Lines Matching +full:mic +full:- +full:pos
2 * WPA Supplicant - WPA state machine and EAPOL-Key processing
3 * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
80 * wpa_eapol_key_send - Send WPA/RSN EAPOL-Key message
86 * @msg: EAPOL-Key message
88 * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
95 int ret = -1;
96 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
98 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL-Key frame to " MACSTR
100 MAC2STR(dest), ver, (int) mic_len, sm->key_mgmt);
101 if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
106 if (wpa_sm_get_bssid(sm, sm->bssid) < 0) {
107 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
109 "EAPOL-Key destination address");
111 dest = sm->bssid;
112 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
114 ") as the destination for EAPOL-Key",
120 if (key_mic && (!ptk || !ptk->kck_len))
124 wpa_eapol_key_mic(ptk->kck, ptk->kck_len, sm->key_mgmt, ver,
126 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
127 "WPA: Failed to generate EAPOL-Key version %d key_mgmt 0x%x MIC",
128 ver, sm->key_mgmt);
133 ptk->kck, ptk->kck_len);
134 wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC",
138 /* AEAD cipher - Key MIC field not used */
148 if (!ptk || !ptk->kek_len)
151 key_data_len = msg_len - sizeof(struct ieee802_1x_hdr) -
152 sizeof(struct wpa_eapol_key) - 2;
163 /* Update EAPOL header to include AES-SIV overhead */
164 eapol_len = be_to_host16(hdr->length);
166 hdr->length = host_to_be16(eapol_len);
168 /* Update Key Data Length field to include AES-SIV overhead */
178 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
179 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
182 aad_len[0] = key_data - buf;
183 if (aes_siv_encrypt(ptk->kek, ptk->kek_len,
201 wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
203 eapol_sm_notify_tx_eapol_key(sm->eapol);
211 * wpa_sm_key_request - Send EAPOL-Key Request
213 * @error: Indicate whether this is an Michael MIC error report
216 * Send an EAPOL-Key Request to the current authenticator. This function is
217 * used to request rekeying and it is usually called when a local Michael MIC
225 u8 *rbuf, *key_mic, *mic;
227 if (pairwise && sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
229 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
235 if (!sm->ptk_set) {
237 "WPA: No PTK derived yet - cannot send EAPOL-Key Request");
241 if (wpa_use_akm_defined(sm->key_mgmt))
243 else if (wpa_key_mgmt_ft(sm->key_mgmt) ||
244 wpa_key_mgmt_sha256(sm->key_mgmt))
246 else if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
251 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
258 reply->type = (sm->proto == WPA_PROTO_RSN ||
259 sm->proto == WPA_PROTO_OSEN) ?
271 WPA_PUT_BE16(reply->key_info, key_info);
272 WPA_PUT_BE16(reply->key_length, 0);
273 os_memcpy(reply->replay_counter, sm->request_counter,
275 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
277 mic = (u8 *) (reply + 1);
278 WPA_PUT_BE16(mic + mic_len, 0);
282 key_mic = mic;
284 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
285 "WPA: Sending EAPOL-Key Request (error=%d "
287 error, pairwise, sm->ptk_set, (unsigned long) rlen);
288 wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
296 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
297 if (wpa_sm_key_mgmt_set_pmk(sm, sm->xxkey, sm->xxkey_len))
298 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
302 if (wpa_sm_key_mgmt_set_pmk(sm, sm->pmk, sm->pmk_len))
303 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
317 if (pmkid && !sm->cur_pmksa) {
322 sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr,
323 sm->own_addr, pmkid,
325 if (sm->cur_pmksa) {
326 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
329 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
335 if (pmkid && sm->cur_pmksa &&
336 os_memcmp_const(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
340 sm->pmk, sm->pmk_len);
341 eapol_sm_notify_cached(sm->eapol);
343 sm->xxkey_len = 0;
345 if ((sm->key_mgmt == WPA_KEY_MGMT_FT_SAE ||
346 sm->key_mgmt == WPA_KEY_MGMT_FT_SAE_EXT_KEY) &&
347 sm->pmk_len == PMK_LEN) {
353 os_memcpy(sm->xxkey, sm->pmk, sm->pmk_len);
354 sm->xxkey_len = sm->pmk_len;
358 } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
364 if (wpa_key_mgmt_sha384(sm->key_mgmt))
368 res = eapol_sm_get_key(sm->eapol, sm->pmk, pmk_len);
372 * EAP-LEAP is an exception from other EAP
373 * methods: it uses only 16-byte PMK.
375 res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
381 eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) {
382 if (wpa_key_mgmt_sha384(sm->key_mgmt)) {
383 os_memcpy(sm->xxkey, buf, SHA384_MAC_LEN);
384 sm->xxkey_len = SHA384_MAC_LEN;
386 os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
387 sm->xxkey_len = PMK_LEN;
390 if (sm->proto == WPA_PROTO_RSN &&
391 wpa_key_mgmt_ft(sm->key_mgmt)) {
396 if (sm->fils_cache_id_set)
397 fils_cache_id = sm->fils_cache_id;
401 sm->xxkey, sm->xxkey_len);
402 sa = pmksa_cache_add(sm->pmksa,
403 sm->xxkey, sm->xxkey_len,
405 src_addr, sm->own_addr,
406 sm->network_ctx,
407 sm->key_mgmt,
409 if (!sm->cur_pmksa)
410 sm->cur_pmksa = sa;
419 if (sm->fils_cache_id_set)
420 fils_cache_id = sm->fils_cache_id;
424 "machines", sm->pmk, pmk_len);
425 sm->pmk_len = pmk_len;
427 if (sm->proto == WPA_PROTO_RSN &&
428 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
429 !wpa_key_mgmt_ft(sm->key_mgmt)) {
430 sa = pmksa_cache_add(sm->pmksa,
431 sm->pmk, pmk_len, NULL,
433 src_addr, sm->own_addr,
434 sm->network_ctx,
435 sm->key_mgmt,
438 if (!sm->cur_pmksa && pmkid &&
439 pmksa_cache_get(sm->pmksa, src_addr, sm->own_addr,
441 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
445 } else if (sa && !sm->cur_pmksa && pmkid) {
453 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
454 "RSN: PMKID mismatch - authentication server may have derived different MSK?!");
455 return -1;
458 if (!sm->cur_pmksa)
459 sm->cur_pmksa = sa;
461 } else if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->ft_protocol) {
463 "FT: Continue 4-way handshake without PMK/PMKID for association using FT protocol");
466 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
468 "EAPOL state machines - key handshake "
470 if (sm->cur_pmksa) {
471 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
474 sm->cur_pmksa = NULL;
477 return -1;
482 if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
483 !wpa_key_mgmt_suite_b(sm->key_mgmt) &&
484 !wpa_key_mgmt_ft(sm->key_mgmt) && sm->key_mgmt != WPA_KEY_MGMT_OSEN)
486 /* Send EAPOL-Start to trigger full EAP authentication. */
490 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
491 "RSN: no PMKSA entry found - trigger "
498 eapol_sm_notify_eap_fail(sm->eapol, true);
499 eapol_sm_notify_eap_fail(sm->eapol, false);
500 wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
503 return -2;
506 return -1;
514 * wpa_supplicant_send_2_of_4 - Send message 2 of WPA/RSN 4-Way Handshake
517 * @key: Pointer to the EAPOL-Key frame header
518 * @ver: Version bits from EAPOL-Key Key Info
519 * @nonce: Nonce value for the EAPOL-Key frame
541 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No wpa_ie set - "
543 return -1;
547 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
553 * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
557 sm->assoc_resp_ies_len);
559 return -1;
562 sm->pmk_r1_name, !sm->ft_prepend_pmkid);
565 return -1;
571 if (sm->assoc_resp_ies) {
573 sm->assoc_resp_ies,
574 sm->assoc_resp_ies_len);
575 os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
576 sm->assoc_resp_ies_len);
577 wpa_ie_len += sm->assoc_resp_ies_len;
587 if (sm->test_eapol_m2_elems)
588 extra_len = wpabuf_len(sm->test_eapol_m2_elems);
589 if (sm->encrypt_eapol_m2) {
592 pad_len = 8 - pad_len;
597 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
604 return -1;
607 reply->type = (sm->proto == WPA_PROTO_RSN ||
608 sm->proto == WPA_PROTO_OSEN) ?
611 if (sm->ptk_set && sm->proto != WPA_PROTO_WPA)
618 if (sm->encrypt_eapol_m2)
621 WPA_PUT_BE16(reply->key_info, key_info);
622 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
623 WPA_PUT_BE16(reply->key_length, 0);
625 os_memcpy(reply->key_length, key->key_length, 2);
626 os_memcpy(reply->replay_counter, key->replay_counter,
628 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter", reply->replay_counter,
637 if (sm->test_eapol_m2_elems) {
639 wpabuf_head(sm->test_eapol_m2_elems),
640 wpabuf_len(sm->test_eapol_m2_elems));
643 if (sm->encrypt_eapol_m2) {
647 if (sm->test_eapol_m2_elems)
648 extra_len = wpabuf_len(sm->test_eapol_m2_elems);
655 return -1;
658 plain[plain_len - pad_len] = 0xdd;
660 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
661 ptk->kek, ptk->kek_len);
662 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain,
666 return -1;
669 "RSN: Encrypted Key Data from AES-WRAP",
675 os_memcpy(reply->key_nonce, nonce, WPA_NONCE_LEN);
677 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/4");
692 if (wpa_key_mgmt_ft(sm->key_mgmt))
697 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
698 z = wpabuf_head(sm->dpp_z);
699 z_len = wpabuf_len(sm->dpp_z);
703 akmp = sm->key_mgmt;
705 if (sm->owe_ptk_workaround && akmp == WPA_KEY_MGMT_OWE &&
706 sm->pmk_len > 32) {
713 if (sm->force_kdk_derivation ||
714 (sm->secure_ltf &&
715 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
720 ret = wpa_pmk_to_ptk(sm->pmk, sm->pmk_len, "Pairwise key expansion",
721 sm->own_addr, wpa_sm_get_auth_addr(sm), sm->snonce,
722 key->key_nonce, ptk, akmp,
723 sm->pairwise_cipher, z, z_len,
731 if (sm->secure_ltf &&
732 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF))
733 ret = wpa_ltf_keyseed(ptk, akmp, sm->pairwise_cipher);
743 if (sm->ext_key_id) {
746 if (!kde->key_id) {
747 wpa_msg(sm->ctx->msg_ctx,
748 sm->use_ext_key_id ? MSG_INFO : MSG_DEBUG,
750 sm->keyidx_active = 0;
751 return sm->use_ext_key_id ? -1 : 0;
754 key_id = kde->key_id[0] & 0x03;
756 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
758 return -1;
760 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
762 sm->keyidx_active = key_id;
763 sm->use_ext_key_id = 1;
765 if (kde->key_id && (kde->key_id[0] & 0x03)) {
766 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
767 "RSN: Non-zero Extended Key ID Key ID in PTK0 handshake");
768 return -1;
771 if (kde->key_id) {
774 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
777 sm->keyidx_active = 0;
778 sm->use_ext_key_id = 0;
785 static u8 * rsn_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
787 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
788 *pos++ = RSN_SELECTOR_LEN + data_len;
789 RSN_SELECTOR_PUT(pos, kde);
790 pos += RSN_SELECTOR_LEN;
791 os_memcpy(pos, data, data_len);
792 pos += data_len;
794 return pos;
803 for_each_link(sm->mlo.req_links, i) {
804 if (sm->mlo.assoc_link_id != i)
812 static u8 * wpa_mlo_link_kde(struct wpa_sm *sm, u8 *pos)
817 for_each_link(sm->mlo.req_links, i) {
818 if (sm->mlo.assoc_link_id == i)
822 "MLO: Add MLO Link %d KDE in EAPOL-Key 2/4", i);
824 os_memcpy(&hdr[1], sm->mlo.links[i].addr, ETH_ALEN);
825 pos = rsn_add_kde(pos, RSN_KEY_DATA_MLO_LINK, hdr, sizeof(hdr));
828 return pos;
835 ether_addr_equal(mac_kde, sm->mlo.ap_mld_addr);
843 /* Supplicant: swap tx/rx Mic keys */
844 os_memcpy(buf, &ptk->tk[16], 8);
845 os_memcpy(&ptk->tk[16], &ptk->tk[24], 8);
846 os_memcpy(&ptk->tk[24], buf, 8);
863 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
868 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
869 "WPA: RX message 1 of 4-Way Handshake from " MACSTR
875 if (res == -2) {
876 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
877 "WPA: Do not reply to msg 1/4 - requesting full EAP authentication");
885 if (sm->renew_snonce) {
886 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
887 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
891 sm->renew_snonce = 0;
893 sm->snonce, WPA_NONCE_LEN);
898 ptk = &sm->tptk;
901 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
903 sm->tptk_set = 1;
906 sm->snonce, sm->assoc_wpa_ie,
907 sm->assoc_wpa_ie_len, ptk) < 0)
910 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
932 if (encrypted == FRAME_NOT_ENCRYPTED && sm->tk_set &&
935 "RSN: Discard unencrypted EAPOL-Key msg 1/4 when TK is set and PMF is enabled");
940 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: No SSID info "
945 if (sm->wpa_deny_ptk0_rekey && !sm->use_ext_key_id &&
947 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
953 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: RX message 1 of 4-Way "
962 "RSN: Discard EAPOL-Key msg 1/4 with invalid IEs/KDEs");
970 if (sm->mlo.valid_links && !is_valid_ap_mld_mac_kde(sm, ie.mac_addr)) {
972 "RSN: Discard EAPOL-Key msg 1/4 with invalid AP MLD MAC address KDE");
977 if (res == -2) {
978 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: Do not reply to "
979 "msg 1/4 - requesting full EAP authentication");
987 if (sm->renew_snonce) {
988 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
989 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
993 sm->renew_snonce = 0;
995 sm->snonce, WPA_NONCE_LEN);
1000 ptk = &sm->tptk;
1003 if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
1005 sm->tptk_set = 1;
1008 if (sm->mlo.valid_links)
1012 kde = sm->assoc_wpa_ie;
1013 kde_len = sm->assoc_wpa_ie_len;
1016 sm->assoc_rsnxe_len +
1028 u8 *pos;
1030 pos = kde + kde_len;
1033 "Failed to get channel info for OCI element in EAPOL-Key 2/4");
1037 if (sm->oci_freq_override_eapol) {
1039 "TEST: Override OCI KDE frequency %d -> %d MHz",
1040 ci.frequency, sm->oci_freq_override_eapol);
1041 ci.frequency = sm->oci_freq_override_eapol;
1045 if (ocv_insert_oci_kde(&ci, &pos) < 0)
1047 kde_len = pos - kde;
1051 if (sm->assoc_rsnxe && sm->assoc_rsnxe_len) {
1052 os_memcpy(kde + kde_len, sm->assoc_rsnxe, sm->assoc_rsnxe_len);
1053 kde_len += sm->assoc_rsnxe_len;
1057 if (sm->p2p) {
1058 u8 *pos;
1061 "P2P: Add IP Address Request KDE into EAPOL-Key 2/4");
1062 pos = kde + kde_len;
1063 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1064 *pos++ = RSN_SELECTOR_LEN + 1;
1065 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_IP_ADDR_REQ);
1066 pos += RSN_SELECTOR_LEN;
1067 *pos++ = 0x01;
1068 kde_len = pos - kde;
1073 if (DPP_VERSION > 1 && sm->key_mgmt == WPA_KEY_MGMT_DPP) {
1074 u8 *pos;
1076 wpa_printf(MSG_DEBUG, "DPP: Add DPP KDE into EAPOL-Key 2/4");
1077 pos = kde + kde_len;
1078 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
1079 *pos++ = RSN_SELECTOR_LEN + 2;
1080 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_DPP);
1081 pos += RSN_SELECTOR_LEN;
1082 *pos++ = DPP_VERSION; /* Protocol Version */
1083 *pos = 0; /* Flags */
1084 if (sm->dpp_pfs == 0)
1085 *pos |= DPP_KDE_PFS_ALLOWED;
1086 else if (sm->dpp_pfs == 1)
1087 *pos |= DPP_KDE_PFS_ALLOWED | DPP_KDE_PFS_REQUIRED;
1088 pos++;
1089 kde_len = pos - kde;
1093 if (sm->mlo.valid_links) {
1094 u8 *pos;
1097 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 2/4");
1098 pos = kde + kde_len;
1099 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
1103 wpa_printf(MSG_DEBUG, "Add MLO Link KDE(s) into EAPOL-Key 2/4");
1104 pos = wpa_mlo_link_kde(sm, pos);
1105 kde_len = pos - kde;
1109 sm->snonce, kde, kde_len, ptk) < 0)
1113 os_memcpy(sm->anonce, key->key_nonce, WPA_NONCE_LEN);
1132 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1135 wpa_cipher_txt(sm->pairwise_cipher),
1136 wpa_cipher_txt(sm->group_cipher));
1144 eapol_sm_notify_portValid(sm->eapol, true);
1145 if (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
1146 sm->key_mgmt == WPA_KEY_MGMT_DPP ||
1147 sm->key_mgmt == WPA_KEY_MGMT_OWE)
1148 eapol_sm_notify_eap_success(sm->eapol, true);
1152 * configuration after the 4-Way Handshake. This increases the
1153 * likelihood of the first preauth EAPOL-Start frame getting to
1156 if (!dl_list_empty(&sm->pmksa_candidates))
1161 if (sm->cur_pmksa && sm->cur_pmksa->opportunistic) {
1162 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1164 "opportunistic PMKSA entry - marking it valid");
1165 sm->cur_pmksa->opportunistic = 0;
1169 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
1180 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Request PTK rekeying");
1193 if (sm->ptk.installed) {
1194 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1195 "WPA: Do not re-install same PTK to the driver");
1199 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1202 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1203 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Pairwise Cipher "
1204 "Suite: NONE - do not use pairwise keys");
1208 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
1209 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1211 sm->pairwise_cipher);
1212 return -1;
1215 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
1216 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
1217 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
1219 keylen, (long unsigned int) sm->ptk.tk_len);
1220 return -1;
1222 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
1224 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
1227 key_rsc = key->key_rsc;
1231 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm),
1232 sm->keyidx_active, 1, key_rsc, rsclen, sm->ptk.tk,
1234 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1238 sm->keyidx_active, key_flag);
1239 return -1;
1243 if (sm->secure_ltf &&
1244 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
1245 wpa_sm_set_ltf_keyseed(sm, sm->own_addr, sm->bssid,
1246 sm->ptk.ltf_keyseed_len,
1247 sm->ptk.ltf_keyseed) < 0) {
1248 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1250 MACSTR ")", sm->ptk.ltf_keyseed_len,
1251 MAC2STR(sm->bssid));
1252 return -1;
1256 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
1257 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
1260 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
1261 sm->ptk.tk_len = 0;
1262 sm->ptk.installed = 1;
1263 sm->tk_set = true;
1265 if (sm->wpa_ptk_rekey) {
1267 eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
1276 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1278 sm->keyidx_active, MAC2STR(wpa_sm_get_auth_addr(sm)));
1280 if (wpa_sm_set_key(sm, -1, 0, wpa_sm_get_auth_addr(sm),
1281 sm->keyidx_active, 0, NULL, 0, NULL, 0,
1283 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1285 MACSTR ")", sm->keyidx_active,
1287 return -1;
1303 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1306 return -1;
1312 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1315 return -1;
1333 const u8 *_gtk = gd->gtk;
1337 if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
1338 os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
1339 (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
1340 os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
1341 sm->gtk_wnm_sleep.gtk_len) == 0)) {
1342 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1343 "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
1344 gd->keyidx, gd->tx, gd->gtk_len);
1348 wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
1349 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1351 gd->keyidx, gd->tx, gd->gtk_len);
1352 wpa_hexdump(MSG_DEBUG, "WPA: RSC", key_rsc, gd->key_rsc_len);
1353 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1354 /* Swap Tx/Rx keys for Michael MIC */
1355 os_memcpy(gtk_buf, gd->gtk, 16);
1356 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1357 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1360 if (sm->pairwise_cipher == WPA_CIPHER_NONE) {
1361 if (wpa_sm_set_key(sm, -1, gd->alg, NULL,
1362 gd->keyidx, 1, key_rsc, gd->key_rsc_len,
1363 _gtk, gd->gtk_len,
1365 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1369 return -1;
1371 } else if (wpa_sm_set_key(sm, -1, gd->alg, broadcast_ether_addr,
1372 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len,
1373 _gtk, gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1374 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1377 gd->alg, gd->gtk_len, gd->keyidx);
1379 return -1;
1384 sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
1385 os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
1386 sm->gtk_wnm_sleep.gtk_len);
1388 sm->gtk.gtk_len = gd->gtk_len;
1389 os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
1400 const u8 *gtk = gd->gtk;
1404 if ((sm->mlo.links[link_id].gtk.gtk_len == (size_t) gd->gtk_len &&
1405 os_memcmp(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1406 sm->mlo.links[link_id].gtk.gtk_len) == 0) ||
1407 (sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len ==
1408 (size_t) gd->gtk_len &&
1409 os_memcmp(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1410 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len) == 0)) {
1411 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1412 "RSN: Not reinstalling already in-use GTK to the driver (link_id=%d keyidx=%d tx=%d len=%d)",
1413 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1417 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: Group Key", gd->gtk,
1418 gd->gtk_len);
1419 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1421 link_id, gd->keyidx, gd->tx, gd->gtk_len);
1423 key_rsc, gd->key_rsc_len);
1424 if (sm->group_cipher == WPA_CIPHER_TKIP) {
1425 /* Swap Tx/Rx keys for Michael MIC */
1426 os_memcpy(gtk_buf, gd->gtk, 16);
1427 os_memcpy(gtk_buf + 16, gd->gtk + 24, 8);
1428 os_memcpy(gtk_buf + 24, gd->gtk + 16, 8);
1431 if (wpa_sm_set_key(sm, link_id, gd->alg, broadcast_ether_addr,
1432 gd->keyidx, gd->tx, key_rsc, gd->key_rsc_len, gtk,
1433 gd->gtk_len, KEY_FLAG_GROUP_RX) < 0) {
1434 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1436 link_id, gd->alg, gd->gtk_len, gd->keyidx);
1438 return -1;
1443 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len = gd->gtk_len;
1444 os_memcpy(sm->mlo.links[link_id].gtk_wnm_sleep.gtk, gd->gtk,
1445 sm->mlo.links[link_id].gtk_wnm_sleep.gtk_len);
1447 sm->mlo.links[link_id].gtk.gtk_len = gd->gtk_len;
1448 os_memcpy(sm->mlo.links[link_id].gtk.gtk, gd->gtk,
1449 sm->mlo.links[link_id].gtk.gtk_len);
1459 if (tx && sm->pairwise_cipher != WPA_CIPHER_NONE) {
1464 * configured non-zero keyidx to be used for unicast. */
1465 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1467 "keys are used - ignore Tx bit");
1479 if (!sm->wpa_rsc_relaxation)
1482 rsclen = wpa_cipher_rsc_len(sm->group_cipher);
1486 * the RSC bytes in EAPOL-Key message in the wrong order, both if
1487 * it's actually a 6-byte field (as it should be) and if it treats
1488 * it as an 8-byte field.
1489 * An AP model known to have this bug is the Sapido RB-1632.
1492 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1513 * KeyID[bits 0-1], Tx [bit 2], Reserved [bit 3], link id [4-7]
1523 gtk_len - RSN_MLO_GTK_KDE_PREFIX_LENGTH > sizeof(gd.gtk))
1524 return -1;
1528 gtk_len -= 1;
1533 gtk_len -= 6;
1539 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher, gtk_len,
1543 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1546 ret = -1;
1563 for_each_link(sm->mlo.valid_links, i) {
1564 if (!ie->mlo_gtk[i]) {
1565 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
1567 return -1;
1570 if (wpa_supplicant_mlo_gtk(sm, i, ie->mlo_gtk[i],
1571 ie->mlo_gtk_len[i], key_info))
1572 return -1;
1588 * IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames - Figure 43x
1590 * KeyID[bits 0-1], Tx [bit 2], Reserved [bits 3-7]
1591 * Reserved [bits 0-7]
1599 if (gtk_len < 2 || gtk_len - 2 > sizeof(gd.gtk))
1600 return -1;
1606 gtk_len -= 2;
1611 key_rsc = key->key_rsc;
1612 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
1615 if (sm->group_cipher != WPA_CIPHER_GTK_NOT_USED &&
1616 (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
1620 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1623 return -1;
1635 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1636 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1639 if ((sm->igtk.igtk_len == len &&
1640 os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
1641 (sm->igtk_wnm_sleep.igtk_len == len &&
1642 os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1643 sm->igtk_wnm_sleep.igtk_len) == 0)) {
1644 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1645 "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
1650 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1652 keyidx, MAC2STR(igtk->pn));
1653 wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
1655 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1657 return -1;
1659 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1661 keyidx, 0, igtk->pn, sizeof(igtk->pn),
1662 igtk->igtk, len, KEY_FLAG_GROUP_RX) < 0) {
1670 * received group-addressed robust management frames due
1677 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1680 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1682 return -1;
1687 sm->igtk_wnm_sleep.igtk_len = len;
1688 os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
1689 sm->igtk_wnm_sleep.igtk_len);
1691 sm->igtk.igtk_len = len;
1692 os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
1703 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1704 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1707 if ((sm->bigtk.bigtk_len == len &&
1708 os_memcmp(sm->bigtk.bigtk, bigtk->bigtk,
1709 sm->bigtk.bigtk_len) == 0) ||
1710 (sm->bigtk_wnm_sleep.bigtk_len == len &&
1711 os_memcmp(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1712 sm->bigtk_wnm_sleep.bigtk_len) == 0)) {
1713 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1714 "WPA: Not reinstalling already in-use BIGTK to the driver (keyidx=%d)",
1719 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1721 keyidx, MAC2STR(bigtk->pn));
1722 wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK", bigtk->bigtk, len);
1724 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1726 return -1;
1728 if (wpa_sm_set_key(sm, -1, wpa_cipher_to_alg(sm->mgmt_group_cipher),
1730 keyidx, 0, bigtk->pn, sizeof(bigtk->pn),
1731 bigtk->bigtk, len, KEY_FLAG_GROUP_RX) < 0) {
1732 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1734 return -1;
1738 sm->bigtk_wnm_sleep.bigtk_len = len;
1739 os_memcpy(sm->bigtk_wnm_sleep.bigtk, bigtk->bigtk,
1740 sm->bigtk_wnm_sleep.bigtk_len);
1742 sm->bigtk.bigtk_len = len;
1743 os_memcpy(sm->bigtk.bigtk, bigtk->bigtk, sm->bigtk.bigtk_len);
1754 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1755 u16 keyidx = WPA_GET_LE16(igtk->keyid);
1758 if ((sm->mlo.links[link_id].igtk.igtk_len == len &&
1759 os_memcmp(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1760 sm->mlo.links[link_id].igtk.igtk_len) == 0) ||
1761 (sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len == len &&
1762 os_memcmp(sm->mlo.links[link_id].igtk_wnm_sleep.igtk, igtk->igtk,
1763 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len) == 0)) {
1764 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1765 "RSN: Not reinstalling already in-use IGTK to the driver (link_id=%d keyidx=%d)",
1770 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1772 link_id, keyidx, MAC2STR(igtk->pn));
1773 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: IGTK", igtk->igtk, len);
1775 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1778 return -1;
1781 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1782 broadcast_ether_addr, keyidx, 0, igtk->pn,
1783 sizeof(igtk->pn), igtk->igtk, len,
1785 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1788 return -1;
1792 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len = len;
1793 os_memcpy(sm->mlo.links[link_id].igtk_wnm_sleep.igtk,
1794 igtk->igtk,
1795 sm->mlo.links[link_id].igtk_wnm_sleep.igtk_len);
1797 sm->mlo.links[link_id].igtk.igtk_len = len;
1798 os_memcpy(sm->mlo.links[link_id].igtk.igtk, igtk->igtk,
1799 sm->mlo.links[link_id].igtk.igtk_len);
1811 size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1812 u16 keyidx = WPA_GET_LE16(bigtk->keyid);
1815 if ((sm->mlo.links[link_id].bigtk.bigtk_len == len &&
1816 os_memcmp(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1817 sm->mlo.links[link_id].bigtk.bigtk_len) == 0) ||
1818 (sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len == len &&
1819 os_memcmp(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1820 bigtk->bigtk,
1821 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len) ==
1823 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1824 "RSN: Not reinstalling already in-use BIGTK to the driver (link_id=%d keyidx=%d)",
1829 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
1831 link_id, keyidx, MAC2STR(bigtk->pn));
1832 wpa_hexdump_link_key(MSG_DEBUG, link_id, "RSN: BIGTK", bigtk->bigtk,
1835 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1838 return -1;
1841 wpa_cipher_to_alg(sm->mgmt_group_cipher),
1842 broadcast_ether_addr, keyidx, 0, bigtk->pn,
1843 sizeof(bigtk->pn), bigtk->bigtk, len,
1845 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1848 return -1;
1852 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len = len;
1853 os_memcpy(sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk,
1854 bigtk->bigtk,
1855 sm->mlo.links[link_id].bigtk_wnm_sleep.bigtk_len);
1857 sm->mlo.links[link_id].bigtk.bigtk_len = len;
1858 os_memcpy(sm->mlo.links[link_id].bigtk.bigtk, bigtk->bigtk,
1859 sm->mlo.links[link_id].bigtk.bigtk_len);
1871 if (ie->mlo_igtk[link_id]) {
1872 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1873 if (ie->mlo_igtk_len[link_id] !=
1875 return -1;
1880 ie->mlo_igtk[link_id],
1882 return -1;
1885 if (ie->mlo_bigtk[link_id] && sm->beacon_prot) {
1886 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1887 if (ie->mlo_bigtk_len[link_id] !=
1889 return -1;
1894 ie->mlo_bigtk[link_id],
1896 return -1;
1908 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1909 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1912 for_each_link(sm->mlo.valid_links, i) {
1914 return -1;
1926 if (!wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) ||
1927 sm->mgmt_group_cipher == WPA_CIPHER_GTK_NOT_USED)
1930 if (ie->igtk) {
1933 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1934 if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
1935 return -1;
1937 igtk = (const struct wpa_igtk_kde *) ie->igtk;
1939 return -1;
1942 if (ie->bigtk && sm->beacon_prot) {
1945 len = wpa_cipher_key_len(sm->mgmt_group_cipher);
1946 if (ie->bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + len)
1947 return -1;
1949 bigtk = (const struct wpa_bigtk_kde *) ie->bigtk;
1951 return -1;
1963 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: %s (src=" MACSTR ")",
1966 if (sm->ap_wpa_ie) {
1968 sm->ap_wpa_ie, sm->ap_wpa_ie_len);
1971 if (!sm->ap_wpa_ie) {
1972 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
1979 if (sm->ap_rsn_ie) {
1981 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
1984 if (!sm->ap_rsn_ie) {
1985 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2005 mdie = (struct rsn_mdie *) (ie->mdie + 2);
2006 if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
2007 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
2009 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE in msg 3/4 did "
2011 return -1;
2015 (assoc_resp_mdie[1] != ie->mdie[1] ||
2016 os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
2017 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: MDIE mismatch");
2018 wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
2019 ie->mdie, 2 + ie->mdie[1]);
2022 return -1;
2034 if (ie->ftie == NULL) {
2035 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2036 "FT: No FTIE in EAPOL-Key msg 3/4");
2037 return -1;
2043 if (assoc_resp_ftie[1] != ie->ftie[1] ||
2044 os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
2045 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: FTIE mismatch");
2046 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
2047 ie->ftie, 2 + ie->ftie[1]);
2050 return -1;
2063 if (!ie->rsn_ie)
2067 * Verify that PMKR1Name from EAPOL-Key message 3/4
2070 if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
2072 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "FT: No PMKR1Name in "
2073 "FT 4-way handshake message 3/4");
2074 return -1;
2077 if (os_memcmp_const(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0)
2079 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2081 "FT 4-way handshake message 3/4");
2085 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2086 return -1;
2097 const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
2099 if (sm->assoc_resp_ies) {
2100 pos = sm->assoc_resp_ies;
2101 end = pos + sm->assoc_resp_ies_len;
2102 while (end - pos > 2) {
2103 if (2 + pos[1] > end - pos)
2105 switch (*pos) {
2107 mdie = pos;
2110 ftie = pos;
2113 pos += 2 + pos[1];
2120 return -1;
2132 if (sm->ap_wpa_ie == NULL && sm->ap_rsn_ie == NULL) {
2133 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2137 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2140 return -1;
2142 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG,
2146 if (ie->wpa_ie == NULL && ie->rsn_ie == NULL &&
2147 (sm->ap_wpa_ie || sm->ap_rsn_ie)) {
2150 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2151 ie->rsn_ie, ie->rsn_ie_len);
2152 return -1;
2155 if ((ie->wpa_ie && sm->ap_wpa_ie &&
2156 (ie->wpa_ie_len != sm->ap_wpa_ie_len ||
2157 os_memcmp(ie->wpa_ie, sm->ap_wpa_ie, ie->wpa_ie_len) != 0)) ||
2158 (ie->rsn_ie && sm->ap_rsn_ie &&
2159 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2160 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
2161 ie->rsn_ie, ie->rsn_ie_len))) {
2164 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2165 ie->rsn_ie, ie->rsn_ie_len);
2166 return -1;
2169 if (sm->proto == WPA_PROTO_WPA &&
2170 ie->rsn_ie && sm->ap_rsn_ie == NULL && sm->rsn_enabled) {
2172 "detected - RSN was enabled and RSN IE "
2175 src_addr, ie->wpa_ie, ie->wpa_ie_len,
2176 ie->rsn_ie, ie->rsn_ie_len);
2177 return -1;
2180 if (sm->proto == WPA_PROTO_RSN &&
2181 ((sm->ap_rsnxe && !ie->rsnxe) ||
2182 (!sm->ap_rsnxe && ie->rsnxe) ||
2183 (sm->ap_rsnxe && ie->rsnxe &&
2184 (sm->ap_rsnxe_len != ie->rsnxe_len ||
2185 os_memcmp(sm->ap_rsnxe, ie->rsnxe, sm->ap_rsnxe_len) != 0)))) {
2186 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2187 "WPA: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4");
2189 sm->ap_rsnxe, sm->ap_rsnxe_len);
2190 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2191 ie->rsnxe, ie->rsnxe_len);
2193 return -1;
2197 if (wpa_key_mgmt_ft(sm->key_mgmt) &&
2199 return -1;
2207 * wpa_supplicant_send_4_of_4 - Send message 4 of WPA/RSN 4-Way Handshake
2210 * @key: Pointer to the EAPOL-Key frame header
2211 * @ver: Version bits from EAPOL-Key Key Info
2230 if (sm->mlo.valid_links) {
2231 u8 *pos;
2235 return -1;
2238 wpa_printf(MSG_DEBUG, "MLO: Add MAC KDE into EAPOL-Key 4/4");
2239 pos = kde;
2240 pos = rsn_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, sm->own_addr,
2242 kde_len = pos - kde;
2246 if (sm->test_eapol_m4_elems)
2247 extra_len = wpabuf_len(sm->test_eapol_m4_elems);
2248 if (sm->encrypt_eapol_m4) {
2251 pad_len = 8 - pad_len;
2256 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2263 return -1;
2266 reply->type = (sm->proto == WPA_PROTO_RSN ||
2267 sm->proto == WPA_PROTO_OSEN) ?
2276 if (sm->encrypt_eapol_m4)
2279 WPA_PUT_BE16(reply->key_info, key_info);
2280 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2281 WPA_PUT_BE16(reply->key_length, 0);
2283 os_memcpy(reply->key_length, key->key_length, 2);
2284 os_memcpy(reply->replay_counter, key->replay_counter,
2296 if (sm->test_eapol_m4_elems) {
2298 wpabuf_head(sm->test_eapol_m4_elems),
2299 wpabuf_len(sm->test_eapol_m4_elems));
2302 if (sm->encrypt_eapol_m4) {
2306 if (sm->test_eapol_m4_elems)
2307 extra_len = wpabuf_len(sm->test_eapol_m4_elems);
2314 return -1;
2317 plain[plain_len - pad_len] = 0xdd;
2319 wpa_hexdump_key(MSG_DEBUG, "RSN: AES-WRAP using KEK",
2320 ptk->kek, ptk->kek_len);
2321 if (aes_wrap(ptk->kek, ptk->kek_len, plain_len / 8, plain,
2325 return -1;
2328 "RSN: Encrypted Key Data from AES-WRAP",
2334 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 4/4");
2349 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2352 return -1;
2355 if (!ether_addr_equal(sm->mlo.links[link_id].bssid,
2357 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2362 MAC2STR(sm->mlo.links[link_id].bssid));
2363 return -1;
2371 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2374 return -1;
2381 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2383 return -1;
2392 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2395 return -1;
2401 if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
2402 sm->mlo.links[link_id].ap_rsne,
2403 sm->mlo.links[link_id].ap_rsne_len,
2405 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2409 sm->mlo.links[link_id].ap_rsne,
2410 sm->mlo.links[link_id].ap_rsne_len);
2411 wpa_hexdump(MSG_INFO, "RSNE in EAPOL-Key msg 3/4",
2413 return -1;
2416 if ((sm->mlo.links[link_id].ap_rsnxe && !rsnxe) ||
2417 (!sm->mlo.links[link_id].ap_rsnxe && rsnxe) ||
2418 (sm->mlo.links[link_id].ap_rsnxe && rsnxe &&
2419 (sm->mlo.links[link_id].ap_rsnxe_len != rsnxe_len ||
2420 os_memcmp(sm->mlo.links[link_id].ap_rsnxe, rsnxe,
2421 sm->mlo.links[link_id].ap_rsnxe_len) != 0))) {
2422 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2423 "RSN MLO: RSNXE mismatch between Beacon/ProbeResp and EAPOL-Key msg 3/4 for link ID %u",
2426 sm->mlo.links[link_id].ap_rsnxe,
2427 sm->mlo.links[link_id].ap_rsnxe_len);
2428 wpa_hexdump(MSG_INFO, "RSNXE in EAPOL-Key msg 3/4",
2431 return -1;
2442 if (ie->mlo_igtk[link_id] &&
2443 ie->mlo_igtk_len[link_id] != RSN_MLO_IGTK_KDE_PREFIX_LENGTH +
2444 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2445 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2447 (unsigned long) ie->mlo_igtk_len[link_id], link_id);
2448 return -1;
2451 if (!sm->beacon_prot)
2454 if (ie->mlo_bigtk[link_id] &&
2455 ie->mlo_bigtk_len[link_id] != RSN_MLO_BIGTK_KDE_PREFIX_LENGTH +
2456 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2457 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2459 (unsigned long) ie->mlo_bigtk_len[link_id], link_id);
2460 return -1;
2476 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2477 "WPA: RX message 3 of 4-Way Handshake from " MACSTR
2478 " (ver=%d)", MAC2STR(sm->bssid), ver);
2480 key_info = WPA_GET_BE16(key->key_info);
2486 if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2489 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2490 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2491 "WPA: ANonce from message 1 of 4-Way Handshake differs from 3 of 4-Way Handshake - drop packet (src="
2492 MACSTR ")", MAC2STR(sm->bssid));
2496 keylen = WPA_GET_BE16(key->key_length);
2497 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2498 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2500 wpa_cipher_txt(sm->pairwise_cipher), keylen,
2501 MAC2STR(sm->bssid));
2506 key_info, &sm->ptk) < 0)
2510 * for the next 4-Way Handshake. If msg 3 is received again, the old
2512 sm->renew_snonce = 1;
2520 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2522 eapol_sm_notify_portValid(sm->eapol, true);
2526 sm->msg_3_of_4_ok = 1;
2541 bool mlo = sm->mlo.valid_links;
2545 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
2546 "RSN: RX message 3 of 4-Way Handshake from " MACSTR
2547 " (ver=%d)%s", MAC2STR(sm->bssid), ver, mlo ? " (MLO)" : "");
2549 key_info = WPA_GET_BE16(key->key_info);
2555 if (sm->ssid_protection) {
2557 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2558 "RSN: No SSID included in EAPOL-Key msg 3/4");
2562 if (ie.ssid_len != sm->ssid_len ||
2563 os_memcmp(ie.ssid, sm->ssid, sm->ssid_len) != 0) {
2564 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2565 "RSN: SSID mismatch in EAPOL-Key msg 3/4");
2569 sm->ssid, sm->ssid_len);
2577 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2578 "MLO RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2587 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2588 "RSN MLO: Invalid key info (0x%x) in EAPOL-Key msg 3/4",
2599 if (!(sm->mlo.req_links & BIT(i)))
2606 if (!(sm->mlo.valid_links & BIT(i)))
2610 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
2615 if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2616 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2622 if (mlo && wpa_key_mgmt_ft(sm->key_mgmt) &&
2623 wpa_supplicant_validate_ie_ft(sm, sm->bssid, &ie) < 0)
2628 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2633 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2639 sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
2640 wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
2642 (unsigned int) wpa_cipher_key_len(sm->mgmt_group_cipher)) {
2643 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2649 if (!mlo && wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
2655 if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
2656 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2657 "WPA: ANonce from message 1 of 4-Way Handshake "
2658 "differs from 3 of 4-Way Handshake - drop packet (src="
2659 MACSTR ")", MAC2STR(sm->bssid));
2663 keylen = WPA_GET_BE16(key->key_length);
2664 if (keylen != wpa_cipher_key_len(sm->pairwise_cipher)) {
2665 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2667 ")", wpa_cipher_txt(sm->pairwise_cipher), keylen,
2668 MAC2STR(sm->bssid));
2674 os_memcpy(sm->p2p_ip_addr, ie.ip_addr_alloc, 3 * 4);
2676 sm->p2p_ip_addr, sizeof(sm->p2p_ip_addr));
2685 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2686 "Failed to get channel info to validate received OCI in EAPOL-Key 3/4");
2693 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
2694 "addr=" MACSTR " frame=eapol-key-m3 error=%s",
2695 MAC2STR(sm->bssid), ocv_errorstr);
2706 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_pfs != 2 &&
2707 (ie.dpp_kde[1] & DPP_KDE_PFS_ALLOWED) && !sm->dpp_z) {
2715 if (sm->use_ext_key_id &&
2720 key_info, &sm->ptk) < 0)
2724 * for the next 4-Way Handshake. If msg 3 is received again, the old
2726 sm->renew_snonce = 1;
2731 if (sm->use_ext_key_id)
2742 sm, sm->bssid, MLME_SETPROTECTION_PROTECT_TYPE_RX,
2744 eapol_sm_notify_portValid(sm->eapol, true);
2751 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2755 } else if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
2757 } else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
2758 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2759 "RSN: No GTK KDE included in EAPOL-Key msg 3/4");
2764 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2771 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2776 if (mlo || sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
2777 wpa_supplicant_key_neg_complete(sm, sm->bssid,
2785 * existing PMKSA entry after each 4-way handshake (i.e., new KCK/PMKID)
2788 if (sm->proto == WPA_PROTO_RSN && wpa_key_mgmt_suite_b(sm->key_mgmt) &&
2789 !sm->cur_pmksa) {
2792 sa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, NULL,
2793 sm->ptk.kck, sm->ptk.kck_len,
2794 wpa_sm_get_auth_addr(sm), sm->own_addr,
2795 sm->network_ctx, sm->key_mgmt, NULL);
2796 if (!sm->cur_pmksa)
2797 sm->cur_pmksa = sa;
2802 sm->msg_3_of_4_ok = 1;
2820 if (sm->disable_eapol_g2_tx) {
2821 wpa_printf(MSG_INFO, "TEST: Disable sending EAPOL-Key 2/2");
2831 mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
2836 return -1;
2838 reply->type = (sm->proto == WPA_PROTO_RSN ||
2839 sm->proto == WPA_PROTO_OSEN) ?
2847 WPA_PUT_BE16(reply->key_info, key_info);
2848 if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN)
2849 WPA_PUT_BE16(reply->key_length, 0);
2851 os_memcpy(reply->key_length, key->key_length, 2);
2852 os_memcpy(reply->replay_counter, key->replay_counter,
2861 u8 *pos;
2865 "Failed to get channel info for OCI element in EAPOL-Key 2/2");
2867 return -1;
2870 if (sm->oci_freq_override_eapol_g2) {
2872 "TEST: Override OCI KDE frequency %d -> %d MHz",
2874 sm->oci_freq_override_eapol_g2);
2875 ci.frequency = sm->oci_freq_override_eapol_g2;
2879 pos = key_mic + mic_len + 2; /* Key Data */
2880 if (ocv_insert_oci_kde(&ci, &pos) < 0) {
2882 return -1;
2887 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Sending EAPOL-Key 2/2");
2888 return wpa_eapol_key_send(sm, &sm->ptk, ver, wpa_sm_get_auth_addr(sm),
2903 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
2904 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2905 "MLO RSN: Group Key Handshake started prior to completion of 4-way handshake");
2909 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "MLO RSN: RX message 1 of Group "
2913 key_info = WPA_GET_BE16(key->key_info);
2923 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2929 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2939 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
2940 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
2947 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
2948 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
2949 MAC2STR(sm->bssid), ocv_errorstr);
2956 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
2959 for_each_link(sm->mlo.valid_links, i) {
2975 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "MLO RSN: Group rekeying completed "
2976 "with " MACSTR " [GTK=%s]", MAC2STR(sm->mlo.ap_mld_addr),
2977 wpa_cipher_txt(sm->group_cipher));
3003 if (!sm->msg_3_of_4_ok) {
3004 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3005 "WPA: Group Key Handshake started prior to completion of 4-way handshake");
3012 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3016 key_info = WPA_GET_BE16(key->key_info);
3018 gtk_len = WPA_GET_BE16(key->key_length);
3022 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3027 maxkeylen -= 8;
3031 wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3041 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3043 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3049 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3054 os_memcpy(ek, key->key_iv, 16);
3055 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3059 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3067 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3068 "WPA: Unsupported AES-WRAP len %lu",
3073 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3074 "WPA: AES-WRAP key data "
3080 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, maxkeylen / 8,
3082 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3083 "WPA: AES unwrap failed - could not decrypt "
3088 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3095 key_rsc = key->key_rsc;
3096 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3105 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3108 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3112 wpa_supplicant_key_neg_complete(sm, sm->bssid,
3139 if (!sm->msg_3_of_4_ok && !wpa_fils_is_completed(sm)) {
3140 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3141 "RSN: Group Key Handshake started prior to completion of 4-way handshake");
3147 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3151 key_info = WPA_GET_BE16(key->key_info);
3161 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3166 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3172 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3177 gtk_len -= 2;
3179 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3190 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3191 "Failed to get channel info to validate received OCI in EAPOL-Key group msg 1/2");
3198 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
3199 "addr=" MACSTR " frame=eapol-key-g1 error=%s",
3200 MAC2STR(sm->bssid), ocv_errorstr);
3206 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
3219 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3222 key_rsc = key->key_rsc;
3223 if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
3231 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3233 MAC2STR(sm->bssid), wpa_cipher_txt(sm->group_cipher));
3252 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
3254 size_t mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
3256 os_memcpy(mic, key + 1, mic_len);
3257 if (sm->tptk_set) {
3259 if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
3260 sm->key_mgmt,
3262 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3263 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3264 "WPA: Invalid EAPOL-Key MIC "
3265 "when using TPTK - ignoring TPTK");
3268 "TEST: Ignore Key MIC failure for fuzz testing");
3276 sm->tptk_set = 0;
3277 sm->ptk_set = 1;
3278 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3279 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3281 * This assures the same TPTK in sm->tptk can never be
3282 * copied twice to sm->ptk as the new PTK. In
3287 sm->renew_snonce = 1;
3291 if (!ok && sm->ptk_set) {
3293 if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
3294 sm->key_mgmt,
3296 os_memcmp_const(mic, key + 1, mic_len) != 0) {
3297 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3298 "WPA: Invalid EAPOL-Key MIC - "
3302 "TEST: Ignore Key MIC failure for fuzz testing");
3305 return -1;
3314 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3315 "WPA: Could not verify EAPOL-Key MIC - "
3317 return -1;
3320 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3322 sm->rx_replay_counter_set = 1;
3327 /* Decrypt RSN EAPOL-Key key data (RC4 or AES-WRAP) */
3335 if (!sm->ptk_set) {
3336 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3337 "WPA: PTK not available, cannot decrypt EAPOL-Key Key "
3339 return -1;
3344 if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
3346 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3348 return -1;
3353 os_memcpy(ek, key->key_iv, 16);
3354 os_memcpy(ek + 16, sm->ptk.kek, sm->ptk.kek_len);
3357 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
3359 return -1;
3365 wpa_use_aes_key_wrap(sm->key_mgmt)) {
3369 "WPA: Decrypt Key Data using AES-UNWRAP (KEK length %u)",
3370 (unsigned int) sm->ptk.kek_len);
3372 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3373 "WPA: Unsupported AES-WRAP len %u",
3375 return -1;
3377 *key_data_len -= 8; /* AES-WRAP adds 8 bytes */
3380 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3381 "WPA: No memory for AES-UNWRAP buffer");
3382 return -1;
3387 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, *key_data_len / 8,
3395 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3396 "WPA: AES unwrap failed - "
3397 "could not decrypt EAPOL-Key key data");
3398 return -1;
3407 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3409 return -1;
3411 wpa_hexdump_key(MSG_DEBUG, "WPA: decrypted EAPOL-Key key data",
3418 * wpa_sm_aborted_cached - Notify WPA that PMKSA caching was aborted
3423 if (sm && sm->cur_pmksa) {
3424 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3426 sm->cur_pmksa = NULL;
3433 if (sm && sm->cur_pmksa && sm->cur_pmksa->external) {
3434 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3436 sm->cur_pmksa = NULL;
3444 const u8 *mic, unsigned int mic_len)
3447 u16 key_info = WPA_GET_BE16(key->key_info);
3449 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, " EAPOL-Key type=%d", key->type);
3450 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3459 key_info & WPA_KEY_INFO_MIC ? " MIC" : "",
3464 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3466 WPA_GET_BE16(key->key_length), key_data_len);
3468 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
3469 wpa_hexdump(MSG_DEBUG, " key_nonce", key->key_nonce, WPA_NONCE_LEN);
3470 wpa_hexdump(MSG_DEBUG, " key_iv", key->key_iv, 16);
3471 wpa_hexdump(MSG_DEBUG, " key_rsc", key->key_rsc, 8);
3472 wpa_hexdump(MSG_DEBUG, " key_id (reserved)", key->key_id, 8);
3473 wpa_hexdump(MSG_DEBUG, " key_mic", mic, mic_len);
3485 u8 *pos, *tmp;
3490 wpa_printf(MSG_INFO, "No room for AES-SIV data in the frame");
3491 return -1;
3494 if (sm->tptk_set)
3495 ptk = &sm->tptk;
3496 else if (sm->ptk_set)
3497 ptk = &sm->ptk;
3499 return -1;
3503 pos = (u8 *) (key + 1);
3504 pos += 2; /* Pointing at the Encrypted Key Data field */
3508 return -1;
3510 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
3513 aad_len[0] = pos - buf;
3514 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, *key_data_len,
3516 wpa_printf(MSG_INFO, "Invalid AES-SIV data in the frame");
3518 return -1;
3522 (*key_data_len) -= AES_BLOCK_SIZE;
3527 os_memcpy(pos, tmp, *key_data_len);
3528 pos -= 2; /* Key Data Length field */
3529 WPA_PUT_BE16(pos, *key_data_len);
3532 if (sm->tptk_set) {
3533 sm->tptk_set = 0;
3534 sm->ptk_set = 1;
3535 os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
3536 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
3539 os_memcpy(sm->rx_replay_counter, key->replay_counter,
3541 sm->rx_replay_counter_set = 1;
3556 key_info = WPA_GET_BE16(key->key_info);
3558 if (key->type != EAPOL_KEY_TYPE_WPA) {
3559 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3560 "WPA: Unsupported EAPOL-Key type %d", key->type);
3561 return -1;
3567 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3568 "WPA: Unsupported EAPOL-Key descriptor version %d",
3570 return -1;
3573 if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3575 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3576 "WPA: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3578 if (sm->group_cipher != WPA_CIPHER_CCMP &&
3581 * require version 2 descriptor for all EAPOL-Key
3584 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3585 "WPA: Backwards compatibility: allow invalid version for non-CCMP group keys");
3587 return -1;
3592 return -1;
3596 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3597 "WPA: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3598 return -1;
3602 /* 3/4 4-Way Handshake */
3607 /* 1/4 4-Way Handshake */
3621 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3622 "WPA: EAPOL-Key (Group) without Mic/Encr bit - dropped");
3631 * wpa_sm_rx_eapol - Process received WPA EAPOL frames
3637 * Returns: 1 = WPA EAPOL-Key processed, 0 = not a WPA EAPOL-Key, -1 failure
3639 * This function is called for each received EAPOL frame. Other than EAPOL-Key
3641 * only processing WPA and WPA2 EAPOL-Key frames.
3643 * The received EAPOL-Key packets are validated and valid packets are replied
3655 int ret = -1;
3656 u8 *mic, *key_data;
3660 sm->ft_completed = 0;
3663 pmk_len = sm->pmk_len;
3664 if (!pmk_len && sm->cur_pmksa)
3665 pmk_len = sm->cur_pmksa->pmk_len;
3666 mic_len = wpa_mic_len(sm->key_mgmt, pmk_len);
3670 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3672 "EAPOL-Key (len %lu, expecting at least %lu)",
3679 plen = be_to_host16(hdr->length);
3681 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3683 hdr->version, hdr->type, (unsigned long) plen);
3685 if (hdr->version < EAPOL_VERSION) {
3688 if (hdr->type != IEEE802_1X_TYPE_EAPOL_KEY) {
3689 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3691 "not a Key frame", hdr->type);
3695 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL-Key", buf, len);
3696 if (plen > len - sizeof(*hdr) || plen < keyhdrlen) {
3697 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3705 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3707 (unsigned long) len - data_len);
3718 mic = (u8 *) (key + 1);
3719 key_data = mic + mic_len + 2;
3721 if (key->type != EAPOL_KEY_TYPE_WPA && key->type != EAPOL_KEY_TYPE_RSN)
3723 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
3724 "WPA: EAPOL-Key type (%d) unknown, discarded",
3725 key->type);
3730 key_data_len = WPA_GET_BE16(mic + mic_len);
3731 wpa_eapol_key_dump(sm, key, key_data_len, mic, mic_len);
3733 if (key_data_len > plen - keyhdrlen) {
3734 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, "WPA: Invalid EAPOL-Key "
3735 "frame - key_data overflow (%u > %u)",
3737 (unsigned int) (plen - keyhdrlen));
3741 if (sm->rx_replay_counter_set &&
3742 os_memcmp(key->replay_counter, sm->rx_replay_counter,
3744 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3745 "WPA: EAPOL-Key Replay Counter did not increase - dropping packet");
3749 eapol_sm_notify_lower_layer_success(sm->eapol, 0);
3751 key_info = WPA_GET_BE16(key->key_info);
3754 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3760 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3766 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3767 "WPA: EAPOL-Key with Request bit - dropped");
3771 if (sm->proto == WPA_PROTO_WPA) {
3778 if (key->type != EAPOL_KEY_TYPE_RSN) {
3779 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3780 "RSN: Unsupported EAPOL-Key type %d", key->type);
3788 !wpa_use_akm_defined(sm->key_mgmt)) {
3789 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3790 "RSN: Unsupported EAPOL-Key descriptor version %d",
3796 sm->pairwise_cipher != WPA_CIPHER_TKIP) {
3797 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3798 "RSN: EAPOL-Key descriptor version %d not allowed without TKIP as the pairwise cipher",
3804 (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
3805 sm->key_mgmt != WPA_KEY_MGMT_PSK)) {
3806 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3807 "RSN: EAPOL-Key descriptor version %d not allowed due to negotiated AKM (0x%x)",
3808 ver, sm->key_mgmt);
3812 if (wpa_use_akm_defined(sm->key_mgmt) &&
3814 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3815 "RSN: Unsupported EAPOL-Key descriptor version %d (expected AKM defined = 0)",
3821 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
3822 /* IEEE 802.11r uses a new key_info type (AES-128-CMAC). */
3824 !wpa_use_akm_defined(sm->key_mgmt)) {
3825 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3826 "FT: AP did not use AES-128-CMAC");
3831 if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
3833 !wpa_use_akm_defined(sm->key_mgmt)) {
3834 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3835 "RSN: AP did not use the negotiated AES-128-CMAC");
3838 } else if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
3839 !wpa_use_akm_defined(sm->key_mgmt) &&
3841 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3842 "RSN: CCMP is used, but EAPOL-Key descriptor version (%d) is not 2", ver);
3844 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3845 "RSN: Interoperability workaround: allow incorrect (should have been HMAC-SHA1), but stronger (is AES-128-CMAC), descriptor version to be used");
3847 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3851 } else if (sm->pairwise_cipher == WPA_CIPHER_GCMP &&
3852 !wpa_use_akm_defined(sm->key_mgmt) &&
3854 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
3855 "RSN: GCMP is used, but EAPOL-Key descriptor version (%d) is not 2",
3871 if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
3875 * was verified. When using AES-SIV (FILS), the MIC flag is not
3880 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3881 "WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
3892 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3893 "RSN: Ignored EAPOL-Key (Pairwise) with non-zero key index");
3898 /* 3/4 4-Way Handshake */
3902 /* 1/4 4-Way Handshake */
3912 if (sm->mlo.valid_links)
3923 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
3924 "RSN: EAPOL-Key (Group) without Mic/Encr bit - dropped");
3939 switch (sm->key_mgmt) {
3941 return ((sm->proto == WPA_PROTO_RSN ||
3942 sm->proto == WPA_PROTO_OSEN) ?
3946 return (sm->proto == WPA_PROTO_RSN ?
3960 return (sm->proto == WPA_PROTO_RSN ?
3977 #define RSN_SUITE "%02x-%02x-%02x-%d"
3982 * wpa_sm_get_mib - Dump text list of MIB entries
3997 if (sm->cur_pmksa) {
3999 sm->cur_pmksa->pmkid, PMKID_LEN);
4003 rsna = (wpa_key_mgmt_wpa_psk(sm->key_mgmt) ||
4004 wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) &&
4005 sm->proto == WPA_PROTO_RSN;
4022 wpa_cipher_key_len(sm->group_cipher) * 8,
4023 sm->dot11RSNAConfigPMKLifetime,
4024 sm->dot11RSNAConfigPMKReauthThreshold,
4025 sm->dot11RSNAConfigSATimeout);
4031 buf + len, buflen - len,
4042 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4043 sm->pairwise_cipher)),
4044 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4045 sm->group_cipher)),
4048 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4049 sm->pairwise_cipher)),
4050 RSN_SUITE_ARG(wpa_cipher_to_suite(sm->proto,
4051 sm->group_cipher)),
4052 sm->dot11RSNA4WayHandshakeFailures);
4053 if (!os_snprintf_error(buflen - len, ret))
4067 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: PMKSA cache entry free_cb: "
4068 MACSTR " reason=%d", MAC2STR(entry->aa), reason);
4070 if (sm->cur_pmksa == entry) {
4071 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4078 * deauthenticate because it will be immediately re-added.
4087 (sm->pmk_len == entry->pmk_len &&
4088 os_memcmp(sm->pmk, entry->pmk, sm->pmk_len) == 0)) {
4089 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4096 sm->pmk_len = 0;
4097 os_memset(sm->pmk, 0, sizeof(sm->pmk));
4108 return sm->cur_pmksa == entry;
4122 * wpa_sm_init - Initialize WPA state machine
4136 dl_list_init(&sm->pmksa_candidates);
4137 sm->renew_snonce = 1;
4138 sm->ctx = ctx;
4140 sm->dot11RSNAConfigPMKLifetime = 43200;
4141 sm->dot11RSNAConfigPMKReauthThreshold = 70;
4142 sm->dot11RSNAConfigSATimeout = 60;
4144 sm->pmksa = pmksa_cache_init(wpa_sm_pmksa_free_cb,
4147 if (sm->pmksa == NULL) {
4148 wpa_msg(sm->ctx->msg_ctx, MSG_ERROR,
4159 * wpa_sm_deinit - Deinitialize WPA state machine
4168 pmksa_cache_deinit(sm->pmksa);
4171 os_free(sm->assoc_wpa_ie);
4172 os_free(sm->assoc_rsnxe);
4173 os_free(sm->ap_wpa_ie);
4174 os_free(sm->ap_rsn_ie);
4175 os_free(sm->ap_rsnxe);
4177 os_free(sm->mlo.links[i].ap_rsne);
4178 os_free(sm->mlo.links[i].ap_rsnxe);
4181 os_free(sm->ctx);
4183 os_free(sm->assoc_resp_ies);
4186 wpabuf_free(sm->test_assoc_ie);
4187 wpabuf_free(sm->test_eapol_m2_elems);
4188 wpabuf_free(sm->test_eapol_m4_elems);
4191 crypto_ecdh_deinit(sm->fils_ecdh);
4194 wpabuf_free(sm->fils_ft_ies);
4197 crypto_ecdh_deinit(sm->owe_ecdh);
4200 wpabuf_clear_free(sm->dpp_z);
4210 sm->ptk_set = 0;
4211 os_memset(&sm->ptk, 0, sizeof(sm->ptk));
4212 sm->tptk_set = 0;
4213 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
4214 os_memset(&sm->gtk, 0, sizeof(sm->gtk));
4215 os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
4216 os_memset(&sm->igtk, 0, sizeof(sm->igtk));
4217 os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
4218 os_memset(&sm->bigtk, 0, sizeof(sm->bigtk));
4219 os_memset(&sm->bigtk_wnm_sleep, 0, sizeof(sm->bigtk_wnm_sleep));
4220 sm->tk_set = false;
4222 os_memset(&sm->mlo.links[i].gtk, 0,
4223 sizeof(sm->mlo.links[i].gtk));
4224 os_memset(&sm->mlo.links[i].gtk_wnm_sleep, 0,
4225 sizeof(sm->mlo.links[i].gtk_wnm_sleep));
4226 os_memset(&sm->mlo.links[i].igtk, 0,
4227 sizeof(sm->mlo.links[i].igtk));
4228 os_memset(&sm->mlo.links[i].igtk_wnm_sleep, 0,
4229 sizeof(sm->mlo.links[i].igtk_wnm_sleep));
4230 os_memset(&sm->mlo.links[i].bigtk, 0,
4231 sizeof(sm->mlo.links[i].bigtk));
4232 os_memset(&sm->mlo.links[i].bigtk_wnm_sleep, 0,
4233 sizeof(sm->mlo.links[i].bigtk_wnm_sleep));
4239 * wpa_sm_notify_assoc - Notify WPA state machine about association
4253 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4254 "WPA: Association event - clear replay counter");
4255 os_memcpy(sm->bssid, bssid, ETH_ALEN);
4256 os_memset(sm->rx_replay_counter, 0, WPA_REPLAY_COUNTER_LEN);
4257 sm->rx_replay_counter_set = 0;
4258 sm->renew_snonce = 1;
4259 if (ether_addr_equal(sm->preauth_bssid, bssid))
4265 * Clear portValid to kick EAPOL state machine to re-enter
4268 eapol_sm_notify_portValid(sm->eapol, false);
4269 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4275 sm->ft_protocol = 1;
4277 sm->ft_protocol = 0;
4281 if (sm->fils_completed) {
4283 * Clear portValid to kick EAPOL state machine to re-enter
4286 wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
4296 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PTK");
4305 os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
4308 sm->keyidx_active = 0;
4313 * wpa_sm_notify_disassoc - Notify WPA state machine about disassociation
4317 * was lost. This will abort any existing pre-authentication session.
4326 sm->dot11RSNA4WayHandshakeFailures++;
4331 sm->fils_completed = 0;
4334 sm->ft_reassoc_completed = 0;
4335 sm->ft_protocol = 0;
4340 sm->keyidx_active = 0;
4342 sm->msg_3_of_4_ok = 0;
4343 os_memset(sm->bssid, 0, ETH_ALEN);
4348 * wpa_sm_set_pmk - Set PMK
4365 sm->pmk_len = pmk_len;
4366 os_memcpy(sm->pmk, pmk, pmk_len);
4370 sm->xxkey_len = pmk_len;
4371 os_memcpy(sm->xxkey, pmk, pmk_len);
4375 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len,
4377 sm->own_addr,
4378 sm->network_ctx, sm->key_mgmt,
4385 * wpa_sm_set_pmk_from_pmksa - Set PMK based on the current PMKSA
4396 if (sm->cur_pmksa) {
4399 sm->cur_pmksa->pmk, sm->cur_pmksa->pmk_len);
4400 sm->pmk_len = sm->cur_pmksa->pmk_len;
4401 os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
4403 wpa_printf(MSG_DEBUG, "WPA: No current PMKSA - clear PMK");
4404 sm->pmk_len = 0;
4405 os_memset(sm->pmk, 0, PMK_LEN_MAX);
4411 * wpa_sm_set_fast_reauth - Set fast reauthentication (EAP) enabled/disabled
4418 sm->fast_reauth = fast_reauth;
4423 * wpa_sm_set_scard_ctx - Set context pointer for smartcard callbacks
4431 sm->scard_ctx = scard_ctx;
4432 if (sm->preauth_eapol)
4433 eapol_sm_register_scard_ctx(sm->preauth_eapol, scard_ctx);
4438 * wpa_sm_set_config - Notification of current configuration change
4452 sm->network_ctx = config->network_ctx;
4453 sm->allowed_pairwise_cipher = config->allowed_pairwise_cipher;
4454 sm->proactive_key_caching = config->proactive_key_caching;
4455 sm->eap_workaround = config->eap_workaround;
4456 sm->eap_conf_ctx = config->eap_conf_ctx;
4457 if (config->ssid) {
4458 os_memcpy(sm->ssid, config->ssid, config->ssid_len);
4459 sm->ssid_len = config->ssid_len;
4461 sm->ssid_len = 0;
4462 sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
4463 sm->p2p = config->p2p;
4464 sm->wpa_rsc_relaxation = config->wpa_rsc_relaxation;
4465 sm->owe_ptk_workaround = config->owe_ptk_workaround;
4466 sm->force_kdk_derivation = config->force_kdk_derivation;
4468 if (config->fils_cache_id) {
4469 sm->fils_cache_id_set = 1;
4470 os_memcpy(sm->fils_cache_id, config->fils_cache_id,
4473 sm->fils_cache_id_set = 0;
4476 sm->beacon_prot = config->beacon_prot;
4478 sm->network_ctx = NULL;
4479 sm->allowed_pairwise_cipher = 0;
4480 sm->proactive_key_caching = 0;
4481 sm->eap_workaround = 0;
4482 sm->eap_conf_ctx = NULL;
4483 sm->ssid_len = 0;
4484 sm->wpa_ptk_rekey = 0;
4485 sm->p2p = 0;
4486 sm->wpa_rsc_relaxation = 0;
4487 sm->owe_ptk_workaround = 0;
4488 sm->beacon_prot = 0;
4489 sm->force_kdk_derivation = false;
4500 os_memcpy(sm->ssid, ssid, ssid_len);
4501 sm->ssid_len = ssid_len;
4503 sm->ssid_len = 0;
4513 return -1;
4515 os_memcpy(sm->mlo.ap_mld_addr, mlo->ap_mld_addr, ETH_ALEN);
4516 sm->mlo.assoc_link_id = mlo->assoc_link_id;
4517 sm->mlo.valid_links = mlo->valid_links;
4518 sm->mlo.req_links = mlo->req_links;
4524 if (sm->mlo.req_links & BIT(i)) {
4525 if (!mlo->links[i].ap_rsne ||
4526 mlo->links[i].ap_rsne_len == 0) {
4527 wpa_dbg(sm->ctx->msg_ctx, MSG_INFO,
4530 i, MAC2STR(mlo->links[i].bssid));
4531 return -1;
4534 os_memcpy(sm->mlo.links[i].addr, mlo->links[i].addr,
4536 os_memcpy(sm->mlo.links[i].bssid, mlo->links[i].bssid,
4540 ie = mlo->links[i].ap_rsne;
4541 len = mlo->links[i].ap_rsne_len;
4542 os_free(sm->mlo.links[i].ap_rsne);
4544 if (sm->mlo.links[i].ap_rsne)
4545 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4548 sm->mlo.links[i].ap_rsne = NULL;
4549 sm->mlo.links[i].ap_rsne_len = 0;
4553 sm->mlo.links[i].ap_rsne = os_memdup(ie, len);
4554 if (!sm->mlo.links[i].ap_rsne) {
4555 sm->mlo.links[i].ap_rsne_len = 0;
4556 return -1;
4558 sm->mlo.links[i].ap_rsne_len = len;
4561 ie = mlo->links[i].ap_rsnxe;
4562 len = mlo->links[i].ap_rsnxe_len;
4563 os_free(sm->mlo.links[i].ap_rsnxe);
4565 if (sm->mlo.links[i].ap_rsnxe)
4566 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4569 sm->mlo.links[i].ap_rsnxe = NULL;
4570 sm->mlo.links[i].ap_rsnxe_len = 0;
4574 sm->mlo.links[i].ap_rsnxe = os_memdup(ie, len);
4575 if (!sm->mlo.links[i].ap_rsnxe) {
4576 sm->mlo.links[i].ap_rsnxe_len = 0;
4577 return -1;
4579 sm->mlo.links[i].ap_rsnxe_len = len;
4588 * wpa_sm_set_own_addr - Set own MAC address
4595 os_memcpy(sm->own_addr, addr, ETH_ALEN);
4600 * wpa_sm_set_ifname - Set network interface name
4603 * @bridge_ifname: Optional bridge interface name (for pre-auth)
4609 sm->ifname = ifname;
4610 sm->bridge_ifname = bridge_ifname;
4616 * wpa_sm_set_eapol - Set EAPOL state machine pointer
4623 sm->eapol = eapol;
4628 * wpa_sm_set_param - Set WPA state machine parameters
4632 * Returns: 0 on success, -1 on failure
4640 return -1;
4645 sm->dot11RSNAConfigPMKLifetime = value;
4647 ret = -1;
4651 sm->dot11RSNAConfigPMKReauthThreshold = value;
4653 ret = -1;
4657 sm->dot11RSNAConfigSATimeout = value;
4659 ret = -1;
4662 sm->proto = value;
4665 sm->pairwise_cipher = value;
4668 sm->group_cipher = value;
4671 sm->key_mgmt = value;
4674 sm->mgmt_group_cipher = value;
4677 sm->rsn_enabled = value;
4680 sm->mfp = value;
4683 sm->ocv = value;
4686 sm->sae_pwe = value;
4689 sm->sae_pk = value;
4692 sm->wpa_deny_ptk0_rekey = value;
4695 sm->ext_key_id = value;
4698 sm->use_ext_key_id = value;
4702 sm->ft_rsnxe_used = value;
4705 sm->oci_freq_override_eapol = value;
4708 sm->oci_freq_override_eapol_g2 = value;
4711 sm->oci_freq_override_ft_assoc = value;
4714 sm->oci_freq_override_fils_assoc = value;
4717 sm->disable_eapol_g2_tx = value;
4720 sm->encrypt_eapol_m2 = value;
4723 sm->encrypt_eapol_m4 = value;
4728 sm->dpp_pfs = value;
4732 sm->wmm_enabled = value;
4735 sm->ft_prepend_pmkid = value;
4738 sm->ssid_protection = value;
4749 * wpa_sm_get_status - Get WPA state machine
4763 char *pos = buf, *end = buf + buflen;
4766 ret = os_snprintf(pos, end - pos,
4770 wpa_cipher_txt(sm->pairwise_cipher),
4771 wpa_cipher_txt(sm->group_cipher),
4772 wpa_key_mgmt_txt(sm->key_mgmt, sm->proto));
4773 if (os_snprintf_error(end - pos, ret))
4774 return pos - buf;
4775 pos += ret;
4778 if (sm->key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
4779 ret = os_snprintf(pos, end - pos, "dpp_pfs=1\n");
4780 if (os_snprintf_error(end - pos, ret))
4781 return pos - buf;
4782 pos += ret;
4786 if (sm->mfp != NO_MGMT_FRAME_PROTECTION && sm->ap_rsn_ie) {
4788 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn)
4792 ret = os_snprintf(pos, end - pos, "pmf=%d\n"
4797 sm->mgmt_group_cipher));
4798 if (os_snprintf_error(end - pos, ret))
4799 return pos - buf;
4800 pos += ret;
4804 return pos - buf;
4812 if (sm->mfp == NO_MGMT_FRAME_PROTECTION || !sm->ap_rsn_ie)
4815 if (wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &rsn) >= 0 &&
4825 return sm ? sm->ext_key_id : 0;
4831 return sm ? sm->use_ext_key_id : 0;
4839 if (!sm->ocv || !sm->ap_rsn_ie)
4842 return wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len,
4849 * wpa_sm_set_assoc_wpa_ie_default - Generate own WPA/RSN IE from configuration
4853 * Returns: 0 on success, -1 on failure
4861 return -1;
4864 if (sm->test_assoc_ie) {
4867 if (*wpa_ie_len < wpabuf_len(sm->test_assoc_ie))
4868 return -1;
4869 os_memcpy(wpa_ie, wpabuf_head(sm->test_assoc_ie),
4870 wpabuf_len(sm->test_assoc_ie));
4871 res = wpabuf_len(sm->test_assoc_ie);
4876 return -1;
4882 if (sm->assoc_wpa_ie == NULL) {
4884 * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets
4888 sm->assoc_wpa_ie = os_memdup(wpa_ie, *wpa_ie_len);
4889 if (sm->assoc_wpa_ie == NULL)
4890 return -1;
4892 sm->assoc_wpa_ie_len = *wpa_ie_len;
4896 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
4904 * wpa_sm_set_assoc_wpa_ie - Set own WPA/RSN IE from (Re)AssocReq
4908 * Returns: 0 on success, -1 on failure
4917 return -1;
4919 os_free(sm->assoc_wpa_ie);
4921 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
4923 sm->assoc_wpa_ie = NULL;
4924 sm->assoc_wpa_ie_len = 0;
4927 sm->assoc_wpa_ie = os_memdup(ie, len);
4928 if (sm->assoc_wpa_ie == NULL)
4929 return -1;
4931 sm->assoc_wpa_ie_len = len;
4939 * wpa_sm_set_assoc_rsnxe_default - Generate own RSNXE from configuration
4943 * Returns: 0 on success, -1 on failure
4951 return -1;
4955 return -1;
4960 if (sm->assoc_rsnxe) {
4963 sm->assoc_rsnxe, sm->assoc_rsnxe_len);
4966 * Make a copy of the RSNXE so that 4-Way Handshake gets the
4969 sm->assoc_rsnxe = os_memdup(rsnxe, *rsnxe_len);
4970 if (!sm->assoc_rsnxe)
4971 return -1;
4973 sm->assoc_rsnxe_len = *rsnxe_len;
4981 * wpa_sm_set_assoc_rsnxe - Set own RSNXE from (Re)AssocReq
4985 * Returns: 0 on success, -1 on failure
4994 return -1;
4996 os_free(sm->assoc_rsnxe);
4998 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5000 sm->assoc_rsnxe = NULL;
5001 sm->assoc_rsnxe_len = 0;
5004 sm->assoc_rsnxe = os_memdup(ie, len);
5005 if (!sm->assoc_rsnxe)
5006 return -1;
5008 sm->assoc_rsnxe_len = len;
5011 if (sm->ssid_protection &&
5012 !ieee802_11_rsnx_capab(sm->assoc_rsnxe,
5014 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5016 sm->ssid_protection = 0;
5024 * wpa_sm_set_ap_wpa_ie - Set AP WPA IE from Beacon/ProbeResp
5028 * Returns: 0 on success, -1 on failure
5036 return -1;
5038 os_free(sm->ap_wpa_ie);
5040 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5042 sm->ap_wpa_ie = NULL;
5043 sm->ap_wpa_ie_len = 0;
5046 sm->ap_wpa_ie = os_memdup(ie, len);
5047 if (sm->ap_wpa_ie == NULL)
5048 return -1;
5050 sm->ap_wpa_ie_len = len;
5058 * wpa_sm_set_ap_rsn_ie - Set AP RSN IE from Beacon/ProbeResp
5062 * Returns: 0 on success, -1 on failure
5070 return -1;
5072 os_free(sm->ap_rsn_ie);
5074 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5076 sm->ap_rsn_ie = NULL;
5077 sm->ap_rsn_ie_len = 0;
5080 sm->ap_rsn_ie = os_memdup(ie, len);
5081 if (sm->ap_rsn_ie == NULL)
5082 return -1;
5084 sm->ap_rsn_ie_len = len;
5092 * wpa_sm_set_ap_rsnxe - Set AP RSNXE from Beacon/ProbeResp
5096 * Returns: 0 on success, -1 on failure
5104 return -1;
5106 os_free(sm->ap_rsnxe);
5108 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: clearing AP RSNXE");
5109 sm->ap_rsnxe = NULL;
5110 sm->ap_rsnxe_len = 0;
5113 sm->ap_rsnxe = os_memdup(ie, len);
5114 if (!sm->ap_rsnxe)
5115 return -1;
5117 sm->ap_rsnxe_len = len;
5125 * wpa_sm_parse_own_wpa_ie - Parse own WPA/RSN IE
5128 * Returns: 0 on success, -1 if IE is not known, or -2 on parsing failure
5136 return -1;
5138 if (sm->assoc_wpa_ie == NULL) {
5139 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
5141 return -1;
5143 if (wpa_parse_wpa_ie(sm->assoc_wpa_ie, sm->assoc_wpa_ie_len, data))
5144 return -2;
5151 return pmksa_cache_list(sm->pmksa, buf, len);
5157 return pmksa_cache_head(sm->pmksa);
5165 return pmksa_cache_add_entry(sm->pmksa, entry);
5173 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, pmk, pmk_len, pmkid, NULL, 0,
5174 bssid, sm->own_addr, sm->network_ctx,
5175 sm->key_mgmt, fils_cache_id);
5182 return pmksa_cache_get(sm->pmksa, bssid, own_addr, NULL, network_ctx,
5193 return pmksa_cache_get(sm->pmksa, aa, sm->own_addr, pmkid, network_ctx,
5201 if (sm && sm->pmksa)
5202 pmksa_cache_remove(sm->pmksa, entry);
5208 wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: Clear old PMK and PTK");
5210 sm->pmk_len = 0;
5211 os_memset(sm->pmk, 0, sizeof(sm->pmk));
5213 os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
5214 sm->xxkey_len = 0;
5215 os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
5216 sm->pmk_r0_len = 0;
5217 os_memset(sm->pmk_r1, 0, sizeof(sm->pmk_r1));
5218 sm->pmk_r1_len = 0;
5220 os_free(sm->pasn_r1kh);
5221 sm->pasn_r1kh = NULL;
5222 sm->n_pasn_r1kh = 0;
5233 if (!wpa_key_mgmt_ft(sm->key_mgmt) ||
5234 os_memcmp(md, sm->key_mobility_domain,
5240 return sm->ptk_set;
5249 return sm->tk_set || sm->ptk.installed;
5255 os_memcpy(sm->rx_replay_counter, replay_ctr, WPA_REPLAY_COUNTER_LEN);
5261 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, false);
5267 pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0, true);
5282 keylen = wpa_cipher_key_len(sm->group_cipher);
5283 gd.key_rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
5284 gd.alg = wpa_cipher_to_alg(sm->group_cipher);
5287 return -1;
5296 return -1;
5298 gd.keyidx = keyinfo & 0x03; /* B0 - B1 */
5310 return -1;
5318 return -1;
5323 if (sm->beacon_prot &&
5325 return -1;
5328 return -1;
5340 if (sm == NULL || WPA_GET_BE32(sm->p2p_ip_addr) == 0)
5341 return -1;
5342 os_memcpy(buf, sm->p2p_ip_addr, 3 * 4);
5354 os_memcpy(sm->rx_replay_counter, rx_replay_counter,
5356 sm->rx_replay_counter_set = 1;
5366 os_memcpy(sm->ptk.kck, ptk_kck, ptk_kck_len);
5367 sm->ptk.kck_len = ptk_kck_len;
5371 os_memcpy(sm->ptk.kek, ptk_kek, ptk_kek_len);
5372 sm->ptk.kek_len = ptk_kek_len;
5375 sm->ptk_set = 1;
5383 wpabuf_free(sm->test_assoc_ie);
5384 sm->test_assoc_ie = buf;
5390 wpabuf_free(sm->test_eapol_m2_elems);
5391 sm->test_eapol_m2_elems = buf;
5397 wpabuf_free(sm->test_eapol_m4_elems);
5398 sm->test_eapol_m4_elems = buf;
5404 return sm->anonce;
5412 return sm->key_mgmt;
5418 return sm->mlo.valid_links ? sm->mlo.ap_mld_addr : sm->bssid;
5430 erp_msg = eapol_sm_build_erp_reauth_start(sm->eapol);
5431 if (!erp_msg && !sm->cur_pmksa) {
5433 "FILS: Neither ERP EAP-Initiate/Re-auth nor PMKSA cache entry is available - skip FILS");
5438 erp_msg != NULL, sm->cur_pmksa != NULL);
5440 sm->fils_completed = 0;
5442 if (!sm->assoc_wpa_ie) {
5447 if (random_get_bytes(sm->fils_nonce, FILS_NONCE_LEN) < 0 ||
5448 random_get_bytes(sm->fils_session, FILS_SESSION_LEN) < 0)
5452 sm->fils_nonce, FILS_NONCE_LEN);
5454 sm->fils_session, FILS_SESSION_LEN);
5457 sm->fils_dh_group = dh_group;
5459 crypto_ecdh_deinit(sm->fils_ecdh);
5460 sm->fils_ecdh = crypto_ecdh_init(dh_group);
5461 if (!sm->fils_ecdh) {
5467 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
5472 sm->fils_dh_elem_len = wpabuf_len(pub);
5476 buf = wpabuf_alloc(1000 + sm->assoc_wpa_ie_len +
5501 sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5502 wpabuf_put_data(buf, sm->assoc_wpa_ie, sm->assoc_wpa_ie_len);
5511 os_memcpy(mdie->mobility_domain, md, MOBILITY_DOMAIN_ID_LEN);
5512 mdie->ft_capab = 0;
5520 wpabuf_put_data(buf, sm->fils_nonce, FILS_NONCE_LEN);
5527 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
5530 sm->fils_erp_pmkid_set = 0;
5538 * maintain a copy of the EAP-Initiate/Reauth message. */
5539 if (fils_pmkid_erp(sm->key_mgmt, wpabuf_head(erp_msg),
5541 sm->fils_erp_pmkid) == 0)
5542 sm->fils_erp_pmkid_set = 1;
5558 const u8 *pos, *end;
5577 os_memcpy(sm->bssid, bssid, ETH_ALEN);
5581 pos = data;
5586 if (sm->fils_dh_group) {
5592 if (end - pos < 2) {
5597 group = WPA_GET_LE16(pos);
5598 pos += 2;
5599 if (group != sm->fils_dh_group) {
5602 group, sm->fils_dh_group);
5607 if ((size_t) (end - pos) < sm->fils_dh_elem_len) {
5612 if (!sm->fils_ecdh) {
5616 dh_ss = crypto_ecdh_set_peerkey(sm->fils_ecdh, 1, pos,
5617 sm->fils_dh_elem_len);
5623 g_ap = pos;
5624 g_ap_len = sm->fils_dh_elem_len;
5625 pos += sm->fils_dh_elem_len;
5629 wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
5630 if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
5639 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
5649 os_memcpy(sm->fils_anonce, elems.fils_nonce, FILS_NONCE_LEN);
5650 wpa_hexdump(MSG_DEBUG, "FILS: ANonce", sm->fils_anonce, FILS_NONCE_LEN);
5653 if (wpa_key_mgmt_ft(sm->key_mgmt)) {
5659 if (wpa_ft_parse_ies(pos, end - pos, &parse,
5660 sm->key_mgmt, false) < 0) {
5667 "FILS+FT: No R0KH-ID subelem in FTE");
5670 os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
5671 sm->r0kh_id_len = parse.r0kh_id_len;
5672 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
5673 sm->r0kh_id, sm->r0kh_id_len);
5677 "FILS+FT: No R1KH-ID subelem in FTE");
5680 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
5681 wpa_hexdump(MSG_DEBUG, "FILS+FT: R1KH-ID",
5682 sm->r1kh_id, FT_R1KH_ID_LEN);
5686 wpabuf_free(sm->fils_ft_ies);
5687 sm->fils_ft_ies = wpabuf_alloc(2 + elems.mdie_len +
5689 if (!sm->fils_ft_ies)
5691 wpabuf_put_data(sm->fils_ft_ies, elems.mdie - 2,
5693 wpabuf_put_data(sm->fils_ft_ies, elems.ftie - 2,
5696 wpabuf_free(sm->fils_ft_ies);
5697 sm->fils_ft_ies = NULL;
5711 if (os_memcmp(sm->cur_pmksa->pmkid, rsn.pmkid, PMKID_LEN) != 0)
5715 sm->cur_pmksa->pmkid, PMKID_LEN);
5719 "FILS: Matching PMKID - continue using PMKSA caching");
5722 if (!pmkid_match && sm->cur_pmksa) {
5724 "FILS: No PMKID match - cannot use cached PMKSA entry");
5725 sm->cur_pmksa = NULL;
5735 if (os_memcmp(sm->fils_session, elems.fils_session, FILS_SESSION_LEN)
5739 sm->fils_session, FILS_SESSION_LEN);
5744 if (!sm->cur_pmksa && elems.wrapped_data) {
5751 eapol_sm_process_erp_finish(sm->eapol, elems.wrapped_data,
5753 if (eapol_sm_failed(sm->eapol))
5757 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
5760 res = eapol_sm_get_key(sm->eapol, rmsk, rmsk_len);
5765 res = fils_rmsk_to_pmk(sm->key_mgmt, rmsk, rmsk_len,
5766 sm->fils_nonce, sm->fils_anonce,
5769 sm->pmk, &sm->pmk_len);
5780 if (!sm->fils_erp_pmkid_set) {
5784 wpa_hexdump(MSG_DEBUG, "FILS: PMKID", sm->fils_erp_pmkid,
5786 wpa_printf(MSG_DEBUG, "FILS: ERP processing succeeded - add PMKSA cache entry for the result");
5787 sm->cur_pmksa = pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len,
5788 sm->fils_erp_pmkid, NULL, 0,
5789 sm->bssid, sm->own_addr,
5790 sm->network_ctx, sm->key_mgmt,
5794 if (!sm->cur_pmksa) {
5800 if (sm->force_kdk_derivation ||
5801 (sm->secure_ltf &&
5802 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
5807 if (fils_pmk_to_ptk(sm->pmk, sm->pmk_len, sm->own_addr,
5809 sm->fils_nonce, sm->fils_anonce,
5812 &sm->ptk, ick, &ick_len,
5813 sm->key_mgmt, sm->pairwise_cipher,
5814 sm->fils_ft, &sm->fils_ft_len,
5821 if (sm->secure_ltf &&
5822 ieee802_11_rsnx_capab(sm->ap_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF) &&
5823 wpa_ltf_keyseed(&sm->ptk, sm->key_mgmt, sm->pairwise_cipher)) {
5832 sm->ptk_set = 1;
5833 sm->tptk_set = 0;
5834 os_memset(&sm->tptk, 0, sizeof(sm->tptk));
5837 if (sm->fils_dh_group) {
5838 if (!sm->fils_ecdh) {
5842 pub = crypto_ecdh_get_pubkey(sm->fils_ecdh, 1);
5856 res = fils_key_auth_sk(ick, ick_len, sm->fils_nonce,
5857 sm->fils_anonce, sm->own_addr, sm->bssid,
5859 sm->key_mgmt, sm->fils_key_auth_sta,
5860 sm->fils_key_auth_ap,
5861 &sm->fils_key_auth_len);
5874 return -1;
5883 u8 *pos;
5884 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt);
5888 rsnie->elem_id = WLAN_EID_RSN;
5889 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
5892 if (!wpa_cipher_valid_group(sm->group_cipher)) {
5894 sm->group_cipher);
5895 return -1;
5897 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5898 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
5899 sm->group_cipher));
5905 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
5907 sm->pairwise_cipher);
5908 return -1;
5910 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5911 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
5912 sm->pairwise_cipher));
5918 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5919 if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256)
5920 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
5921 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384)
5922 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
5926 sm->key_mgmt);
5927 return -1;
5932 if (sm->mfp)
5934 if (sm->mfp == 2)
5936 if (sm->ocv)
5938 if (sm->ext_key_id)
5946 wpa_hexdump_key(MSG_DEBUG, "FILS+FT: XXKey (FILS-FT)",
5947 sm->fils_ft, sm->fils_ft_len);
5948 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: SSID", sm->ssid, sm->ssid_len);
5950 sm->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
5951 wpa_hexdump_ascii(MSG_DEBUG, "FILS+FT: R0KH-ID",
5952 sm->r0kh_id, sm->r0kh_id_len);
5953 if (wpa_derive_pmk_r0(sm->fils_ft, sm->fils_ft_len, sm->ssid,
5954 sm->ssid_len, sm->mobility_domain,
5955 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
5956 sm->pmk_r0, sm->pmk_r0_name, sm->key_mgmt) < 0) {
5957 wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMK-R0");
5958 return -1;
5960 if (wpa_key_mgmt_sae_ext_key(sm->key_mgmt))
5961 sm->pmk_r0_len = sm->fils_ft_len;
5963 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
5964 wpa_printf(MSG_DEBUG, "FILS+FT: R1KH-ID: " MACSTR,
5965 MAC2STR(sm->r1kh_id));
5966 pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
5967 if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
5968 sm->pmk_r1_name, sm->fils_ft_len) < 0) {
5970 return -1;
5972 os_memcpy(pos, sm->pmk_r1_name, WPA_PMK_NAME_LEN);
5974 os_memcpy(sm->key_mobility_domain, sm->mobility_domain,
5977 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
5979 pos = wpabuf_put(buf, RSN_SELECTOR_LEN);
5980 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
5983 rsnie->len = ((u8 *) wpabuf_put(buf, 0) - (u8 *) rsnie) - 2;
6001 if (sm->fils_ft_ies)
6002 len += wpabuf_len(sm->fils_ft_ies);
6003 if (wpa_key_mgmt_ft(sm->key_mgmt))
6013 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6015 wpabuf_put_buf(buf, sm->fils_ft_ies);
6029 wpabuf_put_data(buf, sm->fils_session, FILS_SESSION_LEN);
6038 wpabuf_put_u8(buf, 1 + sm->fils_key_auth_len); /* Length */
6041 wpabuf_put_data(buf, sm->fils_key_auth_sta, sm->fils_key_auth_len);
6045 const u8 *pos = wpabuf_head(hlp[i]);
6059 wpabuf_put_data(buf, pos, len - 1);
6060 pos += len - 1;
6061 left -= len - 1;
6066 wpabuf_put_data(buf, pos, len);
6067 pos += len;
6068 left -= len;
6077 u8 *pos;
6086 if (sm->oci_freq_override_fils_assoc) {
6088 "TEST: Override OCI KDE frequency %d -> %d MHz",
6090 sm->oci_freq_override_fils_assoc);
6091 ci.frequency = sm->oci_freq_override_fils_assoc;
6095 pos = wpabuf_put(buf, OCV_OCI_EXTENDED_LEN);
6096 if (ocv_insert_extended_oci(&ci, pos) < 0) {
6105 *kek = sm->ptk.kek;
6106 *kek_len = sm->ptk.kek_len;
6108 *snonce = sm->fils_nonce;
6111 *anonce = sm->fils_anonce;
6121 const u8 *pos, *end;
6126 pos = resp + 2 * ETH_ALEN;
6128 if (end - pos >= 6 &&
6129 os_memcmp(pos, "\xaa\xaa\x03\x00\x00\x00", 6) == 0)
6130 pos += 6; /* Remove SNAP/LLC header */
6131 wpa_sm_fils_hlp_rx(sm, resp, resp + ETH_ALEN, pos, end - pos);
6135 static void fils_process_hlp_container(struct wpa_sm *sm, const u8 *pos,
6138 const u8 *end = pos + len;
6142 while (end - pos >= 2) {
6143 if (2 + pos[1] > end - pos)
6145 if (pos[0] == WLAN_EID_EXTENSION &&
6146 pos[1] >= 1 + 2 * ETH_ALEN &&
6147 pos[2] == WLAN_EID_EXT_FILS_HLP_CONTAINER)
6149 pos += 2 + pos[1];
6151 if (end - pos < 2)
6154 tmp = os_malloc(end - pos);
6158 while (end - pos >= 2) {
6159 if (2 + pos[1] > end - pos ||
6160 pos[0] != WLAN_EID_EXTENSION ||
6161 pos[1] < 1 + 2 * ETH_ALEN ||
6162 pos[2] != WLAN_EID_EXT_FILS_HLP_CONTAINER)
6165 os_memcpy(tmp_pos, pos + 3, pos[1] - 1);
6166 tmp_pos += pos[1] - 1;
6167 pos += 2 + pos[1];
6170 while (end - pos >= 2 && pos[0] == WLAN_EID_FRAGMENT &&
6171 2 + pos[1] <= end - pos) {
6172 os_memcpy(tmp_pos, pos + 2, pos[1]);
6173 tmp_pos += pos[1];
6174 pos += 2 + pos[1];
6177 fils_process_hlp_resp(sm, tmp, tmp_pos - tmp);
6195 if (!sm || !sm->ptk_set) {
6197 return -1;
6200 if (!wpa_key_mgmt_fils(sm->key_mgmt)) {
6202 return -1;
6205 if (sm->fils_completed) {
6207 "FILS: Association has already been completed for this FILS authentication - ignore unexpected retransmission");
6208 return -1;
6215 if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.assoc_resp))
6216 return -1;
6220 ie_start = mgmt->u.assoc_resp.variable;
6222 if (ieee802_11_parse_elems(ie_start, end - ie_start, &elems, 1) ==
6231 return -1;
6233 if (os_memcmp(elems.fils_session, sm->fils_session,
6239 sm->fils_session, FILS_SESSION_LEN);
6246 * 802.11ai-2016 did not include all the needed changes to make
6250 } else if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm->key_mgmt),
6251 sm->ap_rsn_ie, sm->ap_rsn_ie_len,
6252 elems.rsn_ie - 2, elems.rsn_ie_len + 2)) {
6253 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
6256 sm->ap_rsn_ie, sm->ap_rsn_ie_len);
6268 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
6270 "FILS: Unexpected Key-Auth length %d (expected %d)",
6272 (int) sm->fils_key_auth_len);
6275 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_ap,
6276 sm->fils_key_auth_len) != 0) {
6277 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
6278 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
6281 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
6282 sm->fils_key_auth_ap, sm->fils_key_auth_len);
6299 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, OCV_FAILURE
6300 "addr=" MACSTR " frame=fils-assoc error=%s",
6301 MAC2STR(sm->bssid), ocv_errorstr);
6308 if (wpa_key_mgmt_ft(sm->key_mgmt) && sm->fils_ft_ies) {
6313 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
6316 os_memcmp(rsn.pmkid, sm->pmk_r1_name,
6334 elems.key_delivery_len - WPA_KEY_RSC_LEN,
6343 maxkeylen = gd.gtk_len = kde.gtk_len - 2;
6344 if (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
6353 if (kde.gtk_len - 2 > sizeof(gd.gtk)) {
6355 (unsigned long) kde.gtk_len - 2);
6358 os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
6371 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
6372 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
6373 if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
6375 keylen, (long unsigned int) sm->ptk.tk_len);
6379 rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
6381 sm->ptk.tk, keylen);
6382 if (wpa_sm_set_key(sm, -1, alg, wpa_sm_get_auth_addr(sm), 0, 1,
6384 sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE_RX_TX) < 0) {
6385 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
6392 wpa_sm_store_ptk(sm, sm->bssid, sm->pairwise_cipher,
6393 sm->dot11RSNAConfigPMKLifetime, &sm->ptk);
6398 os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
6399 sm->ptk.tk_len = 0;
6400 sm->ptk.installed = 1;
6401 sm->tk_set = true;
6404 fils_process_hlp_container(sm, ie_start, end - ie_start);
6409 sm->fils_completed = 1;
6418 return -1;
6425 sm->fils_completed = !!set;
6434 return sm && sm->fils_completed;
6457 crypto_ecdh_deinit(sm->owe_ecdh);
6458 sm->owe_ecdh = crypto_ecdh_init(group);
6459 if (!sm->owe_ecdh)
6461 sm->owe_group = group;
6462 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6476 wpa_hexdump_buf(MSG_DEBUG, "OWE: Diffie-Hellman Parameter element",
6482 crypto_ecdh_deinit(sm->owe_ecdh);
6483 sm->owe_ecdh = NULL;
6507 return -1;
6510 if (sm->cur_pmksa && elems.rsn_ie &&
6511 wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, 2 + elems.rsn_ie_len,
6514 os_memcmp(sm->cur_pmksa->pmkid, data.pmkid, PMKID_LEN) == 0) {
6522 "OWE: No Diffie-Hellman Parameter element found in Association Response frame");
6523 return -1;
6527 if (group != sm->owe_group) {
6529 "OWE: Unexpected Diffie-Hellman group in response: %u",
6531 return -1;
6534 if (!sm->owe_ecdh) {
6536 return -1;
6546 return -1;
6548 secret = crypto_ecdh_set_peerkey(sm->owe_ecdh, 0,
6550 elems.owe_dh_len - 2);
6554 return -1;
6558 /* prk = HKDF-extract(C | A | group, z) */
6560 pub = crypto_ecdh_get_pubkey(sm->owe_ecdh, 0);
6563 return -1;
6566 /* PMKID = Truncate-128(Hash(C | A)) */
6570 len[1] = elems.owe_dh_len - 2;
6581 res = -1;
6588 return -1;
6591 hkey = wpabuf_alloc(wpabuf_len(pub) + elems.owe_dh_len - 2 + 2);
6595 return -1;
6600 wpabuf_put_data(hkey, elems.owe_dh + 2, elems.owe_dh_len - 2); /* A */
6601 wpabuf_put_le16(hkey, sm->owe_group); /* group */
6614 return -1;
6618 /* PMK = HKDF-expand(prk, "OWE Key Generation", n) */
6622 os_strlen(info), sm->pmk, hash_len);
6625 os_strlen(info), sm->pmk, hash_len);
6628 os_strlen(info), sm->pmk, hash_len);
6631 sm->pmk_len = 0;
6632 return -1;
6634 sm->pmk_len = hash_len;
6636 wpa_hexdump_key(MSG_DEBUG, "OWE: PMK", sm->pmk, sm->pmk_len);
6638 pmksa_cache_add(sm->pmksa, sm->pmk, sm->pmk_len, pmkid, NULL, 0,
6639 bssid, sm->own_addr, sm->network_ctx, sm->key_mgmt,
6652 sm->fils_cache_id_set = 1;
6653 os_memcpy(sm->fils_cache_id, fils_cache_id, FILS_CACHE_ID_LEN);
6663 wpabuf_clear_free(sm->dpp_z);
6664 sm->dpp_z = z ? wpabuf_dup(z) : NULL;
6675 sm->secure_ltf = 1;
6677 sm->secure_rtt = 1;
6679 sm->prot_range_neg = 1;
6688 pmksa_cache_reconfig(sm->pmksa);
6694 return sm ? sm->pmksa : NULL;
6702 sm->cur_pmksa = entry;
6710 sm->driver_bss_selection = driver_bss_selection;