1 /*
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <[email protected]>
4 * Copyright(c) 2015 Intel Deutschland GmbH
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10 #include "includes.h"
11
12 #include "common.h"
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "common/ocv.h"
24 #include "common/dpp.h"
25 #include "common/wpa_ctrl.h"
26 #include "eap_common/eap_defs.h"
27 #include "eapol_supp/eapol_supp_sm.h"
28 #include "drivers/driver.h"
29 #include "wpa.h"
30 #include "eloop.h"
31 #include "preauth.h"
32 #include "pmksa_cache.h"
33 #include "wpa_i.h"
34 #include "wpa_ie.h"
35 #include "wpa_supplicant_i.h"
36 #include "driver_i.h"
37
38 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
39
40
_wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len,bool key)41 static void _wpa_hexdump_link(int level, u8 link_id, const char *title,
42 const void *buf, size_t len, bool key)
43 {
44 char *link_title = NULL;
45
46 if (link_id >= MAX_NUM_MLD_LINKS)
47 goto out;
48
49 link_title = os_malloc(os_strlen(title) + 20);
50 if (!link_title)
51 goto out;
52
53 os_snprintf(link_title, os_strlen(title) + 20, "MLO link[%u]: %s",
54 link_id, title);
55
56 out:
57 if (key)
58 wpa_hexdump_key(level, link_title ? link_title : title, buf,
59 len);
60 else
61 wpa_hexdump(level, link_title ? link_title : title, buf, len);
62 os_free(link_title);
63 }
64
65
wpa_hexdump_link(int level,u8 link_id,const char * title,const void * buf,size_t len)66 static void wpa_hexdump_link(int level, u8 link_id, const char *title,
67 const void *buf, size_t len)
68 {
69 _wpa_hexdump_link(level, link_id, title, buf, len, false);
70 }
71
72
wpa_hexdump_link_key(int level,u8 link_id,const char * title,const void * buf,size_t len)73 static void wpa_hexdump_link_key(int level, u8 link_id, const char *title,
74 const void *buf, size_t len)
75 {
76 _wpa_hexdump_link(level, link_id, title, buf, len, true);
77 }
78
79
80 /**
81 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
82 * @sm: Pointer to WPA state machine data from wpa_sm_init()
83 * @ptk: PTK for Key Confirmation/Encryption Key
84 * @ver: Version field from Key Info
85 * @dest: Destination address for the frame
86 * @proto: Ethertype (usually ETH_P_EAPOL)
87 * @msg: EAPOL-Key message
88 * @msg_len: Length of message
89 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
90 * Returns: >= 0 on success, < 0 on failure
91 */
wpa_eapol_key_send(struct wpa_sm * sm,struct wpa_ptk * ptk,int ver,const u8 * dest,u16 proto,u8 * msg,size_t msg_len,u8 * key_mic)92 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
93 int ver, const u8 *dest, u16 proto,
94 u8 *msg, size_t msg_len, u8 *key_mic)
95 {
96 int ret = -1;
97 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
98
99 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
100 " ver=%d mic_len=%d key_mgmt=0x%x",
101 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
102 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
103 /*
104 * Association event was not yet received; try to fetch
105 * BSSID from the driver.
106 */
107 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
108 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
109 "WPA: Failed to read BSSID for "
110 "EAPOL-Key destination address");
111 } else {
112 dest = sm->bssid;
113 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
114 "WPA: Use BSSID (" MACSTR
115 ") as the destination for EAPOL-Key",
116 MAC2STR(dest));
117 }
118 }
119
120 if (mic_len) {
121 if (key_mic && (!ptk || !ptk->kck_len))
122 goto out;
123
124 if (key_mic &&
125 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
126 msg, msg_len, key_mic)) {
127 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
128 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
129 ver, sm->key_mgmt);
130 goto out;
131 }
132 if (ptk)
133 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
134 ptk->kck, ptk->kck_len);
135 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
136 key_mic, mic_len);
137 } else {
138 #ifdef CONFIG_FILS
139 /* AEAD cipher - Key MIC field not used */
140 struct ieee802_1x_hdr *s_hdr, *hdr;
141 struct wpa_eapol_key *s_key, *key;
142 u8 *buf, *s_key_data, *key_data;
143 size_t buf_len = msg_len + AES_BLOCK_SIZE;
144 size_t key_data_len;
145 u16 eapol_len;
146 const u8 *aad[1];
147 size_t aad_len[1];
148
149 if (!ptk || !ptk->kek_len)
150 goto out;
151
152 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
153 sizeof(struct wpa_eapol_key) - 2;
154
155 buf = os_malloc(buf_len);
156 if (!buf)
157 goto out;
158
159 os_memcpy(buf, msg, msg_len);
160 hdr = (struct ieee802_1x_hdr *) buf;
161 key = (struct wpa_eapol_key *) (hdr + 1);
162 key_data = ((u8 *) (key + 1)) + 2;
163
164 /* Update EAPOL header to include AES-SIV overhead */
165 eapol_len = be_to_host16(hdr->length);
166 eapol_len += AES_BLOCK_SIZE;
167 hdr->length = host_to_be16(eapol_len);
168
169 /* Update Key Data Length field to include AES-SIV overhead */
170 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
171
172 s_hdr = (struct ieee802_1x_hdr *) msg;
173 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
174 s_key_data = ((u8 *) (s_key + 1)) + 2;
175
176 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
177 s_key_data, key_data_len);
178
179 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
180 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
181 * to Key Data (exclusive). */
182 aad[0] = buf;
183 aad_len[0] = key_data - buf;
184 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
185 s_key_data, key_data_len,
186 1, aad, aad_len, key_data) < 0) {
187 os_free(buf);
188 goto out;
189 }
190
191 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
192 key_data, AES_BLOCK_SIZE + key_data_len);
193
194 os_free(msg);
195 msg = buf;
196 msg_len = buf_len;
197 #else /* CONFIG_FILS */
198 goto out;
199 #endif /* CONFIG_FILS */
200 }
201
202 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
203 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
204 eapol_sm_notify_tx_eapol_key(sm->eapol);
205 out:
206 os_free(msg);
207 return ret;
208 }
209
210
211 /**
212 * wpa_sm_key_request - Send EAPOL-Key Request
213 * @sm: Pointer to WPA state machine data from wpa_sm_init()
214 * @error: Indicate whether this is an Michael MIC error report
215 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
216 *
217 * Send an EAPOL-Key Request to the current authenticator. This function is
218 * used to request rekeying and it is usually called when a local Michael MIC
219 * failure is detected.
220 */
wpa_sm_key_request(struct wpa_sm * sm,int error,int pairwise)221 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
222 {
223 size_t mic_len, hdrlen, rlen;
224 struct wpa_eapol_key *reply;
225 int key_info, ver;
226 u8 *rbuf, *key_mic, *mic;
227
228 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
229 wpa_sm_get_state(sm) == WPA_COMPLETED && !error) {
230 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
231 "WPA: PTK0 rekey not allowed, reconnecting");
232 wpa_sm_reconnect(sm);
233 return;
234 }
235
236 if (!sm->ptk_set) {
237 wpa_printf(MSG_INFO,
238 "WPA: No PTK derived yet - cannot send EAPOL-Key Request");
239 return;
240 }
241
242 if (wpa_use_akm_defined(sm->key_mgmt))
243 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
244 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
245 wpa_key_mgmt_sha256(sm->key_mgmt))
246 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
247 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
248 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
249 else
250 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
251
252 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
253 hdrlen = sizeof(*reply) + mic_len + 2;
254 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
255 hdrlen, &rlen, (void *) &reply);
256 if (rbuf == NULL)
257 return;
258
259 reply->type = (sm->proto == WPA_PROTO_RSN ||
260 sm->proto == WPA_PROTO_OSEN) ?
261 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
262 key_info = WPA_KEY_INFO_REQUEST | ver;
263 key_info |= WPA_KEY_INFO_SECURE;
264 if (mic_len)
265 key_info |= WPA_KEY_INFO_MIC;
266 else
267 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
268 if (error)
269 key_info |= WPA_KEY_INFO_ERROR;
270 if (pairwise)
271 key_info |= WPA_KEY_INFO_KEY_TYPE;
272 WPA_PUT_BE16(reply->key_info, key_info);
273 WPA_PUT_BE16(reply->key_length, 0);
274 os_memcpy(reply->replay_counter, sm->request_counter,
275 WPA_REPLAY_COUNTER_LEN);
276 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
277
278 mic = (u8 *) (reply + 1);
279 WPA_PUT_BE16(mic + mic_len, 0);
280 if (!(key_info & WPA_KEY_INFO_MIC))
281 key_mic = NULL;
282 else
283 key_mic = mic;
284
285 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
286 "WPA: Sending EAPOL-Key Request (error=%d "
287 "pairwise=%d ptk_set=%d len=%lu)",
288 error, pairwise, sm->ptk_set, (unsigned long) rlen);
289 wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
290 ETH_P_EAPOL, rbuf, rlen, key_mic);
291 }
292
293
wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm * sm)294 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
295 {
296 #ifdef CONFIG_IEEE80211R
297 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
298 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
299 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
300 "RSN: Cannot set low order 256 bits of MSK for key management offload");
301 } else {
302 #endif /* CONFIG_IEEE80211R */
303 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
304 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
305 "RSN: Cannot set PMK for key management offload");
306 #ifdef CONFIG_IEEE80211R
307 }
308 #endif /* CONFIG_IEEE80211R */
309 }
310
311
wpa_supplicant_get_pmk(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * pmkid)312 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
313 const unsigned char *src_addr,
314 const u8 *pmkid)
315 {
316 int abort_cached = 0;
317
318 if (pmkid && !sm->cur_pmksa) {
319 /* When using drivers that generate RSN IE, wpa_supplicant may
320 * not have enough time to get the association information
321 * event before receiving this 1/4 message, so try to find a
322 * matching PMKSA cache entry here. */
323 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr,
324 sm->own_addr, pmkid,
325 NULL, 0);
326 if (sm->cur_pmksa) {
327 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
328 "RSN: found matching PMKID from PMKSA cache");
329 } else {
330 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
331 "RSN: no matching PMKID found");
332 abort_cached = 1;
333 }
334 }
335
336 if (pmkid && sm->cur_pmksa &&
337 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
338 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
339 wpa_sm_set_pmk_from_pmksa(sm);
340 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
341 sm->pmk, sm->pmk_len);
342 eapol_sm_notify_cached(sm->eapol);
343 #ifdef CONFIG_IEEE80211R
344 sm->xxkey_len = 0;
345 #ifdef CONFIG_SAE
346 if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE ||
347 sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
348 sm->pmk_len == PMK_LEN) {
349 /* Need to allow FT key derivation to proceed with
350 * PMK from SAE being used as the XXKey in cases where
351 * the PMKID in msg 1/4 matches the PMKSA entry that was
352 * just added based on SAE authentication for the
353 * initial mobility domain association. */
354 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
355 sm->xxkey_len = sm->pmk_len;
356 }
357 #endif /* CONFIG_SAE */
358 #endif /* CONFIG_IEEE80211R */
359 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
360 int res, pmk_len;
361 #ifdef CONFIG_IEEE80211R
362 u8 buf[2 * PMK_LEN];
363 #endif /* CONFIG_IEEE80211R */
364
365 if (wpa_key_mgmt_sha384(sm->key_mgmt))
366 pmk_len = PMK_LEN_SUITE_B_192;
367 else
368 pmk_len = PMK_LEN;
369 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
370 if (res) {
371 if (pmk_len == PMK_LEN) {
372 /*
373 * EAP-LEAP is an exception from other EAP
374 * methods: it uses only 16-byte PMK.
375 */
376 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
377 pmk_len = 16;
378 }
379 }
380 #ifdef CONFIG_IEEE80211R
381 if (res == 0 &&
382 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
383 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
384 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
385 sm->xxkey_len = SHA384_MAC_LEN;
386 } else {
387 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
388 sm->xxkey_len = PMK_LEN;
389 }
390 forced_memzero(buf, sizeof(buf));
391 if (sm->proto == WPA_PROTO_RSN &&
392 wpa_key_mgmt_ft(sm->key_mgmt)) {
393 struct rsn_pmksa_cache_entry *sa = NULL;
394 const u8 *fils_cache_id = NULL;
395
396 #ifdef CONFIG_FILS
397 if (sm->fils_cache_id_set)
398 fils_cache_id = sm->fils_cache_id;
399 #endif /* CONFIG_FILS */
400 wpa_hexdump_key(MSG_DEBUG,
401 "FT: Cache XXKey/MPMK",
402 sm->xxkey, sm->xxkey_len);
403 sa = pmksa_cache_add(sm->pmksa,
404 sm->xxkey, sm->xxkey_len,
405 NULL, NULL, 0,
406 src_addr, sm->own_addr,
407 sm->network_ctx,
408 sm->key_mgmt,
409 fils_cache_id);
410 if (!sm->cur_pmksa)
411 sm->cur_pmksa = sa;
412 }
413 }
414 #endif /* CONFIG_IEEE80211R */
415 if (res == 0) {
416 struct rsn_pmksa_cache_entry *sa = NULL;
417 const u8 *fils_cache_id = NULL;
418
419 #ifdef CONFIG_FILS
420 if (sm->fils_cache_id_set)
421 fils_cache_id = sm->fils_cache_id;
422 #endif /* CONFIG_FILS */
423
424 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
425 "machines", sm->pmk, pmk_len);
426 sm->pmk_len = pmk_len;
427 wpa_supplicant_key_mgmt_set_pmk(sm);
428 if (sm->proto == WPA_PROTO_RSN &&
429 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
430 !wpa_key_mgmt_ft(sm->key_mgmt)) {
431 sa = pmksa_cache_add(sm->pmksa,
432 sm->pmk, pmk_len, NULL,
433 NULL, 0,
434 src_addr, sm->own_addr,
435 sm->network_ctx,
436 sm->key_mgmt,
437 fils_cache_id);
438 }
439 if (!sm->cur_pmksa && pmkid &&
440 pmksa_cache_get(sm->pmksa, src_addr, sm->own_addr,
441 pmkid, NULL, 0)) {
442 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
443 "RSN: the new PMK matches with the "
444 "PMKID");
445 abort_cached = 0;
446 } else if (sa && !sm->cur_pmksa && pmkid) {
447 /*
448 * It looks like the authentication server
449 * derived mismatching MSK. This should not
450 * really happen, but bugs happen.. There is not
451 * much we can do here without knowing what
452 * exactly caused the server to misbehave.
453 */
454 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
455 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
456 return -1;
457 }
458
459 if (!sm->cur_pmksa)
460 sm->cur_pmksa = sa;
461 #ifdef CONFIG_IEEE80211R
462 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
463 wpa_printf(MSG_DEBUG,
464 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
465 #endif /* CONFIG_IEEE80211R */
466 } else {
467 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
468 "WPA: Failed to get master session key from "
469 "EAPOL state machines - key handshake "
470 "aborted");
471 if (sm->cur_pmksa) {
472 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
473 "RSN: Cancelled PMKSA caching "
474 "attempt");
475 sm->cur_pmksa = NULL;
476 abort_cached = 1;
477 } else if (!abort_cached) {
478 return -1;
479 }
480 }
481 }
482
483 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
484 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
485 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
486 {
487 /* Send EAPOL-Start to trigger full EAP authentication. */
488 u8 *buf;
489 size_t buflen;
490
491 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
492 "RSN: no PMKSA entry found - trigger "
493 "full EAP authentication");
494 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
495 NULL, 0, &buflen, NULL);
496 if (buf) {
497 /* Set and reset eapFail to allow EAP state machine to
498 * proceed with new authentication. */
499 eapol_sm_notify_eap_fail(sm->eapol, true);
500 eapol_sm_notify_eap_fail(sm->eapol, false);
501 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
502 buf, buflen);
503 os_free(buf);
504 return -2;
505 }
506
507 return -1;
508 }
509
510 return 0;
511 }
512
513
514 /**
515 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
516 * @sm: Pointer to WPA state machine data from wpa_sm_init()
517 * @dst: Destination address for the frame
518 * @key: Pointer to the EAPOL-Key frame header
519 * @ver: Version bits from EAPOL-Key Key Info
520 * @nonce: Nonce value for the EAPOL-Key frame
521 * @wpa_ie: WPA/RSN IE
522 * @wpa_ie_len: Length of the WPA/RSN IE
523 * @ptk: PTK to use for keyed hash and encryption
524 * Returns: >= 0 on success, < 0 on failure
525 */
wpa_supplicant_send_2_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,int ver,const u8 * nonce,const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ptk * ptk)526 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
527 const struct wpa_eapol_key *key,
528 int ver, const u8 *nonce,
529 const u8 *wpa_ie, size_t wpa_ie_len,
530 struct wpa_ptk *ptk)
531 {
532 size_t mic_len, hdrlen, rlen, extra_len = 0;
533 struct wpa_eapol_key *reply;
534 u8 *rbuf, *key_mic;
535 u8 *rsn_ie_buf = NULL, *buf2 = NULL;
536 u16 key_info;
537 #ifdef CONFIG_TESTING_OPTIONS
538 size_t pad_len = 0;
539 #endif /* CONFIG_TESTING_OPTIONS */
540
541 if (wpa_ie == NULL) {
542 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
543 "cannot generate msg 2/4");
544 return -1;
545 }
546
547 #ifdef CONFIG_IEEE80211R
548 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
549 int res;
550
551 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE before FT processing",
552 wpa_ie, wpa_ie_len);
553 /*
554 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
555 * FTIE from (Re)Association Response.
556 */
557 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
558 sm->assoc_resp_ies_len);
559 if (rsn_ie_buf == NULL)
560 return -1;
561 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
562 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
563 sm->pmk_r1_name, !sm->ft_prepend_pmkid);
564 if (res < 0) {
565 os_free(rsn_ie_buf);
566 return -1;
567 }
568 wpa_hexdump(MSG_DEBUG,
569 "WPA: WPA IE after PMKID[PMKR1Name] addition into RSNE",
570 rsn_ie_buf, wpa_ie_len);
571
572 if (sm->assoc_resp_ies) {
573 wpa_hexdump(MSG_DEBUG, "WPA: Add assoc_resp_ies",
574 sm->assoc_resp_ies,
575 sm->assoc_resp_ies_len);
576 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
577 sm->assoc_resp_ies_len);
578 wpa_ie_len += sm->assoc_resp_ies_len;
579 }
580
581 wpa_ie = rsn_ie_buf;
582 }
583 #endif /* CONFIG_IEEE80211R */
584
585 if (sm->rsn_override != RSN_OVERRIDE_NOT_USED) {
586 u8 *pos;
587
588 buf2 = os_malloc(wpa_ie_len + 2 + 4 + 1);
589 if (!buf2) {
590 os_free(rsn_ie_buf);
591 return -1;
592 }
593 os_memcpy(buf2, wpa_ie, wpa_ie_len);
594 pos = buf2 + wpa_ie_len;
595 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
596 *pos++ = 4 + 1;
597 WPA_PUT_BE32(pos, RSN_SELECTION_IE_VENDOR_TYPE);
598 pos += 4;
599 if (sm->rsn_override == RSN_OVERRIDE_RSNE) {
600 *pos++ = RSN_SELECTION_RSNE;
601 } else if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE) {
602 *pos++ = RSN_SELECTION_RSNE_OVERRIDE;
603 } else if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE_2) {
604 *pos++ = RSN_SELECTION_RSNE_OVERRIDE_2;
605 } else {
606 os_free(rsn_ie_buf);
607 os_free(buf2);
608 return -1;
609 }
610
611 wpa_ie = buf2;
612 wpa_ie_len += 2 + 4 + 1;
613
614 }
615
616 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
617
618 #ifdef CONFIG_TESTING_OPTIONS
619 if (sm->test_eapol_m2_elems)
620 extra_len = wpabuf_len(sm->test_eapol_m2_elems);
621 if (sm->encrypt_eapol_m2) {
622 pad_len = (wpa_ie_len + extra_len) % 8;
623 if (pad_len)
624 pad_len = 8 - pad_len;
625 extra_len += pad_len + 8;
626 }
627 #endif /* CONFIG_TESTING_OPTIONS */
628
629 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
630 hdrlen = sizeof(*reply) + mic_len + 2;
631 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
632 NULL, hdrlen + wpa_ie_len + extra_len,
633 &rlen, (void *) &reply);
634 if (rbuf == NULL) {
635 os_free(rsn_ie_buf);
636 os_free(buf2);
637 return -1;
638 }
639
640 reply->type = (sm->proto == WPA_PROTO_RSN ||
641 sm->proto == WPA_PROTO_OSEN) ?
642 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
643 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
644 if (sm->ptk_set && sm->proto != WPA_PROTO_WPA)
645 key_info |= WPA_KEY_INFO_SECURE;
646 if (mic_len)
647 key_info |= WPA_KEY_INFO_MIC;
648 else
649 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
650 #ifdef CONFIG_TESTING_OPTIONS
651 if (sm->encrypt_eapol_m2)
652 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
653 #endif /* CONFIG_TESTING_OPTIONS */
654 WPA_PUT_BE16(reply->key_info, key_info);
655 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
656 WPA_PUT_BE16(reply->key_length, 0);
657 else
658 os_memcpy(reply->key_length, key->key_length, 2);
659 os_memcpy(reply->replay_counter, key->replay_counter,
660 WPA_REPLAY_COUNTER_LEN);
661 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
662 WPA_REPLAY_COUNTER_LEN);
663
664 key_mic = (u8 *) (reply + 1);
665 /* Key Data Length */
666 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len + extra_len);
667 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
668 os_free(rsn_ie_buf);
669 os_free(buf2);
670 #ifdef CONFIG_TESTING_OPTIONS
671 if (sm->test_eapol_m2_elems) {
672 os_memcpy(key_mic + mic_len + 2 + wpa_ie_len,
673 wpabuf_head(sm->test_eapol_m2_elems),
674 wpabuf_len(sm->test_eapol_m2_elems));
675 }
676
677 if (sm->encrypt_eapol_m2) {
678 u8 *plain;
679 size_t plain_len;
680
681 if (sm->test_eapol_m2_elems)
682 extra_len = wpabuf_len(sm->test_eapol_m2_elems);
683 else
684 extra_len = 0;
685 plain_len = wpa_ie_len + extra_len + pad_len;
686 plain = os_memdup(key_mic + mic_len + 2, plain_len);
687 if (!plain) {
688 os_free(rbuf);
689 return -1;
690 }
691 if (pad_len)
692 plain[plain_len - pad_len] = 0xdd;
693
694 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
695 ptk->kek, ptk->kek_len);
696 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain,
697 key_mic + mic_len + 2)) {
698 os_free(plain);
699 os_free(rbuf);
700 return -1;
701 }
702 wpa_hexdump(MSG_DEBUG,
703 "RSN: Encrypted Key Data from AES-WRAP",
704 key_mic + mic_len + 2, plain_len + 8);
705 os_free(plain);
706 }
707 #endif /* CONFIG_TESTING_OPTIONS */
708
709 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
710
711 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 2/4");
712 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
713 key_mic);
714 }
715
716
wpa_derive_ptk(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)717 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
718 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
719 {
720 int ret;
721 const u8 *z = NULL;
722 size_t z_len = 0, kdk_len;
723 int akmp;
724
725 #ifdef CONFIG_IEEE80211R
726 if (wpa_key_mgmt_ft(sm->key_mgmt))
727 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
728 #endif /* CONFIG_IEEE80211R */
729
730 #ifdef CONFIG_DPP2
731 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
732 z = wpabuf_head(sm->dpp_z);
733 z_len = wpabuf_len(sm->dpp_z);
734 }
735 #endif /* CONFIG_DPP2 */
736
737 akmp = sm->key_mgmt;
738 #ifdef CONFIG_OWE
739 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
740 sm->pmk_len > 32) {
741 wpa_printf(MSG_DEBUG,
742 "OWE: Force SHA256 for PTK derivation");
743 akmp |= WPA_KEY_MGMT_PSK_SHA256;
744 }
745 #endif /* CONFIG_OWE */
746
747 if (sm->force_kdk_derivation ||
748 (sm->secure_ltf &&
749 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
750 kdk_len = WPA_KDK_MAX_LEN;
751 else
752 kdk_len = 0;
753
754 ret = wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
755 sm->own_addr, wpa_sm_get_auth_addr(sm), sm->snonce,
756 key->key_nonce, ptk, akmp,
757 sm->pairwise_cipher, z, z_len,
758 kdk_len);
759 if (ret) {
760 wpa_printf(MSG_ERROR, "WPA: PTK derivation failed");
761 return ret;
762 }
763
764 #ifdef CONFIG_PASN
765 if (sm->secure_ltf &&
766 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))
767 ret = wpa_ltf_keyseed(ptk, akmp, sm->pairwise_cipher);
768 #endif /* CONFIG_PASN */
769
770 return ret;
771 }
772
773
wpa_handle_ext_key_id(struct wpa_sm * sm,struct wpa_eapol_ie_parse * kde)774 static int wpa_handle_ext_key_id(struct wpa_sm *sm,
775 struct wpa_eapol_ie_parse *kde)
776 {
777 if (sm->ext_key_id) {
778 u16 key_id;
779
780 if (!kde->key_id) {
781 wpa_msg(sm->ctx->msg_ctx,
782 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
783 "RSN: No Key ID in Extended Key ID handshake");
784 sm->keyidx_active = 0;
785 return sm->use_ext_key_id ? -1 : 0;
786 }
787
788 key_id = kde->key_id[0] & 0x03;
789 if (key_id > 1) {
790 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
791 "RSN: Invalid Extended Key ID: %d", key_id);
792 return -1;
793 }
794 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
795 "RSN: Using Extended Key ID %d", key_id);
796 sm->keyidx_active = key_id;
797 sm->use_ext_key_id = 1;
798 } else {
799 if (kde->key_id && (kde->key_id[0] & 0x03)) {
800 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
801 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
802 return -1;
803 }
804
805 if (kde->key_id) {
806 /* This is not supposed to be included here, but ignore
807 * the case of matching Key ID 0 just in case. */
808 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
809 "RSN: Extended Key ID Key ID 0 in PTK0 handshake");
810 }
811 sm->keyidx_active = 0;
812 sm->use_ext_key_id = 0;
813 }
814
815 return 0;
816 }
817
818
rsn_add_kde(u8 * pos,u32 kde,const u8 * data,size_t data_len)819 static u8 * rsn_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
820 {
821 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
822 *pos++ = RSN_SELECTOR_LEN + data_len;
823 RSN_SELECTOR_PUT(pos, kde);
824 pos += RSN_SELECTOR_LEN;
825 os_memcpy(pos, data, data_len);
826 pos += data_len;
827
828 return pos;
829 }
830
831
wpa_mlo_link_kde_len(struct wpa_sm * sm)832 static size_t wpa_mlo_link_kde_len(struct wpa_sm *sm)
833 {
834 int i;
835 unsigned int num_links = 0;
836
837 for_each_link(sm->mlo.req_links, i) {
838 if (sm->mlo.assoc_link_id != i)
839 num_links++;
840 }
841
842 return num_links * (RSN_SELECTOR_LEN + 1 + ETH_ALEN + 2);
843 }
844
845
wpa_mlo_link_kde(struct wpa_sm * sm,u8 * pos)846 static u8 * wpa_mlo_link_kde(struct wpa_sm *sm, u8 *pos)
847 {
848 int i;
849 u8 hdr[1 + ETH_ALEN];
850
851 for_each_link(sm->mlo.req_links, i) {
852 if (sm->mlo.assoc_link_id == i)
853 continue;
854
855 wpa_printf(MSG_DEBUG,
856 "MLO: Add MLO Link %d KDE in EAPOL-Key 2/4", i);
857 hdr[0] = i & 0xF; /* LinkID; no RSNE or RSNXE */
858 os_memcpy(&hdr[1], sm->mlo.links[i].addr, ETH_ALEN);
859 pos = rsn_add_kde(pos, RSN_KEY_DATA_MLO_LINK, hdr, sizeof(hdr));
860 }
861
862 return pos;
863 }
864
865
is_valid_ap_mld_mac_kde(struct wpa_sm * sm,const u8 * mac_kde)866 static bool is_valid_ap_mld_mac_kde(struct wpa_sm *sm, const u8 *mac_kde)
867 {
868 return mac_kde &&
869 ether_addr_equal(mac_kde, sm->mlo.ap_mld_addr);
870 }
871
872
wpas_swap_tkip_mic_keys(struct wpa_ptk * ptk)873 static void wpas_swap_tkip_mic_keys(struct wpa_ptk *ptk)
874 {
875 u8 buf[8];
876
877 /* Supplicant: swap tx/rx Mic keys */
878 os_memcpy(buf, &ptk->tk[16], 8);
879 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
880 os_memcpy(&ptk->tk[24], buf, 8);
881 forced_memzero(buf, sizeof(buf));
882 }
883
884
wpa_supplicant_process_1_of_4_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)885 static void wpa_supplicant_process_1_of_4_wpa(struct wpa_sm *sm,
886 const unsigned char *src_addr,
887 const struct wpa_eapol_key *key,
888 u16 ver, const u8 *key_data,
889 size_t key_data_len,
890 enum frame_encryption encrypted)
891 {
892 struct wpa_eapol_ie_parse ie;
893 struct wpa_ptk *ptk;
894 int res;
895
896 if (wpa_sm_get_network_ctx(sm) == NULL) {
897 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
898 "WPA: No SSID info found (msg 1 of 4)");
899 return;
900 }
901
902 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
903 "WPA: RX message 1 of 4-Way Handshake from " MACSTR
904 " (ver=%d)", MAC2STR(src_addr), ver);
905
906 os_memset(&ie, 0, sizeof(ie));
907
908 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
909 if (res == -2) {
910 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
911 "WPA: Do not reply to msg 1/4 - requesting full EAP authentication");
912 return;
913 }
914 if (res)
915 goto failed;
916
917 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
918
919 if (sm->renew_snonce) {
920 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
921 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
922 "WPA: Failed to get random data for SNonce");
923 goto failed;
924 }
925 sm->renew_snonce = 0;
926 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
927 sm->snonce, WPA_NONCE_LEN);
928 }
929
930 /* Calculate PTK which will be stored as a temporary PTK until it has
931 * been verified when processing message 3/4. */
932 ptk = &sm->tptk;
933 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
934 goto failed;
935 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
936 wpas_swap_tkip_mic_keys(ptk);
937 sm->tptk_set = 1;
938
939 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
940 sm->snonce, sm->assoc_wpa_ie,
941 sm->assoc_wpa_ie_len, ptk) < 0)
942 goto failed;
943
944 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
945 return;
946
947 failed:
948 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
949 }
950
951
wpa_supplicant_process_1_of_4(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len,enum frame_encryption encrypted)952 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
953 const unsigned char *src_addr,
954 const struct wpa_eapol_key *key,
955 u16 ver, const u8 *key_data,
956 size_t key_data_len,
957 enum frame_encryption encrypted)
958 {
959 struct wpa_eapol_ie_parse ie;
960 struct wpa_ptk *ptk;
961 int res;
962 u8 *kde, *kde_buf = NULL;
963 size_t kde_len;
964 size_t mlo_kde_len = 0;
965
966 if (encrypted == FRAME_NOT_ENCRYPTED && sm->tk_set &&
967 wpa_sm_pmf_enabled(sm)) {
968 wpa_printf(MSG_DEBUG,
969 "RSN: Discard unencrypted EAPOL-Key msg 1/4 when TK is set and PMF is enabled");
970 return;
971 }
972
973 if (wpa_sm_get_network_ctx(sm) == NULL) {
974 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
975 "found (msg 1 of 4)");
976 return;
977 }
978
979 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
980 wpa_sm_get_state(sm) == WPA_COMPLETED) {
981 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
982 "WPA: PTK0 rekey not allowed, reconnecting");
983 wpa_sm_reconnect(sm);
984 return;
985 }
986
987 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: RX message 1 of 4-Way "
988 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
989
990 os_memset(&ie, 0, sizeof(ie));
991
992 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
993 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", key_data, key_data_len);
994 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
995 wpa_printf(MSG_DEBUG,
996 "RSN: Discard EAPOL-Key msg 1/4 with invalid IEs/KDEs");
997 return;
998 }
999 if (ie.pmkid) {
1000 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from Authenticator",
1001 ie.pmkid, PMKID_LEN);
1002 }
1003
1004 if (sm->mlo.valid_links && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
1005 wpa_printf(MSG_INFO,
1006 "RSN: Discard EAPOL-Key msg 1/4 with invalid AP MLD MAC address KDE");
1007 return;
1008 }
1009
1010 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
1011 if (res == -2) {
1012 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
1013 "msg 1/4 - requesting full EAP authentication");
1014 return;
1015 }
1016 if (res)
1017 goto failed;
1018
1019 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1020
1021 if (sm->renew_snonce) {
1022 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
1023 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1024 "WPA: Failed to get random data for SNonce");
1025 goto failed;
1026 }
1027 if (wpa_sm_rsn_overriding_supported(sm))
1028 rsn_set_snonce_cookie(sm->snonce);
1029 sm->renew_snonce = 0;
1030 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
1031 sm->snonce, WPA_NONCE_LEN);
1032 }
1033
1034 /* Calculate PTK which will be stored as a temporary PTK until it has
1035 * been verified when processing message 3/4. */
1036 ptk = &sm->tptk;
1037 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
1038 goto failed;
1039 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
1040 wpas_swap_tkip_mic_keys(ptk);
1041 sm->tptk_set = 1;
1042
1043 /* Add MLO Link KDE and MAC KDE in M2 for ML connection */
1044 if (sm->mlo.valid_links)
1045 mlo_kde_len = wpa_mlo_link_kde_len(sm) +
1046 RSN_SELECTOR_LEN + ETH_ALEN + 2;
1047
1048 kde = sm->assoc_wpa_ie;
1049 kde_len = sm->assoc_wpa_ie_len;
1050 kde_buf = os_malloc(kde_len +
1051 2 + RSN_SELECTOR_LEN + 3 +
1052 sm->assoc_rsnxe_len +
1053 2 + RSN_SELECTOR_LEN + 1 +
1054 2 + RSN_SELECTOR_LEN + 2 + mlo_kde_len);
1055
1056 if (!kde_buf)
1057 goto failed;
1058 os_memcpy(kde_buf, kde, kde_len);
1059 kde = kde_buf;
1060
1061 #ifdef CONFIG_OCV
1062 if (wpa_sm_ocv_enabled(sm)) {
1063 struct wpa_channel_info ci;
1064 u8 *pos;
1065
1066 pos = kde + kde_len;
1067 if (wpa_sm_channel_info(sm, &ci) != 0) {
1068 wpa_printf(MSG_WARNING,
1069 "Failed to get channel info for OCI element in EAPOL-Key 2/4");
1070 goto failed;
1071 }
1072 #ifdef CONFIG_TESTING_OPTIONS
1073 if (sm->oci_freq_override_eapol) {
1074 wpa_printf(MSG_INFO,
1075 "TEST: Override OCI KDE frequency %d -> %d MHz",
1076 ci.frequency, sm->oci_freq_override_eapol);
1077 ci.frequency = sm->oci_freq_override_eapol;
1078 }
1079 #endif /* CONFIG_TESTING_OPTIONS */
1080
1081 if (ocv_insert_oci_kde(&ci, &pos) < 0)
1082 goto failed;
1083 kde_len = pos - kde;
1084 }
1085 #endif /* CONFIG_OCV */
1086
1087 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
1088 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
1089 kde_len += sm->assoc_rsnxe_len;
1090 }
1091
1092 #ifdef CONFIG_P2P
1093 if (sm->p2p) {
1094 u8 *pos;
1095
1096 wpa_printf(MSG_DEBUG,
1097 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
1098 pos = kde + kde_len;
1099 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1100 *pos++ = RSN_SELECTOR_LEN + 1;
1101 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
1102 pos += RSN_SELECTOR_LEN;
1103 *pos++ = 0x01;
1104 kde_len = pos - kde;
1105 }
1106 #endif /* CONFIG_P2P */
1107
1108 #ifdef CONFIG_DPP2
1109 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
1110 u8 *pos;
1111
1112 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
1113 pos = kde + kde_len;
1114 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1115 *pos++ = RSN_SELECTOR_LEN + 2;
1116 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
1117 pos += RSN_SELECTOR_LEN;
1118 *pos++ = DPP_VERSION; /* Protocol Version */
1119 *pos = 0; /* Flags */
1120 if (sm->dpp_pfs == 0)
1121 *pos |= DPP_KDE_PFS_ALLOWED;
1122 else if (sm->dpp_pfs == 1)
1123 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
1124 pos++;
1125 kde_len = pos - kde;
1126 }
1127 #endif /* CONFIG_DPP2 */
1128
1129 if (sm->mlo.valid_links) {
1130 u8 *pos;
1131
1132 /* Add MAC KDE */
1133 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 2/4");
1134 pos = kde + kde_len;
1135 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
1136 ETH_ALEN);
1137
1138 /* Add MLO Link KDE */
1139 wpa_printf(MSG_DEBUG, "Add MLO Link KDE(s) into EAPOL-Key 2/4");
1140 pos = wpa_mlo_link_kde(sm, pos);
1141 kde_len = pos - kde;
1142 }
1143
1144 if (wpa_supplicant_send_2_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
1145 sm->snonce, kde, kde_len, ptk) < 0)
1146 goto failed;
1147
1148 os_free(kde_buf);
1149 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
1150 return;
1151
1152 failed:
1153 os_free(kde_buf);
1154 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1155 }
1156
1157
wpa_sm_start_preauth(void * eloop_ctx,void * timeout_ctx)1158 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
1159 {
1160 struct wpa_sm *sm = eloop_ctx;
1161 rsn_preauth_candidate_process(sm);
1162 }
1163
1164
wpa_supplicant_key_neg_complete(struct wpa_sm * sm,const u8 * addr,int secure)1165 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
1166 const u8 *addr, int secure)
1167 {
1168 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1169 "WPA: Key negotiation completed with "
1170 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
1171 wpa_cipher_txt(sm->pairwise_cipher),
1172 wpa_cipher_txt(sm->group_cipher));
1173 wpa_sm_cancel_auth_timeout(sm);
1174 wpa_sm_set_state(sm, WPA_COMPLETED);
1175
1176 if (secure) {
1177 wpa_sm_mlme_setprotection(
1178 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
1179 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1180 eapol_sm_notify_portValid(sm->eapol, true);
1181 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
1182 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
1183 sm->key_mgmt == WPA_KEY_MGMT_OWE)
1184 eapol_sm_notify_eap_success(sm->eapol, true);
1185 /*
1186 * Start preauthentication after a short wait to avoid a
1187 * possible race condition between the data receive and key
1188 * configuration after the 4-Way Handshake. This increases the
1189 * likelihood of the first preauth EAPOL-Start frame getting to
1190 * the target AP.
1191 */
1192 if (!dl_list_empty(&sm->pmksa_candidates))
1193 eloop_register_timeout(1, 0, wpa_sm_start_preauth,
1194 sm, NULL);
1195 }
1196
1197 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
1198 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1199 "RSN: Authenticator accepted "
1200 "opportunistic PMKSA entry - marking it valid");
1201 sm->cur_pmksa->opportunistic = 0;
1202 }
1203
1204 #ifdef CONFIG_IEEE80211R
1205 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
1206 /* Prepare for the next transition */
1207 wpa_ft_prepare_auth_request(sm, NULL);
1208 }
1209 #endif /* CONFIG_IEEE80211R */
1210 }
1211
1212
wpa_sm_rekey_ptk(void * eloop_ctx,void * timeout_ctx)1213 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
1214 {
1215 struct wpa_sm *sm = eloop_ctx;
1216 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
1217 wpa_sm_key_request(sm, 0, 1);
1218 }
1219
1220
wpa_supplicant_install_ptk(struct wpa_sm * sm,const struct wpa_eapol_key * key,enum key_flag key_flag)1221 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
1222 const struct wpa_eapol_key *key,
1223 enum key_flag key_flag)
1224 {
1225 int keylen, rsclen;
1226 enum wpa_alg alg;
1227 const u8 *key_rsc;
1228
1229 if (sm->ptk.installed) {
1230 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1231 "WPA: Do not re-install same PTK to the driver");
1232 return 0;
1233 }
1234
1235 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1236 "WPA: Installing PTK to the driver");
1237
1238 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1239 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
1240 "Suite: NONE - do not use pairwise keys");
1241 return 0;
1242 }
1243
1244 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
1245 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1246 "WPA: Unsupported pairwise cipher %d",
1247 sm->pairwise_cipher);
1248 return -1;
1249 }
1250
1251 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
1252 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
1253 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
1254 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
1255 keylen, (long unsigned int) sm->ptk.tk_len);
1256 return -1;
1257 }
1258 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
1259
1260 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
1261 key_rsc = null_rsc;
1262 } else {
1263 key_rsc = key->key_rsc;
1264 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
1265 }
1266
1267 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm),
1268 sm->keyidx_active, 1, key_rsc, rsclen, sm->ptk.tk,
1269 keylen, KEY_FLAG_PAIRWISE | key_flag) < 0) {
1270 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1271 "WPA: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
1272 MACSTR " idx=%d key_flag=0x%x)",
1273 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)),
1274 sm->keyidx_active, key_flag);
1275 return -1;
1276 }
1277
1278 #ifdef CONFIG_PASN
1279 if (sm->secure_ltf &&
1280 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
1281 wpa_sm_set_ltf_keyseed(sm, sm->own_addr, sm->bssid,
1282 sm->ptk.ltf_keyseed_len,
1283 sm->ptk.ltf_keyseed) < 0) {
1284 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1285 "WPA: Failed to set LTF keyseed to the driver (keylen=%zu bssid="
1286 MACSTR ")", sm->ptk.ltf_keyseed_len,
1287 MAC2STR(sm->bssid));
1288 return -1;
1289 }
1290 #endif /* CONFIG_PASN */
1291
1292 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
1293 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
1294
1295 /* TK is not needed anymore in supplicant */
1296 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
1297 sm->ptk.tk_len = 0;
1298 sm->ptk.installed = 1;
1299 sm->tk_set = true;
1300
1301 if (sm->wpa_ptk_rekey) {
1302 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
1303 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
1304 sm, NULL);
1305 }
1306 return 0;
1307 }
1308
1309
wpa_supplicant_activate_ptk(struct wpa_sm * sm)1310 static int wpa_supplicant_activate_ptk(struct wpa_sm *sm)
1311 {
1312 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1313 "WPA: Activate PTK (idx=%d auth_addr=" MACSTR ")",
1314 sm->keyidx_active, MAC2STR(wpa_sm_get_auth_addr(sm)));
1315
1316 if (wpa_sm_set_key(sm, -1, 0, wpa_sm_get_auth_addr(sm),
1317 sm->keyidx_active, 0, NULL, 0, NULL, 0,
1318 KEY_FLAG_PAIRWISE_RX_TX_MODIFY) < 0) {
1319 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1320 "WPA: Failed to activate PTK for TX (idx=%d auth_addr="
1321 MACSTR ")", sm->keyidx_active,
1322 MAC2STR(wpa_sm_get_auth_addr(sm)));
1323 return -1;
1324 }
1325 return 0;
1326 }
1327
1328
wpa_supplicant_check_group_cipher(struct wpa_sm * sm,int group_cipher,int keylen,int maxkeylen,int * key_rsc_len,enum wpa_alg * alg)1329 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
1330 int group_cipher,
1331 int keylen, int maxkeylen,
1332 int *key_rsc_len,
1333 enum wpa_alg *alg)
1334 {
1335 int klen;
1336
1337 *alg = wpa_cipher_to_alg(group_cipher);
1338 if (*alg == WPA_ALG_NONE) {
1339 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1340 "WPA: Unsupported Group Cipher %d",
1341 group_cipher);
1342 return -1;
1343 }
1344 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
1345
1346 klen = wpa_cipher_key_len(group_cipher);
1347 if (keylen != klen || maxkeylen < klen) {
1348 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1349 "WPA: Unsupported %s Group Cipher key length %d (%d)",
1350 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
1351 return -1;
1352 }
1353 return 0;
1354 }
1355
1356
1357 struct wpa_gtk_data {
1358 enum wpa_alg alg;
1359 int tx, key_rsc_len, keyidx;
1360 u8 gtk[32];
1361 int gtk_len;
1362 };
1363
1364
wpa_supplicant_install_gtk(struct wpa_sm * sm,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1365 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
1366 const struct wpa_gtk_data *gd,
1367 const u8 *key_rsc, int wnm_sleep)
1368 {
1369 const u8 *_gtk = gd->gtk;
1370 u8 gtk_buf[32];
1371
1372 /* Detect possible key reinstallation */
1373 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
1374 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
1375 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
1376 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
1377 sm->gtk_wnm_sleep.gtk_len) == 0)) {
1378 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1379 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
1380 gd->keyidx, gd->tx, gd->gtk_len);
1381 return 0;
1382 }
1383
1384 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1385 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1386 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
1387 gd->keyidx, gd->tx, gd->gtk_len);
1388 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1389 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1390 /* Swap Tx/Rx keys for Michael MIC */
1391 os_memcpy(gtk_buf, gd->gtk, 16);
1392 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1393 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1394 _gtk = gtk_buf;
1395 }
1396 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1397 if (wpa_sm_set_key(sm, -1, gd->alg, NULL,
1398 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1399 _gtk, gd->gtk_len,
1400 KEY_FLAG_GROUP_RX_TX_DEFAULT) < 0) {
1401 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1402 "WPA: Failed to set GTK to the driver "
1403 "(Group only)");
1404 forced_memzero(gtk_buf, sizeof(gtk_buf));
1405 return -1;
1406 }
1407 } else if (wpa_sm_set_key(sm, -1, gd->alg, broadcast_ether_addr,
1408 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1409 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1410 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1411 "WPA: Failed to set GTK to "
1412 "the driver (alg=%d keylen=%d keyidx=%d)",
1413 gd->alg, gd->gtk_len, gd->keyidx);
1414 forced_memzero(gtk_buf, sizeof(gtk_buf));
1415 return -1;
1416 }
1417 forced_memzero(gtk_buf, sizeof(gtk_buf));
1418
1419 if (wnm_sleep) {
1420 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
1421 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
1422 sm->gtk_wnm_sleep.gtk_len);
1423 } else {
1424 sm->gtk.gtk_len = gd->gtk_len;
1425 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
1426 }
1427
1428 return 0;
1429 }
1430
1431
wpa_supplicant_install_mlo_gtk(struct wpa_sm * sm,u8 link_id,const struct wpa_gtk_data * gd,const u8 * key_rsc,int wnm_sleep)1432 static int wpa_supplicant_install_mlo_gtk(struct wpa_sm *sm, u8 link_id,
1433 const struct wpa_gtk_data *gd,
1434 const u8 *key_rsc, int wnm_sleep)
1435 {
1436 const u8 *gtk = gd->gtk;
1437 u8 gtk_buf[32];
1438
1439 /* Detect possible key reinstallation */
1440 if ((sm->mlo.links[link_id].gtk.gtk_len == (size_t) gd->gtk_len &&
1441 os_memcmp(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1442 sm->mlo.links[link_id].gtk.gtk_len) == 0) ||
1443 (sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len ==
1444 (size_t) gd->gtk_len &&
1445 os_memcmp(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1446 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len) == 0)) {
1447 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1448 "RSN: Not reinstalling already in-use GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1449 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1450 return 0;
1451 }
1452
1453 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: Group Key", gd->gtk,
1454 gd->gtk_len);
1455 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1456 "RSN: Installing GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1457 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1458 wpa_hexdump_link(MSG_DEBUG, link_id, "RSN: RSC",
1459 key_rsc, gd->key_rsc_len);
1460 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1461 /* Swap Tx/Rx keys for Michael MIC */
1462 os_memcpy(gtk_buf, gd->gtk, 16);
1463 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1464 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1465 gtk = gtk_buf;
1466 }
1467 if (wpa_sm_set_key(sm, link_id, gd->alg, broadcast_ether_addr,
1468 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, gtk,
1469 gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1470 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1471 "RSN: Failed to set GTK to the driver (link_id=%d alg=%d keylen=%d keyidx=%d)",
1472 link_id, gd->alg, gd->gtk_len, gd->keyidx);
1473 forced_memzero(gtk_buf, sizeof(gtk_buf));
1474 return -1;
1475 }
1476 forced_memzero(gtk_buf, sizeof(gtk_buf));
1477
1478 if (wnm_sleep) {
1479 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len = gd->gtk_len;
1480 os_memcpy(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1481 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len);
1482 } else {
1483 sm->mlo.links[link_id].gtk.gtk_len = gd->gtk_len;
1484 os_memcpy(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1485 sm->mlo.links[link_id].gtk.gtk_len);
1486 }
1487
1488 return 0;
1489 }
1490
1491
wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm * sm,int tx)1492 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
1493 int tx)
1494 {
1495 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1496 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
1497 * seemed to set this bit (incorrectly, since Tx is only when
1498 * doing Group Key only APs) and without this workaround, the
1499 * data connection does not work because wpa_supplicant
1500 * configured non-zero keyidx to be used for unicast. */
1501 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1502 "WPA: Tx bit set for GTK, but pairwise "
1503 "keys are used - ignore Tx bit");
1504 return 0;
1505 }
1506 return tx;
1507 }
1508
1509
wpa_supplicant_rsc_relaxation(const struct wpa_sm * sm,const u8 * rsc)1510 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
1511 const u8 *rsc)
1512 {
1513 int rsclen;
1514
1515 if (!sm->wpa_rsc_relaxation)
1516 return 0;
1517
1518 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
1519
1520 /*
1521 * Try to detect RSC (endian) corruption issue where the AP sends
1522 * the RSC bytes in EAPOL-Key message in the wrong order, both if
1523 * it's actually a 6-byte field (as it should be) and if it treats
1524 * it as an 8-byte field.
1525 * An AP model known to have this bug is the Sapido RB-1632.
1526 */
1527 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
1528 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1529 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
1530 rsc[0], rsc[1], rsc[2], rsc[3],
1531 rsc[4], rsc[5], rsc[6], rsc[7]);
1532
1533 return 1;
1534 }
1535
1536 return 0;
1537 }
1538
1539
wpa_supplicant_mlo_gtk(struct wpa_sm * sm,u8 link_id,const u8 * gtk,size_t gtk_len,int key_info)1540 static int wpa_supplicant_mlo_gtk(struct wpa_sm *sm, u8 link_id, const u8 *gtk,
1541 size_t gtk_len, int key_info)
1542 {
1543 struct wpa_gtk_data gd;
1544 const u8 *key_rsc;
1545 int ret;
1546
1547 /*
1548 * MLO GTK KDE format:
1549 * KeyID[bits 0-1], Tx [bit 2], Reserved [bit 3], link id [4-7]
1550 * PN
1551 * GTK
1552 */
1553 os_memset(&gd, 0, sizeof(gd));
1554 wpa_hexdump_link_key(MSG_DEBUG, link_id,
1555 "RSN: received GTK in pairwise handshake",
1556 gtk, gtk_len);
1557
1558 if (gtk_len < RSN_MLO_GTK_KDE_PREFIX_LENGTH ||
1559 gtk_len - RSN_MLO_GTK_KDE_PREFIX_LENGTH > sizeof(gd.gtk))
1560 return -1;
1561
1562 gd.keyidx = gtk[0] & 0x3;
1563 gtk += 1;
1564 gtk_len -= 1;
1565
1566 key_rsc = gtk;
1567
1568 gtk += 6;
1569 gtk_len -= 6;
1570
1571 os_memcpy(gd.gtk, gtk, gtk_len);
1572 gd.gtk_len = gtk_len;
1573
1574 ret = 0;
1575 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, gtk_len,
1576 gtk_len, &gd.key_rsc_len,
1577 &gd.alg) ||
1578 wpa_supplicant_install_mlo_gtk(sm, link_id, &gd, key_rsc, 0)) {
1579 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1580 "RSN: Failed to install GTK for MLO Link ID %u",
1581 link_id);
1582 ret = -1;
1583 goto out;
1584 }
1585
1586 out:
1587 forced_memzero(&gd, sizeof(gd));
1588 return ret;
1589 }
1590
1591
wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,struct wpa_eapol_ie_parse * ie,int key_info)1592 static int wpa_supplicant_pairwise_mlo_gtk(struct wpa_sm *sm,
1593 const struct wpa_eapol_key *key,
1594 struct wpa_eapol_ie_parse *ie,
1595 int key_info)
1596 {
1597 u8 i;
1598
1599 for_each_link(sm->mlo.valid_links, i) {
1600 if (!ie->mlo_gtk[i]) {
1601 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1602 "MLO RSN: GTK not found for link ID %u", i);
1603 return -1;
1604 }
1605
1606 if (wpa_supplicant_mlo_gtk(sm, i, ie->mlo_gtk[i],
1607 ie->mlo_gtk_len[i], key_info))
1608 return -1;
1609 }
1610
1611 return 0;
1612 }
1613
1614
wpa_supplicant_pairwise_gtk(struct wpa_sm * sm,const struct wpa_eapol_key * key,const u8 * gtk,size_t gtk_len,int key_info)1615 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
1616 const struct wpa_eapol_key *key,
1617 const u8 *gtk, size_t gtk_len,
1618 int key_info)
1619 {
1620 struct wpa_gtk_data gd;
1621 const u8 *key_rsc;
1622
1623 /*
1624 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1625 * GTK KDE format:
1626 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1627 * Reserved [bits 0-7]
1628 * GTK
1629 */
1630
1631 os_memset(&gd, 0, sizeof(gd));
1632 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
1633 gtk, gtk_len);
1634
1635 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1636 return -1;
1637
1638 gd.keyidx = gtk[0] & 0x3;
1639 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1640 !!(gtk[0] & BIT(2)));
1641 gtk += 2;
1642 gtk_len -= 2;
1643
1644 os_memcpy(gd.gtk, gtk, gtk_len);
1645 gd.gtk_len = gtk_len;
1646
1647 key_rsc = key->key_rsc;
1648 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1649 key_rsc = null_rsc;
1650
1651 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1652 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1653 gtk_len, gtk_len,
1654 &gd.key_rsc_len, &gd.alg) ||
1655 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
1656 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1657 "RSN: Failed to install GTK");
1658 forced_memzero(&gd, sizeof(gd));
1659 return -1;
1660 }
1661 forced_memzero(&gd, sizeof(gd));
1662
1663 return 0;
1664 }
1665
1666
wpa_supplicant_install_igtk(struct wpa_sm * sm,const struct wpa_igtk_kde * igtk,int wnm_sleep)1667 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
1668 const struct wpa_igtk_kde *igtk,
1669 int wnm_sleep)
1670 {
1671 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1672 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1673
1674 /* Detect possible key reinstallation */
1675 if ((sm->igtk.igtk_len == len &&
1676 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1677 (sm->igtk_wnm_sleep.igtk_len == len &&
1678 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1679 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1680 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1681 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1682 keyidx);
1683 return 0;
1684 }
1685
1686 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1687 "WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1688 keyidx, MAC2STR(igtk->pn));
1689 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1690 if (keyidx > 4095) {
1691 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1692 "WPA: Invalid IGTK KeyID %d", keyidx);
1693 return -1;
1694 }
1695 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1696 broadcast_ether_addr,
1697 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1698 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
1699 if (keyidx == 0x0400 || keyidx == 0x0500) {
1700 /* Assume the AP has broken PMF implementation since it
1701 * seems to have swapped the KeyID bytes. The AP cannot
1702 * be trusted to implement BIP correctly or provide a
1703 * valid IGTK, so do not try to configure this key with
1704 * swapped KeyID bytes. Instead, continue without
1705 * configuring the IGTK so that the driver can drop any
1706 * received group-addressed robust management frames due
1707 * to missing keys.
1708 *
1709 * Normally, this error behavior would result in us
1710 * disconnecting, but there are number of deployed APs
1711 * with this broken behavior, so as an interoperability
1712 * workaround, allow the connection to proceed. */
1713 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1714 "WPA: Ignore IGTK configuration error due to invalid IGTK KeyID byte order");
1715 } else {
1716 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1717 "WPA: Failed to configure IGTK to the driver");
1718 return -1;
1719 }
1720 }
1721
1722 if (wnm_sleep) {
1723 sm->igtk_wnm_sleep.igtk_len = len;
1724 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1725 sm->igtk_wnm_sleep.igtk_len);
1726 } else {
1727 sm->igtk.igtk_len = len;
1728 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1729 }
1730
1731 return 0;
1732 }
1733
1734
wpa_supplicant_install_bigtk(struct wpa_sm * sm,const struct wpa_bigtk_kde * bigtk,int wnm_sleep)1735 static int wpa_supplicant_install_bigtk(struct wpa_sm *sm,
1736 const struct wpa_bigtk_kde *bigtk,
1737 int wnm_sleep)
1738 {
1739 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1740 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1741
1742 /* Detect possible key reinstallation */
1743 if ((sm->bigtk.bigtk_len == len &&
1744 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
1745 sm->bigtk.bigtk_len) == 0) ||
1746 (sm->bigtk_wnm_sleep.bigtk_len == len &&
1747 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1748 sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
1749 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1750 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
1751 keyidx);
1752 return 0;
1753 }
1754
1755 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1756 "WPA: BIGTK keyid %d pn " COMPACT_MACSTR,
1757 keyidx, MAC2STR(bigtk->pn));
1758 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
1759 if (keyidx < 6 || keyidx > 7) {
1760 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1761 "WPA: Invalid BIGTK KeyID %d", keyidx);
1762 return -1;
1763 }
1764 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1765 broadcast_ether_addr,
1766 keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
1767 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
1768 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1769 "WPA: Failed to configure BIGTK to the driver");
1770 return -1;
1771 }
1772
1773 if (wnm_sleep) {
1774 sm->bigtk_wnm_sleep.bigtk_len = len;
1775 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1776 sm->bigtk_wnm_sleep.bigtk_len);
1777 } else {
1778 sm->bigtk.bigtk_len = len;
1779 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
1780 }
1781
1782 return 0;
1783 }
1784
1785
wpa_supplicant_install_mlo_igtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_igtk_kde * igtk,int wnm_sleep)1786 static int wpa_supplicant_install_mlo_igtk(struct wpa_sm *sm, u8 link_id,
1787 const struct rsn_mlo_igtk_kde *igtk,
1788 int wnm_sleep)
1789 {
1790 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1791 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1792
1793 /* Detect possible key reinstallation */
1794 if ((sm->mlo.links[link_id].igtk.igtk_len == len &&
1795 os_memcmp(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1796 sm->mlo.links[link_id].igtk.igtk_len) == 0) ||
1797 (sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len == len &&
1798 os_memcmp(sm->mlo.links[link_id].igtk_wnm_sleep.igtk, igtk->igtk,
1799 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len) == 0)) {
1800 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1801 "RSN: Not reinstalling already in-use IGTK to the driver (link_id=%d keyidx=%d)",
1802 link_id, keyidx);
1803 return 0;
1804 }
1805
1806 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1807 "RSN: MLO Link %u IGTK keyid %d pn " COMPACT_MACSTR,
1808 link_id, keyidx, MAC2STR(igtk->pn));
1809 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: IGTK", igtk->igtk, len);
1810 if (keyidx > 4095) {
1811 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1812 "RSN: Invalid MLO Link %d IGTK KeyID %d", link_id,
1813 keyidx);
1814 return -1;
1815 }
1816 if (wpa_sm_set_key(sm, link_id,
1817 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1818 broadcast_ether_addr, keyidx, 0, igtk->pn,
1819 sizeof(igtk->pn), igtk->igtk, len,
1820 KEY_FLAG_GROUP_RX) < 0) {
1821 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1822 "RSN: Failed to configure MLO Link %d IGTK to the driver",
1823 link_id);
1824 return -1;
1825 }
1826
1827 if (wnm_sleep) {
1828 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len = len;
1829 os_memcpy(sm->mlo.links[link_id].igtk_wnm_sleep.igtk,
1830 igtk->igtk,
1831 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len);
1832 } else {
1833 sm->mlo.links[link_id].igtk.igtk_len = len;
1834 os_memcpy(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1835 sm->mlo.links[link_id].igtk.igtk_len);
1836 }
1837
1838 return 0;
1839 }
1840
1841
1842 static int
wpa_supplicant_install_mlo_bigtk(struct wpa_sm * sm,u8 link_id,const struct rsn_mlo_bigtk_kde * bigtk,int wnm_sleep)1843 wpa_supplicant_install_mlo_bigtk(struct wpa_sm *sm, u8 link_id,
1844 const struct rsn_mlo_bigtk_kde *bigtk,
1845 int wnm_sleep)
1846 {
1847 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1848 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1849
1850 /* Detect possible key reinstallation */
1851 if ((sm->mlo.links[link_id].bigtk.bigtk_len == len &&
1852 os_memcmp(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1853 sm->mlo.links[link_id].bigtk.bigtk_len) == 0) ||
1854 (sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len == len &&
1855 os_memcmp(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1856 bigtk->bigtk,
1857 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len) ==
1858 0)) {
1859 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1860 "RSN: Not reinstalling already in-use BIGTK to the driver (link_id=%d keyidx=%d)",
1861 link_id, keyidx);
1862 return 0;
1863 }
1864
1865 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1866 "RSN: MLO Link %u BIGTK keyid %d pn " COMPACT_MACSTR,
1867 link_id, keyidx, MAC2STR(bigtk->pn));
1868 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: BIGTK", bigtk->bigtk,
1869 len);
1870 if (keyidx < 6 || keyidx > 7) {
1871 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1872 "RSN: Invalid MLO Link %d BIGTK KeyID %d", link_id,
1873 keyidx);
1874 return -1;
1875 }
1876 if (wpa_sm_set_key(sm, link_id,
1877 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1878 broadcast_ether_addr, keyidx, 0, bigtk->pn,
1879 sizeof(bigtk->pn), bigtk->bigtk, len,
1880 KEY_FLAG_GROUP_RX) < 0) {
1881 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1882 "RSN: Failed to configure MLO Link %d BIGTK to the driver",
1883 link_id);
1884 return -1;
1885 }
1886
1887 if (wnm_sleep) {
1888 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len = len;
1889 os_memcpy(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1890 bigtk->bigtk,
1891 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len);
1892 } else {
1893 sm->mlo.links[link_id].bigtk.bigtk_len = len;
1894 os_memcpy(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1895 sm->mlo.links[link_id].bigtk.bigtk_len);
1896 }
1897
1898 return 0;
1899 }
1900
1901
_mlo_ieee80211w_set_keys(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)1902 static int _mlo_ieee80211w_set_keys(struct wpa_sm *sm, u8 link_id,
1903 struct wpa_eapol_ie_parse *ie)
1904 {
1905 size_t len;
1906
1907 if (ie->mlo_igtk[link_id]) {
1908 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1909 if (ie->mlo_igtk_len[link_id] !=
1910 RSN_MLO_IGTK_KDE_PREFIX_LENGTH + len)
1911 return -1;
1912
1913 if (wpa_supplicant_install_mlo_igtk(
1914 sm, link_id,
1915 (const struct rsn_mlo_igtk_kde *)
1916 ie->mlo_igtk[link_id],
1917 0) < 0)
1918 return -1;
1919 }
1920
1921 if (ie->mlo_bigtk[link_id] && sm->beacon_prot) {
1922 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1923 if (ie->mlo_bigtk_len[link_id] !=
1924 RSN_MLO_BIGTK_KDE_PREFIX_LENGTH + len)
1925 return -1;
1926
1927 if (wpa_supplicant_install_mlo_bigtk(
1928 sm, link_id,
1929 (const struct rsn_mlo_bigtk_kde *)
1930 ie->mlo_bigtk[link_id],
1931 0) < 0)
1932 return -1;
1933 }
1934
1935 return 0;
1936 }
1937
1938
mlo_ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1939 static int mlo_ieee80211w_set_keys(struct wpa_sm *sm,
1940 struct wpa_eapol_ie_parse *ie)
1941 {
1942 u8 i;
1943
1944 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1945 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1946 return 0;
1947
1948 for_each_link(sm->mlo.valid_links, i) {
1949 if (_mlo_ieee80211w_set_keys(sm, i, ie))
1950 return -1;
1951 }
1952
1953 return 0;
1954 }
1955
1956
ieee80211w_set_keys(struct wpa_sm * sm,struct wpa_eapol_ie_parse * ie)1957 static int ieee80211w_set_keys(struct wpa_sm *sm,
1958 struct wpa_eapol_ie_parse *ie)
1959 {
1960 size_t len;
1961
1962 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1963 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1964 return 0;
1965
1966 if (ie->igtk) {
1967 const struct wpa_igtk_kde *igtk;
1968
1969 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1970 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1971 return -1;
1972
1973 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1974 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1975 return -1;
1976 }
1977
1978 if (ie->bigtk && sm->beacon_prot) {
1979 const struct wpa_bigtk_kde *bigtk;
1980
1981 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1982 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
1983 return -1;
1984
1985 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
1986 if (wpa_supplicant_install_bigtk(sm, bigtk, 0) < 0)
1987 return -1;
1988 }
1989
1990 return 0;
1991 }
1992
1993
wpa_report_ie_mismatch(struct wpa_sm * sm,const char * reason,const u8 * src_addr,const u8 * wpa_ie,size_t wpa_ie_len,const u8 * rsn_ie,size_t rsn_ie_len)1994 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1995 const char *reason, const u8 *src_addr,
1996 const u8 *wpa_ie, size_t wpa_ie_len,
1997 const u8 *rsn_ie, size_t rsn_ie_len)
1998 {
1999 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
2000 reason, MAC2STR(src_addr));
2001
2002 if (sm->ap_wpa_ie) {
2003 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
2004 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
2005 }
2006 if (wpa_ie) {
2007 if (!sm->ap_wpa_ie) {
2008 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2009 "WPA: No WPA IE in Beacon/ProbeResp");
2010 }
2011 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
2012 wpa_ie, wpa_ie_len);
2013 }
2014
2015 if (sm->ap_rsn_ie) {
2016 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
2017 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
2018 }
2019 if (rsn_ie) {
2020 if (!sm->ap_rsn_ie) {
2021 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2022 "WPA: No RSN IE in Beacon/ProbeResp");
2023 }
2024 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
2025 rsn_ie, rsn_ie_len);
2026 }
2027
2028 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2029 }
2030
2031
2032 #ifdef CONFIG_IEEE80211R
2033
ft_validate_mdie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_mdie)2034 static int ft_validate_mdie(struct wpa_sm *sm,
2035 const unsigned char *src_addr,
2036 struct wpa_eapol_ie_parse *ie,
2037 const u8 *assoc_resp_mdie)
2038 {
2039 struct rsn_mdie *mdie;
2040
2041 mdie = (struct rsn_mdie *) (ie->mdie + 2);
2042 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
2043 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
2044 MOBILITY_DOMAIN_ID_LEN) != 0) {
2045 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
2046 "not match with the current mobility domain");
2047 return -1;
2048 }
2049
2050 if (assoc_resp_mdie &&
2051 (assoc_resp_mdie[1] != ie->mdie[1] ||
2052 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
2053 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
2054 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
2055 ie->mdie, 2 + ie->mdie[1]);
2056 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
2057 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
2058 return -1;
2059 }
2060
2061 return 0;
2062 }
2063
2064
ft_validate_ftie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie,const u8 * assoc_resp_ftie)2065 static int ft_validate_ftie(struct wpa_sm *sm,
2066 const unsigned char *src_addr,
2067 struct wpa_eapol_ie_parse *ie,
2068 const u8 *assoc_resp_ftie)
2069 {
2070 if (ie->ftie == NULL) {
2071 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2072 "FT: No FTIE in EAPOL-Key msg 3/4");
2073 return -1;
2074 }
2075
2076 if (assoc_resp_ftie == NULL)
2077 return 0;
2078
2079 if (assoc_resp_ftie[1] != ie->ftie[1] ||
2080 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
2081 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
2082 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
2083 ie->ftie, 2 + ie->ftie[1]);
2084 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
2085 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
2086 return -1;
2087 }
2088
2089 return 0;
2090 }
2091
2092
ft_validate_rsnie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2093 static int ft_validate_rsnie(struct wpa_sm *sm,
2094 const unsigned char *src_addr,
2095 struct wpa_eapol_ie_parse *ie)
2096 {
2097 struct wpa_ie_data rsn;
2098
2099 if (!ie->rsn_ie)
2100 return 0;
2101
2102 /*
2103 * Verify that PMKR1Name from EAPOL-Key message 3/4
2104 * matches with the value we derived.
2105 */
2106 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
2107 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
2108 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
2109 "FT 4-way handshake message 3/4");
2110 return -1;
2111 }
2112
2113 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
2114 {
2115 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2116 "FT: PMKR1Name mismatch in "
2117 "FT 4-way handshake message 3/4");
2118 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
2119 rsn.pmkid, WPA_PMK_NAME_LEN);
2120 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2121 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2122 return -1;
2123 }
2124
2125 return 0;
2126 }
2127
2128
wpa_supplicant_validate_ie_ft(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2129 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
2130 const unsigned char *src_addr,
2131 struct wpa_eapol_ie_parse *ie)
2132 {
2133 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
2134
2135 if (sm->assoc_resp_ies) {
2136 pos = sm->assoc_resp_ies;
2137 end = pos + sm->assoc_resp_ies_len;
2138 while (end - pos > 2) {
2139 if (2 + pos[1] > end - pos)
2140 break;
2141 switch (*pos) {
2142 case WLAN_EID_MOBILITY_DOMAIN:
2143 mdie = pos;
2144 break;
2145 case WLAN_EID_FAST_BSS_TRANSITION:
2146 ftie = pos;
2147 break;
2148 }
2149 pos += 2 + pos[1];
2150 }
2151 }
2152
2153 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
2154 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
2155 ft_validate_rsnie(sm, src_addr, ie) < 0)
2156 return -1;
2157
2158 return 0;
2159 }
2160
2161 #endif /* CONFIG_IEEE80211R */
2162
2163
wpa_supplicant_validate_ie(struct wpa_sm * sm,const unsigned char * src_addr,struct wpa_eapol_ie_parse * ie)2164 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
2165 const unsigned char *src_addr,
2166 struct wpa_eapol_ie_parse *ie)
2167 {
2168 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
2169 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2170 "WPA: No WPA/RSN IE for this AP known. "
2171 "Trying to get from scan results");
2172 if (wpa_sm_get_beacon_ie(sm) < 0) {
2173 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2174 "WPA: Could not find AP from "
2175 "the scan results");
2176 return -1;
2177 }
2178 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
2179 "WPA: Found the current AP from updated scan results");
2180 }
2181
2182 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
2183 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
2184 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2185 "with IE in Beacon/ProbeResp (no IE?)",
2186 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2187 ie->rsn_ie, ie->rsn_ie_len);
2188 return -1;
2189 }
2190
2191 if ((ie->wpa_ie && sm->ap_wpa_ie &&
2192 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
2193 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
2194 (ie->rsn_ie && sm->ap_rsn_ie &&
2195 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2196 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
2197 ie->rsn_ie, ie->rsn_ie_len))) {
2198 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
2199 "with IE in Beacon/ProbeResp",
2200 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2201 ie->rsn_ie, ie->rsn_ie_len);
2202 return -1;
2203 }
2204
2205 if (sm->proto == WPA_PROTO_WPA &&
2206 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
2207 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
2208 "detected - RSN was enabled and RSN IE "
2209 "was in msg 3/4, but not in "
2210 "Beacon/ProbeResp",
2211 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2212 ie->rsn_ie, ie->rsn_ie_len);
2213 return -1;
2214 }
2215
2216 if (sm->proto == WPA_PROTO_RSN &&
2217 ((sm->ap_rsnxe && !ie->rsnxe) ||
2218 (!sm->ap_rsnxe && ie->rsnxe) ||
2219 (sm->ap_rsnxe && ie->rsnxe &&
2220 (sm->ap_rsnxe_len != ie->rsnxe_len ||
2221 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
2222 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2223 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2224 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2225 sm->ap_rsnxe, sm->ap_rsnxe_len);
2226 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2227 ie->rsnxe, ie->rsnxe_len);
2228 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2229 return -1;
2230 }
2231
2232 if (sm->proto == WPA_PROTO_RSN && wpa_sm_rsn_overriding_supported(sm)) {
2233 if ((sm->ap_rsne_override && !ie->rsne_override) ||
2234 (!sm->ap_rsne_override && ie->rsne_override) ||
2235 (sm->ap_rsne_override && ie->rsne_override &&
2236 (sm->ap_rsne_override_len != ie->rsne_override_len ||
2237 os_memcmp(sm->ap_rsne_override, ie->rsne_override,
2238 sm->ap_rsne_override_len) != 0))) {
2239 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2240 "RSN: RSNE Override element mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2241 wpa_hexdump(MSG_INFO,
2242 "RSNE Override element in Beacon/ProbeResp",
2243 sm->ap_rsne_override,
2244 sm->ap_rsne_override_len);
2245 wpa_hexdump(MSG_INFO,
2246 "RSNE Override element in EAPOL-Key msg 3/4",
2247 ie->rsne_override, ie->rsne_override_len);
2248 wpa_sm_deauthenticate(sm,
2249 WLAN_REASON_IE_IN_4WAY_DIFFERS);
2250 return -1;
2251 }
2252
2253 if ((sm->ap_rsne_override_2 && !ie->rsne_override_2) ||
2254 (!sm->ap_rsne_override_2 && ie->rsne_override_2) ||
2255 (sm->ap_rsne_override_2 && ie->rsne_override_2 &&
2256 (sm->ap_rsne_override_2_len != ie->rsne_override_2_len ||
2257 os_memcmp(sm->ap_rsne_override_2, ie->rsne_override_2,
2258 sm->ap_rsne_override_2_len) != 0))) {
2259 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2260 "RSN: RSNE Override 2 element mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2261 wpa_hexdump(MSG_INFO,
2262 "RSNE Override 2 element in Beacon/ProbeResp",
2263 sm->ap_rsne_override_2,
2264 sm->ap_rsne_override_2_len);
2265 wpa_hexdump(MSG_INFO,
2266 "RSNE Override 2 element in EAPOL-Key msg 3/4",
2267 ie->rsne_override_2, ie->rsne_override_2_len);
2268 wpa_sm_deauthenticate(sm,
2269 WLAN_REASON_IE_IN_4WAY_DIFFERS);
2270 return -1;
2271 }
2272
2273 if ((sm->ap_rsnxe_override && !ie->rsnxe_override) ||
2274 (!sm->ap_rsnxe_override && ie->rsnxe_override) ||
2275 (sm->ap_rsnxe_override && ie->rsnxe_override &&
2276 (sm->ap_rsnxe_override_len != ie->rsnxe_override_len ||
2277 os_memcmp(sm->ap_rsnxe_override, ie->rsnxe_override,
2278 sm->ap_rsnxe_override_len) != 0))) {
2279 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2280 "RSN: RSNXE Override element mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2281 wpa_hexdump(MSG_INFO,
2282 "RSNXE Override element in Beacon/ProbeResp",
2283 sm->ap_rsnxe_override,
2284 sm->ap_rsnxe_override_len);
2285 wpa_hexdump(MSG_INFO,
2286 "RSNXE Override element in EAPOL-Key msg 3/4",
2287 ie->rsnxe_override, ie->rsnxe_override_len);
2288 wpa_sm_deauthenticate(sm,
2289 WLAN_REASON_IE_IN_4WAY_DIFFERS);
2290 return -1;
2291 }
2292 }
2293
2294 #ifdef CONFIG_IEEE80211R
2295 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
2296 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
2297 return -1;
2298 #endif /* CONFIG_IEEE80211R */
2299
2300 return 0;
2301 }
2302
2303
2304 /**
2305 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
2306 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2307 * @dst: Destination address for the frame
2308 * @key: Pointer to the EAPOL-Key frame header
2309 * @ver: Version bits from EAPOL-Key Key Info
2310 * @key_info: Key Info
2311 * @ptk: PTK to use for keyed hash and encryption
2312 * Returns: >= 0 on success, < 0 on failure
2313 */
wpa_supplicant_send_4_of_4(struct wpa_sm * sm,const unsigned char * dst,const struct wpa_eapol_key * key,u16 ver,u16 key_info,struct wpa_ptk * ptk)2314 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
2315 const struct wpa_eapol_key *key,
2316 u16 ver, u16 key_info,
2317 struct wpa_ptk *ptk)
2318 {
2319 size_t mic_len, hdrlen, rlen;
2320 struct wpa_eapol_key *reply;
2321 u8 *rbuf, *key_mic;
2322 u8 *kde = NULL;
2323 size_t kde_len = 0, extra_len = 0;
2324 #ifdef CONFIG_TESTING_OPTIONS
2325 size_t pad_len = 0;
2326 #endif /* CONFIG_TESTING_OPTIONS */
2327
2328 if (sm->mlo.valid_links) {
2329 u8 *pos;
2330
2331 kde = os_malloc(RSN_SELECTOR_LEN + ETH_ALEN + 2);
2332 if (!kde)
2333 return -1;
2334
2335 /* Add MAC KDE */
2336 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 4/4");
2337 pos = kde;
2338 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
2339 ETH_ALEN);
2340 kde_len = pos - kde;
2341 }
2342
2343 #ifdef CONFIG_TESTING_OPTIONS
2344 if (sm->test_eapol_m4_elems)
2345 extra_len = wpabuf_len(sm->test_eapol_m4_elems);
2346 if (sm->encrypt_eapol_m4) {
2347 pad_len = (kde_len + extra_len) % 8;
2348 if (pad_len)
2349 pad_len = 8 - pad_len;
2350 extra_len += pad_len + 8;
2351 }
2352 #endif /* CONFIG_TESTING_OPTIONS */
2353
2354 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2355 hdrlen = sizeof(*reply) + mic_len + 2;
2356 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
2357 hdrlen + kde_len + extra_len, &rlen,
2358 (void *) &reply);
2359 if (!rbuf) {
2360 os_free(kde);
2361 return -1;
2362 }
2363
2364 reply->type = (sm->proto == WPA_PROTO_RSN ||
2365 sm->proto == WPA_PROTO_OSEN) ?
2366 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
2367 key_info &= WPA_KEY_INFO_SECURE;
2368 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
2369 if (mic_len)
2370 key_info |= WPA_KEY_INFO_MIC;
2371 else
2372 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2373 #ifdef CONFIG_TESTING_OPTIONS
2374 if (sm->encrypt_eapol_m4)
2375 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
2376 #endif /* CONFIG_TESTING_OPTIONS */
2377 WPA_PUT_BE16(reply->key_info, key_info);
2378 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2379 WPA_PUT_BE16(reply->key_length, 0);
2380 else
2381 os_memcpy(reply->key_length, key->key_length, 2);
2382 os_memcpy(reply->replay_counter, key->replay_counter,
2383 WPA_REPLAY_COUNTER_LEN);
2384
2385 key_mic = (u8 *) (reply + 1);
2386 /* Key Data length */
2387 WPA_PUT_BE16(key_mic + mic_len, kde_len + extra_len);
2388 if (kde) {
2389 os_memcpy(key_mic + mic_len + 2, kde, kde_len); /* Key Data */
2390 os_free(kde);
2391 }
2392
2393 #ifdef CONFIG_TESTING_OPTIONS
2394 if (sm->test_eapol_m4_elems) {
2395 os_memcpy(key_mic + mic_len + 2 + kde_len,
2396 wpabuf_head(sm->test_eapol_m4_elems),
2397 wpabuf_len(sm->test_eapol_m4_elems));
2398 }
2399
2400 if (sm->encrypt_eapol_m4) {
2401 u8 *plain;
2402 size_t plain_len;
2403
2404 if (sm->test_eapol_m4_elems)
2405 extra_len = wpabuf_len(sm->test_eapol_m4_elems);
2406 else
2407 extra_len = 0;
2408 plain_len = kde_len + extra_len + pad_len;
2409 plain = os_memdup(key_mic + mic_len + 2, plain_len);
2410 if (!plain) {
2411 os_free(rbuf);
2412 return -1;
2413 }
2414 if (pad_len)
2415 plain[plain_len - pad_len] = 0xdd;
2416
2417 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
2418 ptk->kek, ptk->kek_len);
2419 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain,
2420 key_mic + mic_len + 2)) {
2421 os_free(plain);
2422 os_free(rbuf);
2423 return -1;
2424 }
2425 wpa_hexdump(MSG_DEBUG,
2426 "RSN: Encrypted Key Data from AES-WRAP",
2427 key_mic + mic_len + 2, plain_len + 8);
2428 os_free(plain);
2429 }
2430 #endif /* CONFIG_TESTING_OPTIONS */
2431
2432 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Sending EAPOL-Key 4/4");
2433 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
2434 key_mic);
2435 }
2436
2437
wpa_supplicant_validate_link_kde(struct wpa_sm * sm,u8 link_id,const u8 * link_kde,size_t link_kde_len,const u8 * rsn_override_link_kde,size_t rsn_override_link_kde_len)2438 static int wpa_supplicant_validate_link_kde(struct wpa_sm *sm, u8 link_id,
2439 const u8 *link_kde,
2440 size_t link_kde_len,
2441 const u8 *rsn_override_link_kde,
2442 size_t rsn_override_link_kde_len)
2443 {
2444 size_t rsne_len = 0, rsnxe_len = 0, rsnoe_len = 0, rsno2e_len = 0,
2445 rsnxoe_len = 0;
2446 const u8 *rsne = NULL, *rsnxe = NULL, *rsnoe = NULL, *rsno2e = NULL,
2447 *rsnxoe = NULL;
2448
2449 if (!link_kde ||
2450 link_kde_len < RSN_MLO_LINK_KDE_LINK_MAC_INDEX + ETH_ALEN) {
2451 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2452 "RSN: MLO Link KDE is not found for link ID %d",
2453 link_id);
2454 return -1;
2455 }
2456
2457 if (!ether_addr_equal(sm->mlo.links[link_id].bssid,
2458 &link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX])) {
2459 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2460 "RSN: MLO Link %u MAC address (" MACSTR
2461 ") not matching association response (" MACSTR ")",
2462 link_id,
2463 MAC2STR(&link_kde[RSN_MLO_LINK_KDE_LINK_MAC_INDEX]),
2464 MAC2STR(sm->mlo.links[link_id].bssid));
2465 return -1;
2466 }
2467
2468 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNE_INFO) {
2469 rsne = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH;
2470 if (link_kde_len < RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 ||
2471 link_kde_len <
2472 (size_t) (RSN_MLO_LINK_KDE_FIXED_LENGTH + 2 + rsne[1])) {
2473 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2474 "RSN: No room for link %u RSNE in MLO Link KDE",
2475 link_id);
2476 return -1;
2477 }
2478
2479 rsne_len = rsne[1] + 2;
2480 }
2481
2482 if (!rsne) {
2483 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2484 "RSN: RSNE not present in MLO Link %u KDE", link_id);
2485 return -1;
2486 }
2487
2488 if (link_kde[0] & RSN_MLO_LINK_KDE_LI_RSNXE_INFO) {
2489 rsnxe = link_kde + RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len;
2490 if (link_kde_len <
2491 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2) ||
2492 link_kde_len <
2493 (RSN_MLO_LINK_KDE_FIXED_LENGTH + rsne_len + 2 + rsnxe[1])) {
2494 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2495 "RSN: No room for link %u RSNXE in MLO Link KDE",
2496 link_id);
2497 return -1;
2498 }
2499
2500 rsnxe_len = rsnxe[1] + 2;
2501 }
2502
2503 if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2504 sm->mlo.links[link_id].ap_rsne,
2505 sm->mlo.links[link_id].ap_rsne_len,
2506 rsne, rsne_len)) {
2507 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2508 "RSN MLO: RSNE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2509 link_id);
2510 wpa_hexdump(MSG_INFO, "RSNE in Beacon/ProbeResp",
2511 sm->mlo.links[link_id].ap_rsne,
2512 sm->mlo.links[link_id].ap_rsne_len);
2513 wpa_hexdump(MSG_INFO, "RSNE in EAPOL-Key msg 3/4",
2514 rsne, rsne_len);
2515 goto fail;
2516 }
2517
2518 if ((sm->mlo.links[link_id].ap_rsnxe && !rsnxe) ||
2519 (!sm->mlo.links[link_id].ap_rsnxe && rsnxe) ||
2520 (sm->mlo.links[link_id].ap_rsnxe && rsnxe &&
2521 (sm->mlo.links[link_id].ap_rsnxe_len != rsnxe_len ||
2522 os_memcmp(sm->mlo.links[link_id].ap_rsnxe, rsnxe,
2523 sm->mlo.links[link_id].ap_rsnxe_len) != 0))) {
2524 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2525 "RSN MLO: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
2526 link_id);
2527 wpa_hexdump(MSG_INFO, "RSNXE in Beacon/ProbeResp",
2528 sm->mlo.links[link_id].ap_rsnxe,
2529 sm->mlo.links[link_id].ap_rsnxe_len);
2530 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2531 rsnxe, rsnxe_len);
2532 goto fail;
2533 }
2534
2535 if (!wpa_sm_rsn_overriding_supported(sm))
2536 return 0;
2537
2538 if (rsn_override_link_kde) {
2539 rsnoe = get_vendor_ie(rsn_override_link_kde + 1,
2540 rsn_override_link_kde_len - 1,
2541 RSNE_OVERRIDE_IE_VENDOR_TYPE);
2542 if (rsnoe)
2543 rsnoe_len = 2 + rsnoe[1];
2544
2545 rsno2e = get_vendor_ie(rsn_override_link_kde + 1,
2546 rsn_override_link_kde_len - 1,
2547 RSNE_OVERRIDE_2_IE_VENDOR_TYPE);
2548 if (rsno2e)
2549 rsno2e_len = 2 + rsno2e[1];
2550
2551 rsnxoe = get_vendor_ie(rsn_override_link_kde + 1,
2552 rsn_override_link_kde_len - 1,
2553 RSNXE_OVERRIDE_IE_VENDOR_TYPE);
2554 if (rsnxoe)
2555 rsnxoe_len = 2 + rsnxoe[1];
2556 }
2557
2558 if ((sm->mlo.links[link_id].ap_rsnoe && !rsnoe) ||
2559 (!sm->mlo.links[link_id].ap_rsnoe && rsnoe) ||
2560 (sm->mlo.links[link_id].ap_rsnoe && rsnoe &&
2561 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2562 sm->mlo.links[link_id].ap_rsnoe,
2563 sm->mlo.links[link_id].ap_rsnoe_len,
2564 rsnoe, rsnoe_len))) {
2565 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2566 "RSN MLO: RSNOE in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2567 link_id);
2568 wpa_hexdump(MSG_INFO, "RSNOE in Beacon/ProbeResp",
2569 sm->mlo.links[link_id].ap_rsnoe,
2570 sm->mlo.links[link_id].ap_rsnoe_len);
2571 wpa_hexdump(MSG_INFO, "RSNOE in EAPOL-Key msg 3/4",
2572 rsnoe, rsnoe_len);
2573 goto fail;
2574 }
2575
2576 if ((sm->mlo.links[link_id].ap_rsno2e && !rsno2e) ||
2577 (!sm->mlo.links[link_id].ap_rsno2e && rsno2e) ||
2578 (sm->mlo.links[link_id].ap_rsno2e && rsno2e &&
2579 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2580 sm->mlo.links[link_id].ap_rsno2e,
2581 sm->mlo.links[link_id].ap_rsno2e_len,
2582 rsno2e, rsno2e_len))) {
2583 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2584 "RSN MLO: RSNO2E in 3/4 msg does not match with IE in Beacon/ProbeResp for link ID %u",
2585 link_id);
2586 wpa_hexdump(MSG_INFO, "RSNO2E in Beacon/ProbeResp",
2587 sm->mlo.links[link_id].ap_rsno2e,
2588 sm->mlo.links[link_id].ap_rsno2e_len);
2589 wpa_hexdump(MSG_INFO, "RSNOE in EAPOL-Key msg 3/4",
2590 rsno2e, rsno2e_len);
2591 goto fail;
2592 }
2593
2594 if ((sm->mlo.links[link_id].ap_rsnxoe && !rsnxoe) ||
2595 (!sm->mlo.links[link_id].ap_rsnxoe && rsnxoe) ||
2596 (sm->mlo.links[link_id].ap_rsnxoe && rsnxoe &&
2597 (sm->mlo.links[link_id].ap_rsnxoe_len != rsnxoe_len ||
2598 os_memcmp(sm->mlo.links[link_id].ap_rsnxoe, rsnxoe,
2599 sm->mlo.links[link_id].ap_rsnxoe_len) != 0))) {
2600 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2601 "RSN MLO: RSNXOE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
2602 link_id);
2603 wpa_hexdump(MSG_INFO, "RSNXOE in Beacon/ProbeResp",
2604 sm->mlo.links[link_id].ap_rsnxoe,
2605 sm->mlo.links[link_id].ap_rsnxoe_len);
2606 wpa_hexdump(MSG_INFO, "RSNXOE in EAPOL-Key msg 3/4",
2607 rsnxoe, rsnxoe_len);
2608 goto fail;
2609 }
2610
2611 return 0;
2612 fail:
2613 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
2614 return -1;
2615 }
2616
2617
wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm * sm,u8 link_id,struct wpa_eapol_ie_parse * ie)2618 static int wpa_validate_mlo_ieee80211w_kdes(struct wpa_sm *sm,
2619 u8 link_id,
2620 struct wpa_eapol_ie_parse *ie)
2621 {
2622 if (ie->mlo_igtk[link_id] &&
2623 ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
2624 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2625 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2626 "RSN MLO: Invalid IGTK KDE length %lu for link ID %u",
2627 (unsigned long) ie->mlo_igtk_len[link_id], link_id);
2628 return -1;
2629 }
2630
2631 if (!sm->beacon_prot)
2632 return 0;
2633
2634 if (ie->mlo_bigtk[link_id] &&
2635 ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
2636 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2637 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2638 "RSN MLO: Invalid BIGTK KDE length %lu for link ID %u",
2639 (unsigned long) ie->mlo_bigtk_len[link_id], link_id);
2640 return -1;
2641 }
2642
2643 return 0;
2644 }
2645
2646
wpa_supplicant_process_3_of_4_wpa(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2647 static void wpa_supplicant_process_3_of_4_wpa(struct wpa_sm *sm,
2648 const struct wpa_eapol_key *key,
2649 u16 ver, const u8 *key_data,
2650 size_t key_data_len)
2651 {
2652 u16 key_info, keylen;
2653 struct wpa_eapol_ie_parse ie;
2654
2655 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2656 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2657 "WPA: RX message 3 of 4-Way Handshake from " MACSTR
2658 " (ver=%d)", MAC2STR(sm->bssid), ver);
2659
2660 key_info = WPA_GET_BE16(key->key_info);
2661
2662 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2663 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2664 goto failed;
2665
2666 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2667 goto failed;
2668
2669 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2670 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2671 "WPA: ANonce from message 1 of 4-Way Handshake differs from 3 of 4-Way Handshake - drop packet (src="
2672 MACSTR ")", MAC2STR(sm->bssid));
2673 goto failed;
2674 }
2675
2676 keylen = WPA_GET_BE16(key->key_length);
2677 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2678 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2679 "WPA: Invalid %s key length %d (src=" MACSTR ")",
2680 wpa_cipher_txt(sm->pairwise_cipher), keylen,
2681 MAC2STR(sm->bssid));
2682 goto failed;
2683 }
2684
2685 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2686 key_info, &sm->ptk) < 0)
2687 goto failed;
2688
2689 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2690 * for the next 4-Way Handshake. If msg 3 is received again, the old
2691 * SNonce will still be used to avoid changing PTK. */
2692 sm->renew_snonce = 1;
2693
2694 if ((key_info & WPA_KEY_INFO_INSTALL) &&
2695 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX_TX))
2696 goto failed;
2697
2698 if (key_info & WPA_KEY_INFO_SECURE) {
2699 wpa_sm_mlme_setprotection(
2700 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2701 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2702 eapol_sm_notify_portValid(sm->eapol, true);
2703 }
2704 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2705
2706 sm->msg_3_of_4_ok = 1;
2707 return;
2708
2709 failed:
2710 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2711 }
2712
2713
wpa_supplicant_process_3_of_4(struct wpa_sm * sm,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)2714 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
2715 const struct wpa_eapol_key *key,
2716 u16 ver, const u8 *key_data,
2717 size_t key_data_len)
2718 {
2719 u16 key_info, keylen;
2720 struct wpa_eapol_ie_parse ie;
2721 bool mlo = sm->mlo.valid_links;
2722 int i;
2723
2724 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
2725 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
2726 "RSN: RX message 3 of 4-Way Handshake from " MACSTR
2727 " (ver=%d)%s", MAC2STR(sm->bssid), ver, mlo ? " (MLO)" : "");
2728
2729 key_info = WPA_GET_BE16(key->key_info);
2730
2731 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
2732 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
2733 goto failed;
2734
2735 if (sm->ssid_protection) {
2736 if (!ie.ssid) {
2737 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2738 "RSN: No SSID included in EAPOL-Key msg 3/4");
2739 goto failed;
2740 }
2741
2742 if (ie.ssid_len != sm->ssid_len ||
2743 os_memcmp(ie.ssid, sm->ssid, sm->ssid_len) != 0) {
2744 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2745 "RSN: SSID mismatch in EAPOL-Key msg 3/4");
2746 wpa_hexdump_ascii(MSG_DEBUG, "RSN: Received SSID",
2747 ie.ssid, ie.ssid_len);
2748 wpa_hexdump_ascii(MSG_DEBUG, "RSN: Expected SSID",
2749 sm->ssid, sm->ssid_len);
2750 goto failed;
2751 }
2752
2753 wpa_sm_ssid_verified(sm);
2754 }
2755
2756 if (mlo && !ie.valid_mlo_gtks) {
2757 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2758 "MLO RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2759 goto failed;
2760 }
2761 if (mlo &&
2762 (key_info &
2763 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2764 WPA_KEY_INFO_SECURE)) !=
2765 (WPA_KEY_INFO_ENCR_KEY_DATA | WPA_KEY_INFO_INSTALL |
2766 WPA_KEY_INFO_SECURE)) {
2767 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2768 "RSN MLO: Invalid key info (0x%x) in EAPOL-Key msg 3/4",
2769 key_info);
2770 goto failed;
2771 }
2772
2773 if (mlo && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
2774 wpa_printf(MSG_DEBUG, "RSN: Invalid AP MLD MAC address KDE");
2775 goto failed;
2776 }
2777
2778 for (i = 0; mlo && i < MAX_NUM_MLD_LINKS; i++) {
2779 if (!(sm->mlo.req_links & BIT(i)))
2780 continue;
2781
2782 if (wpa_supplicant_validate_link_kde(
2783 sm, i, ie.mlo_link[i], ie.mlo_link_len[i],
2784 ie.rsn_override_link[i],
2785 ie.rsn_override_link_len[i]) < 0)
2786 goto failed;
2787
2788 if (!(sm->mlo.valid_links & BIT(i)))
2789 continue;
2790
2791 if (!ie.mlo_gtk[i]) {
2792 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2793 "RSN: GTK not found for link ID %u", i);
2794 goto failed;
2795 }
2796
2797 if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2798 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2799 wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0)
2800 goto failed;
2801 }
2802
2803 #ifdef CONFIG_IEEE80211R
2804 if (mlo && wpa_key_mgmt_ft(sm->key_mgmt) &&
2805 wpa_supplicant_validate_ie_ft(sm, sm->bssid, &ie) < 0)
2806 goto failed;
2807 #endif /* CONFIG_IEEE80211R */
2808
2809 if (!mlo && ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2810 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2811 "WPA: GTK IE in unencrypted key data");
2812 goto failed;
2813 }
2814 if (!mlo && ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2815 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2816 "WPA: IGTK KDE in unencrypted key data");
2817 goto failed;
2818 }
2819
2820 if (!mlo && ie.igtk &&
2821 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2822 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2823 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
2824 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2825 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2826 "WPA: Invalid IGTK KDE length %lu",
2827 (unsigned long) ie.igtk_len);
2828 goto failed;
2829 }
2830
2831 if (!mlo && wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2832 goto failed;
2833
2834 if (wpa_handle_ext_key_id(sm, &ie))
2835 goto failed;
2836
2837 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2838 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2839 "WPA: ANonce from message 1 of 4-Way Handshake "
2840 "differs from 3 of 4-Way Handshake - drop packet (src="
2841 MACSTR ")", MAC2STR(sm->bssid));
2842 goto failed;
2843 }
2844
2845 keylen = WPA_GET_BE16(key->key_length);
2846 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2847 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2848 "WPA: Invalid %s key length %d (src=" MACSTR
2849 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
2850 MAC2STR(sm->bssid));
2851 goto failed;
2852 }
2853
2854 #ifdef CONFIG_P2P
2855 if (ie.ip_addr_alloc) {
2856 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
2857 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
2858 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
2859 }
2860 #endif /* CONFIG_P2P */
2861
2862 #ifdef CONFIG_OCV
2863 if (wpa_sm_ocv_enabled(sm)) {
2864 struct wpa_channel_info ci;
2865
2866 if (wpa_sm_channel_info(sm, &ci) != 0) {
2867 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2868 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
2869 return;
2870 }
2871
2872 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
2873 channel_width_to_int(ci.chanwidth),
2874 ci.seg1_idx) != OCI_SUCCESS) {
2875 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
2876 "addr=" MACSTR " frame=eapol-key-m3 error=%s",
2877 MAC2STR(sm->bssid), ocv_errorstr);
2878 return;
2879 }
2880 }
2881 #endif /* CONFIG_OCV */
2882
2883 #ifdef CONFIG_DPP2
2884 if (DPP_VERSION > 1 && ie.dpp_kde) {
2885 wpa_printf(MSG_DEBUG,
2886 "DPP: peer Protocol Version %u Flags 0x%x",
2887 ie.dpp_kde[0], ie.dpp_kde[1]);
2888 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
2889 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
2890 wpa_printf(MSG_INFO,
2891 "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
2892 goto failed;
2893 }
2894 }
2895 #endif /* CONFIG_DPP2 */
2896
2897 if (sm->use_ext_key_id &&
2898 wpa_supplicant_install_ptk(sm, key, KEY_FLAG_RX))
2899 goto failed;
2900
2901 if (wpa_supplicant_send_4_of_4(sm, wpa_sm_get_auth_addr(sm), key, ver,
2902 key_info, &sm->ptk) < 0)
2903 goto failed;
2904
2905 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
2906 * for the next 4-Way Handshake. If msg 3 is received again, the old
2907 * SNonce will still be used to avoid changing PTK. */
2908 sm->renew_snonce = 1;
2909
2910 if (key_info & WPA_KEY_INFO_INSTALL) {
2911 int res;
2912
2913 if (sm->use_ext_key_id)
2914 res = wpa_supplicant_activate_ptk(sm);
2915 else
2916 res = wpa_supplicant_install_ptk(sm, key,
2917 KEY_FLAG_RX_TX);
2918 if (res)
2919 goto failed;
2920 }
2921
2922 if (key_info & WPA_KEY_INFO_SECURE) {
2923 wpa_sm_mlme_setprotection(
2924 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2925 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
2926 eapol_sm_notify_portValid(sm->eapol, true);
2927 }
2928 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
2929
2930 if (mlo) {
2931 if (wpa_supplicant_pairwise_mlo_gtk(sm, key, &ie,
2932 key_info) < 0) {
2933 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2934 "MLO RSN: Failed to configure MLO GTKs");
2935 goto failed;
2936 }
2937 } else if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
2938 /* No GTK to be set to the driver */
2939 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
2940 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2941 "RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2942 goto failed;
2943 } else if (ie.gtk &&
2944 wpa_supplicant_pairwise_gtk(sm, key,
2945 ie.gtk, ie.gtk_len, key_info) < 0) {
2946 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2947 "RSN: Failed to configure GTK");
2948 goto failed;
2949 }
2950
2951 if ((mlo && mlo_ieee80211w_set_keys(sm, &ie) < 0) ||
2952 (!mlo && ieee80211w_set_keys(sm, &ie) < 0)) {
2953 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2954 "RSN: Failed to configure IGTK");
2955 goto failed;
2956 }
2957
2958 if (mlo || sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
2959 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2960 key_info & WPA_KEY_INFO_SECURE);
2961
2962 if (mlo || ie.gtk)
2963 wpa_sm_set_rekey_offload(sm);
2964
2965 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
2966 * calculated only after KCK has been derived. Though, do not replace an
2967 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
2968 * to avoid unnecessary changes of PMKID while continuing to use the
2969 * same PMK. */
2970 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
2971 !sm->cur_pmksa) {
2972 struct rsn_pmksa_cache_entry *sa;
2973
2974 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
2975 sm->ptk.kck, sm->ptk.kck_len,
2976 wpa_sm_get_auth_addr(sm), sm->own_addr,
2977 sm->network_ctx, sm->key_mgmt, NULL);
2978 if (!sm->cur_pmksa)
2979 sm->cur_pmksa = sa;
2980 }
2981
2982 if (ie.transition_disable)
2983 wpa_sm_transition_disable(sm, ie.transition_disable[0]);
2984 sm->msg_3_of_4_ok = 1;
2985 return;
2986
2987 failed:
2988 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2989 }
2990
2991
wpa_supplicant_send_2_of_2(struct wpa_sm * sm,const struct wpa_eapol_key * key,int ver,u16 key_info)2992 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
2993 const struct wpa_eapol_key *key,
2994 int ver, u16 key_info)
2995 {
2996 size_t mic_len, hdrlen, rlen;
2997 struct wpa_eapol_key *reply;
2998 u8 *rbuf, *key_mic;
2999 size_t kde_len = 0;
3000
3001 #ifdef CONFIG_TESTING_OPTIONS
3002 if (sm->disable_eapol_g2_tx) {
3003 wpa_printf(MSG_INFO, "TEST: Disable sending EAPOL-Key 2/2");
3004 return 0;
3005 }
3006 #endif /* CONFIG_TESTING_OPTIONS */
3007
3008 #ifdef CONFIG_OCV
3009 if (wpa_sm_ocv_enabled(sm))
3010 kde_len = OCV_OCI_KDE_LEN;
3011 #endif /* CONFIG_OCV */
3012
3013 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
3014 hdrlen = sizeof(*reply) + mic_len + 2;
3015 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
3016 hdrlen + kde_len, &rlen, (void *) &reply);
3017 if (rbuf == NULL)
3018 return -1;
3019
3020 reply->type = (sm->proto == WPA_PROTO_RSN ||
3021 sm->proto == WPA_PROTO_OSEN) ?
3022 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
3023 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
3024 key_info |= ver | WPA_KEY_INFO_SECURE;
3025 if (mic_len)
3026 key_info |= WPA_KEY_INFO_MIC;
3027 else
3028 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
3029 WPA_PUT_BE16(reply->key_info, key_info);
3030 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
3031 WPA_PUT_BE16(reply->key_length, 0);
3032 else
3033 os_memcpy(reply->key_length, key->key_length, 2);
3034 os_memcpy(reply->replay_counter, key->replay_counter,
3035 WPA_REPLAY_COUNTER_LEN);
3036
3037 key_mic = (u8 *) (reply + 1);
3038 WPA_PUT_BE16(key_mic + mic_len, kde_len); /* Key Data Length */
3039
3040 #ifdef CONFIG_OCV
3041 if (wpa_sm_ocv_enabled(sm)) {
3042 struct wpa_channel_info ci;
3043 u8 *pos;
3044
3045 if (wpa_sm_channel_info(sm, &ci) != 0) {
3046 wpa_printf(MSG_WARNING,
3047 "Failed to get channel info for OCI element in EAPOL-Key 2/2");
3048 os_free(rbuf);
3049 return -1;
3050 }
3051 #ifdef CONFIG_TESTING_OPTIONS
3052 if (sm->oci_freq_override_eapol_g2) {
3053 wpa_printf(MSG_INFO,
3054 "TEST: Override OCI KDE frequency %d -> %d MHz",
3055 ci.frequency,
3056 sm->oci_freq_override_eapol_g2);
3057 ci.frequency = sm->oci_freq_override_eapol_g2;
3058 }
3059 #endif /* CONFIG_TESTING_OPTIONS */
3060
3061 pos = key_mic + mic_len + 2; /* Key Data */
3062 if (ocv_insert_oci_kde(&ci, &pos) < 0) {
3063 os_free(rbuf);
3064 return -1;
3065 }
3066 }
3067 #endif /* CONFIG_OCV */
3068
3069 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
3070 return wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
3071 ETH_P_EAPOL, rbuf, rlen, key_mic);
3072 }
3073
3074
wpa_supplicant_process_mlo_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3075 static void wpa_supplicant_process_mlo_1_of_2(struct wpa_sm *sm,
3076 const unsigned char *src_addr,
3077 const struct wpa_eapol_key *key,
3078 const u8 *key_data,
3079 size_t key_data_len, u16 ver)
3080 {
3081 u16 key_info;
3082 u8 i;
3083 struct wpa_eapol_ie_parse ie;
3084
3085 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
3086 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3087 "MLO RSN: Group Key Handshake started prior to completion of 4-way handshake");
3088 goto failed;
3089 }
3090
3091 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "MLO RSN: RX message 1 of Group "
3092 "Key Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr),
3093 ver);
3094
3095 key_info = WPA_GET_BE16(key->key_info);
3096
3097 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3098
3099 wpa_hexdump_key(MSG_DEBUG, "MLO RSN: msg 1/2 key data", key_data,
3100 key_data_len);
3101 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
3102 goto failed;
3103
3104 if (!ie.valid_mlo_gtks) {
3105 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3106 "MLO RSN: No MLO GTK KDE in Group Key msg 1/2");
3107 goto failed;
3108 }
3109
3110 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3111 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3112 "MLO RSN: MLO GTK KDE in unencrypted key data");
3113 goto failed;
3114 }
3115
3116 #ifdef CONFIG_OCV
3117 if (wpa_sm_ocv_enabled(sm)) {
3118 struct wpa_channel_info ci;
3119
3120 if (wpa_sm_channel_info(sm, &ci) != 0) {
3121 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3122 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3123 goto failed;
3124 }
3125
3126 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
3127 channel_width_to_int(ci.chanwidth),
3128 ci.seg1_idx) != OCI_SUCCESS) {
3129 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3130 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3131 MAC2STR(sm->bssid), ocv_errorstr);
3132 goto failed;
3133 }
3134 }
3135 #endif /* CONFIG_OCV */
3136
3137 if (mlo_ieee80211w_set_keys(sm, &ie) < 0)
3138 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3139 "MLO RSN: Failed to configure MLO IGTK");
3140
3141 for_each_link(sm->mlo.valid_links, i) {
3142 /*
3143 * AP may send group keys for subset of the all links during
3144 * rekey
3145 */
3146 if (!ie.mlo_gtk[i])
3147 continue;
3148
3149 if (wpa_supplicant_mlo_gtk(sm, i, ie.mlo_gtk[i],
3150 ie.mlo_gtk_len[i], key_info))
3151 goto failed;
3152 }
3153
3154 if (wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3155 goto failed;
3156
3157 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "MLO RSN: Group rekeying completed "
3158 "with " MACSTR " [GTK=%s]", MAC2STR(sm->mlo.ap_mld_addr),
3159 wpa_cipher_txt(sm->group_cipher));
3160 wpa_sm_cancel_auth_timeout(sm);
3161 wpa_sm_set_state(sm, WPA_COMPLETED);
3162
3163 wpa_sm_set_rekey_offload(sm);
3164
3165 return;
3166
3167 failed:
3168 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3169 }
3170
3171
wpa_supplicant_process_1_of_2_wpa(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3172 static void wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
3173 const unsigned char *src_addr,
3174 const struct wpa_eapol_key *key,
3175 const u8 *key_data,
3176 size_t key_data_len, u16 ver)
3177 {
3178 u16 key_info;
3179 int rekey;
3180 struct wpa_gtk_data gd;
3181 const u8 *key_rsc;
3182 size_t maxkeylen;
3183 u16 gtk_len;
3184
3185 if (!sm->msg_3_of_4_ok) {
3186 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3187 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
3188 goto failed;
3189 }
3190
3191 os_memset(&gd, 0, sizeof(gd));
3192
3193 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
3194 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3195 "WPA: RX message 1 of Group Key Handshake from " MACSTR
3196 " (ver=%d)", MAC2STR(src_addr), ver);
3197
3198 key_info = WPA_GET_BE16(key->key_info);
3199
3200 gtk_len = WPA_GET_BE16(key->key_length);
3201 maxkeylen = key_data_len;
3202 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3203 if (maxkeylen < 8) {
3204 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3205 "WPA: Too short maxkeylen (%lu)",
3206 (unsigned long) maxkeylen);
3207 goto failed;
3208 }
3209 maxkeylen -= 8;
3210 }
3211
3212 if (gtk_len > maxkeylen ||
3213 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3214 gtk_len, maxkeylen,
3215 &gd.key_rsc_len, &gd.alg))
3216 goto failed;
3217
3218 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3219
3220 gd.gtk_len = gtk_len;
3221 gd.keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3222 WPA_KEY_INFO_KEY_INDEX_SHIFT;
3223 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3224 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
3225 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3226 "WPA: RC4 not supported in the build");
3227 goto failed;
3228 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
3229 u8 ek[32];
3230 if (key_data_len > sizeof(gd.gtk)) {
3231 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3232 "WPA: RC4 key data too long (%lu)",
3233 (unsigned long) key_data_len);
3234 goto failed;
3235 }
3236 os_memcpy(ek, key->key_iv, 16);
3237 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3238 os_memcpy(gd.gtk, key_data, key_data_len);
3239 if (rc4_skip(ek, 32, 256, gd.gtk, key_data_len)) {
3240 forced_memzero(ek, sizeof(ek));
3241 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3242 "WPA: RC4 failed");
3243 goto failed;
3244 }
3245 forced_memzero(ek, sizeof(ek));
3246 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
3247 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3248 if (maxkeylen % 8) {
3249 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3250 "WPA: Unsupported AES-WRAP len %lu",
3251 (unsigned long) maxkeylen);
3252 goto failed;
3253 }
3254 if (maxkeylen > sizeof(gd.gtk)) {
3255 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3256 "WPA: AES-WRAP key data "
3257 "too long (keydatalen=%lu maxkeylen=%lu)",
3258 (unsigned long) key_data_len,
3259 (unsigned long) maxkeylen);
3260 goto failed;
3261 }
3262 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
3263 key_data, gd.gtk)) {
3264 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3265 "WPA: AES unwrap failed - could not decrypt "
3266 "GTK");
3267 goto failed;
3268 }
3269 } else {
3270 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3271 "WPA: Unsupported key_info type %d", ver);
3272 goto failed;
3273 }
3274 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3275 sm, !!(key_info & WPA_KEY_INFO_TXRX));
3276
3277 key_rsc = key->key_rsc;
3278 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3279 key_rsc = null_rsc;
3280
3281 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
3282 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3283 goto failed;
3284 forced_memzero(&gd, sizeof(gd));
3285
3286 if (rekey) {
3287 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3288 "WPA: Group rekeying completed with " MACSTR
3289 " [GTK=%s]",
3290 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3291 wpa_sm_cancel_auth_timeout(sm);
3292 wpa_sm_set_state(sm, WPA_COMPLETED);
3293 } else {
3294 wpa_supplicant_key_neg_complete(sm, sm->bssid,
3295 key_info & WPA_KEY_INFO_SECURE);
3296 }
3297
3298 wpa_sm_set_rekey_offload(sm);
3299
3300 return;
3301
3302 failed:
3303 forced_memzero(&gd, sizeof(gd));
3304 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3305 }
3306
3307
wpa_supplicant_process_1_of_2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 ver)3308 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
3309 const unsigned char *src_addr,
3310 const struct wpa_eapol_key *key,
3311 const u8 *key_data,
3312 size_t key_data_len, u16 ver)
3313 {
3314 u16 key_info;
3315 struct wpa_gtk_data gd;
3316 const u8 *key_rsc;
3317 int maxkeylen;
3318 struct wpa_eapol_ie_parse ie;
3319 u16 gtk_len;
3320
3321 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
3322 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3323 "RSN: Group Key Handshake started prior to completion of 4-way handshake");
3324 goto failed;
3325 }
3326
3327 os_memset(&gd, 0, sizeof(gd));
3328
3329 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3330 "RSN: RX message 1 of Group Key Handshake from " MACSTR
3331 " (ver=%d)", MAC2STR(src_addr), ver);
3332
3333 key_info = WPA_GET_BE16(key->key_info);
3334
3335 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
3336 key_data, key_data_len);
3337 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
3338 goto failed;
3339
3340 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
3341
3342 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
3343 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3344 "RSN: GTK KDE in unencrypted key data");
3345 goto failed;
3346 }
3347 if (!ie.gtk) {
3348 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3349 "RSN: No GTK KDE in Group Key msg 1/2");
3350 goto failed;
3351 }
3352 gtk_len = ie.gtk_len;
3353 if (gtk_len < 2) {
3354 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3355 "RSN: Invalid GTK KDE length (%u) in Group Key msg 1/2",
3356 gtk_len);
3357 goto failed;
3358 }
3359 gtk_len -= 2;
3360 if (gtk_len > sizeof(gd.gtk)) {
3361 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3362 "RSN: Too long GTK in GTK KDE (len=%u)", gtk_len);
3363 goto failed;
3364 }
3365 maxkeylen = gd.gtk_len = gtk_len;
3366
3367 #ifdef CONFIG_OCV
3368 if (wpa_sm_ocv_enabled(sm)) {
3369 struct wpa_channel_info ci;
3370
3371 if (wpa_sm_channel_info(sm, &ci) != 0) {
3372 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3373 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3374 goto failed;
3375 }
3376
3377 if (ocv_verify_tx_params(ie.oci, ie.oci_len, &ci,
3378 channel_width_to_int(ci.chanwidth),
3379 ci.seg1_idx) != OCI_SUCCESS) {
3380 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3381 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3382 MAC2STR(sm->bssid), ocv_errorstr);
3383 goto failed;
3384 }
3385 }
3386 #endif /* CONFIG_OCV */
3387
3388 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3389 gtk_len, maxkeylen,
3390 &gd.key_rsc_len, &gd.alg))
3391 goto failed;
3392
3393 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
3394 ie.gtk, 2 + gtk_len);
3395 gd.keyidx = ie.gtk[0] & 0x3;
3396 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
3397 !!(ie.gtk[0] & BIT(2)));
3398 os_memcpy(gd.gtk, ie.gtk + 2, gtk_len);
3399
3400 if (ieee80211w_set_keys(sm, &ie) < 0)
3401 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3402 "RSN: Failed to configure IGTK");
3403
3404 key_rsc = key->key_rsc;
3405 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3406 key_rsc = null_rsc;
3407
3408 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
3409 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
3410 goto failed;
3411 forced_memzero(&gd, sizeof(gd));
3412
3413 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3414 "RSN: Group rekeying completed with " MACSTR " [GTK=%s]",
3415 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3416 wpa_sm_cancel_auth_timeout(sm);
3417 wpa_sm_set_state(sm, WPA_COMPLETED);
3418
3419 wpa_sm_set_rekey_offload(sm);
3420
3421 return;
3422
3423 failed:
3424 forced_memzero(&gd, sizeof(gd));
3425 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
3426 }
3427
3428
wpa_supplicant_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)3429 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
3430 struct wpa_eapol_key *key,
3431 u16 ver,
3432 const u8 *buf, size_t len)
3433 {
3434 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
3435 int ok = 0;
3436 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
3437
3438 os_memcpy(mic, key + 1, mic_len);
3439 if (sm->tptk_set) {
3440 os_memset(key + 1, 0, mic_len);
3441 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
3442 sm->key_mgmt,
3443 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3444 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3445 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3446 "WPA: Invalid EAPOL-Key MIC "
3447 "when using TPTK - ignoring TPTK");
3448 #ifdef TEST_FUZZ
3449 wpa_printf(MSG_INFO,
3450 "TEST: Ignore Key MIC failure for fuzz testing");
3451 goto continue_fuzz;
3452 #endif /* TEST_FUZZ */
3453 } else {
3454 #ifdef TEST_FUZZ
3455 continue_fuzz:
3456 #endif /* TEST_FUZZ */
3457 ok = 1;
3458 sm->tptk_set = 0;
3459 sm->ptk_set = 1;
3460 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3461 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3462 /*
3463 * This assures the same TPTK in sm->tptk can never be
3464 * copied twice to sm->ptk as the new PTK. In
3465 * combination with the installed flag in the wpa_ptk
3466 * struct, this assures the same PTK is only installed
3467 * once.
3468 */
3469 sm->renew_snonce = 1;
3470 }
3471 }
3472
3473 if (!ok && sm->ptk_set) {
3474 os_memset(key + 1, 0, mic_len);
3475 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
3476 sm->key_mgmt,
3477 ver, buf, len, (u8 *) (key + 1)) < 0 ||
3478 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3479 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3480 "WPA: Invalid EAPOL-Key MIC - "
3481 "dropping packet");
3482 #ifdef TEST_FUZZ
3483 wpa_printf(MSG_INFO,
3484 "TEST: Ignore Key MIC failure for fuzz testing");
3485 goto continue_fuzz2;
3486 #endif /* TEST_FUZZ */
3487 return -1;
3488 }
3489 #ifdef TEST_FUZZ
3490 continue_fuzz2:
3491 #endif /* TEST_FUZZ */
3492 ok = 1;
3493 }
3494
3495 if (!ok) {
3496 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3497 "WPA: Could not verify EAPOL-Key MIC - "
3498 "dropping packet");
3499 return -1;
3500 }
3501
3502 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3503 WPA_REPLAY_COUNTER_LEN);
3504 sm->rx_replay_counter_set = 1;
3505 return 0;
3506 }
3507
3508
3509 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
wpa_supplicant_decrypt_key_data(struct wpa_sm * sm,struct wpa_eapol_key * key,size_t mic_len,u16 ver,u8 * key_data,size_t * key_data_len)3510 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
3511 struct wpa_eapol_key *key,
3512 size_t mic_len, u16 ver,
3513 u8 *key_data, size_t *key_data_len)
3514 {
3515 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
3516 key_data, *key_data_len);
3517 if (!sm->ptk_set) {
3518 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3519 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
3520 "Data");
3521 return -1;
3522 }
3523
3524 /* Decrypt key data here so that this operation does not need
3525 * to be implemented separately for each message type. */
3526 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3527 #if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
3528 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3529 "WPA: RC4 not supported in the build");
3530 return -1;
3531 #else /* CONFIG_NO_RC4 || CONFIG_FIPS */
3532 u8 ek[32];
3533
3534 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
3535 os_memcpy(ek, key->key_iv, 16);
3536 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3537 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
3538 forced_memzero(ek, sizeof(ek));
3539 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3540 "WPA: RC4 failed");
3541 return -1;
3542 }
3543 forced_memzero(ek, sizeof(ek));
3544 #endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
3545 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
3546 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
3547 wpa_use_aes_key_wrap(sm->key_mgmt)) {
3548 u8 *buf;
3549
3550 wpa_printf(MSG_DEBUG,
3551 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
3552 (unsigned int) sm->ptk.kek_len);
3553 if (*key_data_len < 8 || *key_data_len % 8) {
3554 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3555 "WPA: Unsupported AES-WRAP len %u",
3556 (unsigned int) *key_data_len);
3557 return -1;
3558 }
3559 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
3560 buf = os_malloc(*key_data_len);
3561 if (buf == NULL) {
3562 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3563 "WPA: No memory for AES-UNWRAP buffer");
3564 return -1;
3565 }
3566 #ifdef TEST_FUZZ
3567 os_memset(buf, 0x11, *key_data_len);
3568 #endif /* TEST_FUZZ */
3569 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
3570 key_data, buf)) {
3571 #ifdef TEST_FUZZ
3572 wpa_printf(MSG_INFO,
3573 "TEST: Ignore AES unwrap failure for fuzz testing");
3574 goto continue_fuzz;
3575 #endif /* TEST_FUZZ */
3576 bin_clear_free(buf, *key_data_len);
3577 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3578 "WPA: AES unwrap failed - "
3579 "could not decrypt EAPOL-Key key data");
3580 return -1;
3581 }
3582 #ifdef TEST_FUZZ
3583 continue_fuzz:
3584 #endif /* TEST_FUZZ */
3585 os_memcpy(key_data, buf, *key_data_len);
3586 bin_clear_free(buf, *key_data_len);
3587 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
3588 } else {
3589 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3590 "WPA: Unsupported key_info type %d", ver);
3591 return -1;
3592 }
3593 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
3594 key_data, *key_data_len);
3595 return 0;
3596 }
3597
3598
3599 /**
3600 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
3601 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3602 */
wpa_sm_aborted_cached(struct wpa_sm * sm)3603 void wpa_sm_aborted_cached(struct wpa_sm *sm)
3604 {
3605 if (sm && sm->cur_pmksa) {
3606 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3607 "RSN: Cancelling PMKSA caching attempt");
3608 sm->cur_pmksa = NULL;
3609 }
3610 }
3611
3612
wpa_sm_aborted_external_cached(struct wpa_sm * sm)3613 void wpa_sm_aborted_external_cached(struct wpa_sm *sm)
3614 {
3615 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) {
3616 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3617 "RSN: Cancelling external PMKSA caching attempt");
3618 sm->cur_pmksa = NULL;
3619 }
3620 }
3621
3622
wpa_eapol_key_dump(struct wpa_sm * sm,const struct wpa_eapol_key * key,unsigned int key_data_len,const u8 * mic,unsigned int mic_len)3623 static void wpa_eapol_key_dump(struct wpa_sm *sm,
3624 const struct wpa_eapol_key *key,
3625 unsigned int key_data_len,
3626 const u8 *mic, unsigned int mic_len)
3627 {
3628 #ifndef CONFIG_NO_STDOUT_DEBUG
3629 u16 key_info = WPA_GET_BE16(key->key_info);
3630
3631 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
3632 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3633 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
3634 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
3635 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
3636 WPA_KEY_INFO_KEY_INDEX_SHIFT,
3637 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
3638 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
3639 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
3640 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
3641 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
3642 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
3643 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
3644 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
3645 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
3646 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3647 " key_length=%u key_data_length=%u",
3648 WPA_GET_BE16(key->key_length), key_data_len);
3649 wpa_hexdump(MSG_DEBUG, " replay_counter",
3650 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
3651 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
3652 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
3653 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
3654 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
3655 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
3656 #endif /* CONFIG_NO_STDOUT_DEBUG */
3657 }
3658
3659
3660 #ifdef CONFIG_FILS
wpa_supp_aead_decrypt(struct wpa_sm * sm,u8 * buf,size_t buf_len,size_t * key_data_len)3661 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
3662 size_t *key_data_len)
3663 {
3664 struct wpa_ptk *ptk;
3665 struct ieee802_1x_hdr *hdr;
3666 struct wpa_eapol_key *key;
3667 u8 *pos, *tmp;
3668 const u8 *aad[1];
3669 size_t aad_len[1];
3670
3671 if (*key_data_len < AES_BLOCK_SIZE) {
3672 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
3673 return -1;
3674 }
3675
3676 if (sm->tptk_set)
3677 ptk = &sm->tptk;
3678 else if (sm->ptk_set)
3679 ptk = &sm->ptk;
3680 else
3681 return -1;
3682
3683 hdr = (struct ieee802_1x_hdr *) buf;
3684 key = (struct wpa_eapol_key *) (hdr + 1);
3685 pos = (u8 *) (key + 1);
3686 pos += 2; /* Pointing at the Encrypted Key Data field */
3687
3688 tmp = os_malloc(*key_data_len);
3689 if (!tmp)
3690 return -1;
3691
3692 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
3693 * to Key Data (exclusive). */
3694 aad[0] = buf;
3695 aad_len[0] = pos - buf;
3696 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
3697 1, aad, aad_len, tmp) < 0) {
3698 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
3699 bin_clear_free(tmp, *key_data_len);
3700 return -1;
3701 }
3702
3703 /* AEAD decryption and validation completed successfully */
3704 (*key_data_len) -= AES_BLOCK_SIZE;
3705 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
3706 tmp, *key_data_len);
3707
3708 /* Replace Key Data field with the decrypted version */
3709 os_memcpy(pos, tmp, *key_data_len);
3710 pos -= 2; /* Key Data Length field */
3711 WPA_PUT_BE16(pos, *key_data_len);
3712 bin_clear_free(tmp, *key_data_len);
3713
3714 if (sm->tptk_set) {
3715 sm->tptk_set = 0;
3716 sm->ptk_set = 1;
3717 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3718 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3719 }
3720
3721 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3722 WPA_REPLAY_COUNTER_LEN);
3723 sm->rx_replay_counter_set = 1;
3724
3725 return 0;
3726 }
3727 #endif /* CONFIG_FILS */
3728
3729
wpa_sm_rx_eapol_wpa(struct wpa_sm * sm,const u8 * src_addr,struct wpa_eapol_key * key,enum frame_encryption encrypted,const u8 * tmp,size_t data_len,u8 * key_data,size_t key_data_len)3730 static int wpa_sm_rx_eapol_wpa(struct wpa_sm *sm, const u8 *src_addr,
3731 struct wpa_eapol_key *key,
3732 enum frame_encryption encrypted,
3733 const u8 *tmp, size_t data_len,
3734 u8 *key_data, size_t key_data_len)
3735 {
3736 u16 key_info, ver;
3737
3738 key_info = WPA_GET_BE16(key->key_info);
3739
3740 if (key->type != EAPOL_KEY_TYPE_WPA) {
3741 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3742 "WPA: Unsupported EAPOL-Key type %d", key->type);
3743 return -1;
3744 }
3745
3746 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3747 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3748 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3749 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3750 "WPA: Unsupported EAPOL-Key descriptor version %d",
3751 ver);
3752 return -1;
3753 }
3754
3755 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3756 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
3757 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3758 "WPA: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3759 ver);
3760 if (sm->group_cipher != WPA_CIPHER_CCMP &&
3761 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
3762 /* Earlier versions of IEEE 802.11i did not explicitly
3763 * require version 2 descriptor for all EAPOL-Key
3764 * packets, so allow group keys to use version 1 if
3765 * CCMP is not used for them. */
3766 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3767 "WPA: Backwards compatibility: allow invalid version for non-CCMP group keys");
3768 } else
3769 return -1;
3770 }
3771
3772 if ((key_info & WPA_KEY_INFO_MIC) &&
3773 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
3774 return -1;
3775
3776 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
3777 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
3778 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3779 "WPA: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3780 return -1;
3781 }
3782 if (key_info & (WPA_KEY_INFO_MIC |
3783 WPA_KEY_INFO_ENCR_KEY_DATA)) {
3784 /* 3/4 4-Way Handshake */
3785 wpa_supplicant_process_3_of_4_wpa(sm, key, ver,
3786 key_data,
3787 key_data_len);
3788 } else {
3789 /* 1/4 4-Way Handshake */
3790 wpa_supplicant_process_1_of_4_wpa(sm, src_addr, key,
3791 ver, key_data,
3792 key_data_len,
3793 encrypted);
3794 }
3795 } else {
3796 if (key_info & WPA_KEY_INFO_MIC) {
3797 /* 1/2 Group Key Handshake */
3798 wpa_supplicant_process_1_of_2_wpa(sm, src_addr, key,
3799 key_data,
3800 key_data_len,
3801 ver);
3802 } else {
3803 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3804 "WPA: EAPOL-Key (Group) without Mic/Encr bit - dropped");
3805 }
3806 }
3807
3808 return 1;
3809 }
3810
3811
3812 /**
3813 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
3814 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3815 * @src_addr: Source MAC address of the EAPOL packet
3816 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
3817 * @len: Length of the EAPOL frame
3818 * @encrypted: Whether the frame was encrypted
3819 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
3820 *
3821 * This function is called for each received EAPOL frame. Other than EAPOL-Key
3822 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
3823 * only processing WPA and WPA2 EAPOL-Key frames.
3824 *
3825 * The received EAPOL-Key packets are validated and valid packets are replied
3826 * to. In addition, key material (PTK, GTK) is configured at the end of a
3827 * successful key handshake.
3828 */
wpa_sm_rx_eapol(struct wpa_sm * sm,const u8 * src_addr,const u8 * buf,size_t len,enum frame_encryption encrypted)3829 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
3830 const u8 *buf, size_t len, enum frame_encryption encrypted)
3831 {
3832 size_t plen, data_len, key_data_len;
3833 const struct ieee802_1x_hdr *hdr;
3834 struct wpa_eapol_key *key;
3835 u16 key_info, ver;
3836 u8 *tmp = NULL;
3837 int ret = -1;
3838 u8 *mic, *key_data;
3839 size_t mic_len, keyhdrlen, pmk_len;
3840
3841 #ifdef CONFIG_IEEE80211R
3842 sm->ft_completed = 0;
3843 #endif /* CONFIG_IEEE80211R */
3844
3845 pmk_len = sm->pmk_len;
3846 if (!pmk_len && sm->cur_pmksa)
3847 pmk_len = sm->cur_pmksa->pmk_len;
3848 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
3849 keyhdrlen = sizeof(*key) + mic_len + 2;
3850
3851 if (len < sizeof(*hdr) + keyhdrlen) {
3852 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3853 "WPA: EAPOL frame too short to be a WPA "
3854 "EAPOL-Key (len %lu, expecting at least %lu)",
3855 (unsigned long) len,
3856 (unsigned long) sizeof(*hdr) + keyhdrlen);
3857 return 0;
3858 }
3859
3860 hdr = (const struct ieee802_1x_hdr *) buf;
3861 plen = be_to_host16(hdr->length);
3862 data_len = plen + sizeof(*hdr);
3863 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3864 "IEEE 802.1X RX: version=%d type=%d length=%lu",
3865 hdr->version, hdr->type, (unsigned long) plen);
3866
3867 if (hdr->version < EAPOL_VERSION) {
3868 /* TODO: backwards compatibility */
3869 }
3870 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
3871 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3872 "WPA: EAPOL frame (type %u) discarded, "
3873 "not a Key frame", hdr->type);
3874 ret = 0;
3875 goto out;
3876 }
3877 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
3878 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
3879 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3880 "WPA: EAPOL frame payload size %lu "
3881 "invalid (frame size %lu)",
3882 (unsigned long) plen, (unsigned long) len);
3883 ret = 0;
3884 goto out;
3885 }
3886 if (data_len < len) {
3887 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3888 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
3889 (unsigned long) len - data_len);
3890 }
3891
3892 /*
3893 * Make a copy of the frame since we need to modify the buffer during
3894 * MAC validation and Key Data decryption.
3895 */
3896 tmp = os_memdup(buf, data_len);
3897 if (tmp == NULL)
3898 goto out;
3899 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
3900 mic = (u8 *) (key + 1);
3901 key_data = mic + mic_len + 2;
3902
3903 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
3904 {
3905 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3906 "WPA: EAPOL-Key type (%d) unknown, discarded",
3907 key->type);
3908 ret = 0;
3909 goto out;
3910 }
3911
3912 key_data_len = WPA_GET_BE16(mic + mic_len);
3913 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
3914
3915 if (key_data_len > plen - keyhdrlen) {
3916 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
3917 "frame - key_data overflow (%u > %u)",
3918 (unsigned int) key_data_len,
3919 (unsigned int) (plen - keyhdrlen));
3920 goto out;
3921 }
3922
3923 if (sm->rx_replay_counter_set &&
3924 os_memcmp(key->replay_counter, sm->rx_replay_counter,
3925 WPA_REPLAY_COUNTER_LEN) <= 0) {
3926 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3927 "WPA: EAPOL-Key Replay Counter did not increase - dropping packet");
3928 goto out;
3929 }
3930
3931 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
3932
3933 key_info = WPA_GET_BE16(key->key_info);
3934
3935 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
3936 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3937 "WPA: Unsupported SMK bit in key_info");
3938 goto out;
3939 }
3940
3941 if (!(key_info & WPA_KEY_INFO_ACK)) {
3942 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3943 "WPA: No Ack bit in key_info");
3944 goto out;
3945 }
3946
3947 if (key_info & WPA_KEY_INFO_REQUEST) {
3948 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3949 "WPA: EAPOL-Key with Request bit - dropped");
3950 goto out;
3951 }
3952
3953 if (sm->proto == WPA_PROTO_WPA) {
3954 ret = wpa_sm_rx_eapol_wpa(sm, src_addr, key, encrypted,
3955 tmp, data_len,
3956 key_data, key_data_len);
3957 goto out;
3958 }
3959
3960 if (key->type != EAPOL_KEY_TYPE_RSN) {
3961 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3962 "RSN: Unsupported EAPOL-Key type %d", key->type);
3963 goto out;
3964 }
3965
3966 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
3967 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3968 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
3969 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3970 !wpa_use_akm_defined(sm->key_mgmt)) {
3971 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3972 "RSN: Unsupported EAPOL-Key descriptor version %d",
3973 ver);
3974 goto out;
3975 }
3976
3977 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
3978 sm->pairwise_cipher != WPA_CIPHER_TKIP) {
3979 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3980 "RSN: EAPOL-Key descriptor version %d not allowed without TKIP as the pairwise cipher",
3981 ver);
3982 goto out;
3983 }
3984
3985 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
3986 (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
3987 sm->key_mgmt != WPA_KEY_MGMT_PSK)) {
3988 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3989 "RSN: EAPOL-Key descriptor version %d not allowed due to negotiated AKM (0x%x)",
3990 ver, sm->key_mgmt);
3991 goto out;
3992 }
3993
3994 if (wpa_use_akm_defined(sm->key_mgmt) &&
3995 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
3996 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3997 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
3998 ver);
3999 goto out;
4000 }
4001
4002 #ifdef CONFIG_IEEE80211R
4003 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
4004 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
4005 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
4006 !wpa_use_akm_defined(sm->key_mgmt)) {
4007 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4008 "FT: AP did not use AES-128-CMAC");
4009 goto out;
4010 }
4011 } else
4012 #endif /* CONFIG_IEEE80211R */
4013 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
4014 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
4015 !wpa_use_akm_defined(sm->key_mgmt)) {
4016 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4017 "RSN: AP did not use the negotiated AES-128-CMAC");
4018 goto out;
4019 }
4020 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
4021 !wpa_use_akm_defined(sm->key_mgmt) &&
4022 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
4023 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4024 "RSN: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2", ver);
4025 if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
4026 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4027 "RSN: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
4028 } else {
4029 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4030 "RSN: Unexpected descriptor version %u", ver);
4031 goto out;
4032 }
4033 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
4034 !wpa_use_akm_defined(sm->key_mgmt) &&
4035 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
4036 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
4037 "RSN: GCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
4038 ver);
4039 goto out;
4040 }
4041
4042 if ((key_info & WPA_KEY_INFO_MIC) &&
4043 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
4044 goto out;
4045
4046 #ifdef CONFIG_FILS
4047 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
4048 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
4049 goto out;
4050 }
4051 #endif /* CONFIG_FILS */
4052
4053 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
4054 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
4055 /*
4056 * Only decrypt the Key Data field if the frame's authenticity
4057 * was verified. When using AES-SIV (FILS), the MIC flag is not
4058 * set, so this check should only be performed if mic_len != 0
4059 * which is the case in this code branch.
4060 */
4061 if (!(key_info & WPA_KEY_INFO_MIC)) {
4062 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4063 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
4064 goto out;
4065 }
4066 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
4067 ver, key_data,
4068 &key_data_len))
4069 goto out;
4070 }
4071
4072 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
4073 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
4074 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4075 "RSN: Ignored EAPOL-Key (Pairwise) with non-zero key index");
4076 goto out;
4077 }
4078 if (key_info & (WPA_KEY_INFO_MIC |
4079 WPA_KEY_INFO_ENCR_KEY_DATA)) {
4080 /* 3/4 4-Way Handshake */
4081 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
4082 key_data_len);
4083 } else {
4084 /* 1/4 4-Way Handshake */
4085 wpa_supplicant_process_1_of_4(sm, src_addr, key,
4086 ver, key_data,
4087 key_data_len,
4088 encrypted);
4089 }
4090 } else {
4091 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
4092 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
4093 /* 1/2 Group Key Handshake */
4094 if (sm->mlo.valid_links)
4095 wpa_supplicant_process_mlo_1_of_2(sm, src_addr,
4096 key, key_data,
4097 key_data_len,
4098 ver);
4099 else
4100 wpa_supplicant_process_1_of_2(sm, src_addr, key,
4101 key_data,
4102 key_data_len,
4103 ver);
4104 } else {
4105 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4106 "RSN: EAPOL-Key (Group) without Mic/Encr bit - dropped");
4107 }
4108 }
4109
4110 ret = 1;
4111
4112 out:
4113 bin_clear_free(tmp, data_len);
4114 return ret;
4115 }
4116
4117
4118 #ifdef CONFIG_CTRL_IFACE
wpa_key_mgmt_suite(struct wpa_sm * sm)4119 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
4120 {
4121 switch (sm->key_mgmt) {
4122 case WPA_KEY_MGMT_IEEE8021X:
4123 return ((sm->proto == WPA_PROTO_RSN ||
4124 sm->proto == WPA_PROTO_OSEN) ?
4125 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
4126 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
4127 case WPA_KEY_MGMT_PSK:
4128 return (sm->proto == WPA_PROTO_RSN ?
4129 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
4130 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
4131 #ifdef CONFIG_IEEE80211R
4132 case WPA_KEY_MGMT_FT_IEEE8021X:
4133 return RSN_AUTH_KEY_MGMT_FT_802_1X;
4134 case WPA_KEY_MGMT_FT_PSK:
4135 return RSN_AUTH_KEY_MGMT_FT_PSK;
4136 #endif /* CONFIG_IEEE80211R */
4137 case WPA_KEY_MGMT_IEEE8021X_SHA256:
4138 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
4139 case WPA_KEY_MGMT_PSK_SHA256:
4140 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
4141 case WPA_KEY_MGMT_CCKM:
4142 return (sm->proto == WPA_PROTO_RSN ?
4143 RSN_AUTH_KEY_MGMT_CCKM:
4144 WPA_AUTH_KEY_MGMT_CCKM);
4145 case WPA_KEY_MGMT_WPA_NONE:
4146 return WPA_AUTH_KEY_MGMT_NONE;
4147 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
4148 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
4149 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
4150 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
4151 case WPA_KEY_MGMT_IEEE8021X_SHA384:
4152 return RSN_AUTH_KEY_MGMT_802_1X_SHA384;
4153 default:
4154 return 0;
4155 }
4156 }
4157
4158
4159 #define RSN_SUITE "%02x-%02x-%02x-%d"
4160 #define RSN_SUITE_ARG(s) \
4161 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
4162
4163 /**
4164 * wpa_sm_get_mib - Dump text list of MIB entries
4165 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4166 * @buf: Buffer for the list
4167 * @buflen: Length of the buffer
4168 * Returns: Number of bytes written to buffer
4169 *
4170 * This function is used fetch dot11 MIB variables.
4171 */
wpa_sm_get_mib(struct wpa_sm * sm,char * buf,size_t buflen)4172 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
4173 {
4174 char pmkid_txt[PMKID_LEN * 2 + 1];
4175 bool rsna;
4176 int ret;
4177 size_t len;
4178
4179 if (sm->cur_pmksa) {
4180 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
4181 sm->cur_pmksa->pmkid, PMKID_LEN);
4182 } else
4183 pmkid_txt[0] = '\0';
4184
4185 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
4186 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
4187 sm->proto == WPA_PROTO_RSN;
4188
4189 ret = os_snprintf(buf, buflen,
4190 "dot11RSNAOptionImplemented=TRUE\n"
4191 "dot11RSNAPreauthenticationImplemented=TRUE\n"
4192 "dot11RSNAEnabled=%s\n"
4193 "dot11RSNAPreauthenticationEnabled=%s\n"
4194 "dot11RSNAConfigVersion=%d\n"
4195 "dot11RSNAConfigPairwiseKeysSupported=5\n"
4196 "dot11RSNAConfigGroupCipherSize=%d\n"
4197 "dot11RSNAConfigPMKLifetime=%d\n"
4198 "dot11RSNAConfigPMKReauthThreshold=%d\n"
4199 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
4200 "dot11RSNAConfigSATimeout=%d\n",
4201 rsna ? "TRUE" : "FALSE",
4202 rsna ? "TRUE" : "FALSE",
4203 RSN_VERSION,
4204 wpa_cipher_key_len(sm->group_cipher) * 8,
4205 sm->dot11RSNAConfigPMKLifetime,
4206 sm->dot11RSNAConfigPMKReauthThreshold,
4207 sm->dot11RSNAConfigSATimeout);
4208 if (os_snprintf_error(buflen, ret))
4209 return 0;
4210 len = ret;
4211
4212 ret = os_snprintf(
4213 buf + len, buflen - len,
4214 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
4215 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
4216 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
4217 "dot11RSNAPMKIDUsed=%s\n"
4218 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
4219 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
4220 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
4221 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
4222 "dot11RSNA4WayHandshakeFailures=%u\n",
4223 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
4224 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4225 sm->pairwise_cipher)),
4226 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4227 sm->group_cipher)),
4228 pmkid_txt,
4229 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
4230 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4231 sm->pairwise_cipher)),
4232 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4233 sm->group_cipher)),
4234 sm->dot11RSNA4WayHandshakeFailures);
4235 if (!os_snprintf_error(buflen - len, ret))
4236 len += ret;
4237
4238 return (int) len;
4239 }
4240 #endif /* CONFIG_CTRL_IFACE */
4241
4242
wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason)4243 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
4244 void *ctx, enum pmksa_free_reason reason)
4245 {
4246 struct wpa_sm *sm = ctx;
4247 int deauth = 0;
4248
4249 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
4250 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
4251
4252 if (sm->cur_pmksa == entry) {
4253 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4254 "RSN: %s current PMKSA entry",
4255 reason == PMKSA_REPLACE ? "replaced" : "removed");
4256 pmksa_cache_clear_current(sm);
4257
4258 /*
4259 * If an entry is simply being replaced, there's no need to
4260 * deauthenticate because it will be immediately re-added.
4261 * This happens when EAP authentication is completed again
4262 * (reauth or failed PMKSA caching attempt).
4263 */
4264 if (reason != PMKSA_REPLACE)
4265 deauth = 1;
4266 }
4267
4268 if (reason == PMKSA_EXPIRE &&
4269 (sm->pmk_len == entry->pmk_len &&
4270 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
4271 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4272 "RSN: deauthenticating due to expired PMK");
4273 pmksa_cache_clear_current(sm);
4274 deauth = 1;
4275 }
4276
4277 if (deauth) {
4278 sm->pmk_len = 0;
4279 os_memset(sm->pmk, 0, sizeof(sm->pmk));
4280 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
4281 }
4282 }
4283
4284
wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)4285 static bool wpa_sm_pmksa_is_current_cb(struct rsn_pmksa_cache_entry *entry,
4286 void *ctx)
4287 {
4288 struct wpa_sm *sm = ctx;
4289
4290 return sm->cur_pmksa == entry;
4291 }
4292
4293
wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)4294 static void wpa_sm_pmksa_notify_cb(struct rsn_pmksa_cache_entry *entry,
4295 void *ctx)
4296 {
4297 struct wpa_sm *sm = ctx;
4298
4299 wpa_sm_notify_pmksa_cache_entry(sm, entry);
4300 }
4301
4302
4303 /**
4304 * wpa_sm_init - Initialize WPA state machine
4305 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
4306 * Returns: Pointer to the allocated WPA state machine data
4307 *
4308 * This function is used to allocate a new WPA state machine and the returned
4309 * value is passed to all WPA state machine calls.
4310 */
wpa_sm_init(struct wpa_sm_ctx * ctx)4311 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
4312 {
4313 struct wpa_sm *sm;
4314
4315 sm = os_zalloc(sizeof(*sm));
4316 if (sm == NULL)
4317 return NULL;
4318 dl_list_init(&sm->pmksa_candidates);
4319 sm->renew_snonce = 1;
4320 sm->ctx = ctx;
4321
4322 sm->dot11RSNAConfigPMKLifetime = 43200;
4323 sm->dot11RSNAConfigPMKReauthThreshold = 70;
4324 sm->dot11RSNAConfigSATimeout = 60;
4325
4326 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb,
4327 wpa_sm_pmksa_is_current_cb,
4328 wpa_sm_pmksa_notify_cb, sm, sm);
4329 if (sm->pmksa == NULL) {
4330 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
4331 "RSN: PMKSA cache initialization failed");
4332 os_free(sm);
4333 return NULL;
4334 }
4335
4336 return sm;
4337 }
4338
4339
4340 /**
4341 * wpa_sm_deinit - Deinitialize WPA state machine
4342 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4343 */
wpa_sm_deinit(struct wpa_sm * sm)4344 void wpa_sm_deinit(struct wpa_sm *sm)
4345 {
4346 int i;
4347
4348 if (sm == NULL)
4349 return;
4350 pmksa_cache_deinit(sm->pmksa);
4351 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4352 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4353 os_free(sm->assoc_wpa_ie);
4354 os_free(sm->assoc_rsnxe);
4355 os_free(sm->ap_wpa_ie);
4356 os_free(sm->ap_rsn_ie);
4357 os_free(sm->ap_rsnxe);
4358 os_free(sm->ap_rsne_override);
4359 os_free(sm->ap_rsne_override_2);
4360 os_free(sm->ap_rsnxe_override);
4361 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4362 os_free(sm->mlo.links[i].ap_rsne);
4363 os_free(sm->mlo.links[i].ap_rsnxe);
4364 os_free(sm->mlo.links[i].ap_rsnoe);
4365 os_free(sm->mlo.links[i].ap_rsno2e);
4366 os_free(sm->mlo.links[i].ap_rsnxoe);
4367 }
4368 wpa_sm_drop_sa(sm);
4369 os_free(sm->ctx);
4370 #ifdef CONFIG_IEEE80211R
4371 os_free(sm->assoc_resp_ies);
4372 #endif /* CONFIG_IEEE80211R */
4373 #ifdef CONFIG_TESTING_OPTIONS
4374 wpabuf_free(sm->test_assoc_ie);
4375 wpabuf_free(sm->test_eapol_m2_elems);
4376 wpabuf_free(sm->test_eapol_m4_elems);
4377 #endif /* CONFIG_TESTING_OPTIONS */
4378 #ifdef CONFIG_FILS_SK_PFS
4379 crypto_ecdh_deinit(sm->fils_ecdh);
4380 #endif /* CONFIG_FILS_SK_PFS */
4381 #ifdef CONFIG_FILS
4382 wpabuf_free(sm->fils_ft_ies);
4383 #endif /* CONFIG_FILS */
4384 #ifdef CONFIG_OWE
4385 crypto_ecdh_deinit(sm->owe_ecdh);
4386 #endif /* CONFIG_OWE */
4387 #ifdef CONFIG_DPP2
4388 wpabuf_clear_free(sm->dpp_z);
4389 #endif /* CONFIG_DPP2 */
4390 os_free(sm);
4391 }
4392
4393
wpa_sm_clear_ptk(struct wpa_sm * sm)4394 static void wpa_sm_clear_ptk(struct wpa_sm *sm)
4395 {
4396 int i;
4397
4398 sm->ptk_set = 0;
4399 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
4400 sm->tptk_set = 0;
4401 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
4402 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
4403 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
4404 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
4405 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
4406 os_memset(&sm->bigtk, 0, sizeof(sm->bigtk));
4407 os_memset(&sm->bigtk_wnm_sleep, 0, sizeof(sm->bigtk_wnm_sleep));
4408 sm->tk_set = false;
4409 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4410 os_memset(&sm->mlo.links[i].gtk, 0,
4411 sizeof(sm->mlo.links[i].gtk));
4412 os_memset(&sm->mlo.links[i].gtk_wnm_sleep, 0,
4413 sizeof(sm->mlo.links[i].gtk_wnm_sleep));
4414 os_memset(&sm->mlo.links[i].igtk, 0,
4415 sizeof(sm->mlo.links[i].igtk));
4416 os_memset(&sm->mlo.links[i].igtk_wnm_sleep, 0,
4417 sizeof(sm->mlo.links[i].igtk_wnm_sleep));
4418 os_memset(&sm->mlo.links[i].bigtk, 0,
4419 sizeof(sm->mlo.links[i].bigtk));
4420 os_memset(&sm->mlo.links[i].bigtk_wnm_sleep, 0,
4421 sizeof(sm->mlo.links[i].bigtk_wnm_sleep));
4422 }
4423 }
4424
4425
4426 /**
4427 * wpa_sm_notify_assoc - Notify WPA state machine about association
4428 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4429 * @bssid: The BSSID of the new association
4430 *
4431 * This function is called to let WPA state machine know that the connection
4432 * was established.
4433 */
wpa_sm_notify_assoc(struct wpa_sm * sm,const u8 * bssid)4434 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
4435 {
4436 int clear_keys = 1;
4437
4438 if (sm == NULL)
4439 return;
4440
4441 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4442 "WPA: Association event - clear replay counter");
4443 os_memcpy(sm->bssid, bssid, ETH_ALEN);
4444 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
4445 sm->rx_replay_counter_set = 0;
4446 sm->renew_snonce = 1;
4447 if (ether_addr_equal(sm->preauth_bssid, bssid))
4448 rsn_preauth_deinit(sm);
4449
4450 #ifdef CONFIG_IEEE80211R
4451 if (wpa_ft_is_completed(sm)) {
4452 /*
4453 * Clear portValid to kick EAPOL state machine to re-enter
4454 * AUTHENTICATED state to get the EAPOL port Authorized.
4455 */
4456 eapol_sm_notify_portValid(sm->eapol, false);
4457 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4458
4459 /* Prepare for the next transition */
4460 wpa_ft_prepare_auth_request(sm, NULL);
4461
4462 clear_keys = 0;
4463 sm->ft_protocol = 1;
4464 } else {
4465 sm->ft_protocol = 0;
4466 }
4467 #endif /* CONFIG_IEEE80211R */
4468 #ifdef CONFIG_FILS
4469 if (sm->fils_completed) {
4470 /*
4471 * Clear portValid to kick EAPOL state machine to re-enter
4472 * AUTHENTICATED state to get the EAPOL port Authorized.
4473 */
4474 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4475 clear_keys = 0;
4476 }
4477 #endif /* CONFIG_FILS */
4478
4479 if (clear_keys) {
4480 /*
4481 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
4482 * this is not part of a Fast BSS Transition.
4483 */
4484 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
4485 wpa_sm_clear_ptk(sm);
4486 }
4487
4488 #ifdef CONFIG_TDLS
4489 wpa_tdls_assoc(sm);
4490 #endif /* CONFIG_TDLS */
4491
4492 #ifdef CONFIG_P2P
4493 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
4494 #endif /* CONFIG_P2P */
4495
4496 sm->keyidx_active = 0;
4497 }
4498
4499
4500 /**
4501 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
4502 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4503 *
4504 * This function is called to let WPA state machine know that the connection
4505 * was lost. This will abort any existing pre-authentication session.
4506 */
wpa_sm_notify_disassoc(struct wpa_sm * sm)4507 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
4508 {
4509 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
4510 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
4511 rsn_preauth_deinit(sm);
4512 pmksa_cache_clear_current(sm);
4513 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
4514 sm->dot11RSNA4WayHandshakeFailures++;
4515 #ifdef CONFIG_TDLS
4516 wpa_tdls_disassoc(sm);
4517 #endif /* CONFIG_TDLS */
4518 #ifdef CONFIG_FILS
4519 sm->fils_completed = 0;
4520 #endif /* CONFIG_FILS */
4521 #ifdef CONFIG_IEEE80211R
4522 sm->ft_reassoc_completed = 0;
4523 sm->ft_protocol = 0;
4524 #endif /* CONFIG_IEEE80211R */
4525
4526 /* Keys are not needed in the WPA state machine anymore */
4527 wpa_sm_drop_sa(sm);
4528 sm->keyidx_active = 0;
4529
4530 sm->msg_3_of_4_ok = 0;
4531 os_memset(sm->bssid, 0, ETH_ALEN);
4532 }
4533
4534
4535 /**
4536 * wpa_sm_set_pmk - Set PMK
4537 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4538 * @pmk: The new PMK
4539 * @pmk_len: The length of the new PMK in bytes
4540 * @pmkid: Calculated PMKID
4541 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
4542 *
4543 * Configure the PMK for WPA state machine.
4544 */
wpa_sm_set_pmk(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid)4545 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
4546 const u8 *pmkid, const u8 *bssid)
4547 {
4548 if (sm == NULL)
4549 return;
4550
4551 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
4552 pmk, pmk_len);
4553 sm->pmk_len = pmk_len;
4554 os_memcpy(sm->pmk, pmk, pmk_len);
4555
4556 #ifdef CONFIG_IEEE80211R
4557 /* Set XXKey to be PSK for FT key derivation */
4558 sm->xxkey_len = pmk_len;
4559 os_memcpy(sm->xxkey, pmk, pmk_len);
4560 #endif /* CONFIG_IEEE80211R */
4561
4562 if (bssid) {
4563 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len,
4564 pmkid, NULL, 0, bssid,
4565 sm->own_addr,
4566 sm->network_ctx, sm->key_mgmt,
4567 NULL);
4568 }
4569 }
4570
4571
4572 /**
4573 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
4574 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4575 *
4576 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
4577 * will be cleared.
4578 */
wpa_sm_set_pmk_from_pmksa(struct wpa_sm * sm)4579 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
4580 {
4581 if (sm == NULL)
4582 return;
4583
4584 if (sm->cur_pmksa) {
4585 wpa_hexdump_key(MSG_DEBUG,
4586 "WPA: Set PMK based on current PMKSA",
4587 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
4588 sm->pmk_len = sm->cur_pmksa->pmk_len;
4589 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
4590 } else {
4591 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
4592 sm->pmk_len = 0;
4593 os_memset(sm->pmk, 0, PMK_LEN_MAX);
4594 }
4595 }
4596
4597
4598 /**
4599 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
4600 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4601 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
4602 */
wpa_sm_set_fast_reauth(struct wpa_sm * sm,int fast_reauth)4603 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
4604 {
4605 if (sm)
4606 sm->fast_reauth = fast_reauth;
4607 }
4608
4609
4610 /**
4611 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
4612 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4613 * @scard_ctx: Context pointer for smartcard related callback functions
4614 */
wpa_sm_set_scard_ctx(struct wpa_sm * sm,void * scard_ctx)4615 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
4616 {
4617 if (sm == NULL)
4618 return;
4619 sm->scard_ctx = scard_ctx;
4620 if (sm->preauth_eapol)
4621 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
4622 }
4623
4624
4625 /**
4626 * wpa_sm_set_config - Notification of current configuration change
4627 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4628 * @config: Pointer to current network configuration
4629 *
4630 * Notify WPA state machine that configuration has changed. config will be
4631 * stored as a backpointer to network configuration. This can be %NULL to clear
4632 * the stored pointed.
4633 */
wpa_sm_set_config(struct wpa_sm * sm,struct rsn_supp_config * config)4634 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
4635 {
4636 if (!sm)
4637 return;
4638
4639 if (config) {
4640 sm->network_ctx = config->network_ctx;
4641 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
4642 sm->proactive_key_caching = config->proactive_key_caching;
4643 sm->eap_workaround = config->eap_workaround;
4644 sm->eap_conf_ctx = config->eap_conf_ctx;
4645 if (config->ssid) {
4646 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
4647 sm->ssid_len = config->ssid_len;
4648 } else
4649 sm->ssid_len = 0;
4650 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
4651 sm->p2p = config->p2p;
4652 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
4653 sm->owe_ptk_workaround = config->owe_ptk_workaround;
4654 sm->force_kdk_derivation = config->force_kdk_derivation;
4655 #ifdef CONFIG_FILS
4656 if (config->fils_cache_id) {
4657 sm->fils_cache_id_set = 1;
4658 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
4659 FILS_CACHE_ID_LEN);
4660 } else {
4661 sm->fils_cache_id_set = 0;
4662 }
4663 #endif /* CONFIG_FILS */
4664 sm->beacon_prot = config->beacon_prot;
4665 } else {
4666 sm->network_ctx = NULL;
4667 sm->allowed_pairwise_cipher = 0;
4668 sm->proactive_key_caching = 0;
4669 sm->eap_workaround = 0;
4670 sm->eap_conf_ctx = NULL;
4671 sm->ssid_len = 0;
4672 sm->wpa_ptk_rekey = 0;
4673 sm->p2p = 0;
4674 sm->wpa_rsc_relaxation = 0;
4675 sm->owe_ptk_workaround = 0;
4676 sm->beacon_prot = 0;
4677 sm->force_kdk_derivation = false;
4678 }
4679 }
4680
4681
wpa_sm_set_ssid(struct wpa_sm * sm,const u8 * ssid,size_t ssid_len)4682 void wpa_sm_set_ssid(struct wpa_sm *sm, const u8 *ssid, size_t ssid_len)
4683 {
4684 if (!sm)
4685 return;
4686
4687 if (ssid) {
4688 os_memcpy(sm->ssid, ssid, ssid_len);
4689 sm->ssid_len = ssid_len;
4690 } else {
4691 sm->ssid_len = 0;
4692 }
4693 }
4694
4695
wpa_sm_set_mlo_params(struct wpa_sm * sm,const struct wpa_sm_mlo * mlo)4696 int wpa_sm_set_mlo_params(struct wpa_sm *sm, const struct wpa_sm_mlo *mlo)
4697 {
4698 int i;
4699
4700 if (!sm)
4701 return -1;
4702
4703 os_memcpy(sm->mlo.ap_mld_addr, mlo->ap_mld_addr, ETH_ALEN);
4704 sm->mlo.assoc_link_id = mlo->assoc_link_id;
4705 sm->mlo.valid_links = mlo->valid_links;
4706 sm->mlo.req_links = mlo->req_links;
4707
4708 for (i = 0; i < MAX_NUM_MLD_LINKS; i++) {
4709 const u8 *ie;
4710 size_t len;
4711
4712 if (sm->mlo.req_links & BIT(i)) {
4713 if (!mlo->links[i].ap_rsne ||
4714 mlo->links[i].ap_rsne_len == 0) {
4715 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
4716 "RSN: No RSNE for AP MLO link %d with BSSID "
4717 MACSTR,
4718 i, MAC2STR(mlo->links[i].bssid));
4719 return -1;
4720
4721 }
4722 os_memcpy(sm->mlo.links[i].addr, mlo->links[i].addr,
4723 ETH_ALEN);
4724 os_memcpy(sm->mlo.links[i].bssid, mlo->links[i].bssid,
4725 ETH_ALEN);
4726 }
4727
4728 ie = mlo->links[i].ap_rsne;
4729 len = mlo->links[i].ap_rsne_len;
4730 os_free(sm->mlo.links[i].ap_rsne);
4731 if (!ie || len == 0) {
4732 if (sm->mlo.links[i].ap_rsne)
4733 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4734 "RSN: Clearing MLO link[%u] AP RSNE",
4735 i);
4736 sm->mlo.links[i].ap_rsne = NULL;
4737 sm->mlo.links[i].ap_rsne_len = 0;
4738 } else {
4739 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNE",
4740 ie, len);
4741 sm->mlo.links[i].ap_rsne = os_memdup(ie, len);
4742 if (!sm->mlo.links[i].ap_rsne) {
4743 sm->mlo.links[i].ap_rsne_len = 0;
4744 return -1;
4745 }
4746 sm->mlo.links[i].ap_rsne_len = len;
4747 }
4748
4749 ie = mlo->links[i].ap_rsnxe;
4750 len = mlo->links[i].ap_rsnxe_len;
4751 os_free(sm->mlo.links[i].ap_rsnxe);
4752 if (!ie || len == 0) {
4753 if (sm->mlo.links[i].ap_rsnxe)
4754 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4755 "RSN: Clearing MLO link[%u] AP RSNXE",
4756 i);
4757 sm->mlo.links[i].ap_rsnxe = NULL;
4758 sm->mlo.links[i].ap_rsnxe_len = 0;
4759 } else {
4760 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNXE", ie,
4761 len);
4762 sm->mlo.links[i].ap_rsnxe = os_memdup(ie, len);
4763 if (!sm->mlo.links[i].ap_rsnxe) {
4764 sm->mlo.links[i].ap_rsnxe_len = 0;
4765 return -1;
4766 }
4767 sm->mlo.links[i].ap_rsnxe_len = len;
4768 }
4769
4770 ie = mlo->links[i].ap_rsnoe;
4771 len = mlo->links[i].ap_rsnoe_len;
4772 os_free(sm->mlo.links[i].ap_rsnoe);
4773 if (!ie || len == 0) {
4774 if (sm->mlo.links[i].ap_rsnoe)
4775 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4776 "RSN: Clearing MLO link[%u] AP RSNOE",
4777 i);
4778 sm->mlo.links[i].ap_rsnoe = NULL;
4779 sm->mlo.links[i].ap_rsnoe_len = 0;
4780 } else {
4781 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNOE",
4782 ie, len);
4783 sm->mlo.links[i].ap_rsnoe = os_memdup(ie, len);
4784 if (!sm->mlo.links[i].ap_rsnoe) {
4785 sm->mlo.links[i].ap_rsnoe_len = 0;
4786 return -1;
4787 }
4788 sm->mlo.links[i].ap_rsnoe_len = len;
4789 }
4790
4791 ie = mlo->links[i].ap_rsno2e;
4792 len = mlo->links[i].ap_rsno2e_len;
4793 os_free(sm->mlo.links[i].ap_rsno2e);
4794 if (!ie || len == 0) {
4795 if (sm->mlo.links[i].ap_rsno2e)
4796 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4797 "RSN: Clearing MLO link[%u] AP RSNO2E",
4798 i);
4799 sm->mlo.links[i].ap_rsno2e = NULL;
4800 sm->mlo.links[i].ap_rsno2e_len = 0;
4801 } else {
4802 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNO2E",
4803 ie, len);
4804 sm->mlo.links[i].ap_rsno2e = os_memdup(ie, len);
4805 if (!sm->mlo.links[i].ap_rsno2e) {
4806 sm->mlo.links[i].ap_rsno2e_len = 0;
4807 return -1;
4808 }
4809 sm->mlo.links[i].ap_rsno2e_len = len;
4810 }
4811
4812 ie = mlo->links[i].ap_rsnxoe;
4813 len = mlo->links[i].ap_rsnxoe_len;
4814 os_free(sm->mlo.links[i].ap_rsnxoe);
4815 if (!ie || len == 0) {
4816 if (sm->mlo.links[i].ap_rsnxoe)
4817 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4818 "RSN: Clearing MLO link[%u] AP RSNXOE",
4819 i);
4820 sm->mlo.links[i].ap_rsnxoe = NULL;
4821 sm->mlo.links[i].ap_rsnxoe_len = 0;
4822 } else {
4823 wpa_hexdump_link(MSG_DEBUG, i, "RSN: Set AP RSNXOE",
4824 ie, len);
4825 sm->mlo.links[i].ap_rsnxoe = os_memdup(ie, len);
4826 if (!sm->mlo.links[i].ap_rsnxoe) {
4827 sm->mlo.links[i].ap_rsnxoe_len = 0;
4828 return -1;
4829 }
4830 sm->mlo.links[i].ap_rsnxoe_len = len;
4831 }
4832 }
4833
4834 return 0;
4835 }
4836
4837
4838 /**
4839 * wpa_sm_set_own_addr - Set own MAC address
4840 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4841 * @addr: Own MAC address
4842 */
wpa_sm_set_own_addr(struct wpa_sm * sm,const u8 * addr)4843 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
4844 {
4845 if (sm)
4846 os_memcpy(sm->own_addr, addr, ETH_ALEN);
4847 }
4848
4849
4850 /**
4851 * wpa_sm_set_ifname - Set network interface name
4852 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4853 * @ifname: Interface name
4854 * @bridge_ifname: Optional bridge interface name (for pre-auth)
4855 */
wpa_sm_set_ifname(struct wpa_sm * sm,const char * ifname,const char * bridge_ifname)4856 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
4857 const char *bridge_ifname)
4858 {
4859 if (sm) {
4860 sm->ifname = ifname;
4861 sm->bridge_ifname = bridge_ifname;
4862 }
4863 }
4864
4865
4866 /**
4867 * wpa_sm_set_eapol - Set EAPOL state machine pointer
4868 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4869 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
4870 */
wpa_sm_set_eapol(struct wpa_sm * sm,struct eapol_sm * eapol)4871 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
4872 {
4873 if (sm)
4874 sm->eapol = eapol;
4875 }
4876
4877
4878 /**
4879 * wpa_sm_set_param - Set WPA state machine parameters
4880 * @sm: Pointer to WPA state machine data from wpa_sm_init()
4881 * @param: Parameter field
4882 * @value: Parameter value
4883 * Returns: 0 on success, -1 on failure
4884 */
wpa_sm_set_param(struct wpa_sm * sm,enum wpa_sm_conf_params param,unsigned int value)4885 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
4886 unsigned int value)
4887 {
4888 int ret = 0;
4889
4890 if (sm == NULL)
4891 return -1;
4892
4893 switch (param) {
4894 case RSNA_PMK_LIFETIME:
4895 if (value > 0)
4896 sm->dot11RSNAConfigPMKLifetime = value;
4897 else
4898 ret = -1;
4899 break;
4900 case RSNA_PMK_REAUTH_THRESHOLD:
4901 if (value > 0 && value <= 100)
4902 sm->dot11RSNAConfigPMKReauthThreshold = value;
4903 else
4904 ret = -1;
4905 break;
4906 case RSNA_SA_TIMEOUT:
4907 if (value > 0)
4908 sm->dot11RSNAConfigSATimeout = value;
4909 else
4910 ret = -1;
4911 break;
4912 case WPA_PARAM_PROTO:
4913 sm->proto = value;
4914 break;
4915 case WPA_PARAM_PAIRWISE:
4916 sm->pairwise_cipher = value;
4917 break;
4918 case WPA_PARAM_GROUP:
4919 sm->group_cipher = value;
4920 break;
4921 case WPA_PARAM_KEY_MGMT:
4922 sm->key_mgmt = value;
4923 break;
4924 case WPA_PARAM_MGMT_GROUP:
4925 sm->mgmt_group_cipher = value;
4926 break;
4927 case WPA_PARAM_RSN_ENABLED:
4928 sm->rsn_enabled = value;
4929 break;
4930 case WPA_PARAM_MFP:
4931 sm->mfp = value;
4932 break;
4933 case WPA_PARAM_OCV:
4934 sm->ocv = value;
4935 break;
4936 case WPA_PARAM_SAE_PWE:
4937 sm->sae_pwe = value;
4938 break;
4939 case WPA_PARAM_SAE_PK:
4940 sm->sae_pk = value;
4941 break;
4942 case WPA_PARAM_DENY_PTK0_REKEY:
4943 sm->wpa_deny_ptk0_rekey = value;
4944 break;
4945 case WPA_PARAM_EXT_KEY_ID:
4946 sm->ext_key_id = value;
4947 break;
4948 case WPA_PARAM_USE_EXT_KEY_ID:
4949 sm->use_ext_key_id = value;
4950 break;
4951 #ifdef CONFIG_TESTING_OPTIONS
4952 case WPA_PARAM_FT_RSNXE_USED:
4953 sm->ft_rsnxe_used = value;
4954 break;
4955 case WPA_PARAM_OCI_FREQ_EAPOL:
4956 sm->oci_freq_override_eapol = value;
4957 break;
4958 case WPA_PARAM_OCI_FREQ_EAPOL_G2:
4959 sm->oci_freq_override_eapol_g2 = value;
4960 break;
4961 case WPA_PARAM_OCI_FREQ_FT_ASSOC:
4962 sm->oci_freq_override_ft_assoc = value;
4963 break;
4964 case WPA_PARAM_OCI_FREQ_FILS_ASSOC:
4965 sm->oci_freq_override_fils_assoc = value;
4966 break;
4967 case WPA_PARAM_DISABLE_EAPOL_G2_TX:
4968 sm->disable_eapol_g2_tx = value;
4969 break;
4970 case WPA_PARAM_ENCRYPT_EAPOL_M2:
4971 sm->encrypt_eapol_m2 = value;
4972 break;
4973 case WPA_PARAM_ENCRYPT_EAPOL_M4:
4974 sm->encrypt_eapol_m4 = value;
4975 break;
4976 #endif /* CONFIG_TESTING_OPTIONS */
4977 #ifdef CONFIG_DPP2
4978 case WPA_PARAM_DPP_PFS:
4979 sm->dpp_pfs = value;
4980 break;
4981 #endif /* CONFIG_DPP2 */
4982 case WPA_PARAM_WMM_ENABLED:
4983 sm->wmm_enabled = value;
4984 break;
4985 case WPA_PARAM_FT_PREPEND_PMKID:
4986 sm->ft_prepend_pmkid = value;
4987 break;
4988 case WPA_PARAM_SSID_PROTECTION:
4989 sm->ssid_protection = value;
4990 break;
4991 case WPA_PARAM_RSN_OVERRIDE:
4992 sm->rsn_override = value;
4993 break;
4994 case WPA_PARAM_RSN_OVERRIDE_SUPPORT:
4995 sm->rsn_override_support = value;
4996 break;
4997 default:
4998 break;
4999 }
5000
5001 return ret;
5002 }
5003
5004
wpa_sm_get_ap_rsne(struct wpa_sm * sm,size_t * len)5005 static const u8 * wpa_sm_get_ap_rsne(struct wpa_sm *sm, size_t *len)
5006 {
5007 if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE) {
5008 *len = sm->ap_rsne_override_len;
5009 return sm->ap_rsne_override;
5010 }
5011
5012 if (sm->rsn_override == RSN_OVERRIDE_RSNE_OVERRIDE_2) {
5013 *len = sm->ap_rsne_override_2_len;
5014 return sm->ap_rsne_override_2;
5015 }
5016
5017 *len = sm->ap_rsn_ie_len;
5018 return sm->ap_rsn_ie;
5019 }
5020
5021
5022 /**
5023 * wpa_sm_get_status - Get WPA state machine
5024 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5025 * @buf: Buffer for status information
5026 * @buflen: Maximum buffer length
5027 * @verbose: Whether to include verbose status information
5028 * Returns: Number of bytes written to buf.
5029 *
5030 * Query WPA state machine for status information. This function fills in
5031 * a text area with current status information. If the buffer (buf) is not
5032 * large enough, status information will be truncated to fit the buffer.
5033 */
wpa_sm_get_status(struct wpa_sm * sm,char * buf,size_t buflen,int verbose)5034 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
5035 int verbose)
5036 {
5037 char *pos = buf, *end = buf + buflen;
5038 int ret;
5039 const u8 *rsne;
5040 size_t rsne_len;
5041
5042 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5043
5044 ret = os_snprintf(pos, end - pos,
5045 "pairwise_cipher=%s\n"
5046 "group_cipher=%s\n"
5047 "key_mgmt=%s\n",
5048 wpa_cipher_txt(sm->pairwise_cipher),
5049 wpa_cipher_txt(sm->group_cipher),
5050 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
5051 if (os_snprintf_error(end - pos, ret))
5052 return pos - buf;
5053 pos += ret;
5054
5055 #ifdef CONFIG_DPP2
5056 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
5057 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
5058 if (os_snprintf_error(end - pos, ret))
5059 return pos - buf;
5060 pos += ret;
5061 }
5062 #endif /* CONFIG_DPP2 */
5063
5064 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && rsne) {
5065 struct wpa_ie_data rsn;
5066
5067 if (wpa_parse_wpa_ie_rsn(rsne, rsne_len, &rsn) >= 0 &&
5068 rsn.capabilities & (WPA_CAPABILITY_MFPR |
5069 WPA_CAPABILITY_MFPC)) {
5070 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
5071 "mgmt_group_cipher=%s\n",
5072 (rsn.capabilities &
5073 WPA_CAPABILITY_MFPR) ? 2 : 1,
5074 wpa_cipher_txt(
5075 sm->mgmt_group_cipher));
5076 if (os_snprintf_error(end - pos, ret))
5077 return pos - buf;
5078 pos += ret;
5079 }
5080 }
5081
5082 return pos - buf;
5083 }
5084
5085
wpa_sm_pmf_enabled(struct wpa_sm * sm)5086 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
5087 {
5088 struct wpa_ie_data rsn;
5089 const u8 *rsne;
5090 size_t rsne_len;
5091
5092 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5093
5094 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !rsne)
5095 return 0;
5096
5097 if (wpa_parse_wpa_ie_rsn(rsne, rsne_len, &rsn) >= 0 &&
5098 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
5099 return 1;
5100
5101 return 0;
5102 }
5103
5104
wpa_sm_rsn_overriding_supported(struct wpa_sm * sm)5105 bool wpa_sm_rsn_overriding_supported(struct wpa_sm *sm)
5106 {
5107 const u8 *rsne;
5108 size_t rsne_len;
5109
5110 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5111
5112 return sm->rsn_override_support && rsne;
5113 }
5114
5115
wpa_sm_ext_key_id(struct wpa_sm * sm)5116 int wpa_sm_ext_key_id(struct wpa_sm *sm)
5117 {
5118 return sm ? sm->ext_key_id : 0;
5119 }
5120
5121
wpa_sm_ext_key_id_active(struct wpa_sm * sm)5122 int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
5123 {
5124 return sm ? sm->use_ext_key_id : 0;
5125 }
5126
5127
wpa_sm_ocv_enabled(struct wpa_sm * sm)5128 int wpa_sm_ocv_enabled(struct wpa_sm *sm)
5129 {
5130 struct wpa_ie_data rsn;
5131 const u8 *rsne;
5132 size_t rsne_len;
5133
5134 rsne = wpa_sm_get_ap_rsne(sm, &rsne_len);
5135 if (!sm->ocv || !rsne)
5136 return 0;
5137
5138 return wpa_parse_wpa_ie_rsn(rsne, rsne_len, &rsn) >= 0 &&
5139 (rsn.capabilities & WPA_CAPABILITY_OCVC);
5140 }
5141
5142
5143 /**
5144 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
5145 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5146 * @wpa_ie: Pointer to buffer for WPA/RSN IE
5147 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
5148 * Returns: 0 on success, -1 on failure
5149 */
wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm * sm,u8 * wpa_ie,size_t * wpa_ie_len)5150 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
5151 size_t *wpa_ie_len)
5152 {
5153 int res;
5154
5155 if (sm == NULL)
5156 return -1;
5157
5158 #ifdef CONFIG_TESTING_OPTIONS
5159 if (sm->test_assoc_ie) {
5160 wpa_printf(MSG_DEBUG,
5161 "TESTING: Replace association WPA/RSN IE");
5162 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
5163 return -1;
5164 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
5165 wpabuf_len(sm->test_assoc_ie));
5166 res = wpabuf_len(sm->test_assoc_ie);
5167 } else
5168 #endif /* CONFIG_TESTING_OPTIONS */
5169 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
5170 if (res < 0)
5171 return -1;
5172 *wpa_ie_len = res;
5173
5174 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
5175 wpa_ie, *wpa_ie_len);
5176
5177 if (sm->assoc_wpa_ie == NULL) {
5178 /*
5179 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
5180 * the correct version of the IE even if PMKSA caching is
5181 * aborted (which would remove PMKID from IE generation).
5182 */
5183 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
5184 if (sm->assoc_wpa_ie == NULL)
5185 return -1;
5186
5187 sm->assoc_wpa_ie_len = *wpa_ie_len;
5188 } else {
5189 wpa_hexdump(MSG_DEBUG,
5190 "WPA: Leave previously set WPA IE default",
5191 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5192 }
5193
5194 return 0;
5195 }
5196
5197
5198 /**
5199 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
5200 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5201 * @ie: Pointer to IE data (starting from id)
5202 * @len: IE length
5203 * Returns: 0 on success, -1 on failure
5204 *
5205 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
5206 * Request frame. The IE will be used to override the default value generated
5207 * with wpa_sm_set_assoc_wpa_ie_default().
5208 */
wpa_sm_set_assoc_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5209 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5210 {
5211 if (sm == NULL)
5212 return -1;
5213
5214 os_free(sm->assoc_wpa_ie);
5215 if (ie == NULL || len == 0) {
5216 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5217 "WPA: clearing own WPA/RSN IE");
5218 sm->assoc_wpa_ie = NULL;
5219 sm->assoc_wpa_ie_len = 0;
5220 } else {
5221 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
5222 sm->assoc_wpa_ie = os_memdup(ie, len);
5223 if (sm->assoc_wpa_ie == NULL)
5224 return -1;
5225
5226 sm->assoc_wpa_ie_len = len;
5227 }
5228
5229 return 0;
5230 }
5231
5232
5233 /**
5234 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
5235 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5236 * @rsnxe: Pointer to buffer for RSNXE
5237 * @rsnxe_len: Pointer to the length of the rsne buffer
5238 * Returns: 0 on success, -1 on failure
5239 */
wpa_sm_set_assoc_rsnxe_default(struct wpa_sm * sm,u8 * rsnxe,size_t * rsnxe_len)5240 int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
5241 size_t *rsnxe_len)
5242 {
5243 int res;
5244
5245 if (!sm)
5246 return -1;
5247
5248 res = wpa_gen_rsnxe(sm, rsnxe, *rsnxe_len);
5249 if (res < 0)
5250 return -1;
5251 *rsnxe_len = res;
5252
5253 wpa_hexdump(MSG_DEBUG, "RSN: Set own RSNXE default", rsnxe, *rsnxe_len);
5254
5255 if (sm->assoc_rsnxe) {
5256 wpa_hexdump(MSG_DEBUG,
5257 "RSN: Leave previously set RSNXE default",
5258 sm->assoc_rsnxe, sm->assoc_rsnxe_len);
5259 } else if (*rsnxe_len > 0) {
5260 /*
5261 * Make a copy of the RSNXE so that 4-Way Handshake gets the
5262 * correct version of the IE even if it gets changed.
5263 */
5264 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
5265 if (!sm->assoc_rsnxe)
5266 return -1;
5267
5268 sm->assoc_rsnxe_len = *rsnxe_len;
5269 }
5270
5271 return 0;
5272 }
5273
5274
5275 /**
5276 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
5277 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5278 * @ie: Pointer to IE data (starting from id)
5279 * @len: IE length
5280 * Returns: 0 on success, -1 on failure
5281 *
5282 * Inform WPA state machine about the RSNXE used in (Re)Association Request
5283 * frame. The IE will be used to override the default value generated
5284 * with wpa_sm_set_assoc_rsnxe_default().
5285 */
wpa_sm_set_assoc_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)5286 int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
5287 {
5288 if (!sm)
5289 return -1;
5290
5291 os_free(sm->assoc_rsnxe);
5292 if (!ie || len == 0) {
5293 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5294 "RSN: clearing own RSNXE");
5295 sm->assoc_rsnxe = NULL;
5296 sm->assoc_rsnxe_len = 0;
5297 } else {
5298 wpa_hexdump(MSG_DEBUG, "RSN: set own RSNXE", ie, len);
5299 sm->assoc_rsnxe = os_memdup(ie, len);
5300 if (!sm->assoc_rsnxe)
5301 return -1;
5302
5303 sm->assoc_rsnxe_len = len;
5304 }
5305
5306 if (sm->ssid_protection &&
5307 !ieee802_11_rsnx_capab(sm->assoc_rsnxe,
5308 WLAN_RSNX_CAPAB_SSID_PROTECTION)) {
5309 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5310 "RSN: Disabling SSID protection based on own RSNXE update");
5311 sm->ssid_protection = 0;
5312 }
5313
5314 return 0;
5315 }
5316
5317
5318 /**
5319 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
5320 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5321 * @ie: Pointer to IE data (starting from id)
5322 * @len: IE length
5323 * Returns: 0 on success, -1 on failure
5324 *
5325 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
5326 * frame.
5327 */
wpa_sm_set_ap_wpa_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5328 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5329 {
5330 if (sm == NULL)
5331 return -1;
5332
5333 os_free(sm->ap_wpa_ie);
5334 if (ie == NULL || len == 0) {
5335 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5336 "WPA: clearing AP WPA IE");
5337 sm->ap_wpa_ie = NULL;
5338 sm->ap_wpa_ie_len = 0;
5339 } else {
5340 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
5341 sm->ap_wpa_ie = os_memdup(ie, len);
5342 if (sm->ap_wpa_ie == NULL)
5343 return -1;
5344
5345 sm->ap_wpa_ie_len = len;
5346 }
5347
5348 return 0;
5349 }
5350
5351
5352 /**
5353 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
5354 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5355 * @ie: Pointer to IE data (starting from id)
5356 * @len: IE length
5357 * Returns: 0 on success, -1 on failure
5358 *
5359 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
5360 * frame.
5361 */
wpa_sm_set_ap_rsn_ie(struct wpa_sm * sm,const u8 * ie,size_t len)5362 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
5363 {
5364 if (sm == NULL)
5365 return -1;
5366
5367 os_free(sm->ap_rsn_ie);
5368 if (ie == NULL || len == 0) {
5369 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5370 "WPA: clearing AP RSN IE");
5371 sm->ap_rsn_ie = NULL;
5372 sm->ap_rsn_ie_len = 0;
5373 } else {
5374 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
5375 sm->ap_rsn_ie = os_memdup(ie, len);
5376 if (sm->ap_rsn_ie == NULL)
5377 return -1;
5378
5379 sm->ap_rsn_ie_len = len;
5380 }
5381
5382 return 0;
5383 }
5384
5385
5386 /**
5387 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
5388 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5389 * @ie: Pointer to IE data (starting from id)
5390 * @len: IE length
5391 * Returns: 0 on success, -1 on failure
5392 *
5393 * Inform WPA state machine about the RSNXE used in Beacon / Probe Response
5394 * frame.
5395 */
wpa_sm_set_ap_rsnxe(struct wpa_sm * sm,const u8 * ie,size_t len)5396 int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len)
5397 {
5398 if (!sm)
5399 return -1;
5400
5401 os_free(sm->ap_rsnxe);
5402 if (!ie || len == 0) {
5403 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
5404 sm->ap_rsnxe = NULL;
5405 sm->ap_rsnxe_len = 0;
5406 } else {
5407 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSNXE", ie, len);
5408 sm->ap_rsnxe = os_memdup(ie, len);
5409 if (!sm->ap_rsnxe)
5410 return -1;
5411
5412 sm->ap_rsnxe_len = len;
5413 }
5414
5415 return 0;
5416 }
5417
5418
wpa_sm_set_ap_rsne_override(struct wpa_sm * sm,const u8 * ie,size_t len)5419 int wpa_sm_set_ap_rsne_override(struct wpa_sm *sm, const u8 *ie, size_t len)
5420 {
5421 if (!sm)
5422 return -1;
5423
5424 os_free(sm->ap_rsne_override);
5425 if (!ie || len == 0) {
5426 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5427 "RSN: Clearing AP RSNE Override element");
5428 sm->ap_rsne_override = NULL;
5429 sm->ap_rsne_override_len = 0;
5430 } else {
5431 wpa_hexdump(MSG_DEBUG, "RSN: Set AP RSNE Override element",
5432 ie, len);
5433 sm->ap_rsne_override = os_memdup(ie, len);
5434 if (!sm->ap_rsne_override)
5435 return -1;
5436
5437 sm->ap_rsne_override_len = len;
5438 }
5439
5440 return 0;
5441 }
5442
5443
wpa_sm_set_ap_rsne_override_2(struct wpa_sm * sm,const u8 * ie,size_t len)5444 int wpa_sm_set_ap_rsne_override_2(struct wpa_sm *sm, const u8 *ie, size_t len)
5445 {
5446 if (!sm)
5447 return -1;
5448
5449 os_free(sm->ap_rsne_override_2);
5450 if (!ie || len == 0) {
5451 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5452 "RSN: Clearing AP RSNE Override 2 element");
5453 sm->ap_rsne_override_2 = NULL;
5454 sm->ap_rsne_override_2_len = 0;
5455 } else {
5456 wpa_hexdump(MSG_DEBUG, "RSN: Set AP RSNE Override 2 element",
5457 ie, len);
5458 sm->ap_rsne_override_2 = os_memdup(ie, len);
5459 if (!sm->ap_rsne_override_2)
5460 return -1;
5461
5462 sm->ap_rsne_override_2_len = len;
5463 }
5464
5465 return 0;
5466 }
5467
5468
wpa_sm_set_ap_rsnxe_override(struct wpa_sm * sm,const u8 * ie,size_t len)5469 int wpa_sm_set_ap_rsnxe_override(struct wpa_sm *sm, const u8 *ie, size_t len)
5470 {
5471 if (!sm)
5472 return -1;
5473
5474 os_free(sm->ap_rsnxe_override);
5475 if (!ie || len == 0) {
5476 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5477 "RSN: Clearing AP RSNXE Override element");
5478 sm->ap_rsnxe_override = NULL;
5479 sm->ap_rsnxe_override_len = 0;
5480 } else {
5481 wpa_hexdump(MSG_DEBUG, "RSN: Set AP RSNXE Override element",
5482 ie, len);
5483 sm->ap_rsnxe_override = os_memdup(ie, len);
5484 if (!sm->ap_rsnxe_override)
5485 return -1;
5486
5487 sm->ap_rsnxe_override_len = len;
5488 }
5489
5490 return 0;
5491 }
5492
5493
5494 /**
5495 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
5496 * @sm: Pointer to WPA state machine data from wpa_sm_init()
5497 * @data: Pointer to data area for parsing results
5498 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
5499 *
5500 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
5501 * parsed data into data.
5502 */
wpa_sm_parse_own_wpa_ie(struct wpa_sm * sm,struct wpa_ie_data * data)5503 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
5504 {
5505 if (sm == NULL)
5506 return -1;
5507
5508 if (sm->assoc_wpa_ie == NULL) {
5509 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5510 "WPA: No WPA/RSN IE available from association info");
5511 return -1;
5512 }
5513 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
5514 return -2;
5515 return 0;
5516 }
5517
5518
wpa_sm_pmksa_cache_list(struct wpa_sm * sm,char * buf,size_t len)5519 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
5520 {
5521 return pmksa_cache_list(sm->pmksa, buf, len);
5522 }
5523
5524
wpa_sm_pmksa_cache_head(struct wpa_sm * sm)5525 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
5526 {
5527 return pmksa_cache_head(sm->pmksa);
5528 }
5529
5530
5531 struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)5532 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
5533 struct rsn_pmksa_cache_entry * entry)
5534 {
5535 return pmksa_cache_add_entry(sm->pmksa, entry);
5536 }
5537
5538
wpa_sm_pmksa_cache_add(struct wpa_sm * sm,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * bssid,const u8 * fils_cache_id)5539 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
5540 const u8 *pmkid, const u8 *bssid,
5541 const u8 *fils_cache_id)
5542 {
5543 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
5544 bssid, sm->own_addr, sm->network_ctx,
5545 sm->key_mgmt, fils_cache_id);
5546 }
5547
5548
wpa_sm_pmksa_exists(struct wpa_sm * sm,const u8 * bssid,const u8 * own_addr,const void * network_ctx)5549 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const u8 *own_addr,
5550 const void *network_ctx)
5551 {
5552 return pmksa_cache_get(sm->pmksa, bssid, own_addr, NULL, network_ctx,
5553 0) != NULL;
5554 }
5555
5556
wpa_sm_pmksa_cache_get(struct wpa_sm * sm,const u8 * aa,const u8 * pmkid,const void * network_ctx,int akmp)5557 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
5558 const u8 *aa,
5559 const u8 *pmkid,
5560 const void *network_ctx,
5561 int akmp)
5562 {
5563 return pmksa_cache_get(sm->pmksa, aa, sm->own_addr, pmkid, network_ctx,
5564 akmp);
5565 }
5566
5567
wpa_sm_pmksa_cache_remove(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)5568 void wpa_sm_pmksa_cache_remove(struct wpa_sm *sm,
5569 struct rsn_pmksa_cache_entry *entry)
5570 {
5571 if (sm && sm->pmksa)
5572 pmksa_cache_remove(sm->pmksa, entry);
5573 }
5574
5575
wpa_sm_drop_sa(struct wpa_sm * sm)5576 void wpa_sm_drop_sa(struct wpa_sm *sm)
5577 {
5578 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
5579 wpa_sm_clear_ptk(sm);
5580 sm->pmk_len = 0;
5581 os_memset(sm->pmk, 0, sizeof(sm->pmk));
5582 #ifdef CONFIG_IEEE80211R
5583 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
5584 sm->xxkey_len = 0;
5585 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
5586 sm->pmk_r0_len = 0;
5587 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
5588 sm->pmk_r1_len = 0;
5589 #ifdef CONFIG_PASN
5590 os_free(sm->pasn_r1kh);
5591 sm->pasn_r1kh = NULL;
5592 sm->n_pasn_r1kh = 0;
5593 #endif /* CONFIG_PASN */
5594 #endif /* CONFIG_IEEE80211R */
5595 }
5596
5597
5598 #ifdef CONFIG_IEEE80211R
wpa_sm_has_ft_keys(struct wpa_sm * sm,const u8 * md)5599 bool wpa_sm_has_ft_keys(struct wpa_sm *sm, const u8 *md)
5600 {
5601 if (!sm)
5602 return false;
5603 if (!wpa_key_mgmt_ft(sm->key_mgmt) ||
5604 os_memcmp(md, sm->key_mobility_domain,
5605 MOBILITY_DOMAIN_ID_LEN) != 0) {
5606 /* Do not allow FT protocol to be used even if we were to have
5607 * an PTK since the mobility domain has changed. */
5608 return false;
5609 }
5610 return sm->ptk_set;
5611 }
5612 #endif /* CONFIG_IEEE80211R */
5613
5614
wpa_sm_has_ptk_installed(struct wpa_sm * sm)5615 int wpa_sm_has_ptk_installed(struct wpa_sm *sm)
5616 {
5617 if (!sm)
5618 return 0;
5619 return sm->tk_set || sm->ptk.installed;
5620 }
5621
5622
wpa_sm_update_replay_ctr(struct wpa_sm * sm,const u8 * replay_ctr)5623 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
5624 {
5625 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
5626 }
5627
5628
wpa_sm_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5629 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5630 {
5631 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false);
5632 }
5633
5634
wpa_sm_external_pmksa_cache_flush(struct wpa_sm * sm,void * network_ctx)5635 void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
5636 {
5637 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true);
5638 }
5639
5640 #if defined(CONFIG_DRIVER_NL80211_BRCM) || defined(CONFIG_DRIVER_NL80211_SYNA)
wpa_sm_install_pmk(struct wpa_sm * sm)5641 void wpa_sm_install_pmk(struct wpa_sm *sm)
5642 {
5643 /* In case the driver wants to handle re-assocs, pass it down the PMK. */
5644 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->pairwise_cipher), NULL, 0, 0, NULL, 0,
5645 (u8*)sm->pmk, sm->pmk_len, KEY_FLAG_PMK) < 0) {
5646 wpa_hexdump(MSG_DEBUG, "PSK: Install PMK to the driver for driver reassociations",
5647 (u8*)sm->pmk, sm->pmk_len);
5648 /* No harm if the driver doesn't support. */
5649 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
5650 "WPA: Failed to set PMK to the driver");
5651 }
5652 }
5653
wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm * sm,const u8 * bssid)5654 void wpa_sm_notify_brcm_ft_reassoc(struct wpa_sm *sm, const u8 *bssid)
5655 {
5656 u8 buf[256];
5657 struct wpa_supplicant *wpa_s = sm->ctx->ctx;
5658
5659 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5660 "WPA: BRCM FT Reassociation event - clear replay counter");
5661 os_memcpy(sm->bssid, bssid, ETH_ALEN);
5662 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
5663 sm->rx_replay_counter_set = 0;
5664
5665 if (wpa_drv_driver_cmd(wpa_s, "GET_FTKEY", (char *)buf, sizeof(buf)) < 0) {
5666 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
5667 "WPA: Failed to get FT KEY information");
5668 wpa_supplicant_deauthenticate(
5669 wpa_s, WLAN_REASON_DEAUTH_LEAVING);
5670
5671 } else {
5672 /* update kck and kek */
5673 os_memcpy(sm->ptk.kck, buf, 16);
5674 os_memcpy(sm->ptk.kek, buf + 16, 16);
5675 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
5676 "WPA: Updated KCK and KEK after FT reassoc");
5677 }
5678 }
5679 #endif /* CONFIG_DRIVER_NL80211_BRCM || CONFIG_DRIVER_NL80211_SYNA */
5680
5681
5682 #ifdef CONFIG_WNM
wpa_wnmsleep_install_key(struct wpa_sm * sm,u8 subelem_id,u8 * buf)5683 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
5684 {
5685 u16 keyinfo;
5686 u8 keylen; /* plaintext key len */
5687 u8 *key_rsc;
5688
5689 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
5690 struct wpa_gtk_data gd;
5691
5692 os_memset(&gd, 0, sizeof(gd));
5693 keylen = wpa_cipher_key_len(sm->group_cipher);
5694 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
5695 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
5696 if (gd.alg == WPA_ALG_NONE) {
5697 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
5698 return -1;
5699 }
5700
5701 key_rsc = buf + 5;
5702 keyinfo = WPA_GET_LE16(buf + 2);
5703 gd.gtk_len = keylen;
5704 if (gd.gtk_len != buf[4]) {
5705 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
5706 gd.gtk_len, buf[4]);
5707 return -1;
5708 }
5709 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
5710 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
5711 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
5712
5713 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
5714
5715 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
5716 gd.gtk, gd.gtk_len);
5717 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
5718 forced_memzero(&gd, sizeof(gd));
5719 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
5720 "WNM mode");
5721 return -1;
5722 }
5723 forced_memzero(&gd, sizeof(gd));
5724 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
5725 const struct wpa_igtk_kde *igtk;
5726
5727 igtk = (const struct wpa_igtk_kde *) (buf + 2);
5728 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
5729 return -1;
5730 } else if (subelem_id == WNM_SLEEP_SUBELEM_BIGTK) {
5731 const struct wpa_bigtk_kde *bigtk;
5732
5733 bigtk = (const struct wpa_bigtk_kde *) (buf + 2);
5734 if (sm->beacon_prot &&
5735 wpa_supplicant_install_bigtk(sm, bigtk, 1) < 0)
5736 return -1;
5737 } else {
5738 wpa_printf(MSG_DEBUG, "Unknown element id");
5739 return -1;
5740 }
5741
5742 return 0;
5743 }
5744 #endif /* CONFIG_WNM */
5745
5746
5747 #ifdef CONFIG_P2P
5748
wpa_sm_get_p2p_ip_addr(struct wpa_sm * sm,u8 * buf)5749 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
5750 {
5751 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
5752 return -1;
5753 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
5754 return 0;
5755 }
5756
5757 #endif /* CONFIG_P2P */
5758
5759
wpa_sm_set_rx_replay_ctr(struct wpa_sm * sm,const u8 * rx_replay_counter)5760 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
5761 {
5762 if (rx_replay_counter == NULL)
5763 return;
5764
5765 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
5766 WPA_REPLAY_COUNTER_LEN);
5767 sm->rx_replay_counter_set = 1;
5768 wpa_printf(MSG_DEBUG, "Updated key replay counter");
5769 }
5770
5771
wpa_sm_set_ptk_kck_kek(struct wpa_sm * sm,const u8 * ptk_kck,size_t ptk_kck_len,const u8 * ptk_kek,size_t ptk_kek_len)5772 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
5773 const u8 *ptk_kck, size_t ptk_kck_len,
5774 const u8 *ptk_kek, size_t ptk_kek_len)
5775 {
5776 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
5777 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
5778 sm->ptk.kck_len = ptk_kck_len;
5779 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
5780 }
5781 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
5782 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
5783 sm->ptk.kek_len = ptk_kek_len;
5784 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
5785 }
5786 sm->ptk_set = 1;
5787 }
5788
5789
5790 #ifdef CONFIG_TESTING_OPTIONS
5791
wpa_sm_set_test_assoc_ie(struct wpa_sm * sm,struct wpabuf * buf)5792 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
5793 {
5794 wpabuf_free(sm->test_assoc_ie);
5795 sm->test_assoc_ie = buf;
5796 }
5797
5798
wpa_sm_set_test_eapol_m2_elems(struct wpa_sm * sm,struct wpabuf * buf)5799 void wpa_sm_set_test_eapol_m2_elems(struct wpa_sm *sm, struct wpabuf *buf)
5800 {
5801 wpabuf_free(sm->test_eapol_m2_elems);
5802 sm->test_eapol_m2_elems = buf;
5803 }
5804
5805
wpa_sm_set_test_eapol_m4_elems(struct wpa_sm * sm,struct wpabuf * buf)5806 void wpa_sm_set_test_eapol_m4_elems(struct wpa_sm *sm, struct wpabuf *buf)
5807 {
5808 wpabuf_free(sm->test_eapol_m4_elems);
5809 sm->test_eapol_m4_elems = buf;
5810 }
5811
5812
wpa_sm_get_anonce(struct wpa_sm * sm)5813 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
5814 {
5815 return sm->anonce;
5816 }
5817
5818 #endif /* CONFIG_TESTING_OPTIONS */
5819
5820
wpa_sm_get_key_mgmt(struct wpa_sm * sm)5821 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
5822 {
5823 return sm->key_mgmt;
5824 }
5825
5826
wpa_sm_get_auth_addr(struct wpa_sm * sm)5827 const u8 * wpa_sm_get_auth_addr(struct wpa_sm *sm)
5828 {
5829 return sm->mlo.valid_links ? sm->mlo.ap_mld_addr : sm->bssid;
5830 }
5831
5832
5833 #ifdef CONFIG_FILS
5834
fils_build_auth(struct wpa_sm * sm,int dh_group,const u8 * md)5835 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
5836 {
5837 struct wpabuf *buf = NULL;
5838 struct wpabuf *erp_msg;
5839 struct wpabuf *pub = NULL;
5840
5841 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
5842 if (!erp_msg && !sm->cur_pmksa) {
5843 wpa_printf(MSG_DEBUG,
5844 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
5845 goto fail;
5846 }
5847
5848 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
5849 erp_msg != NULL, sm->cur_pmksa != NULL);
5850
5851 sm->fils_completed = 0;
5852
5853 if (!sm->assoc_wpa_ie) {
5854 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
5855 goto fail;
5856 }
5857
5858 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
5859 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
5860 goto fail;
5861
5862 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
5863 sm->fils_nonce, FILS_NONCE_LEN);
5864 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
5865 sm->fils_session, FILS_SESSION_LEN);
5866
5867 #ifdef CONFIG_FILS_SK_PFS
5868 sm->fils_dh_group = dh_group;
5869 if (dh_group) {
5870 crypto_ecdh_deinit(sm->fils_ecdh);
5871 sm->fils_ecdh = crypto_ecdh_init(dh_group);
5872 if (!sm->fils_ecdh) {
5873 wpa_printf(MSG_INFO,
5874 "FILS: Could not initialize ECDH with group %d",
5875 dh_group);
5876 goto fail;
5877 }
5878 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
5879 if (!pub)
5880 goto fail;
5881 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
5882 pub);
5883 sm->fils_dh_elem_len = wpabuf_len(pub);
5884 }
5885 #endif /* CONFIG_FILS_SK_PFS */
5886
5887 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
5888 (pub ? wpabuf_len(pub) : 0));
5889 if (!buf)
5890 goto fail;
5891
5892 /* Fields following the Authentication algorithm number field */
5893
5894 /* Authentication Transaction seq# */
5895 wpabuf_put_le16(buf, 1);
5896
5897 /* Status Code */
5898 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
5899
5900 /* TODO: FILS PK */
5901 #ifdef CONFIG_FILS_SK_PFS
5902 if (dh_group) {
5903 /* Finite Cyclic Group */
5904 wpabuf_put_le16(buf, dh_group);
5905 /* Element */
5906 wpabuf_put_buf(buf, pub);
5907 }
5908 #endif /* CONFIG_FILS_SK_PFS */
5909
5910 /* RSNE */
5911 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
5912 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5913 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5914
5915 if (md) {
5916 /* MDE when using FILS for FT initial association */
5917 struct rsn_mdie *mdie;
5918
5919 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
5920 wpabuf_put_u8(buf, sizeof(*mdie));
5921 mdie = wpabuf_put(buf, sizeof(*mdie));
5922 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
5923 mdie->ft_capab = 0;
5924 }
5925
5926 /* FILS Nonce */
5927 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5928 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
5929 /* Element ID Extension */
5930 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
5931 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
5932
5933 /* FILS Session */
5934 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5935 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
5936 /* Element ID Extension */
5937 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
5938 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
5939
5940 /* Wrapped Data */
5941 sm->fils_erp_pmkid_set = 0;
5942 if (erp_msg) {
5943 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
5944 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
5945 /* Element ID Extension */
5946 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
5947 wpabuf_put_buf(buf, erp_msg);
5948 /* Calculate pending PMKID here so that we do not need to
5949 * maintain a copy of the EAP-Initiate/Reauth message. */
5950 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
5951 wpabuf_len(erp_msg),
5952 sm->fils_erp_pmkid) == 0)
5953 sm->fils_erp_pmkid_set = 1;
5954 }
5955
5956 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
5957 buf);
5958
5959 fail:
5960 wpabuf_free(erp_msg);
5961 wpabuf_free(pub);
5962 return buf;
5963 }
5964
5965
fils_process_auth(struct wpa_sm * sm,const u8 * bssid,const u8 * data,size_t len)5966 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
5967 size_t len)
5968 {
5969 const u8 *pos, *end;
5970 struct ieee802_11_elems elems;
5971 struct wpa_ie_data rsn;
5972 int pmkid_match = 0;
5973 u8 ick[FILS_ICK_MAX_LEN];
5974 size_t ick_len;
5975 int res;
5976 struct wpabuf *dh_ss = NULL;
5977 const u8 *g_sta = NULL;
5978 size_t g_sta_len = 0;
5979 const u8 *g_ap = NULL;
5980 size_t g_ap_len = 0, kdk_len;
5981 struct wpabuf *pub = NULL;
5982 #ifdef CONFIG_IEEE80211R
5983 struct wpa_ft_ies parse;
5984
5985 os_memset(&parse, 0, sizeof(parse));
5986 #endif /* CONFIG_IEEE80211R */
5987
5988 os_memcpy(sm->bssid, bssid, ETH_ALEN);
5989
5990 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
5991 data, len);
5992 pos = data;
5993 end = data + len;
5994
5995 /* TODO: FILS PK */
5996 #ifdef CONFIG_FILS_SK_PFS
5997 if (sm->fils_dh_group) {
5998 u16 group;
5999
6000 /* Using FILS PFS */
6001
6002 /* Finite Cyclic Group */
6003 if (end - pos < 2) {
6004 wpa_printf(MSG_DEBUG,
6005 "FILS: No room for Finite Cyclic Group");
6006 goto fail;
6007 }
6008 group = WPA_GET_LE16(pos);
6009 pos += 2;
6010 if (group != sm->fils_dh_group) {
6011 wpa_printf(MSG_DEBUG,
6012 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
6013 group, sm->fils_dh_group);
6014 goto fail;
6015 }
6016
6017 /* Element */
6018 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
6019 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
6020 goto fail;
6021 }
6022
6023 if (!sm->fils_ecdh) {
6024 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
6025 goto fail;
6026 }
6027 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
6028 sm->fils_dh_elem_len);
6029 if (!dh_ss) {
6030 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
6031 goto fail;
6032 }
6033 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
6034 g_ap = pos;
6035 g_ap_len = sm->fils_dh_elem_len;
6036 pos += sm->fils_dh_elem_len;
6037 }
6038 #endif /* CONFIG_FILS_SK_PFS */
6039
6040 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
6041 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
6042 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
6043 goto fail;
6044 }
6045
6046 /* RSNE */
6047 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
6048 elems.rsn_ie_len);
6049 if (!elems.rsn_ie ||
6050 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
6051 &rsn) < 0) {
6052 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
6053 goto fail;
6054 }
6055
6056 if (!elems.fils_nonce) {
6057 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
6058 goto fail;
6059 }
6060 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
6061 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
6062
6063 #ifdef CONFIG_IEEE80211R
6064 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
6065 if (!elems.mdie || !elems.ftie) {
6066 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
6067 goto fail;
6068 }
6069
6070 if (wpa_ft_parse_ies(pos, end - pos, &parse,
6071 sm->key_mgmt, false) < 0) {
6072 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
6073 goto fail;
6074 }
6075
6076 if (!parse.r0kh_id) {
6077 wpa_printf(MSG_DEBUG,
6078 "FILS+FT: No R0KH-ID subelem in FTE");
6079 goto fail;
6080 }
6081 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
6082 sm->r0kh_id_len = parse.r0kh_id_len;
6083 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
6084 sm->r0kh_id, sm->r0kh_id_len);
6085
6086 if (!parse.r1kh_id) {
6087 wpa_printf(MSG_DEBUG,
6088 "FILS+FT: No R1KH-ID subelem in FTE");
6089 goto fail;
6090 }
6091 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
6092 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
6093 sm->r1kh_id, FT_R1KH_ID_LEN);
6094
6095 /* TODO: Check MDE and FTE payload */
6096
6097 wpabuf_free(sm->fils_ft_ies);
6098 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
6099 2 + elems.ftie_len);
6100 if (!sm->fils_ft_ies)
6101 goto fail;
6102 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
6103 2 + elems.mdie_len);
6104 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
6105 2 + elems.ftie_len);
6106 } else {
6107 wpabuf_free(sm->fils_ft_ies);
6108 sm->fils_ft_ies = NULL;
6109 }
6110 #endif /* CONFIG_IEEE80211R */
6111
6112 /* PMKID List */
6113 if (rsn.pmkid && rsn.num_pmkid > 0) {
6114 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
6115 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
6116
6117 if (rsn.num_pmkid != 1) {
6118 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
6119 goto fail;
6120 }
6121 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
6122 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
6123 {
6124 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
6125 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
6126 sm->cur_pmksa->pmkid, PMKID_LEN);
6127 goto fail;
6128 }
6129 wpa_printf(MSG_DEBUG,
6130 "FILS: Matching PMKID - continue using PMKSA caching");
6131 pmkid_match = 1;
6132 }
6133 if (!pmkid_match && sm->cur_pmksa) {
6134 wpa_printf(MSG_DEBUG,
6135 "FILS: No PMKID match - cannot use cached PMKSA entry");
6136 sm->cur_pmksa = NULL;
6137 }
6138
6139 /* FILS Session */
6140 if (!elems.fils_session) {
6141 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
6142 goto fail;
6143 }
6144 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
6145 FILS_SESSION_LEN);
6146 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
6147 != 0) {
6148 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
6149 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
6150 sm->fils_session, FILS_SESSION_LEN);
6151 goto fail;
6152 }
6153
6154 /* Wrapped Data */
6155 if (!sm->cur_pmksa && elems.wrapped_data) {
6156 u8 rmsk[ERP_MAX_KEY_LEN];
6157 size_t rmsk_len;
6158
6159 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
6160 elems.wrapped_data,
6161 elems.wrapped_data_len);
6162 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
6163 elems.wrapped_data_len);
6164 if (eapol_sm_failed(sm->eapol))
6165 goto fail;
6166
6167 rmsk_len = ERP_MAX_KEY_LEN;
6168 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
6169 if (res == PMK_LEN) {
6170 rmsk_len = PMK_LEN;
6171 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
6172 }
6173 if (res)
6174 goto fail;
6175
6176 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
6177 sm->fils_nonce, sm->fils_anonce,
6178 dh_ss ? wpabuf_head(dh_ss) : NULL,
6179 dh_ss ? wpabuf_len(dh_ss) : 0,
6180 sm->pmk, &sm->pmk_len);
6181 forced_memzero(rmsk, sizeof(rmsk));
6182
6183 /* Don't use DHss in PTK derivation if PMKSA caching is not
6184 * used. */
6185 wpabuf_clear_free(dh_ss);
6186 dh_ss = NULL;
6187
6188 if (res)
6189 goto fail;
6190
6191 if (!sm->fils_erp_pmkid_set) {
6192 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
6193 goto fail;
6194 }
6195 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
6196 PMKID_LEN);
6197 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
6198 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
6199 sm->fils_erp_pmkid, NULL, 0,
6200 sm->bssid, sm->own_addr,
6201 sm->network_ctx, sm->key_mgmt,
6202 NULL);
6203 }
6204
6205 if (!sm->cur_pmksa) {
6206 wpa_printf(MSG_DEBUG,
6207 "FILS: No remaining options to continue FILS authentication");
6208 goto fail;
6209 }
6210
6211 if (sm->force_kdk_derivation ||
6212 (sm->secure_ltf &&
6213 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
6214 kdk_len = WPA_KDK_MAX_LEN;
6215 else
6216 kdk_len = 0;
6217
6218 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr,
6219 wpa_sm_get_auth_addr(sm),
6220 sm->fils_nonce, sm->fils_anonce,
6221 dh_ss ? wpabuf_head(dh_ss) : NULL,
6222 dh_ss ? wpabuf_len(dh_ss) : 0,
6223 &sm->ptk, ick, &ick_len,
6224 sm->key_mgmt, sm->pairwise_cipher,
6225 sm->fils_ft, &sm->fils_ft_len,
6226 kdk_len) < 0) {
6227 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
6228 goto fail;
6229 }
6230
6231 #ifdef CONFIG_PASN
6232 if (sm->secure_ltf &&
6233 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
6234 wpa_ltf_keyseed(&sm->ptk, sm->key_mgmt, sm->pairwise_cipher)) {
6235 wpa_printf(MSG_DEBUG, "FILS: Failed to derive LTF keyseed");
6236 goto fail;
6237 }
6238 #endif /* CONFIG_PASN */
6239
6240 wpabuf_clear_free(dh_ss);
6241 dh_ss = NULL;
6242
6243 sm->ptk_set = 1;
6244 sm->tptk_set = 0;
6245 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
6246
6247 #ifdef CONFIG_FILS_SK_PFS
6248 if (sm->fils_dh_group) {
6249 if (!sm->fils_ecdh) {
6250 wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
6251 goto fail;
6252 }
6253 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
6254 if (!pub)
6255 goto fail;
6256 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
6257 g_sta = wpabuf_head(pub);
6258 g_sta_len = wpabuf_len(pub);
6259 if (!g_ap) {
6260 wpa_printf(MSG_INFO, "FILS: gAP not available");
6261 goto fail;
6262 }
6263 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
6264 }
6265 #endif /* CONFIG_FILS_SK_PFS */
6266
6267 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
6268 sm->fils_anonce, sm->own_addr, sm->bssid,
6269 g_sta, g_sta_len, g_ap, g_ap_len,
6270 sm->key_mgmt, sm->fils_key_auth_sta,
6271 sm->fils_key_auth_ap,
6272 &sm->fils_key_auth_len);
6273 wpabuf_free(pub);
6274 forced_memzero(ick, sizeof(ick));
6275 #ifdef CONFIG_IEEE80211R
6276 wpa_ft_parse_ies_free(&parse);
6277 #endif /* CONFIG_IEEE80211R */
6278 return res;
6279 fail:
6280 wpabuf_free(pub);
6281 wpabuf_clear_free(dh_ss);
6282 #ifdef CONFIG_IEEE80211R
6283 wpa_ft_parse_ies_free(&parse);
6284 #endif /* CONFIG_IEEE80211R */
6285 return -1;
6286 }
6287
6288
6289 #ifdef CONFIG_IEEE80211R
fils_ft_build_assoc_req_rsne(struct wpa_sm * sm,struct wpabuf * buf)6290 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
6291 {
6292 struct rsn_ie_hdr *rsnie;
6293 u16 capab;
6294 u8 *pos;
6295 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
6296
6297 /* RSNIE[PMKR0Name/PMKR1Name] */
6298 rsnie = wpabuf_put(buf, sizeof(*rsnie));
6299 rsnie->elem_id = WLAN_EID_RSN;
6300 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
6301
6302 /* Group Suite Selector */
6303 if (!wpa_cipher_valid_group(sm->group_cipher)) {
6304 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
6305 sm->group_cipher);
6306 return -1;
6307 }
6308 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6309 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
6310 sm->group_cipher));
6311
6312 /* Pairwise Suite Count */
6313 wpabuf_put_le16(buf, 1);
6314
6315 /* Pairwise Suite List */
6316 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
6317 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
6318 sm->pairwise_cipher);
6319 return -1;
6320 }
6321 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6322 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
6323 sm->pairwise_cipher));
6324
6325 /* Authenticated Key Management Suite Count */
6326 wpabuf_put_le16(buf, 1);
6327
6328 /* Authenticated Key Management Suite List */
6329 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6330 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
6331 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
6332 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
6333 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
6334 else {
6335 wpa_printf(MSG_WARNING,
6336 "FILS+FT: Invalid key management type (%d)",
6337 sm->key_mgmt);
6338 return -1;
6339 }
6340
6341 /* RSN Capabilities */
6342 capab = 0;
6343 if (sm->mfp)
6344 capab |= WPA_CAPABILITY_MFPC;
6345 if (sm->mfp == 2)
6346 capab |= WPA_CAPABILITY_MFPR;
6347 if (sm->ocv)
6348 capab |= WPA_CAPABILITY_OCVC;
6349 if (sm->ext_key_id)
6350 capab |= WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST;
6351 wpabuf_put_le16(buf, capab);
6352
6353 /* PMKID Count */
6354 wpabuf_put_le16(buf, 1);
6355
6356 /* PMKID List [PMKR1Name] */
6357 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
6358 sm->fils_ft, sm->fils_ft_len);
6359 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
6360 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
6361 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
6362 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
6363 sm->r0kh_id, sm->r0kh_id_len);
6364 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
6365 sm->ssid_len, sm->mobility_domain,
6366 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
6367 sm->pmk_r0, sm->pmk_r0_name, sm->key_mgmt) < 0) {
6368 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
6369 return -1;
6370 }
6371 if (wpa_key_mgmt_sae_ext_key(sm->key_mgmt))
6372 sm->pmk_r0_len = sm->fils_ft_len;
6373 else
6374 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
6375 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
6376 MAC2STR(sm->r1kh_id));
6377 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
6378 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
6379 sm->pmk_r1_name, sm->fils_ft_len) < 0) {
6380 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
6381 return -1;
6382 }
6383 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
6384
6385 os_memcpy(sm->key_mobility_domain, sm->mobility_domain,
6386 MOBILITY_DOMAIN_ID_LEN);
6387
6388 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
6389 /* Management Group Cipher Suite */
6390 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
6391 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
6392 }
6393
6394 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
6395 return 0;
6396 }
6397 #endif /* CONFIG_IEEE80211R */
6398
6399
fils_build_assoc_req(struct wpa_sm * sm,const u8 ** kek,size_t * kek_len,const u8 ** snonce,const u8 ** anonce,const struct wpabuf ** hlp,unsigned int num_hlp)6400 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
6401 size_t *kek_len, const u8 **snonce,
6402 const u8 **anonce,
6403 const struct wpabuf **hlp,
6404 unsigned int num_hlp)
6405 {
6406 struct wpabuf *buf;
6407 size_t len;
6408 unsigned int i;
6409
6410 len = 1000;
6411 #ifdef CONFIG_IEEE80211R
6412 if (sm->fils_ft_ies)
6413 len += wpabuf_len(sm->fils_ft_ies);
6414 if (wpa_key_mgmt_ft(sm->key_mgmt))
6415 len += 256;
6416 #endif /* CONFIG_IEEE80211R */
6417 for (i = 0; hlp && i < num_hlp; i++)
6418 len += 10 + wpabuf_len(hlp[i]);
6419 buf = wpabuf_alloc(len);
6420 if (!buf)
6421 return NULL;
6422
6423 #ifdef CONFIG_IEEE80211R
6424 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6425 /* MDE and FTE when using FILS+FT */
6426 wpabuf_put_buf(buf, sm->fils_ft_ies);
6427 /* RSNE with PMKR1Name in PMKID field */
6428 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
6429 wpabuf_free(buf);
6430 return NULL;
6431 }
6432 }
6433 #endif /* CONFIG_IEEE80211R */
6434
6435 /* FILS Session */
6436 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6437 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
6438 /* Element ID Extension */
6439 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
6440 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
6441
6442 /* Everything after FILS Session element gets encrypted in the driver
6443 * with KEK. The buffer returned from here is the plaintext version. */
6444
6445 /* TODO: FILS Public Key */
6446
6447 /* FILS Key Confirm */
6448 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6449 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
6450 /* Element ID Extension */
6451 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
6452 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
6453
6454 /* FILS HLP Container */
6455 for (i = 0; hlp && i < num_hlp; i++) {
6456 const u8 *pos = wpabuf_head(hlp[i]);
6457 size_t left = wpabuf_len(hlp[i]);
6458
6459 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
6460 if (left <= 254)
6461 len = 1 + left;
6462 else
6463 len = 255;
6464 wpabuf_put_u8(buf, len); /* Length */
6465 /* Element ID Extension */
6466 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
6467 /* Destination MAC Address, Source MAC Address, HLP Packet.
6468 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
6469 * header when LPD is used). */
6470 wpabuf_put_data(buf, pos, len - 1);
6471 pos += len - 1;
6472 left -= len - 1;
6473 while (left) {
6474 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
6475 len = left > 255 ? 255 : left;
6476 wpabuf_put_u8(buf, len);
6477 wpabuf_put_data(buf, pos, len);
6478 pos += len;
6479 left -= len;
6480 }
6481 }
6482
6483 /* TODO: FILS IP Address Assignment */
6484
6485 #ifdef CONFIG_OCV
6486 if (wpa_sm_ocv_enabled(sm)) {
6487 struct wpa_channel_info ci;
6488 u8 *pos;
6489
6490 if (wpa_sm_channel_info(sm, &ci) != 0) {
6491 wpa_printf(MSG_WARNING,
6492 "FILS: Failed to get channel info for OCI element");
6493 wpabuf_free(buf);
6494 return NULL;
6495 }
6496 #ifdef CONFIG_TESTING_OPTIONS
6497 if (sm->oci_freq_override_fils_assoc) {
6498 wpa_printf(MSG_INFO,
6499 "TEST: Override OCI KDE frequency %d -> %d MHz",
6500 ci.frequency,
6501 sm->oci_freq_override_fils_assoc);
6502 ci.frequency = sm->oci_freq_override_fils_assoc;
6503 }
6504 #endif /* CONFIG_TESTING_OPTIONS */
6505
6506 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
6507 if (ocv_insert_extended_oci(&ci, pos) < 0) {
6508 wpabuf_free(buf);
6509 return NULL;
6510 }
6511 }
6512 #endif /* CONFIG_OCV */
6513
6514 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
6515
6516 *kek = sm->ptk.kek;
6517 *kek_len = sm->ptk.kek_len;
6518 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
6519 *snonce = sm->fils_nonce;
6520 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
6521 *snonce, FILS_NONCE_LEN);
6522 *anonce = sm->fils_anonce;
6523 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
6524 *anonce, FILS_NONCE_LEN);
6525
6526 return buf;
6527 }
6528
6529
fils_process_hlp_resp(struct wpa_sm * sm,const u8 * resp,size_t len)6530 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
6531 {
6532 const u8 *pos, *end;
6533
6534 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
6535 if (len < 2 * ETH_ALEN)
6536 return;
6537 pos = resp + 2 * ETH_ALEN;
6538 end = resp + len;
6539 if (end - pos >= 6 &&
6540 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
6541 pos += 6; /* Remove SNAP/LLC header */
6542 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
6543 }
6544
6545
fils_process_hlp_container(struct wpa_sm * sm,const u8 * pos,size_t len)6546 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
6547 size_t len)
6548 {
6549 const u8 *end = pos + len;
6550 u8 *tmp, *tmp_pos;
6551
6552 /* Check if there are any FILS HLP Container elements */
6553 while (end - pos >= 2) {
6554 if (2 + pos[1] > end - pos)
6555 return;
6556 if (pos[0] == WLAN_EID_EXTENSION &&
6557 pos[1] >= 1 + 2 * ETH_ALEN &&
6558 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
6559 break;
6560 pos += 2 + pos[1];
6561 }
6562 if (end - pos < 2)
6563 return; /* No FILS HLP Container elements */
6564
6565 tmp = os_malloc(end - pos);
6566 if (!tmp)
6567 return;
6568
6569 while (end - pos >= 2) {
6570 if (2 + pos[1] > end - pos ||
6571 pos[0] != WLAN_EID_EXTENSION ||
6572 pos[1] < 1 + 2 * ETH_ALEN ||
6573 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
6574 break;
6575 tmp_pos = tmp;
6576 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
6577 tmp_pos += pos[1] - 1;
6578 pos += 2 + pos[1];
6579
6580 /* Add possible fragments */
6581 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
6582 2 + pos[1] <= end - pos) {
6583 os_memcpy(tmp_pos, pos + 2, pos[1]);
6584 tmp_pos += pos[1];
6585 pos += 2 + pos[1];
6586 }
6587
6588 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
6589 }
6590
6591 os_free(tmp);
6592 }
6593
6594
fils_process_assoc_resp(struct wpa_sm * sm,const u8 * resp,size_t len)6595 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
6596 {
6597 const struct ieee80211_mgmt *mgmt;
6598 const u8 *end, *ie_start;
6599 struct ieee802_11_elems elems;
6600 int keylen, rsclen;
6601 enum wpa_alg alg;
6602 struct wpa_gtk_data gd;
6603 int maxkeylen;
6604 struct wpa_eapol_ie_parse kde;
6605
6606 if (!sm || !sm->ptk_set) {
6607 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
6608 return -1;
6609 }
6610
6611 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
6612 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
6613 return -1;
6614 }
6615
6616 if (sm->fils_completed) {
6617 wpa_printf(MSG_DEBUG,
6618 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
6619 return -1;
6620 }
6621
6622 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
6623 resp, len);
6624
6625 mgmt = (const struct ieee80211_mgmt *) resp;
6626 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
6627 return -1;
6628
6629 end = resp + len;
6630 /* Same offset for Association Response and Reassociation Response */
6631 ie_start = mgmt->u.assoc_resp.variable;
6632
6633 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
6634 ParseFailed) {
6635 wpa_printf(MSG_DEBUG,
6636 "FILS: Failed to parse decrypted elements");
6637 goto fail;
6638 }
6639
6640 if (!elems.fils_session) {
6641 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
6642 return -1;
6643 }
6644 if (os_memcmp(elems.fils_session, sm->fils_session,
6645 FILS_SESSION_LEN) != 0) {
6646 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
6647 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
6648 elems.fils_session, FILS_SESSION_LEN);
6649 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
6650 sm->fils_session, FILS_SESSION_LEN);
6651 }
6652
6653 if (!elems.rsn_ie) {
6654 wpa_printf(MSG_DEBUG,
6655 "FILS: No RSNE in (Re)Association Response");
6656 /* As an interop workaround, allow this for now since IEEE Std
6657 * 802.11ai-2016 did not include all the needed changes to make
6658 * a FILS AP include RSNE in the frame. This workaround might
6659 * eventually be removed and replaced with rejection (goto fail)
6660 * to follow a strict interpretation of the standard. */
6661 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
6662 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
6663 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
6664 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
6665 "FILS: RSNE mismatch between Beacon/Probe Response and (Re)Association Response");
6666 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in Beacon/Probe Response",
6667 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
6668 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in (Re)Association Response",
6669 elems.rsn_ie, elems.rsn_ie_len);
6670 goto fail;
6671 }
6672
6673 /* TODO: FILS Public Key */
6674
6675 if (!elems.fils_key_confirm) {
6676 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
6677 goto fail;
6678 }
6679 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
6680 wpa_printf(MSG_DEBUG,
6681 "FILS: Unexpected Key-Auth length %d (expected %d)",
6682 elems.fils_key_confirm_len,
6683 (int) sm->fils_key_auth_len);
6684 goto fail;
6685 }
6686 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
6687 sm->fils_key_auth_len) != 0) {
6688 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
6689 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
6690 elems.fils_key_confirm,
6691 elems.fils_key_confirm_len);
6692 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
6693 sm->fils_key_auth_ap, sm->fils_key_auth_len);
6694 goto fail;
6695 }
6696
6697 #ifdef CONFIG_OCV
6698 if (wpa_sm_ocv_enabled(sm)) {
6699 struct wpa_channel_info ci;
6700
6701 if (wpa_sm_channel_info(sm, &ci) != 0) {
6702 wpa_printf(MSG_WARNING,
6703 "Failed to get channel info to validate received OCI in FILS (Re)Association Response frame");
6704 goto fail;
6705 }
6706
6707 if (ocv_verify_tx_params(elems.oci, elems.oci_len, &ci,
6708 channel_width_to_int(ci.chanwidth),
6709 ci.seg1_idx) != OCI_SUCCESS) {
6710 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
6711 "addr=" MACSTR " frame=fils-assoc error=%s",
6712 MAC2STR(sm->bssid), ocv_errorstr);
6713 goto fail;
6714 }
6715 }
6716 #endif /* CONFIG_OCV */
6717
6718 #ifdef CONFIG_IEEE80211R
6719 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6720 struct wpa_ie_data rsn;
6721
6722 /* Check that PMKR1Name derived by the AP matches */
6723 if (!elems.rsn_ie ||
6724 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
6725 &rsn) < 0 ||
6726 !rsn.pmkid || rsn.num_pmkid != 1 ||
6727 os_memcmp(rsn.pmkid, sm->pmk_r1_name,
6728 WPA_PMK_NAME_LEN) != 0) {
6729 wpa_printf(MSG_DEBUG,
6730 "FILS+FT: No RSNE[PMKR1Name] match in AssocResp");
6731 goto fail;
6732 }
6733 }
6734 #endif /* CONFIG_IEEE80211R */
6735
6736 /* Key Delivery */
6737 if (!elems.key_delivery) {
6738 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
6739 goto fail;
6740 }
6741
6742 /* Parse GTK and set the key to the driver */
6743 os_memset(&gd, 0, sizeof(gd));
6744 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
6745 elems.key_delivery_len - WPA_KEY_RSC_LEN,
6746 &kde) < 0) {
6747 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
6748 goto fail;
6749 }
6750 if (!kde.gtk) {
6751 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
6752 goto fail;
6753 }
6754 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
6755 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
6756 gd.gtk_len, maxkeylen,
6757 &gd.key_rsc_len, &gd.alg))
6758 goto fail;
6759
6760 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
6761 gd.keyidx = kde.gtk[0] & 0x3;
6762 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
6763 !!(kde.gtk[0] & BIT(2)));
6764 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
6765 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
6766 (unsigned long) kde.gtk_len - 2);
6767 goto fail;
6768 }
6769 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
6770
6771 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
6772 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
6773 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
6774 goto fail;
6775 }
6776
6777 if (ieee80211w_set_keys(sm, &kde) < 0) {
6778 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
6779 goto fail;
6780 }
6781
6782 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
6783 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
6784 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
6785 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
6786 keylen, (long unsigned int) sm->ptk.tk_len);
6787 goto fail;
6788 }
6789
6790 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
6791 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
6792 sm->ptk.tk, keylen);
6793 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm), 0, 1,
6794 null_rsc, rsclen,
6795 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
6796 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6797 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d auth_addr="
6798 MACSTR ")",
6799 alg, keylen, MAC2STR(wpa_sm_get_auth_addr(sm)));
6800 goto fail;
6801 }
6802
6803 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
6804 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
6805
6806 /* TODO: TK could be cleared after auth frame exchange now that driver
6807 * takes care of association frame encryption/decryption. */
6808 /* TK is not needed anymore in supplicant */
6809 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
6810 sm->ptk.tk_len = 0;
6811 sm->ptk.installed = 1;
6812 sm->tk_set = true;
6813
6814 /* FILS HLP Container */
6815 fils_process_hlp_container(sm, ie_start, end - ie_start);
6816
6817 /* TODO: FILS IP Address Assignment */
6818
6819 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
6820 sm->fils_completed = 1;
6821 forced_memzero(&gd, sizeof(gd));
6822
6823 if (kde.transition_disable)
6824 wpa_sm_transition_disable(sm, kde.transition_disable[0]);
6825
6826 return 0;
6827 fail:
6828 forced_memzero(&gd, sizeof(gd));
6829 return -1;
6830 }
6831
6832
wpa_sm_set_reset_fils_completed(struct wpa_sm * sm,int set)6833 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
6834 {
6835 if (sm)
6836 sm->fils_completed = !!set;
6837 }
6838
6839 #endif /* CONFIG_FILS */
6840
6841
wpa_fils_is_completed(struct wpa_sm * sm)6842 int wpa_fils_is_completed(struct wpa_sm *sm)
6843 {
6844 #ifdef CONFIG_FILS
6845 return sm && sm->fils_completed;
6846 #else /* CONFIG_FILS */
6847 return 0;
6848 #endif /* CONFIG_FILS */
6849 }
6850
6851
6852 #ifdef CONFIG_OWE
6853
owe_build_assoc_req(struct wpa_sm * sm,u16 group)6854 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
6855 {
6856 struct wpabuf *ie = NULL, *pub = NULL;
6857 size_t prime_len;
6858
6859 if (group == 19)
6860 prime_len = 32;
6861 else if (group == 20)
6862 prime_len = 48;
6863 else if (group == 21)
6864 prime_len = 66;
6865 else
6866 return NULL;
6867
6868 crypto_ecdh_deinit(sm->owe_ecdh);
6869 sm->owe_ecdh = crypto_ecdh_init(group);
6870 if (!sm->owe_ecdh)
6871 goto fail;
6872 sm->owe_group = group;
6873 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6874 pub = wpabuf_zeropad(pub, prime_len);
6875 if (!pub)
6876 goto fail;
6877
6878 ie = wpabuf_alloc(5 + wpabuf_len(pub));
6879 if (!ie)
6880 goto fail;
6881 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
6882 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
6883 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
6884 wpabuf_put_le16(ie, group);
6885 wpabuf_put_buf(ie, pub);
6886 wpabuf_free(pub);
6887 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
6888 ie);
6889
6890 return ie;
6891 fail:
6892 wpabuf_free(pub);
6893 crypto_ecdh_deinit(sm->owe_ecdh);
6894 sm->owe_ecdh = NULL;
6895 return NULL;
6896 }
6897
6898
owe_process_assoc_resp(struct wpa_sm * sm,const u8 * bssid,const u8 * resp_ies,size_t resp_ies_len)6899 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
6900 const u8 *resp_ies, size_t resp_ies_len)
6901 {
6902 struct ieee802_11_elems elems;
6903 u16 group;
6904 struct wpabuf *secret, *pub, *hkey;
6905 int res;
6906 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
6907 const char *info = "OWE Key Generation";
6908 const u8 *addr[2];
6909 size_t len[2];
6910 size_t hash_len, prime_len;
6911 struct wpa_ie_data data;
6912
6913 if (!resp_ies ||
6914 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
6915 ParseFailed) {
6916 wpa_printf(MSG_INFO,
6917 "OWE: Could not parse Association Response frame elements");
6918 return -1;
6919 }
6920
6921 if (sm->cur_pmksa && elems.rsn_ie &&
6922 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
6923 &data) == 0 &&
6924 data.num_pmkid == 1 && data.pmkid &&
6925 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
6926 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
6927 wpa_sm_set_pmk_from_pmksa(sm);
6928 return 0;
6929 }
6930
6931 if (!elems.owe_dh) {
6932 wpa_printf(MSG_INFO,
6933 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
6934 return -1;
6935 }
6936
6937 group = WPA_GET_LE16(elems.owe_dh);
6938 if (group != sm->owe_group) {
6939 wpa_printf(MSG_INFO,
6940 "OWE: Unexpected Diffie-Hellman group in response: %u",
6941 group);
6942 return -1;
6943 }
6944
6945 if (!sm->owe_ecdh) {
6946 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
6947 return -1;
6948 }
6949
6950 if (group == 19)
6951 prime_len = 32;
6952 else if (group == 20)
6953 prime_len = 48;
6954 else if (group == 21)
6955 prime_len = 66;
6956 else
6957 return -1;
6958
6959 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
6960 elems.owe_dh + 2,
6961 elems.owe_dh_len - 2);
6962 secret = wpabuf_zeropad(secret, prime_len);
6963 if (!secret) {
6964 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
6965 return -1;
6966 }
6967 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
6968
6969 /* prk = HKDF-extract(C | A | group, z) */
6970
6971 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6972 if (!pub) {
6973 wpabuf_clear_free(secret);
6974 return -1;
6975 }
6976
6977 /* PMKID = Truncate-128(Hash(C | A)) */
6978 addr[0] = wpabuf_head(pub);
6979 len[0] = wpabuf_len(pub);
6980 addr[1] = elems.owe_dh + 2;
6981 len[1] = elems.owe_dh_len - 2;
6982 if (group == 19) {
6983 res = sha256_vector(2, addr, len, pmkid);
6984 hash_len = SHA256_MAC_LEN;
6985 } else if (group == 20) {
6986 res = sha384_vector(2, addr, len, pmkid);
6987 hash_len = SHA384_MAC_LEN;
6988 } else if (group == 21) {
6989 res = sha512_vector(2, addr, len, pmkid);
6990 hash_len = SHA512_MAC_LEN;
6991 } else {
6992 res = -1;
6993 hash_len = 0;
6994 }
6995 pub = wpabuf_zeropad(pub, prime_len);
6996 if (res < 0 || !pub) {
6997 wpabuf_free(pub);
6998 wpabuf_clear_free(secret);
6999 return -1;
7000 }
7001
7002 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
7003 if (!hkey) {
7004 wpabuf_free(pub);
7005 wpabuf_clear_free(secret);
7006 return -1;
7007 }
7008
7009 wpabuf_put_buf(hkey, pub); /* C */
7010 wpabuf_free(pub);
7011 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
7012 wpabuf_put_le16(hkey, sm->owe_group); /* group */
7013 if (group == 19)
7014 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
7015 wpabuf_head(secret), wpabuf_len(secret), prk);
7016 else if (group == 20)
7017 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
7018 wpabuf_head(secret), wpabuf_len(secret), prk);
7019 else if (group == 21)
7020 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
7021 wpabuf_head(secret), wpabuf_len(secret), prk);
7022 wpabuf_clear_free(hkey);
7023 wpabuf_clear_free(secret);
7024 if (res < 0)
7025 return -1;
7026
7027 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
7028
7029 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
7030
7031 if (group == 19)
7032 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
7033 os_strlen(info), sm->pmk, hash_len);
7034 else if (group == 20)
7035 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
7036 os_strlen(info), sm->pmk, hash_len);
7037 else if (group == 21)
7038 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
7039 os_strlen(info), sm->pmk, hash_len);
7040 forced_memzero(prk, SHA512_MAC_LEN);
7041 if (res < 0) {
7042 sm->pmk_len = 0;
7043 return -1;
7044 }
7045 sm->pmk_len = hash_len;
7046
7047 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
7048 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
7049 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
7050 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
7051 NULL);
7052
7053 return 0;
7054 }
7055
7056 #endif /* CONFIG_OWE */
7057
7058
wpa_sm_set_fils_cache_id(struct wpa_sm * sm,const u8 * fils_cache_id)7059 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
7060 {
7061 #ifdef CONFIG_FILS
7062 if (sm && fils_cache_id) {
7063 sm->fils_cache_id_set = 1;
7064 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
7065 }
7066 #endif /* CONFIG_FILS */
7067 }
7068
7069
7070 #ifdef CONFIG_DPP2
wpa_sm_set_dpp_z(struct wpa_sm * sm,const struct wpabuf * z)7071 void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z)
7072 {
7073 if (sm) {
7074 wpabuf_clear_free(sm->dpp_z);
7075 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
7076 }
7077 }
7078 #endif /* CONFIG_DPP2 */
7079
7080
7081 #ifdef CONFIG_PASN
7082
wpa_pasn_sm_set_caps(struct wpa_sm * sm,unsigned int flags2)7083 void wpa_pasn_sm_set_caps(struct wpa_sm *sm, unsigned int flags2)
7084 {
7085 if (flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_STA)
7086 sm->secure_ltf = 1;
7087 if (flags2 & WPA_DRIVER_FLAGS2_SEC_RTT_STA)
7088 sm->secure_rtt = 1;
7089 if (flags2 & WPA_DRIVER_FLAGS2_PROT_RANGE_NEG_STA)
7090 sm->prot_range_neg = 1;
7091 }
7092
7093 #endif /* CONFIG_PASN */
7094
7095
wpa_sm_pmksa_cache_reconfig(struct wpa_sm * sm)7096 void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm)
7097 {
7098 if (sm)
7099 pmksa_cache_reconfig(sm->pmksa);
7100 }
7101
7102
wpa_sm_get_pmksa_cache(struct wpa_sm * sm)7103 struct rsn_pmksa_cache * wpa_sm_get_pmksa_cache(struct wpa_sm *sm)
7104 {
7105 return sm ? sm->pmksa : NULL;
7106 }
7107
7108
wpa_sm_set_cur_pmksa(struct wpa_sm * sm,struct rsn_pmksa_cache_entry * entry)7109 void wpa_sm_set_cur_pmksa(struct wpa_sm *sm,
7110 struct rsn_pmksa_cache_entry *entry)
7111 {
7112 if (sm)
7113 sm->cur_pmksa = entry;
7114 }
7115
7116
wpa_sm_set_driver_bss_selection(struct wpa_sm * sm,bool driver_bss_selection)7117 void wpa_sm_set_driver_bss_selection(struct wpa_sm *sm,
7118 bool driver_bss_selection)
7119 {
7120 if (sm)
7121 sm->driver_bss_selection = driver_bss_selection;
7122 }
7123