1 /*
2  * IEEE 802.11 RSN / WPA Authenticator
3  * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "utils/bitfield.h"
15 #include "common/ieee802_11_defs.h"
16 #include "crypto/aes.h"
17 #include "crypto/aes_wrap.h"
18 #include "crypto/aes_siv.h"
19 #include "crypto/crypto.h"
20 #include "crypto/sha1.h"
21 #include "crypto/sha256.h"
22 #include "crypto/random.h"
23 #include "eapol_auth/eapol_auth_sm.h"
24 #include "ap_config.h"
25 #include "ieee802_11.h"
26 #include "wpa_auth.h"
27 #include "pmksa_cache_auth.h"
28 #include "wpa_auth_i.h"
29 #include "wpa_auth_ie.h"
30 
31 #define STATE_MACHINE_DATA struct wpa_state_machine
32 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
33 #define STATE_MACHINE_ADDR sm->addr
34 
35 
36 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
37 static int wpa_sm_step(struct wpa_state_machine *sm);
38 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
39 			      u8 *data, size_t data_len);
40 #ifdef CONFIG_FILS
41 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
42 			    u8 *buf, size_t buf_len, u16 *_key_data_len);
43 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
44 					     const struct wpabuf *hlp);
45 #endif /* CONFIG_FILS */
46 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
47 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
48 			      struct wpa_group *group);
49 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
50 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
51 			  struct wpa_group *group);
52 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
53 				       struct wpa_group *group);
54 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
55 			  const u8 *pmk, unsigned int pmk_len,
56 			  struct wpa_ptk *ptk);
57 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
58 			   struct wpa_group *group);
59 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
60 			  struct wpa_group *group);
61 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
62 			  struct wpa_group *group);
63 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
64 
65 static const u32 eapol_key_timeout_first = 100; /* ms */
66 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
67 static const u32 eapol_key_timeout_first_group = 500; /* ms */
68 static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
69 
70 /* TODO: make these configurable */
71 static const int dot11RSNAConfigPMKLifetime = 43200;
72 static const int dot11RSNAConfigPMKReauthThreshold = 70;
73 static const int dot11RSNAConfigSATimeout = 60;
74 
75 
wpa_auth_mic_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)76 static inline int wpa_auth_mic_failure_report(
77 	struct wpa_authenticator *wpa_auth, const u8 *addr)
78 {
79 	if (wpa_auth->cb->mic_failure_report)
80 		return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
81 	return 0;
82 }
83 
84 
wpa_auth_psk_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)85 static inline void wpa_auth_psk_failure_report(
86 	struct wpa_authenticator *wpa_auth, const u8 *addr)
87 {
88 	if (wpa_auth->cb->psk_failure_report)
89 		wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
90 }
91 
92 
wpa_auth_set_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var,int value)93 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
94 				      const u8 *addr, wpa_eapol_variable var,
95 				      int value)
96 {
97 	if (wpa_auth->cb->set_eapol)
98 		wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
99 }
100 
101 
wpa_auth_get_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var)102 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
103 				     const u8 *addr, wpa_eapol_variable var)
104 {
105 	if (wpa_auth->cb->get_eapol == NULL)
106 		return -1;
107 	return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
108 }
109 
110 
wpa_auth_get_psk(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk,size_t * psk_len)111 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
112 					  const u8 *addr,
113 					  const u8 *p2p_dev_addr,
114 					  const u8 *prev_psk, size_t *psk_len)
115 {
116 	if (wpa_auth->cb->get_psk == NULL)
117 		return NULL;
118 	return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
119 				     prev_psk, psk_len);
120 }
121 
122 
wpa_auth_get_msk(struct wpa_authenticator * wpa_auth,const u8 * addr,u8 * msk,size_t * len)123 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
124 				   const u8 *addr, u8 *msk, size_t *len)
125 {
126 	if (wpa_auth->cb->get_msk == NULL)
127 		return -1;
128 	return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
129 }
130 
131 
wpa_auth_set_key(struct wpa_authenticator * wpa_auth,int vlan_id,enum wpa_alg alg,const u8 * addr,int idx,u8 * key,size_t key_len)132 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
133 				   int vlan_id,
134 				   enum wpa_alg alg, const u8 *addr, int idx,
135 				   u8 *key, size_t key_len)
136 {
137 	if (wpa_auth->cb->set_key == NULL)
138 		return -1;
139 	return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
140 				     key, key_len);
141 }
142 
143 
wpa_auth_get_seqnum(struct wpa_authenticator * wpa_auth,const u8 * addr,int idx,u8 * seq)144 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
145 				      const u8 *addr, int idx, u8 *seq)
146 {
147 	if (wpa_auth->cb->get_seqnum == NULL)
148 		return -1;
149 	return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
150 }
151 
152 
153 static inline int
wpa_auth_send_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * data,size_t data_len,int encrypt)154 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
155 		    const u8 *data, size_t data_len, int encrypt)
156 {
157 	if (wpa_auth->cb->send_eapol == NULL)
158 		return -1;
159 	return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
160 					encrypt);
161 }
162 
163 
164 #ifdef CONFIG_MESH
wpa_auth_start_ampe(struct wpa_authenticator * wpa_auth,const u8 * addr)165 static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
166 				      const u8 *addr)
167 {
168 	if (wpa_auth->cb->start_ampe == NULL)
169 		return -1;
170 	return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
171 }
172 #endif /* CONFIG_MESH */
173 
174 
wpa_auth_for_each_sta(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_state_machine * sm,void * ctx),void * cb_ctx)175 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
176 			  int (*cb)(struct wpa_state_machine *sm, void *ctx),
177 			  void *cb_ctx)
178 {
179 	if (wpa_auth->cb->for_each_sta == NULL)
180 		return 0;
181 	return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
182 }
183 
184 
wpa_auth_for_each_auth(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_authenticator * a,void * ctx),void * cb_ctx)185 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
186 			   int (*cb)(struct wpa_authenticator *a, void *ctx),
187 			   void *cb_ctx)
188 {
189 	if (wpa_auth->cb->for_each_auth == NULL)
190 		return 0;
191 	return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
192 }
193 
194 
wpa_auth_logger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * txt)195 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
196 		     logger_level level, const char *txt)
197 {
198 	if (wpa_auth->cb->logger == NULL)
199 		return;
200 	wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
201 }
202 
203 
wpa_auth_vlogger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * fmt,...)204 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
205 		      logger_level level, const char *fmt, ...)
206 {
207 	char *format;
208 	int maxlen;
209 	va_list ap;
210 
211 	if (wpa_auth->cb->logger == NULL)
212 		return;
213 
214 	maxlen = os_strlen(fmt) + 100;
215 	format = os_malloc(maxlen);
216 	if (!format)
217 		return;
218 
219 	va_start(ap, fmt);
220 	vsnprintf(format, maxlen, fmt, ap);
221 	va_end(ap);
222 
223 	wpa_auth_logger(wpa_auth, addr, level, format);
224 
225 	os_free(format);
226 }
227 
228 
wpa_sta_disconnect(struct wpa_authenticator * wpa_auth,const u8 * addr,u16 reason)229 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
230 			       const u8 *addr, u16 reason)
231 {
232 	if (wpa_auth->cb->disconnect == NULL)
233 		return;
234 	wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR " (reason %u)",
235 		   MAC2STR(addr), reason);
236 	wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr, reason);
237 }
238 
239 
wpa_use_aes_cmac(struct wpa_state_machine * sm)240 static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
241 {
242 	int ret = 0;
243 #ifdef CONFIG_IEEE80211R_AP
244 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
245 		ret = 1;
246 #endif /* CONFIG_IEEE80211R_AP */
247 #ifdef CONFIG_IEEE80211W
248 	if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
249 		ret = 1;
250 #endif /* CONFIG_IEEE80211W */
251 	if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
252 		ret = 1;
253 	return ret;
254 }
255 
256 
wpa_rekey_gmk(void * eloop_ctx,void * timeout_ctx)257 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
258 {
259 	struct wpa_authenticator *wpa_auth = eloop_ctx;
260 
261 	if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
262 		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
263 			   "initialization.");
264 	} else {
265 		wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
266 		wpa_hexdump_key(MSG_DEBUG, "GMK",
267 				wpa_auth->group->GMK, WPA_GMK_LEN);
268 	}
269 
270 	if (wpa_auth->conf.wpa_gmk_rekey) {
271 		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
272 				       wpa_rekey_gmk, wpa_auth, NULL);
273 	}
274 }
275 
276 
wpa_rekey_gtk(void * eloop_ctx,void * timeout_ctx)277 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
278 {
279 	struct wpa_authenticator *wpa_auth = eloop_ctx;
280 	struct wpa_group *group, *next;
281 
282 	wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
283 	group = wpa_auth->group;
284 	while (group) {
285 		wpa_group_get(wpa_auth, group);
286 
287 		group->GTKReKey = TRUE;
288 		do {
289 			group->changed = FALSE;
290 			wpa_group_sm_step(wpa_auth, group);
291 		} while (group->changed);
292 
293 		next = group->next;
294 		wpa_group_put(wpa_auth, group);
295 		group = next;
296 	}
297 
298 	if (wpa_auth->conf.wpa_group_rekey) {
299 		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
300 				       0, wpa_rekey_gtk, wpa_auth, NULL);
301 	}
302 }
303 
304 
wpa_rekey_ptk(void * eloop_ctx,void * timeout_ctx)305 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
306 {
307 	struct wpa_authenticator *wpa_auth = eloop_ctx;
308 	struct wpa_state_machine *sm = timeout_ctx;
309 
310 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
311 	wpa_request_new_ptk(sm);
312 	wpa_sm_step(sm);
313 }
314 
315 
wpa_auth_pmksa_clear_cb(struct wpa_state_machine * sm,void * ctx)316 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
317 {
318 	if (sm->pmksa == ctx)
319 		sm->pmksa = NULL;
320 	return 0;
321 }
322 
323 
wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)324 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
325 				   void *ctx)
326 {
327 	struct wpa_authenticator *wpa_auth = ctx;
328 	wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
329 }
330 
331 
wpa_group_init_gmk_and_counter(struct wpa_authenticator * wpa_auth,struct wpa_group * group)332 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
333 					  struct wpa_group *group)
334 {
335 	u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
336 	u8 rkey[32];
337 	unsigned long ptr;
338 
339 	if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
340 		return -1;
341 	wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
342 
343 	/*
344 	 * Counter = PRF-256(Random number, "Init Counter",
345 	 *                   Local MAC Address || Time)
346 	 */
347 	os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
348 	wpa_get_ntp_timestamp(buf + ETH_ALEN);
349 	ptr = (unsigned long) group;
350 	os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
351 	if (random_get_bytes(rkey, sizeof(rkey)) < 0)
352 		return -1;
353 
354 	if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
355 		     group->Counter, WPA_NONCE_LEN) < 0)
356 		return -1;
357 	wpa_hexdump_key(MSG_DEBUG, "Key Counter",
358 			group->Counter, WPA_NONCE_LEN);
359 
360 	return 0;
361 }
362 
363 
wpa_group_init(struct wpa_authenticator * wpa_auth,int vlan_id,int delay_init)364 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
365 					 int vlan_id, int delay_init)
366 {
367 	struct wpa_group *group;
368 
369 	group = os_zalloc(sizeof(struct wpa_group));
370 	if (group == NULL)
371 		return NULL;
372 
373 	group->GTKAuthenticator = TRUE;
374 	group->vlan_id = vlan_id;
375 	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
376 
377 	if (random_pool_ready() != 1) {
378 		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
379 			   "for secure operations - update keys later when "
380 			   "the first station connects");
381 	}
382 
383 	/*
384 	 * Set initial GMK/Counter value here. The actual values that will be
385 	 * used in negotiations will be set once the first station tries to
386 	 * connect. This allows more time for collecting additional randomness
387 	 * on embedded devices.
388 	 */
389 	if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
390 		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
391 			   "initialization.");
392 		os_free(group);
393 		return NULL;
394 	}
395 
396 	group->GInit = TRUE;
397 	if (delay_init) {
398 		wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
399 			   "until Beacon frames have been configured");
400 		/* Initialization is completed in wpa_init_keys(). */
401 	} else {
402 		wpa_group_sm_step(wpa_auth, group);
403 		group->GInit = FALSE;
404 		wpa_group_sm_step(wpa_auth, group);
405 	}
406 
407 	return group;
408 }
409 
410 
411 /**
412  * wpa_init - Initialize WPA authenticator
413  * @addr: Authenticator address
414  * @conf: Configuration for WPA authenticator
415  * @cb: Callback functions for WPA authenticator
416  * Returns: Pointer to WPA authenticator data or %NULL on failure
417  */
wpa_init(const u8 * addr,struct wpa_auth_config * conf,const struct wpa_auth_callbacks * cb,void * cb_ctx)418 struct wpa_authenticator * wpa_init(const u8 *addr,
419 				    struct wpa_auth_config *conf,
420 				    const struct wpa_auth_callbacks *cb,
421 				    void *cb_ctx)
422 {
423 	struct wpa_authenticator *wpa_auth;
424 
425 	wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
426 	if (wpa_auth == NULL)
427 		return NULL;
428 	os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
429 	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
430 	wpa_auth->cb = cb;
431 	wpa_auth->cb_ctx = cb_ctx;
432 
433 	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
434 		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
435 		os_free(wpa_auth);
436 		return NULL;
437 	}
438 
439 	wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
440 	if (wpa_auth->group == NULL) {
441 		os_free(wpa_auth->wpa_ie);
442 		os_free(wpa_auth);
443 		return NULL;
444 	}
445 
446 	wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
447 						wpa_auth);
448 	if (wpa_auth->pmksa == NULL) {
449 		wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
450 		os_free(wpa_auth->group);
451 		os_free(wpa_auth->wpa_ie);
452 		os_free(wpa_auth);
453 		return NULL;
454 	}
455 
456 #ifdef CONFIG_IEEE80211R_AP
457 	wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
458 	if (wpa_auth->ft_pmk_cache == NULL) {
459 		wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
460 		os_free(wpa_auth->group);
461 		os_free(wpa_auth->wpa_ie);
462 		pmksa_cache_auth_deinit(wpa_auth->pmksa);
463 		os_free(wpa_auth);
464 		return NULL;
465 	}
466 #endif /* CONFIG_IEEE80211R_AP */
467 
468 	if (wpa_auth->conf.wpa_gmk_rekey) {
469 		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
470 				       wpa_rekey_gmk, wpa_auth, NULL);
471 	}
472 
473 	if (wpa_auth->conf.wpa_group_rekey) {
474 		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
475 				       wpa_rekey_gtk, wpa_auth, NULL);
476 	}
477 
478 #ifdef CONFIG_P2P
479 	if (WPA_GET_BE32(conf->ip_addr_start)) {
480 		int count = WPA_GET_BE32(conf->ip_addr_end) -
481 			WPA_GET_BE32(conf->ip_addr_start) + 1;
482 		if (count > 1000)
483 			count = 1000;
484 		if (count > 0)
485 			wpa_auth->ip_pool = bitfield_alloc(count);
486 	}
487 #endif /* CONFIG_P2P */
488 
489 	return wpa_auth;
490 }
491 
492 
wpa_init_keys(struct wpa_authenticator * wpa_auth)493 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
494 {
495 	struct wpa_group *group = wpa_auth->group;
496 
497 	wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
498 		   "keys");
499 	wpa_group_sm_step(wpa_auth, group);
500 	group->GInit = FALSE;
501 	wpa_group_sm_step(wpa_auth, group);
502 	if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
503 		return -1;
504 	return 0;
505 }
506 
507 
508 /**
509  * wpa_deinit - Deinitialize WPA authenticator
510  * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
511  */
wpa_deinit(struct wpa_authenticator * wpa_auth)512 void wpa_deinit(struct wpa_authenticator *wpa_auth)
513 {
514 	struct wpa_group *group, *prev;
515 
516 	eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
517 	eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
518 
519 	pmksa_cache_auth_deinit(wpa_auth->pmksa);
520 
521 #ifdef CONFIG_IEEE80211R_AP
522 	wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
523 	wpa_auth->ft_pmk_cache = NULL;
524 	wpa_ft_deinit(wpa_auth);
525 #endif /* CONFIG_IEEE80211R_AP */
526 
527 #ifdef CONFIG_P2P
528 	bitfield_free(wpa_auth->ip_pool);
529 #endif /* CONFIG_P2P */
530 
531 
532 	os_free(wpa_auth->wpa_ie);
533 
534 	group = wpa_auth->group;
535 	while (group) {
536 		prev = group;
537 		group = group->next;
538 		os_free(prev);
539 	}
540 
541 	os_free(wpa_auth);
542 }
543 
544 
545 /**
546  * wpa_reconfig - Update WPA authenticator configuration
547  * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
548  * @conf: Configuration for WPA authenticator
549  */
wpa_reconfig(struct wpa_authenticator * wpa_auth,struct wpa_auth_config * conf)550 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
551 		 struct wpa_auth_config *conf)
552 {
553 	struct wpa_group *group;
554 	if (wpa_auth == NULL)
555 		return 0;
556 
557 	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
558 	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
559 		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
560 		return -1;
561 	}
562 
563 	/*
564 	 * Reinitialize GTK to make sure it is suitable for the new
565 	 * configuration.
566 	 */
567 	group = wpa_auth->group;
568 	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
569 	group->GInit = TRUE;
570 	wpa_group_sm_step(wpa_auth, group);
571 	group->GInit = FALSE;
572 	wpa_group_sm_step(wpa_auth, group);
573 
574 	return 0;
575 }
576 
577 
578 struct wpa_state_machine *
wpa_auth_sta_init(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * p2p_dev_addr)579 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
580 		  const u8 *p2p_dev_addr)
581 {
582 	struct wpa_state_machine *sm;
583 
584 	if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
585 		return NULL;
586 
587 	sm = os_zalloc(sizeof(struct wpa_state_machine));
588 	if (sm == NULL)
589 		return NULL;
590 	os_memcpy(sm->addr, addr, ETH_ALEN);
591 	if (p2p_dev_addr)
592 		os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
593 
594 	sm->wpa_auth = wpa_auth;
595 	sm->group = wpa_auth->group;
596 	wpa_group_get(sm->wpa_auth, sm->group);
597 
598 	return sm;
599 }
600 
601 
wpa_auth_sta_associated(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm)602 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
603 			    struct wpa_state_machine *sm)
604 {
605 	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
606 		return -1;
607 
608 #ifdef CONFIG_IEEE80211R_AP
609 	if (sm->ft_completed) {
610 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
611 				"FT authentication already completed - do not "
612 				"start 4-way handshake");
613 		/* Go to PTKINITDONE state to allow GTK rekeying */
614 		sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
615 		sm->Pair = TRUE;
616 		return 0;
617 	}
618 #endif /* CONFIG_IEEE80211R_AP */
619 
620 #ifdef CONFIG_FILS
621 	if (sm->fils_completed) {
622 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
623 				"FILS authentication already completed - do not start 4-way handshake");
624 		/* Go to PTKINITDONE state to allow GTK rekeying */
625 		sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
626 		sm->Pair = TRUE;
627 		return 0;
628 	}
629 #endif /* CONFIG_FILS */
630 
631 	if (sm->started) {
632 		os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
633 		sm->ReAuthenticationRequest = TRUE;
634 		return wpa_sm_step(sm);
635 	}
636 
637 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
638 			"start authentication");
639 	sm->started = 1;
640 
641 	sm->Init = TRUE;
642 	if (wpa_sm_step(sm) == 1)
643 		return 1; /* should not really happen */
644 	sm->Init = FALSE;
645 	sm->AuthenticationRequest = TRUE;
646 	return wpa_sm_step(sm);
647 }
648 
649 
wpa_auth_sta_no_wpa(struct wpa_state_machine * sm)650 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
651 {
652 	/* WPA/RSN was not used - clear WPA state. This is needed if the STA
653 	 * reassociates back to the same AP while the previous entry for the
654 	 * STA has not yet been removed. */
655 	if (sm == NULL)
656 		return;
657 
658 	sm->wpa_key_mgmt = 0;
659 }
660 
661 
wpa_free_sta_sm(struct wpa_state_machine * sm)662 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
663 {
664 #ifdef CONFIG_P2P
665 	if (WPA_GET_BE32(sm->ip_addr)) {
666 		u32 start;
667 		wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
668 			   "address %u.%u.%u.%u from " MACSTR,
669 			   sm->ip_addr[0], sm->ip_addr[1],
670 			   sm->ip_addr[2], sm->ip_addr[3],
671 			   MAC2STR(sm->addr));
672 		start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
673 		bitfield_clear(sm->wpa_auth->ip_pool,
674 			       WPA_GET_BE32(sm->ip_addr) - start);
675 	}
676 #endif /* CONFIG_P2P */
677 	if (sm->GUpdateStationKeys) {
678 		sm->group->GKeyDoneStations--;
679 		sm->GUpdateStationKeys = FALSE;
680 	}
681 #ifdef CONFIG_IEEE80211R_AP
682 	os_free(sm->assoc_resp_ftie);
683 	wpabuf_free(sm->ft_pending_req_ies);
684 #endif /* CONFIG_IEEE80211R_AP */
685 	os_free(sm->last_rx_eapol_key);
686 	os_free(sm->wpa_ie);
687 	wpa_group_put(sm->wpa_auth, sm->group);
688 	os_free(sm);
689 }
690 
691 
wpa_auth_sta_deinit(struct wpa_state_machine * sm)692 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
693 {
694 	if (sm == NULL)
695 		return;
696 
697 	if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
698 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
699 				"strict rekeying - force GTK rekey since STA "
700 				"is leaving");
701 		eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
702 		eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
703 				       NULL);
704 	}
705 
706 	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
707 	sm->pending_1_of_4_timeout = 0;
708 	eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
709 	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
710 #ifdef CONFIG_IEEE80211R_AP
711 	wpa_ft_sta_deinit(sm);
712 #endif /* CONFIG_IEEE80211R_AP */
713 	if (sm->in_step_loop) {
714 		/* Must not free state machine while wpa_sm_step() is running.
715 		 * Freeing will be completed in the end of wpa_sm_step(). */
716 		wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
717 			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
718 		sm->pending_deinit = 1;
719 	} else
720 		wpa_free_sta_sm(sm);
721 }
722 
723 
wpa_request_new_ptk(struct wpa_state_machine * sm)724 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
725 {
726 	if (sm == NULL)
727 		return;
728 
729 	sm->PTKRequest = TRUE;
730 	sm->PTK_valid = 0;
731 }
732 
733 
wpa_replay_counter_valid(struct wpa_key_replay_counter * ctr,const u8 * replay_counter)734 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
735 				    const u8 *replay_counter)
736 {
737 	int i;
738 	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
739 		if (!ctr[i].valid)
740 			break;
741 		if (os_memcmp(replay_counter, ctr[i].counter,
742 			      WPA_REPLAY_COUNTER_LEN) == 0)
743 			return 1;
744 	}
745 	return 0;
746 }
747 
748 
wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter * ctr,const u8 * replay_counter)749 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
750 					    const u8 *replay_counter)
751 {
752 	int i;
753 	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
754 		if (ctr[i].valid &&
755 		    (replay_counter == NULL ||
756 		     os_memcmp(replay_counter, ctr[i].counter,
757 			       WPA_REPLAY_COUNTER_LEN) == 0))
758 			ctr[i].valid = FALSE;
759 	}
760 }
761 
762 
763 #ifdef CONFIG_IEEE80211R_AP
ft_check_msg_2_of_4(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,struct wpa_eapol_ie_parse * kde)764 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
765 			       struct wpa_state_machine *sm,
766 			       struct wpa_eapol_ie_parse *kde)
767 {
768 	struct wpa_ie_data ie;
769 	struct rsn_mdie *mdie;
770 
771 	if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
772 	    ie.num_pmkid != 1 || ie.pmkid == NULL) {
773 		wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
774 			   "FT 4-way handshake message 2/4");
775 		return -1;
776 	}
777 
778 	os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
779 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
780 		    sm->sup_pmk_r1_name, PMKID_LEN);
781 
782 	if (!kde->mdie || !kde->ftie) {
783 		wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
784 			   "message 2/4", kde->mdie ? "FTIE" : "MDIE");
785 		return -1;
786 	}
787 
788 	mdie = (struct rsn_mdie *) (kde->mdie + 2);
789 	if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
790 	    os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
791 		      MOBILITY_DOMAIN_ID_LEN) != 0) {
792 		wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
793 		return -1;
794 	}
795 
796 	if (sm->assoc_resp_ftie &&
797 	    (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
798 	     os_memcmp(kde->ftie, sm->assoc_resp_ftie,
799 		       2 + sm->assoc_resp_ftie[1]) != 0)) {
800 		wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
801 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
802 			    kde->ftie, kde->ftie_len);
803 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
804 			    sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
805 		return -1;
806 	}
807 
808 	return 0;
809 }
810 #endif /* CONFIG_IEEE80211R_AP */
811 
812 
wpa_receive_error_report(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int group)813 static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
814 				    struct wpa_state_machine *sm, int group)
815 {
816 	/* Supplicant reported a Michael MIC error */
817 	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
818 			 "received EAPOL-Key Error Request "
819 			 "(STA detected Michael MIC failure (group=%d))",
820 			 group);
821 
822 	if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
823 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
824 				"ignore Michael MIC failure report since "
825 				"group cipher is not TKIP");
826 	} else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
827 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
828 				"ignore Michael MIC failure report since "
829 				"pairwise cipher is not TKIP");
830 	} else {
831 		if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
832 			return 1; /* STA entry was removed */
833 		sm->dot11RSNAStatsTKIPRemoteMICFailures++;
834 		wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
835 	}
836 
837 	/*
838 	 * Error report is not a request for a new key handshake, but since
839 	 * Authenticator may do it, let's change the keys now anyway.
840 	 */
841 	wpa_request_new_ptk(sm);
842 	return 0;
843 }
844 
845 
wpa_try_alt_snonce(struct wpa_state_machine * sm,u8 * data,size_t data_len)846 static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
847 			      size_t data_len)
848 {
849 	struct wpa_ptk PTK;
850 	int ok = 0;
851 	const u8 *pmk = NULL;
852 	size_t pmk_len;
853 
854 	os_memset(&PTK, 0, sizeof(PTK));
855 	for (;;) {
856 		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
857 		    !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
858 			pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
859 					       sm->p2p_dev_addr, pmk, &pmk_len);
860 			if (pmk == NULL)
861 				break;
862 		} else {
863 			pmk = sm->PMK;
864 			pmk_len = sm->pmk_len;
865 		}
866 
867 		if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
868 			break;
869 
870 		if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
871 				       data, data_len) == 0) {
872 			ok = 1;
873 			break;
874 		}
875 
876 		if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
877 			break;
878 	}
879 
880 	if (!ok) {
881 		wpa_printf(MSG_DEBUG,
882 			   "WPA: Earlier SNonce did not result in matching MIC");
883 		return -1;
884 	}
885 
886 	wpa_printf(MSG_DEBUG,
887 		   "WPA: Earlier SNonce resulted in matching MIC");
888 	sm->alt_snonce_valid = 0;
889 	os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
890 	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
891 	sm->PTK_valid = TRUE;
892 
893 	return 0;
894 }
895 
896 
wpa_receive(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,u8 * data,size_t data_len)897 void wpa_receive(struct wpa_authenticator *wpa_auth,
898 		 struct wpa_state_machine *sm,
899 		 u8 *data, size_t data_len)
900 {
901 	struct ieee802_1x_hdr *hdr;
902 	struct wpa_eapol_key *key;
903 	u16 key_info, key_data_length;
904 	enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST } msg;
905 	char *msgtxt;
906 	struct wpa_eapol_ie_parse kde;
907 	const u8 *key_data;
908 	size_t keyhdrlen, mic_len;
909 	u8 *mic;
910 
911 	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
912 		return;
913 	wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
914 
915 	mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
916 	keyhdrlen = sizeof(*key) + mic_len + 2;
917 
918 	if (data_len < sizeof(*hdr) + keyhdrlen) {
919 		wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
920 		return;
921 	}
922 
923 	hdr = (struct ieee802_1x_hdr *) data;
924 	key = (struct wpa_eapol_key *) (hdr + 1);
925 	mic = (u8 *) (key + 1);
926 	key_info = WPA_GET_BE16(key->key_info);
927 	key_data = mic + mic_len + 2;
928 	key_data_length = WPA_GET_BE16(mic + mic_len);
929 	wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
930 		   " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
931 		   MAC2STR(sm->addr), key_info, key->type,
932 		   (unsigned int) mic_len, key_data_length);
933 	wpa_hexdump(MSG_MSGDUMP,
934 		    "WPA: EAPOL-Key header (ending before Key MIC)",
935 		    key, sizeof(*key));
936 	wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
937 		    mic, mic_len);
938 	if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
939 		wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
940 			   "key_data overflow (%d > %lu)",
941 			   key_data_length,
942 			   (unsigned long) (data_len - sizeof(*hdr) -
943 					    keyhdrlen));
944 		return;
945 	}
946 
947 	if (sm->wpa == WPA_VERSION_WPA2) {
948 		if (key->type == EAPOL_KEY_TYPE_WPA) {
949 			/*
950 			 * Some deployed station implementations seem to send
951 			 * msg 4/4 with incorrect type value in WPA2 mode.
952 			 */
953 			wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
954 				   "with unexpected WPA type in RSN mode");
955 		} else if (key->type != EAPOL_KEY_TYPE_RSN) {
956 			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
957 				   "unexpected type %d in RSN mode",
958 				   key->type);
959 			return;
960 		}
961 	} else {
962 		if (key->type != EAPOL_KEY_TYPE_WPA) {
963 			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
964 				   "unexpected type %d in WPA mode",
965 				   key->type);
966 			return;
967 		}
968 	}
969 
970 	wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
971 		    WPA_NONCE_LEN);
972 	wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
973 		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
974 
975 	/* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
976 	 * are set */
977 
978 	if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
979 		wpa_printf(MSG_DEBUG, "WPA: Ignore SMK message");
980 		return;
981 	}
982 
983 	if (key_info & WPA_KEY_INFO_REQUEST) {
984 		msg = REQUEST;
985 		msgtxt = "Request";
986 	} else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
987 		msg = GROUP_2;
988 		msgtxt = "2/2 Group";
989 	} else if (key_data_length == 0 ||
990 		   (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
991 		    key_data_length == AES_BLOCK_SIZE)) {
992 		msg = PAIRWISE_4;
993 		msgtxt = "4/4 Pairwise";
994 	} else {
995 		msg = PAIRWISE_2;
996 		msgtxt = "2/4 Pairwise";
997 	}
998 
999 	if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1000 	    msg == GROUP_2) {
1001 		u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
1002 		if (sm->pairwise == WPA_CIPHER_CCMP ||
1003 		    sm->pairwise == WPA_CIPHER_GCMP) {
1004 			if (wpa_use_aes_cmac(sm) &&
1005 			    sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
1006 			    !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
1007 			    !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1008 			    ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1009 				wpa_auth_logger(wpa_auth, sm->addr,
1010 						LOGGER_WARNING,
1011 						"advertised support for "
1012 						"AES-128-CMAC, but did not "
1013 						"use it");
1014 				return;
1015 			}
1016 
1017 			if (!wpa_use_aes_cmac(sm) &&
1018 			    !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
1019 			    !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1020 			    sm->wpa_key_mgmt != WPA_KEY_MGMT_OWE &&
1021 			    sm->wpa_key_mgmt != WPA_KEY_MGMT_DPP &&
1022 			    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1023 				wpa_auth_logger(wpa_auth, sm->addr,
1024 						LOGGER_WARNING,
1025 						"did not use HMAC-SHA1-AES "
1026 						"with CCMP/GCMP");
1027 				return;
1028 			}
1029 		}
1030 
1031 		if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1032 		     wpa_key_mgmt_fils(sm->wpa_key_mgmt) ||
1033 		     sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
1034 		     sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) &&
1035 		    ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1036 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1037 					"did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1038 			return;
1039 		}
1040 	}
1041 
1042 	if (key_info & WPA_KEY_INFO_REQUEST) {
1043 		if (sm->req_replay_counter_used &&
1044 		    os_memcmp(key->replay_counter, sm->req_replay_counter,
1045 			      WPA_REPLAY_COUNTER_LEN) <= 0) {
1046 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1047 					"received EAPOL-Key request with "
1048 					"replayed counter");
1049 			return;
1050 		}
1051 	}
1052 
1053 	if (!(key_info & WPA_KEY_INFO_REQUEST) &&
1054 	    !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
1055 		int i;
1056 
1057 		if (msg == PAIRWISE_2 &&
1058 		    wpa_replay_counter_valid(sm->prev_key_replay,
1059 					     key->replay_counter) &&
1060 		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1061 		    os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1062 		{
1063 			/*
1064 			 * Some supplicant implementations (e.g., Windows XP
1065 			 * WZC) update SNonce for each EAPOL-Key 2/4. This
1066 			 * breaks the workaround on accepting any of the
1067 			 * pending requests, so allow the SNonce to be updated
1068 			 * even if we have already sent out EAPOL-Key 3/4.
1069 			 */
1070 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1071 					 "Process SNonce update from STA "
1072 					 "based on retransmitted EAPOL-Key "
1073 					 "1/4");
1074 			sm->update_snonce = 1;
1075 			os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1076 			sm->alt_snonce_valid = TRUE;
1077 			os_memcpy(sm->alt_replay_counter,
1078 				  sm->key_replay[0].counter,
1079 				  WPA_REPLAY_COUNTER_LEN);
1080 			goto continue_processing;
1081 		}
1082 
1083 		if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1084 		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1085 		    os_memcmp(key->replay_counter, sm->alt_replay_counter,
1086 			      WPA_REPLAY_COUNTER_LEN) == 0) {
1087 			/*
1088 			 * Supplicant may still be using the old SNonce since
1089 			 * there was two EAPOL-Key 2/4 messages and they had
1090 			 * different SNonce values.
1091 			 */
1092 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1093 					 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1094 			goto continue_processing;
1095 		}
1096 
1097 		if (msg == PAIRWISE_2 &&
1098 		    wpa_replay_counter_valid(sm->prev_key_replay,
1099 					     key->replay_counter) &&
1100 		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1101 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1102 					 "ignore retransmitted EAPOL-Key %s - "
1103 					 "SNonce did not change", msgtxt);
1104 		} else {
1105 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1106 					 "received EAPOL-Key %s with "
1107 					 "unexpected replay counter", msgtxt);
1108 		}
1109 		for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1110 			if (!sm->key_replay[i].valid)
1111 				break;
1112 			wpa_hexdump(MSG_DEBUG, "pending replay counter",
1113 				    sm->key_replay[i].counter,
1114 				    WPA_REPLAY_COUNTER_LEN);
1115 		}
1116 		wpa_hexdump(MSG_DEBUG, "received replay counter",
1117 			    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1118 		return;
1119 	}
1120 
1121 continue_processing:
1122 #ifdef CONFIG_FILS
1123 	if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1124 	    !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1125 		wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1126 				 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1127 		return;
1128 	}
1129 #endif /* CONFIG_FILS */
1130 
1131 	switch (msg) {
1132 	case PAIRWISE_2:
1133 		if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1134 		    sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1135 		    (!sm->update_snonce ||
1136 		     sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1137 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1138 					 "received EAPOL-Key msg 2/4 in "
1139 					 "invalid state (%d) - dropped",
1140 					 sm->wpa_ptk_state);
1141 			return;
1142 		}
1143 		random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1144 		if (sm->group->reject_4way_hs_for_entropy) {
1145 			/*
1146 			 * The system did not have enough entropy to generate
1147 			 * strong random numbers. Reject the first 4-way
1148 			 * handshake(s) and collect some entropy based on the
1149 			 * information from it. Once enough entropy is
1150 			 * available, the next atempt will trigger GMK/Key
1151 			 * Counter update and the station will be allowed to
1152 			 * continue.
1153 			 */
1154 			wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1155 				   "collect more entropy for random number "
1156 				   "generation");
1157 			random_mark_pool_ready();
1158 			wpa_sta_disconnect(wpa_auth, sm->addr,
1159 					   WLAN_REASON_PREV_AUTH_NOT_VALID);
1160 			return;
1161 		}
1162 		break;
1163 	case PAIRWISE_4:
1164 		if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1165 		    !sm->PTK_valid) {
1166 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1167 					 "received EAPOL-Key msg 4/4 in "
1168 					 "invalid state (%d) - dropped",
1169 					 sm->wpa_ptk_state);
1170 			return;
1171 		}
1172 		break;
1173 	case GROUP_2:
1174 		if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1175 		    || !sm->PTK_valid) {
1176 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1177 					 "received EAPOL-Key msg 2/2 in "
1178 					 "invalid state (%d) - dropped",
1179 					 sm->wpa_ptk_group_state);
1180 			return;
1181 		}
1182 		break;
1183 	case REQUEST:
1184 		break;
1185 	}
1186 
1187 	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1188 			 "received EAPOL-Key frame (%s)", msgtxt);
1189 
1190 	if (key_info & WPA_KEY_INFO_ACK) {
1191 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1192 				"received invalid EAPOL-Key: Key Ack set");
1193 		return;
1194 	}
1195 
1196 	if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1197 	    !(key_info & WPA_KEY_INFO_MIC)) {
1198 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1199 				"received invalid EAPOL-Key: Key MIC not set");
1200 		return;
1201 	}
1202 
1203 #ifdef CONFIG_FILS
1204 	if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1205 	    (key_info & WPA_KEY_INFO_MIC)) {
1206 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1207 				"received invalid EAPOL-Key: Key MIC set");
1208 		return;
1209 	}
1210 #endif /* CONFIG_FILS */
1211 
1212 	sm->MICVerified = FALSE;
1213 	if (sm->PTK_valid && !sm->update_snonce) {
1214 		if (mic_len &&
1215 		    wpa_verify_key_mic(sm->wpa_key_mgmt, sm->pmk_len, &sm->PTK,
1216 				       data, data_len) &&
1217 		    (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1218 		     wpa_try_alt_snonce(sm, data, data_len))) {
1219 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1220 					"received EAPOL-Key with invalid MIC");
1221 			return;
1222 		}
1223 #ifdef CONFIG_FILS
1224 		if (!mic_len &&
1225 		    wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1226 				     &key_data_length) < 0) {
1227 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1228 					"received EAPOL-Key with invalid MIC");
1229 			return;
1230 		}
1231 #endif /* CONFIG_FILS */
1232 		sm->MICVerified = TRUE;
1233 		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1234 		sm->pending_1_of_4_timeout = 0;
1235 	}
1236 
1237 	if (key_info & WPA_KEY_INFO_REQUEST) {
1238 		if (sm->MICVerified) {
1239 			sm->req_replay_counter_used = 1;
1240 			os_memcpy(sm->req_replay_counter, key->replay_counter,
1241 				  WPA_REPLAY_COUNTER_LEN);
1242 		} else {
1243 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1244 					"received EAPOL-Key request with "
1245 					"invalid MIC");
1246 			return;
1247 		}
1248 
1249 		/*
1250 		 * TODO: should decrypt key data field if encryption was used;
1251 		 * even though MAC address KDE is not normally encrypted,
1252 		 * supplicant is allowed to encrypt it.
1253 		 */
1254 		if (key_info & WPA_KEY_INFO_ERROR) {
1255 			if (wpa_receive_error_report(
1256 				    wpa_auth, sm,
1257 				    !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1258 				return; /* STA entry was removed */
1259 		} else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1260 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1261 					"received EAPOL-Key Request for new "
1262 					"4-Way Handshake");
1263 			wpa_request_new_ptk(sm);
1264 		} else if (key_data_length > 0 &&
1265 			   wpa_parse_kde_ies(key_data, key_data_length,
1266 					     &kde) == 0 &&
1267 			   kde.mac_addr) {
1268 		} else {
1269 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1270 					"received EAPOL-Key Request for GTK "
1271 					"rekeying");
1272 			eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1273 			wpa_rekey_gtk(wpa_auth, NULL);
1274 		}
1275 	} else {
1276 		/* Do not allow the same key replay counter to be reused. */
1277 		wpa_replay_counter_mark_invalid(sm->key_replay,
1278 						key->replay_counter);
1279 
1280 		if (msg == PAIRWISE_2) {
1281 			/*
1282 			 * Maintain a copy of the pending EAPOL-Key frames in
1283 			 * case the EAPOL-Key frame was retransmitted. This is
1284 			 * needed to allow EAPOL-Key msg 2/4 reply to another
1285 			 * pending msg 1/4 to update the SNonce to work around
1286 			 * unexpected supplicant behavior.
1287 			 */
1288 			os_memcpy(sm->prev_key_replay, sm->key_replay,
1289 				  sizeof(sm->key_replay));
1290 		} else {
1291 			os_memset(sm->prev_key_replay, 0,
1292 				  sizeof(sm->prev_key_replay));
1293 		}
1294 
1295 		/*
1296 		 * Make sure old valid counters are not accepted anymore and
1297 		 * do not get copied again.
1298 		 */
1299 		wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1300 	}
1301 
1302 	os_free(sm->last_rx_eapol_key);
1303 	sm->last_rx_eapol_key = os_memdup(data, data_len);
1304 	if (sm->last_rx_eapol_key == NULL)
1305 		return;
1306 	sm->last_rx_eapol_key_len = data_len;
1307 
1308 	sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1309 	sm->EAPOLKeyReceived = TRUE;
1310 	sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1311 	sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1312 	os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1313 	wpa_sm_step(sm);
1314 }
1315 
1316 
wpa_gmk_to_gtk(const u8 * gmk,const char * label,const u8 * addr,const u8 * gnonce,u8 * gtk,size_t gtk_len)1317 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1318 			  const u8 *gnonce, u8 *gtk, size_t gtk_len)
1319 {
1320 	u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1321 	u8 *pos;
1322 	int ret = 0;
1323 
1324 	/* GTK = PRF-X(GMK, "Group key expansion",
1325 	 *	AA || GNonce || Time || random data)
1326 	 * The example described in the IEEE 802.11 standard uses only AA and
1327 	 * GNonce as inputs here. Add some more entropy since this derivation
1328 	 * is done only at the Authenticator and as such, does not need to be
1329 	 * exactly same.
1330 	 */
1331 	os_memcpy(data, addr, ETH_ALEN);
1332 	os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1333 	pos = data + ETH_ALEN + WPA_NONCE_LEN;
1334 	wpa_get_ntp_timestamp(pos);
1335 	pos += 8;
1336 	if (random_get_bytes(pos, 16) < 0)
1337 		ret = -1;
1338 
1339 #ifdef CONFIG_IEEE80211W
1340 	sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
1341 #else /* CONFIG_IEEE80211W */
1342 	if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1343 	    < 0)
1344 		ret = -1;
1345 #endif /* CONFIG_IEEE80211W */
1346 
1347 	return ret;
1348 }
1349 
1350 
wpa_send_eapol_timeout(void * eloop_ctx,void * timeout_ctx)1351 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1352 {
1353 	struct wpa_authenticator *wpa_auth = eloop_ctx;
1354 	struct wpa_state_machine *sm = timeout_ctx;
1355 
1356 	sm->pending_1_of_4_timeout = 0;
1357 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1358 	sm->TimeoutEvt = TRUE;
1359 	wpa_sm_step(sm);
1360 }
1361 
1362 
__wpa_send_eapol(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int key_info,const u8 * key_rsc,const u8 * nonce,const u8 * kde,size_t kde_len,int keyidx,int encr,int force_version)1363 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1364 		      struct wpa_state_machine *sm, int key_info,
1365 		      const u8 *key_rsc, const u8 *nonce,
1366 		      const u8 *kde, size_t kde_len,
1367 		      int keyidx, int encr, int force_version)
1368 {
1369 	struct ieee802_1x_hdr *hdr;
1370 	struct wpa_eapol_key *key;
1371 	size_t len, mic_len, keyhdrlen;
1372 	int alg;
1373 	int key_data_len, pad_len = 0;
1374 	u8 *buf, *pos;
1375 	int version, pairwise;
1376 	int i;
1377 	u8 *key_mic, *key_data;
1378 
1379 	mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
1380 	keyhdrlen = sizeof(*key) + mic_len + 2;
1381 
1382 	len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1383 
1384 	if (force_version)
1385 		version = force_version;
1386 	else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1387 		 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
1388 		 sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
1389 		 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1390 		 wpa_key_mgmt_fils(sm->wpa_key_mgmt))
1391 		version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1392 	else if (wpa_use_aes_cmac(sm))
1393 		version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1394 	else if (sm->pairwise != WPA_CIPHER_TKIP)
1395 		version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1396 	else
1397 		version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1398 
1399 	pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1400 
1401 	wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1402 		   "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1403 		   "encr=%d)",
1404 		   version,
1405 		   (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1406 		   (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1407 		   (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1408 		   (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1409 		   pairwise, (unsigned long) kde_len, keyidx, encr);
1410 
1411 	key_data_len = kde_len;
1412 
1413 	if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1414 	     sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
1415 	     sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
1416 	     sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1417 	     wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1418 	     version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1419 		pad_len = key_data_len % 8;
1420 		if (pad_len)
1421 			pad_len = 8 - pad_len;
1422 		key_data_len += pad_len + 8;
1423 	}
1424 
1425 	len += key_data_len;
1426 	if (!mic_len && encr)
1427 		len += AES_BLOCK_SIZE;
1428 
1429 	hdr = os_zalloc(len);
1430 	if (hdr == NULL)
1431 		return;
1432 	hdr->version = wpa_auth->conf.eapol_version;
1433 	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1434 	hdr->length = host_to_be16(len  - sizeof(*hdr));
1435 	key = (struct wpa_eapol_key *) (hdr + 1);
1436 	key_mic = (u8 *) (key + 1);
1437 	key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
1438 
1439 	key->type = sm->wpa == WPA_VERSION_WPA2 ?
1440 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1441 	key_info |= version;
1442 	if (encr && sm->wpa == WPA_VERSION_WPA2)
1443 		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1444 	if (sm->wpa != WPA_VERSION_WPA2)
1445 		key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1446 	WPA_PUT_BE16(key->key_info, key_info);
1447 
1448 	alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1449 	if (sm->wpa == WPA_VERSION_WPA2 && !pairwise)
1450 		WPA_PUT_BE16(key->key_length, 0);
1451 	else
1452 		WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1453 
1454 	for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1455 		sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1456 		os_memcpy(sm->key_replay[i].counter,
1457 			  sm->key_replay[i - 1].counter,
1458 			  WPA_REPLAY_COUNTER_LEN);
1459 	}
1460 	inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1461 	os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1462 		  WPA_REPLAY_COUNTER_LEN);
1463 	wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1464 		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1465 	sm->key_replay[0].valid = TRUE;
1466 
1467 	if (nonce)
1468 		os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1469 
1470 	if (key_rsc)
1471 		os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1472 
1473 	if (kde && !encr) {
1474 		os_memcpy(key_data, kde, kde_len);
1475 		WPA_PUT_BE16(key_mic + mic_len, kde_len);
1476 #ifdef CONFIG_FILS
1477 	} else if (!mic_len) {
1478 		const u8 *aad[1];
1479 		size_t aad_len[1];
1480 
1481 		WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1482 		wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1483 				kde, kde_len);
1484 
1485 		wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1486 				sm->PTK.kek, sm->PTK.kek_len);
1487 		/* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1488 		 * to Key Data (exclusive). */
1489 		aad[0] = (u8 *) hdr;
1490 		aad_len[0] = key_mic + 2 - (u8 *) hdr;
1491 		if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1492 				    1, aad, aad_len, key_mic + 2) < 0) {
1493 			wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1494 			return;
1495 		}
1496 
1497 		wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1498 			    key_mic + 2, AES_BLOCK_SIZE + kde_len);
1499 #endif /* CONFIG_FILS */
1500 	} else if (encr && kde) {
1501 		buf = os_zalloc(key_data_len);
1502 		if (buf == NULL) {
1503 			os_free(hdr);
1504 			return;
1505 		}
1506 		pos = buf;
1507 		os_memcpy(pos, kde, kde_len);
1508 		pos += kde_len;
1509 
1510 		if (pad_len)
1511 			*pos++ = 0xdd;
1512 
1513 		wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1514 				buf, key_data_len);
1515 		if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1516 		    sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
1517 		    sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
1518 		    sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1519 		    wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1520 		    version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1521 			wpa_printf(MSG_DEBUG,
1522 				   "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1523 				   (unsigned int) sm->PTK.kek_len);
1524 			if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
1525 				     (key_data_len - 8) / 8, buf, key_data)) {
1526 				os_free(hdr);
1527 				os_free(buf);
1528 				return;
1529 			}
1530 			WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1531 #ifndef CONFIG_NO_RC4
1532 		} else if (sm->PTK.kek_len == 16) {
1533 			u8 ek[32];
1534 
1535 			wpa_printf(MSG_DEBUG,
1536 				   "WPA: Encrypt Key Data using RC4");
1537 			os_memcpy(key->key_iv,
1538 				  sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1539 			inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1540 			os_memcpy(ek, key->key_iv, 16);
1541 			os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
1542 			os_memcpy(key_data, buf, key_data_len);
1543 			rc4_skip(ek, 32, 256, key_data, key_data_len);
1544 			WPA_PUT_BE16(key_mic + mic_len, key_data_len);
1545 #endif /* CONFIG_NO_RC4 */
1546 		} else {
1547 			os_free(hdr);
1548 			os_free(buf);
1549 			return;
1550 		}
1551 		os_free(buf);
1552 	}
1553 
1554 	if (key_info & WPA_KEY_INFO_MIC) {
1555 		if (!sm->PTK_valid || !mic_len) {
1556 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1557 					"PTK not valid when sending EAPOL-Key "
1558 					"frame");
1559 			os_free(hdr);
1560 			return;
1561 		}
1562 
1563 		wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1564 				  sm->wpa_key_mgmt, version,
1565 				  (u8 *) hdr, len, key_mic);
1566 #ifdef CONFIG_TESTING_OPTIONS
1567 		if (!pairwise &&
1568 		    wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
1569 		    drand48() <
1570 		    wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1571 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1572 					"Corrupting group EAPOL-Key Key MIC");
1573 			key_mic[0]++;
1574 		}
1575 #endif /* CONFIG_TESTING_OPTIONS */
1576 	}
1577 
1578 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1579 			   1);
1580 	wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1581 			    sm->pairwise_set);
1582 	os_free(hdr);
1583 }
1584 
1585 
wpa_send_eapol(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int key_info,const u8 * key_rsc,const u8 * nonce,const u8 * kde,size_t kde_len,int keyidx,int encr)1586 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1587 			   struct wpa_state_machine *sm, int key_info,
1588 			   const u8 *key_rsc, const u8 *nonce,
1589 			   const u8 *kde, size_t kde_len,
1590 			   int keyidx, int encr)
1591 {
1592 	int timeout_ms;
1593 	int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1594 	u32 ctr;
1595 
1596 	if (sm == NULL)
1597 		return;
1598 
1599 	__wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1600 			 keyidx, encr, 0);
1601 
1602 	ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1603 	if (ctr == 1 && wpa_auth->conf.tx_status)
1604 		timeout_ms = pairwise ? eapol_key_timeout_first :
1605 			eapol_key_timeout_first_group;
1606 	else
1607 		timeout_ms = eapol_key_timeout_subseq;
1608 	if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
1609 	    (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
1610 		timeout_ms = eapol_key_timeout_no_retrans;
1611 	if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1612 		sm->pending_1_of_4_timeout = 1;
1613 	wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1614 		   "counter %u)", timeout_ms, ctr);
1615 	eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1616 			       wpa_send_eapol_timeout, wpa_auth, sm);
1617 }
1618 
1619 
wpa_verify_key_mic(int akmp,size_t pmk_len,struct wpa_ptk * PTK,u8 * data,size_t data_len)1620 static int wpa_verify_key_mic(int akmp, size_t pmk_len, struct wpa_ptk *PTK,
1621 			      u8 *data, size_t data_len)
1622 {
1623 	struct ieee802_1x_hdr *hdr;
1624 	struct wpa_eapol_key *key;
1625 	u16 key_info;
1626 	int ret = 0;
1627 	u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
1628 	size_t mic_len = wpa_mic_len(akmp, pmk_len);
1629 
1630 	if (data_len < sizeof(*hdr) + sizeof(*key))
1631 		return -1;
1632 
1633 	hdr = (struct ieee802_1x_hdr *) data;
1634 	key = (struct wpa_eapol_key *) (hdr + 1);
1635 	mic_pos = (u8 *) (key + 1);
1636 	key_info = WPA_GET_BE16(key->key_info);
1637 	os_memcpy(mic, mic_pos, mic_len);
1638 	os_memset(mic_pos, 0, mic_len);
1639 	if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1640 			      key_info & WPA_KEY_INFO_TYPE_MASK,
1641 			      data, data_len, mic_pos) ||
1642 	    os_memcmp_const(mic, mic_pos, mic_len) != 0)
1643 		ret = -1;
1644 	os_memcpy(mic_pos, mic, mic_len);
1645 	return ret;
1646 }
1647 
1648 
wpa_remove_ptk(struct wpa_state_machine * sm)1649 void wpa_remove_ptk(struct wpa_state_machine *sm)
1650 {
1651 	sm->PTK_valid = FALSE;
1652 	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1653 	if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1654 			     0))
1655 		wpa_printf(MSG_DEBUG,
1656 			   "RSN: PTK removal from the driver failed");
1657 	sm->pairwise_set = FALSE;
1658 	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1659 }
1660 
1661 
wpa_auth_sm_event(struct wpa_state_machine * sm,enum wpa_event event)1662 int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
1663 {
1664 	int remove_ptk = 1;
1665 
1666 	if (sm == NULL)
1667 		return -1;
1668 
1669 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1670 			 "event %d notification", event);
1671 
1672 	switch (event) {
1673 	case WPA_AUTH:
1674 #ifdef CONFIG_MESH
1675 		/* PTKs are derived through AMPE */
1676 		if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1677 			/* not mesh */
1678 			break;
1679 		}
1680 		return 0;
1681 #endif /* CONFIG_MESH */
1682 	case WPA_ASSOC:
1683 		break;
1684 	case WPA_DEAUTH:
1685 	case WPA_DISASSOC:
1686 		sm->DeauthenticationRequest = TRUE;
1687 		break;
1688 	case WPA_REAUTH:
1689 	case WPA_REAUTH_EAPOL:
1690 		if (!sm->started) {
1691 			/*
1692 			 * When using WPS, we may end up here if the STA
1693 			 * manages to re-associate without the previous STA
1694 			 * entry getting removed. Consequently, we need to make
1695 			 * sure that the WPA state machines gets initialized
1696 			 * properly at this point.
1697 			 */
1698 			wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1699 				   "started - initialize now");
1700 			sm->started = 1;
1701 			sm->Init = TRUE;
1702 			if (wpa_sm_step(sm) == 1)
1703 				return 1; /* should not really happen */
1704 			sm->Init = FALSE;
1705 			sm->AuthenticationRequest = TRUE;
1706 			break;
1707 		}
1708 		if (sm->GUpdateStationKeys) {
1709 			/*
1710 			 * Reauthentication cancels the pending group key
1711 			 * update for this STA.
1712 			 */
1713 			sm->group->GKeyDoneStations--;
1714 			sm->GUpdateStationKeys = FALSE;
1715 			sm->PtkGroupInit = TRUE;
1716 		}
1717 		sm->ReAuthenticationRequest = TRUE;
1718 		break;
1719 	case WPA_ASSOC_FT:
1720 #ifdef CONFIG_IEEE80211R_AP
1721 		wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1722 			   "after association");
1723 		wpa_ft_install_ptk(sm);
1724 
1725 		/* Using FT protocol, not WPA auth state machine */
1726 		sm->ft_completed = 1;
1727 		return 0;
1728 #else /* CONFIG_IEEE80211R_AP */
1729 		break;
1730 #endif /* CONFIG_IEEE80211R_AP */
1731 	case WPA_ASSOC_FILS:
1732 #ifdef CONFIG_FILS
1733 		wpa_printf(MSG_DEBUG,
1734 			   "FILS: TK configuration after association");
1735 		fils_set_tk(sm);
1736 		sm->fils_completed = 1;
1737 		return 0;
1738 #else /* CONFIG_FILS */
1739 		break;
1740 #endif /* CONFIG_FILS */
1741 	case WPA_DRV_STA_REMOVED:
1742 		sm->tk_already_set = FALSE;
1743 		return 0;
1744 	}
1745 
1746 #ifdef CONFIG_IEEE80211R_AP
1747 	sm->ft_completed = 0;
1748 #endif /* CONFIG_IEEE80211R_AP */
1749 
1750 #ifdef CONFIG_IEEE80211W
1751 	if (sm->mgmt_frame_prot && event == WPA_AUTH)
1752 		remove_ptk = 0;
1753 #endif /* CONFIG_IEEE80211W */
1754 #ifdef CONFIG_FILS
1755 	if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1756 	    (event == WPA_AUTH || event == WPA_ASSOC))
1757 		remove_ptk = 0;
1758 #endif /* CONFIG_FILS */
1759 
1760 	if (remove_ptk) {
1761 		sm->PTK_valid = FALSE;
1762 		os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1763 
1764 		if (event != WPA_REAUTH_EAPOL)
1765 			wpa_remove_ptk(sm);
1766 	}
1767 
1768 	if (sm->in_step_loop) {
1769 		/*
1770 		 * wpa_sm_step() is already running - avoid recursive call to
1771 		 * it by making the existing loop process the new update.
1772 		 */
1773 		sm->changed = TRUE;
1774 		return 0;
1775 	}
1776 	return wpa_sm_step(sm);
1777 }
1778 
1779 
SM_STATE(WPA_PTK,INITIALIZE)1780 SM_STATE(WPA_PTK, INITIALIZE)
1781 {
1782 	SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1783 	if (sm->Init) {
1784 		/* Init flag is not cleared here, so avoid busy
1785 		 * loop by claiming nothing changed. */
1786 		sm->changed = FALSE;
1787 	}
1788 
1789 	sm->keycount = 0;
1790 	if (sm->GUpdateStationKeys)
1791 		sm->group->GKeyDoneStations--;
1792 	sm->GUpdateStationKeys = FALSE;
1793 	if (sm->wpa == WPA_VERSION_WPA)
1794 		sm->PInitAKeys = FALSE;
1795 	if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1796 	       * Local AA > Remote AA)) */) {
1797 		sm->Pair = TRUE;
1798 	}
1799 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1800 	wpa_remove_ptk(sm);
1801 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1802 	sm->TimeoutCtr = 0;
1803 	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1804 	    sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
1805 	    sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
1806 		wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1807 				   WPA_EAPOL_authorized, 0);
1808 	}
1809 }
1810 
1811 
SM_STATE(WPA_PTK,DISCONNECT)1812 SM_STATE(WPA_PTK, DISCONNECT)
1813 {
1814 	u16 reason = sm->disconnect_reason;
1815 
1816 	SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1817 	sm->Disconnect = FALSE;
1818 	sm->disconnect_reason = 0;
1819 	if (!reason)
1820 		reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
1821 	wpa_sta_disconnect(sm->wpa_auth, sm->addr, reason);
1822 }
1823 
1824 
SM_STATE(WPA_PTK,DISCONNECTED)1825 SM_STATE(WPA_PTK, DISCONNECTED)
1826 {
1827 	SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1828 	sm->DeauthenticationRequest = FALSE;
1829 }
1830 
1831 
SM_STATE(WPA_PTK,AUTHENTICATION)1832 SM_STATE(WPA_PTK, AUTHENTICATION)
1833 {
1834 	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1835 	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1836 	sm->PTK_valid = FALSE;
1837 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1838 			   1);
1839 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1840 	sm->AuthenticationRequest = FALSE;
1841 }
1842 
1843 
wpa_group_ensure_init(struct wpa_authenticator * wpa_auth,struct wpa_group * group)1844 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1845 				  struct wpa_group *group)
1846 {
1847 	if (group->first_sta_seen)
1848 		return;
1849 	/*
1850 	 * System has run bit further than at the time hostapd was started
1851 	 * potentially very early during boot up. This provides better chances
1852 	 * of collecting more randomness on embedded systems. Re-initialize the
1853 	 * GMK and Counter here to improve their strength if there was not
1854 	 * enough entropy available immediately after system startup.
1855 	 */
1856 	wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1857 		   "station");
1858 	if (random_pool_ready() != 1) {
1859 		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1860 			   "to proceed - reject first 4-way handshake");
1861 		group->reject_4way_hs_for_entropy = TRUE;
1862 	} else {
1863 		group->first_sta_seen = TRUE;
1864 		group->reject_4way_hs_for_entropy = FALSE;
1865 	}
1866 
1867 	if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1868 	    wpa_gtk_update(wpa_auth, group) < 0 ||
1869 	    wpa_group_config_group_keys(wpa_auth, group) < 0) {
1870 		wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1871 		group->first_sta_seen = FALSE;
1872 		group->reject_4way_hs_for_entropy = TRUE;
1873 	}
1874 }
1875 
1876 
SM_STATE(WPA_PTK,AUTHENTICATION2)1877 SM_STATE(WPA_PTK, AUTHENTICATION2)
1878 {
1879 	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1880 
1881 	wpa_group_ensure_init(sm->wpa_auth, sm->group);
1882 	sm->ReAuthenticationRequest = FALSE;
1883 
1884 	/*
1885 	 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1886 	 * ambiguous. The Authenticator state machine uses a counter that is
1887 	 * incremented by one for each 4-way handshake. However, the security
1888 	 * analysis of 4-way handshake points out that unpredictable nonces
1889 	 * help in preventing precomputation attacks. Instead of the state
1890 	 * machine definition, use an unpredictable nonce value here to provide
1891 	 * stronger protection against potential precomputation attacks.
1892 	 */
1893 	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1894 		wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1895 			   "ANonce.");
1896 		sm->Disconnect = TRUE;
1897 		return;
1898 	}
1899 	wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1900 		    WPA_NONCE_LEN);
1901 	/* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1902 	 * logical place than INITIALIZE since AUTHENTICATION2 can be
1903 	 * re-entered on ReAuthenticationRequest without going through
1904 	 * INITIALIZE. */
1905 	sm->TimeoutCtr = 0;
1906 }
1907 
1908 
wpa_auth_sm_ptk_update(struct wpa_state_machine * sm)1909 static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
1910 {
1911 	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1912 		wpa_printf(MSG_ERROR,
1913 			   "WPA: Failed to get random data for ANonce");
1914 		sm->Disconnect = TRUE;
1915 		return -1;
1916 	}
1917 	wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
1918 		    WPA_NONCE_LEN);
1919 	sm->TimeoutCtr = 0;
1920 	return 0;
1921 }
1922 
1923 
SM_STATE(WPA_PTK,INITPMK)1924 SM_STATE(WPA_PTK, INITPMK)
1925 {
1926 	u8 msk[2 * PMK_LEN];
1927 	size_t len = 2 * PMK_LEN;
1928 
1929 	SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1930 #ifdef CONFIG_IEEE80211R_AP
1931 	sm->xxkey_len = 0;
1932 #endif /* CONFIG_IEEE80211R_AP */
1933 	if (sm->pmksa) {
1934 		wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1935 		os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1936 		sm->pmk_len = sm->pmksa->pmk_len;
1937 #ifdef CONFIG_DPP
1938 	} else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP) {
1939 		wpa_printf(MSG_DEBUG,
1940 			   "DPP: No PMKSA cache entry for STA - reject connection");
1941 		sm->Disconnect = TRUE;
1942 		sm->disconnect_reason = WLAN_REASON_INVALID_PMKID;
1943 		return;
1944 #endif /* CONFIG_DPP */
1945 	} else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1946 		unsigned int pmk_len;
1947 
1948 		if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
1949 			pmk_len = PMK_LEN_SUITE_B_192;
1950 		else
1951 			pmk_len = PMK_LEN;
1952 		wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1953 			   "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1954 			   pmk_len);
1955 		if (len < pmk_len) {
1956 			wpa_printf(MSG_DEBUG,
1957 				   "WPA: MSK not long enough (%u) to create PMK (%u)",
1958 				   (unsigned int) len, (unsigned int) pmk_len);
1959 			sm->Disconnect = TRUE;
1960 			return;
1961 		}
1962 		os_memcpy(sm->PMK, msk, pmk_len);
1963 		sm->pmk_len = pmk_len;
1964 #ifdef CONFIG_IEEE80211R_AP
1965 		if (len >= 2 * PMK_LEN) {
1966 			os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1967 			sm->xxkey_len = PMK_LEN;
1968 		}
1969 #endif /* CONFIG_IEEE80211R_AP */
1970 	} else {
1971 		wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
1972 			   sm->wpa_auth->cb->get_msk);
1973 		sm->Disconnect = TRUE;
1974 		return;
1975 	}
1976 	os_memset(msk, 0, sizeof(msk));
1977 
1978 	sm->req_replay_counter_used = 0;
1979 	/* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1980 	 * will break reauthentication since EAPOL state machines may not be
1981 	 * get into AUTHENTICATING state that clears keyRun before WPA state
1982 	 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1983 	 * state and takes PMK from the previously used AAA Key. This will
1984 	 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1985 	 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1986 	 * be good workaround for this issue. */
1987 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1988 }
1989 
1990 
SM_STATE(WPA_PTK,INITPSK)1991 SM_STATE(WPA_PTK, INITPSK)
1992 {
1993 	const u8 *psk;
1994 	size_t psk_len;
1995 
1996 	SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
1997 	psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
1998 			       &psk_len);
1999 	if (psk) {
2000 		os_memcpy(sm->PMK, psk, psk_len);
2001 		sm->pmk_len = psk_len;
2002 #ifdef CONFIG_IEEE80211R_AP
2003 		os_memcpy(sm->xxkey, psk, PMK_LEN);
2004 		sm->xxkey_len = PMK_LEN;
2005 #endif /* CONFIG_IEEE80211R_AP */
2006 	}
2007 #ifdef CONFIG_SAE
2008 	if (wpa_auth_uses_sae(sm) && sm->pmksa) {
2009 		wpa_printf(MSG_DEBUG, "SAE: PMK from PMKSA cache");
2010 		os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
2011 		sm->pmk_len = sm->pmksa->pmk_len;
2012 	}
2013 #endif /* CONFIG_SAE */
2014 	sm->req_replay_counter_used = 0;
2015 }
2016 
2017 
SM_STATE(WPA_PTK,PTKSTART)2018 SM_STATE(WPA_PTK, PTKSTART)
2019 {
2020 	u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2021 	size_t pmkid_len = 0;
2022 
2023 	SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2024 	sm->PTKRequest = FALSE;
2025 	sm->TimeoutEvt = FALSE;
2026 	sm->alt_snonce_valid = FALSE;
2027 
2028 	sm->TimeoutCtr++;
2029 	if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2030 		/* No point in sending the EAPOL-Key - we will disconnect
2031 		 * immediately following this. */
2032 		return;
2033 	}
2034 
2035 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2036 			"sending 1/4 msg of 4-Way Handshake");
2037 	/*
2038 	 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
2039 	 * one possible PSK for this STA.
2040 	 */
2041 	if (sm->wpa == WPA_VERSION_WPA2 &&
2042 	    (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
2043 	     (sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE && sm->pmksa) ||
2044 	     wpa_key_mgmt_sae(sm->wpa_key_mgmt)) &&
2045 	    sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
2046 		pmkid = buf;
2047 		pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2048 		pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2049 		pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2050 		RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
2051 		if (sm->pmksa) {
2052 			os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2053 				  sm->pmksa->pmkid, PMKID_LEN);
2054 		} else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2055 			/* No KCK available to derive PMKID */
2056 			pmkid = NULL;
2057 		} else {
2058 			/*
2059 			 * Calculate PMKID since no PMKSA cache entry was
2060 			 * available with pre-calculated PMKID.
2061 			 */
2062 			rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
2063 				  sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2064 				  sm->wpa_key_mgmt);
2065 		}
2066 	}
2067 	wpa_send_eapol(sm->wpa_auth, sm,
2068 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2069 		       sm->ANonce, pmkid, pmkid_len, 0, 0);
2070 }
2071 
2072 
wpa_derive_ptk(struct wpa_state_machine * sm,const u8 * snonce,const u8 * pmk,unsigned int pmk_len,struct wpa_ptk * ptk)2073 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2074 			  const u8 *pmk, unsigned int pmk_len,
2075 			  struct wpa_ptk *ptk)
2076 {
2077 #ifdef CONFIG_IEEE80211R_AP
2078 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
2079 		return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
2080 #endif /* CONFIG_IEEE80211R_AP */
2081 
2082 	return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
2083 			      sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2084 			      ptk, sm->wpa_key_mgmt, sm->pairwise);
2085 }
2086 
2087 
2088 #ifdef CONFIG_FILS
2089 
fils_auth_pmk_to_ptk(struct wpa_state_machine * sm,const u8 * pmk,size_t pmk_len,const u8 * snonce,const u8 * anonce,const u8 * dhss,size_t dhss_len,struct wpabuf * g_sta,struct wpabuf * g_ap)2090 int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2091 			 size_t pmk_len, const u8 *snonce, const u8 *anonce,
2092 			 const u8 *dhss, size_t dhss_len,
2093 			 struct wpabuf *g_sta, struct wpabuf *g_ap)
2094 {
2095 	u8 ick[FILS_ICK_MAX_LEN];
2096 	size_t ick_len;
2097 	int res;
2098 	u8 fils_ft[FILS_FT_MAX_LEN];
2099 	size_t fils_ft_len = 0;
2100 
2101 	res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
2102 			      snonce, anonce, dhss, dhss_len,
2103 			      &sm->PTK, ick, &ick_len,
2104 			      sm->wpa_key_mgmt, sm->pairwise,
2105 			      fils_ft, &fils_ft_len);
2106 	if (res < 0)
2107 		return res;
2108 	sm->PTK_valid = TRUE;
2109 	sm->tk_already_set = FALSE;
2110 
2111 #ifdef CONFIG_IEEE80211R_AP
2112 	if (fils_ft_len) {
2113 		struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2114 		struct wpa_auth_config *conf = &wpa_auth->conf;
2115 		u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
2116 
2117 		if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
2118 				      conf->ssid, conf->ssid_len,
2119 				      conf->mobility_domain,
2120 				      conf->r0_key_holder,
2121 				      conf->r0_key_holder_len,
2122 				      sm->addr, pmk_r0, pmk_r0_name) < 0)
2123 			return -1;
2124 
2125 		wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", pmk_r0, PMK_LEN);
2126 		wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
2127 			    pmk_r0_name, WPA_PMK_NAME_LEN);
2128 		wpa_ft_store_pmk_r0(wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
2129 				    sm->pairwise);
2130 		os_memset(fils_ft, 0, sizeof(fils_ft));
2131 	}
2132 #endif /* CONFIG_IEEE80211R_AP */
2133 
2134 	res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2135 			       sm->addr, sm->wpa_auth->addr,
2136 			       g_sta ? wpabuf_head(g_sta) : NULL,
2137 			       g_sta ? wpabuf_len(g_sta) : 0,
2138 			       g_ap ? wpabuf_head(g_ap) : NULL,
2139 			       g_ap ? wpabuf_len(g_ap) : 0,
2140 			       sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2141 			       sm->fils_key_auth_ap,
2142 			       &sm->fils_key_auth_len);
2143 	os_memset(ick, 0, sizeof(ick));
2144 
2145 	/* Store nonces for (Re)Association Request/Response frame processing */
2146 	os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2147 	os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2148 
2149 	return res;
2150 }
2151 
2152 
wpa_aead_decrypt(struct wpa_state_machine * sm,struct wpa_ptk * ptk,u8 * buf,size_t buf_len,u16 * _key_data_len)2153 static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
2154 			    u8 *buf, size_t buf_len, u16 *_key_data_len)
2155 {
2156 	struct ieee802_1x_hdr *hdr;
2157 	struct wpa_eapol_key *key;
2158 	u8 *pos;
2159 	u16 key_data_len;
2160 	u8 *tmp;
2161 	const u8 *aad[1];
2162 	size_t aad_len[1];
2163 
2164 	hdr = (struct ieee802_1x_hdr *) buf;
2165 	key = (struct wpa_eapol_key *) (hdr + 1);
2166 	pos = (u8 *) (key + 1);
2167 	key_data_len = WPA_GET_BE16(pos);
2168 	if (key_data_len < AES_BLOCK_SIZE ||
2169 	    key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2170 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2171 				"No room for AES-SIV data in the frame");
2172 		return -1;
2173 	}
2174 	pos += 2; /* Pointing at the Encrypted Key Data field */
2175 
2176 	tmp = os_malloc(key_data_len);
2177 	if (!tmp)
2178 		return -1;
2179 
2180 	/* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2181 	 * to Key Data (exclusive). */
2182 	aad[0] = buf;
2183 	aad_len[0] = pos - buf;
2184 	if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2185 			    1, aad, aad_len, tmp) < 0) {
2186 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2187 				"Invalid AES-SIV data in the frame");
2188 		bin_clear_free(tmp, key_data_len);
2189 		return -1;
2190 	}
2191 
2192 	/* AEAD decryption and validation completed successfully */
2193 	key_data_len -= AES_BLOCK_SIZE;
2194 	wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2195 			tmp, key_data_len);
2196 
2197 	/* Replace Key Data field with the decrypted version */
2198 	os_memcpy(pos, tmp, key_data_len);
2199 	pos -= 2; /* Key Data Length field */
2200 	WPA_PUT_BE16(pos, key_data_len);
2201 	bin_clear_free(tmp, key_data_len);
2202 	if (_key_data_len)
2203 		*_key_data_len = key_data_len;
2204 	return 0;
2205 }
2206 
2207 
wpa_fils_validate_fils_session(struct wpa_state_machine * sm,const u8 * ies,size_t ies_len,const u8 * fils_session)2208 const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
2209 					  const u8 *ies, size_t ies_len,
2210 					  const u8 *fils_session)
2211 {
2212 	const u8 *ie, *end;
2213 	const u8 *session = NULL;
2214 
2215 	if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2216 		wpa_printf(MSG_DEBUG,
2217 			   "FILS: Not a FILS AKM - reject association");
2218 		return NULL;
2219 	}
2220 
2221 	/* Verify Session element */
2222 	ie = ies;
2223 	end = ((const u8 *) ie) + ies_len;
2224 	while (ie + 1 < end) {
2225 		if (ie + 2 + ie[1] > end)
2226 			break;
2227 		if (ie[0] == WLAN_EID_EXTENSION &&
2228 		    ie[1] >= 1 + FILS_SESSION_LEN &&
2229 		    ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2230 			session = ie;
2231 			break;
2232 		}
2233 		ie += 2 + ie[1];
2234 	}
2235 
2236 	if (!session) {
2237 		wpa_printf(MSG_DEBUG,
2238 			   "FILS: %s: Could not find FILS Session element in Assoc Req - reject",
2239 			   __func__);
2240 		return NULL;
2241 	}
2242 
2243 	if (!fils_session) {
2244 		wpa_printf(MSG_DEBUG,
2245 			   "FILS: %s: Could not find FILS Session element in STA entry - reject",
2246 			   __func__);
2247 		return NULL;
2248 	}
2249 
2250 	if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2251 		wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2252 		wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2253 			    fils_session, FILS_SESSION_LEN);
2254 		wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2255 			    session + 3, FILS_SESSION_LEN);
2256 		return NULL;
2257 	}
2258 	return session;
2259 }
2260 
2261 
wpa_fils_validate_key_confirm(struct wpa_state_machine * sm,const u8 * ies,size_t ies_len)2262 int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
2263 				  size_t ies_len)
2264 {
2265 	struct ieee802_11_elems elems;
2266 
2267 	if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
2268 		wpa_printf(MSG_DEBUG,
2269 			   "FILS: Failed to parse decrypted elements");
2270 		return -1;
2271 	}
2272 
2273 	if (!elems.fils_session) {
2274 		wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
2275 		return -1;
2276 	}
2277 
2278 	if (!elems.fils_key_confirm) {
2279 		wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2280 		return -1;
2281 	}
2282 
2283 	if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2284 		wpa_printf(MSG_DEBUG,
2285 			   "FILS: Unexpected Key-Auth length %d (expected %d)",
2286 			   elems.fils_key_confirm_len,
2287 			   (int) sm->fils_key_auth_len);
2288 		return -1;
2289 	}
2290 
2291 	if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2292 		      sm->fils_key_auth_len) != 0) {
2293 		wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2294 		wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2295 			    elems.fils_key_confirm, elems.fils_key_confirm_len);
2296 		wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2297 			    sm->fils_key_auth_sta, sm->fils_key_auth_len);
2298 		return -1;
2299 	}
2300 
2301 	return 0;
2302 }
2303 
2304 
fils_decrypt_assoc(struct wpa_state_machine * sm,const u8 * fils_session,const struct ieee80211_mgmt * mgmt,size_t frame_len,u8 * pos,size_t left)2305 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2306 		       const struct ieee80211_mgmt *mgmt, size_t frame_len,
2307 		       u8 *pos, size_t left)
2308 {
2309 	u16 fc, stype;
2310 	const u8 *end, *ie_start, *ie, *session, *crypt;
2311 	const u8 *aad[5];
2312 	size_t aad_len[5];
2313 
2314 	if (!sm || !sm->PTK_valid) {
2315 		wpa_printf(MSG_DEBUG,
2316 			   "FILS: No KEK to decrypt Assocication Request frame");
2317 		return -1;
2318 	}
2319 
2320 	if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2321 		wpa_printf(MSG_DEBUG,
2322 			   "FILS: Not a FILS AKM - reject association");
2323 		return -1;
2324 	}
2325 
2326 	end = ((const u8 *) mgmt) + frame_len;
2327 	fc = le_to_host16(mgmt->frame_control);
2328 	stype = WLAN_FC_GET_STYPE(fc);
2329 	if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2330 		ie_start = mgmt->u.reassoc_req.variable;
2331 	else
2332 		ie_start = mgmt->u.assoc_req.variable;
2333 	ie = ie_start;
2334 
2335 	/*
2336 	 * Find FILS Session element which is the last unencrypted element in
2337 	 * the frame.
2338 	 */
2339 	session = wpa_fils_validate_fils_session(sm, ie, end - ie,
2340 						 fils_session);
2341 	if (!session) {
2342 		wpa_printf(MSG_DEBUG, "FILS: Session validation failed");
2343 		return -1;
2344 	}
2345 
2346 	crypt = session + 2 + session[1];
2347 
2348 	if (end - crypt < AES_BLOCK_SIZE) {
2349 		wpa_printf(MSG_DEBUG,
2350 			   "FILS: Too short frame to include AES-SIV data");
2351 		return -1;
2352 	}
2353 
2354 	/* AES-SIV AAD vectors */
2355 
2356 	/* The STA's MAC address */
2357 	aad[0] = mgmt->sa;
2358 	aad_len[0] = ETH_ALEN;
2359 	/* The AP's BSSID */
2360 	aad[1] = mgmt->da;
2361 	aad_len[1] = ETH_ALEN;
2362 	/* The STA's nonce */
2363 	aad[2] = sm->SNonce;
2364 	aad_len[2] = FILS_NONCE_LEN;
2365 	/* The AP's nonce */
2366 	aad[3] = sm->ANonce;
2367 	aad_len[3] = FILS_NONCE_LEN;
2368 	/*
2369 	 * The (Re)Association Request frame from the Capability Information
2370 	 * field to the FILS Session element (both inclusive).
2371 	 */
2372 	aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
2373 	aad_len[4] = crypt - aad[4];
2374 
2375 	if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
2376 			    5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
2377 		wpa_printf(MSG_DEBUG,
2378 			   "FILS: Invalid AES-SIV data in the frame");
2379 		return -1;
2380 	}
2381 	wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2382 		    pos, left - AES_BLOCK_SIZE);
2383 
2384 	if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
2385 		wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
2386 		return -1;
2387 	}
2388 
2389 	return left - AES_BLOCK_SIZE;
2390 }
2391 
2392 
fils_encrypt_assoc(struct wpa_state_machine * sm,u8 * buf,size_t current_len,size_t max_len,const struct wpabuf * hlp)2393 int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
2394 		       size_t current_len, size_t max_len,
2395 		       const struct wpabuf *hlp)
2396 {
2397 	u8 *end = buf + max_len;
2398 	u8 *pos = buf + current_len;
2399 	struct ieee80211_mgmt *mgmt;
2400 	struct wpabuf *plain;
2401 	const u8 *aad[5];
2402 	size_t aad_len[5];
2403 
2404 	if (!sm || !sm->PTK_valid)
2405 		return -1;
2406 
2407 	wpa_hexdump(MSG_DEBUG,
2408 		    "FILS: Association Response frame before FILS processing",
2409 		    buf, current_len);
2410 
2411 	mgmt = (struct ieee80211_mgmt *) buf;
2412 
2413 	/* AES-SIV AAD vectors */
2414 
2415 	/* The AP's BSSID */
2416 	aad[0] = mgmt->sa;
2417 	aad_len[0] = ETH_ALEN;
2418 	/* The STA's MAC address */
2419 	aad[1] = mgmt->da;
2420 	aad_len[1] = ETH_ALEN;
2421 	/* The AP's nonce */
2422 	aad[2] = sm->ANonce;
2423 	aad_len[2] = FILS_NONCE_LEN;
2424 	/* The STA's nonce */
2425 	aad[3] = sm->SNonce;
2426 	aad_len[3] = FILS_NONCE_LEN;
2427 	/*
2428 	 * The (Re)Association Response frame from the Capability Information
2429 	 * field (the same offset in both Association and Reassociation
2430 	 * Response frames) to the FILS Session element (both inclusive).
2431 	 */
2432 	aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2433 	aad_len[4] = pos - aad[4];
2434 
2435 	/* The following elements will be encrypted with AES-SIV */
2436 	plain = fils_prepare_plainbuf(sm, hlp);
2437 	if (!plain) {
2438 		wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2439 		return -1;
2440 	}
2441 
2442 	if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2443 		wpa_printf(MSG_DEBUG,
2444 			   "FILS: Not enough room for FILS elements");
2445 		wpabuf_free(plain);
2446 		return -1;
2447 	}
2448 
2449 	wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2450 			    plain);
2451 
2452 	if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2453 			    wpabuf_head(plain), wpabuf_len(plain),
2454 			    5, aad, aad_len, pos) < 0) {
2455 		wpabuf_free(plain);
2456 		return -1;
2457 	}
2458 
2459 	wpa_hexdump(MSG_DEBUG,
2460 		    "FILS: Encrypted Association Response elements",
2461 		    pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2462 	current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2463 	wpabuf_free(plain);
2464 
2465 	sm->fils_completed = 1;
2466 
2467 	return current_len;
2468 }
2469 
2470 
fils_prepare_plainbuf(struct wpa_state_machine * sm,const struct wpabuf * hlp)2471 static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
2472 					     const struct wpabuf *hlp)
2473 {
2474 	struct wpabuf *plain;
2475 	u8 *len, *tmp, *tmp2;
2476 	u8 hdr[2];
2477 	u8 *gtk, dummy_gtk[32];
2478 	size_t gtk_len;
2479 	struct wpa_group *gsm;
2480 
2481 	plain = wpabuf_alloc(1000);
2482 	if (!plain)
2483 		return NULL;
2484 
2485 	/* TODO: FILS Public Key */
2486 
2487 	/* FILS Key Confirmation */
2488 	wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2489 	wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2490 	/* Element ID Extension */
2491 	wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2492 	wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2493 
2494 	/* FILS HLP Container */
2495 	if (hlp)
2496 		wpabuf_put_buf(plain, hlp);
2497 
2498 	/* TODO: FILS IP Address Assignment */
2499 
2500 	/* Key Delivery */
2501 	gsm = sm->group;
2502 	wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2503 	len = wpabuf_put(plain, 1);
2504 	wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2505 	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2506 			    wpabuf_put(plain, WPA_KEY_RSC_LEN));
2507 	/* GTK KDE */
2508 	gtk = gsm->GTK[gsm->GN - 1];
2509 	gtk_len = gsm->GTK_len;
2510 	if (sm->wpa_auth->conf.disable_gtk) {
2511 		/*
2512 		 * Provide unique random GTK to each STA to prevent use
2513 		 * of GTK in the BSS.
2514 		 */
2515 		if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2516 			wpabuf_free(plain);
2517 			return NULL;
2518 		}
2519 		gtk = dummy_gtk;
2520 	}
2521 	hdr[0] = gsm->GN & 0x03;
2522 	hdr[1] = 0;
2523 	tmp = wpabuf_put(plain, 0);
2524 	tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2525 			   gtk, gtk_len);
2526 	wpabuf_put(plain, tmp2 - tmp);
2527 
2528 	/* IGTK KDE */
2529 	tmp = wpabuf_put(plain, 0);
2530 	tmp2 = ieee80211w_kde_add(sm, tmp);
2531 	wpabuf_put(plain, tmp2 - tmp);
2532 
2533 	*len = (u8 *) wpabuf_put(plain, 0) - len - 1;
2534 	return plain;
2535 }
2536 
2537 
fils_set_tk(struct wpa_state_machine * sm)2538 int fils_set_tk(struct wpa_state_machine *sm)
2539 {
2540 	enum wpa_alg alg;
2541 	int klen;
2542 
2543 	if (!sm || !sm->PTK_valid) {
2544 		wpa_printf(MSG_DEBUG, "FILS: No valid PTK available to set TK");
2545 		return -1;
2546 	}
2547 	if (sm->tk_already_set) {
2548 		wpa_printf(MSG_DEBUG, "FILS: TK already set to the driver");
2549 		return -1;
2550 	}
2551 
2552 	alg = wpa_cipher_to_alg(sm->pairwise);
2553 	klen = wpa_cipher_key_len(sm->pairwise);
2554 
2555 	wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2556 	if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2557 			     sm->PTK.tk, klen)) {
2558 		wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2559 		return -1;
2560 	}
2561 	sm->tk_already_set = TRUE;
2562 
2563 	return 0;
2564 }
2565 
2566 
hostapd_eid_assoc_fils_session(struct wpa_state_machine * sm,u8 * buf,const u8 * fils_session,struct wpabuf * hlp)2567 u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
2568 				    const u8 *fils_session, struct wpabuf *hlp)
2569 {
2570 	struct wpabuf *plain;
2571 	u8 *pos = buf;
2572 
2573 	/* FILS Session */
2574 	*pos++ = WLAN_EID_EXTENSION; /* Element ID */
2575 	*pos++ = 1 + FILS_SESSION_LEN; /* Length */
2576 	*pos++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
2577 	os_memcpy(pos, fils_session, FILS_SESSION_LEN);
2578 	pos += FILS_SESSION_LEN;
2579 
2580 	plain = fils_prepare_plainbuf(sm, hlp);
2581 	if (!plain) {
2582 		wpa_printf(MSG_DEBUG, "FILS: Plain buffer prep failed");
2583 		return NULL;
2584 	}
2585 
2586 	os_memcpy(pos, wpabuf_head(plain), wpabuf_len(plain));
2587 	pos += wpabuf_len(plain);
2588 
2589 	wpa_printf(MSG_DEBUG, "%s: plain buf_len: %u", __func__,
2590 		   (unsigned int) wpabuf_len(plain));
2591 	wpabuf_free(plain);
2592 	sm->fils_completed = 1;
2593 	return pos;
2594 }
2595 
2596 #endif /* CONFIG_FILS */
2597 
2598 
SM_STATE(WPA_PTK,PTKCALCNEGOTIATING)2599 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2600 {
2601 	struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2602 	struct wpa_ptk PTK;
2603 	int ok = 0, psk_found = 0;
2604 	const u8 *pmk = NULL;
2605 	size_t pmk_len;
2606 	int ft;
2607 	const u8 *eapol_key_ie, *key_data, *mic;
2608 	u16 key_data_length;
2609 	size_t mic_len, eapol_key_ie_len;
2610 	struct ieee802_1x_hdr *hdr;
2611 	struct wpa_eapol_key *key;
2612 	struct wpa_eapol_ie_parse kde;
2613 
2614 	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2615 	sm->EAPOLKeyReceived = FALSE;
2616 	sm->update_snonce = FALSE;
2617 	os_memset(&PTK, 0, sizeof(PTK));
2618 
2619 	mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
2620 
2621 	/* WPA with IEEE 802.1X: use the derived PMK from EAP
2622 	 * WPA-PSK: iterate through possible PSKs and select the one matching
2623 	 * the packet */
2624 	for (;;) {
2625 		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
2626 		    !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
2627 			pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2628 					       sm->p2p_dev_addr, pmk, &pmk_len);
2629 			if (pmk == NULL)
2630 				break;
2631 			psk_found = 1;
2632 		} else {
2633 			pmk = sm->PMK;
2634 			pmk_len = sm->pmk_len;
2635 		}
2636 
2637 		if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2638 			break;
2639 
2640 		if (mic_len &&
2641 		    wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
2642 				       sm->last_rx_eapol_key,
2643 				       sm->last_rx_eapol_key_len) == 0) {
2644 			ok = 1;
2645 			break;
2646 		}
2647 
2648 #ifdef CONFIG_FILS
2649 		if (!mic_len &&
2650 		    wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2651 				     sm->last_rx_eapol_key_len, NULL) == 0) {
2652 			ok = 1;
2653 			break;
2654 		}
2655 #endif /* CONFIG_FILS */
2656 
2657 		if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
2658 			break;
2659 	}
2660 
2661 	if (!ok) {
2662 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2663 				"invalid MIC in msg 2/4 of 4-Way Handshake");
2664 		if (psk_found)
2665 			wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
2666 		return;
2667 	}
2668 
2669 	/*
2670 	 * Note: last_rx_eapol_key length fields have already been validated in
2671 	 * wpa_receive().
2672 	 */
2673 	hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2674 	key = (struct wpa_eapol_key *) (hdr + 1);
2675 	mic = (u8 *) (key + 1);
2676 	key_data = mic + mic_len + 2;
2677 	key_data_length = WPA_GET_BE16(mic + mic_len);
2678 	if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2679 	    sizeof(*key) - mic_len - 2)
2680 		return;
2681 
2682 	if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2683 		wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2684 				 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2685 		return;
2686 	}
2687 	if (kde.rsn_ie) {
2688 		eapol_key_ie = kde.rsn_ie;
2689 		eapol_key_ie_len = kde.rsn_ie_len;
2690 	} else if (kde.osen) {
2691 		eapol_key_ie = kde.osen;
2692 		eapol_key_ie_len = kde.osen_len;
2693 	} else {
2694 		eapol_key_ie = kde.wpa_ie;
2695 		eapol_key_ie_len = kde.wpa_ie_len;
2696 	}
2697 	ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2698 	if (sm->wpa_ie == NULL ||
2699 	    wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2700 			       eapol_key_ie, eapol_key_ie_len)) {
2701 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2702 				"WPA IE from (Re)AssocReq did not match with msg 2/4");
2703 		if (sm->wpa_ie) {
2704 			wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2705 				    sm->wpa_ie, sm->wpa_ie_len);
2706 		}
2707 		wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2708 			    eapol_key_ie, eapol_key_ie_len);
2709 		/* MLME-DEAUTHENTICATE.request */
2710 		wpa_sta_disconnect(wpa_auth, sm->addr,
2711 				   WLAN_REASON_PREV_AUTH_NOT_VALID);
2712 		return;
2713 	}
2714 #ifdef CONFIG_IEEE80211R_AP
2715 	if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
2716 		wpa_sta_disconnect(wpa_auth, sm->addr,
2717 				   WLAN_REASON_PREV_AUTH_NOT_VALID);
2718 		return;
2719 	}
2720 #endif /* CONFIG_IEEE80211R_AP */
2721 #ifdef CONFIG_P2P
2722 	if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2723 	    wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2724 		int idx;
2725 		wpa_printf(MSG_DEBUG,
2726 			   "P2P: IP address requested in EAPOL-Key exchange");
2727 		idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2728 		if (idx >= 0) {
2729 			u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2730 			bitfield_set(wpa_auth->ip_pool, idx);
2731 			WPA_PUT_BE32(sm->ip_addr, start + idx);
2732 			wpa_printf(MSG_DEBUG,
2733 				   "P2P: Assigned IP address %u.%u.%u.%u to "
2734 				   MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2735 				   sm->ip_addr[2], sm->ip_addr[3],
2736 				   MAC2STR(sm->addr));
2737 		}
2738 	}
2739 #endif /* CONFIG_P2P */
2740 
2741 #ifdef CONFIG_IEEE80211R_AP
2742 	if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2743 		/*
2744 		 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2745 		 * with the value we derived.
2746 		 */
2747 		if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2748 				    WPA_PMK_NAME_LEN) != 0) {
2749 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2750 					"PMKR1Name mismatch in FT 4-way "
2751 					"handshake");
2752 			wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2753 				    "Supplicant",
2754 				    sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2755 			wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2756 				    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2757 			return;
2758 		}
2759 	}
2760 #endif /* CONFIG_IEEE80211R_AP */
2761 
2762 	sm->pending_1_of_4_timeout = 0;
2763 	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2764 
2765 	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2766 		/* PSK may have changed from the previous choice, so update
2767 		 * state machine data based on whatever PSK was selected here.
2768 		 */
2769 		os_memcpy(sm->PMK, pmk, PMK_LEN);
2770 		sm->pmk_len = PMK_LEN;
2771 	}
2772 
2773 	sm->MICVerified = TRUE;
2774 
2775 	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2776 	sm->PTK_valid = TRUE;
2777 }
2778 
2779 
SM_STATE(WPA_PTK,PTKCALCNEGOTIATING2)2780 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2781 {
2782 	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2783 	sm->TimeoutCtr = 0;
2784 }
2785 
2786 
2787 #ifdef CONFIG_IEEE80211W
2788 
ieee80211w_kde_len(struct wpa_state_machine * sm)2789 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2790 {
2791 	if (sm->mgmt_frame_prot) {
2792 		size_t len;
2793 		len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2794 		return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
2795 	}
2796 
2797 	return 0;
2798 }
2799 
2800 
ieee80211w_kde_add(struct wpa_state_machine * sm,u8 * pos)2801 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2802 {
2803 	struct wpa_igtk_kde igtk;
2804 	struct wpa_group *gsm = sm->group;
2805 	u8 rsc[WPA_KEY_RSC_LEN];
2806 	size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2807 
2808 	if (!sm->mgmt_frame_prot)
2809 		return pos;
2810 
2811 	igtk.keyid[0] = gsm->GN_igtk;
2812 	igtk.keyid[1] = 0;
2813 	if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
2814 	    wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
2815 		os_memset(igtk.pn, 0, sizeof(igtk.pn));
2816 	else
2817 		os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
2818 	os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
2819 	if (sm->wpa_auth->conf.disable_gtk) {
2820 		/*
2821 		 * Provide unique random IGTK to each STA to prevent use of
2822 		 * IGTK in the BSS.
2823 		 */
2824 		if (random_get_bytes(igtk.igtk, len) < 0)
2825 			return pos;
2826 	}
2827 	pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
2828 			  (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2829 			  NULL, 0);
2830 
2831 	return pos;
2832 }
2833 
2834 #else /* CONFIG_IEEE80211W */
2835 
ieee80211w_kde_len(struct wpa_state_machine * sm)2836 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2837 {
2838 	return 0;
2839 }
2840 
2841 
ieee80211w_kde_add(struct wpa_state_machine * sm,u8 * pos)2842 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2843 {
2844 	return pos;
2845 }
2846 
2847 #endif /* CONFIG_IEEE80211W */
2848 
2849 
SM_STATE(WPA_PTK,PTKINITNEGOTIATING)2850 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2851 {
2852 	u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
2853 	size_t gtk_len, kde_len;
2854 	struct wpa_group *gsm = sm->group;
2855 	u8 *wpa_ie;
2856 	int wpa_ie_len, secure, keyidx, encr = 0;
2857 
2858 	SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2859 	sm->TimeoutEvt = FALSE;
2860 
2861 	sm->TimeoutCtr++;
2862 	if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
2863 	    sm->TimeoutCtr > 1) {
2864 		/* Do not allow retransmission of EAPOL-Key msg 3/4 */
2865 		return;
2866 	}
2867 	if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
2868 		/* No point in sending the EAPOL-Key - we will disconnect
2869 		 * immediately following this. */
2870 		return;
2871 	}
2872 
2873 	/* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2874 	   GTK[GN], IGTK, [FTIE], [TIE * 2])
2875 	 */
2876 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2877 	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2878 	/* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
2879 	wpa_ie = sm->wpa_auth->wpa_ie;
2880 	wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2881 	if (sm->wpa == WPA_VERSION_WPA &&
2882 	    (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2883 	    wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
2884 		/* WPA-only STA, remove RSN IE and possible MDIE */
2885 		wpa_ie = wpa_ie + wpa_ie[1] + 2;
2886 		if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2887 			wpa_ie = wpa_ie + wpa_ie[1] + 2;
2888 		wpa_ie_len = wpa_ie[1] + 2;
2889 	}
2890 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2891 			"sending 3/4 msg of 4-Way Handshake");
2892 	if (sm->wpa == WPA_VERSION_WPA2) {
2893 		/* WPA2 send GTK in the 4-way handshake */
2894 		secure = 1;
2895 		gtk = gsm->GTK[gsm->GN - 1];
2896 		gtk_len = gsm->GTK_len;
2897 		if (sm->wpa_auth->conf.disable_gtk) {
2898 			/*
2899 			 * Provide unique random GTK to each STA to prevent use
2900 			 * of GTK in the BSS.
2901 			 */
2902 			if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2903 				return;
2904 			gtk = dummy_gtk;
2905 		}
2906 		keyidx = gsm->GN;
2907 		_rsc = rsc;
2908 		encr = 1;
2909 	} else {
2910 		/* WPA does not include GTK in msg 3/4 */
2911 		secure = 0;
2912 		gtk = NULL;
2913 		gtk_len = 0;
2914 		keyidx = 0;
2915 		_rsc = NULL;
2916 		if (sm->rx_eapol_key_secure) {
2917 			/*
2918 			 * It looks like Windows 7 supplicant tries to use
2919 			 * Secure bit in msg 2/4 after having reported Michael
2920 			 * MIC failure and it then rejects the 4-way handshake
2921 			 * if msg 3/4 does not set Secure bit. Work around this
2922 			 * by setting the Secure bit here even in the case of
2923 			 * WPA if the supplicant used it first.
2924 			 */
2925 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2926 					"STA used Secure bit in WPA msg 2/4 - "
2927 					"set Secure for 3/4 as workaround");
2928 			secure = 1;
2929 		}
2930 	}
2931 
2932 	kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2933 	if (gtk)
2934 		kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
2935 #ifdef CONFIG_IEEE80211R_AP
2936 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2937 		kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2938 		kde_len += 300; /* FTIE + 2 * TIE */
2939 	}
2940 #endif /* CONFIG_IEEE80211R_AP */
2941 #ifdef CONFIG_P2P
2942 	if (WPA_GET_BE32(sm->ip_addr) > 0)
2943 		kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2944 #endif /* CONFIG_P2P */
2945 	kde = os_malloc(kde_len);
2946 	if (kde == NULL)
2947 		return;
2948 
2949 	pos = kde;
2950 	os_memcpy(pos, wpa_ie, wpa_ie_len);
2951 	pos += wpa_ie_len;
2952 #ifdef CONFIG_IEEE80211R_AP
2953 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2954 		int res;
2955 		size_t elen;
2956 
2957 		elen = pos - kde;
2958 		res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
2959 		if (res < 0) {
2960 			wpa_printf(MSG_ERROR, "FT: Failed to insert "
2961 				   "PMKR1Name into RSN IE in EAPOL-Key data");
2962 			os_free(kde);
2963 			return;
2964 		}
2965 		pos -= wpa_ie_len;
2966 		pos += elen;
2967 	}
2968 #endif /* CONFIG_IEEE80211R_AP */
2969 	if (gtk) {
2970 		u8 hdr[2];
2971 		hdr[0] = keyidx & 0x03;
2972 		hdr[1] = 0;
2973 		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2974 				  gtk, gtk_len);
2975 	}
2976 	pos = ieee80211w_kde_add(sm, pos);
2977 
2978 #ifdef CONFIG_IEEE80211R_AP
2979 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2980 		int res;
2981 		struct wpa_auth_config *conf;
2982 
2983 		conf = &sm->wpa_auth->conf;
2984 		if (sm->assoc_resp_ftie &&
2985 		    kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
2986 			os_memcpy(pos, sm->assoc_resp_ftie,
2987 				  2 + sm->assoc_resp_ftie[1]);
2988 			res = 2 + sm->assoc_resp_ftie[1];
2989 		} else {
2990 			res = wpa_write_ftie(conf, conf->r0_key_holder,
2991 					     conf->r0_key_holder_len,
2992 					     NULL, NULL, pos,
2993 					     kde + kde_len - pos,
2994 					     NULL, 0);
2995 		}
2996 		if (res < 0) {
2997 			wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2998 				   "into EAPOL-Key Key Data");
2999 			os_free(kde);
3000 			return;
3001 		}
3002 		pos += res;
3003 
3004 		/* TIE[ReassociationDeadline] (TU) */
3005 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3006 		*pos++ = 5;
3007 		*pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
3008 		WPA_PUT_LE32(pos, conf->reassociation_deadline);
3009 		pos += 4;
3010 
3011 		/* TIE[KeyLifetime] (seconds) */
3012 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
3013 		*pos++ = 5;
3014 		*pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
3015 		WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
3016 		pos += 4;
3017 	}
3018 #endif /* CONFIG_IEEE80211R_AP */
3019 #ifdef CONFIG_P2P
3020 	if (WPA_GET_BE32(sm->ip_addr) > 0) {
3021 		u8 addr[3 * 4];
3022 		os_memcpy(addr, sm->ip_addr, 4);
3023 		os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
3024 		os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
3025 		pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
3026 				  addr, sizeof(addr), NULL, 0);
3027 	}
3028 #endif /* CONFIG_P2P */
3029 
3030 	wpa_send_eapol(sm->wpa_auth, sm,
3031 		       (secure ? WPA_KEY_INFO_SECURE : 0) |
3032 		       (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3033 			WPA_KEY_INFO_MIC : 0) |
3034 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
3035 		       WPA_KEY_INFO_KEY_TYPE,
3036 		       _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
3037 	os_free(kde);
3038 }
3039 
3040 
SM_STATE(WPA_PTK,PTKINITDONE)3041 SM_STATE(WPA_PTK, PTKINITDONE)
3042 {
3043 	SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
3044 	sm->EAPOLKeyReceived = FALSE;
3045 	if (sm->Pair) {
3046 		enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
3047 		int klen = wpa_cipher_key_len(sm->pairwise);
3048 		if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
3049 				     sm->PTK.tk, klen)) {
3050 			wpa_sta_disconnect(sm->wpa_auth, sm->addr,
3051 					   WLAN_REASON_PREV_AUTH_NOT_VALID);
3052 			return;
3053 		}
3054 		/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
3055 		sm->pairwise_set = TRUE;
3056 
3057 		if (sm->wpa_auth->conf.wpa_ptk_rekey) {
3058 			eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
3059 			eloop_register_timeout(sm->wpa_auth->conf.
3060 					       wpa_ptk_rekey, 0, wpa_rekey_ptk,
3061 					       sm->wpa_auth, sm);
3062 		}
3063 
3064 		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3065 		    sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
3066 		    sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
3067 			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3068 					   WPA_EAPOL_authorized, 1);
3069 		}
3070 	}
3071 
3072 	if (0 /* IBSS == TRUE */) {
3073 		sm->keycount++;
3074 		if (sm->keycount == 2) {
3075 			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
3076 					   WPA_EAPOL_portValid, 1);
3077 		}
3078 	} else {
3079 		wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
3080 				   1);
3081 	}
3082 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
3083 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
3084 	if (sm->wpa == WPA_VERSION_WPA)
3085 		sm->PInitAKeys = TRUE;
3086 	else
3087 		sm->has_GTK = TRUE;
3088 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3089 			 "pairwise key handshake completed (%s)",
3090 			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3091 
3092 #ifdef CONFIG_IEEE80211R_AP
3093 	wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
3094 #endif /* CONFIG_IEEE80211R_AP */
3095 }
3096 
3097 
SM_STEP(WPA_PTK)3098 SM_STEP(WPA_PTK)
3099 {
3100 	struct wpa_authenticator *wpa_auth = sm->wpa_auth;
3101 
3102 	if (sm->Init)
3103 		SM_ENTER(WPA_PTK, INITIALIZE);
3104 	else if (sm->Disconnect
3105 		 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
3106 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
3107 				"WPA_PTK: sm->Disconnect");
3108 		SM_ENTER(WPA_PTK, DISCONNECT);
3109 	}
3110 	else if (sm->DeauthenticationRequest)
3111 		SM_ENTER(WPA_PTK, DISCONNECTED);
3112 	else if (sm->AuthenticationRequest)
3113 		SM_ENTER(WPA_PTK, AUTHENTICATION);
3114 	else if (sm->ReAuthenticationRequest)
3115 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
3116 	else if (sm->PTKRequest) {
3117 		if (wpa_auth_sm_ptk_update(sm) < 0)
3118 			SM_ENTER(WPA_PTK, DISCONNECTED);
3119 		else
3120 			SM_ENTER(WPA_PTK, PTKSTART);
3121 	} else switch (sm->wpa_ptk_state) {
3122 	case WPA_PTK_INITIALIZE:
3123 		break;
3124 	case WPA_PTK_DISCONNECT:
3125 		SM_ENTER(WPA_PTK, DISCONNECTED);
3126 		break;
3127 	case WPA_PTK_DISCONNECTED:
3128 		SM_ENTER(WPA_PTK, INITIALIZE);
3129 		break;
3130 	case WPA_PTK_AUTHENTICATION:
3131 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
3132 		break;
3133 	case WPA_PTK_AUTHENTICATION2:
3134 		if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
3135 		    wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3136 				       WPA_EAPOL_keyRun) > 0)
3137 			SM_ENTER(WPA_PTK, INITPMK);
3138 		else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
3139 			 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
3140 			 /* FIX: && 802.1X::keyRun */)
3141 			SM_ENTER(WPA_PTK, INITPSK);
3142 		else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP)
3143 			SM_ENTER(WPA_PTK, INITPMK);
3144 		break;
3145 	case WPA_PTK_INITPMK:
3146 		if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
3147 				       WPA_EAPOL_keyAvailable) > 0) {
3148 			SM_ENTER(WPA_PTK, PTKSTART);
3149 #ifdef CONFIG_DPP
3150 		} else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->pmksa) {
3151 			SM_ENTER(WPA_PTK, PTKSTART);
3152 #endif /* CONFIG_DPP */
3153 		} else {
3154 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
3155 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3156 					"INITPMK - keyAvailable = false");
3157 			SM_ENTER(WPA_PTK, DISCONNECT);
3158 		}
3159 		break;
3160 	case WPA_PTK_INITPSK:
3161 		if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
3162 				     NULL, NULL)) {
3163 			SM_ENTER(WPA_PTK, PTKSTART);
3164 #ifdef CONFIG_SAE
3165 		} else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
3166 			SM_ENTER(WPA_PTK, PTKSTART);
3167 #endif /* CONFIG_SAE */
3168 		} else {
3169 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3170 					"no PSK configured for the STA");
3171 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
3172 			SM_ENTER(WPA_PTK, DISCONNECT);
3173 		}
3174 		break;
3175 	case WPA_PTK_PTKSTART:
3176 		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3177 		    sm->EAPOLKeyPairwise)
3178 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3179 		else if (sm->TimeoutCtr >
3180 			 sm->wpa_auth->conf.wpa_pairwise_update_count) {
3181 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
3182 			wpa_auth_vlogger(
3183 				sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3184 				"PTKSTART: Retry limit %u reached",
3185 				sm->wpa_auth->conf.wpa_pairwise_update_count);
3186 			SM_ENTER(WPA_PTK, DISCONNECT);
3187 		} else if (sm->TimeoutEvt)
3188 			SM_ENTER(WPA_PTK, PTKSTART);
3189 		break;
3190 	case WPA_PTK_PTKCALCNEGOTIATING:
3191 		if (sm->MICVerified)
3192 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3193 		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3194 			 sm->EAPOLKeyPairwise)
3195 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3196 		else if (sm->TimeoutEvt)
3197 			SM_ENTER(WPA_PTK, PTKSTART);
3198 		break;
3199 	case WPA_PTK_PTKCALCNEGOTIATING2:
3200 		SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3201 		break;
3202 	case WPA_PTK_PTKINITNEGOTIATING:
3203 		if (sm->update_snonce)
3204 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3205 		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3206 			 sm->EAPOLKeyPairwise && sm->MICVerified)
3207 			SM_ENTER(WPA_PTK, PTKINITDONE);
3208 		else if (sm->TimeoutCtr >
3209 			 sm->wpa_auth->conf.wpa_pairwise_update_count ||
3210 			 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3211 			  sm->TimeoutCtr > 1)) {
3212 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
3213 			wpa_auth_vlogger(
3214 				sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3215 				"PTKINITNEGOTIATING: Retry limit %u reached",
3216 				sm->wpa_auth->conf.wpa_pairwise_update_count);
3217 			SM_ENTER(WPA_PTK, DISCONNECT);
3218 		} else if (sm->TimeoutEvt)
3219 			SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3220 		break;
3221 	case WPA_PTK_PTKINITDONE:
3222 		break;
3223 	}
3224 }
3225 
3226 
SM_STATE(WPA_PTK_GROUP,IDLE)3227 SM_STATE(WPA_PTK_GROUP, IDLE)
3228 {
3229 	SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3230 	if (sm->Init) {
3231 		/* Init flag is not cleared here, so avoid busy
3232 		 * loop by claiming nothing changed. */
3233 		sm->changed = FALSE;
3234 	}
3235 	sm->GTimeoutCtr = 0;
3236 }
3237 
3238 
SM_STATE(WPA_PTK_GROUP,REKEYNEGOTIATING)3239 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3240 {
3241 	u8 rsc[WPA_KEY_RSC_LEN];
3242 	struct wpa_group *gsm = sm->group;
3243 	const u8 *kde;
3244 	u8 *kde_buf = NULL, *pos, hdr[2];
3245 	size_t kde_len;
3246 	u8 *gtk, dummy_gtk[32];
3247 
3248 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
3249 
3250 	sm->GTimeoutCtr++;
3251 	if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3252 	    sm->GTimeoutCtr > 1) {
3253 		/* Do not allow retransmission of EAPOL-Key group msg 1/2 */
3254 		return;
3255 	}
3256 	if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
3257 		/* No point in sending the EAPOL-Key - we will disconnect
3258 		 * immediately following this. */
3259 		return;
3260 	}
3261 
3262 	if (sm->wpa == WPA_VERSION_WPA)
3263 		sm->PInitAKeys = FALSE;
3264 	sm->TimeoutEvt = FALSE;
3265 	/* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3266 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3267 	if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3268 		wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3269 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3270 			"sending 1/2 msg of Group Key Handshake");
3271 
3272 	gtk = gsm->GTK[gsm->GN - 1];
3273 	if (sm->wpa_auth->conf.disable_gtk) {
3274 		/*
3275 		 * Provide unique random GTK to each STA to prevent use
3276 		 * of GTK in the BSS.
3277 		 */
3278 		if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3279 			return;
3280 		gtk = dummy_gtk;
3281 	}
3282 	if (sm->wpa == WPA_VERSION_WPA2) {
3283 		kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3284 			ieee80211w_kde_len(sm);
3285 		kde_buf = os_malloc(kde_len);
3286 		if (kde_buf == NULL)
3287 			return;
3288 
3289 		kde = pos = kde_buf;
3290 		hdr[0] = gsm->GN & 0x03;
3291 		hdr[1] = 0;
3292 		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
3293 				  gtk, gsm->GTK_len);
3294 		pos = ieee80211w_kde_add(sm, pos);
3295 		kde_len = pos - kde;
3296 	} else {
3297 		kde = gtk;
3298 		kde_len = gsm->GTK_len;
3299 	}
3300 
3301 	wpa_send_eapol(sm->wpa_auth, sm,
3302 		       WPA_KEY_INFO_SECURE |
3303 		       (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
3304 			WPA_KEY_INFO_MIC : 0) |
3305 		       WPA_KEY_INFO_ACK |
3306 		       (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
3307 		       rsc, NULL, kde, kde_len, gsm->GN, 1);
3308 
3309 	os_free(kde_buf);
3310 }
3311 
3312 
SM_STATE(WPA_PTK_GROUP,REKEYESTABLISHED)3313 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3314 {
3315 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3316 	sm->EAPOLKeyReceived = FALSE;
3317 	if (sm->GUpdateStationKeys)
3318 		sm->group->GKeyDoneStations--;
3319 	sm->GUpdateStationKeys = FALSE;
3320 	sm->GTimeoutCtr = 0;
3321 	/* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3322 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3323 			 "group key handshake completed (%s)",
3324 			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3325 	sm->has_GTK = TRUE;
3326 }
3327 
3328 
SM_STATE(WPA_PTK_GROUP,KEYERROR)3329 SM_STATE(WPA_PTK_GROUP, KEYERROR)
3330 {
3331 	SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3332 	if (sm->GUpdateStationKeys)
3333 		sm->group->GKeyDoneStations--;
3334 	sm->GUpdateStationKeys = FALSE;
3335 	sm->Disconnect = TRUE;
3336 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3337 			 "group key handshake failed (%s) after %u tries",
3338 			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3339 			 sm->wpa_auth->conf.wpa_group_update_count);
3340 }
3341 
3342 
SM_STEP(WPA_PTK_GROUP)3343 SM_STEP(WPA_PTK_GROUP)
3344 {
3345 	if (sm->Init || sm->PtkGroupInit) {
3346 		SM_ENTER(WPA_PTK_GROUP, IDLE);
3347 		sm->PtkGroupInit = FALSE;
3348 	} else switch (sm->wpa_ptk_group_state) {
3349 	case WPA_PTK_GROUP_IDLE:
3350 		if (sm->GUpdateStationKeys ||
3351 		    (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3352 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3353 		break;
3354 	case WPA_PTK_GROUP_REKEYNEGOTIATING:
3355 		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3356 		    !sm->EAPOLKeyPairwise && sm->MICVerified)
3357 			SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3358 		else if (sm->GTimeoutCtr >
3359 			 sm->wpa_auth->conf.wpa_group_update_count ||
3360 			 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
3361 			  sm->GTimeoutCtr > 1))
3362 			SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3363 		else if (sm->TimeoutEvt)
3364 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3365 		break;
3366 	case WPA_PTK_GROUP_KEYERROR:
3367 		SM_ENTER(WPA_PTK_GROUP, IDLE);
3368 		break;
3369 	case WPA_PTK_GROUP_REKEYESTABLISHED:
3370 		SM_ENTER(WPA_PTK_GROUP, IDLE);
3371 		break;
3372 	}
3373 }
3374 
3375 
wpa_gtk_update(struct wpa_authenticator * wpa_auth,struct wpa_group * group)3376 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3377 			  struct wpa_group *group)
3378 {
3379 	int ret = 0;
3380 
3381 	os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3382 	inc_byte_array(group->Counter, WPA_NONCE_LEN);
3383 	if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3384 			   wpa_auth->addr, group->GNonce,
3385 			   group->GTK[group->GN - 1], group->GTK_len) < 0)
3386 		ret = -1;
3387 	wpa_hexdump_key(MSG_DEBUG, "GTK",
3388 			group->GTK[group->GN - 1], group->GTK_len);
3389 
3390 #ifdef CONFIG_IEEE80211W
3391 	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3392 		size_t len;
3393 		len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3394 		os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3395 		inc_byte_array(group->Counter, WPA_NONCE_LEN);
3396 		if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3397 				   wpa_auth->addr, group->GNonce,
3398 				   group->IGTK[group->GN_igtk - 4], len) < 0)
3399 			ret = -1;
3400 		wpa_hexdump_key(MSG_DEBUG, "IGTK",
3401 				group->IGTK[group->GN_igtk - 4], len);
3402 	}
3403 #endif /* CONFIG_IEEE80211W */
3404 
3405 	return ret;
3406 }
3407 
3408 
wpa_group_gtk_init(struct wpa_authenticator * wpa_auth,struct wpa_group * group)3409 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3410 			       struct wpa_group *group)
3411 {
3412 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3413 		   "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3414 	group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3415 	group->wpa_group_state = WPA_GROUP_GTK_INIT;
3416 
3417 	/* GTK[0..N] = 0 */
3418 	os_memset(group->GTK, 0, sizeof(group->GTK));
3419 	group->GN = 1;
3420 	group->GM = 2;
3421 #ifdef CONFIG_IEEE80211W
3422 	group->GN_igtk = 4;
3423 	group->GM_igtk = 5;
3424 #endif /* CONFIG_IEEE80211W */
3425 	/* GTK[GN] = CalcGTK() */
3426 	wpa_gtk_update(wpa_auth, group);
3427 }
3428 
3429 
wpa_group_update_sta(struct wpa_state_machine * sm,void * ctx)3430 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3431 {
3432 	if (ctx != NULL && ctx != sm->group)
3433 		return 0;
3434 
3435 	if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3436 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3437 				"Not in PTKINITDONE; skip Group Key update");
3438 		sm->GUpdateStationKeys = FALSE;
3439 		return 0;
3440 	}
3441 	if (sm->GUpdateStationKeys) {
3442 		/*
3443 		 * This should not really happen, so add a debug log entry.
3444 		 * Since we clear the GKeyDoneStations before the loop, the
3445 		 * station needs to be counted here anyway.
3446 		 */
3447 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3448 				"GUpdateStationKeys was already set when "
3449 				"marking station for GTK rekeying");
3450 	}
3451 
3452 	/* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
3453 	if (sm->is_wnmsleep)
3454 		return 0;
3455 
3456 	sm->group->GKeyDoneStations++;
3457 	sm->GUpdateStationKeys = TRUE;
3458 
3459 	wpa_sm_step(sm);
3460 	return 0;
3461 }
3462 
3463 
3464 #ifdef CONFIG_WNM_AP
3465 /* update GTK when exiting WNM-Sleep Mode */
wpa_wnmsleep_rekey_gtk(struct wpa_state_machine * sm)3466 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3467 {
3468 	if (sm == NULL || sm->is_wnmsleep)
3469 		return;
3470 
3471 	wpa_group_update_sta(sm, NULL);
3472 }
3473 
3474 
wpa_set_wnmsleep(struct wpa_state_machine * sm,int flag)3475 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3476 {
3477 	if (sm)
3478 		sm->is_wnmsleep = !!flag;
3479 }
3480 
3481 
wpa_wnmsleep_gtk_subelem(struct wpa_state_machine * sm,u8 * pos)3482 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3483 {
3484 	struct wpa_group *gsm = sm->group;
3485 	u8 *start = pos;
3486 
3487 	/*
3488 	 * GTK subelement:
3489 	 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
3490 	 * Key[5..32]
3491 	 */
3492 	*pos++ = WNM_SLEEP_SUBELEM_GTK;
3493 	*pos++ = 11 + gsm->GTK_len;
3494 	/* Key ID in B0-B1 of Key Info */
3495 	WPA_PUT_LE16(pos, gsm->GN & 0x03);
3496 	pos += 2;
3497 	*pos++ = gsm->GTK_len;
3498 	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
3499 		return 0;
3500 	pos += 8;
3501 	os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3502 	pos += gsm->GTK_len;
3503 
3504 	wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3505 		   gsm->GN);
3506 	wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
3507 			gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3508 
3509 	return pos - start;
3510 }
3511 
3512 
3513 #ifdef CONFIG_IEEE80211W
wpa_wnmsleep_igtk_subelem(struct wpa_state_machine * sm,u8 * pos)3514 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3515 {
3516 	struct wpa_group *gsm = sm->group;
3517 	u8 *start = pos;
3518 	size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
3519 
3520 	/*
3521 	 * IGTK subelement:
3522 	 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3523 	 */
3524 	*pos++ = WNM_SLEEP_SUBELEM_IGTK;
3525 	*pos++ = 2 + 6 + len;
3526 	WPA_PUT_LE16(pos, gsm->GN_igtk);
3527 	pos += 2;
3528 	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
3529 		return 0;
3530 	pos += 6;
3531 
3532 	os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3533 	pos += len;
3534 
3535 	wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3536 		   gsm->GN_igtk);
3537 	wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
3538 			gsm->IGTK[gsm->GN_igtk - 4], len);
3539 
3540 	return pos - start;
3541 }
3542 #endif /* CONFIG_IEEE80211W */
3543 #endif /* CONFIG_WNM_AP */
3544 
3545 
wpa_group_setkeys(struct wpa_authenticator * wpa_auth,struct wpa_group * group)3546 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3547 			      struct wpa_group *group)
3548 {
3549 	int tmp;
3550 
3551 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3552 		   "SETKEYS (VLAN-ID %d)", group->vlan_id);
3553 	group->changed = TRUE;
3554 	group->wpa_group_state = WPA_GROUP_SETKEYS;
3555 	group->GTKReKey = FALSE;
3556 	tmp = group->GM;
3557 	group->GM = group->GN;
3558 	group->GN = tmp;
3559 #ifdef CONFIG_IEEE80211W
3560 	tmp = group->GM_igtk;
3561 	group->GM_igtk = group->GN_igtk;
3562 	group->GN_igtk = tmp;
3563 #endif /* CONFIG_IEEE80211W */
3564 	/* "GKeyDoneStations = GNoStations" is done in more robust way by
3565 	 * counting the STAs that are marked with GUpdateStationKeys instead of
3566 	 * including all STAs that could be in not-yet-completed state. */
3567 	wpa_gtk_update(wpa_auth, group);
3568 
3569 	if (group->GKeyDoneStations) {
3570 		wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3571 			   "GKeyDoneStations=%d when starting new GTK rekey",
3572 			   group->GKeyDoneStations);
3573 		group->GKeyDoneStations = 0;
3574 	}
3575 	wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
3576 	wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3577 		   group->GKeyDoneStations);
3578 }
3579 
3580 
wpa_group_config_group_keys(struct wpa_authenticator * wpa_auth,struct wpa_group * group)3581 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3582 				       struct wpa_group *group)
3583 {
3584 	int ret = 0;
3585 
3586 	if (wpa_auth_set_key(wpa_auth, group->vlan_id,
3587 			     wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
3588 			     broadcast_ether_addr, group->GN,
3589 			     group->GTK[group->GN - 1], group->GTK_len) < 0)
3590 		ret = -1;
3591 
3592 #ifdef CONFIG_IEEE80211W
3593 	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3594 		enum wpa_alg alg;
3595 		size_t len;
3596 
3597 		alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3598 		len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3599 
3600 		if (ret == 0 &&
3601 		    wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3602 				     broadcast_ether_addr, group->GN_igtk,
3603 				     group->IGTK[group->GN_igtk - 4], len) < 0)
3604 			ret = -1;
3605 	}
3606 #endif /* CONFIG_IEEE80211W */
3607 
3608 	return ret;
3609 }
3610 
3611 
wpa_group_disconnect_cb(struct wpa_state_machine * sm,void * ctx)3612 static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3613 {
3614 	if (sm->group == ctx) {
3615 		wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3616 			   " for discconnection due to fatal failure",
3617 			   MAC2STR(sm->addr));
3618 		sm->Disconnect = TRUE;
3619 	}
3620 
3621 	return 0;
3622 }
3623 
3624 
wpa_group_fatal_failure(struct wpa_authenticator * wpa_auth,struct wpa_group * group)3625 static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3626 				    struct wpa_group *group)
3627 {
3628 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3629 	group->changed = TRUE;
3630 	group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3631 	wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3632 }
3633 
3634 
wpa_group_setkeysdone(struct wpa_authenticator * wpa_auth,struct wpa_group * group)3635 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3636 				 struct wpa_group *group)
3637 {
3638 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3639 		   "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3640 	group->changed = TRUE;
3641 	group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3642 
3643 	if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3644 		wpa_group_fatal_failure(wpa_auth, group);
3645 		return -1;
3646 	}
3647 
3648 	return 0;
3649 }
3650 
3651 
wpa_group_sm_step(struct wpa_authenticator * wpa_auth,struct wpa_group * group)3652 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3653 			      struct wpa_group *group)
3654 {
3655 	if (group->GInit) {
3656 		wpa_group_gtk_init(wpa_auth, group);
3657 	} else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3658 		/* Do not allow group operations */
3659 	} else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3660 		   group->GTKAuthenticator) {
3661 		wpa_group_setkeysdone(wpa_auth, group);
3662 	} else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3663 		   group->GTKReKey) {
3664 		wpa_group_setkeys(wpa_auth, group);
3665 	} else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3666 		if (group->GKeyDoneStations == 0)
3667 			wpa_group_setkeysdone(wpa_auth, group);
3668 		else if (group->GTKReKey)
3669 			wpa_group_setkeys(wpa_auth, group);
3670 	}
3671 }
3672 
3673 
wpa_sm_step(struct wpa_state_machine * sm)3674 static int wpa_sm_step(struct wpa_state_machine *sm)
3675 {
3676 	if (sm == NULL)
3677 		return 0;
3678 
3679 	if (sm->in_step_loop) {
3680 		/* This should not happen, but if it does, make sure we do not
3681 		 * end up freeing the state machine too early by exiting the
3682 		 * recursive call. */
3683 		wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
3684 		return 0;
3685 	}
3686 
3687 	sm->in_step_loop = 1;
3688 	do {
3689 		if (sm->pending_deinit)
3690 			break;
3691 
3692 		sm->changed = FALSE;
3693 		sm->wpa_auth->group->changed = FALSE;
3694 
3695 		SM_STEP_RUN(WPA_PTK);
3696 		if (sm->pending_deinit)
3697 			break;
3698 		SM_STEP_RUN(WPA_PTK_GROUP);
3699 		if (sm->pending_deinit)
3700 			break;
3701 		wpa_group_sm_step(sm->wpa_auth, sm->group);
3702 	} while (sm->changed || sm->wpa_auth->group->changed);
3703 	sm->in_step_loop = 0;
3704 
3705 	if (sm->pending_deinit) {
3706 		wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3707 			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
3708 		wpa_free_sta_sm(sm);
3709 		return 1;
3710 	}
3711 	return 0;
3712 }
3713 
3714 
wpa_sm_call_step(void * eloop_ctx,void * timeout_ctx)3715 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3716 {
3717 	struct wpa_state_machine *sm = eloop_ctx;
3718 	wpa_sm_step(sm);
3719 }
3720 
3721 
wpa_auth_sm_notify(struct wpa_state_machine * sm)3722 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3723 {
3724 	if (sm == NULL)
3725 		return;
3726 	eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3727 }
3728 
3729 
wpa_gtk_rekey(struct wpa_authenticator * wpa_auth)3730 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3731 {
3732 	int tmp, i;
3733 	struct wpa_group *group;
3734 
3735 	if (wpa_auth == NULL)
3736 		return;
3737 
3738 	group = wpa_auth->group;
3739 
3740 	for (i = 0; i < 2; i++) {
3741 		tmp = group->GM;
3742 		group->GM = group->GN;
3743 		group->GN = tmp;
3744 #ifdef CONFIG_IEEE80211W
3745 		tmp = group->GM_igtk;
3746 		group->GM_igtk = group->GN_igtk;
3747 		group->GN_igtk = tmp;
3748 #endif /* CONFIG_IEEE80211W */
3749 		wpa_gtk_update(wpa_auth, group);
3750 		wpa_group_config_group_keys(wpa_auth, group);
3751 	}
3752 }
3753 
3754 
wpa_bool_txt(int val)3755 static const char * wpa_bool_txt(int val)
3756 {
3757 	return val ? "TRUE" : "FALSE";
3758 }
3759 
3760 
3761 #define RSN_SUITE "%02x-%02x-%02x-%d"
3762 #define RSN_SUITE_ARG(s) \
3763 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3764 
wpa_get_mib(struct wpa_authenticator * wpa_auth,char * buf,size_t buflen)3765 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3766 {
3767 	int len = 0, ret;
3768 	char pmkid_txt[PMKID_LEN * 2 + 1];
3769 #ifdef CONFIG_RSN_PREAUTH
3770 	const int preauth = 1;
3771 #else /* CONFIG_RSN_PREAUTH */
3772 	const int preauth = 0;
3773 #endif /* CONFIG_RSN_PREAUTH */
3774 
3775 	if (wpa_auth == NULL)
3776 		return len;
3777 
3778 	ret = os_snprintf(buf + len, buflen - len,
3779 			  "dot11RSNAOptionImplemented=TRUE\n"
3780 			  "dot11RSNAPreauthenticationImplemented=%s\n"
3781 			  "dot11RSNAEnabled=%s\n"
3782 			  "dot11RSNAPreauthenticationEnabled=%s\n",
3783 			  wpa_bool_txt(preauth),
3784 			  wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3785 			  wpa_bool_txt(wpa_auth->conf.rsn_preauth));
3786 	if (os_snprintf_error(buflen - len, ret))
3787 		return len;
3788 	len += ret;
3789 
3790 	wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3791 			 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3792 
3793 	ret = os_snprintf(
3794 		buf + len, buflen - len,
3795 		"dot11RSNAConfigVersion=%u\n"
3796 		"dot11RSNAConfigPairwiseKeysSupported=9999\n"
3797 		/* FIX: dot11RSNAConfigGroupCipher */
3798 		/* FIX: dot11RSNAConfigGroupRekeyMethod */
3799 		/* FIX: dot11RSNAConfigGroupRekeyTime */
3800 		/* FIX: dot11RSNAConfigGroupRekeyPackets */
3801 		"dot11RSNAConfigGroupRekeyStrict=%u\n"
3802 		"dot11RSNAConfigGroupUpdateCount=%u\n"
3803 		"dot11RSNAConfigPairwiseUpdateCount=%u\n"
3804 		"dot11RSNAConfigGroupCipherSize=%u\n"
3805 		"dot11RSNAConfigPMKLifetime=%u\n"
3806 		"dot11RSNAConfigPMKReauthThreshold=%u\n"
3807 		"dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3808 		"dot11RSNAConfigSATimeout=%u\n"
3809 		"dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3810 		"dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3811 		"dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3812 		"dot11RSNAPMKIDUsed=%s\n"
3813 		"dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3814 		"dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3815 		"dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3816 		"dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3817 		"dot11RSNA4WayHandshakeFailures=%u\n"
3818 		"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3819 		RSN_VERSION,
3820 		!!wpa_auth->conf.wpa_strict_rekey,
3821 		wpa_auth->conf.wpa_group_update_count,
3822 		wpa_auth->conf.wpa_pairwise_update_count,
3823 		wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
3824 		dot11RSNAConfigPMKLifetime,
3825 		dot11RSNAConfigPMKReauthThreshold,
3826 		dot11RSNAConfigSATimeout,
3827 		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3828 		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3829 		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3830 		pmkid_txt,
3831 		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3832 		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3833 		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3834 		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3835 		wpa_auth->dot11RSNA4WayHandshakeFailures);
3836 	if (os_snprintf_error(buflen - len, ret))
3837 		return len;
3838 	len += ret;
3839 
3840 	/* TODO: dot11RSNAConfigPairwiseCiphersTable */
3841 	/* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3842 
3843 	/* Private MIB */
3844 	ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3845 			  wpa_auth->group->wpa_group_state);
3846 	if (os_snprintf_error(buflen - len, ret))
3847 		return len;
3848 	len += ret;
3849 
3850 	return len;
3851 }
3852 
3853 
wpa_get_mib_sta(struct wpa_state_machine * sm,char * buf,size_t buflen)3854 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3855 {
3856 	int len = 0, ret;
3857 	u32 pairwise = 0;
3858 
3859 	if (sm == NULL)
3860 		return 0;
3861 
3862 	/* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3863 
3864 	/* dot11RSNAStatsEntry */
3865 
3866 	pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3867 				       WPA_PROTO_RSN : WPA_PROTO_WPA,
3868 				       sm->pairwise);
3869 	if (pairwise == 0)
3870 		return 0;
3871 
3872 	ret = os_snprintf(
3873 		buf + len, buflen - len,
3874 		/* TODO: dot11RSNAStatsIndex */
3875 		"dot11RSNAStatsSTAAddress=" MACSTR "\n"
3876 		"dot11RSNAStatsVersion=1\n"
3877 		"dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3878 		/* TODO: dot11RSNAStatsTKIPICVErrors */
3879 		"dot11RSNAStatsTKIPLocalMICFailures=%u\n"
3880 		"dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
3881 		/* TODO: dot11RSNAStatsCCMPReplays */
3882 		/* TODO: dot11RSNAStatsCCMPDecryptErrors */
3883 		/* TODO: dot11RSNAStatsTKIPReplays */,
3884 		MAC2STR(sm->addr),
3885 		RSN_SUITE_ARG(pairwise),
3886 		sm->dot11RSNAStatsTKIPLocalMICFailures,
3887 		sm->dot11RSNAStatsTKIPRemoteMICFailures);
3888 	if (os_snprintf_error(buflen - len, ret))
3889 		return len;
3890 	len += ret;
3891 
3892 	/* Private MIB */
3893 	ret = os_snprintf(buf + len, buflen - len,
3894 			  "hostapdWPAPTKState=%d\n"
3895 			  "hostapdWPAPTKGroupState=%d\n",
3896 			  sm->wpa_ptk_state,
3897 			  sm->wpa_ptk_group_state);
3898 	if (os_snprintf_error(buflen - len, ret))
3899 		return len;
3900 	len += ret;
3901 
3902 	return len;
3903 }
3904 
3905 
wpa_auth_countermeasures_start(struct wpa_authenticator * wpa_auth)3906 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3907 {
3908 	if (wpa_auth)
3909 		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3910 }
3911 
3912 
wpa_auth_pairwise_set(struct wpa_state_machine * sm)3913 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3914 {
3915 	return sm && sm->pairwise_set;
3916 }
3917 
3918 
wpa_auth_get_pairwise(struct wpa_state_machine * sm)3919 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3920 {
3921 	return sm->pairwise;
3922 }
3923 
3924 
wpa_auth_sta_key_mgmt(struct wpa_state_machine * sm)3925 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3926 {
3927 	if (sm == NULL)
3928 		return -1;
3929 	return sm->wpa_key_mgmt;
3930 }
3931 
3932 
wpa_auth_sta_wpa_version(struct wpa_state_machine * sm)3933 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3934 {
3935 	if (sm == NULL)
3936 		return 0;
3937 	return sm->wpa;
3938 }
3939 
3940 
wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine * sm)3941 int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
3942 {
3943 	if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
3944 		return 0;
3945 	return sm->tk_already_set;
3946 }
3947 
3948 
wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine * sm)3949 int wpa_auth_sta_fils_tk_already_set(struct wpa_state_machine *sm)
3950 {
3951 	if (!sm || !wpa_key_mgmt_fils(sm->wpa_key_mgmt))
3952 		return 0;
3953 	return sm->tk_already_set;
3954 }
3955 
3956 
wpa_auth_sta_clear_pmksa(struct wpa_state_machine * sm,struct rsn_pmksa_cache_entry * entry)3957 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3958 			     struct rsn_pmksa_cache_entry *entry)
3959 {
3960 	if (sm == NULL || sm->pmksa != entry)
3961 		return -1;
3962 	sm->pmksa = NULL;
3963 	return 0;
3964 }
3965 
3966 
3967 struct rsn_pmksa_cache_entry *
wpa_auth_sta_get_pmksa(struct wpa_state_machine * sm)3968 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3969 {
3970 	return sm ? sm->pmksa : NULL;
3971 }
3972 
3973 
wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine * sm)3974 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3975 {
3976 	if (sm)
3977 		sm->dot11RSNAStatsTKIPLocalMICFailures++;
3978 }
3979 
3980 
wpa_auth_get_wpa_ie(struct wpa_authenticator * wpa_auth,size_t * len)3981 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3982 {
3983 	if (wpa_auth == NULL)
3984 		return NULL;
3985 	*len = wpa_auth->wpa_ie_len;
3986 	return wpa_auth->wpa_ie;
3987 }
3988 
3989 
wpa_auth_pmksa_add(struct wpa_state_machine * sm,const u8 * pmk,unsigned int pmk_len,int session_timeout,struct eapol_state_machine * eapol)3990 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
3991 		       unsigned int pmk_len,
3992 		       int session_timeout, struct eapol_state_machine *eapol)
3993 {
3994 	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3995 	    sm->wpa_auth->conf.disable_pmksa_caching)
3996 		return -1;
3997 
3998 	if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
3999 		if (pmk_len > PMK_LEN_SUITE_B_192)
4000 			pmk_len = PMK_LEN_SUITE_B_192;
4001 	} else if (pmk_len > PMK_LEN) {
4002 		pmk_len = PMK_LEN;
4003 	}
4004 
4005 	if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
4006 				 sm->PTK.kck, sm->PTK.kck_len,
4007 				 sm->wpa_auth->addr, sm->addr, session_timeout,
4008 				 eapol, sm->wpa_key_mgmt))
4009 		return 0;
4010 
4011 	return -1;
4012 }
4013 
4014 
wpa_auth_pmksa_add_preauth(struct wpa_authenticator * wpa_auth,const u8 * pmk,size_t len,const u8 * sta_addr,int session_timeout,struct eapol_state_machine * eapol)4015 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
4016 			       const u8 *pmk, size_t len, const u8 *sta_addr,
4017 			       int session_timeout,
4018 			       struct eapol_state_machine *eapol)
4019 {
4020 	if (wpa_auth == NULL)
4021 		return -1;
4022 
4023 	if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
4024 				 NULL, 0,
4025 				 wpa_auth->addr,
4026 				 sta_addr, session_timeout, eapol,
4027 				 WPA_KEY_MGMT_IEEE8021X))
4028 		return 0;
4029 
4030 	return -1;
4031 }
4032 
4033 
wpa_auth_pmksa_add_sae(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * pmk,const u8 * pmkid)4034 int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
4035 			   const u8 *pmk, const u8 *pmkid)
4036 {
4037 	if (wpa_auth->conf.disable_pmksa_caching)
4038 		return -1;
4039 
4040 	if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
4041 				 NULL, 0,
4042 				 wpa_auth->addr, addr, 0, NULL,
4043 				 WPA_KEY_MGMT_SAE))
4044 		return 0;
4045 
4046 	return -1;
4047 }
4048 
4049 
wpa_auth_pmksa_add2(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * pmk,size_t pmk_len,const u8 * pmkid,int session_timeout,int akmp)4050 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
4051 			const u8 *pmk, size_t pmk_len, const u8 *pmkid,
4052 			int session_timeout, int akmp)
4053 {
4054 	if (wpa_auth->conf.disable_pmksa_caching)
4055 		return -1;
4056 
4057 	if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, pmk_len, pmkid,
4058 				 NULL, 0, wpa_auth->addr, addr, session_timeout,
4059 				 NULL, akmp))
4060 		return 0;
4061 
4062 	return -1;
4063 }
4064 
4065 
wpa_auth_pmksa_remove(struct wpa_authenticator * wpa_auth,const u8 * sta_addr)4066 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
4067 			   const u8 *sta_addr)
4068 {
4069 	struct rsn_pmksa_cache_entry *pmksa;
4070 
4071 	if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
4072 		return;
4073 	pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
4074 	if (pmksa) {
4075 		wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
4076 			   MACSTR " based on request", MAC2STR(sta_addr));
4077 		pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
4078 	}
4079 }
4080 
4081 
wpa_auth_pmksa_list(struct wpa_authenticator * wpa_auth,char * buf,size_t len)4082 int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
4083 			size_t len)
4084 {
4085 	if (!wpa_auth || !wpa_auth->pmksa)
4086 		return 0;
4087 	return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
4088 }
4089 
4090 
wpa_auth_pmksa_flush(struct wpa_authenticator * wpa_auth)4091 void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
4092 {
4093 	if (wpa_auth && wpa_auth->pmksa)
4094 		pmksa_cache_auth_flush(wpa_auth->pmksa);
4095 }
4096 
4097 
4098 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL
4099 #ifdef CONFIG_MESH
4100 
wpa_auth_pmksa_list_mesh(struct wpa_authenticator * wpa_auth,const u8 * addr,char * buf,size_t len)4101 int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
4102 			     char *buf, size_t len)
4103 {
4104 	if (!wpa_auth || !wpa_auth->pmksa)
4105 		return 0;
4106 
4107 	return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
4108 }
4109 
4110 
4111 struct rsn_pmksa_cache_entry *
wpa_auth_pmksa_create_entry(const u8 * aa,const u8 * spa,const u8 * pmk,const u8 * pmkid,int expiration)4112 wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
4113 			    const u8 *pmkid, int expiration)
4114 {
4115 	struct rsn_pmksa_cache_entry *entry;
4116 	struct os_reltime now;
4117 
4118 	entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
4119 					      spa, 0, NULL, WPA_KEY_MGMT_SAE);
4120 	if (!entry)
4121 		return NULL;
4122 
4123 	os_get_reltime(&now);
4124 	entry->expiration = now.sec + expiration;
4125 	return entry;
4126 }
4127 
4128 
wpa_auth_pmksa_add_entry(struct wpa_authenticator * wpa_auth,struct rsn_pmksa_cache_entry * entry)4129 int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
4130 			     struct rsn_pmksa_cache_entry *entry)
4131 {
4132 	int ret;
4133 
4134 	if (!wpa_auth || !wpa_auth->pmksa)
4135 		return -1;
4136 
4137 	ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
4138 	if (ret < 0)
4139 		wpa_printf(MSG_DEBUG,
4140 			   "RSN: Failed to store external PMKSA cache for "
4141 			   MACSTR, MAC2STR(entry->spa));
4142 
4143 	return ret;
4144 }
4145 
4146 #endif /* CONFIG_MESH */
4147 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
4148 
4149 
4150 struct rsn_pmksa_cache_entry *
wpa_auth_pmksa_get(struct wpa_authenticator * wpa_auth,const u8 * sta_addr,const u8 * pmkid)4151 wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
4152 		   const u8 *pmkid)
4153 {
4154 	if (!wpa_auth || !wpa_auth->pmksa)
4155 		return NULL;
4156 	return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
4157 }
4158 
4159 
wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry * pmksa,struct wpa_state_machine * sm,struct wpa_authenticator * wpa_auth,u8 * pmkid,u8 * pmk)4160 void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
4161 			      struct wpa_state_machine *sm,
4162 			      struct wpa_authenticator *wpa_auth,
4163 			      u8 *pmkid, u8 *pmk)
4164 {
4165 	if (!sm)
4166 		return;
4167 
4168 	sm->pmksa = pmksa;
4169 	os_memcpy(pmk, pmksa->pmk, PMK_LEN);
4170 	os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
4171 	os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
4172 }
4173 
4174 
4175 /*
4176  * Remove and free the group from wpa_authenticator. This is triggered by a
4177  * callback to make sure nobody is currently iterating the group list while it
4178  * gets modified.
4179  */
wpa_group_free(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4180 static void wpa_group_free(struct wpa_authenticator *wpa_auth,
4181 			   struct wpa_group *group)
4182 {
4183 	struct wpa_group *prev = wpa_auth->group;
4184 
4185 	wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
4186 		   group->vlan_id);
4187 
4188 	while (prev) {
4189 		if (prev->next == group) {
4190 			/* This never frees the special first group as needed */
4191 			prev->next = group->next;
4192 			os_free(group);
4193 			break;
4194 		}
4195 		prev = prev->next;
4196 	}
4197 
4198 }
4199 
4200 
4201 /* Increase the reference counter for group */
wpa_group_get(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4202 static void wpa_group_get(struct wpa_authenticator *wpa_auth,
4203 			  struct wpa_group *group)
4204 {
4205 	/* Skip the special first group */
4206 	if (wpa_auth->group == group)
4207 		return;
4208 
4209 	group->references++;
4210 }
4211 
4212 
4213 /* Decrease the reference counter and maybe free the group */
wpa_group_put(struct wpa_authenticator * wpa_auth,struct wpa_group * group)4214 static void wpa_group_put(struct wpa_authenticator *wpa_auth,
4215 			  struct wpa_group *group)
4216 {
4217 	/* Skip the special first group */
4218 	if (wpa_auth->group == group)
4219 		return;
4220 
4221 	group->references--;
4222 	if (group->references)
4223 		return;
4224 	wpa_group_free(wpa_auth, group);
4225 }
4226 
4227 
4228 /*
4229  * Add a group that has its references counter set to zero. Caller needs to
4230  * call wpa_group_get() on the return value to mark the entry in use.
4231  */
4232 static struct wpa_group *
wpa_auth_add_group(struct wpa_authenticator * wpa_auth,int vlan_id)4233 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4234 {
4235 	struct wpa_group *group;
4236 
4237 	if (wpa_auth == NULL || wpa_auth->group == NULL)
4238 		return NULL;
4239 
4240 	wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4241 		   vlan_id);
4242 	group = wpa_group_init(wpa_auth, vlan_id, 0);
4243 	if (group == NULL)
4244 		return NULL;
4245 
4246 	group->next = wpa_auth->group->next;
4247 	wpa_auth->group->next = group;
4248 
4249 	return group;
4250 }
4251 
4252 
4253 /*
4254  * Enforce that the group state machine for the VLAN is running, increase
4255  * reference counter as interface is up. References might have been increased
4256  * even if a negative value is returned.
4257  * Returns: -1 on error (group missing, group already failed); otherwise, 0
4258  */
wpa_auth_ensure_group(struct wpa_authenticator * wpa_auth,int vlan_id)4259 int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4260 {
4261 	struct wpa_group *group;
4262 
4263 	if (wpa_auth == NULL)
4264 		return 0;
4265 
4266 	group = wpa_auth->group;
4267 	while (group) {
4268 		if (group->vlan_id == vlan_id)
4269 			break;
4270 		group = group->next;
4271 	}
4272 
4273 	if (group == NULL) {
4274 		group = wpa_auth_add_group(wpa_auth, vlan_id);
4275 		if (group == NULL)
4276 			return -1;
4277 	}
4278 
4279 	wpa_printf(MSG_DEBUG,
4280 		   "WPA: Ensure group state machine running for VLAN ID %d",
4281 		   vlan_id);
4282 
4283 	wpa_group_get(wpa_auth, group);
4284 	group->num_setup_iface++;
4285 
4286 	if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4287 		return -1;
4288 
4289 	return 0;
4290 }
4291 
4292 
4293 /*
4294  * Decrease reference counter, expected to be zero afterwards.
4295  * returns: -1 on error (group not found, group in fail state)
4296  *          -2 if wpa_group is still referenced
4297  *           0 else
4298  */
wpa_auth_release_group(struct wpa_authenticator * wpa_auth,int vlan_id)4299 int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4300 {
4301 	struct wpa_group *group;
4302 	int ret = 0;
4303 
4304 	if (wpa_auth == NULL)
4305 		return 0;
4306 
4307 	group = wpa_auth->group;
4308 	while (group) {
4309 		if (group->vlan_id == vlan_id)
4310 			break;
4311 		group = group->next;
4312 	}
4313 
4314 	if (group == NULL)
4315 		return -1;
4316 
4317 	wpa_printf(MSG_DEBUG,
4318 		   "WPA: Try stopping group state machine for VLAN ID %d",
4319 		   vlan_id);
4320 
4321 	if (group->num_setup_iface <= 0) {
4322 		wpa_printf(MSG_ERROR,
4323 			   "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4324 			   vlan_id);
4325 		return -1;
4326 	}
4327 	group->num_setup_iface--;
4328 
4329 	if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4330 		ret = -1;
4331 
4332 	if (group->references > 1) {
4333 		wpa_printf(MSG_DEBUG,
4334 			   "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4335 			   vlan_id);
4336 		ret = -2;
4337 	}
4338 
4339 	wpa_group_put(wpa_auth, group);
4340 
4341 	return ret;
4342 }
4343 
4344 
wpa_auth_sta_set_vlan(struct wpa_state_machine * sm,int vlan_id)4345 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4346 {
4347 	struct wpa_group *group;
4348 
4349 	if (sm == NULL || sm->wpa_auth == NULL)
4350 		return 0;
4351 
4352 	group = sm->wpa_auth->group;
4353 	while (group) {
4354 		if (group->vlan_id == vlan_id)
4355 			break;
4356 		group = group->next;
4357 	}
4358 
4359 	if (group == NULL) {
4360 		group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4361 		if (group == NULL)
4362 			return -1;
4363 	}
4364 
4365 	if (sm->group == group)
4366 		return 0;
4367 
4368 	if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4369 		return -1;
4370 
4371 	wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4372 		   "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4373 
4374 	wpa_group_get(sm->wpa_auth, group);
4375 	wpa_group_put(sm->wpa_auth, sm->group);
4376 	sm->group = group;
4377 
4378 	return 0;
4379 }
4380 
4381 
wpa_auth_eapol_key_tx_status(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int ack)4382 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4383 				  struct wpa_state_machine *sm, int ack)
4384 {
4385 	if (wpa_auth == NULL || sm == NULL)
4386 		return;
4387 	wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4388 		   " ack=%d", MAC2STR(sm->addr), ack);
4389 	if (sm->pending_1_of_4_timeout && ack) {
4390 		/*
4391 		 * Some deployed supplicant implementations update their SNonce
4392 		 * for each EAPOL-Key 2/4 message even within the same 4-way
4393 		 * handshake and then fail to use the first SNonce when
4394 		 * deriving the PTK. This results in unsuccessful 4-way
4395 		 * handshake whenever the relatively short initial timeout is
4396 		 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4397 		 * around this by increasing the timeout now that we know that
4398 		 * the station has received the frame.
4399 		 */
4400 		int timeout_ms = eapol_key_timeout_subseq;
4401 		wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4402 			   "timeout by %u ms because of acknowledged frame",
4403 			   timeout_ms);
4404 		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4405 		eloop_register_timeout(timeout_ms / 1000,
4406 				       (timeout_ms % 1000) * 1000,
4407 				       wpa_send_eapol_timeout, wpa_auth, sm);
4408 	}
4409 
4410 #ifdef CONFIG_TESTING_OPTIONS
4411 	if (sm->eapol_status_cb) {
4412 		sm->eapol_status_cb(sm->eapol_status_cb_ctx1,
4413 				    sm->eapol_status_cb_ctx2);
4414 		sm->eapol_status_cb = NULL;
4415 	}
4416 #endif /* CONFIG_TESTING_OPTIONS */
4417 }
4418 
4419 
wpa_auth_uses_sae(struct wpa_state_machine * sm)4420 int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4421 {
4422 	if (sm == NULL)
4423 		return 0;
4424 	return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4425 }
4426 
4427 
wpa_auth_uses_ft_sae(struct wpa_state_machine * sm)4428 int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4429 {
4430 	if (sm == NULL)
4431 		return 0;
4432 	return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4433 }
4434 
4435 
4436 #ifdef CONFIG_P2P
wpa_auth_get_ip_addr(struct wpa_state_machine * sm,u8 * addr)4437 int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4438 {
4439 	if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4440 		return -1;
4441 	os_memcpy(addr, sm->ip_addr, 4);
4442 	return 0;
4443 }
4444 #endif /* CONFIG_P2P */
4445 
4446 
wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator * wpa_auth,struct radius_das_attrs * attr)4447 int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4448 					 struct radius_das_attrs *attr)
4449 {
4450 	return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4451 }
4452 
4453 
wpa_auth_reconfig_group_keys(struct wpa_authenticator * wpa_auth)4454 void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4455 {
4456 	struct wpa_group *group;
4457 
4458 	if (!wpa_auth)
4459 		return;
4460 	for (group = wpa_auth->group; group; group = group->next)
4461 		wpa_group_config_group_keys(wpa_auth, group);
4462 }
4463 
4464 
4465 #ifdef CONFIG_FILS
4466 
4467 struct wpa_auth_fils_iter_data {
4468 	struct wpa_authenticator *auth;
4469 	const u8 *cache_id;
4470 	struct rsn_pmksa_cache_entry *pmksa;
4471 	const u8 *spa;
4472 	const u8 *pmkid;
4473 };
4474 
4475 
wpa_auth_fils_iter(struct wpa_authenticator * a,void * ctx)4476 static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4477 {
4478 	struct wpa_auth_fils_iter_data *data = ctx;
4479 
4480 	if (a == data->auth || !a->conf.fils_cache_id_set ||
4481 	    os_memcmp(a->conf.fils_cache_id, data->cache_id,
4482 		      FILS_CACHE_ID_LEN) != 0)
4483 		return 0;
4484 	data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4485 	return data->pmksa != NULL;
4486 }
4487 
4488 
4489 struct rsn_pmksa_cache_entry *
wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator * wpa_auth,const u8 * sta_addr,const u8 * pmkid)4490 wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4491 				 const u8 *sta_addr, const u8 *pmkid)
4492 {
4493 	struct wpa_auth_fils_iter_data idata;
4494 
4495 	if (!wpa_auth->conf.fils_cache_id_set)
4496 		return NULL;
4497 	idata.auth = wpa_auth;
4498 	idata.cache_id = wpa_auth->conf.fils_cache_id;
4499 	idata.pmksa = NULL;
4500 	idata.spa = sta_addr;
4501 	idata.pmkid = pmkid;
4502 	wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4503 	return idata.pmksa;
4504 }
4505 
4506 
4507 #ifdef CONFIG_IEEE80211R_AP
wpa_auth_write_fte(struct wpa_authenticator * wpa_auth,u8 * buf,size_t len)4508 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len)
4509 {
4510 	struct wpa_auth_config *conf = &wpa_auth->conf;
4511 
4512 	return wpa_write_ftie(conf, conf->r0_key_holder,
4513 			      conf->r0_key_holder_len,
4514 			      NULL, NULL, buf, len, NULL, 0);
4515 }
4516 #endif /* CONFIG_IEEE80211R_AP */
4517 
4518 
wpa_auth_get_fils_aead_params(struct wpa_state_machine * sm,u8 * fils_anonce,u8 * fils_snonce,u8 * fils_kek,size_t * fils_kek_len)4519 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
4520 				   u8 *fils_anonce, u8 *fils_snonce,
4521 				   u8 *fils_kek, size_t *fils_kek_len)
4522 {
4523 	os_memcpy(fils_anonce, sm->ANonce, WPA_NONCE_LEN);
4524 	os_memcpy(fils_snonce, sm->SNonce, WPA_NONCE_LEN);
4525 	os_memcpy(fils_kek, sm->PTK.kek, WPA_KEK_MAX_LEN);
4526 	*fils_kek_len = sm->PTK.kek_len;
4527 }
4528 
4529 #endif /* CONFIG_FILS */
4530 
4531 
4532 #if CONFIG_TESTING_OPTIONS
4533 
wpa_auth_resend_m1(struct wpa_state_machine * sm,int change_anonce,void (* cb)(void * ctx1,void * ctx2),void * ctx1,void * ctx2)4534 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
4535 		       void (*cb)(void *ctx1, void *ctx2),
4536 		       void *ctx1, void *ctx2)
4537 {
4538 	const u8 *anonce = sm->ANonce;
4539 	u8 anonce_buf[WPA_NONCE_LEN];
4540 
4541 	if (change_anonce) {
4542 		if (random_get_bytes(anonce_buf, WPA_NONCE_LEN))
4543 			return -1;
4544 		anonce = anonce_buf;
4545 	}
4546 
4547 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4548 			"sending 1/4 msg of 4-Way Handshake (TESTING)");
4549 	wpa_send_eapol(sm->wpa_auth, sm,
4550 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
4551 		       anonce, NULL, 0, 0, 0);
4552 	return 0;
4553 }
4554 
4555 
wpa_auth_resend_m3(struct wpa_state_machine * sm,void (* cb)(void * ctx1,void * ctx2),void * ctx1,void * ctx2)4556 int wpa_auth_resend_m3(struct wpa_state_machine *sm,
4557 		       void (*cb)(void *ctx1, void *ctx2),
4558 		       void *ctx1, void *ctx2)
4559 {
4560 	u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, *opos;
4561 	size_t gtk_len, kde_len;
4562 	struct wpa_group *gsm = sm->group;
4563 	u8 *wpa_ie;
4564 	int wpa_ie_len, secure, keyidx, encr = 0;
4565 
4566 	/* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
4567 	   GTK[GN], IGTK, [FTIE], [TIE * 2])
4568 	 */
4569 
4570 	/* Use 0 RSC */
4571 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4572 	/* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
4573 	wpa_ie = sm->wpa_auth->wpa_ie;
4574 	wpa_ie_len = sm->wpa_auth->wpa_ie_len;
4575 	if (sm->wpa == WPA_VERSION_WPA &&
4576 	    (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
4577 	    wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
4578 		/* WPA-only STA, remove RSN IE and possible MDIE */
4579 		wpa_ie = wpa_ie + wpa_ie[1] + 2;
4580 		if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
4581 			wpa_ie = wpa_ie + wpa_ie[1] + 2;
4582 		wpa_ie_len = wpa_ie[1] + 2;
4583 	}
4584 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4585 			"sending 3/4 msg of 4-Way Handshake (TESTING)");
4586 	if (sm->wpa == WPA_VERSION_WPA2) {
4587 		/* WPA2 send GTK in the 4-way handshake */
4588 		secure = 1;
4589 		gtk = gsm->GTK[gsm->GN - 1];
4590 		gtk_len = gsm->GTK_len;
4591 		keyidx = gsm->GN;
4592 		_rsc = rsc;
4593 		encr = 1;
4594 	} else {
4595 		/* WPA does not include GTK in msg 3/4 */
4596 		secure = 0;
4597 		gtk = NULL;
4598 		gtk_len = 0;
4599 		keyidx = 0;
4600 		_rsc = NULL;
4601 		if (sm->rx_eapol_key_secure) {
4602 			/*
4603 			 * It looks like Windows 7 supplicant tries to use
4604 			 * Secure bit in msg 2/4 after having reported Michael
4605 			 * MIC failure and it then rejects the 4-way handshake
4606 			 * if msg 3/4 does not set Secure bit. Work around this
4607 			 * by setting the Secure bit here even in the case of
4608 			 * WPA if the supplicant used it first.
4609 			 */
4610 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4611 					"STA used Secure bit in WPA msg 2/4 - "
4612 					"set Secure for 3/4 as workaround");
4613 			secure = 1;
4614 		}
4615 	}
4616 
4617 	kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
4618 	if (gtk)
4619 		kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4620 #ifdef CONFIG_IEEE80211R_AP
4621 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4622 		kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
4623 		kde_len += 300; /* FTIE + 2 * TIE */
4624 	}
4625 #endif /* CONFIG_IEEE80211R_AP */
4626 	kde = os_malloc(kde_len);
4627 	if (kde == NULL)
4628 		return -1;
4629 
4630 	pos = kde;
4631 	os_memcpy(pos, wpa_ie, wpa_ie_len);
4632 	pos += wpa_ie_len;
4633 #ifdef CONFIG_IEEE80211R_AP
4634 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4635 		int res;
4636 		size_t elen;
4637 
4638 		elen = pos - kde;
4639 		res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
4640 		if (res < 0) {
4641 			wpa_printf(MSG_ERROR, "FT: Failed to insert "
4642 				   "PMKR1Name into RSN IE in EAPOL-Key data");
4643 			os_free(kde);
4644 			return -1;
4645 		}
4646 		pos -= wpa_ie_len;
4647 		pos += elen;
4648 	}
4649 #endif /* CONFIG_IEEE80211R_AP */
4650 	if (gtk) {
4651 		u8 hdr[2];
4652 		hdr[0] = keyidx & 0x03;
4653 		hdr[1] = 0;
4654 		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
4655 				  gtk, gtk_len);
4656 	}
4657 	opos = pos;
4658 	pos = ieee80211w_kde_add(sm, pos);
4659 	if (pos - opos >= WPA_IGTK_KDE_PREFIX_LEN) {
4660 		opos += 2; /* skip keyid */
4661 		os_memset(opos, 0, 6); /* clear PN */
4662 	}
4663 
4664 #ifdef CONFIG_IEEE80211R_AP
4665 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
4666 		int res;
4667 		struct wpa_auth_config *conf;
4668 
4669 		conf = &sm->wpa_auth->conf;
4670 		if (sm->assoc_resp_ftie &&
4671 		    kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
4672 			os_memcpy(pos, sm->assoc_resp_ftie,
4673 				  2 + sm->assoc_resp_ftie[1]);
4674 			res = 2 + sm->assoc_resp_ftie[1];
4675 		} else {
4676 			res = wpa_write_ftie(conf, conf->r0_key_holder,
4677 					     conf->r0_key_holder_len,
4678 					     NULL, NULL, pos,
4679 					     kde + kde_len - pos,
4680 					     NULL, 0);
4681 		}
4682 		if (res < 0) {
4683 			wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
4684 				   "into EAPOL-Key Key Data");
4685 			os_free(kde);
4686 			return -1;
4687 		}
4688 		pos += res;
4689 
4690 		/* TIE[ReassociationDeadline] (TU) */
4691 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
4692 		*pos++ = 5;
4693 		*pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
4694 		WPA_PUT_LE32(pos, conf->reassociation_deadline);
4695 		pos += 4;
4696 
4697 		/* TIE[KeyLifetime] (seconds) */
4698 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
4699 		*pos++ = 5;
4700 		*pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
4701 		WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
4702 		pos += 4;
4703 	}
4704 #endif /* CONFIG_IEEE80211R_AP */
4705 
4706 	wpa_send_eapol(sm->wpa_auth, sm,
4707 		       (secure ? WPA_KEY_INFO_SECURE : 0) |
4708 		       (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
4709 			WPA_KEY_INFO_MIC : 0) |
4710 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
4711 		       WPA_KEY_INFO_KEY_TYPE,
4712 		       _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
4713 	os_free(kde);
4714 	return 0;
4715 }
4716 
4717 
wpa_auth_resend_group_m1(struct wpa_state_machine * sm,void (* cb)(void * ctx1,void * ctx2),void * ctx1,void * ctx2)4718 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
4719 			     void (*cb)(void *ctx1, void *ctx2),
4720 			     void *ctx1, void *ctx2)
4721 {
4722 	u8 rsc[WPA_KEY_RSC_LEN];
4723 	struct wpa_group *gsm = sm->group;
4724 	const u8 *kde;
4725 	u8 *kde_buf = NULL, *pos, *opos, hdr[2];
4726 	size_t kde_len;
4727 	u8 *gtk;
4728 
4729 	/* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
4730 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
4731 	/* Use 0 RSC */
4732 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4733 			"sending 1/2 msg of Group Key Handshake (TESTING)");
4734 
4735 	gtk = gsm->GTK[gsm->GN - 1];
4736 	if (sm->wpa == WPA_VERSION_WPA2) {
4737 		kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
4738 			ieee80211w_kde_len(sm);
4739 		kde_buf = os_malloc(kde_len);
4740 		if (kde_buf == NULL)
4741 			return -1;
4742 
4743 		kde = pos = kde_buf;
4744 		hdr[0] = gsm->GN & 0x03;
4745 		hdr[1] = 0;
4746 		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
4747 				  gtk, gsm->GTK_len);
4748 		opos = pos;
4749 		pos = ieee80211w_kde_add(sm, pos);
4750 		if (pos - opos >= WPA_IGTK_KDE_PREFIX_LEN) {
4751 			opos += 2; /* skip keyid */
4752 			os_memset(opos, 0, 6); /* clear PN */
4753 		}
4754 		kde_len = pos - kde;
4755 	} else {
4756 		kde = gtk;
4757 		kde_len = gsm->GTK_len;
4758 	}
4759 
4760 	sm->eapol_status_cb = cb;
4761 	sm->eapol_status_cb_ctx1 = ctx1;
4762 	sm->eapol_status_cb_ctx2 = ctx2;
4763 
4764 	wpa_send_eapol(sm->wpa_auth, sm,
4765 		       WPA_KEY_INFO_SECURE |
4766 		       (wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len) ?
4767 			WPA_KEY_INFO_MIC : 0) |
4768 		       WPA_KEY_INFO_ACK |
4769 		       (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
4770 		       rsc, NULL, kde, kde_len, gsm->GN, 1);
4771 
4772 	os_free(kde_buf);
4773 	return 0;
4774 }
4775 
4776 #endif /* CONFIG_TESTING_OPTIONS */
4777