Line data Source code
1 : /*
2 : * IEEE 802.11 RSN / WPA Authenticator
3 : * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4 : *
5 : * This software may be distributed under the terms of the BSD license.
6 : * See README for more details.
7 : */
8 :
9 : #include "utils/includes.h"
10 :
11 : #include "utils/common.h"
12 : #include "utils/eloop.h"
13 : #include "utils/state_machine.h"
14 : #include "utils/bitfield.h"
15 : #include "common/ieee802_11_defs.h"
16 : #include "crypto/aes_wrap.h"
17 : #include "crypto/crypto.h"
18 : #include "crypto/sha1.h"
19 : #include "crypto/sha256.h"
20 : #include "crypto/random.h"
21 : #include "eapol_auth/eapol_auth_sm.h"
22 : #include "ap_config.h"
23 : #include "ieee802_11.h"
24 : #include "wpa_auth.h"
25 : #include "pmksa_cache_auth.h"
26 : #include "wpa_auth_i.h"
27 : #include "wpa_auth_ie.h"
28 :
29 : #define STATE_MACHINE_DATA struct wpa_state_machine
30 : #define STATE_MACHINE_DEBUG_PREFIX "WPA"
31 : #define STATE_MACHINE_ADDR sm->addr
32 :
33 :
34 : static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
35 : static int wpa_sm_step(struct wpa_state_machine *sm);
36 : static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
37 : size_t data_len);
38 : static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
39 : static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
40 : struct wpa_group *group);
41 : static void wpa_request_new_ptk(struct wpa_state_machine *sm);
42 : static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
43 : struct wpa_group *group);
44 : static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
45 : struct wpa_group *group);
46 : static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
47 : const u8 *pmk, struct wpa_ptk *ptk);
48 :
49 : static const u32 dot11RSNAConfigGroupUpdateCount = 4;
50 : static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
51 : static const u32 eapol_key_timeout_first = 100; /* ms */
52 : static const u32 eapol_key_timeout_subseq = 1000; /* ms */
53 : static const u32 eapol_key_timeout_first_group = 500; /* ms */
54 :
55 : /* TODO: make these configurable */
56 : static const int dot11RSNAConfigPMKLifetime = 43200;
57 : static const int dot11RSNAConfigPMKReauthThreshold = 70;
58 : static const int dot11RSNAConfigSATimeout = 60;
59 :
60 :
61 4 : static inline int wpa_auth_mic_failure_report(
62 : struct wpa_authenticator *wpa_auth, const u8 *addr)
63 : {
64 4 : if (wpa_auth->cb.mic_failure_report)
65 4 : return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
66 0 : return 0;
67 : }
68 :
69 :
70 18946 : static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
71 : const u8 *addr, wpa_eapol_variable var,
72 : int value)
73 : {
74 18946 : if (wpa_auth->cb.set_eapol)
75 18946 : wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
76 18946 : }
77 :
78 :
79 13620 : static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
80 : const u8 *addr, wpa_eapol_variable var)
81 : {
82 13620 : if (wpa_auth->cb.get_eapol == NULL)
83 0 : return -1;
84 13620 : return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
85 : }
86 :
87 :
88 2141 : static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
89 : const u8 *addr,
90 : const u8 *p2p_dev_addr,
91 : const u8 *prev_psk)
92 : {
93 2141 : if (wpa_auth->cb.get_psk == NULL)
94 0 : return NULL;
95 2141 : return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr,
96 : prev_psk);
97 : }
98 :
99 :
100 644 : static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
101 : const u8 *addr, u8 *msk, size_t *len)
102 : {
103 644 : if (wpa_auth->cb.get_msk == NULL)
104 0 : return -1;
105 644 : return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
106 : }
107 :
108 :
109 13065 : static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
110 : int vlan_id,
111 : enum wpa_alg alg, const u8 *addr, int idx,
112 : u8 *key, size_t key_len)
113 : {
114 13065 : if (wpa_auth->cb.set_key == NULL)
115 0 : return -1;
116 13065 : return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
117 : key, key_len);
118 : }
119 :
120 :
121 1424 : static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
122 : const u8 *addr, int idx, u8 *seq)
123 : {
124 1424 : if (wpa_auth->cb.get_seqnum == NULL)
125 12 : return -1;
126 1412 : return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
127 : }
128 :
129 :
130 : static inline int
131 2791 : wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
132 : const u8 *data, size_t data_len, int encrypt)
133 : {
134 2791 : if (wpa_auth->cb.send_eapol == NULL)
135 0 : return -1;
136 2791 : return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
137 : encrypt);
138 : }
139 :
140 :
141 : #ifdef CONFIG_MESH
142 13 : static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
143 : const u8 *addr)
144 : {
145 13 : if (wpa_auth->cb.start_ampe == NULL)
146 5 : return -1;
147 8 : return wpa_auth->cb.start_ampe(wpa_auth->cb.ctx, addr);
148 : }
149 : #endif /* CONFIG_MESH */
150 :
151 :
152 341 : int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
153 : int (*cb)(struct wpa_state_machine *sm, void *ctx),
154 : void *cb_ctx)
155 : {
156 341 : if (wpa_auth->cb.for_each_sta == NULL)
157 0 : return 0;
158 341 : return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
159 : }
160 :
161 :
162 6 : int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
163 : int (*cb)(struct wpa_authenticator *a, void *ctx),
164 : void *cb_ctx)
165 : {
166 6 : if (wpa_auth->cb.for_each_auth == NULL)
167 0 : return 0;
168 6 : return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
169 : }
170 :
171 :
172 12552 : void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
173 : logger_level level, const char *txt)
174 : {
175 12552 : if (wpa_auth->cb.logger == NULL)
176 12552 : return;
177 12552 : wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
178 : }
179 :
180 :
181 7816 : void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
182 : logger_level level, const char *fmt, ...)
183 : {
184 : char *format;
185 : int maxlen;
186 : va_list ap;
187 :
188 7816 : if (wpa_auth->cb.logger == NULL)
189 4 : return;
190 :
191 7816 : maxlen = os_strlen(fmt) + 100;
192 7816 : format = os_malloc(maxlen);
193 7816 : if (!format)
194 4 : return;
195 :
196 7812 : va_start(ap, fmt);
197 7812 : vsnprintf(format, maxlen, fmt, ap);
198 7812 : va_end(ap);
199 :
200 7812 : wpa_auth_logger(wpa_auth, addr, level, format);
201 :
202 7812 : os_free(format);
203 : }
204 :
205 :
206 21 : static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
207 : const u8 *addr)
208 : {
209 21 : if (wpa_auth->cb.disconnect == NULL)
210 21 : return;
211 21 : wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
212 21 : wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
213 : WLAN_REASON_PREV_AUTH_NOT_VALID);
214 : }
215 :
216 :
217 8148 : static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
218 : {
219 8148 : int ret = 0;
220 : #ifdef CONFIG_IEEE80211R
221 8148 : if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
222 157 : ret = 1;
223 : #endif /* CONFIG_IEEE80211R */
224 : #ifdef CONFIG_IEEE80211W
225 8148 : if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
226 180 : ret = 1;
227 : #endif /* CONFIG_IEEE80211W */
228 8148 : if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
229 8 : ret = 1;
230 8148 : return ret;
231 : }
232 :
233 :
234 1 : static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
235 : {
236 1 : struct wpa_authenticator *wpa_auth = eloop_ctx;
237 :
238 1 : if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
239 0 : wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
240 : "initialization.");
241 : } else {
242 1 : wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
243 1 : wpa_hexdump_key(MSG_DEBUG, "GMK",
244 1 : wpa_auth->group->GMK, WPA_GMK_LEN);
245 : }
246 :
247 1 : if (wpa_auth->conf.wpa_gmk_rekey) {
248 1 : eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
249 : wpa_rekey_gmk, wpa_auth, NULL);
250 : }
251 1 : }
252 :
253 :
254 10 : static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
255 : {
256 10 : struct wpa_authenticator *wpa_auth = eloop_ctx;
257 : struct wpa_group *group;
258 :
259 10 : wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
260 20 : for (group = wpa_auth->group; group; group = group->next) {
261 10 : group->GTKReKey = TRUE;
262 : do {
263 12 : group->changed = FALSE;
264 12 : wpa_group_sm_step(wpa_auth, group);
265 12 : } while (group->changed);
266 : }
267 :
268 10 : if (wpa_auth->conf.wpa_group_rekey) {
269 10 : eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
270 : 0, wpa_rekey_gtk, wpa_auth, NULL);
271 : }
272 10 : }
273 :
274 :
275 3 : static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
276 : {
277 3 : struct wpa_authenticator *wpa_auth = eloop_ctx;
278 3 : struct wpa_state_machine *sm = timeout_ctx;
279 :
280 3 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
281 3 : wpa_request_new_ptk(sm);
282 3 : wpa_sm_step(sm);
283 3 : }
284 :
285 :
286 329 : static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
287 : {
288 329 : if (sm->pmksa == ctx)
289 2 : sm->pmksa = NULL;
290 329 : return 0;
291 : }
292 :
293 :
294 321 : static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
295 : void *ctx)
296 : {
297 321 : struct wpa_authenticator *wpa_auth = ctx;
298 321 : wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
299 321 : }
300 :
301 :
302 1713 : static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
303 : struct wpa_group *group)
304 : {
305 : u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
306 : u8 rkey[32];
307 : unsigned long ptr;
308 :
309 1713 : if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
310 0 : return -1;
311 1713 : wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
312 :
313 : /*
314 : * Counter = PRF-256(Random number, "Init Counter",
315 : * Local MAC Address || Time)
316 : */
317 1713 : os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
318 1713 : wpa_get_ntp_timestamp(buf + ETH_ALEN);
319 1713 : ptr = (unsigned long) group;
320 1713 : os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
321 1713 : if (random_get_bytes(rkey, sizeof(rkey)) < 0)
322 0 : return -1;
323 :
324 1713 : if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
325 1713 : group->Counter, WPA_NONCE_LEN) < 0)
326 0 : return -1;
327 1713 : wpa_hexdump_key(MSG_DEBUG, "Key Counter",
328 1713 : group->Counter, WPA_NONCE_LEN);
329 :
330 1713 : return 0;
331 : }
332 :
333 :
334 998 : static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
335 : int vlan_id, int delay_init)
336 : {
337 : struct wpa_group *group;
338 :
339 998 : group = os_zalloc(sizeof(struct wpa_group));
340 998 : if (group == NULL)
341 0 : return NULL;
342 :
343 998 : group->GTKAuthenticator = TRUE;
344 998 : group->vlan_id = vlan_id;
345 998 : group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
346 :
347 : if (random_pool_ready() != 1) {
348 : wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
349 : "for secure operations - update keys later when "
350 : "the first station connects");
351 : }
352 :
353 : /*
354 : * Set initial GMK/Counter value here. The actual values that will be
355 : * used in negotiations will be set once the first station tries to
356 : * connect. This allows more time for collecting additional randomness
357 : * on embedded devices.
358 : */
359 998 : if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
360 0 : wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
361 : "initialization.");
362 0 : os_free(group);
363 0 : return NULL;
364 : }
365 :
366 998 : group->GInit = TRUE;
367 998 : if (delay_init) {
368 990 : wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
369 : "until Beacon frames have been configured");
370 : /* Initialization is completed in wpa_init_keys(). */
371 : } else {
372 8 : wpa_group_sm_step(wpa_auth, group);
373 8 : group->GInit = FALSE;
374 8 : wpa_group_sm_step(wpa_auth, group);
375 : }
376 :
377 998 : return group;
378 : }
379 :
380 :
381 : /**
382 : * wpa_init - Initialize WPA authenticator
383 : * @addr: Authenticator address
384 : * @conf: Configuration for WPA authenticator
385 : * @cb: Callback functions for WPA authenticator
386 : * Returns: Pointer to WPA authenticator data or %NULL on failure
387 : */
388 990 : struct wpa_authenticator * wpa_init(const u8 *addr,
389 : struct wpa_auth_config *conf,
390 : struct wpa_auth_callbacks *cb)
391 : {
392 : struct wpa_authenticator *wpa_auth;
393 :
394 990 : wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
395 990 : if (wpa_auth == NULL)
396 0 : return NULL;
397 990 : os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
398 990 : os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
399 990 : os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
400 :
401 990 : if (wpa_auth_gen_wpa_ie(wpa_auth)) {
402 0 : wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
403 0 : os_free(wpa_auth);
404 0 : return NULL;
405 : }
406 :
407 990 : wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
408 990 : if (wpa_auth->group == NULL) {
409 0 : os_free(wpa_auth->wpa_ie);
410 0 : os_free(wpa_auth);
411 0 : return NULL;
412 : }
413 :
414 990 : wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
415 : wpa_auth);
416 990 : if (wpa_auth->pmksa == NULL) {
417 0 : wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
418 0 : os_free(wpa_auth->group);
419 0 : os_free(wpa_auth->wpa_ie);
420 0 : os_free(wpa_auth);
421 0 : return NULL;
422 : }
423 :
424 : #ifdef CONFIG_IEEE80211R
425 990 : wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
426 990 : if (wpa_auth->ft_pmk_cache == NULL) {
427 0 : wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
428 0 : os_free(wpa_auth->group);
429 0 : os_free(wpa_auth->wpa_ie);
430 0 : pmksa_cache_auth_deinit(wpa_auth->pmksa);
431 0 : os_free(wpa_auth);
432 0 : return NULL;
433 : }
434 : #endif /* CONFIG_IEEE80211R */
435 :
436 990 : if (wpa_auth->conf.wpa_gmk_rekey) {
437 972 : eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
438 : wpa_rekey_gmk, wpa_auth, NULL);
439 : }
440 :
441 990 : if (wpa_auth->conf.wpa_group_rekey) {
442 990 : eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
443 : wpa_rekey_gtk, wpa_auth, NULL);
444 : }
445 :
446 : #ifdef CONFIG_P2P
447 322 : if (WPA_GET_BE32(conf->ip_addr_start)) {
448 246 : int count = WPA_GET_BE32(conf->ip_addr_end) -
449 164 : WPA_GET_BE32(conf->ip_addr_start) + 1;
450 82 : if (count > 1000)
451 0 : count = 1000;
452 82 : if (count > 0)
453 82 : wpa_auth->ip_pool = bitfield_alloc(count);
454 : }
455 : #endif /* CONFIG_P2P */
456 :
457 990 : return wpa_auth;
458 : }
459 :
460 :
461 975 : int wpa_init_keys(struct wpa_authenticator *wpa_auth)
462 : {
463 975 : struct wpa_group *group = wpa_auth->group;
464 :
465 975 : wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
466 : "keys");
467 975 : wpa_group_sm_step(wpa_auth, group);
468 975 : group->GInit = FALSE;
469 975 : wpa_group_sm_step(wpa_auth, group);
470 975 : if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
471 0 : return -1;
472 975 : return 0;
473 : }
474 :
475 :
476 : /**
477 : * wpa_deinit - Deinitialize WPA authenticator
478 : * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
479 : */
480 990 : void wpa_deinit(struct wpa_authenticator *wpa_auth)
481 : {
482 : struct wpa_group *group, *prev;
483 :
484 990 : eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
485 990 : eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
486 :
487 : #ifdef CONFIG_PEERKEY
488 1980 : while (wpa_auth->stsl_negotiations)
489 0 : wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
490 : #endif /* CONFIG_PEERKEY */
491 :
492 990 : pmksa_cache_auth_deinit(wpa_auth->pmksa);
493 :
494 : #ifdef CONFIG_IEEE80211R
495 990 : wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
496 990 : wpa_auth->ft_pmk_cache = NULL;
497 : #endif /* CONFIG_IEEE80211R */
498 :
499 : #ifdef CONFIG_P2P
500 322 : bitfield_free(wpa_auth->ip_pool);
501 : #endif /* CONFIG_P2P */
502 :
503 :
504 990 : os_free(wpa_auth->wpa_ie);
505 :
506 990 : group = wpa_auth->group;
507 2978 : while (group) {
508 998 : prev = group;
509 998 : group = group->next;
510 998 : os_free(prev);
511 : }
512 :
513 990 : os_free(wpa_auth);
514 990 : }
515 :
516 :
517 : /**
518 : * wpa_reconfig - Update WPA authenticator configuration
519 : * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
520 : * @conf: Configuration for WPA authenticator
521 : */
522 2 : int wpa_reconfig(struct wpa_authenticator *wpa_auth,
523 : struct wpa_auth_config *conf)
524 : {
525 : struct wpa_group *group;
526 2 : if (wpa_auth == NULL)
527 0 : return 0;
528 :
529 2 : os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
530 2 : if (wpa_auth_gen_wpa_ie(wpa_auth)) {
531 0 : wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
532 0 : return -1;
533 : }
534 :
535 : /*
536 : * Reinitialize GTK to make sure it is suitable for the new
537 : * configuration.
538 : */
539 2 : group = wpa_auth->group;
540 2 : group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
541 2 : group->GInit = TRUE;
542 2 : wpa_group_sm_step(wpa_auth, group);
543 2 : group->GInit = FALSE;
544 2 : wpa_group_sm_step(wpa_auth, group);
545 :
546 2 : return 0;
547 : }
548 :
549 :
550 : struct wpa_state_machine *
551 1670 : wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
552 : const u8 *p2p_dev_addr)
553 : {
554 : struct wpa_state_machine *sm;
555 :
556 1670 : if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
557 0 : return NULL;
558 :
559 1670 : sm = os_zalloc(sizeof(struct wpa_state_machine));
560 1670 : if (sm == NULL)
561 0 : return NULL;
562 1670 : os_memcpy(sm->addr, addr, ETH_ALEN);
563 1670 : if (p2p_dev_addr)
564 191 : os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
565 :
566 1670 : sm->wpa_auth = wpa_auth;
567 1670 : sm->group = wpa_auth->group;
568 :
569 1670 : return sm;
570 : }
571 :
572 :
573 2560 : int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
574 : struct wpa_state_machine *sm)
575 : {
576 2560 : if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
577 634 : return -1;
578 :
579 : #ifdef CONFIG_IEEE80211R
580 1926 : if (sm->ft_completed) {
581 221 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
582 : "FT authentication already completed - do not "
583 : "start 4-way handshake");
584 : /* Go to PTKINITDONE state to allow GTK rekeying */
585 221 : sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
586 221 : return 0;
587 : }
588 : #endif /* CONFIG_IEEE80211R */
589 :
590 1705 : if (sm->started) {
591 71 : os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
592 71 : sm->ReAuthenticationRequest = TRUE;
593 71 : return wpa_sm_step(sm);
594 : }
595 :
596 1634 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
597 : "start authentication");
598 1634 : sm->started = 1;
599 :
600 1634 : sm->Init = TRUE;
601 1634 : if (wpa_sm_step(sm) == 1)
602 0 : return 1; /* should not really happen */
603 1634 : sm->Init = FALSE;
604 1634 : sm->AuthenticationRequest = TRUE;
605 1634 : return wpa_sm_step(sm);
606 : }
607 :
608 :
609 634 : void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
610 : {
611 : /* WPA/RSN was not used - clear WPA state. This is needed if the STA
612 : * reassociates back to the same AP while the previous entry for the
613 : * STA has not yet been removed. */
614 634 : if (sm == NULL)
615 1268 : return;
616 :
617 0 : sm->wpa_key_mgmt = 0;
618 : }
619 :
620 :
621 1670 : static void wpa_free_sta_sm(struct wpa_state_machine *sm)
622 : {
623 : #ifdef CONFIG_P2P
624 239 : if (WPA_GET_BE32(sm->ip_addr)) {
625 : u32 start;
626 720 : wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
627 : "address %u.%u.%u.%u from " MACSTR,
628 144 : sm->ip_addr[0], sm->ip_addr[1],
629 144 : sm->ip_addr[2], sm->ip_addr[3],
630 432 : MAC2STR(sm->addr));
631 72 : start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
632 72 : bitfield_clear(sm->wpa_auth->ip_pool,
633 72 : WPA_GET_BE32(sm->ip_addr) - start);
634 : }
635 : #endif /* CONFIG_P2P */
636 1670 : if (sm->GUpdateStationKeys) {
637 1 : sm->group->GKeyDoneStations--;
638 1 : sm->GUpdateStationKeys = FALSE;
639 : }
640 : #ifdef CONFIG_IEEE80211R
641 1670 : os_free(sm->assoc_resp_ftie);
642 1670 : wpabuf_free(sm->ft_pending_req_ies);
643 : #endif /* CONFIG_IEEE80211R */
644 1670 : os_free(sm->last_rx_eapol_key);
645 1670 : os_free(sm->wpa_ie);
646 1670 : os_free(sm);
647 1670 : }
648 :
649 :
650 2338 : void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
651 : {
652 2338 : if (sm == NULL)
653 3006 : return;
654 :
655 1670 : if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
656 2 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
657 : "strict rekeying - force GTK rekey since STA "
658 : "is leaving");
659 2 : eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
660 2 : eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
661 : NULL);
662 : }
663 :
664 1670 : eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
665 1670 : sm->pending_1_of_4_timeout = 0;
666 1670 : eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
667 1670 : eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
668 1670 : if (sm->in_step_loop) {
669 : /* Must not free state machine while wpa_sm_step() is running.
670 : * Freeing will be completed in the end of wpa_sm_step(). */
671 0 : wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
672 0 : "machine deinit for " MACSTR, MAC2STR(sm->addr));
673 0 : sm->pending_deinit = 1;
674 : } else
675 1670 : wpa_free_sta_sm(sm);
676 : }
677 :
678 :
679 8 : static void wpa_request_new_ptk(struct wpa_state_machine *sm)
680 : {
681 8 : if (sm == NULL)
682 8 : return;
683 :
684 8 : sm->PTKRequest = TRUE;
685 8 : sm->PTK_valid = 0;
686 : }
687 :
688 :
689 2760 : static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
690 : const u8 *replay_counter)
691 : {
692 : int i;
693 2768 : for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
694 2768 : if (!ctr[i].valid)
695 5 : break;
696 2763 : if (os_memcmp(replay_counter, ctr[i].counter,
697 : WPA_REPLAY_COUNTER_LEN) == 0)
698 2755 : return 1;
699 : }
700 5 : return 0;
701 : }
702 :
703 :
704 5498 : static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
705 : const u8 *replay_counter)
706 : {
707 : int i;
708 27490 : for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
709 21992 : if (ctr[i].valid &&
710 2755 : (replay_counter == NULL ||
711 2755 : os_memcmp(replay_counter, ctr[i].counter,
712 : WPA_REPLAY_COUNTER_LEN) == 0))
713 2755 : ctr[i].valid = FALSE;
714 : }
715 5498 : }
716 :
717 :
718 : #ifdef CONFIG_IEEE80211R
719 25 : static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
720 : struct wpa_state_machine *sm,
721 : struct wpa_eapol_ie_parse *kde)
722 : {
723 : struct wpa_ie_data ie;
724 : struct rsn_mdie *mdie;
725 :
726 50 : if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
727 50 : ie.num_pmkid != 1 || ie.pmkid == NULL) {
728 0 : wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
729 : "FT 4-way handshake message 2/4");
730 0 : return -1;
731 : }
732 :
733 25 : os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
734 25 : wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
735 25 : sm->sup_pmk_r1_name, PMKID_LEN);
736 :
737 25 : if (!kde->mdie || !kde->ftie) {
738 0 : wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
739 0 : "message 2/4", kde->mdie ? "FTIE" : "MDIE");
740 0 : return -1;
741 : }
742 :
743 25 : mdie = (struct rsn_mdie *) (kde->mdie + 2);
744 50 : if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
745 25 : os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
746 : MOBILITY_DOMAIN_ID_LEN) != 0) {
747 0 : wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
748 0 : return -1;
749 : }
750 :
751 50 : if (sm->assoc_resp_ftie &&
752 50 : (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
753 25 : os_memcmp(kde->ftie, sm->assoc_resp_ftie,
754 : 2 + sm->assoc_resp_ftie[1]) != 0)) {
755 0 : wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
756 0 : wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
757 0 : kde->ftie, kde->ftie_len);
758 0 : wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
759 0 : sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
760 0 : return -1;
761 : }
762 :
763 25 : return 0;
764 : }
765 : #endif /* CONFIG_IEEE80211R */
766 :
767 :
768 4 : static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
769 : struct wpa_state_machine *sm, int group)
770 : {
771 : /* Supplicant reported a Michael MIC error */
772 4 : wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
773 : "received EAPOL-Key Error Request "
774 : "(STA detected Michael MIC failure (group=%d))",
775 : group);
776 :
777 4 : if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
778 0 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
779 : "ignore Michael MIC failure report since "
780 : "group cipher is not TKIP");
781 4 : } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
782 0 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
783 : "ignore Michael MIC failure report since "
784 : "pairwise cipher is not TKIP");
785 : } else {
786 4 : if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
787 2 : return 1; /* STA entry was removed */
788 2 : sm->dot11RSNAStatsTKIPRemoteMICFailures++;
789 2 : wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
790 : }
791 :
792 : /*
793 : * Error report is not a request for a new key handshake, but since
794 : * Authenticator may do it, let's change the keys now anyway.
795 : */
796 2 : wpa_request_new_ptk(sm);
797 2 : return 0;
798 : }
799 :
800 :
801 1 : static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
802 : size_t data_len)
803 : {
804 : struct wpa_ptk PTK;
805 1 : int ok = 0;
806 1 : const u8 *pmk = NULL;
807 :
808 : for (;;) {
809 1 : if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
810 1 : pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
811 1 : sm->p2p_dev_addr, pmk);
812 1 : if (pmk == NULL)
813 0 : break;
814 : } else
815 0 : pmk = sm->PMK;
816 :
817 1 : wpa_derive_ptk(sm, sm->alt_SNonce, pmk, &PTK);
818 :
819 1 : if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len)
820 : == 0) {
821 1 : ok = 1;
822 1 : break;
823 : }
824 :
825 0 : if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
826 0 : break;
827 0 : }
828 :
829 1 : if (!ok) {
830 0 : wpa_printf(MSG_DEBUG,
831 : "WPA: Earlier SNonce did not result in matching MIC");
832 0 : return -1;
833 : }
834 :
835 1 : wpa_printf(MSG_DEBUG,
836 : "WPA: Earlier SNonce resulted in matching MIC");
837 1 : sm->alt_snonce_valid = 0;
838 1 : os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
839 1 : os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
840 1 : sm->PTK_valid = TRUE;
841 :
842 1 : return 0;
843 : }
844 :
845 :
846 2780 : void wpa_receive(struct wpa_authenticator *wpa_auth,
847 : struct wpa_state_machine *sm,
848 : u8 *data, size_t data_len)
849 : {
850 : struct ieee802_1x_hdr *hdr;
851 : struct wpa_eapol_key *key;
852 : struct wpa_eapol_key_192 *key192;
853 : u16 key_info, key_data_length;
854 : enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
855 : SMK_M1, SMK_M3, SMK_ERROR } msg;
856 : char *msgtxt;
857 : struct wpa_eapol_ie_parse kde;
858 : int ft;
859 : const u8 *eapol_key_ie, *key_data;
860 : size_t eapol_key_ie_len, keyhdrlen, mic_len;
861 :
862 2780 : if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
863 28 : return;
864 :
865 2778 : mic_len = wpa_mic_len(sm->wpa_key_mgmt);
866 2778 : keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key);
867 :
868 2778 : if (data_len < sizeof(*hdr) + keyhdrlen)
869 0 : return;
870 :
871 2778 : hdr = (struct ieee802_1x_hdr *) data;
872 2778 : key = (struct wpa_eapol_key *) (hdr + 1);
873 2778 : key192 = (struct wpa_eapol_key_192 *) (hdr + 1);
874 2778 : key_info = WPA_GET_BE16(key->key_info);
875 2778 : if (mic_len == 24) {
876 4 : key_data = (const u8 *) (key192 + 1);
877 4 : key_data_length = WPA_GET_BE16(key192->key_data_length);
878 : } else {
879 2774 : key_data = (const u8 *) (key + 1);
880 2774 : key_data_length = WPA_GET_BE16(key->key_data_length);
881 : }
882 22224 : wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
883 : " key_info=0x%x type=%u key_data_length=%u",
884 19446 : MAC2STR(sm->addr), key_info, key->type, key_data_length);
885 2778 : if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
886 1 : wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
887 : "key_data overflow (%d > %lu)",
888 : key_data_length,
889 1 : (unsigned long) (data_len - sizeof(*hdr) -
890 : keyhdrlen));
891 1 : return;
892 : }
893 :
894 2777 : if (sm->wpa == WPA_VERSION_WPA2) {
895 2703 : if (key->type == EAPOL_KEY_TYPE_WPA) {
896 : /*
897 : * Some deployed station implementations seem to send
898 : * msg 4/4 with incorrect type value in WPA2 mode.
899 : */
900 1 : wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
901 : "with unexpected WPA type in RSN mode");
902 2702 : } else if (key->type != EAPOL_KEY_TYPE_RSN) {
903 0 : wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
904 : "unexpected type %d in RSN mode",
905 0 : key->type);
906 0 : return;
907 : }
908 : } else {
909 74 : if (key->type != EAPOL_KEY_TYPE_WPA) {
910 1 : wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
911 : "unexpected type %d in WPA mode",
912 1 : key->type);
913 1 : return;
914 : }
915 : }
916 :
917 2776 : wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
918 : WPA_NONCE_LEN);
919 2776 : wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
920 2776 : key->replay_counter, WPA_REPLAY_COUNTER_LEN);
921 :
922 : /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
923 : * are set */
924 :
925 2776 : if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
926 : (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
927 8 : if (key_info & WPA_KEY_INFO_ERROR) {
928 3 : msg = SMK_ERROR;
929 3 : msgtxt = "SMK Error";
930 : } else {
931 5 : msg = SMK_M1;
932 5 : msgtxt = "SMK M1";
933 : }
934 2768 : } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
935 2 : msg = SMK_M3;
936 2 : msgtxt = "SMK M3";
937 2766 : } else if (key_info & WPA_KEY_INFO_REQUEST) {
938 11 : msg = REQUEST;
939 11 : msgtxt = "Request";
940 2755 : } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
941 31 : msg = GROUP_2;
942 31 : msgtxt = "2/2 Group";
943 2724 : } else if (key_data_length == 0) {
944 1350 : msg = PAIRWISE_4;
945 1350 : msgtxt = "4/4 Pairwise";
946 : } else {
947 1374 : msg = PAIRWISE_2;
948 1374 : msgtxt = "2/4 Pairwise";
949 : }
950 :
951 : /* TODO: key_info type validation for PeerKey */
952 2776 : if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
953 : msg == GROUP_2) {
954 2766 : u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
955 2854 : if (sm->pairwise == WPA_CIPHER_CCMP ||
956 88 : sm->pairwise == WPA_CIPHER_GCMP) {
957 2799 : if (wpa_use_aes_cmac(sm) &&
958 226 : sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
959 218 : !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
960 : ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
961 0 : wpa_auth_logger(wpa_auth, sm->addr,
962 : LOGGER_WARNING,
963 : "advertised support for "
964 : "AES-128-CMAC, but did not "
965 : "use it");
966 0 : return;
967 : }
968 :
969 2684 : if (!wpa_use_aes_cmac(sm) &&
970 : ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
971 1 : wpa_auth_logger(wpa_auth, sm->addr,
972 : LOGGER_WARNING,
973 : "did not use HMAC-SHA1-AES "
974 : "with CCMP/GCMP");
975 1 : return;
976 : }
977 : }
978 :
979 2765 : if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
980 : ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
981 0 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
982 : "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
983 0 : return;
984 : }
985 : }
986 :
987 2775 : if (key_info & WPA_KEY_INFO_REQUEST) {
988 24 : if (sm->req_replay_counter_used &&
989 5 : os_memcmp(key->replay_counter, sm->req_replay_counter,
990 : WPA_REPLAY_COUNTER_LEN) <= 0) {
991 1 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
992 : "received EAPOL-Key request with "
993 : "replayed counter");
994 1 : return;
995 : }
996 : }
997 :
998 5530 : if (!(key_info & WPA_KEY_INFO_REQUEST) &&
999 2756 : !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
1000 : int i;
1001 :
1002 8 : if (msg == PAIRWISE_2 &&
1003 3 : wpa_replay_counter_valid(sm->prev_key_replay,
1004 6 : key->replay_counter) &&
1005 6 : sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1006 3 : os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1007 : {
1008 : /*
1009 : * Some supplicant implementations (e.g., Windows XP
1010 : * WZC) update SNonce for each EAPOL-Key 2/4. This
1011 : * breaks the workaround on accepting any of the
1012 : * pending requests, so allow the SNonce to be updated
1013 : * even if we have already sent out EAPOL-Key 3/4.
1014 : */
1015 2 : wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1016 : "Process SNonce update from STA "
1017 : "based on retransmitted EAPOL-Key "
1018 : "1/4");
1019 2 : sm->update_snonce = 1;
1020 2 : os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1021 2 : sm->alt_snonce_valid = TRUE;
1022 2 : os_memcpy(sm->alt_replay_counter,
1023 : sm->key_replay[0].counter,
1024 : WPA_REPLAY_COUNTER_LEN);
1025 2 : goto continue_processing;
1026 : }
1027 :
1028 5 : if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1029 4 : sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1030 2 : os_memcmp(key->replay_counter, sm->alt_replay_counter,
1031 : WPA_REPLAY_COUNTER_LEN) == 0) {
1032 : /*
1033 : * Supplicant may still be using the old SNonce since
1034 : * there was two EAPOL-Key 2/4 messages and they had
1035 : * different SNonce values.
1036 : */
1037 2 : wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1038 : "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1039 2 : goto continue_processing;
1040 : }
1041 :
1042 2 : if (msg == PAIRWISE_2 &&
1043 1 : wpa_replay_counter_valid(sm->prev_key_replay,
1044 2 : key->replay_counter) &&
1045 1 : sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1046 1 : wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1047 : "ignore retransmitted EAPOL-Key %s - "
1048 : "SNonce did not change", msgtxt);
1049 : } else {
1050 0 : wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1051 : "received EAPOL-Key %s with "
1052 : "unexpected replay counter", msgtxt);
1053 : }
1054 2 : for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1055 2 : if (!sm->key_replay[i].valid)
1056 1 : break;
1057 1 : wpa_hexdump(MSG_DEBUG, "pending replay counter",
1058 1 : sm->key_replay[i].counter,
1059 : WPA_REPLAY_COUNTER_LEN);
1060 : }
1061 1 : wpa_hexdump(MSG_DEBUG, "received replay counter",
1062 1 : key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1063 1 : return;
1064 : }
1065 :
1066 : continue_processing:
1067 2773 : switch (msg) {
1068 : case PAIRWISE_2:
1069 1378 : if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1070 10 : sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1071 7 : (!sm->update_snonce ||
1072 2 : sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1073 3 : wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1074 : "received EAPOL-Key msg 2/4 in "
1075 : "invalid state (%d) - dropped",
1076 3 : sm->wpa_ptk_state);
1077 3 : return;
1078 : }
1079 : random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1080 1370 : if (sm->group->reject_4way_hs_for_entropy) {
1081 : /*
1082 : * The system did not have enough entropy to generate
1083 : * strong random numbers. Reject the first 4-way
1084 : * handshake(s) and collect some entropy based on the
1085 : * information from it. Once enough entropy is
1086 : * available, the next atempt will trigger GMK/Key
1087 : * Counter update and the station will be allowed to
1088 : * continue.
1089 : */
1090 0 : wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1091 : "collect more entropy for random number "
1092 : "generation");
1093 : random_mark_pool_ready();
1094 0 : wpa_sta_disconnect(wpa_auth, sm->addr);
1095 0 : return;
1096 : }
1097 1370 : if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
1098 0 : wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1099 : "received EAPOL-Key msg 2/4 with "
1100 : "invalid Key Data contents");
1101 0 : return;
1102 : }
1103 1370 : if (kde.rsn_ie) {
1104 1346 : eapol_key_ie = kde.rsn_ie;
1105 1346 : eapol_key_ie_len = kde.rsn_ie_len;
1106 24 : } else if (kde.osen) {
1107 2 : eapol_key_ie = kde.osen;
1108 2 : eapol_key_ie_len = kde.osen_len;
1109 : } else {
1110 22 : eapol_key_ie = kde.wpa_ie;
1111 22 : eapol_key_ie_len = kde.wpa_ie_len;
1112 : }
1113 2718 : ft = sm->wpa == WPA_VERSION_WPA2 &&
1114 1348 : wpa_key_mgmt_ft(sm->wpa_key_mgmt);
1115 2740 : if (sm->wpa_ie == NULL ||
1116 2740 : wpa_compare_rsn_ie(ft,
1117 1370 : sm->wpa_ie, sm->wpa_ie_len,
1118 : eapol_key_ie, eapol_key_ie_len)) {
1119 0 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1120 : "WPA IE from (Re)AssocReq did not "
1121 : "match with msg 2/4");
1122 0 : if (sm->wpa_ie) {
1123 0 : wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
1124 0 : sm->wpa_ie, sm->wpa_ie_len);
1125 : }
1126 0 : wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
1127 : eapol_key_ie, eapol_key_ie_len);
1128 : /* MLME-DEAUTHENTICATE.request */
1129 0 : wpa_sta_disconnect(wpa_auth, sm->addr);
1130 0 : return;
1131 : }
1132 : #ifdef CONFIG_IEEE80211R
1133 1370 : if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
1134 0 : wpa_sta_disconnect(wpa_auth, sm->addr);
1135 0 : return;
1136 : }
1137 : #endif /* CONFIG_IEEE80211R */
1138 : #ifdef CONFIG_P2P
1139 442 : if (kde.ip_addr_req && kde.ip_addr_req[0] &&
1140 278 : wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
1141 : int idx;
1142 72 : wpa_printf(MSG_DEBUG, "P2P: IP address requested in "
1143 : "EAPOL-Key exchange");
1144 72 : idx = bitfield_get_first_zero(wpa_auth->ip_pool);
1145 72 : if (idx >= 0) {
1146 72 : u32 start = WPA_GET_BE32(wpa_auth->conf.
1147 : ip_addr_start);
1148 72 : bitfield_set(wpa_auth->ip_pool, idx);
1149 72 : WPA_PUT_BE32(sm->ip_addr, start + idx);
1150 720 : wpa_printf(MSG_DEBUG, "P2P: Assigned IP "
1151 : "address %u.%u.%u.%u to " MACSTR,
1152 144 : sm->ip_addr[0], sm->ip_addr[1],
1153 144 : sm->ip_addr[2], sm->ip_addr[3],
1154 432 : MAC2STR(sm->addr));
1155 : }
1156 : }
1157 : #endif /* CONFIG_P2P */
1158 1370 : break;
1159 : case PAIRWISE_4:
1160 2698 : if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1161 1348 : !sm->PTK_valid) {
1162 2 : wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1163 : "received EAPOL-Key msg 4/4 in "
1164 : "invalid state (%d) - dropped",
1165 2 : sm->wpa_ptk_state);
1166 2 : return;
1167 : }
1168 1348 : break;
1169 : case GROUP_2:
1170 30 : if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1171 30 : || !sm->PTK_valid) {
1172 0 : wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1173 : "received EAPOL-Key msg 2/2 in "
1174 : "invalid state (%d) - dropped",
1175 0 : sm->wpa_ptk_group_state);
1176 0 : return;
1177 : }
1178 30 : break;
1179 : #ifdef CONFIG_PEERKEY
1180 : case SMK_M1:
1181 : case SMK_M3:
1182 : case SMK_ERROR:
1183 10 : if (!wpa_auth->conf.peerkey) {
1184 3 : wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1185 : "PeerKey use disabled - ignoring message");
1186 3 : return;
1187 : }
1188 7 : if (!sm->PTK_valid) {
1189 0 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1190 : "received EAPOL-Key msg SMK in "
1191 : "invalid state - dropped");
1192 0 : return;
1193 : }
1194 7 : break;
1195 : #else /* CONFIG_PEERKEY */
1196 : case SMK_M1:
1197 : case SMK_M3:
1198 : case SMK_ERROR:
1199 : return; /* STSL disabled - ignore SMK messages */
1200 : #endif /* CONFIG_PEERKEY */
1201 : case REQUEST:
1202 10 : break;
1203 : }
1204 :
1205 2765 : wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1206 : "received EAPOL-Key frame (%s)", msgtxt);
1207 :
1208 2765 : if (key_info & WPA_KEY_INFO_ACK) {
1209 0 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1210 : "received invalid EAPOL-Key: Key Ack set");
1211 0 : return;
1212 : }
1213 :
1214 2765 : if (!(key_info & WPA_KEY_INFO_MIC)) {
1215 0 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1216 : "received invalid EAPOL-Key: Key MIC not set");
1217 0 : return;
1218 : }
1219 :
1220 2765 : sm->MICVerified = FALSE;
1221 2765 : if (sm->PTK_valid && !sm->update_snonce) {
1222 1393 : if (wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data,
1223 1 : data_len) &&
1224 2 : (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1225 1 : wpa_try_alt_snonce(sm, data, data_len))) {
1226 0 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1227 : "received EAPOL-Key with invalid MIC");
1228 0 : return;
1229 : }
1230 1393 : sm->MICVerified = TRUE;
1231 1393 : eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1232 1393 : sm->pending_1_of_4_timeout = 0;
1233 : }
1234 :
1235 2765 : if (key_info & WPA_KEY_INFO_REQUEST) {
1236 16 : if (sm->MICVerified) {
1237 14 : sm->req_replay_counter_used = 1;
1238 14 : os_memcpy(sm->req_replay_counter, key->replay_counter,
1239 : WPA_REPLAY_COUNTER_LEN);
1240 : } else {
1241 2 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1242 : "received EAPOL-Key request with "
1243 : "invalid MIC");
1244 2 : return;
1245 : }
1246 :
1247 : /*
1248 : * TODO: should decrypt key data field if encryption was used;
1249 : * even though MAC address KDE is not normally encrypted,
1250 : * supplicant is allowed to encrypt it.
1251 : */
1252 14 : if (msg == SMK_ERROR) {
1253 : #ifdef CONFIG_PEERKEY
1254 2 : wpa_smk_error(wpa_auth, sm, key_data, key_data_length);
1255 : #endif /* CONFIG_PEERKEY */
1256 2 : return;
1257 12 : } else if (key_info & WPA_KEY_INFO_ERROR) {
1258 4 : if (wpa_receive_error_report(
1259 : wpa_auth, sm,
1260 4 : !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1261 2 : return; /* STA entry was removed */
1262 8 : } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1263 3 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1264 : "received EAPOL-Key Request for new "
1265 : "4-Way Handshake");
1266 3 : wpa_request_new_ptk(sm);
1267 : #ifdef CONFIG_PEERKEY
1268 5 : } else if (msg == SMK_M1) {
1269 4 : wpa_smk_m1(wpa_auth, sm, key, key_data,
1270 : key_data_length);
1271 : #endif /* CONFIG_PEERKEY */
1272 2 : } else if (key_data_length > 0 &&
1273 1 : wpa_parse_kde_ies(key_data, key_data_length,
1274 1 : &kde) == 0 &&
1275 1 : kde.mac_addr) {
1276 : } else {
1277 1 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1278 : "received EAPOL-Key Request for GTK "
1279 : "rekeying");
1280 1 : eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1281 1 : wpa_rekey_gtk(wpa_auth, NULL);
1282 : }
1283 : } else {
1284 : /* Do not allow the same key replay counter to be reused. */
1285 2749 : wpa_replay_counter_mark_invalid(sm->key_replay,
1286 2749 : key->replay_counter);
1287 :
1288 2749 : if (msg == PAIRWISE_2) {
1289 : /*
1290 : * Maintain a copy of the pending EAPOL-Key frames in
1291 : * case the EAPOL-Key frame was retransmitted. This is
1292 : * needed to allow EAPOL-Key msg 2/4 reply to another
1293 : * pending msg 1/4 to update the SNonce to work around
1294 : * unexpected supplicant behavior.
1295 : */
1296 1370 : os_memcpy(sm->prev_key_replay, sm->key_replay,
1297 : sizeof(sm->key_replay));
1298 : } else {
1299 1379 : os_memset(sm->prev_key_replay, 0,
1300 : sizeof(sm->prev_key_replay));
1301 : }
1302 :
1303 : /*
1304 : * Make sure old valid counters are not accepted anymore and
1305 : * do not get copied again.
1306 : */
1307 2749 : wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1308 : }
1309 :
1310 : #ifdef CONFIG_PEERKEY
1311 2759 : if (msg == SMK_M3) {
1312 1 : wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length);
1313 1 : return;
1314 : }
1315 : #endif /* CONFIG_PEERKEY */
1316 :
1317 2758 : os_free(sm->last_rx_eapol_key);
1318 2758 : sm->last_rx_eapol_key = os_malloc(data_len);
1319 2758 : if (sm->last_rx_eapol_key == NULL)
1320 4 : return;
1321 2754 : os_memcpy(sm->last_rx_eapol_key, data, data_len);
1322 2754 : sm->last_rx_eapol_key_len = data_len;
1323 :
1324 2754 : sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1325 2754 : sm->EAPOLKeyReceived = TRUE;
1326 2754 : sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1327 2754 : sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1328 2754 : os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1329 2754 : wpa_sm_step(sm);
1330 : }
1331 :
1332 :
1333 1974 : static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1334 : const u8 *gnonce, u8 *gtk, size_t gtk_len)
1335 : {
1336 : u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1337 : u8 *pos;
1338 1974 : int ret = 0;
1339 :
1340 : /* GTK = PRF-X(GMK, "Group key expansion",
1341 : * AA || GNonce || Time || random data)
1342 : * The example described in the IEEE 802.11 standard uses only AA and
1343 : * GNonce as inputs here. Add some more entropy since this derivation
1344 : * is done only at the Authenticator and as such, does not need to be
1345 : * exactly same.
1346 : */
1347 1974 : os_memcpy(data, addr, ETH_ALEN);
1348 1974 : os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1349 1974 : pos = data + ETH_ALEN + WPA_NONCE_LEN;
1350 1974 : wpa_get_ntp_timestamp(pos);
1351 1974 : pos += 8;
1352 1974 : if (random_get_bytes(pos, 16) < 0)
1353 0 : ret = -1;
1354 :
1355 : #ifdef CONFIG_IEEE80211W
1356 1974 : sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
1357 : #else /* CONFIG_IEEE80211W */
1358 : if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1359 : < 0)
1360 : ret = -1;
1361 : #endif /* CONFIG_IEEE80211W */
1362 :
1363 1974 : return ret;
1364 : }
1365 :
1366 :
1367 34 : static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1368 : {
1369 34 : struct wpa_authenticator *wpa_auth = eloop_ctx;
1370 34 : struct wpa_state_machine *sm = timeout_ctx;
1371 :
1372 34 : sm->pending_1_of_4_timeout = 0;
1373 34 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1374 34 : sm->TimeoutEvt = TRUE;
1375 34 : wpa_sm_step(sm);
1376 34 : }
1377 :
1378 :
1379 2792 : void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1380 : struct wpa_state_machine *sm, int key_info,
1381 : const u8 *key_rsc, const u8 *nonce,
1382 : const u8 *kde, size_t kde_len,
1383 : int keyidx, int encr, int force_version)
1384 : {
1385 : struct ieee802_1x_hdr *hdr;
1386 : struct wpa_eapol_key *key;
1387 : struct wpa_eapol_key_192 *key192;
1388 : size_t len, mic_len, keyhdrlen;
1389 : int alg;
1390 2792 : int key_data_len, pad_len = 0;
1391 : u8 *buf, *pos;
1392 : int version, pairwise;
1393 : int i;
1394 : u8 *key_data;
1395 :
1396 2792 : mic_len = wpa_mic_len(sm->wpa_key_mgmt);
1397 2792 : keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key);
1398 :
1399 2792 : len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1400 :
1401 2792 : if (force_version)
1402 0 : version = force_version;
1403 5580 : else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1404 2788 : wpa_key_mgmt_suite_b(sm->wpa_key_mgmt))
1405 12 : version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1406 2780 : else if (wpa_use_aes_cmac(sm))
1407 107 : version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1408 2673 : else if (sm->pairwise != WPA_CIPHER_TKIP)
1409 2603 : version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1410 : else
1411 70 : version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1412 :
1413 2792 : pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1414 :
1415 11168 : wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1416 : "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1417 : "encr=%d)",
1418 : version,
1419 2792 : (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1420 2792 : (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1421 2792 : (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1422 2792 : (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1423 : pairwise, (unsigned long) kde_len, keyidx, encr);
1424 :
1425 2792 : key_data_len = kde_len;
1426 :
1427 2981 : if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1428 374 : sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1429 362 : wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1430 2722 : version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1431 1339 : pad_len = key_data_len % 8;
1432 1339 : if (pad_len)
1433 1256 : pad_len = 8 - pad_len;
1434 1339 : key_data_len += pad_len + 8;
1435 : }
1436 :
1437 2792 : len += key_data_len;
1438 :
1439 2792 : hdr = os_zalloc(len);
1440 2792 : if (hdr == NULL)
1441 1 : return;
1442 2791 : hdr->version = wpa_auth->conf.eapol_version;
1443 2791 : hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1444 2791 : hdr->length = host_to_be16(len - sizeof(*hdr));
1445 2791 : key = (struct wpa_eapol_key *) (hdr + 1);
1446 2791 : key192 = (struct wpa_eapol_key_192 *) (hdr + 1);
1447 2791 : key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
1448 :
1449 2791 : key->type = sm->wpa == WPA_VERSION_WPA2 ?
1450 : EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1451 2791 : key_info |= version;
1452 2791 : if (encr && sm->wpa == WPA_VERSION_WPA2)
1453 1340 : key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1454 2791 : if (sm->wpa != WPA_VERSION_WPA2)
1455 67 : key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1456 2791 : WPA_PUT_BE16(key->key_info, key_info);
1457 :
1458 2791 : alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1459 2791 : WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1460 2791 : if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
1461 8 : WPA_PUT_BE16(key->key_length, 0);
1462 :
1463 : /* FIX: STSL: what to use as key_replay_counter? */
1464 11164 : for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1465 8373 : sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1466 8373 : os_memcpy(sm->key_replay[i].counter,
1467 : sm->key_replay[i - 1].counter,
1468 : WPA_REPLAY_COUNTER_LEN);
1469 : }
1470 2791 : inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1471 2791 : os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1472 : WPA_REPLAY_COUNTER_LEN);
1473 2791 : wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1474 2791 : key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1475 2791 : sm->key_replay[0].valid = TRUE;
1476 :
1477 2791 : if (nonce)
1478 2788 : os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1479 :
1480 2791 : if (key_rsc)
1481 1361 : os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1482 :
1483 2791 : if (kde && !encr) {
1484 681 : os_memcpy(key_data, kde, kde_len);
1485 1362 : if (mic_len == 24)
1486 1 : WPA_PUT_BE16(key192->key_data_length, kde_len);
1487 : else
1488 680 : WPA_PUT_BE16(key->key_data_length, kde_len);
1489 2110 : } else if (encr && kde) {
1490 1363 : buf = os_zalloc(key_data_len);
1491 1363 : if (buf == NULL) {
1492 0 : os_free(hdr);
1493 0 : return;
1494 : }
1495 1363 : pos = buf;
1496 1363 : os_memcpy(pos, kde, kde_len);
1497 1363 : pos += kde_len;
1498 :
1499 1363 : if (pad_len)
1500 1256 : *pos++ = 0xdd;
1501 :
1502 1363 : wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1503 : buf, key_data_len);
1504 1448 : if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1505 168 : sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1506 162 : wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1507 : version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1508 1339 : if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
1509 1339 : (key_data_len - 8) / 8, buf, key_data)) {
1510 0 : os_free(hdr);
1511 0 : os_free(buf);
1512 0 : return;
1513 : }
1514 2678 : if (mic_len == 24)
1515 2 : WPA_PUT_BE16(key192->key_data_length,
1516 : key_data_len);
1517 : else
1518 1337 : WPA_PUT_BE16(key->key_data_length,
1519 : key_data_len);
1520 24 : } else if (sm->PTK.kek_len == 16) {
1521 : u8 ek[32];
1522 24 : os_memcpy(key->key_iv,
1523 : sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1524 24 : inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1525 24 : os_memcpy(ek, key->key_iv, 16);
1526 24 : os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
1527 24 : os_memcpy(key_data, buf, key_data_len);
1528 24 : rc4_skip(ek, 32, 256, key_data, key_data_len);
1529 24 : if (mic_len == 24)
1530 0 : WPA_PUT_BE16(key192->key_data_length,
1531 : key_data_len);
1532 : else
1533 24 : WPA_PUT_BE16(key->key_data_length,
1534 : key_data_len);
1535 : } else {
1536 0 : os_free(hdr);
1537 0 : os_free(buf);
1538 0 : return;
1539 : }
1540 1363 : os_free(buf);
1541 : }
1542 :
1543 2791 : if (key_info & WPA_KEY_INFO_MIC) {
1544 : u8 *key_mic;
1545 :
1546 1391 : if (!sm->PTK_valid) {
1547 0 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1548 : "PTK not valid when sending EAPOL-Key "
1549 : "frame");
1550 0 : os_free(hdr);
1551 0 : return;
1552 : }
1553 :
1554 1391 : key_mic = key192->key_mic; /* same offset for key and key192 */
1555 1391 : wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1556 : sm->wpa_key_mgmt, version,
1557 : (u8 *) hdr, len, key_mic);
1558 : #ifdef CONFIG_TESTING_OPTIONS
1559 1431 : if (!pairwise &&
1560 40 : wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
1561 0 : drand48() <
1562 0 : wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1563 0 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1564 : "Corrupting group EAPOL-Key Key MIC");
1565 0 : key_mic[0]++;
1566 : }
1567 : #endif /* CONFIG_TESTING_OPTIONS */
1568 : }
1569 :
1570 2791 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1571 : 1);
1572 2791 : wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1573 2791 : sm->pairwise_set);
1574 2791 : os_free(hdr);
1575 : }
1576 :
1577 :
1578 2784 : static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1579 : struct wpa_state_machine *sm, int key_info,
1580 : const u8 *key_rsc, const u8 *nonce,
1581 : const u8 *kde, size_t kde_len,
1582 : int keyidx, int encr)
1583 : {
1584 : int timeout_ms;
1585 2784 : int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1586 : int ctr;
1587 :
1588 2784 : if (sm == NULL)
1589 2784 : return;
1590 :
1591 2784 : __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1592 : keyidx, encr, 0);
1593 :
1594 2784 : ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1595 2784 : if (ctr == 1 && wpa_auth->conf.tx_status)
1596 2718 : timeout_ms = pairwise ? eapol_key_timeout_first :
1597 : eapol_key_timeout_first_group;
1598 : else
1599 66 : timeout_ms = eapol_key_timeout_subseq;
1600 2784 : if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1601 1366 : sm->pending_1_of_4_timeout = 1;
1602 2784 : wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1603 : "counter %d)", timeout_ms, ctr);
1604 2784 : eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1605 : wpa_send_eapol_timeout, wpa_auth, sm);
1606 : }
1607 :
1608 :
1609 2762 : static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
1610 : size_t data_len)
1611 : {
1612 : struct ieee802_1x_hdr *hdr;
1613 : struct wpa_eapol_key *key;
1614 : struct wpa_eapol_key_192 *key192;
1615 : u16 key_info;
1616 2762 : int ret = 0;
1617 : u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
1618 2762 : size_t mic_len = wpa_mic_len(akmp);
1619 :
1620 2762 : if (data_len < sizeof(*hdr) + sizeof(*key))
1621 0 : return -1;
1622 :
1623 2762 : hdr = (struct ieee802_1x_hdr *) data;
1624 2762 : key = (struct wpa_eapol_key *) (hdr + 1);
1625 2762 : key192 = (struct wpa_eapol_key_192 *) (hdr + 1);
1626 2762 : key_info = WPA_GET_BE16(key->key_info);
1627 2762 : os_memcpy(mic, key192->key_mic, mic_len);
1628 2762 : os_memset(key192->key_mic, 0, mic_len);
1629 2762 : if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1630 : key_info & WPA_KEY_INFO_TYPE_MASK,
1631 5524 : data, data_len, key192->key_mic) ||
1632 2762 : os_memcmp_const(mic, key192->key_mic, mic_len) != 0)
1633 17 : ret = -1;
1634 2762 : os_memcpy(key192->key_mic, mic, mic_len);
1635 2762 : return ret;
1636 : }
1637 :
1638 :
1639 9745 : void wpa_remove_ptk(struct wpa_state_machine *sm)
1640 : {
1641 9745 : sm->PTK_valid = FALSE;
1642 9745 : os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1643 9745 : wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
1644 9745 : sm->pairwise_set = FALSE;
1645 9745 : eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1646 9745 : }
1647 :
1648 :
1649 7422 : int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event)
1650 : {
1651 7422 : int remove_ptk = 1;
1652 :
1653 7422 : if (sm == NULL)
1654 3806 : return -1;
1655 :
1656 3616 : wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1657 : "event %d notification", event);
1658 :
1659 3616 : switch (event) {
1660 : case WPA_AUTH:
1661 : #ifdef CONFIG_MESH
1662 : /* PTKs are derived through AMPE */
1663 13 : if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1664 : /* not mesh */
1665 5 : break;
1666 : }
1667 8 : return 0;
1668 : #endif /* CONFIG_MESH */
1669 : case WPA_ASSOC:
1670 1785 : break;
1671 : case WPA_DEAUTH:
1672 : case WPA_DISASSOC:
1673 1504 : sm->DeauthenticationRequest = TRUE;
1674 1504 : break;
1675 : case WPA_REAUTH:
1676 : case WPA_REAUTH_EAPOL:
1677 93 : if (!sm->started) {
1678 : /*
1679 : * When using WPS, we may end up here if the STA
1680 : * manages to re-associate without the previous STA
1681 : * entry getting removed. Consequently, we need to make
1682 : * sure that the WPA state machines gets initialized
1683 : * properly at this point.
1684 : */
1685 0 : wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1686 : "started - initialize now");
1687 0 : sm->started = 1;
1688 0 : sm->Init = TRUE;
1689 0 : if (wpa_sm_step(sm) == 1)
1690 0 : return 1; /* should not really happen */
1691 0 : sm->Init = FALSE;
1692 0 : sm->AuthenticationRequest = TRUE;
1693 0 : break;
1694 : }
1695 93 : if (sm->GUpdateStationKeys) {
1696 : /*
1697 : * Reauthentication cancels the pending group key
1698 : * update for this STA.
1699 : */
1700 0 : sm->group->GKeyDoneStations--;
1701 0 : sm->GUpdateStationKeys = FALSE;
1702 0 : sm->PtkGroupInit = TRUE;
1703 : }
1704 93 : sm->ReAuthenticationRequest = TRUE;
1705 93 : break;
1706 : case WPA_ASSOC_FT:
1707 : #ifdef CONFIG_IEEE80211R
1708 221 : wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1709 : "after association");
1710 221 : wpa_ft_install_ptk(sm);
1711 :
1712 : /* Using FT protocol, not WPA auth state machine */
1713 221 : sm->ft_completed = 1;
1714 221 : return 0;
1715 : #else /* CONFIG_IEEE80211R */
1716 : break;
1717 : #endif /* CONFIG_IEEE80211R */
1718 : }
1719 :
1720 : #ifdef CONFIG_IEEE80211R
1721 3387 : sm->ft_completed = 0;
1722 : #endif /* CONFIG_IEEE80211R */
1723 :
1724 : #ifdef CONFIG_IEEE80211W
1725 3387 : if (sm->mgmt_frame_prot && event == WPA_AUTH)
1726 4 : remove_ptk = 0;
1727 : #endif /* CONFIG_IEEE80211W */
1728 :
1729 3387 : if (remove_ptk) {
1730 3383 : sm->PTK_valid = FALSE;
1731 3383 : os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1732 :
1733 3383 : if (event != WPA_REAUTH_EAPOL)
1734 3297 : wpa_remove_ptk(sm);
1735 : }
1736 :
1737 3387 : return wpa_sm_step(sm);
1738 : }
1739 :
1740 :
1741 3140 : SM_STATE(WPA_PTK, INITIALIZE)
1742 : {
1743 3140 : SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1744 3140 : if (sm->Init) {
1745 : /* Init flag is not cleared here, so avoid busy
1746 : * loop by claiming nothing changed. */
1747 1634 : sm->changed = FALSE;
1748 : }
1749 :
1750 3140 : sm->keycount = 0;
1751 3140 : if (sm->GUpdateStationKeys)
1752 0 : sm->group->GKeyDoneStations--;
1753 3140 : sm->GUpdateStationKeys = FALSE;
1754 3140 : if (sm->wpa == WPA_VERSION_WPA)
1755 31 : sm->PInitAKeys = FALSE;
1756 : if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1757 : * Local AA > Remote AA)) */) {
1758 3140 : sm->Pair = TRUE;
1759 : }
1760 3140 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1761 3140 : wpa_remove_ptk(sm);
1762 3140 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1763 3140 : sm->TimeoutCtr = 0;
1764 3140 : if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1765 1220 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1766 : WPA_EAPOL_authorized, 0);
1767 : }
1768 3140 : }
1769 :
1770 :
1771 21 : SM_STATE(WPA_PTK, DISCONNECT)
1772 : {
1773 21 : SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1774 21 : sm->Disconnect = FALSE;
1775 21 : wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1776 21 : }
1777 :
1778 :
1779 1506 : SM_STATE(WPA_PTK, DISCONNECTED)
1780 : {
1781 1506 : SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1782 1506 : sm->DeauthenticationRequest = FALSE;
1783 1506 : }
1784 :
1785 :
1786 1634 : SM_STATE(WPA_PTK, AUTHENTICATION)
1787 : {
1788 1634 : SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1789 1634 : os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1790 1634 : sm->PTK_valid = FALSE;
1791 1634 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1792 : 1);
1793 1634 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1794 1634 : sm->AuthenticationRequest = FALSE;
1795 1634 : }
1796 :
1797 :
1798 1798 : static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1799 : struct wpa_group *group)
1800 : {
1801 1798 : if (group->first_sta_seen)
1802 2881 : return;
1803 : /*
1804 : * System has run bit further than at the time hostapd was started
1805 : * potentially very early during boot up. This provides better chances
1806 : * of collecting more randomness on embedded systems. Re-initialize the
1807 : * GMK and Counter here to improve their strength if there was not
1808 : * enough entropy available immediately after system startup.
1809 : */
1810 715 : wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1811 : "station");
1812 : if (random_pool_ready() != 1) {
1813 : wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1814 : "to proceed - reject first 4-way handshake");
1815 : group->reject_4way_hs_for_entropy = TRUE;
1816 : } else {
1817 715 : group->first_sta_seen = TRUE;
1818 715 : group->reject_4way_hs_for_entropy = FALSE;
1819 : }
1820 :
1821 715 : wpa_group_init_gmk_and_counter(wpa_auth, group);
1822 715 : wpa_gtk_update(wpa_auth, group);
1823 715 : wpa_group_config_group_keys(wpa_auth, group);
1824 : }
1825 :
1826 :
1827 1798 : SM_STATE(WPA_PTK, AUTHENTICATION2)
1828 : {
1829 1798 : SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1830 :
1831 1798 : wpa_group_ensure_init(sm->wpa_auth, sm->group);
1832 1798 : sm->ReAuthenticationRequest = FALSE;
1833 :
1834 : /*
1835 : * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1836 : * ambiguous. The Authenticator state machine uses a counter that is
1837 : * incremented by one for each 4-way handshake. However, the security
1838 : * analysis of 4-way handshake points out that unpredictable nonces
1839 : * help in preventing precomputation attacks. Instead of the state
1840 : * machine definition, use an unpredictable nonce value here to provide
1841 : * stronger protection against potential precomputation attacks.
1842 : */
1843 1798 : if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1844 0 : wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1845 : "ANonce.");
1846 0 : sm->Disconnect = TRUE;
1847 1798 : return;
1848 : }
1849 1798 : wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1850 : WPA_NONCE_LEN);
1851 : /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1852 : * logical place than INITIALIZE since AUTHENTICATION2 can be
1853 : * re-entered on ReAuthenticationRequest without going through
1854 : * INITIALIZE. */
1855 1798 : sm->TimeoutCtr = 0;
1856 : }
1857 :
1858 :
1859 675 : SM_STATE(WPA_PTK, INITPMK)
1860 : {
1861 : u8 msk[2 * PMK_LEN];
1862 675 : size_t len = 2 * PMK_LEN;
1863 :
1864 675 : SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1865 : #ifdef CONFIG_IEEE80211R
1866 675 : sm->xxkey_len = 0;
1867 : #endif /* CONFIG_IEEE80211R */
1868 675 : if (sm->pmksa) {
1869 31 : wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1870 31 : os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN);
1871 644 : } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1872 628 : wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1873 : "(len=%lu)", (unsigned long) len);
1874 628 : os_memcpy(sm->PMK, msk, PMK_LEN);
1875 : #ifdef CONFIG_IEEE80211R
1876 628 : if (len >= 2 * PMK_LEN) {
1877 628 : os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1878 628 : sm->xxkey_len = PMK_LEN;
1879 : }
1880 : #endif /* CONFIG_IEEE80211R */
1881 : } else {
1882 16 : wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
1883 16 : sm->wpa_auth->cb.get_msk);
1884 16 : sm->Disconnect = TRUE;
1885 691 : return;
1886 : }
1887 659 : os_memset(msk, 0, sizeof(msk));
1888 :
1889 659 : sm->req_replay_counter_used = 0;
1890 : /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1891 : * will break reauthentication since EAPOL state machines may not be
1892 : * get into AUTHENTICATING state that clears keyRun before WPA state
1893 : * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1894 : * state and takes PMK from the previously used AAA Key. This will
1895 : * eventually fail in 4-Way Handshake because Supplicant uses PMK
1896 : * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1897 : * be good workaround for this issue. */
1898 659 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1899 : }
1900 :
1901 :
1902 707 : SM_STATE(WPA_PTK, INITPSK)
1903 : {
1904 : const u8 *psk;
1905 707 : SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
1906 707 : psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
1907 707 : if (psk) {
1908 707 : os_memcpy(sm->PMK, psk, PMK_LEN);
1909 : #ifdef CONFIG_IEEE80211R
1910 707 : os_memcpy(sm->xxkey, psk, PMK_LEN);
1911 707 : sm->xxkey_len = PMK_LEN;
1912 : #endif /* CONFIG_IEEE80211R */
1913 : }
1914 707 : sm->req_replay_counter_used = 0;
1915 707 : }
1916 :
1917 :
1918 1406 : SM_STATE(WPA_PTK, PTKSTART)
1919 : {
1920 1406 : u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
1921 1406 : size_t pmkid_len = 0;
1922 :
1923 1406 : SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
1924 1406 : sm->PTKRequest = FALSE;
1925 1406 : sm->TimeoutEvt = FALSE;
1926 1406 : sm->alt_snonce_valid = FALSE;
1927 :
1928 1406 : sm->TimeoutCtr++;
1929 1406 : if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1930 : /* No point in sending the EAPOL-Key - we will disconnect
1931 : * immediately following this. */
1932 1411 : return;
1933 : }
1934 :
1935 1401 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1936 : "sending 1/4 msg of 4-Way Handshake");
1937 : /*
1938 : * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
1939 : * one possible PSK for this STA.
1940 : */
1941 2780 : if (sm->wpa == WPA_VERSION_WPA2 &&
1942 2037 : wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
1943 658 : sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
1944 656 : pmkid = buf;
1945 656 : pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
1946 656 : pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
1947 656 : pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
1948 656 : RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
1949 656 : if (sm->pmksa) {
1950 31 : os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
1951 : sm->pmksa->pmkid, PMKID_LEN);
1952 625 : } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
1953 : /* No KCK available to derive PMKID */
1954 2 : pmkid = NULL;
1955 : } else {
1956 : /*
1957 : * Calculate PMKID since no PMKSA cache entry was
1958 : * available with pre-calculated PMKID.
1959 : */
1960 1246 : rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr,
1961 623 : sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
1962 : wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
1963 : }
1964 : }
1965 1401 : wpa_send_eapol(sm->wpa_auth, sm,
1966 : WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
1967 1401 : sm->ANonce, pmkid, pmkid_len, 0, 0);
1968 : }
1969 :
1970 :
1971 1369 : static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
1972 : const u8 *pmk, struct wpa_ptk *ptk)
1973 : {
1974 : #ifdef CONFIG_IEEE80211R
1975 1369 : if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
1976 25 : return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
1977 : #endif /* CONFIG_IEEE80211R */
1978 :
1979 2688 : return wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion",
1980 1344 : sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
1981 : ptk, sm->wpa_key_mgmt, sm->pairwise);
1982 : }
1983 :
1984 :
1985 1368 : SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
1986 : {
1987 : struct wpa_ptk PTK;
1988 1368 : int ok = 0;
1989 1368 : const u8 *pmk = NULL;
1990 :
1991 1368 : SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
1992 1368 : sm->EAPOLKeyReceived = FALSE;
1993 1368 : sm->update_snonce = FALSE;
1994 :
1995 : /* WPA with IEEE 802.1X: use the derived PMK from EAP
1996 : * WPA-PSK: iterate through possible PSKs and select the one matching
1997 : * the packet */
1998 : for (;;) {
1999 1384 : if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2000 726 : pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2001 726 : sm->p2p_dev_addr, pmk);
2002 726 : if (pmk == NULL)
2003 16 : break;
2004 : } else
2005 658 : pmk = sm->PMK;
2006 :
2007 1368 : wpa_derive_ptk(sm, sm->SNonce, pmk, &PTK);
2008 :
2009 1368 : if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK,
2010 : sm->last_rx_eapol_key,
2011 : sm->last_rx_eapol_key_len) == 0) {
2012 1352 : ok = 1;
2013 1352 : break;
2014 : }
2015 :
2016 16 : if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
2017 0 : break;
2018 16 : }
2019 :
2020 1368 : if (!ok) {
2021 16 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2022 : "invalid MIC in msg 2/4 of 4-Way Handshake");
2023 16 : return;
2024 : }
2025 :
2026 : #ifdef CONFIG_IEEE80211R
2027 1352 : if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2028 : /*
2029 : * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2030 : * with the value we derived.
2031 : */
2032 25 : if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2033 : WPA_PMK_NAME_LEN) != 0) {
2034 0 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2035 : "PMKR1Name mismatch in FT 4-way "
2036 : "handshake");
2037 0 : wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2038 : "Supplicant",
2039 0 : sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2040 0 : wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2041 0 : sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2042 0 : return;
2043 : }
2044 : }
2045 : #endif /* CONFIG_IEEE80211R */
2046 :
2047 1352 : sm->pending_1_of_4_timeout = 0;
2048 1352 : eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2049 :
2050 1352 : if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2051 : /* PSK may have changed from the previous choice, so update
2052 : * state machine data based on whatever PSK was selected here.
2053 : */
2054 694 : os_memcpy(sm->PMK, pmk, PMK_LEN);
2055 : }
2056 :
2057 1352 : sm->MICVerified = TRUE;
2058 :
2059 1352 : os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2060 1352 : sm->PTK_valid = TRUE;
2061 : }
2062 :
2063 :
2064 1352 : SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2065 : {
2066 1352 : SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2067 1352 : sm->TimeoutCtr = 0;
2068 1352 : }
2069 :
2070 :
2071 : #ifdef CONFIG_IEEE80211W
2072 :
2073 1362 : static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2074 : {
2075 1362 : if (sm->mgmt_frame_prot) {
2076 : size_t len;
2077 46 : len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2078 46 : return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
2079 : }
2080 :
2081 1316 : return 0;
2082 : }
2083 :
2084 :
2085 1360 : static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2086 : {
2087 : struct wpa_igtk_kde igtk;
2088 1360 : struct wpa_group *gsm = sm->group;
2089 : u8 rsc[WPA_KEY_RSC_LEN];
2090 1360 : size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2091 :
2092 1360 : if (!sm->mgmt_frame_prot)
2093 1314 : return pos;
2094 :
2095 46 : igtk.keyid[0] = gsm->GN_igtk;
2096 46 : igtk.keyid[1] = 0;
2097 92 : if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
2098 46 : wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
2099 0 : os_memset(igtk.pn, 0, sizeof(igtk.pn));
2100 : else
2101 46 : os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
2102 46 : os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
2103 46 : if (sm->wpa_auth->conf.disable_gtk) {
2104 : /*
2105 : * Provide unique random IGTK to each STA to prevent use of
2106 : * IGTK in the BSS.
2107 : */
2108 2 : if (random_get_bytes(igtk.igtk, len) < 0)
2109 0 : return pos;
2110 : }
2111 46 : pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
2112 : (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2113 : NULL, 0);
2114 :
2115 46 : return pos;
2116 : }
2117 :
2118 : #else /* CONFIG_IEEE80211W */
2119 :
2120 : static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2121 : {
2122 : return 0;
2123 : }
2124 :
2125 :
2126 : static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2127 : {
2128 : return pos;
2129 : }
2130 :
2131 : #endif /* CONFIG_IEEE80211W */
2132 :
2133 :
2134 1353 : SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2135 : {
2136 : u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
2137 : size_t gtk_len, kde_len;
2138 1353 : struct wpa_group *gsm = sm->group;
2139 : u8 *wpa_ie;
2140 1353 : int wpa_ie_len, secure, keyidx, encr = 0;
2141 :
2142 1353 : SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2143 1353 : sm->TimeoutEvt = FALSE;
2144 :
2145 1353 : sm->TimeoutCtr++;
2146 1353 : if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
2147 : /* No point in sending the EAPOL-Key - we will disconnect
2148 : * immediately following this. */
2149 2 : return;
2150 : }
2151 :
2152 : /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2153 : GTK[GN], IGTK, [FTIE], [TIE * 2])
2154 : */
2155 1353 : os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2156 1353 : wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2157 : /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
2158 1353 : wpa_ie = sm->wpa_auth->wpa_ie;
2159 1353 : wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2160 1375 : if (sm->wpa == WPA_VERSION_WPA &&
2161 27 : (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2162 10 : wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
2163 : /* WPA-only STA, remove RSN IE and possible MDIE */
2164 5 : wpa_ie = wpa_ie + wpa_ie[1] + 2;
2165 5 : if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2166 2 : wpa_ie = wpa_ie + wpa_ie[1] + 2;
2167 5 : wpa_ie_len = wpa_ie[1] + 2;
2168 : }
2169 1353 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2170 : "sending 3/4 msg of 4-Way Handshake");
2171 1353 : if (sm->wpa == WPA_VERSION_WPA2) {
2172 : /* WPA2 send GTK in the 4-way handshake */
2173 1331 : secure = 1;
2174 1331 : gtk = gsm->GTK[gsm->GN - 1];
2175 1331 : gtk_len = gsm->GTK_len;
2176 1331 : if (sm->wpa_auth->conf.disable_gtk) {
2177 : /*
2178 : * Provide unique random GTK to each STA to prevent use
2179 : * of GTK in the BSS.
2180 : */
2181 10 : if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2182 0 : return;
2183 10 : gtk = dummy_gtk;
2184 : }
2185 1331 : keyidx = gsm->GN;
2186 1331 : _rsc = rsc;
2187 1331 : encr = 1;
2188 : } else {
2189 : /* WPA does not include GTK in msg 3/4 */
2190 22 : secure = 0;
2191 22 : gtk = NULL;
2192 22 : gtk_len = 0;
2193 22 : keyidx = 0;
2194 22 : _rsc = NULL;
2195 22 : if (sm->rx_eapol_key_secure) {
2196 : /*
2197 : * It looks like Windows 7 supplicant tries to use
2198 : * Secure bit in msg 2/4 after having reported Michael
2199 : * MIC failure and it then rejects the 4-way handshake
2200 : * if msg 3/4 does not set Secure bit. Work around this
2201 : * by setting the Secure bit here even in the case of
2202 : * WPA if the supplicant used it first.
2203 : */
2204 0 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2205 : "STA used Secure bit in WPA msg 2/4 - "
2206 : "set Secure for 3/4 as workaround");
2207 0 : secure = 1;
2208 : }
2209 : }
2210 :
2211 1353 : kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2212 1353 : if (gtk)
2213 1331 : kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
2214 : #ifdef CONFIG_IEEE80211R
2215 1353 : if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2216 25 : kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2217 25 : kde_len += 300; /* FTIE + 2 * TIE */
2218 : }
2219 : #endif /* CONFIG_IEEE80211R */
2220 : #ifdef CONFIG_P2P
2221 220 : if (WPA_GET_BE32(sm->ip_addr) > 0)
2222 72 : kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2223 : #endif /* CONFIG_P2P */
2224 1353 : kde = os_malloc(kde_len);
2225 1353 : if (kde == NULL)
2226 2 : return;
2227 :
2228 1351 : pos = kde;
2229 1351 : os_memcpy(pos, wpa_ie, wpa_ie_len);
2230 1351 : pos += wpa_ie_len;
2231 : #ifdef CONFIG_IEEE80211R
2232 1351 : if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2233 25 : int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name);
2234 25 : if (res < 0) {
2235 0 : wpa_printf(MSG_ERROR, "FT: Failed to insert "
2236 : "PMKR1Name into RSN IE in EAPOL-Key data");
2237 0 : os_free(kde);
2238 0 : return;
2239 : }
2240 25 : pos += res;
2241 : }
2242 : #endif /* CONFIG_IEEE80211R */
2243 1351 : if (gtk) {
2244 : u8 hdr[2];
2245 1329 : hdr[0] = keyidx & 0x03;
2246 1329 : hdr[1] = 0;
2247 1329 : pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2248 : gtk, gtk_len);
2249 : }
2250 1351 : pos = ieee80211w_kde_add(sm, pos);
2251 :
2252 : #ifdef CONFIG_IEEE80211R
2253 1351 : if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2254 : int res;
2255 : struct wpa_auth_config *conf;
2256 :
2257 25 : conf = &sm->wpa_auth->conf;
2258 25 : res = wpa_write_ftie(conf, conf->r0_key_holder,
2259 : conf->r0_key_holder_len,
2260 25 : NULL, NULL, pos, kde + kde_len - pos,
2261 : NULL, 0);
2262 25 : if (res < 0) {
2263 0 : wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2264 : "into EAPOL-Key Key Data");
2265 0 : os_free(kde);
2266 0 : return;
2267 : }
2268 25 : pos += res;
2269 :
2270 : /* TIE[ReassociationDeadline] (TU) */
2271 25 : *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2272 25 : *pos++ = 5;
2273 25 : *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2274 25 : WPA_PUT_LE32(pos, conf->reassociation_deadline);
2275 25 : pos += 4;
2276 :
2277 : /* TIE[KeyLifetime] (seconds) */
2278 25 : *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2279 25 : *pos++ = 5;
2280 25 : *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2281 25 : WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2282 25 : pos += 4;
2283 : }
2284 : #endif /* CONFIG_IEEE80211R */
2285 : #ifdef CONFIG_P2P
2286 220 : if (WPA_GET_BE32(sm->ip_addr) > 0) {
2287 : u8 addr[3 * 4];
2288 72 : os_memcpy(addr, sm->ip_addr, 4);
2289 72 : os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
2290 72 : os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
2291 72 : pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
2292 : addr, sizeof(addr), NULL, 0);
2293 : }
2294 : #endif /* CONFIG_P2P */
2295 :
2296 2702 : wpa_send_eapol(sm->wpa_auth, sm,
2297 : (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
2298 : WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2299 : WPA_KEY_INFO_KEY_TYPE,
2300 2702 : _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2301 1351 : os_free(kde);
2302 : }
2303 :
2304 :
2305 1346 : SM_STATE(WPA_PTK, PTKINITDONE)
2306 : {
2307 1346 : SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2308 1346 : sm->EAPOLKeyReceived = FALSE;
2309 1346 : if (sm->Pair) {
2310 1346 : enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2311 1346 : int klen = wpa_cipher_key_len(sm->pairwise);
2312 2692 : if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2313 1346 : sm->PTK.tk, klen)) {
2314 0 : wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2315 1346 : return;
2316 : }
2317 : /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2318 1346 : sm->pairwise_set = TRUE;
2319 :
2320 1346 : if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2321 6 : eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2322 6 : eloop_register_timeout(sm->wpa_auth->conf.
2323 : wpa_ptk_rekey, 0, wpa_rekey_ptk,
2324 6 : sm->wpa_auth, sm);
2325 : }
2326 :
2327 1346 : if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2328 690 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2329 : WPA_EAPOL_authorized, 1);
2330 : }
2331 : }
2332 :
2333 : if (0 /* IBSS == TRUE */) {
2334 : sm->keycount++;
2335 : if (sm->keycount == 2) {
2336 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2337 : WPA_EAPOL_portValid, 1);
2338 : }
2339 : } else {
2340 1346 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2341 : 1);
2342 : }
2343 1346 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2344 1346 : wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2345 1346 : if (sm->wpa == WPA_VERSION_WPA)
2346 22 : sm->PInitAKeys = TRUE;
2347 : else
2348 1324 : sm->has_GTK = TRUE;
2349 1346 : wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2350 : "pairwise key handshake completed (%s)",
2351 1346 : sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2352 :
2353 : #ifdef CONFIG_IEEE80211R
2354 1346 : wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
2355 : #endif /* CONFIG_IEEE80211R */
2356 : }
2357 :
2358 :
2359 37500 : SM_STEP(WPA_PTK)
2360 : {
2361 37500 : struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2362 :
2363 37500 : if (sm->Init)
2364 1634 : SM_ENTER(WPA_PTK, INITIALIZE);
2365 35866 : else if (sm->Disconnect
2366 : /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2367 16 : wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2368 : "WPA_PTK: sm->Disconnect");
2369 16 : SM_ENTER(WPA_PTK, DISCONNECT);
2370 : }
2371 35850 : else if (sm->DeauthenticationRequest)
2372 1504 : SM_ENTER(WPA_PTK, DISCONNECTED);
2373 34346 : else if (sm->AuthenticationRequest)
2374 1634 : SM_ENTER(WPA_PTK, AUTHENTICATION);
2375 32712 : else if (sm->ReAuthenticationRequest)
2376 164 : SM_ENTER(WPA_PTK, AUTHENTICATION2);
2377 32548 : else if (sm->PTKRequest)
2378 8 : SM_ENTER(WPA_PTK, PTKSTART);
2379 32540 : else switch (sm->wpa_ptk_state) {
2380 : case WPA_PTK_INITIALIZE:
2381 3746 : break;
2382 : case WPA_PTK_DISCONNECT:
2383 2 : SM_ENTER(WPA_PTK, DISCONNECTED);
2384 2 : break;
2385 : case WPA_PTK_DISCONNECTED:
2386 1506 : SM_ENTER(WPA_PTK, INITIALIZE);
2387 1506 : break;
2388 : case WPA_PTK_AUTHENTICATION:
2389 1634 : SM_ENTER(WPA_PTK, AUTHENTICATION2);
2390 1634 : break;
2391 : case WPA_PTK_AUTHENTICATION2:
2392 26629 : if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2393 12961 : wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2394 : WPA_EAPOL_keyRun) > 0)
2395 675 : SM_ENTER(WPA_PTK, INITPMK);
2396 12993 : else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
2397 : /* FIX: && 802.1X::keyRun */)
2398 707 : SM_ENTER(WPA_PTK, INITPSK);
2399 13668 : break;
2400 : case WPA_PTK_INITPMK:
2401 659 : if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2402 : WPA_EAPOL_keyAvailable) > 0)
2403 659 : SM_ENTER(WPA_PTK, PTKSTART);
2404 : else {
2405 0 : wpa_auth->dot11RSNA4WayHandshakeFailures++;
2406 0 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2407 : "INITPMK - keyAvailable = false");
2408 0 : SM_ENTER(WPA_PTK, DISCONNECT);
2409 : }
2410 659 : break;
2411 : case WPA_PTK_INITPSK:
2412 707 : if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
2413 : NULL))
2414 707 : SM_ENTER(WPA_PTK, PTKSTART);
2415 : else {
2416 0 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2417 : "no PSK configured for the STA");
2418 0 : wpa_auth->dot11RSNA4WayHandshakeFailures++;
2419 0 : SM_ENTER(WPA_PTK, DISCONNECT);
2420 : }
2421 707 : break;
2422 : case WPA_PTK_PTKSTART:
2423 4242 : if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2424 1366 : sm->EAPOLKeyPairwise)
2425 1366 : SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2426 3020 : else if (sm->TimeoutCtr >
2427 1510 : (int) dot11RSNAConfigPairwiseUpdateCount) {
2428 5 : wpa_auth->dot11RSNA4WayHandshakeFailures++;
2429 5 : wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2430 : "PTKSTART: Retry limit %d reached",
2431 : dot11RSNAConfigPairwiseUpdateCount);
2432 5 : SM_ENTER(WPA_PTK, DISCONNECT);
2433 1505 : } else if (sm->TimeoutEvt)
2434 17 : SM_ENTER(WPA_PTK, PTKSTART);
2435 2876 : break;
2436 : case WPA_PTK_PTKCALCNEGOTIATING:
2437 1383 : if (sm->MICVerified)
2438 1352 : SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
2439 31 : else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2440 0 : sm->EAPOLKeyPairwise)
2441 0 : SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2442 31 : else if (sm->TimeoutEvt)
2443 15 : SM_ENTER(WPA_PTK, PTKSTART);
2444 1383 : break;
2445 : case WPA_PTK_PTKCALCNEGOTIATING2:
2446 1352 : SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2447 1352 : break;
2448 : case WPA_PTK_PTKINITNEGOTIATING:
2449 2707 : if (sm->update_snonce)
2450 2 : SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2451 4051 : else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2452 2692 : sm->EAPOLKeyPairwise && sm->MICVerified)
2453 1346 : SM_ENTER(WPA_PTK, PTKINITDONE);
2454 2718 : else if (sm->TimeoutCtr >
2455 1359 : (int) dot11RSNAConfigPairwiseUpdateCount) {
2456 0 : wpa_auth->dot11RSNA4WayHandshakeFailures++;
2457 0 : wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2458 : "PTKINITNEGOTIATING: Retry limit %d "
2459 : "reached",
2460 : dot11RSNAConfigPairwiseUpdateCount);
2461 0 : SM_ENTER(WPA_PTK, DISCONNECT);
2462 1359 : } else if (sm->TimeoutEvt)
2463 1 : SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2464 2707 : break;
2465 : case WPA_PTK_PTKINITDONE:
2466 2300 : break;
2467 : }
2468 37500 : }
2469 :
2470 :
2471 1664 : SM_STATE(WPA_PTK_GROUP, IDLE)
2472 : {
2473 1664 : SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
2474 1664 : if (sm->Init) {
2475 : /* Init flag is not cleared here, so avoid busy
2476 : * loop by claiming nothing changed. */
2477 1634 : sm->changed = FALSE;
2478 : }
2479 1664 : sm->GTimeoutCtr = 0;
2480 1664 : }
2481 :
2482 :
2483 32 : SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
2484 : {
2485 : u8 rsc[WPA_KEY_RSC_LEN];
2486 32 : struct wpa_group *gsm = sm->group;
2487 : const u8 *kde;
2488 32 : u8 *kde_buf = NULL, *pos, hdr[2];
2489 : size_t kde_len;
2490 : u8 *gtk, dummy_gtk[32];
2491 :
2492 32 : SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
2493 :
2494 32 : sm->GTimeoutCtr++;
2495 32 : if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
2496 : /* No point in sending the EAPOL-Key - we will disconnect
2497 : * immediately following this. */
2498 0 : return;
2499 : }
2500 :
2501 32 : if (sm->wpa == WPA_VERSION_WPA)
2502 23 : sm->PInitAKeys = FALSE;
2503 32 : sm->TimeoutEvt = FALSE;
2504 : /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
2505 32 : os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2506 32 : if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
2507 23 : wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2508 32 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2509 : "sending 1/2 msg of Group Key Handshake");
2510 :
2511 32 : gtk = gsm->GTK[gsm->GN - 1];
2512 32 : if (sm->wpa_auth->conf.disable_gtk) {
2513 : /*
2514 : * Provide unique random GTK to each STA to prevent use
2515 : * of GTK in the BSS.
2516 : */
2517 0 : if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
2518 0 : return;
2519 0 : gtk = dummy_gtk;
2520 : }
2521 32 : if (sm->wpa == WPA_VERSION_WPA2) {
2522 18 : kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
2523 9 : ieee80211w_kde_len(sm);
2524 9 : kde_buf = os_malloc(kde_len);
2525 9 : if (kde_buf == NULL)
2526 0 : return;
2527 :
2528 9 : kde = pos = kde_buf;
2529 9 : hdr[0] = gsm->GN & 0x03;
2530 9 : hdr[1] = 0;
2531 9 : pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2532 9 : gtk, gsm->GTK_len);
2533 9 : pos = ieee80211w_kde_add(sm, pos);
2534 9 : kde_len = pos - kde;
2535 : } else {
2536 23 : kde = gtk;
2537 23 : kde_len = gsm->GTK_len;
2538 : }
2539 :
2540 64 : wpa_send_eapol(sm->wpa_auth, sm,
2541 : WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
2542 : WPA_KEY_INFO_ACK |
2543 32 : (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
2544 32 : rsc, gsm->GNonce, kde, kde_len, gsm->GN, 1);
2545 :
2546 32 : os_free(kde_buf);
2547 : }
2548 :
2549 :
2550 30 : SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
2551 : {
2552 30 : SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
2553 30 : sm->EAPOLKeyReceived = FALSE;
2554 30 : if (sm->GUpdateStationKeys)
2555 9 : sm->group->GKeyDoneStations--;
2556 30 : sm->GUpdateStationKeys = FALSE;
2557 30 : sm->GTimeoutCtr = 0;
2558 : /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
2559 30 : wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2560 : "group key handshake completed (%s)",
2561 30 : sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2562 30 : sm->has_GTK = TRUE;
2563 30 : }
2564 :
2565 :
2566 0 : SM_STATE(WPA_PTK_GROUP, KEYERROR)
2567 : {
2568 0 : SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
2569 0 : if (sm->GUpdateStationKeys)
2570 0 : sm->group->GKeyDoneStations--;
2571 0 : sm->GUpdateStationKeys = FALSE;
2572 0 : sm->Disconnect = TRUE;
2573 0 : }
2574 :
2575 :
2576 37500 : SM_STEP(WPA_PTK_GROUP)
2577 : {
2578 37500 : if (sm->Init || sm->PtkGroupInit) {
2579 1634 : SM_ENTER(WPA_PTK_GROUP, IDLE);
2580 1634 : sm->PtkGroupInit = FALSE;
2581 35866 : } else switch (sm->wpa_ptk_group_state) {
2582 : case WPA_PTK_GROUP_IDLE:
2583 71526 : if (sm->GUpdateStationKeys ||
2584 36097 : (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
2585 32 : SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2586 35768 : break;
2587 : case WPA_PTK_GROUP_REKEYNEGOTIATING:
2588 98 : if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2589 60 : !sm->EAPOLKeyPairwise && sm->MICVerified)
2590 30 : SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
2591 76 : else if (sm->GTimeoutCtr >
2592 38 : (int) dot11RSNAConfigGroupUpdateCount)
2593 0 : SM_ENTER(WPA_PTK_GROUP, KEYERROR);
2594 38 : else if (sm->TimeoutEvt)
2595 0 : SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2596 68 : break;
2597 : case WPA_PTK_GROUP_KEYERROR:
2598 0 : SM_ENTER(WPA_PTK_GROUP, IDLE);
2599 0 : break;
2600 : case WPA_PTK_GROUP_REKEYESTABLISHED:
2601 30 : SM_ENTER(WPA_PTK_GROUP, IDLE);
2602 30 : break;
2603 : }
2604 37500 : }
2605 :
2606 :
2607 1716 : static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
2608 : struct wpa_group *group)
2609 : {
2610 1716 : int ret = 0;
2611 :
2612 1716 : os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2613 1716 : inc_byte_array(group->Counter, WPA_NONCE_LEN);
2614 3432 : if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
2615 1716 : wpa_auth->addr, group->GNonce,
2616 3432 : group->GTK[group->GN - 1], group->GTK_len) < 0)
2617 0 : ret = -1;
2618 3432 : wpa_hexdump_key(MSG_DEBUG, "GTK",
2619 3432 : group->GTK[group->GN - 1], group->GTK_len);
2620 :
2621 : #ifdef CONFIG_IEEE80211W
2622 1716 : if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2623 : size_t len;
2624 258 : len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
2625 258 : os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2626 258 : inc_byte_array(group->Counter, WPA_NONCE_LEN);
2627 258 : if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
2628 258 : wpa_auth->addr, group->GNonce,
2629 258 : group->IGTK[group->GN_igtk - 4], len) < 0)
2630 0 : ret = -1;
2631 258 : wpa_hexdump_key(MSG_DEBUG, "IGTK",
2632 258 : group->IGTK[group->GN_igtk - 4], len);
2633 : }
2634 : #endif /* CONFIG_IEEE80211W */
2635 :
2636 1716 : return ret;
2637 : }
2638 :
2639 :
2640 985 : static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
2641 : struct wpa_group *group)
2642 : {
2643 985 : wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2644 : "GTK_INIT (VLAN-ID %d)", group->vlan_id);
2645 985 : group->changed = FALSE; /* GInit is not cleared here; avoid loop */
2646 985 : group->wpa_group_state = WPA_GROUP_GTK_INIT;
2647 :
2648 : /* GTK[0..N] = 0 */
2649 985 : os_memset(group->GTK, 0, sizeof(group->GTK));
2650 985 : group->GN = 1;
2651 985 : group->GM = 2;
2652 : #ifdef CONFIG_IEEE80211W
2653 985 : group->GN_igtk = 4;
2654 985 : group->GM_igtk = 5;
2655 : #endif /* CONFIG_IEEE80211W */
2656 : /* GTK[GN] = CalcGTK() */
2657 985 : wpa_gtk_update(wpa_auth, group);
2658 985 : }
2659 :
2660 :
2661 11 : static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
2662 : {
2663 11 : if (ctx != NULL && ctx != sm->group)
2664 0 : return 0;
2665 :
2666 11 : if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
2667 1 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2668 : "Not in PTKINITDONE; skip Group Key update");
2669 1 : sm->GUpdateStationKeys = FALSE;
2670 1 : return 0;
2671 : }
2672 10 : if (sm->GUpdateStationKeys) {
2673 : /*
2674 : * This should not really happen, so add a debug log entry.
2675 : * Since we clear the GKeyDoneStations before the loop, the
2676 : * station needs to be counted here anyway.
2677 : */
2678 0 : wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2679 : "GUpdateStationKeys was already set when "
2680 : "marking station for GTK rekeying");
2681 : }
2682 :
2683 : /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
2684 10 : if (sm->is_wnmsleep)
2685 0 : return 0;
2686 :
2687 10 : sm->group->GKeyDoneStations++;
2688 10 : sm->GUpdateStationKeys = TRUE;
2689 :
2690 10 : wpa_sm_step(sm);
2691 10 : return 0;
2692 : }
2693 :
2694 :
2695 : #ifdef CONFIG_WNM
2696 : /* update GTK when exiting WNM-Sleep Mode */
2697 4 : void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
2698 : {
2699 4 : if (sm == NULL || sm->is_wnmsleep)
2700 7 : return;
2701 :
2702 1 : wpa_group_update_sta(sm, NULL);
2703 : }
2704 :
2705 :
2706 10 : void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
2707 : {
2708 10 : if (sm)
2709 4 : sm->is_wnmsleep = !!flag;
2710 10 : }
2711 :
2712 :
2713 1 : int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2714 : {
2715 1 : struct wpa_group *gsm = sm->group;
2716 1 : u8 *start = pos;
2717 :
2718 : /*
2719 : * GTK subelement:
2720 : * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
2721 : * Key[5..32]
2722 : */
2723 1 : *pos++ = WNM_SLEEP_SUBELEM_GTK;
2724 1 : *pos++ = 11 + gsm->GTK_len;
2725 : /* Key ID in B0-B1 of Key Info */
2726 1 : WPA_PUT_LE16(pos, gsm->GN & 0x03);
2727 1 : pos += 2;
2728 1 : *pos++ = gsm->GTK_len;
2729 1 : if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
2730 0 : return 0;
2731 1 : pos += 8;
2732 1 : os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2733 1 : pos += gsm->GTK_len;
2734 :
2735 1 : wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
2736 : gsm->GN);
2737 2 : wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
2738 2 : gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2739 :
2740 1 : return pos - start;
2741 : }
2742 :
2743 :
2744 : #ifdef CONFIG_IEEE80211W
2745 1 : int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2746 : {
2747 1 : struct wpa_group *gsm = sm->group;
2748 1 : u8 *start = pos;
2749 1 : size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2750 :
2751 : /*
2752 : * IGTK subelement:
2753 : * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
2754 : */
2755 1 : *pos++ = WNM_SLEEP_SUBELEM_IGTK;
2756 1 : *pos++ = 2 + 6 + len;
2757 1 : WPA_PUT_LE16(pos, gsm->GN_igtk);
2758 1 : pos += 2;
2759 1 : if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
2760 0 : return 0;
2761 1 : pos += 6;
2762 :
2763 1 : os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
2764 1 : pos += len;
2765 :
2766 1 : wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
2767 : gsm->GN_igtk);
2768 1 : wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
2769 1 : gsm->IGTK[gsm->GN_igtk - 4], len);
2770 :
2771 1 : return pos - start;
2772 : }
2773 : #endif /* CONFIG_IEEE80211W */
2774 : #endif /* CONFIG_WNM */
2775 :
2776 :
2777 10 : static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
2778 : struct wpa_group *group)
2779 : {
2780 : int tmp;
2781 :
2782 10 : wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2783 : "SETKEYS (VLAN-ID %d)", group->vlan_id);
2784 10 : group->changed = TRUE;
2785 10 : group->wpa_group_state = WPA_GROUP_SETKEYS;
2786 10 : group->GTKReKey = FALSE;
2787 10 : tmp = group->GM;
2788 10 : group->GM = group->GN;
2789 10 : group->GN = tmp;
2790 : #ifdef CONFIG_IEEE80211W
2791 10 : tmp = group->GM_igtk;
2792 10 : group->GM_igtk = group->GN_igtk;
2793 10 : group->GN_igtk = tmp;
2794 : #endif /* CONFIG_IEEE80211W */
2795 : /* "GKeyDoneStations = GNoStations" is done in more robust way by
2796 : * counting the STAs that are marked with GUpdateStationKeys instead of
2797 : * including all STAs that could be in not-yet-completed state. */
2798 10 : wpa_gtk_update(wpa_auth, group);
2799 :
2800 10 : if (group->GKeyDoneStations) {
2801 0 : wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
2802 : "GKeyDoneStations=%d when starting new GTK rekey",
2803 : group->GKeyDoneStations);
2804 0 : group->GKeyDoneStations = 0;
2805 : }
2806 10 : wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
2807 10 : wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
2808 : group->GKeyDoneStations);
2809 10 : }
2810 :
2811 :
2812 1716 : static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
2813 : struct wpa_group *group)
2814 : {
2815 1716 : int ret = 0;
2816 :
2817 5148 : if (wpa_auth_set_key(wpa_auth, group->vlan_id,
2818 1716 : wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
2819 : broadcast_ether_addr, group->GN,
2820 3432 : group->GTK[group->GN - 1], group->GTK_len) < 0)
2821 0 : ret = -1;
2822 :
2823 : #ifdef CONFIG_IEEE80211W
2824 1716 : if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2825 : enum wpa_alg alg;
2826 : size_t len;
2827 :
2828 258 : alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
2829 258 : len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
2830 :
2831 516 : if (ret == 0 &&
2832 258 : wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
2833 : broadcast_ether_addr, group->GN_igtk,
2834 258 : group->IGTK[group->GN_igtk - 4], len) < 0)
2835 0 : ret = -1;
2836 : }
2837 : #endif /* CONFIG_IEEE80211W */
2838 :
2839 1716 : return ret;
2840 : }
2841 :
2842 :
2843 0 : static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
2844 : {
2845 0 : if (sm->group == ctx) {
2846 0 : wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
2847 : " for discconnection due to fatal failure",
2848 0 : MAC2STR(sm->addr));
2849 0 : sm->Disconnect = TRUE;
2850 : }
2851 :
2852 0 : return 0;
2853 : }
2854 :
2855 :
2856 0 : static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
2857 : struct wpa_group *group)
2858 : {
2859 0 : wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
2860 0 : group->changed = TRUE;
2861 0 : group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
2862 0 : wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
2863 0 : }
2864 :
2865 :
2866 994 : static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
2867 : struct wpa_group *group)
2868 : {
2869 994 : wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2870 : "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
2871 994 : group->changed = TRUE;
2872 994 : group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
2873 :
2874 994 : if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
2875 0 : wpa_group_fatal_failure(wpa_auth, group);
2876 0 : return -1;
2877 : }
2878 :
2879 994 : return 0;
2880 : }
2881 :
2882 :
2883 39482 : static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
2884 : struct wpa_group *group)
2885 : {
2886 39482 : if (group->GInit) {
2887 985 : wpa_group_gtk_init(wpa_auth, group);
2888 38497 : } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
2889 : /* Do not allow group operations */
2890 39482 : } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
2891 985 : group->GTKAuthenticator) {
2892 985 : wpa_group_setkeysdone(wpa_auth, group);
2893 74997 : } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
2894 37485 : group->GTKReKey) {
2895 10 : wpa_group_setkeys(wpa_auth, group);
2896 37502 : } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
2897 27 : if (group->GKeyDoneStations == 0)
2898 9 : wpa_group_setkeysdone(wpa_auth, group);
2899 18 : else if (group->GTKReKey)
2900 0 : wpa_group_setkeys(wpa_auth, group);
2901 : }
2902 39482 : }
2903 :
2904 :
2905 22777 : static int wpa_sm_step(struct wpa_state_machine *sm)
2906 : {
2907 22777 : if (sm == NULL)
2908 0 : return 0;
2909 :
2910 22777 : if (sm->in_step_loop) {
2911 : /* This should not happen, but if it does, make sure we do not
2912 : * end up freeing the state machine too early by exiting the
2913 : * recursive call. */
2914 19 : wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
2915 19 : return 0;
2916 : }
2917 :
2918 22758 : sm->in_step_loop = 1;
2919 : do {
2920 37500 : if (sm->pending_deinit)
2921 0 : break;
2922 :
2923 37500 : sm->changed = FALSE;
2924 37500 : sm->wpa_auth->group->changed = FALSE;
2925 :
2926 37500 : SM_STEP_RUN(WPA_PTK);
2927 37500 : if (sm->pending_deinit)
2928 0 : break;
2929 37500 : SM_STEP_RUN(WPA_PTK_GROUP);
2930 37500 : if (sm->pending_deinit)
2931 0 : break;
2932 37500 : wpa_group_sm_step(sm->wpa_auth, sm->group);
2933 37500 : } while (sm->changed || sm->wpa_auth->group->changed);
2934 22758 : sm->in_step_loop = 0;
2935 :
2936 22758 : if (sm->pending_deinit) {
2937 0 : wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
2938 0 : "machine deinit for " MACSTR, MAC2STR(sm->addr));
2939 0 : wpa_free_sta_sm(sm);
2940 0 : return 1;
2941 : }
2942 22758 : return 0;
2943 : }
2944 :
2945 :
2946 13250 : static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
2947 : {
2948 13250 : struct wpa_state_machine *sm = eloop_ctx;
2949 13250 : wpa_sm_step(sm);
2950 13250 : }
2951 :
2952 :
2953 16002 : void wpa_auth_sm_notify(struct wpa_state_machine *sm)
2954 : {
2955 16002 : if (sm == NULL)
2956 18682 : return;
2957 13322 : eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
2958 : }
2959 :
2960 :
2961 3 : void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
2962 : {
2963 : int tmp, i;
2964 : struct wpa_group *group;
2965 :
2966 3 : if (wpa_auth == NULL)
2967 3 : return;
2968 :
2969 3 : group = wpa_auth->group;
2970 :
2971 9 : for (i = 0; i < 2; i++) {
2972 6 : tmp = group->GM;
2973 6 : group->GM = group->GN;
2974 6 : group->GN = tmp;
2975 : #ifdef CONFIG_IEEE80211W
2976 6 : tmp = group->GM_igtk;
2977 6 : group->GM_igtk = group->GN_igtk;
2978 6 : group->GN_igtk = tmp;
2979 : #endif /* CONFIG_IEEE80211W */
2980 6 : wpa_gtk_update(wpa_auth, group);
2981 6 : wpa_group_config_group_keys(wpa_auth, group);
2982 : }
2983 : }
2984 :
2985 :
2986 24 : static const char * wpa_bool_txt(int bool)
2987 : {
2988 24 : return bool ? "TRUE" : "FALSE";
2989 : }
2990 :
2991 :
2992 : #define RSN_SUITE "%02x-%02x-%02x-%d"
2993 : #define RSN_SUITE_ARG(s) \
2994 : ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2995 :
2996 8 : int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
2997 : {
2998 8 : int len = 0, ret;
2999 : char pmkid_txt[PMKID_LEN * 2 + 1];
3000 : #ifdef CONFIG_RSN_PREAUTH
3001 8 : const int preauth = 1;
3002 : #else /* CONFIG_RSN_PREAUTH */
3003 0 : const int preauth = 0;
3004 : #endif /* CONFIG_RSN_PREAUTH */
3005 :
3006 8 : if (wpa_auth == NULL)
3007 0 : return len;
3008 :
3009 16 : ret = os_snprintf(buf + len, buflen - len,
3010 : "dot11RSNAOptionImplemented=TRUE\n"
3011 : "dot11RSNAPreauthenticationImplemented=%s\n"
3012 : "dot11RSNAEnabled=%s\n"
3013 : "dot11RSNAPreauthenticationEnabled=%s\n",
3014 : wpa_bool_txt(preauth),
3015 8 : wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3016 : wpa_bool_txt(wpa_auth->conf.rsn_preauth));
3017 8 : if (os_snprintf_error(buflen - len, ret))
3018 0 : return len;
3019 8 : len += ret;
3020 :
3021 8 : wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3022 8 : wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3023 :
3024 216 : ret = os_snprintf(
3025 : buf + len, buflen - len,
3026 : "dot11RSNAConfigVersion=%u\n"
3027 : "dot11RSNAConfigPairwiseKeysSupported=9999\n"
3028 : /* FIX: dot11RSNAConfigGroupCipher */
3029 : /* FIX: dot11RSNAConfigGroupRekeyMethod */
3030 : /* FIX: dot11RSNAConfigGroupRekeyTime */
3031 : /* FIX: dot11RSNAConfigGroupRekeyPackets */
3032 : "dot11RSNAConfigGroupRekeyStrict=%u\n"
3033 : "dot11RSNAConfigGroupUpdateCount=%u\n"
3034 : "dot11RSNAConfigPairwiseUpdateCount=%u\n"
3035 : "dot11RSNAConfigGroupCipherSize=%u\n"
3036 : "dot11RSNAConfigPMKLifetime=%u\n"
3037 : "dot11RSNAConfigPMKReauthThreshold=%u\n"
3038 : "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3039 : "dot11RSNAConfigSATimeout=%u\n"
3040 : "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3041 : "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3042 : "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3043 : "dot11RSNAPMKIDUsed=%s\n"
3044 : "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3045 : "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3046 : "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3047 : "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3048 : "dot11RSNA4WayHandshakeFailures=%u\n"
3049 : "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3050 : RSN_VERSION,
3051 8 : !!wpa_auth->conf.wpa_strict_rekey,
3052 : dot11RSNAConfigGroupUpdateCount,
3053 : dot11RSNAConfigPairwiseUpdateCount,
3054 8 : wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
3055 : dot11RSNAConfigPMKLifetime,
3056 : dot11RSNAConfigPMKReauthThreshold,
3057 : dot11RSNAConfigSATimeout,
3058 32 : RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3059 32 : RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3060 32 : RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3061 : pmkid_txt,
3062 32 : RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3063 32 : RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3064 32 : RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3065 : wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3066 : wpa_auth->dot11RSNA4WayHandshakeFailures);
3067 8 : if (os_snprintf_error(buflen - len, ret))
3068 0 : return len;
3069 8 : len += ret;
3070 :
3071 : /* TODO: dot11RSNAConfigPairwiseCiphersTable */
3072 : /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3073 :
3074 : /* Private MIB */
3075 8 : ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3076 8 : wpa_auth->group->wpa_group_state);
3077 8 : if (os_snprintf_error(buflen - len, ret))
3078 0 : return len;
3079 8 : len += ret;
3080 :
3081 8 : return len;
3082 : }
3083 :
3084 :
3085 81 : int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3086 : {
3087 81 : int len = 0, ret;
3088 81 : u32 pairwise = 0;
3089 :
3090 81 : if (sm == NULL)
3091 58 : return 0;
3092 :
3093 : /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3094 :
3095 : /* dot11RSNAStatsEntry */
3096 :
3097 23 : pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3098 : WPA_PROTO_RSN : WPA_PROTO_WPA,
3099 : sm->pairwise);
3100 23 : if (pairwise == 0)
3101 0 : return 0;
3102 :
3103 207 : ret = os_snprintf(
3104 : buf + len, buflen - len,
3105 : /* TODO: dot11RSNAStatsIndex */
3106 : "dot11RSNAStatsSTAAddress=" MACSTR "\n"
3107 : "dot11RSNAStatsVersion=1\n"
3108 : "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3109 : /* TODO: dot11RSNAStatsTKIPICVErrors */
3110 : "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
3111 : "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
3112 : /* TODO: dot11RSNAStatsCCMPReplays */
3113 : /* TODO: dot11RSNAStatsCCMPDecryptErrors */
3114 : /* TODO: dot11RSNAStatsTKIPReplays */,
3115 138 : MAC2STR(sm->addr),
3116 46 : RSN_SUITE_ARG(pairwise),
3117 : sm->dot11RSNAStatsTKIPLocalMICFailures,
3118 : sm->dot11RSNAStatsTKIPRemoteMICFailures);
3119 23 : if (os_snprintf_error(buflen - len, ret))
3120 0 : return len;
3121 23 : len += ret;
3122 :
3123 : /* Private MIB */
3124 23 : ret = os_snprintf(buf + len, buflen - len,
3125 : "hostapdWPAPTKState=%d\n"
3126 : "hostapdWPAPTKGroupState=%d\n",
3127 23 : sm->wpa_ptk_state,
3128 23 : sm->wpa_ptk_group_state);
3129 23 : if (os_snprintf_error(buflen - len, ret))
3130 0 : return len;
3131 23 : len += ret;
3132 :
3133 23 : return len;
3134 : }
3135 :
3136 :
3137 3 : void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3138 : {
3139 3 : if (wpa_auth)
3140 3 : wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3141 3 : }
3142 :
3143 :
3144 6760 : int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3145 : {
3146 6760 : return sm && sm->pairwise_set;
3147 : }
3148 :
3149 :
3150 5647 : int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3151 : {
3152 5647 : return sm->pairwise;
3153 : }
3154 :
3155 :
3156 10657 : int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3157 : {
3158 10657 : if (sm == NULL)
3159 2022 : return -1;
3160 8635 : return sm->wpa_key_mgmt;
3161 : }
3162 :
3163 :
3164 3750 : int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3165 : {
3166 3750 : if (sm == NULL)
3167 0 : return 0;
3168 3750 : return sm->wpa;
3169 : }
3170 :
3171 :
3172 1 : int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3173 : struct rsn_pmksa_cache_entry *entry)
3174 : {
3175 1 : if (sm == NULL || sm->pmksa != entry)
3176 0 : return -1;
3177 1 : sm->pmksa = NULL;
3178 1 : return 0;
3179 : }
3180 :
3181 :
3182 : struct rsn_pmksa_cache_entry *
3183 2365 : wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3184 : {
3185 2365 : return sm ? sm->pmksa : NULL;
3186 : }
3187 :
3188 :
3189 2 : void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3190 : {
3191 2 : if (sm)
3192 2 : sm->dot11RSNAStatsTKIPLocalMICFailures++;
3193 2 : }
3194 :
3195 :
3196 6300 : const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3197 : {
3198 6300 : if (wpa_auth == NULL)
3199 1279 : return NULL;
3200 5021 : *len = wpa_auth->wpa_ie_len;
3201 5021 : return wpa_auth->wpa_ie;
3202 : }
3203 :
3204 :
3205 630 : int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
3206 : int session_timeout, struct eapol_state_machine *eapol)
3207 : {
3208 1249 : if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3209 619 : sm->wpa_auth->conf.disable_pmksa_caching)
3210 52 : return -1;
3211 :
3212 1734 : if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
3213 578 : sm->PTK.kck, sm->PTK.kck_len,
3214 578 : sm->wpa_auth->addr, sm->addr, session_timeout,
3215 : eapol, sm->wpa_key_mgmt))
3216 577 : return 0;
3217 :
3218 1 : return -1;
3219 : }
3220 :
3221 :
3222 2 : int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
3223 : const u8 *pmk, size_t len, const u8 *sta_addr,
3224 : int session_timeout,
3225 : struct eapol_state_machine *eapol)
3226 : {
3227 2 : if (wpa_auth == NULL)
3228 0 : return -1;
3229 :
3230 2 : if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len,
3231 : NULL, 0,
3232 2 : wpa_auth->addr,
3233 : sta_addr, session_timeout, eapol,
3234 : WPA_KEY_MGMT_IEEE8021X))
3235 2 : return 0;
3236 :
3237 0 : return -1;
3238 : }
3239 :
3240 :
3241 35 : int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
3242 : const u8 *pmk)
3243 : {
3244 35 : if (wpa_auth->conf.disable_pmksa_caching)
3245 2 : return -1;
3246 :
3247 33 : if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN,
3248 : NULL, 0,
3249 33 : wpa_auth->addr, addr, 0, NULL,
3250 : WPA_KEY_MGMT_SAE))
3251 33 : return 0;
3252 :
3253 0 : return -1;
3254 : }
3255 :
3256 :
3257 10 : void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
3258 : const u8 *sta_addr)
3259 : {
3260 : struct rsn_pmksa_cache_entry *pmksa;
3261 :
3262 10 : if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
3263 12 : return;
3264 8 : pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
3265 8 : if (pmksa) {
3266 42 : wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
3267 42 : MACSTR " based on request", MAC2STR(sta_addr));
3268 7 : pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
3269 : }
3270 : }
3271 :
3272 :
3273 : static struct wpa_group *
3274 8 : wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3275 : {
3276 : struct wpa_group *group;
3277 :
3278 8 : if (wpa_auth == NULL || wpa_auth->group == NULL)
3279 0 : return NULL;
3280 :
3281 8 : wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
3282 : vlan_id);
3283 8 : group = wpa_group_init(wpa_auth, vlan_id, 0);
3284 8 : if (group == NULL)
3285 0 : return NULL;
3286 :
3287 8 : group->next = wpa_auth->group->next;
3288 8 : wpa_auth->group->next = group;
3289 :
3290 8 : return group;
3291 : }
3292 :
3293 :
3294 14 : int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
3295 : {
3296 : struct wpa_group *group;
3297 :
3298 14 : if (sm == NULL || sm->wpa_auth == NULL)
3299 6 : return 0;
3300 :
3301 8 : group = sm->wpa_auth->group;
3302 29 : while (group) {
3303 13 : if (group->vlan_id == vlan_id)
3304 0 : break;
3305 13 : group = group->next;
3306 : }
3307 :
3308 8 : if (group == NULL) {
3309 8 : group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
3310 8 : if (group == NULL)
3311 0 : return -1;
3312 : }
3313 :
3314 8 : if (sm->group == group)
3315 0 : return 0;
3316 :
3317 8 : if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
3318 0 : return -1;
3319 :
3320 48 : wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
3321 48 : "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
3322 :
3323 8 : sm->group = group;
3324 8 : return 0;
3325 : }
3326 :
3327 :
3328 2280 : void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
3329 : struct wpa_state_machine *sm, int ack)
3330 : {
3331 2280 : if (wpa_auth == NULL || sm == NULL)
3332 2280 : return;
3333 13680 : wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
3334 13680 : " ack=%d", MAC2STR(sm->addr), ack);
3335 2280 : if (sm->pending_1_of_4_timeout && ack) {
3336 : /*
3337 : * Some deployed supplicant implementations update their SNonce
3338 : * for each EAPOL-Key 2/4 message even within the same 4-way
3339 : * handshake and then fail to use the first SNonce when
3340 : * deriving the PTK. This results in unsuccessful 4-way
3341 : * handshake whenever the relatively short initial timeout is
3342 : * reached and EAPOL-Key 1/4 is retransmitted. Try to work
3343 : * around this by increasing the timeout now that we know that
3344 : * the station has received the frame.
3345 : */
3346 1112 : int timeout_ms = eapol_key_timeout_subseq;
3347 1112 : wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
3348 : "timeout by %u ms because of acknowledged frame",
3349 : timeout_ms);
3350 1112 : eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
3351 1112 : eloop_register_timeout(timeout_ms / 1000,
3352 1112 : (timeout_ms % 1000) * 1000,
3353 : wpa_send_eapol_timeout, wpa_auth, sm);
3354 : }
3355 : }
3356 :
3357 :
3358 3834 : int wpa_auth_uses_sae(struct wpa_state_machine *sm)
3359 : {
3360 3834 : if (sm == NULL)
3361 0 : return 0;
3362 3834 : return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
3363 : }
3364 :
3365 :
3366 4 : int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
3367 : {
3368 4 : if (sm == NULL)
3369 0 : return 0;
3370 4 : return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
3371 : }
3372 :
3373 :
3374 : #ifdef CONFIG_P2P
3375 215 : int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
3376 : {
3377 215 : if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
3378 143 : return -1;
3379 72 : os_memcpy(addr, sm->ip_addr, 4);
3380 72 : return 0;
3381 : }
3382 : #endif /* CONFIG_P2P */
3383 :
3384 :
3385 13 : int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
3386 : struct radius_das_attrs *attr)
3387 : {
3388 13 : return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
3389 : }
3390 :
3391 :
3392 3 : void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
3393 : {
3394 : struct wpa_group *group;
3395 :
3396 3 : if (!wpa_auth)
3397 5 : return;
3398 2 : for (group = wpa_auth->group; group; group = group->next)
3399 1 : wpa_group_config_group_keys(wpa_auth, group);
3400 : }
|
