2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4 * Copyright(c) 2015 Intel Deutschland GmbH
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
13 #include "crypto/aes.h"
14 #include "crypto/aes_wrap.h"
15 #include "crypto/crypto.h"
16 #include "crypto/random.h"
17 #include "crypto/aes_siv.h"
18 #include "crypto/sha256.h"
19 #include "crypto/sha384.h"
20 #include "crypto/sha512.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/ieee802_11_common.h"
23 #include "eap_common/eap_defs.h"
24 #include "eapol_supp/eapol_supp_sm.h"
28 #include "pmksa_cache.h"
33 static const u8 null_rsc[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };
37 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
38 * @sm: Pointer to WPA state machine data from wpa_sm_init()
39 * @ptk: PTK for Key Confirmation/Encryption Key
40 * @ver: Version field from Key Info
41 * @dest: Destination address for the frame
42 * @proto: Ethertype (usually ETH_P_EAPOL)
43 * @msg: EAPOL-Key message
44 * @msg_len: Length of message
45 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
46 * Returns: >= 0 on success, < 0 on failure
48 int wpa_eapol_key_send(struct wpa_sm *sm, struct wpa_ptk *ptk,
49 int ver, const u8 *dest, u16 proto,
50 u8 *msg, size_t msg_len, u8 *key_mic)
53 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
55 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
56 " ver=%d mic_len=%d key_mgmt=0x%x",
57 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
58 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
60 * Association event was not yet received; try to fetch
61 * BSSID from the driver.
63 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
64 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
65 "WPA: Failed to read BSSID for "
66 "EAPOL-Key destination address");
69 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
70 "WPA: Use BSSID (" MACSTR
71 ") as the destination for EAPOL-Key",
77 if (key_mic && (!ptk || !ptk->kck_len))
81 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
82 msg, msg_len, key_mic)) {
83 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
84 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
89 wpa_hexdump_key(MSG_DEBUG, "WPA: KCK",
90 ptk->kck, ptk->kck_len);
91 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
95 /* AEAD cipher - Key MIC field not used */
96 struct ieee802_1x_hdr *s_hdr, *hdr;
97 struct wpa_eapol_key *s_key, *key;
98 u8 *buf, *s_key_data, *key_data;
99 size_t buf_len = msg_len + AES_BLOCK_SIZE;
105 if (!ptk || !ptk->kek_len)
108 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
109 sizeof(struct wpa_eapol_key) - 2;
111 buf = os_malloc(buf_len);
115 os_memcpy(buf, msg, msg_len);
116 hdr = (struct ieee802_1x_hdr *) buf;
117 key = (struct wpa_eapol_key *) (hdr + 1);
118 key_data = ((u8 *) (key + 1)) + 2;
120 /* Update EAPOL header to include AES-SIV overhead */
121 eapol_len = be_to_host16(hdr->length);
122 eapol_len += AES_BLOCK_SIZE;
123 hdr->length = host_to_be16(eapol_len);
125 /* Update Key Data Length field to include AES-SIV overhead */
126 WPA_PUT_BE16((u8 *) (key + 1), AES_BLOCK_SIZE + key_data_len);
128 s_hdr = (struct ieee802_1x_hdr *) msg;
129 s_key = (struct wpa_eapol_key *) (s_hdr + 1);
130 s_key_data = ((u8 *) (s_key + 1)) + 2;
132 wpa_hexdump_key(MSG_DEBUG, "WPA: Plaintext Key Data",
133 s_key_data, key_data_len);
135 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
136 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
137 * to Key Data (exclusive). */
139 aad_len[0] = key_data - buf;
140 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
141 s_key_data, key_data_len,
142 1, aad, aad_len, key_data) < 0) {
147 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
148 key_data, AES_BLOCK_SIZE + key_data_len);
153 #else /* CONFIG_FILS */
155 #endif /* CONFIG_FILS */
158 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
159 ret = wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
160 eapol_sm_notify_tx_eapol_key(sm->eapol);
168 * wpa_sm_key_request - Send EAPOL-Key Request
169 * @sm: Pointer to WPA state machine data from wpa_sm_init()
170 * @error: Indicate whether this is an Michael MIC error report
171 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
173 * Send an EAPOL-Key Request to the current authenticator. This function is
174 * used to request rekeying and it is usually called when a local Michael MIC
175 * failure is detected.
177 void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
179 size_t mic_len, hdrlen, rlen;
180 struct wpa_eapol_key *reply;
182 u8 bssid[ETH_ALEN], *rbuf, *key_mic, *mic;
184 if (wpa_use_akm_defined(sm->key_mgmt))
185 ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
186 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
187 wpa_key_mgmt_sha256(sm->key_mgmt))
188 ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
189 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
190 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
192 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
194 if (wpa_sm_get_bssid(sm, bssid) < 0) {
195 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
196 "Failed to read BSSID for EAPOL-Key request");
200 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
201 hdrlen = sizeof(*reply) + mic_len + 2;
202 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
203 hdrlen, &rlen, (void *) &reply);
207 reply->type = (sm->proto == WPA_PROTO_RSN ||
208 sm->proto == WPA_PROTO_OSEN) ?
209 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
210 key_info = WPA_KEY_INFO_REQUEST | ver;
212 key_info |= WPA_KEY_INFO_SECURE;
213 if (sm->ptk_set && mic_len)
214 key_info |= WPA_KEY_INFO_MIC;
216 key_info |= WPA_KEY_INFO_ERROR;
218 key_info |= WPA_KEY_INFO_KEY_TYPE;
219 WPA_PUT_BE16(reply->key_info, key_info);
220 WPA_PUT_BE16(reply->key_length, 0);
221 os_memcpy(reply->replay_counter, sm->request_counter,
222 WPA_REPLAY_COUNTER_LEN);
223 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
225 mic = (u8 *) (reply + 1);
226 WPA_PUT_BE16(mic + mic_len, 0);
227 if (!(key_info & WPA_KEY_INFO_MIC))
232 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
233 "WPA: Sending EAPOL-Key Request (error=%d "
234 "pairwise=%d ptk_set=%d len=%lu)",
235 error, pairwise, sm->ptk_set, (unsigned long) rlen);
236 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
241 static void wpa_supplicant_key_mgmt_set_pmk(struct wpa_sm *sm)
243 #ifdef CONFIG_IEEE80211R
244 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
245 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
246 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
247 "RSN: Cannot set low order 256 bits of MSK for key management offload");
249 #endif /* CONFIG_IEEE80211R */
250 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
251 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
252 "RSN: Cannot set PMK for key management offload");
253 #ifdef CONFIG_IEEE80211R
255 #endif /* CONFIG_IEEE80211R */
259 static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
260 const unsigned char *src_addr,
263 int abort_cached = 0;
265 if (pmkid && !sm->cur_pmksa) {
266 /* When using drivers that generate RSN IE, wpa_supplicant may
267 * not have enough time to get the association information
268 * event before receiving this 1/4 message, so try to find a
269 * matching PMKSA cache entry here. */
270 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid,
273 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
274 "RSN: found matching PMKID from PMKSA cache");
276 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
277 "RSN: no matching PMKID found");
282 if (pmkid && sm->cur_pmksa &&
283 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
284 wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
285 wpa_sm_set_pmk_from_pmksa(sm);
286 wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
287 sm->pmk, sm->pmk_len);
288 eapol_sm_notify_cached(sm->eapol);
289 #ifdef CONFIG_IEEE80211R
292 if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE &&
293 sm->pmk_len == PMK_LEN) {
294 /* Need to allow FT key derivation to proceed with
295 * PMK from SAE being used as the XXKey in cases where
296 * the PMKID in msg 1/4 matches the PMKSA entry that was
297 * just added based on SAE authentication for the
298 * initial mobility domain association. */
299 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
300 sm->xxkey_len = sm->pmk_len;
302 #endif /* CONFIG_SAE */
303 #endif /* CONFIG_IEEE80211R */
304 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
307 if (wpa_key_mgmt_sha384(sm->key_mgmt))
308 pmk_len = PMK_LEN_SUITE_B_192;
311 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
313 if (pmk_len == PMK_LEN) {
315 * EAP-LEAP is an exception from other EAP
316 * methods: it uses only 16-byte PMK.
318 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
322 #ifdef CONFIG_IEEE80211R
324 if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0)
326 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
327 os_memcpy(sm->xxkey, buf,
329 sm->xxkey_len = SHA384_MAC_LEN;
331 os_memcpy(sm->xxkey, buf + PMK_LEN,
333 sm->xxkey_len = PMK_LEN;
335 os_memset(buf, 0, sizeof(buf));
337 #endif /* CONFIG_IEEE80211R */
340 struct rsn_pmksa_cache_entry *sa = NULL;
341 const u8 *fils_cache_id = NULL;
344 if (sm->fils_cache_id_set)
345 fils_cache_id = sm->fils_cache_id;
346 #endif /* CONFIG_FILS */
348 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
349 "machines", sm->pmk, pmk_len);
350 sm->pmk_len = pmk_len;
351 wpa_supplicant_key_mgmt_set_pmk(sm);
352 if (sm->proto == WPA_PROTO_RSN &&
353 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
354 !wpa_key_mgmt_ft(sm->key_mgmt)) {
355 sa = pmksa_cache_add(sm->pmksa,
356 sm->pmk, pmk_len, NULL,
358 src_addr, sm->own_addr,
363 if (!sm->cur_pmksa && pmkid &&
364 pmksa_cache_get(sm->pmksa, src_addr, pmkid, NULL,
366 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
367 "RSN: the new PMK matches with the "
370 } else if (sa && !sm->cur_pmksa && pmkid) {
372 * It looks like the authentication server
373 * derived mismatching MSK. This should not
374 * really happen, but bugs happen.. There is not
375 * much we can do here without knowing what
376 * exactly caused the server to misbehave.
378 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
379 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
386 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
387 "WPA: Failed to get master session key from "
388 "EAPOL state machines - key handshake "
391 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
392 "RSN: Cancelled PMKSA caching "
394 sm->cur_pmksa = NULL;
396 } else if (!abort_cached) {
402 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
403 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
404 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
406 /* Send EAPOL-Start to trigger full EAP authentication. */
410 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
411 "RSN: no PMKSA entry found - trigger "
412 "full EAP authentication");
413 buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
414 NULL, 0, &buflen, NULL);
416 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
430 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
431 * @sm: Pointer to WPA state machine data from wpa_sm_init()
432 * @dst: Destination address for the frame
433 * @key: Pointer to the EAPOL-Key frame header
434 * @ver: Version bits from EAPOL-Key Key Info
435 * @nonce: Nonce value for the EAPOL-Key frame
436 * @wpa_ie: WPA/RSN IE
437 * @wpa_ie_len: Length of the WPA/RSN IE
438 * @ptk: PTK to use for keyed hash and encryption
439 * Returns: >= 0 on success, < 0 on failure
441 int wpa_supplicant_send_2_of_4(struct wpa_sm *sm, const unsigned char *dst,
442 const struct wpa_eapol_key *key,
443 int ver, const u8 *nonce,
444 const u8 *wpa_ie, size_t wpa_ie_len,
447 size_t mic_len, hdrlen, rlen;
448 struct wpa_eapol_key *reply;
450 u8 *rsn_ie_buf = NULL;
453 if (wpa_ie == NULL) {
454 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
455 "cannot generate msg 2/4");
459 #ifdef CONFIG_IEEE80211R
460 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
464 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
465 * FTIE from (Re)Association Response.
467 rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
468 sm->assoc_resp_ies_len);
469 if (rsn_ie_buf == NULL)
471 os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
472 res = wpa_insert_pmkid(rsn_ie_buf, &wpa_ie_len,
479 if (sm->assoc_resp_ies) {
480 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
481 sm->assoc_resp_ies_len);
482 wpa_ie_len += sm->assoc_resp_ies_len;
487 #endif /* CONFIG_IEEE80211R */
489 wpa_hexdump(MSG_DEBUG, "WPA: WPA IE for msg 2/4", wpa_ie, wpa_ie_len);
491 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
492 hdrlen = sizeof(*reply) + mic_len + 2;
493 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
494 NULL, hdrlen + wpa_ie_len,
495 &rlen, (void *) &reply);
501 reply->type = (sm->proto == WPA_PROTO_RSN ||
502 sm->proto == WPA_PROTO_OSEN) ?
503 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
504 key_info = ver | WPA_KEY_INFO_KEY_TYPE;
506 key_info |= WPA_KEY_INFO_MIC;
508 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
509 WPA_PUT_BE16(reply->key_info, key_info);
510 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
511 WPA_PUT_BE16(reply->key_length, 0);
513 os_memcpy(reply->key_length, key->key_length, 2);
514 os_memcpy(reply->replay_counter, key->replay_counter,
515 WPA_REPLAY_COUNTER_LEN);
516 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
517 WPA_REPLAY_COUNTER_LEN);
519 key_mic = (u8 *) (reply + 1);
520 WPA_PUT_BE16(key_mic + mic_len, wpa_ie_len); /* Key Data Length */
521 os_memcpy(key_mic + mic_len + 2, wpa_ie, wpa_ie_len); /* Key Data */
524 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
526 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
527 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
532 static int wpa_derive_ptk(struct wpa_sm *sm, const unsigned char *src_addr,
533 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
535 #ifdef CONFIG_IEEE80211R
536 if (wpa_key_mgmt_ft(sm->key_mgmt))
537 return wpa_derive_ptk_ft(sm, src_addr, key, ptk);
538 #endif /* CONFIG_IEEE80211R */
540 return wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
541 sm->own_addr, sm->bssid, sm->snonce,
542 key->key_nonce, ptk, sm->key_mgmt,
543 sm->pairwise_cipher);
547 static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
548 const unsigned char *src_addr,
549 const struct wpa_eapol_key *key,
550 u16 ver, const u8 *key_data,
553 struct wpa_eapol_ie_parse ie;
556 u8 *kde, *kde_buf = NULL;
559 if (wpa_sm_get_network_ctx(sm) == NULL) {
560 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
561 "found (msg 1 of 4)");
565 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
566 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
567 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
569 os_memset(&ie, 0, sizeof(ie));
571 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
572 /* RSN: msg 1/4 should contain PMKID for the selected PMK */
573 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data",
574 key_data, key_data_len);
575 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
578 wpa_hexdump(MSG_DEBUG, "RSN: PMKID from "
579 "Authenticator", ie.pmkid, PMKID_LEN);
583 res = wpa_supplicant_get_pmk(sm, src_addr, ie.pmkid);
585 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
586 "msg 1/4 - requesting full EAP authentication");
592 if (sm->renew_snonce) {
593 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
594 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
595 "WPA: Failed to get random data for SNonce");
598 sm->renew_snonce = 0;
599 wpa_hexdump(MSG_DEBUG, "WPA: Renewed SNonce",
600 sm->snonce, WPA_NONCE_LEN);
603 /* Calculate PTK which will be stored as a temporary PTK until it has
604 * been verified when processing message 3/4. */
606 if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
608 if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
610 /* Supplicant: swap tx/rx Mic keys */
611 os_memcpy(buf, &ptk->tk[16], 8);
612 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
613 os_memcpy(&ptk->tk[24], buf, 8);
614 os_memset(buf, 0, sizeof(buf));
618 kde = sm->assoc_wpa_ie;
619 kde_len = sm->assoc_wpa_ie_len;
623 kde_buf = os_malloc(kde_len + 2 + RSN_SELECTOR_LEN + 1);
626 wpa_printf(MSG_DEBUG, "P2P: Add IP Address Request KDE "
627 "into EAPOL-Key 2/4");
628 os_memcpy(kde_buf, kde, kde_len);
631 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
632 *pos++ = RSN_SELECTOR_LEN + 1;
633 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
634 pos += RSN_SELECTOR_LEN;
639 #endif /* CONFIG_P2P */
641 if (wpa_supplicant_send_2_of_4(sm, sm->bssid, key, ver, sm->snonce,
642 kde, kde_len, ptk) < 0)
646 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
651 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
655 static void wpa_sm_start_preauth(void *eloop_ctx, void *timeout_ctx)
657 struct wpa_sm *sm = eloop_ctx;
658 rsn_preauth_candidate_process(sm);
662 static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
663 const u8 *addr, int secure)
665 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
666 "WPA: Key negotiation completed with "
667 MACSTR " [PTK=%s GTK=%s]", MAC2STR(addr),
668 wpa_cipher_txt(sm->pairwise_cipher),
669 wpa_cipher_txt(sm->group_cipher));
670 wpa_sm_cancel_auth_timeout(sm);
671 wpa_sm_set_state(sm, WPA_COMPLETED);
674 wpa_sm_mlme_setprotection(
675 sm, addr, MLME_SETPROTECTION_PROTECT_TYPE_RX_TX,
676 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
677 eapol_sm_notify_portValid(sm->eapol, TRUE);
678 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
679 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
680 sm->key_mgmt == WPA_KEY_MGMT_OWE)
681 eapol_sm_notify_eap_success(sm->eapol, TRUE);
683 * Start preauthentication after a short wait to avoid a
684 * possible race condition between the data receive and key
685 * configuration after the 4-Way Handshake. This increases the
686 * likelihood of the first preauth EAPOL-Start frame getting to
689 eloop_register_timeout(1, 0, wpa_sm_start_preauth, sm, NULL);
692 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
693 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
694 "RSN: Authenticator accepted "
695 "opportunistic PMKSA entry - marking it valid");
696 sm->cur_pmksa->opportunistic = 0;
699 #ifdef CONFIG_IEEE80211R
700 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
701 /* Prepare for the next transition */
702 wpa_ft_prepare_auth_request(sm, NULL);
704 #endif /* CONFIG_IEEE80211R */
708 static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
710 struct wpa_sm *sm = eloop_ctx;
711 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
712 wpa_sm_key_request(sm, 0, 1);
716 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
717 const struct wpa_eapol_key *key)
723 if (sm->ptk.installed) {
724 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
725 "WPA: Do not re-install same PTK to the driver");
729 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
730 "WPA: Installing PTK to the driver");
732 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
733 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
734 "Suite: NONE - do not use pairwise keys");
738 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
739 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
740 "WPA: Unsupported pairwise cipher %d",
741 sm->pairwise_cipher);
745 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
746 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
747 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
748 wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
749 keylen, (long unsigned int) sm->ptk.tk_len);
752 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
754 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
757 key_rsc = key->key_rsc;
758 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, rsclen);
761 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, key_rsc, rsclen,
762 sm->ptk.tk, keylen) < 0) {
763 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
764 "WPA: Failed to set PTK to the "
765 "driver (alg=%d keylen=%d bssid=" MACSTR ")",
766 alg, keylen, MAC2STR(sm->bssid));
770 /* TK is not needed anymore in supplicant */
771 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
773 sm->ptk.installed = 1;
775 if (sm->wpa_ptk_rekey) {
776 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
777 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
785 static int wpa_supplicant_check_group_cipher(struct wpa_sm *sm,
787 int keylen, int maxkeylen,
793 *alg = wpa_cipher_to_alg(group_cipher);
794 if (*alg == WPA_ALG_NONE) {
795 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
796 "WPA: Unsupported Group Cipher %d",
800 *key_rsc_len = wpa_cipher_rsc_len(group_cipher);
802 klen = wpa_cipher_key_len(group_cipher);
803 if (keylen != klen || maxkeylen < klen) {
804 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
805 "WPA: Unsupported %s Group Cipher key length %d (%d)",
806 wpa_cipher_txt(group_cipher), keylen, maxkeylen);
813 struct wpa_gtk_data {
815 int tx, key_rsc_len, keyidx;
821 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
822 const struct wpa_gtk_data *gd,
823 const u8 *key_rsc, int wnm_sleep)
825 const u8 *_gtk = gd->gtk;
828 /* Detect possible key reinstallation */
829 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
830 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
831 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
832 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
833 sm->gtk_wnm_sleep.gtk_len) == 0)) {
834 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
835 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
836 gd->keyidx, gd->tx, gd->gtk_len);
840 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
841 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
842 "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
843 gd->keyidx, gd->tx, gd->gtk_len);
844 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
845 if (sm->group_cipher == WPA_CIPHER_TKIP) {
846 /* Swap Tx/Rx keys for Michael MIC */
847 os_memcpy(gtk_buf, gd->gtk, 16);
848 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
849 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
852 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
853 if (wpa_sm_set_key(sm, gd->alg, NULL,
854 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
855 _gtk, gd->gtk_len) < 0) {
856 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
857 "WPA: Failed to set GTK to the driver "
859 os_memset(gtk_buf, 0, sizeof(gtk_buf));
862 } else if (wpa_sm_set_key(sm, gd->alg, broadcast_ether_addr,
863 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
864 _gtk, gd->gtk_len) < 0) {
865 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
866 "WPA: Failed to set GTK to "
867 "the driver (alg=%d keylen=%d keyidx=%d)",
868 gd->alg, gd->gtk_len, gd->keyidx);
869 os_memset(gtk_buf, 0, sizeof(gtk_buf));
872 os_memset(gtk_buf, 0, sizeof(gtk_buf));
875 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
876 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
877 sm->gtk_wnm_sleep.gtk_len);
879 sm->gtk.gtk_len = gd->gtk_len;
880 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
887 static int wpa_supplicant_gtk_tx_bit_workaround(const struct wpa_sm *sm,
890 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
891 /* Ignore Tx bit for GTK if a pairwise key is used. One AP
892 * seemed to set this bit (incorrectly, since Tx is only when
893 * doing Group Key only APs) and without this workaround, the
894 * data connection does not work because wpa_supplicant
895 * configured non-zero keyidx to be used for unicast. */
896 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
897 "WPA: Tx bit set for GTK, but pairwise "
898 "keys are used - ignore Tx bit");
905 static int wpa_supplicant_rsc_relaxation(const struct wpa_sm *sm,
910 if (!sm->wpa_rsc_relaxation)
913 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
916 * Try to detect RSC (endian) corruption issue where the AP sends
917 * the RSC bytes in EAPOL-Key message in the wrong order, both if
918 * it's actually a 6-byte field (as it should be) and if it treats
919 * it as an 8-byte field.
920 * An AP model known to have this bug is the Sapido RB-1632.
922 if (rsclen == 6 && ((rsc[5] && !rsc[0]) || rsc[6] || rsc[7])) {
923 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
924 "RSC %02x%02x%02x%02x%02x%02x%02x%02x is likely bogus, using 0",
925 rsc[0], rsc[1], rsc[2], rsc[3],
926 rsc[4], rsc[5], rsc[6], rsc[7]);
935 static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
936 const struct wpa_eapol_key *key,
937 const u8 *gtk, size_t gtk_len,
940 struct wpa_gtk_data gd;
944 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
946 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
947 * Reserved [bits 0-7]
951 os_memset(&gd, 0, sizeof(gd));
952 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in pairwise handshake",
955 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
958 gd.keyidx = gtk[0] & 0x3;
959 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
960 !!(gtk[0] & BIT(2)));
964 os_memcpy(gd.gtk, gtk, gtk_len);
965 gd.gtk_len = gtk_len;
967 key_rsc = key->key_rsc;
968 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
971 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
972 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
974 &gd.key_rsc_len, &gd.alg) ||
975 wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
976 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
977 "RSN: Failed to install GTK");
978 os_memset(&gd, 0, sizeof(gd));
981 os_memset(&gd, 0, sizeof(gd));
983 wpa_supplicant_key_neg_complete(sm, sm->bssid,
984 key_info & WPA_KEY_INFO_SECURE);
989 #ifdef CONFIG_IEEE80211W
990 static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
991 const struct wpa_igtk_kde *igtk,
994 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
995 u16 keyidx = WPA_GET_LE16(igtk->keyid);
997 /* Detect possible key reinstallation */
998 if ((sm->igtk.igtk_len == len &&
999 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1000 (sm->igtk_wnm_sleep.igtk_len == len &&
1001 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1002 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1003 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1004 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1009 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1010 "WPA: IGTK keyid %d pn " COMPACT_MACSTR,
1011 keyidx, MAC2STR(igtk->pn));
1012 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1013 if (keyidx > 4095) {
1014 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1015 "WPA: Invalid IGTK KeyID %d", keyidx);
1018 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1019 broadcast_ether_addr,
1020 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1021 igtk->igtk, len) < 0) {
1022 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1023 "WPA: Failed to configure IGTK to the driver");
1028 sm->igtk_wnm_sleep.igtk_len = len;
1029 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1030 sm->igtk_wnm_sleep.igtk_len);
1032 sm->igtk.igtk_len = len;
1033 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1038 #endif /* CONFIG_IEEE80211W */
1041 static int ieee80211w_set_keys(struct wpa_sm *sm,
1042 struct wpa_eapol_ie_parse *ie)
1044 #ifdef CONFIG_IEEE80211W
1045 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher))
1050 const struct wpa_igtk_kde *igtk;
1052 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1053 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1056 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1057 if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
1062 #else /* CONFIG_IEEE80211W */
1064 #endif /* CONFIG_IEEE80211W */
1068 static void wpa_report_ie_mismatch(struct wpa_sm *sm,
1069 const char *reason, const u8 *src_addr,
1070 const u8 *wpa_ie, size_t wpa_ie_len,
1071 const u8 *rsn_ie, size_t rsn_ie_len)
1073 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1074 reason, MAC2STR(src_addr));
1076 if (sm->ap_wpa_ie) {
1077 wpa_hexdump(MSG_INFO, "WPA: WPA IE in Beacon/ProbeResp",
1078 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1081 if (!sm->ap_wpa_ie) {
1082 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1083 "WPA: No WPA IE in Beacon/ProbeResp");
1085 wpa_hexdump(MSG_INFO, "WPA: WPA IE in 3/4 msg",
1086 wpa_ie, wpa_ie_len);
1089 if (sm->ap_rsn_ie) {
1090 wpa_hexdump(MSG_INFO, "WPA: RSN IE in Beacon/ProbeResp",
1091 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1094 if (!sm->ap_rsn_ie) {
1095 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1096 "WPA: No RSN IE in Beacon/ProbeResp");
1098 wpa_hexdump(MSG_INFO, "WPA: RSN IE in 3/4 msg",
1099 rsn_ie, rsn_ie_len);
1102 wpa_sm_deauthenticate(sm, WLAN_REASON_IE_IN_4WAY_DIFFERS);
1106 #ifdef CONFIG_IEEE80211R
1108 static int ft_validate_mdie(struct wpa_sm *sm,
1109 const unsigned char *src_addr,
1110 struct wpa_eapol_ie_parse *ie,
1111 const u8 *assoc_resp_mdie)
1113 struct rsn_mdie *mdie;
1115 mdie = (struct rsn_mdie *) (ie->mdie + 2);
1116 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
1117 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
1118 MOBILITY_DOMAIN_ID_LEN) != 0) {
1119 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
1120 "not match with the current mobility domain");
1124 if (assoc_resp_mdie &&
1125 (assoc_resp_mdie[1] != ie->mdie[1] ||
1126 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
1127 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
1128 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
1129 ie->mdie, 2 + ie->mdie[1]);
1130 wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
1131 assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
1139 static int ft_validate_ftie(struct wpa_sm *sm,
1140 const unsigned char *src_addr,
1141 struct wpa_eapol_ie_parse *ie,
1142 const u8 *assoc_resp_ftie)
1144 if (ie->ftie == NULL) {
1145 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1146 "FT: No FTIE in EAPOL-Key msg 3/4");
1150 if (assoc_resp_ftie == NULL)
1153 if (assoc_resp_ftie[1] != ie->ftie[1] ||
1154 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
1155 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
1156 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
1157 ie->ftie, 2 + ie->ftie[1]);
1158 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
1159 assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
1167 static int ft_validate_rsnie(struct wpa_sm *sm,
1168 const unsigned char *src_addr,
1169 struct wpa_eapol_ie_parse *ie)
1171 struct wpa_ie_data rsn;
1177 * Verify that PMKR1Name from EAPOL-Key message 3/4
1178 * matches with the value we derived.
1180 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
1181 rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
1182 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
1183 "FT 4-way handshake message 3/4");
1187 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
1189 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1190 "FT: PMKR1Name mismatch in "
1191 "FT 4-way handshake message 3/4");
1192 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
1193 rsn.pmkid, WPA_PMK_NAME_LEN);
1194 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1195 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1203 static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
1204 const unsigned char *src_addr,
1205 struct wpa_eapol_ie_parse *ie)
1207 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
1209 if (sm->assoc_resp_ies) {
1210 pos = sm->assoc_resp_ies;
1211 end = pos + sm->assoc_resp_ies_len;
1212 while (end - pos > 2) {
1213 if (2 + pos[1] > end - pos)
1216 case WLAN_EID_MOBILITY_DOMAIN:
1219 case WLAN_EID_FAST_BSS_TRANSITION:
1227 if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
1228 ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
1229 ft_validate_rsnie(sm, src_addr, ie) < 0)
1235 #endif /* CONFIG_IEEE80211R */
1238 static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
1239 const unsigned char *src_addr,
1240 struct wpa_eapol_ie_parse *ie)
1242 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
1243 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1244 "WPA: No WPA/RSN IE for this AP known. "
1245 "Trying to get from scan results");
1246 if (wpa_sm_get_beacon_ie(sm) < 0) {
1247 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1248 "WPA: Could not find AP from "
1249 "the scan results");
1251 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
1252 "WPA: Found the current AP from "
1253 "updated scan results");
1257 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
1258 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
1259 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1260 "with IE in Beacon/ProbeResp (no IE?)",
1261 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1262 ie->rsn_ie, ie->rsn_ie_len);
1266 if ((ie->wpa_ie && sm->ap_wpa_ie &&
1267 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
1268 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
1269 (ie->rsn_ie && sm->ap_rsn_ie &&
1270 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
1271 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
1272 ie->rsn_ie, ie->rsn_ie_len))) {
1273 wpa_report_ie_mismatch(sm, "IE in 3/4 msg does not match "
1274 "with IE in Beacon/ProbeResp",
1275 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1276 ie->rsn_ie, ie->rsn_ie_len);
1280 if (sm->proto == WPA_PROTO_WPA &&
1281 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
1282 wpa_report_ie_mismatch(sm, "Possible downgrade attack "
1283 "detected - RSN was enabled and RSN IE "
1284 "was in msg 3/4, but not in "
1286 src_addr, ie->wpa_ie, ie->wpa_ie_len,
1287 ie->rsn_ie, ie->rsn_ie_len);
1291 #ifdef CONFIG_IEEE80211R
1292 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
1293 wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
1295 #endif /* CONFIG_IEEE80211R */
1302 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
1303 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1304 * @dst: Destination address for the frame
1305 * @key: Pointer to the EAPOL-Key frame header
1306 * @ver: Version bits from EAPOL-Key Key Info
1307 * @key_info: Key Info
1308 * @ptk: PTK to use for keyed hash and encryption
1309 * Returns: >= 0 on success, < 0 on failure
1311 int wpa_supplicant_send_4_of_4(struct wpa_sm *sm, const unsigned char *dst,
1312 const struct wpa_eapol_key *key,
1313 u16 ver, u16 key_info,
1314 struct wpa_ptk *ptk)
1316 size_t mic_len, hdrlen, rlen;
1317 struct wpa_eapol_key *reply;
1320 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1321 hdrlen = sizeof(*reply) + mic_len + 2;
1322 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1323 hdrlen, &rlen, (void *) &reply);
1327 reply->type = (sm->proto == WPA_PROTO_RSN ||
1328 sm->proto == WPA_PROTO_OSEN) ?
1329 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1330 key_info &= WPA_KEY_INFO_SECURE;
1331 key_info |= ver | WPA_KEY_INFO_KEY_TYPE;
1333 key_info |= WPA_KEY_INFO_MIC;
1335 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1336 WPA_PUT_BE16(reply->key_info, key_info);
1337 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1338 WPA_PUT_BE16(reply->key_length, 0);
1340 os_memcpy(reply->key_length, key->key_length, 2);
1341 os_memcpy(reply->replay_counter, key->replay_counter,
1342 WPA_REPLAY_COUNTER_LEN);
1344 key_mic = (u8 *) (reply + 1);
1345 WPA_PUT_BE16(key_mic + mic_len, 0);
1347 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
1348 return wpa_eapol_key_send(sm, ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
1353 static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
1354 const struct wpa_eapol_key *key,
1355 u16 ver, const u8 *key_data,
1356 size_t key_data_len)
1358 u16 key_info, keylen;
1359 struct wpa_eapol_ie_parse ie;
1361 wpa_sm_set_state(sm, WPA_4WAY_HANDSHAKE);
1362 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 3 of 4-Way "
1363 "Handshake from " MACSTR " (ver=%d)", MAC2STR(sm->bssid), ver);
1365 key_info = WPA_GET_BE16(key->key_info);
1367 wpa_hexdump(MSG_DEBUG, "WPA: IE KeyData", key_data, key_data_len);
1368 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0)
1370 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1371 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1372 "WPA: GTK IE in unencrypted key data");
1375 #ifdef CONFIG_IEEE80211W
1376 if (ie.igtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1377 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1378 "WPA: IGTK KDE in unencrypted key data");
1383 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
1384 ie.igtk_len != WPA_IGTK_KDE_PREFIX_LEN +
1385 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
1386 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1387 "WPA: Invalid IGTK KDE length %lu",
1388 (unsigned long) ie.igtk_len);
1391 #endif /* CONFIG_IEEE80211W */
1393 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
1396 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
1397 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1398 "WPA: ANonce from message 1 of 4-Way Handshake "
1399 "differs from 3 of 4-Way Handshake - drop packet (src="
1400 MACSTR ")", MAC2STR(sm->bssid));
1404 keylen = WPA_GET_BE16(key->key_length);
1405 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
1406 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1407 "WPA: Invalid %s key length %d (src=" MACSTR
1408 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
1409 MAC2STR(sm->bssid));
1414 if (ie.ip_addr_alloc) {
1415 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
1416 wpa_hexdump(MSG_DEBUG, "P2P: IP address info",
1417 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
1419 #endif /* CONFIG_P2P */
1421 if (wpa_supplicant_send_4_of_4(sm, sm->bssid, key, ver, key_info,
1426 /* SNonce was successfully used in msg 3/4, so mark it to be renewed
1427 * for the next 4-Way Handshake. If msg 3 is received again, the old
1428 * SNonce will still be used to avoid changing PTK. */
1429 sm->renew_snonce = 1;
1431 if (key_info & WPA_KEY_INFO_INSTALL) {
1432 if (wpa_supplicant_install_ptk(sm, key))
1436 if (key_info & WPA_KEY_INFO_SECURE) {
1437 wpa_sm_mlme_setprotection(
1438 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
1439 MLME_SETPROTECTION_KEY_TYPE_PAIRWISE);
1440 eapol_sm_notify_portValid(sm->eapol, TRUE);
1442 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1444 if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
1445 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1446 key_info & WPA_KEY_INFO_SECURE);
1447 } else if (ie.gtk &&
1448 wpa_supplicant_pairwise_gtk(sm, key,
1449 ie.gtk, ie.gtk_len, key_info) < 0) {
1450 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1451 "RSN: Failed to configure GTK");
1455 if (ieee80211w_set_keys(sm, &ie) < 0) {
1456 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1457 "RSN: Failed to configure IGTK");
1462 wpa_sm_set_rekey_offload(sm);
1464 /* Add PMKSA cache entry for Suite B AKMs here since PMKID can be
1465 * calculated only after KCK has been derived. Though, do not replace an
1466 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
1467 * to avoid unnecessary changes of PMKID while continuing to use the
1469 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
1471 struct rsn_pmksa_cache_entry *sa;
1473 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
1474 sm->ptk.kck, sm->ptk.kck_len,
1475 sm->bssid, sm->own_addr,
1476 sm->network_ctx, sm->key_mgmt, NULL);
1481 sm->msg_3_of_4_ok = 1;
1485 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1489 static int wpa_supplicant_process_1_of_2_rsn(struct wpa_sm *sm,
1493 struct wpa_gtk_data *gd)
1496 struct wpa_eapol_ie_parse ie;
1498 wpa_hexdump_key(MSG_DEBUG, "RSN: msg 1/2 key data",
1499 keydata, keydatalen);
1500 if (wpa_supplicant_parse_ies(keydata, keydatalen, &ie) < 0)
1502 if (ie.gtk && !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1503 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1504 "WPA: GTK IE in unencrypted key data");
1507 if (ie.gtk == NULL) {
1508 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1509 "WPA: No GTK IE in Group Key msg 1/2");
1512 maxkeylen = gd->gtk_len = ie.gtk_len - 2;
1514 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1515 gd->gtk_len, maxkeylen,
1516 &gd->key_rsc_len, &gd->alg))
1519 wpa_hexdump_key(MSG_DEBUG, "RSN: received GTK in group key handshake",
1520 ie.gtk, ie.gtk_len);
1521 gd->keyidx = ie.gtk[0] & 0x3;
1522 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
1523 !!(ie.gtk[0] & BIT(2)));
1524 if (ie.gtk_len - 2 > sizeof(gd->gtk)) {
1525 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1526 "RSN: Too long GTK in GTK IE (len=%lu)",
1527 (unsigned long) ie.gtk_len - 2);
1530 os_memcpy(gd->gtk, ie.gtk + 2, ie.gtk_len - 2);
1532 if (ieee80211w_set_keys(sm, &ie) < 0)
1533 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1534 "RSN: Failed to configure IGTK");
1540 static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
1541 const struct wpa_eapol_key *key,
1543 size_t key_data_len, u16 key_info,
1544 u16 ver, struct wpa_gtk_data *gd)
1549 gtk_len = WPA_GET_BE16(key->key_length);
1550 maxkeylen = key_data_len;
1551 if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1552 if (maxkeylen < 8) {
1553 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1554 "WPA: Too short maxkeylen (%lu)",
1555 (unsigned long) maxkeylen);
1561 if (gtk_len > maxkeylen ||
1562 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1564 &gd->key_rsc_len, &gd->alg))
1567 gd->gtk_len = gtk_len;
1568 gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1569 WPA_KEY_INFO_KEY_INDEX_SHIFT;
1570 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1571 #ifdef CONFIG_NO_RC4
1572 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1573 "WPA: RC4 not supported in the build");
1575 #else /* CONFIG_NO_RC4 */
1577 if (key_data_len > sizeof(gd->gtk)) {
1578 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1579 "WPA: RC4 key data too long (%lu)",
1580 (unsigned long) key_data_len);
1583 os_memcpy(ek, key->key_iv, 16);
1584 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1585 os_memcpy(gd->gtk, key_data, key_data_len);
1586 if (rc4_skip(ek, 32, 256, gd->gtk, key_data_len)) {
1587 os_memset(ek, 0, sizeof(ek));
1588 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1592 os_memset(ek, 0, sizeof(ek));
1593 #endif /* CONFIG_NO_RC4 */
1594 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1595 if (maxkeylen % 8) {
1596 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1597 "WPA: Unsupported AES-WRAP len %lu",
1598 (unsigned long) maxkeylen);
1601 if (maxkeylen > sizeof(gd->gtk)) {
1602 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1603 "WPA: AES-WRAP key data "
1604 "too long (keydatalen=%lu maxkeylen=%lu)",
1605 (unsigned long) key_data_len,
1606 (unsigned long) maxkeylen);
1609 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
1610 key_data, gd->gtk)) {
1611 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1612 "WPA: AES unwrap failed - could not decrypt "
1617 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1618 "WPA: Unsupported key_info type %d", ver);
1621 gd->tx = wpa_supplicant_gtk_tx_bit_workaround(
1622 sm, !!(key_info & WPA_KEY_INFO_TXRX));
1627 static int wpa_supplicant_send_2_of_2(struct wpa_sm *sm,
1628 const struct wpa_eapol_key *key,
1629 int ver, u16 key_info)
1631 size_t mic_len, hdrlen, rlen;
1632 struct wpa_eapol_key *reply;
1635 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1636 hdrlen = sizeof(*reply) + mic_len + 2;
1637 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1638 hdrlen, &rlen, (void *) &reply);
1642 reply->type = (sm->proto == WPA_PROTO_RSN ||
1643 sm->proto == WPA_PROTO_OSEN) ?
1644 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1645 key_info &= WPA_KEY_INFO_KEY_INDEX_MASK;
1646 key_info |= ver | WPA_KEY_INFO_SECURE;
1648 key_info |= WPA_KEY_INFO_MIC;
1650 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1651 WPA_PUT_BE16(reply->key_info, key_info);
1652 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
1653 WPA_PUT_BE16(reply->key_length, 0);
1655 os_memcpy(reply->key_length, key->key_length, 2);
1656 os_memcpy(reply->replay_counter, key->replay_counter,
1657 WPA_REPLAY_COUNTER_LEN);
1659 key_mic = (u8 *) (reply + 1);
1660 WPA_PUT_BE16(key_mic + mic_len, 0);
1662 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
1663 return wpa_eapol_key_send(sm, &sm->ptk, ver, sm->bssid, ETH_P_EAPOL,
1664 rbuf, rlen, key_mic);
1668 static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
1669 const unsigned char *src_addr,
1670 const struct wpa_eapol_key *key,
1672 size_t key_data_len, u16 ver)
1676 struct wpa_gtk_data gd;
1679 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
1680 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1681 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
1685 os_memset(&gd, 0, sizeof(gd));
1687 rekey = wpa_sm_get_state(sm) == WPA_COMPLETED;
1688 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of Group Key "
1689 "Handshake from " MACSTR " (ver=%d)", MAC2STR(src_addr), ver);
1691 key_info = WPA_GET_BE16(key->key_info);
1693 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
1694 ret = wpa_supplicant_process_1_of_2_rsn(sm, key_data,
1695 key_data_len, key_info,
1698 ret = wpa_supplicant_process_1_of_2_wpa(sm, key, key_data,
1700 key_info, ver, &gd);
1703 wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
1708 key_rsc = key->key_rsc;
1709 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1712 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
1713 wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
1715 os_memset(&gd, 0, sizeof(gd));
1718 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Group rekeying "
1719 "completed with " MACSTR " [GTK=%s]",
1720 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
1721 wpa_sm_cancel_auth_timeout(sm);
1722 wpa_sm_set_state(sm, WPA_COMPLETED);
1724 wpa_supplicant_key_neg_complete(sm, sm->bssid,
1726 WPA_KEY_INFO_SECURE);
1729 wpa_sm_set_rekey_offload(sm);
1734 os_memset(&gd, 0, sizeof(gd));
1735 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
1739 static int wpa_supplicant_verify_eapol_key_mic(struct wpa_sm *sm,
1740 struct wpa_eapol_key *key,
1742 const u8 *buf, size_t len)
1744 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
1746 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
1748 os_memcpy(mic, key + 1, mic_len);
1750 os_memset(key + 1, 0, mic_len);
1751 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
1753 ver, buf, len, (u8 *) (key + 1)) < 0 ||
1754 os_memcmp_const(mic, key + 1, mic_len) != 0) {
1755 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1756 "WPA: Invalid EAPOL-Key MIC "
1757 "when using TPTK - ignoring TPTK");
1762 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
1763 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
1765 * This assures the same TPTK in sm->tptk can never be
1766 * copied twice to sm->ptk as the new PTK. In
1767 * combination with the installed flag in the wpa_ptk
1768 * struct, this assures the same PTK is only installed
1771 sm->renew_snonce = 1;
1775 if (!ok && sm->ptk_set) {
1776 os_memset(key + 1, 0, mic_len);
1777 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
1779 ver, buf, len, (u8 *) (key + 1)) < 0 ||
1780 os_memcmp_const(mic, key + 1, mic_len) != 0) {
1781 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1782 "WPA: Invalid EAPOL-Key MIC - "
1790 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1791 "WPA: Could not verify EAPOL-Key MIC - "
1796 os_memcpy(sm->rx_replay_counter, key->replay_counter,
1797 WPA_REPLAY_COUNTER_LEN);
1798 sm->rx_replay_counter_set = 1;
1803 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
1804 static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
1805 struct wpa_eapol_key *key,
1806 size_t mic_len, u16 ver,
1807 u8 *key_data, size_t *key_data_len)
1809 wpa_hexdump(MSG_DEBUG, "RSN: encrypted key data",
1810 key_data, *key_data_len);
1812 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1813 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
1818 /* Decrypt key data here so that this operation does not need
1819 * to be implemented separately for each message type. */
1820 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
1821 #ifdef CONFIG_NO_RC4
1822 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1823 "WPA: RC4 not supported in the build");
1825 #else /* CONFIG_NO_RC4 */
1828 wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
1829 os_memcpy(ek, key->key_iv, 16);
1830 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
1831 if (rc4_skip(ek, 32, 256, key_data, *key_data_len)) {
1832 os_memset(ek, 0, sizeof(ek));
1833 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1837 os_memset(ek, 0, sizeof(ek));
1838 #endif /* CONFIG_NO_RC4 */
1839 } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1840 ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
1841 wpa_use_aes_key_wrap(sm->key_mgmt)) {
1844 wpa_printf(MSG_DEBUG,
1845 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
1846 (unsigned int) sm->ptk.kek_len);
1847 if (*key_data_len < 8 || *key_data_len % 8) {
1848 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1849 "WPA: Unsupported AES-WRAP len %u",
1850 (unsigned int) *key_data_len);
1853 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
1854 buf = os_malloc(*key_data_len);
1856 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1857 "WPA: No memory for AES-UNWRAP buffer");
1860 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
1862 bin_clear_free(buf, *key_data_len);
1863 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1864 "WPA: AES unwrap failed - "
1865 "could not decrypt EAPOL-Key key data");
1868 os_memcpy(key_data, buf, *key_data_len);
1869 bin_clear_free(buf, *key_data_len);
1870 WPA_PUT_BE16(((u8 *) (key + 1)) + mic_len, *key_data_len);
1872 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1873 "WPA: Unsupported key_info type %d", ver);
1876 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
1877 key_data, *key_data_len);
1883 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
1884 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1886 void wpa_sm_aborted_cached(struct wpa_sm *sm)
1888 if (sm && sm->cur_pmksa) {
1889 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1890 "RSN: Cancelling PMKSA caching attempt");
1891 sm->cur_pmksa = NULL;
1896 static void wpa_eapol_key_dump(struct wpa_sm *sm,
1897 const struct wpa_eapol_key *key,
1898 unsigned int key_data_len,
1899 const u8 *mic, unsigned int mic_len)
1901 #ifndef CONFIG_NO_STDOUT_DEBUG
1902 u16 key_info = WPA_GET_BE16(key->key_info);
1904 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
1905 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1906 " key_info 0x%x (ver=%d keyidx=%d rsvd=%d %s%s%s%s%s%s%s%s)",
1907 key_info, key_info & WPA_KEY_INFO_TYPE_MASK,
1908 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
1909 WPA_KEY_INFO_KEY_INDEX_SHIFT,
1910 (key_info & (BIT(13) | BIT(14) | BIT(15))) >> 13,
1911 key_info & WPA_KEY_INFO_KEY_TYPE ? "Pairwise" : "Group",
1912 key_info & WPA_KEY_INFO_INSTALL ? " Install" : "",
1913 key_info & WPA_KEY_INFO_ACK ? " Ack" : "",
1914 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
1915 key_info & WPA_KEY_INFO_SECURE ? " Secure" : "",
1916 key_info & WPA_KEY_INFO_ERROR ? " Error" : "",
1917 key_info & WPA_KEY_INFO_REQUEST ? " Request" : "",
1918 key_info & WPA_KEY_INFO_ENCR_KEY_DATA ? " Encr" : "");
1919 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1920 " key_length=%u key_data_length=%u",
1921 WPA_GET_BE16(key->key_length), key_data_len);
1922 wpa_hexdump(MSG_DEBUG, " replay_counter",
1923 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1924 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
1925 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
1926 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
1927 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
1928 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
1929 #endif /* CONFIG_NO_STDOUT_DEBUG */
1934 static int wpa_supp_aead_decrypt(struct wpa_sm *sm, u8 *buf, size_t buf_len,
1935 size_t *key_data_len)
1937 struct wpa_ptk *ptk;
1938 struct ieee802_1x_hdr *hdr;
1939 struct wpa_eapol_key *key;
1944 if (*key_data_len < AES_BLOCK_SIZE) {
1945 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
1951 else if (sm->ptk_set)
1956 hdr = (struct ieee802_1x_hdr *) buf;
1957 key = (struct wpa_eapol_key *) (hdr + 1);
1958 pos = (u8 *) (key + 1);
1959 pos += 2; /* Pointing at the Encrypted Key Data field */
1961 tmp = os_malloc(*key_data_len);
1965 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1966 * to Key Data (exclusive). */
1968 aad_len[0] = pos - buf;
1969 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
1970 1, aad, aad_len, tmp) < 0) {
1971 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
1972 bin_clear_free(tmp, *key_data_len);
1976 /* AEAD decryption and validation completed successfully */
1977 (*key_data_len) -= AES_BLOCK_SIZE;
1978 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
1979 tmp, *key_data_len);
1981 /* Replace Key Data field with the decrypted version */
1982 os_memcpy(pos, tmp, *key_data_len);
1983 pos -= 2; /* Key Data Length field */
1984 WPA_PUT_BE16(pos, *key_data_len);
1985 bin_clear_free(tmp, *key_data_len);
1990 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
1991 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
1994 os_memcpy(sm->rx_replay_counter, key->replay_counter,
1995 WPA_REPLAY_COUNTER_LEN);
1996 sm->rx_replay_counter_set = 1;
2000 #endif /* CONFIG_FILS */
2004 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
2005 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2006 * @src_addr: Source MAC address of the EAPOL packet
2007 * @buf: Pointer to the beginning of the EAPOL data (EAPOL header)
2008 * @len: Length of the EAPOL frame
2009 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
2011 * This function is called for each received EAPOL frame. Other than EAPOL-Key
2012 * frames can be skipped if filtering is done elsewhere. wpa_sm_rx_eapol() is
2013 * only processing WPA and WPA2 EAPOL-Key frames.
2015 * The received EAPOL-Key packets are validated and valid packets are replied
2016 * to. In addition, key material (PTK, GTK) is configured at the end of a
2017 * successful key handshake.
2019 int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
2020 const u8 *buf, size_t len)
2022 size_t plen, data_len, key_data_len;
2023 const struct ieee802_1x_hdr *hdr;
2024 struct wpa_eapol_key *key;
2029 size_t mic_len, keyhdrlen;
2031 #ifdef CONFIG_IEEE80211R
2032 sm->ft_completed = 0;
2033 #endif /* CONFIG_IEEE80211R */
2035 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2036 keyhdrlen = sizeof(*key) + mic_len + 2;
2038 if (len < sizeof(*hdr) + keyhdrlen) {
2039 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2040 "WPA: EAPOL frame too short to be a WPA "
2041 "EAPOL-Key (len %lu, expecting at least %lu)",
2042 (unsigned long) len,
2043 (unsigned long) sizeof(*hdr) + keyhdrlen);
2047 hdr = (const struct ieee802_1x_hdr *) buf;
2048 plen = be_to_host16(hdr->length);
2049 data_len = plen + sizeof(*hdr);
2050 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2051 "IEEE 802.1X RX: version=%d type=%d length=%lu",
2052 hdr->version, hdr->type, (unsigned long) plen);
2054 if (hdr->version < EAPOL_VERSION) {
2055 /* TODO: backwards compatibility */
2057 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
2058 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2059 "WPA: EAPOL frame (type %u) discarded, "
2060 "not a Key frame", hdr->type);
2064 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
2065 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
2066 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2067 "WPA: EAPOL frame payload size %lu "
2068 "invalid (frame size %lu)",
2069 (unsigned long) plen, (unsigned long) len);
2073 if (data_len < len) {
2074 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2075 "WPA: ignoring %lu bytes after the IEEE 802.1X data",
2076 (unsigned long) len - data_len);
2080 * Make a copy of the frame since we need to modify the buffer during
2081 * MAC validation and Key Data decryption.
2083 tmp = os_memdup(buf, data_len);
2086 key = (struct wpa_eapol_key *) (tmp + sizeof(struct ieee802_1x_hdr));
2087 mic = (u8 *) (key + 1);
2088 key_data = mic + mic_len + 2;
2090 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
2092 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2093 "WPA: EAPOL-Key type (%d) unknown, discarded",
2099 key_data_len = WPA_GET_BE16(mic + mic_len);
2100 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
2102 if (key_data_len > plen - keyhdrlen) {
2103 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
2104 "frame - key_data overflow (%u > %u)",
2105 (unsigned int) key_data_len,
2106 (unsigned int) (plen - keyhdrlen));
2110 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
2111 key_info = WPA_GET_BE16(key->key_info);
2112 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
2113 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
2114 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
2115 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2116 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
2117 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
2118 !wpa_use_akm_defined(sm->key_mgmt)) {
2119 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2120 "WPA: Unsupported EAPOL-Key descriptor version %d",
2125 if (wpa_use_akm_defined(sm->key_mgmt) &&
2126 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
2127 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2128 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
2133 #ifdef CONFIG_IEEE80211R
2134 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
2135 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
2136 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2137 !wpa_use_akm_defined(sm->key_mgmt)) {
2138 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2139 "FT: AP did not use AES-128-CMAC");
2143 #endif /* CONFIG_IEEE80211R */
2144 #ifdef CONFIG_IEEE80211W
2145 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
2146 if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
2147 !wpa_use_akm_defined(sm->key_mgmt)) {
2148 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2149 "WPA: AP did not use the "
2150 "negotiated AES-128-CMAC");
2154 #endif /* CONFIG_IEEE80211W */
2155 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
2156 !wpa_use_akm_defined(sm->key_mgmt) &&
2157 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2158 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2159 "WPA: CCMP is used, but EAPOL-Key "
2160 "descriptor version (%d) is not 2", ver);
2161 if (sm->group_cipher != WPA_CIPHER_CCMP &&
2162 !(key_info & WPA_KEY_INFO_KEY_TYPE)) {
2163 /* Earlier versions of IEEE 802.11i did not explicitly
2164 * require version 2 descriptor for all EAPOL-Key
2165 * packets, so allow group keys to use version 1 if
2166 * CCMP is not used for them. */
2167 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2168 "WPA: Backwards compatibility: allow invalid "
2169 "version for non-CCMP group keys");
2170 } else if (ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
2171 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2172 "WPA: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
2175 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
2176 !wpa_use_akm_defined(sm->key_mgmt) &&
2177 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
2178 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2179 "WPA: GCMP is used, but EAPOL-Key "
2180 "descriptor version (%d) is not 2", ver);
2184 if (sm->rx_replay_counter_set &&
2185 os_memcmp(key->replay_counter, sm->rx_replay_counter,
2186 WPA_REPLAY_COUNTER_LEN) <= 0) {
2187 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2188 "WPA: EAPOL-Key Replay Counter did not increase - "
2193 if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
2194 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2195 "WPA: Unsupported SMK bit in key_info");
2199 if (!(key_info & WPA_KEY_INFO_ACK)) {
2200 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2201 "WPA: No Ack bit in key_info");
2205 if (key_info & WPA_KEY_INFO_REQUEST) {
2206 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2207 "WPA: EAPOL-Key with Request bit - dropped");
2211 if ((key_info & WPA_KEY_INFO_MIC) &&
2212 wpa_supplicant_verify_eapol_key_mic(sm, key, ver, tmp, data_len))
2216 if (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
2217 if (wpa_supp_aead_decrypt(sm, tmp, data_len, &key_data_len))
2220 #endif /* CONFIG_FILS */
2222 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
2223 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
2225 * Only decrypt the Key Data field if the frame's authenticity
2226 * was verified. When using AES-SIV (FILS), the MIC flag is not
2227 * set, so this check should only be performed if mic_len != 0
2228 * which is the case in this code branch.
2230 if (!(key_info & WPA_KEY_INFO_MIC)) {
2231 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2232 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
2235 if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
2241 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
2242 if (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) {
2243 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2244 "WPA: Ignored EAPOL-Key (Pairwise) with "
2245 "non-zero key index");
2248 if (key_info & (WPA_KEY_INFO_MIC |
2249 WPA_KEY_INFO_ENCR_KEY_DATA)) {
2250 /* 3/4 4-Way Handshake */
2251 wpa_supplicant_process_3_of_4(sm, key, ver, key_data,
2254 /* 1/4 4-Way Handshake */
2255 wpa_supplicant_process_1_of_4(sm, src_addr, key,
2260 if ((mic_len && (key_info & WPA_KEY_INFO_MIC)) ||
2261 (!mic_len && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA))) {
2262 /* 1/2 Group Key Handshake */
2263 wpa_supplicant_process_1_of_2(sm, src_addr, key,
2264 key_data, key_data_len,
2267 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2268 "WPA: EAPOL-Key (Group) without Mic/Encr bit - "
2276 bin_clear_free(tmp, data_len);
2281 #ifdef CONFIG_CTRL_IFACE
2282 static u32 wpa_key_mgmt_suite(struct wpa_sm *sm)
2284 switch (sm->key_mgmt) {
2285 case WPA_KEY_MGMT_IEEE8021X:
2286 return ((sm->proto == WPA_PROTO_RSN ||
2287 sm->proto == WPA_PROTO_OSEN) ?
2288 RSN_AUTH_KEY_MGMT_UNSPEC_802_1X :
2289 WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
2290 case WPA_KEY_MGMT_PSK:
2291 return (sm->proto == WPA_PROTO_RSN ?
2292 RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X :
2293 WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
2294 #ifdef CONFIG_IEEE80211R
2295 case WPA_KEY_MGMT_FT_IEEE8021X:
2296 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2297 case WPA_KEY_MGMT_FT_PSK:
2298 return RSN_AUTH_KEY_MGMT_FT_PSK;
2299 #endif /* CONFIG_IEEE80211R */
2300 #ifdef CONFIG_IEEE80211W
2301 case WPA_KEY_MGMT_IEEE8021X_SHA256:
2302 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2303 case WPA_KEY_MGMT_PSK_SHA256:
2304 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2305 #endif /* CONFIG_IEEE80211W */
2306 case WPA_KEY_MGMT_CCKM:
2307 return (sm->proto == WPA_PROTO_RSN ?
2308 RSN_AUTH_KEY_MGMT_CCKM:
2309 WPA_AUTH_KEY_MGMT_CCKM);
2310 case WPA_KEY_MGMT_WPA_NONE:
2311 return WPA_AUTH_KEY_MGMT_NONE;
2312 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2313 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2314 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2315 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2322 #define RSN_SUITE "%02x-%02x-%02x-%d"
2323 #define RSN_SUITE_ARG(s) \
2324 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2327 * wpa_sm_get_mib - Dump text list of MIB entries
2328 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2329 * @buf: Buffer for the list
2330 * @buflen: Length of the buffer
2331 * Returns: Number of bytes written to buffer
2333 * This function is used fetch dot11 MIB variables.
2335 int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
2337 char pmkid_txt[PMKID_LEN * 2 + 1];
2341 if (sm->cur_pmksa) {
2342 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2343 sm->cur_pmksa->pmkid, PMKID_LEN);
2345 pmkid_txt[0] = '\0';
2347 if ((wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
2348 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
2349 sm->proto == WPA_PROTO_RSN)
2354 ret = os_snprintf(buf, buflen,
2355 "dot11RSNAOptionImplemented=TRUE\n"
2356 "dot11RSNAPreauthenticationImplemented=TRUE\n"
2357 "dot11RSNAEnabled=%s\n"
2358 "dot11RSNAPreauthenticationEnabled=%s\n"
2359 "dot11RSNAConfigVersion=%d\n"
2360 "dot11RSNAConfigPairwiseKeysSupported=5\n"
2361 "dot11RSNAConfigGroupCipherSize=%d\n"
2362 "dot11RSNAConfigPMKLifetime=%d\n"
2363 "dot11RSNAConfigPMKReauthThreshold=%d\n"
2364 "dot11RSNAConfigNumberOfPTKSAReplayCounters=1\n"
2365 "dot11RSNAConfigSATimeout=%d\n",
2366 rsna ? "TRUE" : "FALSE",
2367 rsna ? "TRUE" : "FALSE",
2369 wpa_cipher_key_len(sm->group_cipher) * 8,
2370 sm->dot11RSNAConfigPMKLifetime,
2371 sm->dot11RSNAConfigPMKReauthThreshold,
2372 sm->dot11RSNAConfigSATimeout);
2373 if (os_snprintf_error(buflen, ret))
2378 buf + len, buflen - len,
2379 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2380 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2381 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2382 "dot11RSNAPMKIDUsed=%s\n"
2383 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2384 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2385 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2386 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n"
2387 "dot11RSNA4WayHandshakeFailures=%u\n",
2388 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2389 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2390 sm->pairwise_cipher)),
2391 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2394 RSN_SUITE_ARG(wpa_key_mgmt_suite(sm)),
2395 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2396 sm->pairwise_cipher)),
2397 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
2399 sm->dot11RSNA4WayHandshakeFailures);
2400 if (!os_snprintf_error(buflen - len, ret))
2405 #endif /* CONFIG_CTRL_IFACE */
2408 static void wpa_sm_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
2409 void *ctx, enum pmksa_free_reason reason)
2411 struct wpa_sm *sm = ctx;
2414 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
2415 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
2417 if (sm->cur_pmksa == entry) {
2418 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2419 "RSN: %s current PMKSA entry",
2420 reason == PMKSA_REPLACE ? "replaced" : "removed");
2421 pmksa_cache_clear_current(sm);
2424 * If an entry is simply being replaced, there's no need to
2425 * deauthenticate because it will be immediately re-added.
2426 * This happens when EAP authentication is completed again
2427 * (reauth or failed PMKSA caching attempt).
2429 if (reason != PMKSA_REPLACE)
2433 if (reason == PMKSA_EXPIRE &&
2434 (sm->pmk_len == entry->pmk_len &&
2435 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
2436 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2437 "RSN: deauthenticating due to expired PMK");
2438 pmksa_cache_clear_current(sm);
2444 os_memset(sm->pmk, 0, sizeof(sm->pmk));
2445 wpa_sm_deauthenticate(sm, WLAN_REASON_UNSPECIFIED);
2451 * wpa_sm_init - Initialize WPA state machine
2452 * @ctx: Context pointer for callbacks; this needs to be an allocated buffer
2453 * Returns: Pointer to the allocated WPA state machine data
2455 * This function is used to allocate a new WPA state machine and the returned
2456 * value is passed to all WPA state machine calls.
2458 struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
2462 sm = os_zalloc(sizeof(*sm));
2465 dl_list_init(&sm->pmksa_candidates);
2466 sm->renew_snonce = 1;
2469 sm->dot11RSNAConfigPMKLifetime = 43200;
2470 sm->dot11RSNAConfigPMKReauthThreshold = 70;
2471 sm->dot11RSNAConfigSATimeout = 60;
2473 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb, sm, sm);
2474 if (sm->pmksa == NULL) {
2475 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2476 "RSN: PMKSA cache initialization failed");
2486 * wpa_sm_deinit - Deinitialize WPA state machine
2487 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2489 void wpa_sm_deinit(struct wpa_sm *sm)
2493 pmksa_cache_deinit(sm->pmksa);
2494 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2495 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2496 os_free(sm->assoc_wpa_ie);
2497 os_free(sm->ap_wpa_ie);
2498 os_free(sm->ap_rsn_ie);
2501 #ifdef CONFIG_IEEE80211R
2502 os_free(sm->assoc_resp_ies);
2503 #endif /* CONFIG_IEEE80211R */
2504 #ifdef CONFIG_TESTING_OPTIONS
2505 wpabuf_free(sm->test_assoc_ie);
2506 #endif /* CONFIG_TESTING_OPTIONS */
2507 #ifdef CONFIG_FILS_SK_PFS
2508 crypto_ecdh_deinit(sm->fils_ecdh);
2509 #endif /* CONFIG_FILS_SK_PFS */
2511 wpabuf_free(sm->fils_ft_ies);
2512 #endif /* CONFIG_FILS */
2514 crypto_ecdh_deinit(sm->owe_ecdh);
2515 #endif /* CONFIG_OWE */
2521 * wpa_sm_notify_assoc - Notify WPA state machine about association
2522 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2523 * @bssid: The BSSID of the new association
2525 * This function is called to let WPA state machine know that the connection
2528 void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
2535 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2536 "WPA: Association event - clear replay counter");
2537 os_memcpy(sm->bssid, bssid, ETH_ALEN);
2538 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
2539 sm->rx_replay_counter_set = 0;
2540 sm->renew_snonce = 1;
2541 if (os_memcmp(sm->preauth_bssid, bssid, ETH_ALEN) == 0)
2542 rsn_preauth_deinit(sm);
2544 #ifdef CONFIG_IEEE80211R
2545 if (wpa_ft_is_completed(sm)) {
2547 * Clear portValid to kick EAPOL state machine to re-enter
2548 * AUTHENTICATED state to get the EAPOL port Authorized.
2550 eapol_sm_notify_portValid(sm->eapol, FALSE);
2551 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2553 /* Prepare for the next transition */
2554 wpa_ft_prepare_auth_request(sm, NULL);
2558 #endif /* CONFIG_IEEE80211R */
2560 if (sm->fils_completed) {
2562 * Clear portValid to kick EAPOL state machine to re-enter
2563 * AUTHENTICATED state to get the EAPOL port Authorized.
2565 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
2568 #endif /* CONFIG_FILS */
2572 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
2573 * this is not part of a Fast BSS Transition.
2575 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
2577 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
2579 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
2580 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
2581 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
2582 #ifdef CONFIG_IEEE80211W
2583 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
2584 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
2585 #endif /* CONFIG_IEEE80211W */
2590 #endif /* CONFIG_TDLS */
2593 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
2594 #endif /* CONFIG_P2P */
2599 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
2600 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2602 * This function is called to let WPA state machine know that the connection
2603 * was lost. This will abort any existing pre-authentication session.
2605 void wpa_sm_notify_disassoc(struct wpa_sm *sm)
2607 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
2608 eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
2609 rsn_preauth_deinit(sm);
2610 pmksa_cache_clear_current(sm);
2611 if (wpa_sm_get_state(sm) == WPA_4WAY_HANDSHAKE)
2612 sm->dot11RSNA4WayHandshakeFailures++;
2614 wpa_tdls_disassoc(sm);
2615 #endif /* CONFIG_TDLS */
2617 sm->fils_completed = 0;
2618 #endif /* CONFIG_FILS */
2619 #ifdef CONFIG_IEEE80211R
2620 sm->ft_reassoc_completed = 0;
2621 #endif /* CONFIG_IEEE80211R */
2623 /* Keys are not needed in the WPA state machine anymore */
2626 sm->msg_3_of_4_ok = 0;
2627 os_memset(sm->bssid, 0, ETH_ALEN);
2632 * wpa_sm_set_pmk - Set PMK
2633 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2635 * @pmk_len: The length of the new PMK in bytes
2636 * @pmkid: Calculated PMKID
2637 * @bssid: AA to add into PMKSA cache or %NULL to not cache the PMK
2639 * Configure the PMK for WPA state machine.
2641 void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
2642 const u8 *pmkid, const u8 *bssid)
2647 wpa_hexdump_key(MSG_DEBUG, "WPA: Set PMK based on external data",
2649 sm->pmk_len = pmk_len;
2650 os_memcpy(sm->pmk, pmk, pmk_len);
2652 #ifdef CONFIG_IEEE80211R
2653 /* Set XXKey to be PSK for FT key derivation */
2654 sm->xxkey_len = pmk_len;
2655 os_memcpy(sm->xxkey, pmk, pmk_len);
2656 #endif /* CONFIG_IEEE80211R */
2659 pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
2660 bssid, sm->own_addr,
2661 sm->network_ctx, sm->key_mgmt, NULL);
2667 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
2668 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2670 * Take the PMK from the current PMKSA into use. If no PMKSA is active, the PMK
2673 void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
2678 if (sm->cur_pmksa) {
2679 wpa_hexdump_key(MSG_DEBUG,
2680 "WPA: Set PMK based on current PMKSA",
2681 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
2682 sm->pmk_len = sm->cur_pmksa->pmk_len;
2683 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
2685 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
2687 os_memset(sm->pmk, 0, PMK_LEN_MAX);
2693 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
2694 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2695 * @fast_reauth: Whether fast reauthentication (EAP) is allowed
2697 void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
2700 sm->fast_reauth = fast_reauth;
2705 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
2706 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2707 * @scard_ctx: Context pointer for smartcard related callback functions
2709 void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
2713 sm->scard_ctx = scard_ctx;
2714 if (sm->preauth_eapol)
2715 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
2720 * wpa_sm_set_config - Notification of current configration change
2721 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2722 * @config: Pointer to current network configuration
2724 * Notify WPA state machine that configuration has changed. config will be
2725 * stored as a backpointer to network configuration. This can be %NULL to clear
2726 * the stored pointed.
2728 void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
2734 sm->network_ctx = config->network_ctx;
2735 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
2736 sm->proactive_key_caching = config->proactive_key_caching;
2737 sm->eap_workaround = config->eap_workaround;
2738 sm->eap_conf_ctx = config->eap_conf_ctx;
2740 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
2741 sm->ssid_len = config->ssid_len;
2744 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
2745 sm->p2p = config->p2p;
2746 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
2748 if (config->fils_cache_id) {
2749 sm->fils_cache_id_set = 1;
2750 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
2753 sm->fils_cache_id_set = 0;
2755 #endif /* CONFIG_FILS */
2757 sm->network_ctx = NULL;
2758 sm->allowed_pairwise_cipher = 0;
2759 sm->proactive_key_caching = 0;
2760 sm->eap_workaround = 0;
2761 sm->eap_conf_ctx = NULL;
2763 sm->wpa_ptk_rekey = 0;
2765 sm->wpa_rsc_relaxation = 0;
2771 * wpa_sm_set_own_addr - Set own MAC address
2772 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2773 * @addr: Own MAC address
2775 void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
2778 os_memcpy(sm->own_addr, addr, ETH_ALEN);
2783 * wpa_sm_set_ifname - Set network interface name
2784 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2785 * @ifname: Interface name
2786 * @bridge_ifname: Optional bridge interface name (for pre-auth)
2788 void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
2789 const char *bridge_ifname)
2792 sm->ifname = ifname;
2793 sm->bridge_ifname = bridge_ifname;
2799 * wpa_sm_set_eapol - Set EAPOL state machine pointer
2800 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2801 * @eapol: Pointer to EAPOL state machine allocated with eapol_sm_init()
2803 void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
2811 * wpa_sm_set_param - Set WPA state machine parameters
2812 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2813 * @param: Parameter field
2814 * @value: Parameter value
2815 * Returns: 0 on success, -1 on failure
2817 int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
2826 case RSNA_PMK_LIFETIME:
2828 sm->dot11RSNAConfigPMKLifetime = value;
2832 case RSNA_PMK_REAUTH_THRESHOLD:
2833 if (value > 0 && value <= 100)
2834 sm->dot11RSNAConfigPMKReauthThreshold = value;
2838 case RSNA_SA_TIMEOUT:
2840 sm->dot11RSNAConfigSATimeout = value;
2844 case WPA_PARAM_PROTO:
2847 case WPA_PARAM_PAIRWISE:
2848 sm->pairwise_cipher = value;
2850 case WPA_PARAM_GROUP:
2851 sm->group_cipher = value;
2853 case WPA_PARAM_KEY_MGMT:
2854 sm->key_mgmt = value;
2856 #ifdef CONFIG_IEEE80211W
2857 case WPA_PARAM_MGMT_GROUP:
2858 sm->mgmt_group_cipher = value;
2860 #endif /* CONFIG_IEEE80211W */
2861 case WPA_PARAM_RSN_ENABLED:
2862 sm->rsn_enabled = value;
2876 * wpa_sm_get_status - Get WPA state machine
2877 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2878 * @buf: Buffer for status information
2879 * @buflen: Maximum buffer length
2880 * @verbose: Whether to include verbose status information
2881 * Returns: Number of bytes written to buf.
2883 * Query WPA state machine for status information. This function fills in
2884 * a text area with current status information. If the buffer (buf) is not
2885 * large enough, status information will be truncated to fit the buffer.
2887 int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
2890 char *pos = buf, *end = buf + buflen;
2893 ret = os_snprintf(pos, end - pos,
2894 "pairwise_cipher=%s\n"
2897 wpa_cipher_txt(sm->pairwise_cipher),
2898 wpa_cipher_txt(sm->group_cipher),
2899 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
2900 if (os_snprintf_error(end - pos, ret))
2904 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
2905 struct wpa_ie_data rsn;
2906 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
2908 rsn.capabilities & (WPA_CAPABILITY_MFPR |
2909 WPA_CAPABILITY_MFPC)) {
2910 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
2911 "mgmt_group_cipher=%s\n",
2913 WPA_CAPABILITY_MFPR) ? 2 : 1,
2915 sm->mgmt_group_cipher));
2916 if (os_snprintf_error(end - pos, ret))
2926 int wpa_sm_pmf_enabled(struct wpa_sm *sm)
2928 struct wpa_ie_data rsn;
2930 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
2933 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
2934 rsn.capabilities & (WPA_CAPABILITY_MFPR | WPA_CAPABILITY_MFPC))
2942 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
2943 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2944 * @wpa_ie: Pointer to buffer for WPA/RSN IE
2945 * @wpa_ie_len: Pointer to the length of the wpa_ie buffer
2946 * Returns: 0 on success, -1 on failure
2948 int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
2956 #ifdef CONFIG_TESTING_OPTIONS
2957 if (sm->test_assoc_ie) {
2958 wpa_printf(MSG_DEBUG,
2959 "TESTING: Replace association WPA/RSN IE");
2960 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
2962 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
2963 wpabuf_len(sm->test_assoc_ie));
2964 res = wpabuf_len(sm->test_assoc_ie);
2966 #endif /* CONFIG_TESTING_OPTIONS */
2967 res = wpa_gen_wpa_ie(sm, wpa_ie, *wpa_ie_len);
2972 wpa_hexdump(MSG_DEBUG, "WPA: Set own WPA IE default",
2973 wpa_ie, *wpa_ie_len);
2975 if (sm->assoc_wpa_ie == NULL) {
2977 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
2978 * the correct version of the IE even if PMKSA caching is
2979 * aborted (which would remove PMKID from IE generation).
2981 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
2982 if (sm->assoc_wpa_ie == NULL)
2985 sm->assoc_wpa_ie_len = *wpa_ie_len;
2987 wpa_hexdump(MSG_DEBUG,
2988 "WPA: Leave previously set WPA IE default",
2989 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
2997 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
2998 * @sm: Pointer to WPA state machine data from wpa_sm_init()
2999 * @ie: Pointer to IE data (starting from id)
3001 * Returns: 0 on success, -1 on failure
3003 * Inform WPA state machine about the WPA/RSN IE used in (Re)Association
3004 * Request frame. The IE will be used to override the default value generated
3005 * with wpa_sm_set_assoc_wpa_ie_default().
3007 int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3012 os_free(sm->assoc_wpa_ie);
3013 if (ie == NULL || len == 0) {
3014 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3015 "WPA: clearing own WPA/RSN IE");
3016 sm->assoc_wpa_ie = NULL;
3017 sm->assoc_wpa_ie_len = 0;
3019 wpa_hexdump(MSG_DEBUG, "WPA: set own WPA/RSN IE", ie, len);
3020 sm->assoc_wpa_ie = os_memdup(ie, len);
3021 if (sm->assoc_wpa_ie == NULL)
3024 sm->assoc_wpa_ie_len = len;
3032 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
3033 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3034 * @ie: Pointer to IE data (starting from id)
3036 * Returns: 0 on success, -1 on failure
3038 * Inform WPA state machine about the WPA IE used in Beacon / Probe Response
3041 int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3046 os_free(sm->ap_wpa_ie);
3047 if (ie == NULL || len == 0) {
3048 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3049 "WPA: clearing AP WPA IE");
3050 sm->ap_wpa_ie = NULL;
3051 sm->ap_wpa_ie_len = 0;
3053 wpa_hexdump(MSG_DEBUG, "WPA: set AP WPA IE", ie, len);
3054 sm->ap_wpa_ie = os_memdup(ie, len);
3055 if (sm->ap_wpa_ie == NULL)
3058 sm->ap_wpa_ie_len = len;
3066 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
3067 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3068 * @ie: Pointer to IE data (starting from id)
3070 * Returns: 0 on success, -1 on failure
3072 * Inform WPA state machine about the RSN IE used in Beacon / Probe Response
3075 int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len)
3080 os_free(sm->ap_rsn_ie);
3081 if (ie == NULL || len == 0) {
3082 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3083 "WPA: clearing AP RSN IE");
3084 sm->ap_rsn_ie = NULL;
3085 sm->ap_rsn_ie_len = 0;
3087 wpa_hexdump(MSG_DEBUG, "WPA: set AP RSN IE", ie, len);
3088 sm->ap_rsn_ie = os_memdup(ie, len);
3089 if (sm->ap_rsn_ie == NULL)
3092 sm->ap_rsn_ie_len = len;
3100 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
3101 * @sm: Pointer to WPA state machine data from wpa_sm_init()
3102 * @data: Pointer to data area for parsing results
3103 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
3105 * Parse the contents of the own WPA or RSN IE from (Re)AssocReq and write the
3106 * parsed data into data.
3108 int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data)
3113 if (sm->assoc_wpa_ie == NULL) {
3114 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3115 "WPA: No WPA/RSN IE available from association info");
3118 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
3124 int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len)
3126 return pmksa_cache_list(sm->pmksa, buf, len);
3130 struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm)
3132 return pmksa_cache_head(sm->pmksa);
3136 struct rsn_pmksa_cache_entry *
3137 wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
3138 struct rsn_pmksa_cache_entry * entry)
3140 return pmksa_cache_add_entry(sm->pmksa, entry);
3144 void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
3145 const u8 *pmkid, const u8 *bssid,
3146 const u8 *fils_cache_id)
3148 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
3149 bssid, sm->own_addr, sm->network_ctx,
3150 sm->key_mgmt, fils_cache_id);
3154 int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid,
3155 const void *network_ctx)
3157 return pmksa_cache_get(sm->pmksa, bssid, NULL, network_ctx, 0) != NULL;
3161 void wpa_sm_drop_sa(struct wpa_sm *sm)
3163 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
3167 os_memset(sm->pmk, 0, sizeof(sm->pmk));
3168 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
3169 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3170 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
3171 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
3172 #ifdef CONFIG_IEEE80211W
3173 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
3174 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
3175 #endif /* CONFIG_IEEE80211W */
3176 #ifdef CONFIG_IEEE80211R
3177 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
3179 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
3181 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
3183 #endif /* CONFIG_IEEE80211R */
3187 int wpa_sm_has_ptk(struct wpa_sm *sm)
3195 void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr)
3197 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
3201 void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
3203 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);
3208 int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
3211 u8 keylen; /* plaintext key len */
3214 if (subelem_id == WNM_SLEEP_SUBELEM_GTK) {
3215 struct wpa_gtk_data gd;
3217 os_memset(&gd, 0, sizeof(gd));
3218 keylen = wpa_cipher_key_len(sm->group_cipher);
3219 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
3220 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
3221 if (gd.alg == WPA_ALG_NONE) {
3222 wpa_printf(MSG_DEBUG, "Unsupported group cipher suite");
3227 keyinfo = WPA_GET_LE16(buf + 2);
3228 gd.gtk_len = keylen;
3229 if (gd.gtk_len != buf[4]) {
3230 wpa_printf(MSG_DEBUG, "GTK len mismatch len %d vs %d",
3231 gd.gtk_len, buf[4]);
3234 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
3235 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(
3236 sm, !!(keyinfo & WPA_KEY_INFO_TXRX));
3238 os_memcpy(gd.gtk, buf + 13, gd.gtk_len);
3240 wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
3241 gd.gtk, gd.gtk_len);
3242 if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
3243 os_memset(&gd, 0, sizeof(gd));
3244 wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
3248 os_memset(&gd, 0, sizeof(gd));
3249 #ifdef CONFIG_IEEE80211W
3250 } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
3251 const struct wpa_igtk_kde *igtk;
3253 igtk = (const struct wpa_igtk_kde *) (buf + 2);
3254 if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
3256 #endif /* CONFIG_IEEE80211W */
3258 wpa_printf(MSG_DEBUG, "Unknown element id");
3264 #endif /* CONFIG_WNM */
3269 int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf)
3271 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
3273 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
3277 #endif /* CONFIG_P2P */
3280 void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter)
3282 if (rx_replay_counter == NULL)
3285 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
3286 WPA_REPLAY_COUNTER_LEN);
3287 sm->rx_replay_counter_set = 1;
3288 wpa_printf(MSG_DEBUG, "Updated key replay counter");
3292 void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
3293 const u8 *ptk_kck, size_t ptk_kck_len,
3294 const u8 *ptk_kek, size_t ptk_kek_len)
3296 if (ptk_kck && ptk_kck_len <= WPA_KCK_MAX_LEN) {
3297 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
3298 sm->ptk.kck_len = ptk_kck_len;
3299 wpa_printf(MSG_DEBUG, "Updated PTK KCK");
3301 if (ptk_kek && ptk_kek_len <= WPA_KEK_MAX_LEN) {
3302 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
3303 sm->ptk.kek_len = ptk_kek_len;
3304 wpa_printf(MSG_DEBUG, "Updated PTK KEK");
3310 #ifdef CONFIG_TESTING_OPTIONS
3312 void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf)
3314 wpabuf_free(sm->test_assoc_ie);
3315 sm->test_assoc_ie = buf;
3319 const u8 * wpa_sm_get_anonce(struct wpa_sm *sm)
3324 #endif /* CONFIG_TESTING_OPTIONS */
3327 unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm)
3329 return sm->key_mgmt;
3335 struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md)
3337 struct wpabuf *buf = NULL;
3338 struct wpabuf *erp_msg;
3339 struct wpabuf *pub = NULL;
3341 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
3342 if (!erp_msg && !sm->cur_pmksa) {
3343 wpa_printf(MSG_DEBUG,
3344 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
3348 wpa_printf(MSG_DEBUG, "FILS: Try to use FILS (erp=%d pmksa_cache=%d)",
3349 erp_msg != NULL, sm->cur_pmksa != NULL);
3351 sm->fils_completed = 0;
3353 if (!sm->assoc_wpa_ie) {
3354 wpa_printf(MSG_INFO, "FILS: No own RSN IE set for FILS");
3358 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
3359 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
3362 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Nonce",
3363 sm->fils_nonce, FILS_NONCE_LEN);
3364 wpa_hexdump(MSG_DEBUG, "FILS: Generated FILS Session",
3365 sm->fils_session, FILS_SESSION_LEN);
3367 #ifdef CONFIG_FILS_SK_PFS
3368 sm->fils_dh_group = dh_group;
3370 crypto_ecdh_deinit(sm->fils_ecdh);
3371 sm->fils_ecdh = crypto_ecdh_init(dh_group);
3372 if (!sm->fils_ecdh) {
3373 wpa_printf(MSG_INFO,
3374 "FILS: Could not initialize ECDH with group %d",
3378 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
3381 wpa_hexdump_buf(MSG_DEBUG, "FILS: Element (DH public key)",
3383 sm->fils_dh_elem_len = wpabuf_len(pub);
3385 #endif /* CONFIG_FILS_SK_PFS */
3387 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
3388 (pub ? wpabuf_len(pub) : 0));
3392 /* Fields following the Authentication algorithm number field */
3394 /* Authentication Transaction seq# */
3395 wpabuf_put_le16(buf, 1);
3398 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
3401 #ifdef CONFIG_FILS_SK_PFS
3403 /* Finite Cyclic Group */
3404 wpabuf_put_le16(buf, dh_group);
3406 wpabuf_put_buf(buf, pub);
3408 #endif /* CONFIG_FILS_SK_PFS */
3411 wpa_hexdump(MSG_DEBUG, "FILS: RSNE in FILS Authentication frame",
3412 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3413 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
3416 /* MDE when using FILS for FT initial association */
3417 struct rsn_mdie *mdie;
3419 wpabuf_put_u8(buf, WLAN_EID_MOBILITY_DOMAIN);
3420 wpabuf_put_u8(buf, sizeof(*mdie));
3421 mdie = wpabuf_put(buf, sizeof(*mdie));
3422 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
3427 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3428 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); /* Length */
3429 /* Element ID Extension */
3430 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
3431 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
3434 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3435 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3436 /* Element ID Extension */
3437 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3438 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3440 /* FILS Wrapped Data */
3441 sm->fils_erp_pmkid_set = 0;
3443 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3444 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg)); /* Length */
3445 /* Element ID Extension */
3446 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_WRAPPED_DATA);
3447 wpabuf_put_buf(buf, erp_msg);
3448 /* Calculate pending PMKID here so that we do not need to
3449 * maintain a copy of the EAP-Initiate/Reauth message. */
3450 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
3451 wpabuf_len(erp_msg),
3452 sm->fils_erp_pmkid) == 0)
3453 sm->fils_erp_pmkid_set = 1;
3456 wpa_hexdump_buf(MSG_DEBUG, "RSN: FILS fields for Authentication frame",
3460 wpabuf_free(erp_msg);
3466 int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
3469 const u8 *pos, *end;
3470 struct ieee802_11_elems elems;
3471 struct wpa_ie_data rsn;
3472 int pmkid_match = 0;
3473 u8 ick[FILS_ICK_MAX_LEN];
3476 struct wpabuf *dh_ss = NULL;
3477 const u8 *g_sta = NULL;
3478 size_t g_sta_len = 0;
3479 const u8 *g_ap = NULL;
3480 size_t g_ap_len = 0;
3481 struct wpabuf *pub = NULL;
3483 os_memcpy(sm->bssid, bssid, ETH_ALEN);
3485 wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
3491 #ifdef CONFIG_FILS_SK_PFS
3492 if (sm->fils_dh_group) {
3495 /* Using FILS PFS */
3497 /* Finite Cyclic Group */
3498 if (end - pos < 2) {
3499 wpa_printf(MSG_DEBUG,
3500 "FILS: No room for Finite Cyclic Group");
3503 group = WPA_GET_LE16(pos);
3505 if (group != sm->fils_dh_group) {
3506 wpa_printf(MSG_DEBUG,
3507 "FILS: Unexpected change in Finite Cyclic Group: %u (expected %u)",
3508 group, sm->fils_dh_group);
3513 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
3514 wpa_printf(MSG_DEBUG, "FILS: No room for Element");
3518 if (!sm->fils_ecdh) {
3519 wpa_printf(MSG_DEBUG, "FILS: No ECDH state available");
3522 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
3523 sm->fils_dh_elem_len);
3525 wpa_printf(MSG_DEBUG, "FILS: ECDH operation failed");
3528 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: DH_SS", dh_ss);
3530 g_ap_len = sm->fils_dh_elem_len;
3531 pos += sm->fils_dh_elem_len;
3533 #endif /* CONFIG_FILS_SK_PFS */
3535 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
3536 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
3537 wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
3542 wpa_hexdump(MSG_DEBUG, "FILS: RSN element", elems.rsn_ie,
3544 if (!elems.rsn_ie ||
3545 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
3547 wpa_printf(MSG_DEBUG, "FILS: No RSN element");
3551 if (!elems.fils_nonce) {
3552 wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
3555 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
3556 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
3558 #ifdef CONFIG_IEEE80211R
3559 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
3560 struct wpa_ft_ies parse;
3562 if (!elems.mdie || !elems.ftie) {
3563 wpa_printf(MSG_DEBUG, "FILS+FT: No MDE or FTE");
3567 if (wpa_ft_parse_ies(pos, end - pos, &parse,
3568 wpa_key_mgmt_sha384(sm->key_mgmt)) < 0) {
3569 wpa_printf(MSG_DEBUG, "FILS+FT: Failed to parse IEs");
3573 if (!parse.r0kh_id) {
3574 wpa_printf(MSG_DEBUG,
3575 "FILS+FT: No R0KH-ID subelem in FTE");
3578 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
3579 sm->r0kh_id_len = parse.r0kh_id_len;
3580 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
3581 sm->r0kh_id, sm->r0kh_id_len);
3583 if (!parse.r1kh_id) {
3584 wpa_printf(MSG_DEBUG,
3585 "FILS+FT: No R1KH-ID subelem in FTE");
3588 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
3589 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
3590 sm->r1kh_id, FT_R1KH_ID_LEN);
3592 /* TODO: Check MDE and FTE payload */
3594 wpabuf_free(sm->fils_ft_ies);
3595 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
3596 2 + elems.ftie_len);
3597 if (!sm->fils_ft_ies)
3599 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
3600 2 + elems.mdie_len);
3601 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
3602 2 + elems.ftie_len);
3604 wpabuf_free(sm->fils_ft_ies);
3605 sm->fils_ft_ies = NULL;
3607 #endif /* CONFIG_IEEE80211R */
3610 if (rsn.pmkid && rsn.num_pmkid > 0) {
3611 wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
3612 rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
3614 if (rsn.num_pmkid != 1) {
3615 wpa_printf(MSG_DEBUG, "FILS: Invalid PMKID selection");
3618 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", rsn.pmkid, PMKID_LEN);
3619 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
3621 wpa_printf(MSG_DEBUG, "FILS: PMKID mismatch");
3622 wpa_hexdump(MSG_DEBUG, "FILS: Expected PMKID",
3623 sm->cur_pmksa->pmkid, PMKID_LEN);
3626 wpa_printf(MSG_DEBUG,
3627 "FILS: Matching PMKID - continue using PMKSA caching");
3630 if (!pmkid_match && sm->cur_pmksa) {
3631 wpa_printf(MSG_DEBUG,
3632 "FILS: No PMKID match - cannot use cached PMKSA entry");
3633 sm->cur_pmksa = NULL;
3637 if (!elems.fils_session) {
3638 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
3641 wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
3643 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
3645 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
3646 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
3647 sm->fils_session, FILS_SESSION_LEN);
3651 /* FILS Wrapped Data */
3652 if (!sm->cur_pmksa && elems.fils_wrapped_data) {
3653 u8 rmsk[ERP_MAX_KEY_LEN];
3656 wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
3657 elems.fils_wrapped_data,
3658 elems.fils_wrapped_data_len);
3659 eapol_sm_process_erp_finish(sm->eapol, elems.fils_wrapped_data,
3660 elems.fils_wrapped_data_len);
3661 if (eapol_sm_failed(sm->eapol))
3664 rmsk_len = ERP_MAX_KEY_LEN;
3665 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3666 if (res == PMK_LEN) {
3668 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
3673 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
3674 sm->fils_nonce, sm->fils_anonce,
3675 dh_ss ? wpabuf_head(dh_ss) : NULL,
3676 dh_ss ? wpabuf_len(dh_ss) : 0,
3677 sm->pmk, &sm->pmk_len);
3678 os_memset(rmsk, 0, sizeof(rmsk));
3680 /* Don't use DHss in PTK derivation if PMKSA caching is not
3682 wpabuf_clear_free(dh_ss);
3688 if (!sm->fils_erp_pmkid_set) {
3689 wpa_printf(MSG_DEBUG, "FILS: PMKID not available");
3692 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
3694 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
3695 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
3696 sm->fils_erp_pmkid, NULL, 0,
3697 sm->bssid, sm->own_addr,
3698 sm->network_ctx, sm->key_mgmt,
3702 if (!sm->cur_pmksa) {
3703 wpa_printf(MSG_DEBUG,
3704 "FILS: No remaining options to continue FILS authentication");
3708 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr, sm->bssid,
3709 sm->fils_nonce, sm->fils_anonce,
3710 dh_ss ? wpabuf_head(dh_ss) : NULL,
3711 dh_ss ? wpabuf_len(dh_ss) : 0,
3712 &sm->ptk, ick, &ick_len,
3713 sm->key_mgmt, sm->pairwise_cipher,
3714 sm->fils_ft, &sm->fils_ft_len) < 0) {
3715 wpa_printf(MSG_DEBUG, "FILS: Failed to derive PTK");
3719 wpabuf_clear_free(dh_ss);
3724 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3726 #ifdef CONFIG_FILS_SK_PFS
3727 if (sm->fils_dh_group) {
3728 if (!sm->fils_ecdh) {
3729 wpa_printf(MSG_INFO, "FILS: ECDH not initialized");
3732 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
3735 wpa_hexdump_buf(MSG_DEBUG, "FILS: gSTA", pub);
3736 g_sta = wpabuf_head(pub);
3737 g_sta_len = wpabuf_len(pub);
3739 wpa_printf(MSG_INFO, "FILS: gAP not available");
3742 wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
3744 #endif /* CONFIG_FILS_SK_PFS */
3746 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
3747 sm->fils_anonce, sm->own_addr, sm->bssid,
3748 g_sta, g_sta_len, g_ap, g_ap_len,
3749 sm->key_mgmt, sm->fils_key_auth_sta,
3750 sm->fils_key_auth_ap,
3751 &sm->fils_key_auth_len);
3753 os_memset(ick, 0, sizeof(ick));
3757 wpabuf_clear_free(dh_ss);
3762 #ifdef CONFIG_IEEE80211R
3763 static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
3765 struct rsn_ie_hdr *rsnie;
3768 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
3770 /* RSNIE[PMKR0Name/PMKR1Name] */
3771 rsnie = wpabuf_put(buf, sizeof(*rsnie));
3772 rsnie->elem_id = WLAN_EID_RSN;
3773 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
3775 /* Group Suite Selector */
3776 if (!wpa_cipher_valid_group(sm->group_cipher)) {
3777 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
3781 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
3782 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
3785 /* Pairwise Suite Count */
3786 wpabuf_put_le16(buf, 1);
3788 /* Pairwise Suite List */
3789 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
3790 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
3791 sm->pairwise_cipher);
3794 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
3795 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
3796 sm->pairwise_cipher));
3798 /* Authenticated Key Management Suite Count */
3799 wpabuf_put_le16(buf, 1);
3801 /* Authenticated Key Management Suite List */
3802 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
3803 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
3804 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
3805 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
3806 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
3808 wpa_printf(MSG_WARNING,
3809 "FILS+FT: Invalid key management type (%d)",
3814 /* RSN Capabilities */
3816 #ifdef CONFIG_IEEE80211W
3817 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
3818 capab |= WPA_CAPABILITY_MFPC;
3819 #endif /* CONFIG_IEEE80211W */
3820 wpabuf_put_le16(buf, capab);
3823 wpabuf_put_le16(buf, 1);
3825 /* PMKID List [PMKR1Name] */
3826 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
3827 sm->fils_ft, sm->fils_ft_len);
3828 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
3829 wpa_hexdump(MSG_DEBUG, "FILS+FT: MDID",
3830 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
3831 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
3832 sm->r0kh_id, sm->r0kh_id_len);
3833 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
3834 sm->ssid_len, sm->mobility_domain,
3835 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
3836 sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) {
3837 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
3840 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
3841 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0",
3842 sm->pmk_r0, sm->pmk_r0_len);
3843 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
3844 sm->pmk_r0_name, WPA_PMK_NAME_LEN);
3845 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
3846 MAC2STR(sm->r1kh_id));
3847 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
3848 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
3849 pos, use_sha384) < 0) {
3850 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
3853 wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", pos, WPA_PMK_NAME_LEN);
3855 #ifdef CONFIG_IEEE80211W
3856 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
3857 /* Management Group Cipher Suite */
3858 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
3859 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
3861 #endif /* CONFIG_IEEE80211W */
3863 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
3866 #endif /* CONFIG_IEEE80211R */
3869 struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
3870 size_t *kek_len, const u8 **snonce,
3872 const struct wpabuf **hlp,
3873 unsigned int num_hlp)
3880 #ifdef CONFIG_IEEE80211R
3881 if (sm->fils_ft_ies)
3882 len += wpabuf_len(sm->fils_ft_ies);
3883 if (wpa_key_mgmt_ft(sm->key_mgmt))
3885 #endif /* CONFIG_IEEE80211R */
3886 for (i = 0; hlp && i < num_hlp; i++)
3887 len += 10 + wpabuf_len(hlp[i]);
3888 buf = wpabuf_alloc(len);
3892 #ifdef CONFIG_IEEE80211R
3893 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
3894 /* MDE and FTE when using FILS+FT */
3895 wpabuf_put_buf(buf, sm->fils_ft_ies);
3896 /* RSNE with PMKR1Name in PMKID field */
3897 if (fils_ft_build_assoc_req_rsne(sm, buf) < 0) {
3902 #endif /* CONFIG_IEEE80211R */
3905 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3906 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); /* Length */
3907 /* Element ID Extension */
3908 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
3909 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
3911 /* Everything after FILS Session element gets encrypted in the driver
3912 * with KEK. The buffer returned from here is the plaintext version. */
3914 /* TODO: FILS Public Key */
3916 /* FILS Key Confirm */
3917 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3918 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
3919 /* Element ID Extension */
3920 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_KEY_CONFIRM);
3921 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
3923 /* FILS HLP Container */
3924 for (i = 0; hlp && i < num_hlp; i++) {
3925 const u8 *pos = wpabuf_head(hlp[i]);
3926 size_t left = wpabuf_len(hlp[i]);
3928 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); /* Element ID */
3933 wpabuf_put_u8(buf, len); /* Length */
3934 /* Element ID Extension */
3935 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_HLP_CONTAINER);
3936 /* Destination MAC Address, Source MAC Address, HLP Packet.
3937 * HLP Packet is in MSDU format (i.e., included the LLC/SNAP
3938 * header when LPD is used). */
3939 wpabuf_put_data(buf, pos, len - 1);
3943 wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
3944 len = left > 255 ? 255 : left;
3945 wpabuf_put_u8(buf, len);
3946 wpabuf_put_data(buf, pos, len);
3952 /* TODO: FILS IP Address Assignment */
3954 wpa_hexdump_buf(MSG_DEBUG, "FILS: Association Request plaintext", buf);
3957 *kek_len = sm->ptk.kek_len;
3958 wpa_hexdump_key(MSG_DEBUG, "FILS: KEK for AEAD", *kek, *kek_len);
3959 *snonce = sm->fils_nonce;
3960 wpa_hexdump(MSG_DEBUG, "FILS: SNonce for AEAD AAD",
3961 *snonce, FILS_NONCE_LEN);
3962 *anonce = sm->fils_anonce;
3963 wpa_hexdump(MSG_DEBUG, "FILS: ANonce for AEAD AAD",
3964 *anonce, FILS_NONCE_LEN);
3970 static void fils_process_hlp_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
3972 const u8 *pos, *end;
3974 wpa_hexdump(MSG_MSGDUMP, "FILS: HLP response", resp, len);
3975 if (len < 2 * ETH_ALEN)
3977 pos = resp + 2 * ETH_ALEN;
3979 if (end - pos >= 6 &&
3980 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
3981 pos += 6; /* Remove SNAP/LLC header */
3982 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
3986 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
3989 const u8 *end = pos + len;
3992 /* Check if there are any FILS HLP Container elements */
3993 while (end - pos >= 2) {
3994 if (2 + pos[1] > end - pos)
3996 if (pos[0] == WLAN_EID_EXTENSION &&
3997 pos[1] >= 1 + 2 * ETH_ALEN &&
3998 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
4003 return; /* No FILS HLP Container elements */
4005 tmp = os_malloc(end - pos);
4009 while (end - pos >= 2) {
4010 if (2 + pos[1] > end - pos ||
4011 pos[0] != WLAN_EID_EXTENSION ||
4012 pos[1] < 1 + 2 * ETH_ALEN ||
4013 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
4016 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
4017 tmp_pos += pos[1] - 1;
4020 /* Add possible fragments */
4021 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
4022 2 + pos[1] <= end - pos) {
4023 os_memcpy(tmp_pos, pos + 2, pos[1]);
4028 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
4035 int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
4037 const struct ieee80211_mgmt *mgmt;
4038 const u8 *end, *ie_start;
4039 struct ieee802_11_elems elems;
4042 struct wpa_gtk_data gd;
4044 struct wpa_eapol_ie_parse kde;
4046 if (!sm || !sm->ptk_set) {
4047 wpa_printf(MSG_DEBUG, "FILS: No KEK available");
4051 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
4052 wpa_printf(MSG_DEBUG, "FILS: Not a FILS AKM");
4056 if (sm->fils_completed) {
4057 wpa_printf(MSG_DEBUG,
4058 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
4062 wpa_hexdump(MSG_DEBUG, "FILS: (Re)Association Response frame",
4065 mgmt = (const struct ieee80211_mgmt *) resp;
4066 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
4070 /* Same offset for Association Response and Reassociation Response */
4071 ie_start = mgmt->u.assoc_resp.variable;
4073 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
4075 wpa_printf(MSG_DEBUG,
4076 "FILS: Failed to parse decrypted elements");
4080 if (!elems.fils_session) {
4081 wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
4084 if (os_memcmp(elems.fils_session, sm->fils_session,
4085 FILS_SESSION_LEN) != 0) {
4086 wpa_printf(MSG_DEBUG, "FILS: FILS Session mismatch");
4087 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
4088 elems.fils_session, FILS_SESSION_LEN);
4089 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
4090 sm->fils_session, FILS_SESSION_LEN);
4093 /* TODO: FILS Public Key */
4095 if (!elems.fils_key_confirm) {
4096 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
4099 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
4100 wpa_printf(MSG_DEBUG,
4101 "FILS: Unexpected Key-Auth length %d (expected %d)",
4102 elems.fils_key_confirm_len,
4103 (int) sm->fils_key_auth_len);
4106 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
4107 sm->fils_key_auth_len) != 0) {
4108 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
4109 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
4110 elems.fils_key_confirm,
4111 elems.fils_key_confirm_len);
4112 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
4113 sm->fils_key_auth_ap, sm->fils_key_auth_len);
4118 if (!elems.key_delivery) {
4119 wpa_printf(MSG_DEBUG, "FILS: No Key Delivery element");
4123 /* Parse GTK and set the key to the driver */
4124 os_memset(&gd, 0, sizeof(gd));
4125 if (wpa_supplicant_parse_ies(elems.key_delivery + WPA_KEY_RSC_LEN,
4126 elems.key_delivery_len - WPA_KEY_RSC_LEN,
4128 wpa_printf(MSG_DEBUG, "FILS: Failed to parse KDEs");
4132 wpa_printf(MSG_DEBUG, "FILS: No GTK KDE");
4135 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
4136 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
4137 gd.gtk_len, maxkeylen,
4138 &gd.key_rsc_len, &gd.alg))
4141 wpa_hexdump_key(MSG_DEBUG, "FILS: Received GTK", kde.gtk, kde.gtk_len);
4142 gd.keyidx = kde.gtk[0] & 0x3;
4143 gd.tx = wpa_supplicant_gtk_tx_bit_workaround(sm,
4144 !!(kde.gtk[0] & BIT(2)));
4145 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
4146 wpa_printf(MSG_DEBUG, "FILS: Too long GTK in GTK KDE (len=%lu)",
4147 (unsigned long) kde.gtk_len - 2);
4150 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
4152 wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
4153 if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
4154 wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
4158 if (ieee80211w_set_keys(sm, &kde) < 0) {
4159 wpa_printf(MSG_DEBUG, "FILS: Failed to set IGTK");
4163 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
4164 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
4165 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
4166 wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
4167 keylen, (long unsigned int) sm->ptk.tk_len);
4170 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
4171 wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
4172 sm->ptk.tk, keylen);
4173 if (wpa_sm_set_key(sm, alg, sm->bssid, 0, 1, null_rsc, rsclen,
4174 sm->ptk.tk, keylen) < 0) {
4175 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
4176 "FILS: Failed to set PTK to the driver (alg=%d keylen=%d bssid="
4178 alg, keylen, MAC2STR(sm->bssid));
4182 /* TODO: TK could be cleared after auth frame exchange now that driver
4183 * takes care of association frame encryption/decryption. */
4184 /* TK is not needed anymore in supplicant */
4185 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
4187 sm->ptk.installed = 1;
4189 /* FILS HLP Container */
4190 fils_process_hlp_container(sm, ie_start, end - ie_start);
4192 /* TODO: FILS IP Address Assignment */
4194 wpa_printf(MSG_DEBUG, "FILS: Auth+Assoc completed successfully");
4195 sm->fils_completed = 1;
4203 void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set)
4206 sm->fils_completed = !!set;
4209 #endif /* CONFIG_FILS */
4212 int wpa_fils_is_completed(struct wpa_sm *sm)
4215 return sm && sm->fils_completed;
4216 #else /* CONFIG_FILS */
4218 #endif /* CONFIG_FILS */
4224 struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
4226 struct wpabuf *ie = NULL, *pub = NULL;
4231 else if (group == 20)
4233 else if (group == 21)
4238 crypto_ecdh_deinit(sm->owe_ecdh);
4239 sm->owe_ecdh = crypto_ecdh_init(group);
4242 sm->owe_group = group;
4243 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
4244 pub = wpabuf_zeropad(pub, prime_len);
4248 ie = wpabuf_alloc(5 + wpabuf_len(pub));
4251 wpabuf_put_u8(ie, WLAN_EID_EXTENSION);
4252 wpabuf_put_u8(ie, 1 + 2 + wpabuf_len(pub));
4253 wpabuf_put_u8(ie, WLAN_EID_EXT_OWE_DH_PARAM);
4254 wpabuf_put_le16(ie, group);
4255 wpabuf_put_buf(ie, pub);
4257 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
4263 crypto_ecdh_deinit(sm->owe_ecdh);
4264 sm->owe_ecdh = NULL;
4269 int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
4270 const u8 *resp_ies, size_t resp_ies_len)
4272 struct ieee802_11_elems elems;
4274 struct wpabuf *secret, *pub, *hkey;
4276 u8 prk[SHA512_MAC_LEN], pmkid[SHA512_MAC_LEN];
4277 const char *info = "OWE Key Generation";
4280 size_t hash_len, prime_len;
4281 struct wpa_ie_data data;
4284 ieee802_11_parse_elems(resp_ies, resp_ies_len, &elems, 1) ==
4286 wpa_printf(MSG_INFO,
4287 "OWE: Could not parse Association Response frame elements");
4291 if (sm->cur_pmksa && elems.rsn_ie &&
4292 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
4294 data.num_pmkid == 1 && data.pmkid &&
4295 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
4296 wpa_printf(MSG_DEBUG, "OWE: Use PMKSA caching");
4297 wpa_sm_set_pmk_from_pmksa(sm);
4301 if (!elems.owe_dh) {
4302 wpa_printf(MSG_INFO,
4303 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
4307 group = WPA_GET_LE16(elems.owe_dh);
4308 if (group != sm->owe_group) {
4309 wpa_printf(MSG_INFO,
4310 "OWE: Unexpected Diffie-Hellman group in response: %u",
4315 if (!sm->owe_ecdh) {
4316 wpa_printf(MSG_INFO, "OWE: No ECDH state available");
4322 else if (group == 20)
4324 else if (group == 21)
4329 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
4331 elems.owe_dh_len - 2);
4332 secret = wpabuf_zeropad(secret, prime_len);
4334 wpa_printf(MSG_DEBUG, "OWE: Invalid peer DH public key");
4337 wpa_hexdump_buf_key(MSG_DEBUG, "OWE: DH shared secret", secret);
4339 /* prk = HKDF-extract(C | A | group, z) */
4341 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
4343 wpabuf_clear_free(secret);
4347 /* PMKID = Truncate-128(Hash(C | A)) */
4348 addr[0] = wpabuf_head(pub);
4349 len[0] = wpabuf_len(pub);
4350 addr[1] = elems.owe_dh + 2;
4351 len[1] = elems.owe_dh_len - 2;
4353 res = sha256_vector(2, addr, len, pmkid);
4354 hash_len = SHA256_MAC_LEN;
4355 } else if (group == 20) {
4356 res = sha384_vector(2, addr, len, pmkid);
4357 hash_len = SHA384_MAC_LEN;
4358 } else if (group == 21) {
4359 res = sha512_vector(2, addr, len, pmkid);
4360 hash_len = SHA512_MAC_LEN;
4365 pub = wpabuf_zeropad(pub, prime_len);
4366 if (res < 0 || !pub) {
4368 wpabuf_clear_free(secret);
4372 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
4375 wpabuf_clear_free(secret);
4379 wpabuf_put_buf(hkey, pub); /* C */
4381 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
4382 wpabuf_put_le16(hkey, sm->owe_group); /* group */
4384 res = hmac_sha256(wpabuf_head(hkey), wpabuf_len(hkey),
4385 wpabuf_head(secret), wpabuf_len(secret), prk);
4386 else if (group == 20)
4387 res = hmac_sha384(wpabuf_head(hkey), wpabuf_len(hkey),
4388 wpabuf_head(secret), wpabuf_len(secret), prk);
4389 else if (group == 21)
4390 res = hmac_sha512(wpabuf_head(hkey), wpabuf_len(hkey),
4391 wpabuf_head(secret), wpabuf_len(secret), prk);
4392 wpabuf_clear_free(hkey);
4393 wpabuf_clear_free(secret);
4397 wpa_hexdump_key(MSG_DEBUG, "OWE: prk", prk, hash_len);
4399 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
4402 res = hmac_sha256_kdf(prk, hash_len, NULL, (const u8 *) info,
4403 os_strlen(info), sm->pmk, hash_len);
4404 else if (group == 20)
4405 res = hmac_sha384_kdf(prk, hash_len, NULL, (const u8 *) info,
4406 os_strlen(info), sm->pmk, hash_len);
4407 else if (group == 21)
4408 res = hmac_sha512_kdf(prk, hash_len, NULL, (const u8 *) info,
4409 os_strlen(info), sm->pmk, hash_len);
4410 os_memset(prk, 0, SHA512_MAC_LEN);
4415 sm->pmk_len = hash_len;
4417 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
4418 wpa_hexdump(MSG_DEBUG, "OWE: PMKID", pmkid, PMKID_LEN);
4419 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
4420 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
4426 #endif /* CONFIG_OWE */
4429 void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id)
4432 if (sm && fils_cache_id) {
4433 sm->fils_cache_id_set = 1;
4434 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
4436 #endif /* CONFIG_FILS */