6675 sm->secure_ltf = 1; 6676 if (flags2 & WPA_DRIVER_FLAGS2_SEC_RTT_STA) 6677 sm->secure_rtt = 1; 6678 if (flags2 & WPA_DRIVER_FLAGS2_PROT_RANGE_NEG_STA) 6679 sm->prot_range_neg = 1; 6680 } 6681 6682 #endif /* CONFIG_PASN */ 6683 6684 6685 void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm) 6686 { 6687 if (sm) 6688 pmksa_cache_reconfig(sm->pmksa); 6689 } 6690 6691 6692 struct rsn_pmksa_cache * wpa_sm_get_pmksa_cache(struct wpa_sm *sm) 6693 { 6694 return sm ? sm->pmksa : NULL; 6695 } 6696 6697 6698 void wpa_sm_set_cur_pmksa(struct wpa_sm *sm, 6699 struct rsn_pmksa_cache_entry *entry) 6700 { 6701 if (sm) 6702 sm->cur_pmksa = entry; 6703 } 6704 6705 6706 void wpa_sm_set_driver_bss_selection(struct wpa_sm *sm, 6707 bool driver_bss_selection) 6708 { 6709 if (sm) 6710 sm->driver_bss_selection = driver_bss_selection; 6711 } 6712
Indexes created Wed Jun 24 00:24:50 UTC 2026