Revert "Cumulative patch from commit 4ec1fd8e42bad9390f14a58225b6e5f6fb691950"
This reverts commit 78a5dac804c22aa6e4ec8226a864d3b0d6ccddbb.
Test: None
diff --git a/src/ap/Makefile b/src/ap/Makefile
index 3b01e63..98788fe 100644
--- a/src/ap/Makefile
+++ b/src/ap/Makefile
@@ -12,7 +12,7 @@
CFLAGS += -DNEED_AP_MLME
CFLAGS += -DCONFIG_HS20
CFLAGS += -DCONFIG_INTERWORKING
-CFLAGS += -DCONFIG_IEEE80211R_AP
+CFLAGS += -DCONFIG_IEEE80211R
CFLAGS += -DCONFIG_IEEE80211W
CFLAGS += -DCONFIG_WPS
CFLAGS += -DCONFIG_PROXYARP
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index c986574..228de2b 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -88,9 +88,9 @@
/* Set to -1 as defaults depends on HT in setup */
bss->wmm_enabled = -1;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
bss->ft_over_ds = 1;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
bss->radius_das_time_window = 300;
@@ -477,7 +477,7 @@
hostapd_config_free_vlan(conf);
os_free(conf->time_zone);
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
{
struct ft_remote_r0kh *r0kh, *r0kh_prev;
struct ft_remote_r1kh *r1kh, *r1kh_prev;
@@ -498,7 +498,7 @@
os_free(r1kh_prev);
}
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_WPS
os_free(conf->wps_pin_requests);
@@ -802,7 +802,7 @@
}
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) &&
(bss->nas_identifier == NULL ||
os_strlen(bss->nas_identifier) < 1 ||
@@ -812,7 +812,7 @@
"string");
return -1;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_IEEE80211N
if (full_config && conf->ieee80211n &&
@@ -848,16 +848,6 @@
wpa_printf(MSG_ERROR,
"VHT (IEEE 802.11ac) with WEP is not allowed, disabling VHT capabilities");
}
-
- if (full_config && conf->ieee80211ac && bss->wpa &&
- !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
- !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
- WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
- {
- bss->disable_11ac = 1;
- wpa_printf(MSG_ERROR,
- "VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities");
- }
#endif /* CONFIG_IEEE80211AC */
#ifdef CONFIG_WPS
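Review bot: Once the cipher check is dropped from this hunk, a BSS with `conf->ieee80211ac` set and a TKIP-only pairwise configuration is no longer caught during configuration validation. Only the WEP case just above still sets `bss->disable_11ac`. The removed message itself states that VHT with WPA/WPA2 requires CCMP/GCMP, so the check should survive even if the rest of the cumulative patch is reverted; otherwise the AP can advertise VHT alongside a legacy cipher without any warning in the log. The enclosing function starts and ends outside the hunk.

```c
/* … unchanged: VHT-with-WEP check that sets bss->disable_11ac … */
if (full_config && conf->ieee80211ac && bss->wpa &&
    !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
    !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
			   WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
{
	bss->disable_11ac = 1;
	wpa_printf(MSG_ERROR,
		   "VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities");
}
```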
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index cace34c..8c8f7e2 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -329,7 +329,7 @@
char *rsn_preauth_interfaces;
int peerkey;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
/* IEEE 802.11r - Fast BSS Transition */
u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN];
u8 r1_key_holder[FT_R1KH_ID_LEN];
@@ -339,8 +339,7 @@
struct ft_remote_r1kh *r1kh_list;
int pmk_r1_push;
int ft_over_ds;
- int ft_psk_generate_local;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
char *ctrl_interface; /* directory for UNIX domain sockets */
#ifndef CONFIG_NATIVE_WINDOWS
@@ -596,11 +595,6 @@
int ftm_responder;
int ftm_initiator;
-
-#ifdef CONFIG_FILS
- u8 fils_cache_id[FILS_CACHE_ID_LEN];
- int fils_cache_id_set;
-#endif /* CONFIG_FILS */
};
@@ -713,7 +707,6 @@
struct wpabuf *lci;
struct wpabuf *civic;
- int stationary_ap;
};
diff --git a/src/ap/ap_mlme.c b/src/ap/ap_mlme.c
index db8a267..e7308a0 100644
--- a/src/ap/ap_mlme.c
+++ b/src/ap/ap_mlme.c
@@ -57,11 +57,7 @@
HOSTAPD_LEVEL_DEBUG,
"MLME-AUTHENTICATE.indication(" MACSTR ", %s)",
MAC2STR(sta->addr), mlme_auth_alg_str(sta->auth_alg));
- if (sta->auth_alg != WLAN_AUTH_FT &&
- sta->auth_alg != WLAN_AUTH_FILS_SK &&
- sta->auth_alg != WLAN_AUTH_FILS_SK_PFS &&
- sta->auth_alg != WLAN_AUTH_FILS_PK &&
- !(sta->flags & WLAN_STA_MFP))
+ if (sta->auth_alg != WLAN_AUTH_FT && !(sta->flags & WLAN_STA_MFP))
mlme_deletekeys_request(hapd, sta);
ap_sta_clear_disconnect_timeouts(hapd, sta);
}
@@ -109,10 +105,7 @@
HOSTAPD_LEVEL_DEBUG,
"MLME-ASSOCIATE.indication(" MACSTR ")",
MAC2STR(sta->addr));
- if (sta->auth_alg != WLAN_AUTH_FT &&
- sta->auth_alg != WLAN_AUTH_FILS_SK &&
- sta->auth_alg != WLAN_AUTH_FILS_SK_PFS &&
- sta->auth_alg != WLAN_AUTH_FILS_PK)
+ if (sta->auth_alg != WLAN_AUTH_FT)
mlme_deletekeys_request(hapd, sta);
ap_sta_clear_disconnect_timeouts(hapd, sta);
}
@@ -137,10 +130,7 @@
HOSTAPD_LEVEL_DEBUG,
"MLME-REASSOCIATE.indication(" MACSTR ")",
MAC2STR(sta->addr));
- if (sta->auth_alg != WLAN_AUTH_FT &&
- sta->auth_alg != WLAN_AUTH_FILS_SK &&
- sta->auth_alg != WLAN_AUTH_FILS_SK_PFS &&
- sta->auth_alg != WLAN_AUTH_FILS_PK)
+ if (sta->auth_alg != WLAN_AUTH_FT)
mlme_deletekeys_request(hapd, sta);
ap_sta_clear_disconnect_timeouts(hapd, sta);
}
diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index 811bede..233320d 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -491,11 +491,6 @@
pos = hostapd_eid_txpower_envelope(hapd, pos);
pos = hostapd_eid_wb_chsw_wrapper(hapd, pos);
}
-#endif /* CONFIG_IEEE80211AC */
-
- pos = hostapd_eid_fils_indic(hapd, pos, 0);
-
-#ifdef CONFIG_IEEE80211AC
if (hapd->conf->vendor_vht)
pos = hostapd_eid_vendor_vht(hapd, pos);
#endif /* CONFIG_IEEE80211AC */
@@ -623,7 +618,7 @@
}
-void sta_track_add(struct hostapd_iface *iface, const u8 *addr, int ssi_signal)
+void sta_track_add(struct hostapd_iface *iface, const u8 *addr)
{
struct hostapd_sta_info *info;
@@ -633,7 +628,6 @@
dl_list_del(&info->list);
dl_list_add_tail(&iface->sta_seen, &info->list);
os_get_reltime(&info->last_seen);
- info->ssi_signal = ssi_signal;
return;
}
@@ -643,7 +637,6 @@
return;
os_memcpy(info->addr, addr, ETH_ALEN);
os_get_reltime(&info->last_seen);
- info->ssi_signal = ssi_signal;
if (iface->num_sta_seen >= iface->conf->track_sta_max_num) {
/* Expire oldest entry to make room for a new one */
@@ -719,7 +712,7 @@
return;
ie = ((const u8 *) mgmt) + IEEE80211_HDRLEN;
if (hapd->iconf->track_sta_max_num)
- sta_track_add(hapd->iface, mgmt->sa, ssi_signal);
+ sta_track_add(hapd->iface, mgmt->sa);
ie_len = len - IEEE80211_HDRLEN;
for (i = 0; hapd->probereq_cb && i < hapd->num_probereq_cb; i++)
@@ -1162,11 +1155,6 @@
tailpos = hostapd_eid_txpower_envelope(hapd, tailpos);
tailpos = hostapd_eid_wb_chsw_wrapper(hapd, tailpos);
}
-#endif /* CONFIG_IEEE80211AC */
-
- tailpos = hostapd_eid_fils_indic(hapd, tailpos, 0);
-
-#ifdef CONFIG_IEEE80211AC
if (hapd->conf->vendor_vht)
tailpos = hostapd_eid_vendor_vht(hapd, tailpos);
#endif /* CONFIG_IEEE80211AC */
diff --git a/src/ap/beacon.h b/src/ap/beacon.h
index a26e308..fc71181 100644
--- a/src/ap/beacon.h
+++ b/src/ap/beacon.h
@@ -21,7 +21,7 @@
int ieee802_11_build_ap_params(struct hostapd_data *hapd,
struct wpa_driver_ap_params *params);
void ieee802_11_free_ap_params(struct wpa_driver_ap_params *params);
-void sta_track_add(struct hostapd_iface *iface, const u8 *addr, int ssi_signal);
+void sta_track_add(struct hostapd_iface *iface, const u8 *addr);
void sta_track_del(struct hostapd_sta_info *info);
void sta_track_expire(struct hostapd_iface *iface, int force);
struct hostapd_data *
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
index f69c655..3552b3e 100644
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -45,10 +45,10 @@
struct ieee802_11_elems elems;
const u8 *ie;
size_t ielen;
-#if defined(CONFIG_IEEE80211R_AP) || defined(CONFIG_IEEE80211W)
+#if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
u8 buf[sizeof(struct ieee80211_mgmt) + 1024];
u8 *p = buf;
-#endif /* CONFIG_IEEE80211R_AP || CONFIG_IEEE80211W */
+#endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
u16 reason = WLAN_REASON_UNSPECIFIED;
u16 status = WLAN_STATUS_SUCCESS;
const u8 *p2p_dev_addr = NULL;
@@ -293,7 +293,7 @@
sta->flags &= ~WLAN_STA_MFP;
#endif /* CONFIG_IEEE80211W */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (sta->auth_alg == WLAN_AUTH_FT) {
status = wpa_ft_validate_reassoc(sta->wpa_sm, req_ies,
req_ies_len);
@@ -307,7 +307,7 @@
goto fail;
}
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
} else if (hapd->conf->wps_state) {
#ifdef CONFIG_WPS
struct wpabuf *wps;
@@ -375,7 +375,7 @@
skip_wpa_check:
#endif /* CONFIG_WPS */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
p = wpa_sm_write_assoc_resp_ies(sta->wpa_sm, buf, sizeof(buf),
sta->auth_alg, req_ies, req_ies_len);
@@ -383,11 +383,11 @@
if (sta->auth_alg == WLAN_AUTH_FT)
ap_sta_set_authorized(hapd, sta, 1);
-#else /* CONFIG_IEEE80211R_AP */
+#else /* CONFIG_IEEE80211R */
/* Keep compiler silent about unused variables */
if (status) {
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
new_assoc = (sta->flags & WLAN_STA_ASSOC) == 0;
sta->flags |= WLAN_STA_AUTH | WLAN_STA_ASSOC;
@@ -414,9 +414,9 @@
return 0;
fail:
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
hostapd_sta_assoc(hapd, addr, reassoc, status, buf, p - buf);
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
hostapd_drv_sta_disassoc(hapd, sta->addr, reason);
ap_free_sta(hapd, sta);
return -1;
@@ -471,7 +471,8 @@
HOSTAPD_LEVEL_INFO,
"disconnected due to excessive missing ACKs");
hostapd_drv_sta_disassoc(hapd, addr, WLAN_REASON_DISASSOC_LOW_ACK);
- ap_sta_disassociate(hapd, sta, WLAN_REASON_DISASSOC_LOW_ACK);
+ if (sta)
+ ap_sta_disassociate(hapd, sta, WLAN_REASON_DISASSOC_LOW_ACK);
}
@@ -689,7 +690,7 @@
#ifdef HOSTAPD
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
static void hostapd_notify_auth_ft_finish(void *ctx, const u8 *dst,
const u8 *bssid,
u16 auth_transaction, u16 status,
@@ -708,7 +709,7 @@
hostapd_sta_auth(hapd, dst, auth_transaction, status, ies, ies_len);
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
static void hostapd_notif_auth(struct hostapd_data *hapd,
@@ -729,7 +730,7 @@
}
sta->flags &= ~WLAN_STA_PREAUTH;
ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (rx_auth->auth_type == WLAN_AUTH_FT && hapd->wpa_auth) {
sta->auth_alg = WLAN_AUTH_FT;
if (sta->wpa_sm == NULL)
@@ -747,7 +748,7 @@
hostapd_notify_auth_ft_finish, hapd);
return;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
fail:
hostapd_sta_auth(hapd, rx_auth->peer, rx_auth->auth_transaction + 1,
status, resp_ies, resp_ies_len);
@@ -780,13 +781,13 @@
wpa_printf(MSG_DEBUG, "%s: station not found", __func__);
return;
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (mgmt->u.action.category == WLAN_ACTION_FT) {
const u8 *payload = drv_mgmt->frame + 24 + 1;
wpa_ft_action_rx(sta->wpa_sm, payload, plen);
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_IEEE80211W
if (mgmt->u.action.category == WLAN_ACTION_SA_QUERY && plen >= 4) {
ieee802_11_sa_query_action(
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index 21a5408..9fafc7f 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -956,10 +956,10 @@
if (conf->wmm_enabled < 0)
conf->wmm_enabled = hapd->iconf->ieee80211n;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (is_zero_ether_addr(conf->r1_key_holder))
os_memcpy(conf->r1_key_holder, hapd->own_addr, ETH_ALEN);
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_MESH
if (hapd->iface->mconf == NULL)
@@ -1561,7 +1561,7 @@
int vht = hapd->iconf->ieee80211ac && !hapd->conf->disable_11ac;
struct wpa_ssid_value ssid;
u8 channel, op_class;
- u8 center_freq1_idx = 0, center_freq2_idx = 0;
+ int center_freq1 = 0, center_freq2 = 0;
enum nr_chan_width width;
u32 bssid_info;
struct wpabuf *nr;
@@ -1604,14 +1604,16 @@
&op_class, &channel);
width = hostapd_get_nr_chan_width(hapd, ht, vht);
if (vht) {
- center_freq1_idx = hapd->iconf->vht_oper_centr_freq_seg0_idx;
+ center_freq1 = ieee80211_chan_to_freq(
+ NULL, op_class,
+ hapd->iconf->vht_oper_centr_freq_seg0_idx);
if (width == NR_CHAN_WIDTH_80P80)
- center_freq2_idx =
- hapd->iconf->vht_oper_centr_freq_seg1_idx;
+ center_freq2 = ieee80211_chan_to_freq(
+ NULL, op_class,
+ hapd->iconf->vht_oper_centr_freq_seg1_idx);
} else if (ht) {
- ieee80211_freq_to_chan(hapd->iface->freq +
- 10 * hapd->iconf->secondary_channel,
- ¢er_freq1_idx);
+ center_freq1 = hapd->iface->freq +
+ 10 * hapd->iconf->secondary_channel;
}
ssid.ssid_len = hapd->conf->ssid.ssid_len;
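Review bot: `center_freq1` and `center_freq2` now hold frequencies in MHz (from `ieee80211_chan_to_freq()` and `hapd->iface->freq + 10 * secondary_channel`), but the next hunk writes them with `wpabuf_put_u8()`, which keeps only the low 8 bits. The Wide Bandwidth Channel subelement therefore carries a truncated value rather than a channel centre index, and a negative return from `ieee80211_chan_to_freq()` (it appears to signal failure that way) would be written out too. The declaration hunk before this one and the `wpabuf_put_u8()` hunk after it are part of the same problem. Keeping the one-octet index variables avoids the truncation; the function starts and ends outside these hunks.

```c
u8 center_freq1_idx = 0, center_freq2_idx = 0;
/* … unchanged: op_class/channel lookup and width selection … */
if (vht) {
	center_freq1_idx = hapd->iconf->vht_oper_centr_freq_seg0_idx;
	if (width == NR_CHAN_WIDTH_80P80)
		center_freq2_idx =
			hapd->iconf->vht_oper_centr_freq_seg1_idx;
} else if (ht) {
	ieee80211_freq_to_chan(hapd->iface->freq +
			       10 * hapd->iconf->secondary_channel,
			       &center_freq1_idx);
}
/* … unchanged: SSID copy and neighbor report header fields … */
wpabuf_put_u8(nr, center_freq1_idx);
wpabuf_put_u8(nr, center_freq2_idx);
```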
@@ -1639,11 +1641,11 @@
wpabuf_put_u8(nr, WNM_NEIGHBOR_WIDE_BW_CHAN);
wpabuf_put_u8(nr, 3);
wpabuf_put_u8(nr, width);
- wpabuf_put_u8(nr, center_freq1_idx);
- wpabuf_put_u8(nr, center_freq2_idx);
+ wpabuf_put_u8(nr, center_freq1);
+ wpabuf_put_u8(nr, center_freq2);
hostapd_neighbor_set(hapd, hapd->own_addr, &ssid, nr, hapd->iconf->lci,
- hapd->iconf->civic, hapd->iconf->stationary_ap);
+ hapd->iconf->civic);
wpabuf_free(nr);
#endif /* NEED_AP_MLME */
diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
index fd5aaed..dec46f6 100644
--- a/src/ap/hostapd.h
+++ b/src/ap/hostapd.h
@@ -109,7 +109,6 @@
struct wpabuf *civic;
/* LCI update time */
struct os_time lci_date;
- int stationary;
};
/**
@@ -312,7 +311,6 @@
struct dl_list list;
u8 addr[ETH_ALEN];
struct os_reltime last_seen;
- int ssi_signal;
#ifdef CONFIG_TAXONOMY
struct wpabuf *probe_ie_taxonomy;
#endif /* CONFIG_TAXONOMY */
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 0b3d2f2..f1c396b 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -303,7 +303,7 @@
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
static void handle_auth_ft_finish(void *ctx, const u8 *dst, const u8 *bssid,
u16 auth_transaction, u16 status,
const u8 *ies, size_t ies_len)
@@ -334,7 +334,7 @@
sta->flags |= WLAN_STA_AUTH;
mlme_authenticate_indication(hapd, sta);
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_SAE
@@ -619,7 +619,7 @@
* message now to get alternating sequence of
* Authentication frames between the AP and STA.
* Confirm will be sent in
- * Committed -> Confirmed/Accepted transition
+ * Commited -> Confirmed/Accepted transition
* when receiving Confirm from STA.
*/
}
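Review bot: The comment line restored in this hunk misspells the SAE state name as `Commited`. The spelling fix is independent of the functional changes being reverted, so the line can stay as `* Committed -> Confirmed/Accepted transition`. The surrounding function starts and ends outside the hunk.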
@@ -980,318 +980,6 @@
#endif /* CONFIG_SAE */
-static u16 wpa_res_to_status_code(int res)
-{
- if (res == WPA_INVALID_GROUP)
- return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
- if (res == WPA_INVALID_PAIRWISE)
- return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
- if (res == WPA_INVALID_AKMP)
- return WLAN_STATUS_AKMP_NOT_VALID;
- if (res == WPA_ALLOC_FAIL)
- return WLAN_STATUS_UNSPECIFIED_FAILURE;
-#ifdef CONFIG_IEEE80211W
- if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
- return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
- if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
- return WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
-#endif /* CONFIG_IEEE80211W */
- if (res == WPA_INVALID_MDIE)
- return WLAN_STATUS_INVALID_MDIE;
- if (res != WPA_IE_OK)
- return WLAN_STATUS_INVALID_IE;
- return WLAN_STATUS_SUCCESS;
-}
-
-
-#ifdef CONFIG_FILS
-
-static void handle_auth_fils_finish(struct hostapd_data *hapd,
- struct sta_info *sta, u16 resp,
- struct rsn_pmksa_cache_entry *pmksa,
- struct wpabuf *erp_resp,
- const u8 *msk, size_t msk_len);
-
-static void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
- const struct ieee80211_mgmt *mgmt, size_t len,
- u16 auth_transaction, u16 status_code)
-{
- u16 resp = WLAN_STATUS_SUCCESS;
- const u8 *pos, *end;
- struct ieee802_11_elems elems;
- int res;
- struct wpa_ie_data rsn;
- struct rsn_pmksa_cache_entry *pmksa = NULL;
-
- if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS)
- return;
-
- pos = mgmt->u.auth.variable;
- end = ((const u8 *) mgmt) + len;
-
- wpa_hexdump(MSG_DEBUG, "FILS: Authentication frame fields",
- pos, end - pos);
-
- /* TODO: Finite Cyclic Group when using PK or PFS */
- /* TODO: Element when using PK or PFS */
-
- wpa_hexdump(MSG_DEBUG, "FILS: Remaining IEs", pos, end - pos);
- if (ieee802_11_parse_elems(pos, end - pos, &elems, 1) == ParseFailed) {
- wpa_printf(MSG_DEBUG, "FILS: Could not parse elements");
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
-
- /* RSNE */
- wpa_hexdump(MSG_DEBUG, "FILS: RSN element",
- elems.rsn_ie, elems.rsn_ie_len);
- if (!elems.rsn_ie ||
- wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
- &rsn) < 0) {
- wpa_printf(MSG_DEBUG, "FILS: No valid RSN element");
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
-
- if (!sta->wpa_sm)
- sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, sta->addr,
- NULL);
- if (!sta->wpa_sm) {
- wpa_printf(MSG_DEBUG,
- "FILS: Failed to initialize RSN state machine");
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
-
- res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
- elems.rsn_ie - 2, elems.rsn_ie_len + 2,
- elems.mdie, elems.mdie_len);
- resp = wpa_res_to_status_code(res);
- if (resp != WLAN_STATUS_SUCCESS)
- goto fail;
-
- /* TODO: MDE when using FILS+FT */
- /* TODO: FTE when using FILS+FT */
-
- if (!elems.fils_nonce) {
- wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
- wpa_hexdump(MSG_DEBUG, "FILS: SNonce", elems.fils_nonce,
- FILS_NONCE_LEN);
- os_memcpy(sta->fils_snonce, elems.fils_nonce, FILS_NONCE_LEN);
-
- /* PMKID List */
- if (rsn.pmkid && rsn.num_pmkid > 0) {
- u8 num;
- const u8 *pmkid;
-
- wpa_hexdump(MSG_DEBUG, "FILS: PMKID List",
- rsn.pmkid, rsn.num_pmkid * PMKID_LEN);
-
- pmkid = rsn.pmkid;
- num = rsn.num_pmkid;
- while (num) {
- wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
- pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr,
- pmkid);
- if (pmksa)
- break;
- pmkid += PMKID_LEN;
- num--;
- }
- }
- if (pmksa && wpa_auth_sta_key_mgmt(sta->wpa_sm) != pmksa->akmp) {
- wpa_printf(MSG_DEBUG,
- "FILS: Matching PMKSA cache entry has different AKMP (0x%x != 0x%x) - ignore",
- wpa_auth_sta_key_mgmt(sta->wpa_sm), pmksa->akmp);
- pmksa = NULL;
- }
- if (pmksa)
- wpa_printf(MSG_DEBUG, "FILS: Found matching PMKSA cache entry");
-
- /* FILS Session */
- if (!elems.fils_session) {
- wpa_printf(MSG_DEBUG, "FILS: No FILS Session element");
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
- wpa_hexdump(MSG_DEBUG, "FILS: FILS Session", elems.fils_session,
- FILS_SESSION_LEN);
- os_memcpy(sta->fils_session, elems.fils_session, FILS_SESSION_LEN);
-
- /* FILS Wrapped Data */
- if (elems.fils_wrapped_data) {
- wpa_hexdump(MSG_DEBUG, "FILS: Wrapped Data",
- elems.fils_wrapped_data,
- elems.fils_wrapped_data_len);
- if (!pmksa) {
-#ifndef CONFIG_NO_RADIUS
- if (!sta->eapol_sm) {
- sta->eapol_sm =
- ieee802_1x_alloc_eapol_sm(hapd, sta);
- }
- wpa_printf(MSG_DEBUG,
- "FILS: Forward EAP-Identity/Re-auth Start to authentication server");
- ieee802_1x_encapsulate_radius(
- hapd, sta, elems.fils_wrapped_data,
- elems.fils_wrapped_data_len);
- wpa_printf(MSG_DEBUG,
- "FILS: Will send Authentication frame once the response from authentication server is available");
- sta->flags |= WLAN_STA_PENDING_FILS_ERP;
- return;
-#else /* CONFIG_NO_RADIUS */
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
-#endif /* CONFIG_NO_RADIUS */
- }
- }
-
-fail:
- handle_auth_fils_finish(hapd, sta, resp, pmksa, NULL, NULL, 0);
-}
-
-
-static void handle_auth_fils_finish(struct hostapd_data *hapd,
- struct sta_info *sta, u16 resp,
- struct rsn_pmksa_cache_entry *pmksa,
- struct wpabuf *erp_resp,
- const u8 *msk, size_t msk_len)
-{
- u8 fils_nonce[FILS_NONCE_LEN];
- size_t ielen;
- struct wpabuf *data = NULL;
- const u8 *ie;
- u8 *ie_buf = NULL;
- const u8 *pmk = NULL;
- size_t pmk_len = 0;
-
- if (resp != WLAN_STATUS_SUCCESS)
- goto fail;
-
- ie = wpa_auth_get_wpa_ie(hapd->wpa_auth, &ielen);
- if (!ie) {
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
- if (pmksa) {
- /* Add PMKID of the selected PMKSA into RSNE */
- ie_buf = os_malloc(ielen + 2 + 2 + PMKID_LEN);
- if (!ie_buf) {
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
- os_memcpy(ie_buf, ie, ielen);
- if (wpa_insert_pmkid(ie_buf, &ielen, pmksa->pmkid) < 0) {
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
- ie = ie_buf;
- }
-
- if (random_get_bytes(fils_nonce, FILS_NONCE_LEN) < 0) {
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
- wpa_hexdump(MSG_DEBUG, "RSN: Generated FILS Nonce",
- fils_nonce, FILS_NONCE_LEN);
-
- data = wpabuf_alloc(1000 + ielen);
- if (!data) {
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
-
- /* TODO: Finite Cyclic Group when using PK or PFS */
- /* TODO: Element when using PK or PFS */
-
- /* RSNE */
- wpabuf_put_data(data, ie, ielen);
-
- /* TODO: MDE when using FILS+FT */
- /* TODO: FTE when using FILS+FT */
-
- /* FILS Nonce */
- wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
- wpabuf_put_u8(data, 1 + FILS_NONCE_LEN); /* Length */
- /* Element ID Extension */
- wpabuf_put_u8(data, WLAN_EID_EXT_FILS_NONCE);
- wpabuf_put_data(data, fils_nonce, FILS_NONCE_LEN);
-
- /* FILS Session */
- wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
- wpabuf_put_u8(data, 1 + FILS_SESSION_LEN); /* Length */
- /* Element ID Extension */
- wpabuf_put_u8(data, WLAN_EID_EXT_FILS_SESSION);
- wpabuf_put_data(data, sta->fils_session, FILS_SESSION_LEN);
-
- /* FILS Wrapped Data */
- if (!pmksa && erp_resp) {
- wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
- wpabuf_put_u8(data, 1 + wpabuf_len(erp_resp)); /* Length */
- /* Element ID Extension */
- wpabuf_put_u8(data, WLAN_EID_EXT_FILS_WRAPPED_DATA);
- wpabuf_put_buf(data, erp_resp);
-
- pmk = msk;
- pmk_len = msk_len > PMK_LEN ? PMK_LEN : msk_len;
- } else if (pmksa) {
- pmk = pmksa->pmk;
- pmk_len = pmksa->pmk_len;
- }
-
- if (!pmk) {
- wpa_printf(MSG_DEBUG, "FILS: No PMK available");
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- wpabuf_free(data);
- data = NULL;
- goto fail;
- }
-
- if (fils_auth_pmk_to_ptk(sta->wpa_sm, pmk, pmk_len,
- sta->fils_snonce, fils_nonce) < 0) {
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- wpabuf_free(data);
- data = NULL;
- goto fail;
- }
-
-fail:
- send_auth_reply(hapd, sta->addr, hapd->own_addr, WLAN_AUTH_FILS_SK, 2,
- resp,
- data ? wpabuf_head(data) : (u8 *) "",
- data ? wpabuf_len(data) : 0);
- wpabuf_free(data);
-
- if (resp == WLAN_STATUS_SUCCESS) {
- hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
- HOSTAPD_LEVEL_DEBUG,
- "authentication OK (FILS)");
- sta->flags |= WLAN_STA_AUTH;
- wpa_auth_sm_event(sta->wpa_sm, WPA_AUTH);
- sta->auth_alg = WLAN_AUTH_FILS_SK;
- mlme_authenticate_indication(hapd, sta);
- }
-
- os_free(ie_buf);
-}
-
-
-void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
- struct sta_info *sta, int success,
- struct wpabuf *erp_resp,
- const u8 *msk, size_t msk_len)
-{
- sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
- handle_auth_fils_finish(hapd, sta, success ? WLAN_STATUS_SUCCESS :
- WLAN_STATUS_UNSPECIFIED_FAILURE, NULL,
- erp_resp, msk, msk_len);
-}
-
-#endif /* CONFIG_FILS */
-
-
static void handle_auth(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len)
{
@@ -1365,18 +1053,14 @@
if (!(((hapd->conf->auth_algs & WPA_AUTH_ALG_OPEN) &&
auth_alg == WLAN_AUTH_OPEN) ||
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
(hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
auth_alg == WLAN_AUTH_FT) ||
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_SAE
(hapd->conf->wpa && wpa_key_mgmt_sae(hapd->conf->wpa_key_mgmt) &&
auth_alg == WLAN_AUTH_SAE) ||
#endif /* CONFIG_SAE */
-#ifdef CONFIG_FILS
- (hapd->conf->wpa && wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt) &&
- auth_alg == WLAN_AUTH_FILS_SK) ||
-#endif /* CONFIG_FILS */
((hapd->conf->auth_algs & WPA_AUTH_ALG_SHARED) &&
auth_alg == WLAN_AUTH_SHARED_KEY))) {
wpa_printf(MSG_INFO, "Unsupported authentication algorithm (%d)",
@@ -1478,7 +1162,6 @@
sta = ap_get_sta(hapd, mgmt->sa);
if (sta) {
- sta->flags &= ~WLAN_STA_PENDING_FILS_ERP;
if ((fc & WLAN_FC_RETRY) &&
sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
sta->last_seq_ctrl == seq_ctrl &&
@@ -1633,7 +1316,7 @@
}
break;
#endif /* CONFIG_NO_RC4 */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
case WLAN_AUTH_FT:
sta->auth_alg = WLAN_AUTH_FT;
if (sta->wpa_sm == NULL)
@@ -1652,7 +1335,7 @@
handle_auth_ft_finish, hapd);
/* handle_auth_ft_finish() callback will complete auth. */
return;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_SAE
case WLAN_AUTH_SAE:
#ifdef CONFIG_MESH
@@ -1674,12 +1357,6 @@
status_code);
return;
#endif /* CONFIG_SAE */
-#ifdef CONFIG_FILS
- case WLAN_AUTH_FILS_SK:
- handle_auth_fils(hapd, sta, mgmt, len, auth_transaction,
- status_code);
- return;
-#endif /* CONFIG_FILS */
}
fail:
@@ -1968,7 +1645,24 @@
res = wpa_validate_wpa_ie(hapd->wpa_auth, sta->wpa_sm,
wpa_ie, wpa_ie_len,
elems.mdie, elems.mdie_len);
- resp = wpa_res_to_status_code(res);
+ if (res == WPA_INVALID_GROUP)
+ resp = WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
+ else if (res == WPA_INVALID_PAIRWISE)
+ resp = WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
+ else if (res == WPA_INVALID_AKMP)
+ resp = WLAN_STATUS_AKMP_NOT_VALID;
+ else if (res == WPA_ALLOC_FAIL)
+ resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+#ifdef CONFIG_IEEE80211W
+ else if (res == WPA_MGMT_FRAME_PROTECTION_VIOLATION)
+ resp = WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
+ else if (res == WPA_INVALID_MGMT_GROUP_CIPHER)
+ resp = WLAN_STATUS_ROBUST_MGMT_FRAME_POLICY_VIOLATION;
+#endif /* CONFIG_IEEE80211W */
+ else if (res == WPA_INVALID_MDIE)
+ resp = WLAN_STATUS_INVALID_MDIE;
+ else if (res != WPA_IE_OK)
+ resp = WLAN_STATUS_INVALID_IE;
if (resp != WLAN_STATUS_SUCCESS)
return resp;
#ifdef CONFIG_IEEE80211W
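Review bot: The inlined `if`/`else if` chain has no final `else`, so when `res == WPA_IE_OK` the variable `resp` keeps whatever value it had before `wpa_validate_wpa_ie()` was called. Nothing in the visible lines assigns it, so the `resp != WLAN_STATUS_SUCCESS` test that follows depends on state set earlier in the function, outside the hunk. The removed helper returned `WLAN_STATUS_SUCCESS` explicitly; the chain can do the same by ending with `else` followed by `resp = WLAN_STATUS_SUCCESS;`. That keeps the accept/reject decision for the station's RSN element self-contained. The function starts and ends outside the hunk.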
@@ -1996,7 +1690,7 @@
sta->flags &= ~WLAN_STA_MFP;
#endif /* CONFIG_IEEE80211W */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (sta->auth_alg == WLAN_AUTH_FT) {
if (!reassoc) {
wpa_printf(MSG_DEBUG, "FT: " MACSTR " tried "
@@ -2011,7 +1705,7 @@
if (resp != WLAN_STATUS_SUCCESS)
return resp;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_SAE
if (wpa_auth_uses_sae(sta->wpa_sm) &&
@@ -2229,7 +1923,7 @@
/* Extended supported rates */
p = hostapd_eid_ext_supp_rates(hapd, p);
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (status_code == WLAN_STATUS_SUCCESS) {
/* IEEE 802.11r: Mobility Domain Information, Fast BSS
* Transition Information, RSN, [RIC Response] */
@@ -2237,7 +1931,7 @@
buf + sizeof(buf) - p,
sta->auth_alg, ies, ies_len);
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_IEEE80211W
if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY)
@@ -2347,31 +2041,6 @@
send_len += p - reply->u.assoc_resp.variable;
-#ifdef CONFIG_FILS
- if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
- sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
- sta->auth_alg == WLAN_AUTH_FILS_PK) &&
- status_code == WLAN_STATUS_SUCCESS) {
- struct ieee802_11_elems elems;
-
- if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
- ParseFailed || !elems.fils_session)
- return WLAN_STATUS_UNSPECIFIED_FAILURE;
-
- /* FILS Session */
- *p++ = WLAN_EID_EXTENSION; /* Element ID */
- *p++ = 1 + FILS_SESSION_LEN; /* Length */
- *p++ = WLAN_EID_EXT_FILS_SESSION; /* Element ID Extension */
- os_memcpy(p, elems.fils_session, FILS_SESSION_LEN);
- send_len += 2 + 1 + FILS_SESSION_LEN;
-
- send_len = fils_encrypt_assoc(sta->wpa_sm, buf, send_len,
- sizeof(buf));
- if (send_len < 0)
- return WLAN_STATUS_UNSPECIFIED_FAILURE;
- }
-#endif /* CONFIG_FILS */
-
if (hostapd_drv_send_mlme(hapd, reply, send_len, 0) < 0) {
wpa_printf(MSG_INFO, "Failed to send assoc resp: %s",
strerror(errno));
@@ -2391,7 +2060,6 @@
const u8 *pos;
int left, i;
struct sta_info *sta;
- u8 *tmp = NULL;
if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
sizeof(mgmt->u.assoc_req))) {
@@ -2449,7 +2117,7 @@
}
sta = ap_get_sta(hapd, mgmt->sa);
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (sta && sta->auth_alg == WLAN_AUTH_FT &&
(sta->flags & WLAN_STA_AUTH) == 0) {
wpa_printf(MSG_DEBUG, "FT: Allow STA " MACSTR " to associate "
@@ -2462,7 +2130,7 @@
*/
sta->flags |= WLAN_STA_AUTH;
} else
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
HOSTAPD_LEVEL_INFO, "Station tried to "
@@ -2517,30 +2185,6 @@
*/
sta->capability = capab_info;
-#ifdef CONFIG_FILS
- if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
- sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
- sta->auth_alg == WLAN_AUTH_FILS_PK) {
- /* The end of the payload is encrypted. Need to decrypt it
- * before parsing. */
-
- tmp = os_malloc(left);
- if (!tmp) {
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
- os_memcpy(tmp, pos, left);
-
- left = fils_decrypt_assoc(sta->wpa_sm, sta->fils_session, mgmt,
- len, tmp, left);
- if (left < 0) {
- resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
- goto fail;
- }
- pos = tmp;
- }
-#endif /* CONFIG_FILS */
-
/* followed by SSID and Supported rates; and HT capabilities if 802.11n
* is used */
resp = check_assoc_ies(hapd, sta, pos, left, reassoc);
@@ -2650,7 +2294,6 @@
resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
reply_res = send_assoc_resp(hapd, sta, resp, reassoc, pos, left);
- os_free(tmp);
/*
* Remove the station in case tranmission of a success response fails
@@ -2863,14 +2506,14 @@
}
switch (mgmt->u.action.category) {
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
case WLAN_ACTION_FT:
if (!sta ||
wpa_ft_action_rx(sta->wpa_sm, (u8 *) &mgmt->u.action,
len - IEEE80211_HDRLEN))
break;
return 1;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
case WLAN_ACTION_WMM:
hostapd_wmm_action(hapd, mgmt, len);
return 1;
@@ -3029,7 +2672,7 @@
}
if (hapd->iconf->track_sta_max_num)
- sta_track_add(hapd->iface, mgmt->sa, fi->ssi_signal);
+ sta_track_add(hapd->iface, mgmt->sa);
switch (stype) {
case WLAN_FC_STYPE_AUTH:
@@ -3203,15 +2846,11 @@
new_assoc = 0;
sta->flags |= WLAN_STA_ASSOC;
sta->flags &= ~WLAN_STA_WNM_SLEEP_MODE;
- if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa &&
- !hapd->conf->osen) ||
- sta->auth_alg == WLAN_AUTH_FILS_SK ||
- sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
- sta->auth_alg == WLAN_AUTH_FILS_PK ||
+ if ((!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen) ||
sta->auth_alg == WLAN_AUTH_FT) {
/*
- * Open, static WEP, FT protocol, or FILS; no separate
- * authorization step.
+ * Open, static WEP, or FT protocol; no separate authorization
+ * step.
*/
ap_sta_set_authorized(hapd, sta, 1);
}
@@ -3258,18 +2897,6 @@
hapd->new_assoc_sta_cb(hapd, sta, !new_assoc);
ieee802_1x_notify_port_enabled(sta->eapol_sm, 1);
-#ifdef CONFIG_FILS
- if ((sta->auth_alg == WLAN_AUTH_FILS_SK ||
- sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
- sta->auth_alg == WLAN_AUTH_FILS_PK) &&
- fils_set_tk(sta->wpa_sm) < 0) {
- wpa_printf(MSG_DEBUG, "FILS: TK configuration failed");
- ap_sta_disconnect(hapd, sta, sta->addr,
- WLAN_REASON_UNSPECIFIED);
- return;
- }
-#endif /* CONFIG_FILS */
-
if (sta->pending_eapol_rx) {
struct os_reltime now, age;
diff --git a/src/ap/ieee802_11.h b/src/ap/ieee802_11.h
index 46c92b7..0327dec 100644
--- a/src/ap/ieee802_11.h
+++ b/src/ap/ieee802_11.h
@@ -135,10 +135,4 @@
const u8 *supp_op_classes,
size_t supp_op_classes_len);
-u8 * hostapd_eid_fils_indic(struct hostapd_data *hapd, u8 *eid, int hessid);
-void ieee802_11_finish_fils_auth(struct hostapd_data *hapd,
- struct sta_info *sta, int success,
- struct wpabuf *erp_resp,
- const u8 *msk, size_t msk_len);
-
#endif /* IEEE802_11_H */
diff --git a/src/ap/ieee802_11_shared.c b/src/ap/ieee802_11_shared.c
index 97b1d67..259413b 100644
--- a/src/ap/ieee802_11_shared.c
+++ b/src/ap/ieee802_11_shared.c
@@ -218,19 +218,11 @@
if (hapd->conf->ssid.utf8_ssid)
*pos |= 0x01; /* Bit 48 - UTF-8 SSID */
break;
- case 7: /* Bits 56-63 */
- break;
case 8: /* Bits 64-71 */
if (hapd->conf->ftm_responder)
*pos |= 0x40; /* Bit 70 - FTM responder */
if (hapd->conf->ftm_initiator)
*pos |= 0x80; /* Bit 71 - FTM initiator */
- case 9: /* Bits 72-79 */
-#ifdef CONFIG_FILS
- if ((hapd->conf->wpa & WPA_PROTO_RSN) &&
- wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt))
- *pos |= 0x01;
-#endif /* CONFIG_FILS */
break;
}
}
@@ -266,11 +258,6 @@
if (hapd->conf->mbo_enabled && len < 6)
len = 6;
#endif /* CONFIG_MBO */
-#ifdef CONFIG_FILS
- if ((!(hapd->conf->wpa & WPA_PROTO_RSN) ||
- !wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt)) && len < 10)
- len = 10;
-#endif /* CONFIG_FILS */
if (len < hapd->iface->extended_capa_len)
len = hapd->iface->extended_capa_len;
if (len == 0)
@@ -597,56 +584,3 @@
os_memcpy(sta->supp_op_classes + 1, supp_op_classes,
supp_op_classes_len);
}
-
-
-u8 * hostapd_eid_fils_indic(struct hostapd_data *hapd, u8 *eid, int hessid)
-{
- u8 *pos = eid;
-#ifdef CONFIG_FILS
- u8 *len;
- u16 fils_info = 0;
-
- if (!(hapd->conf->wpa & WPA_PROTO_RSN) ||
- !wpa_key_mgmt_fils(hapd->conf->wpa_key_mgmt))
- return pos;
-
- *pos++ = WLAN_EID_FILS_INDICATION;
- len = pos++;
- /* TODO: B0..B2: Number of Public Key Identifiers */
- if (hapd->conf->erp_domain) {
- /* TODO: Support for setting multiple domain identifiers */
- /* B3..B5: Number of Realm Identifiers */
- fils_info |= BIT(3);
- }
- /* TODO: B6: FILS IP Address Configuration */
- if (hapd->conf->fils_cache_id_set)
- fils_info |= BIT(7);
- if (hessid && !is_zero_ether_addr(hapd->conf->hessid))
- fils_info |= BIT(8); /* HESSID Included */
- /* FILS Shared Key Authentication without PFS Supported */
- fils_info |= BIT(9);
- /* TODO: B10: FILS Shared Key Authentication with PFS Supported */
- /* TODO: B11: FILS Public Key Authentication Supported */
- /* B12..B15: Reserved */
- WPA_PUT_LE16(pos, fils_info);
- pos += 2;
- if (hapd->conf->fils_cache_id_set) {
- os_memcpy(pos, hapd->conf->fils_cache_id, FILS_CACHE_ID_LEN);
- pos += FILS_CACHE_ID_LEN;
- }
- if (hessid && !is_zero_ether_addr(hapd->conf->hessid)) {
- os_memcpy(pos, hapd->conf->hessid, ETH_ALEN);
- pos += ETH_ALEN;
- }
- if (hapd->conf->erp_domain) {
- u16 hash;
-
- hash = fils_domain_name_hash(hapd->conf->erp_domain);
- WPA_PUT_LE16(pos, hash);
- pos += 2;
- }
- *len = pos - len - 1;
-#endif /* CONFIG_FILS */
-
- return pos;
-}
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 7ac337d..80ff996 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -31,8 +31,6 @@
#include "ap_drv_ops.h"
#include "wps_hostapd.h"
#include "hs20.h"
-/* FIX: Not really a good thing to require ieee802_11.h here.. (FILS) */
-#include "ieee802_11.h"
#include "ieee802_1x.h"
@@ -318,7 +316,6 @@
hdr->code != EAP_CODE_INITIATE))
return;
- eap_erp_update_identity(sm->eap, eap, len);
identity = eap_get_identity(sm->eap, &identity_len);
if (identity == NULL)
return;
@@ -475,7 +472,7 @@
}
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) &&
sta->wpa_sm &&
(wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) ||
@@ -488,7 +485,7 @@
wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id");
return -1;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm &&
add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0)
@@ -591,9 +588,9 @@
}
-void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
- struct sta_info *sta,
- const u8 *eap, size_t len)
+static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
+ struct sta_info *sta,
+ const u8 *eap, size_t len)
{
struct radius_msg *msg;
struct eapol_state_machine *sm = sta->eapol_sm;
@@ -848,7 +845,7 @@
}
-struct eapol_state_machine *
+static struct eapol_state_machine *
ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta)
{
int flags = 0;
@@ -1157,7 +1154,7 @@
sta->eapol_sm->eap_if->portEnabled = TRUE;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (sta->auth_alg == WLAN_AUTH_FT) {
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
HOSTAPD_LEVEL_DEBUG,
@@ -1176,29 +1173,7 @@
/* TODO: get vlan_id from R0KH using RRB message */
return;
}
-#endif /* CONFIG_IEEE80211R_AP */
-
-#ifdef CONFIG_FILS
- if (sta->auth_alg == WLAN_AUTH_FILS_SK ||
- sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
- sta->auth_alg == WLAN_AUTH_FILS_PK) {
- hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
- HOSTAPD_LEVEL_DEBUG,
- "PMK from FILS - skip IEEE 802.1X/EAP");
- /* Setup EAPOL state machines to already authenticated state
- * because of existing FILS information. */
- sta->eapol_sm->keyRun = TRUE;
- sta->eapol_sm->eap_if->eapKeyAvailable = TRUE;
- sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING;
- sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS;
- sta->eapol_sm->authSuccess = TRUE;
- sta->eapol_sm->authFail = FALSE;
- sta->eapol_sm->portValid = TRUE;
- if (sta->eapol_sm->eap)
- eap_sm_notify_cached(sta->eapol_sm->eap);
- return;
- }
-#endif /* CONFIG_FILS */
+#endif /* CONFIG_IEEE80211R */
pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
if (pmksa) {
@@ -1862,19 +1837,6 @@
if (override_eapReq)
sm->eap_if->aaaEapReq = FALSE;
-#ifdef CONFIG_FILS
-#ifdef NEED_AP_MLME
- if (sta->flags & WLAN_STA_PENDING_FILS_ERP) {
- /* TODO: Add a PMKSA entry on success? */
- ieee802_11_finish_fils_auth(
- hapd, sta, hdr->code == RADIUS_CODE_ACCESS_ACCEPT,
- sm->eap_if->aaaEapReqData,
- sm->eap_if->aaaEapKeyData,
- sm->eap_if->aaaEapKeyDataLen);
- }
-#endif /* NEED_AP_MLME */
-#endif /* CONFIG_FILS */
-
eapol_auth_step(sm);
return RADIUS_RX_QUEUED;
diff --git a/src/ap/ieee802_1x.h b/src/ap/ieee802_1x.h
index 9594661..ec80199 100644
--- a/src/ap/ieee802_1x.h
+++ b/src/ap/ieee802_1x.h
@@ -57,10 +57,5 @@
struct hostapd_radius_attr *req_attr,
struct sta_info *sta,
struct radius_msg *msg);
-void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
- struct sta_info *sta,
- const u8 *eap, size_t len);
-struct eapol_state_machine *
-ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta);
#endif /* IEEE802_1X_H */
diff --git a/src/ap/neighbor_db.c b/src/ap/neighbor_db.c
index b8fd592..a2efff6 100644
--- a/src/ap/neighbor_db.c
+++ b/src/ap/neighbor_db.c
@@ -43,7 +43,6 @@
nr->civic = NULL;
os_memset(nr->bssid, 0, sizeof(nr->bssid));
os_memset(&nr->ssid, 0, sizeof(nr->ssid));
- nr->stationary = 0;
}
@@ -65,7 +64,7 @@
int hostapd_neighbor_set(struct hostapd_data *hapd, const u8 *bssid,
const struct wpa_ssid_value *ssid,
const struct wpabuf *nr, const struct wpabuf *lci,
- const struct wpabuf *civic, int stationary)
+ const struct wpabuf *civic)
{
struct hostapd_neighbor_entry *entry;
@@ -84,20 +83,18 @@
if (!entry->nr)
goto fail;
- if (lci && wpabuf_len(lci)) {
+ if (lci) {
entry->lci = wpabuf_dup(lci);
if (!entry->lci || os_get_time(&entry->lci_date))
goto fail;
}
- if (civic && wpabuf_len(civic)) {
+ if (civic) {
entry->civic = wpabuf_dup(civic);
if (!entry->civic)
goto fail;
}
- entry->stationary = stationary;
-
return 0;
fail:
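Review bot: The `if (lci)` and `if (civic)` checks accept a zero-length wpabuf, so an empty buffer is duplicated and, for LCI, stamped with `lci_date` as if location data were present. Whether callers can pass empty buffers is not visible here, but if they can, later consumers would see a non-NULL entry with no content. Guarding with `if (lci && wpabuf_len(lci))` and `if (civic && wpabuf_len(civic))` avoids that. hostapd_neighbor_set starts in the previous hunk and continues past the `fail:` label.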
diff --git a/src/ap/neighbor_db.h b/src/ap/neighbor_db.h
index ba46d88..c22e043 100644
--- a/src/ap/neighbor_db.h
+++ b/src/ap/neighbor_db.h
@@ -16,7 +16,7 @@
int hostapd_neighbor_set(struct hostapd_data *hapd, const u8 *bssid,
const struct wpa_ssid_value *ssid,
const struct wpabuf *nr, const struct wpabuf *lci,
- const struct wpabuf *civic, int stationary);
+ const struct wpabuf *civic);
int hostapd_neighbor_remove(struct hostapd_data *hapd, const u8 *bssid,
const struct wpa_ssid_value *ssid);
void hostpad_free_neighbor_db(struct hostapd_data *hapd);
diff --git a/src/ap/rrm.c b/src/ap/rrm.c
index 5ca87c0..3569f95 100644
--- a/src/ap/rrm.c
+++ b/src/ap/rrm.c
@@ -129,12 +129,12 @@
struct os_time curr, diff;
unsigned long diff_l;
- if (nr->stationary || max_age == 0xffff)
- return 1;
-
if (!max_age)
return 0;
+ if (max_age == 0xffff)
+ return 1;
+
if (os_get_time(&curr))
return 0;
diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h
index a416337..099de62 100644
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -17,7 +17,6 @@
#include "list.h"
#include "vlan.h"
-#include "common/ieee802_11_defs.h"
/* STA flags */
#define WLAN_STA_AUTH BIT(0)
@@ -39,7 +38,6 @@
#define WLAN_STA_WNM_SLEEP_MODE BIT(19)
#define WLAN_STA_VHT_OPMODE_ENABLED BIT(20)
#define WLAN_STA_VENDOR_VHT BIT(21)
-#define WLAN_STA_PENDING_FILS_ERP BIT(22)
#define WLAN_STA_PENDING_DISASSOC_CB BIT(29)
#define WLAN_STA_PENDING_DEAUTH_CB BIT(30)
#define WLAN_STA_NONERP BIT(31)
@@ -220,11 +218,6 @@
struct wpabuf *probe_ie_taxonomy;
struct wpabuf *assoc_ie_taxonomy;
#endif /* CONFIG_TAXONOMY */
-
-#ifdef CONFIG_FILS
- u8 fils_snonce[FILS_NONCE_LEN];
- u8 fils_session[FILS_SESSION_LEN];
-#endif /* CONFIG_FILS */
};
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 43e3558..3587086 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -13,9 +13,7 @@
#include "utils/state_machine.h"
#include "utils/bitfield.h"
#include "common/ieee802_11_defs.h"
-#include "crypto/aes.h"
#include "crypto/aes_wrap.h"
-#include "crypto/aes_siv.h"
#include "crypto/crypto.h"
#include "crypto/sha1.h"
#include "crypto/sha256.h"
@@ -37,10 +35,6 @@
static int wpa_sm_step(struct wpa_state_machine *sm);
static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
size_t data_len);
-#ifdef CONFIG_FILS
-static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
- u8 *buf, size_t buf_len, u16 *_key_data_len);
-#endif /* CONFIG_FILS */
static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
struct wpa_group *group);
@@ -58,7 +52,6 @@
struct wpa_group *group);
static void wpa_group_put(struct wpa_authenticator *wpa_auth,
struct wpa_group *group);
-static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
static const u32 dot11RSNAConfigGroupUpdateCount = 4;
static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
@@ -239,10 +232,10 @@
static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
{
int ret = 0;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
ret = 1;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_IEEE80211W
if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
ret = 1;
@@ -450,7 +443,7 @@
return NULL;
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
if (wpa_auth->ft_pmk_cache == NULL) {
wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
@@ -460,7 +453,7 @@
os_free(wpa_auth);
return NULL;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
if (wpa_auth->conf.wpa_gmk_rekey) {
eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
@@ -520,10 +513,10 @@
pmksa_cache_auth_deinit(wpa_auth->pmksa);
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
wpa_auth->ft_pmk_cache = NULL;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_P2P
bitfield_free(wpa_auth->ip_pool);
@@ -606,7 +599,7 @@
if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
return -1;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (sm->ft_completed) {
wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
"FT authentication already completed - do not "
@@ -615,17 +608,7 @@
sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
return 0;
}
-#endif /* CONFIG_IEEE80211R_AP */
-
-#ifdef CONFIG_FILS
- if (sm->fils_completed) {
- wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
- "FILS authentication already completed - do not start 4-way handshake");
- /* Go to PTKINITDONE state to allow GTK rekeying */
- sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
- return 0;
- }
-#endif /* CONFIG_FILS */
+#endif /* CONFIG_IEEE80211R */
if (sm->started) {
os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
@@ -677,10 +660,10 @@
sm->group->GKeyDoneStations--;
sm->GUpdateStationKeys = FALSE;
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
os_free(sm->assoc_resp_ftie);
wpabuf_free(sm->ft_pending_req_ies);
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
os_free(sm->last_rx_eapol_key);
os_free(sm->wpa_ie);
wpa_group_put(sm->wpa_auth, sm->group);
@@ -756,7 +739,7 @@
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
struct wpa_state_machine *sm,
struct wpa_eapol_ie_parse *kde)
@@ -803,7 +786,7 @@
return 0;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
@@ -847,7 +830,6 @@
const u8 *pmk = NULL;
unsigned int pmk_len;
- os_memset(&PTK, 0, sizeof(PTK));
for (;;) {
if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
@@ -895,42 +877,39 @@
{
struct ieee802_1x_hdr *hdr;
struct wpa_eapol_key *key;
+ struct wpa_eapol_key_192 *key192;
u16 key_info, key_data_length;
enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
SMK_M1, SMK_M3, SMK_ERROR } msg;
char *msgtxt;
struct wpa_eapol_ie_parse kde;
- const u8 *key_data;
- size_t keyhdrlen, mic_len;
- u8 *mic;
+ int ft;
+ const u8 *eapol_key_ie, *key_data;
+ size_t eapol_key_ie_len, keyhdrlen, mic_len;
if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
return;
- wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
mic_len = wpa_mic_len(sm->wpa_key_mgmt);
- keyhdrlen = sizeof(*key) + mic_len + 2;
+ keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key);
- if (data_len < sizeof(*hdr) + keyhdrlen) {
- wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
+ if (data_len < sizeof(*hdr) + keyhdrlen)
return;
- }
hdr = (struct ieee802_1x_hdr *) data;
key = (struct wpa_eapol_key *) (hdr + 1);
- mic = (u8 *) (key + 1);
+ key192 = (struct wpa_eapol_key_192 *) (hdr + 1);
key_info = WPA_GET_BE16(key->key_info);
- key_data = mic + mic_len + 2;
- key_data_length = WPA_GET_BE16(mic + mic_len);
+ if (mic_len == 24) {
+ key_data = (const u8 *) (key192 + 1);
+ key_data_length = WPA_GET_BE16(key192->key_data_length);
+ } else {
+ key_data = (const u8 *) (key + 1);
+ key_data_length = WPA_GET_BE16(key->key_data_length);
+ }
wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
- " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
- MAC2STR(sm->addr), key_info, key->type,
- (unsigned int) mic_len, key_data_length);
- wpa_hexdump(MSG_MSGDUMP,
- "WPA: EAPOL-Key header (ending before Key MIC)",
- key, sizeof(*key));
- wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
- mic, mic_len);
+ " key_info=0x%x type=%u key_data_length=%u",
+ MAC2STR(sm->addr), key_info, key->type, key_data_length);
if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
"key_data overflow (%d > %lu)",
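Review bot: A frame shorter than the EAPOL-Key header is now dropped with a bare `return` at `if (data_len < sizeof(*hdr) + keyhdrlen)`, leaving nothing in the debug log. Truncated or malformed EAPOL-Key frames are worth seeing when triaging a misbehaving station, so keep one line there: `wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");`. The literal `24` that selects the `key192` layout would also read better with a short comment or a named constant saying it is the 192-bit MIC length. The enclosing function starts and ends outside this hunk.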
@@ -989,9 +968,7 @@
} else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
msg = GROUP_2;
msgtxt = "2/2 Group";
- } else if (key_data_length == 0 ||
- (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
- key_data_length == AES_BLOCK_SIZE)) {
+ } else if (key_data_length == 0) {
msg = PAIRWISE_4;
msgtxt = "4/4 Pairwise";
} else {
@@ -1008,7 +985,6 @@
if (wpa_use_aes_cmac(sm) &&
sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
!wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
- !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
wpa_auth_logger(wpa_auth, sm->addr,
LOGGER_WARNING,
@@ -1019,7 +995,6 @@
}
if (!wpa_use_aes_cmac(sm) &&
- !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
wpa_auth_logger(wpa_auth, sm->addr,
LOGGER_WARNING,
@@ -1029,8 +1004,7 @@
}
}
- if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
- wpa_key_mgmt_fils(sm->wpa_key_mgmt)) &&
+ if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
"did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
@@ -1118,15 +1092,6 @@
}
continue_processing:
-#ifdef CONFIG_FILS
- if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
- !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
- wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
- "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
- return;
- }
-#endif /* CONFIG_FILS */
-
switch (msg) {
case PAIRWISE_2:
if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
@@ -1157,6 +1122,67 @@
wpa_sta_disconnect(wpa_auth, sm->addr);
return;
}
+ if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
+ wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
+ "received EAPOL-Key msg 2/4 with "
+ "invalid Key Data contents");
+ return;
+ }
+ if (kde.rsn_ie) {
+ eapol_key_ie = kde.rsn_ie;
+ eapol_key_ie_len = kde.rsn_ie_len;
+ } else if (kde.osen) {
+ eapol_key_ie = kde.osen;
+ eapol_key_ie_len = kde.osen_len;
+ } else {
+ eapol_key_ie = kde.wpa_ie;
+ eapol_key_ie_len = kde.wpa_ie_len;
+ }
+ ft = sm->wpa == WPA_VERSION_WPA2 &&
+ wpa_key_mgmt_ft(sm->wpa_key_mgmt);
+ if (sm->wpa_ie == NULL ||
+ wpa_compare_rsn_ie(ft,
+ sm->wpa_ie, sm->wpa_ie_len,
+ eapol_key_ie, eapol_key_ie_len)) {
+ wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
+ "WPA IE from (Re)AssocReq did not "
+ "match with msg 2/4");
+ if (sm->wpa_ie) {
+ wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
+ sm->wpa_ie, sm->wpa_ie_len);
+ }
+ wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
+ eapol_key_ie, eapol_key_ie_len);
+ /* MLME-DEAUTHENTICATE.request */
+ wpa_sta_disconnect(wpa_auth, sm->addr);
+ return;
+ }
+#ifdef CONFIG_IEEE80211R
+ if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
+ wpa_sta_disconnect(wpa_auth, sm->addr);
+ return;
+ }
+#endif /* CONFIG_IEEE80211R */
+#ifdef CONFIG_P2P
+ if (kde.ip_addr_req && kde.ip_addr_req[0] &&
+ wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
+ int idx;
+ wpa_printf(MSG_DEBUG, "P2P: IP address requested in "
+ "EAPOL-Key exchange");
+ idx = bitfield_get_first_zero(wpa_auth->ip_pool);
+ if (idx >= 0) {
+ u32 start = WPA_GET_BE32(wpa_auth->conf.
+ ip_addr_start);
+ bitfield_set(wpa_auth->ip_pool, idx);
+ WPA_PUT_BE32(sm->ip_addr, start + idx);
+ wpa_printf(MSG_DEBUG, "P2P: Assigned IP "
+ "address %u.%u.%u.%u to " MACSTR,
+ sm->ip_addr[0], sm->ip_addr[1],
+ sm->ip_addr[2], sm->ip_addr[3],
+ MAC2STR(sm->addr));
+ }
+ }
+#endif /* CONFIG_P2P */
break;
case PAIRWISE_4:
if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
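Review bot: The Key Data of message 2/4 is parsed and acted on in `case PAIRWISE_2` before anything in this hunk authenticates the frame: the IE-mismatch path calls `wpa_sta_disconnect()` and the P2P block reserves an address with `bitfield_set(wpa_auth->ip_pool, idx)`. The `wpa_verify_key_mic()` call appears only further down in the function (the hunk at new line 1239) and is skipped when `sm->PTK_valid` is false, so these side effects look reachable from a frame whose MIC has not been checked; this should be confirmed against the state machine code, which is not visible here. A safer ordering keeps only the state checks in this case and runs `wpa_parse_kde_ies()`, `wpa_compare_rsn_ie()`, `ft_check_msg_2_of_4()` and the IP allocation after the MIC of message 2/4 has verified. If the order stays as it is, mark it at the top of the added block: `/* NOTE: Key Data is not authenticated yet; MIC is verified later */`. The enclosing function starts and ends outside this hunk.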
@@ -1213,26 +1239,15 @@
return;
}
- if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
- !(key_info & WPA_KEY_INFO_MIC)) {
+ if (!(key_info & WPA_KEY_INFO_MIC)) {
wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
"received invalid EAPOL-Key: Key MIC not set");
return;
}
-#ifdef CONFIG_FILS
- if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
- (key_info & WPA_KEY_INFO_MIC)) {
- wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
- "received invalid EAPOL-Key: Key MIC set");
- return;
- }
-#endif /* CONFIG_FILS */
-
sm->MICVerified = FALSE;
if (sm->PTK_valid && !sm->update_snonce) {
- if (mic_len &&
- wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data,
+ if (wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data,
data_len) &&
(msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
wpa_try_alt_snonce(sm, data, data_len))) {
@@ -1240,15 +1255,6 @@
"received EAPOL-Key with invalid MIC");
return;
}
-#ifdef CONFIG_FILS
- if (!mic_len &&
- wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
- &key_data_length) < 0) {
- wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
- "received EAPOL-Key with invalid MIC");
- return;
- }
-#endif /* CONFIG_FILS */
sm->MICVerified = TRUE;
eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
sm->pending_1_of_4_timeout = 0;
@@ -1406,24 +1412,24 @@
{
struct ieee802_1x_hdr *hdr;
struct wpa_eapol_key *key;
+ struct wpa_eapol_key_192 *key192;
size_t len, mic_len, keyhdrlen;
int alg;
int key_data_len, pad_len = 0;
u8 *buf, *pos;
int version, pairwise;
int i;
- u8 *key_mic, *key_data;
+ u8 *key_data;
mic_len = wpa_mic_len(sm->wpa_key_mgmt);
- keyhdrlen = sizeof(*key) + mic_len + 2;
+ keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key);
len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
if (force_version)
version = force_version;
else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
- wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
- wpa_key_mgmt_fils(sm->wpa_key_mgmt))
+ wpa_key_mgmt_suite_b(sm->wpa_key_mgmt))
version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
else if (wpa_use_aes_cmac(sm))
version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
@@ -1457,8 +1463,6 @@
}
len += key_data_len;
- if (!mic_len && encr)
- len += AES_BLOCK_SIZE;
hdr = os_zalloc(len);
if (hdr == NULL)
@@ -1467,7 +1471,7 @@
hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
hdr->length = host_to_be16(len - sizeof(*hdr));
key = (struct wpa_eapol_key *) (hdr + 1);
- key_mic = (u8 *) (key + 1);
+ key192 = (struct wpa_eapol_key_192 *) (hdr + 1);
key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
key->type = sm->wpa == WPA_VERSION_WPA2 ?
@@ -1506,31 +1510,10 @@
if (kde && !encr) {
os_memcpy(key_data, kde, kde_len);
- WPA_PUT_BE16(key_mic + mic_len, kde_len);
-#ifdef CONFIG_FILS
- } else if (!mic_len) {
- const u8 *aad[1];
- size_t aad_len[1];
-
- WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
- wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
- kde, kde_len);
-
- wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
- sm->PTK.kek, sm->PTK.kek_len);
- /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
- * to Key Data (exclusive). */
- aad[0] = (u8 *) hdr;
- aad_len[0] = key_mic + 2 - (u8 *) hdr;
- if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
- 1, aad, aad_len, key_mic + 2) < 0) {
- wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
- return;
- }
-
- wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
- key_mic + 2, AES_BLOCK_SIZE + kde_len);
-#endif /* CONFIG_FILS */
+ if (mic_len == 24)
+ WPA_PUT_BE16(key192->key_data_length, kde_len);
+ else
+ WPA_PUT_BE16(key->key_data_length, kde_len);
} else if (encr && kde) {
buf = os_zalloc(key_data_len);
if (buf == NULL) {
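Review bot: The `if (mic_len == 24) … else …` pair that stores Key Data Length is written out three times, here and in the next two hunks (the encrypted Key Data branches, including the RC4 one), so one copy can drift from the header layout chosen by `keyhdrlen`. A small static helper taking both header pointers would keep that choice in one place, and each call site becomes a single line. The enclosing function starts and ends outside this hunk.

```c
/* Store Key Data Length in whichever header layout mic_len selects. */
static void wpa_put_key_data_len(struct wpa_eapol_key *key,
				 struct wpa_eapol_key_192 *key192,
				 size_t mic_len, u16 key_data_len)
{
	if (mic_len == 24)
		WPA_PUT_BE16(key192->key_data_length, key_data_len);
	else
		WPA_PUT_BE16(key->key_data_length, key_data_len);
}

/* … unchanged: key_data is filled from kde … */
	wpa_put_key_data_len(key, key192, mic_len, kde_len);
```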
@@ -1556,7 +1539,12 @@
os_free(buf);
return;
}
- WPA_PUT_BE16(key_mic + mic_len, key_data_len);
+ if (mic_len == 24)
+ WPA_PUT_BE16(key192->key_data_length,
+ key_data_len);
+ else
+ WPA_PUT_BE16(key->key_data_length,
+ key_data_len);
#ifndef CONFIG_NO_RC4
} else if (sm->PTK.kek_len == 16) {
u8 ek[32];
@@ -1567,7 +1555,12 @@
os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
os_memcpy(key_data, buf, key_data_len);
rc4_skip(ek, 32, 256, key_data, key_data_len);
- WPA_PUT_BE16(key_mic + mic_len, key_data_len);
+ if (mic_len == 24)
+ WPA_PUT_BE16(key192->key_data_length,
+ key_data_len);
+ else
+ WPA_PUT_BE16(key->key_data_length,
+ key_data_len);
#endif /* CONFIG_NO_RC4 */
} else {
os_free(hdr);
@@ -1578,7 +1571,9 @@
}
if (key_info & WPA_KEY_INFO_MIC) {
- if (!sm->PTK_valid || !mic_len) {
+ u8 *key_mic;
+
+ if (!sm->PTK_valid) {
wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
"PTK not valid when sending EAPOL-Key "
"frame");
@@ -1586,6 +1581,7 @@
return;
}
+ key_mic = key192->key_mic; /* same offset for key and key192 */
wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
sm->wpa_key_mgmt, version,
(u8 *) hdr, len, key_mic);
@@ -1645,9 +1641,10 @@
{
struct ieee802_1x_hdr *hdr;
struct wpa_eapol_key *key;
+ struct wpa_eapol_key_192 *key192;
u16 key_info;
int ret = 0;
- u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
+ u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
size_t mic_len = wpa_mic_len(akmp);
if (data_len < sizeof(*hdr) + sizeof(*key))
@@ -1655,16 +1652,16 @@
hdr = (struct ieee802_1x_hdr *) data;
key = (struct wpa_eapol_key *) (hdr + 1);
- mic_pos = (u8 *) (key + 1);
+ key192 = (struct wpa_eapol_key_192 *) (hdr + 1);
key_info = WPA_GET_BE16(key->key_info);
- os_memcpy(mic, mic_pos, mic_len);
- os_memset(mic_pos, 0, mic_len);
+ os_memcpy(mic, key192->key_mic, mic_len);
+ os_memset(key192->key_mic, 0, mic_len);
if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
key_info & WPA_KEY_INFO_TYPE_MASK,
- data, data_len, mic_pos) ||
- os_memcmp_const(mic, mic_pos, mic_len) != 0)
+ data, data_len, key192->key_mic) ||
+ os_memcmp_const(mic, key192->key_mic, mic_len) != 0)
ret = -1;
- os_memcpy(mic_pos, mic, mic_len);
+ os_memcpy(key192->key_mic, mic, mic_len);
return ret;
}
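Review bot: The length guard in the previous hunk compares `data_len` with `sizeof(*hdr) + sizeof(*key)`, but the body here reads and writes `mic_len` bytes at `key192->key_mic`. If the 192-bit header is the larger layout, as the `keyhdrlen` selection elsewhere in this diff implies, a 24-byte MIC can extend past what the guard checked. The receive path shown earlier tests against `keyhdrlen` before calling, so this is probably not reachable today, but the function should not depend on its caller for bounds. Use `if (data_len < sizeof(*hdr) + (mic_len == 24 ? sizeof(*key192) : sizeof(*key)))` as the guard. The function starts before this hunk.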
@@ -1673,10 +1670,7 @@
{
sm->PTK_valid = FALSE;
os_memset(&sm->PTK, 0, sizeof(sm->PTK));
- if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
- 0))
- wpa_printf(MSG_DEBUG,
- "RSN: PTK removal from the driver failed");
+ wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
sm->pairwise_set = FALSE;
eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
}
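Review bot: The result of `wpa_auth_set_key(..., WPA_ALG_NONE, ...)` is now discarded, so a driver that fails to remove the pairwise key leaves no log entry while `sm->pairwise_set` is cleared regardless. A key that stays installed after the state machine believes it is gone deserves at least a debug line: wrap the call as `if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0))` followed by `wpa_printf(MSG_DEBUG, "RSN: PTK removal from the driver failed");`. The function's signature is outside this hunk.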
@@ -1740,7 +1734,7 @@
sm->ReAuthenticationRequest = TRUE;
break;
case WPA_ASSOC_FT:
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
"after association");
wpa_ft_install_ptk(sm);
@@ -1748,24 +1742,19 @@
/* Using FT protocol, not WPA auth state machine */
sm->ft_completed = 1;
return 0;
-#else /* CONFIG_IEEE80211R_AP */
+#else /* CONFIG_IEEE80211R */
break;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
sm->ft_completed = 0;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_IEEE80211W
if (sm->mgmt_frame_prot && event == WPA_AUTH)
remove_ptk = 0;
#endif /* CONFIG_IEEE80211W */
-#ifdef CONFIG_FILS
- if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
- (event == WPA_AUTH || event == WPA_ASSOC))
- remove_ptk = 0;
-#endif /* CONFIG_FILS */
if (remove_ptk) {
sm->PTK_valid = FALSE;
@@ -1915,9 +1904,9 @@
size_t len = 2 * PMK_LEN;
SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
sm->xxkey_len = 0;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
if (sm->pmksa) {
wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
@@ -1941,12 +1930,12 @@
}
os_memcpy(sm->PMK, msk, pmk_len);
sm->pmk_len = pmk_len;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (len >= 2 * PMK_LEN) {
os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
sm->xxkey_len = PMK_LEN;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
} else {
wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
sm->wpa_auth->cb.get_msk);
@@ -1976,10 +1965,10 @@
if (psk) {
os_memcpy(sm->PMK, psk, PMK_LEN);
sm->pmk_len = PMK_LEN;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
os_memcpy(sm->xxkey, psk, PMK_LEN);
sm->xxkey_len = PMK_LEN;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
}
sm->req_replay_counter_used = 0;
}
@@ -2042,10 +2031,10 @@
const u8 *pmk, unsigned int pmk_len,
struct wpa_ptk *ptk)
{
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
@@ -2053,398 +2042,16 @@
}
-#ifdef CONFIG_FILS
-
-int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
- size_t pmk_len, const u8 *snonce, const u8 *anonce)
-{
- u8 ick[FILS_ICK_MAX_LEN];
- size_t ick_len;
- int res;
-
- res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
- snonce, anonce, &sm->PTK, ick, &ick_len,
- sm->wpa_key_mgmt, sm->pairwise);
- if (res < 0)
- return res;
- sm->PTK_valid = TRUE;
-
- res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
- sm->addr, sm->wpa_auth->addr,
- NULL, 0, NULL, 0, /* TODO: SK+PFS */
- sm->wpa_key_mgmt, sm->fils_key_auth_sta,
- sm->fils_key_auth_ap,
- &sm->fils_key_auth_len);
- os_memset(ick, 0, sizeof(ick));
-
- /* Store nonces for (Re)Association Request/Response frame processing */
- os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
- os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
-
- return res;
-}
-
-
-static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
- u8 *buf, size_t buf_len, u16 *_key_data_len)
-{
- struct ieee802_1x_hdr *hdr;
- struct wpa_eapol_key *key;
- u8 *pos;
- u16 key_data_len;
- u8 *tmp;
- const u8 *aad[1];
- size_t aad_len[1];
-
- hdr = (struct ieee802_1x_hdr *) buf;
- key = (struct wpa_eapol_key *) (hdr + 1);
- pos = (u8 *) (key + 1);
- key_data_len = WPA_GET_BE16(pos);
- if (key_data_len < AES_BLOCK_SIZE ||
- key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
- wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
- "No room for AES-SIV data in the frame");
- return -1;
- }
- pos += 2; /* Pointing at the Encrypted Key Data field */
-
- tmp = os_malloc(key_data_len);
- if (!tmp)
- return -1;
-
- /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
- * to Key Data (exclusive). */
- aad[0] = buf;
- aad_len[0] = pos - buf;
- if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
- 1, aad, aad_len, tmp) < 0) {
- wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
- "Invalid AES-SIV data in the frame");
- bin_clear_free(tmp, key_data_len);
- return -1;
- }
-
- /* AEAD decryption and validation completed successfully */
- key_data_len -= AES_BLOCK_SIZE;
- wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
- tmp, key_data_len);
-
- /* Replace Key Data field with the decrypted version */
- os_memcpy(pos, tmp, key_data_len);
- pos -= 2; /* Key Data Length field */
- WPA_PUT_BE16(pos, key_data_len);
- bin_clear_free(tmp, key_data_len);
- if (_key_data_len)
- *_key_data_len = key_data_len;
- return 0;
-}
-
-
-int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
- const struct ieee80211_mgmt *mgmt, size_t frame_len,
- u8 *pos, size_t left)
-{
- u16 fc, stype;
- const u8 *end, *ie_start, *ie, *session, *crypt;
- struct ieee802_11_elems elems;
- const u8 *aad[5];
- size_t aad_len[5];
-
- if (!sm || !sm->PTK_valid) {
- wpa_printf(MSG_DEBUG,
- "FILS: No KEK to decrypt Assocication Request frame");
- return -1;
- }
-
- if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
- wpa_printf(MSG_DEBUG,
- "FILS: Not a FILS AKM - reject association");
- return -1;
- }
-
- end = ((const u8 *) mgmt) + frame_len;
- fc = le_to_host16(mgmt->frame_control);
- stype = WLAN_FC_GET_STYPE(fc);
- if (stype == WLAN_FC_STYPE_REASSOC_REQ)
- ie_start = mgmt->u.reassoc_req.variable;
- else
- ie_start = mgmt->u.assoc_req.variable;
- ie = ie_start;
-
- /*
- * Find FILS Session element which is the last unencrypted element in
- * the frame.
- */
- session = NULL;
- while (ie + 1 < end) {
- if (ie + 2 + ie[1] > end)
- break;
- if (ie[0] == WLAN_EID_EXTENSION &&
- ie[1] >= 1 + FILS_SESSION_LEN &&
- ie[2] == WLAN_EID_EXT_FILS_SESSION) {
- session = ie;
- break;
- }
- ie += 2 + ie[1];
- }
-
- if (!session) {
- wpa_printf(MSG_DEBUG,
- "FILS: Could not find FILS Session element in Association Request frame - reject");
- return -1;
- }
- if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
- wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
- wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
- fils_session, FILS_SESSION_LEN);
- wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
- session + 3, FILS_SESSION_LEN);
- return -1;
- }
- crypt = session + 2 + session[1];
-
- if (end - crypt < AES_BLOCK_SIZE) {
- wpa_printf(MSG_DEBUG,
- "FILS: Too short frame to include AES-SIV data");
- return -1;
- }
-
- /* AES-SIV AAD vectors */
-
- /* The STA's MAC address */
- aad[0] = mgmt->sa;
- aad_len[0] = ETH_ALEN;
- /* The AP's BSSID */
- aad[1] = mgmt->da;
- aad_len[1] = ETH_ALEN;
- /* The STA's nonce */
- aad[2] = sm->SNonce;
- aad_len[2] = FILS_NONCE_LEN;
- /* The AP's nonce */
- aad[3] = sm->ANonce;
- aad_len[3] = FILS_NONCE_LEN;
- /*
- * The (Re)Association Request frame from the Capability Information
- * field to the FILS Session element (both inclusive).
- */
- aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
- aad_len[4] = crypt - aad[0];
-
- if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
- 1, aad, aad_len, pos + (crypt - ie_start)) < 0) {
- wpa_printf(MSG_DEBUG,
- "FILS: Invalid AES-SIV data in the frame");
- return -1;
- }
- wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
- pos, left - AES_BLOCK_SIZE);
-
- if (ieee802_11_parse_elems(pos, left - AES_BLOCK_SIZE, &elems, 1) ==
- ParseFailed) {
- wpa_printf(MSG_DEBUG,
- "FILS: Failed to parse decrypted elements");
- return -1;
- }
- if (!elems.fils_key_confirm) {
- wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
- return -1;
- }
- if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
- wpa_printf(MSG_DEBUG,
- "FILS: Unexpected Key-Auth length %d (expected %d)",
- elems.fils_key_confirm_len,
- (int) sm->fils_key_auth_len);
- return -1;
- }
- if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
- sm->fils_key_auth_len) != 0) {
- wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
- wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
- elems.fils_key_confirm,
- elems.fils_key_confirm_len);
- wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
- sm->fils_key_auth_sta, sm->fils_key_auth_len);
- return -1;
- }
-
- return left - AES_BLOCK_SIZE;
-}
-
-
-int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
- size_t current_len, size_t max_len)
-{
- u8 *end = buf + max_len;
- u8 *pos = buf + current_len;
- struct ieee80211_mgmt *mgmt;
- struct wpabuf *plain;
- u8 *len, *tmp, *tmp2;
- u8 hdr[2];
- u8 *gtk, dummy_gtk[32];
- size_t gtk_len;
- struct wpa_group *gsm;
- const u8 *aad[5];
- size_t aad_len[5];
-
- if (!sm || !sm->PTK_valid)
- return -1;
-
- wpa_hexdump(MSG_DEBUG,
- "FILS: Association Response frame before FILS processing",
- buf, current_len);
-
- mgmt = (struct ieee80211_mgmt *) buf;
-
- /* AES-SIV AAD vectors */
-
- /* The AP's BSSID */
- aad[0] = mgmt->sa;
- aad_len[0] = ETH_ALEN;
- /* The STA's MAC address */
- aad[1] = mgmt->da;
- aad_len[1] = ETH_ALEN;
- /* The AP's nonce */
- aad[2] = sm->ANonce;
- aad_len[2] = FILS_NONCE_LEN;
- /* The STA's nonce */
- aad[3] = sm->SNonce;
- aad_len[3] = FILS_NONCE_LEN;
- /*
- * The (Re)Association Response frame from the Capability Information
- * field (the same offset in both Association and Reassociation
- * Response frames) to the FILS Session element (both inclusive).
- */
- aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
- aad_len[4] = pos - aad[4];
-
- /* The following elements will be encrypted with AES-SIV */
-
- plain = wpabuf_alloc(1000);
- if (!plain)
- return -1;
-
- /* TODO: FILS Public Key */
-
- /* FILS Key Confirmation */
- wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
- wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
- /* Element ID Extension */
- wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
- wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
-
- /* TODO: FILS HLP Container */
-
- /* TODO: FILS IP Address Assignment */
-
- /* Key Delivery */
- gsm = sm->group;
- wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
- len = wpabuf_put(plain, 1);
- wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
- wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
- wpabuf_put(plain, WPA_KEY_RSC_LEN));
- /* GTK KDE */
- gtk = gsm->GTK[gsm->GN - 1];
- gtk_len = gsm->GTK_len;
- if (sm->wpa_auth->conf.disable_gtk) {
- /*
- * Provide unique random GTK to each STA to prevent use
- * of GTK in the BSS.
- */
- if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
- wpabuf_free(plain);
- return -1;
- }
- gtk = dummy_gtk;
- }
- hdr[0] = gsm->GN & 0x03;
- hdr[1] = 0;
- tmp = wpabuf_put(plain, 0);
- tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
- gtk, gtk_len);
- wpabuf_put(plain, tmp2 - tmp);
-
- /* IGTK KDE */
- tmp = wpabuf_put(plain, 0);
- tmp2 = ieee80211w_kde_add(sm, tmp);
- wpabuf_put(plain, tmp2 - tmp);
-
- *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
-
- if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
- wpa_printf(MSG_DEBUG,
- "FILS: Not enough room for FILS elements");
- wpabuf_free(plain);
- return -1;
- }
-
- wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
- plain);
-
- if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
- wpabuf_head(plain), wpabuf_len(plain),
- 5, aad, aad_len, pos) < 0) {
- wpabuf_free(plain);
- return -1;
- }
-
- wpa_hexdump(MSG_DEBUG,
- "FILS: Encrypted Association Response elements",
- pos, AES_BLOCK_SIZE + wpabuf_len(plain));
- current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
- wpabuf_free(plain);
-
- sm->fils_completed = 1;
-
- return current_len;
-}
-
-
-int fils_set_tk(struct wpa_state_machine *sm)
-{
- enum wpa_alg alg;
- int klen;
-
- if (!sm || !sm->PTK_valid)
- return -1;
-
- alg = wpa_cipher_to_alg(sm->pairwise);
- klen = wpa_cipher_key_len(sm->pairwise);
-
- wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
- if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
- sm->PTK.tk, klen)) {
- wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
- return -1;
- }
-
- return 0;
-}
-
-#endif /* CONFIG_FILS */
-
-
SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
{
- struct wpa_authenticator *wpa_auth = sm->wpa_auth;
struct wpa_ptk PTK;
int ok = 0, psk_found = 0;
const u8 *pmk = NULL;
unsigned int pmk_len;
- int ft;
- const u8 *eapol_key_ie, *key_data, *mic;
- u16 key_data_length;
- size_t mic_len, eapol_key_ie_len;
- struct ieee802_1x_hdr *hdr;
- struct wpa_eapol_key *key;
- struct wpa_eapol_ie_parse kde;
SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
sm->EAPOLKeyReceived = FALSE;
sm->update_snonce = FALSE;
- os_memset(&PTK, 0, sizeof(PTK));
-
- mic_len = wpa_mic_len(sm->wpa_key_mgmt);
/* WPA with IEEE 802.1X: use the derived PMK from EAP
* WPA-PSK: iterate through possible PSKs and select the one matching
@@ -2464,23 +2071,13 @@
wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK);
- if (mic_len &&
- wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK,
+ if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK,
sm->last_rx_eapol_key,
sm->last_rx_eapol_key_len) == 0) {
ok = 1;
break;
}
-#ifdef CONFIG_FILS
- if (!mic_len &&
- wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
- sm->last_rx_eapol_key_len, NULL) == 0) {
- ok = 1;
- break;
- }
-#endif /* CONFIG_FILS */
-
if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
break;
}
@@ -2493,77 +2090,7 @@
return;
}
- /*
- * Note: last_rx_eapol_key length fields have already been validated in
- * wpa_receive().
- */
- hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
- key = (struct wpa_eapol_key *) (hdr + 1);
- mic = (u8 *) (key + 1);
- key_data = mic + mic_len + 2;
- key_data_length = WPA_GET_BE16(mic + mic_len);
- if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
- sizeof(*key) - mic_len - 2)
- return;
-
- if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
- wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
- "received EAPOL-Key msg 2/4 with invalid Key Data contents");
- return;
- }
- if (kde.rsn_ie) {
- eapol_key_ie = kde.rsn_ie;
- eapol_key_ie_len = kde.rsn_ie_len;
- } else if (kde.osen) {
- eapol_key_ie = kde.osen;
- eapol_key_ie_len = kde.osen_len;
- } else {
- eapol_key_ie = kde.wpa_ie;
- eapol_key_ie_len = kde.wpa_ie_len;
- }
- ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
- if (sm->wpa_ie == NULL ||
- wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
- eapol_key_ie, eapol_key_ie_len)) {
- wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
- "WPA IE from (Re)AssocReq did not match with msg 2/4");
- if (sm->wpa_ie) {
- wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
- sm->wpa_ie, sm->wpa_ie_len);
- }
- wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
- eapol_key_ie, eapol_key_ie_len);
- /* MLME-DEAUTHENTICATE.request */
- wpa_sta_disconnect(wpa_auth, sm->addr);
- return;
- }
-#ifdef CONFIG_IEEE80211R_AP
- if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
- wpa_sta_disconnect(wpa_auth, sm->addr);
- return;
- }
-#endif /* CONFIG_IEEE80211R_AP */
-#ifdef CONFIG_P2P
- if (kde.ip_addr_req && kde.ip_addr_req[0] &&
- wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
- int idx;
- wpa_printf(MSG_DEBUG,
- "P2P: IP address requested in EAPOL-Key exchange");
- idx = bitfield_get_first_zero(wpa_auth->ip_pool);
- if (idx >= 0) {
- u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
- bitfield_set(wpa_auth->ip_pool, idx);
- WPA_PUT_BE32(sm->ip_addr, start + idx);
- wpa_printf(MSG_DEBUG,
- "P2P: Assigned IP address %u.%u.%u.%u to "
- MACSTR, sm->ip_addr[0], sm->ip_addr[1],
- sm->ip_addr[2], sm->ip_addr[3],
- MAC2STR(sm->addr));
- }
- }
-#endif /* CONFIG_P2P */
-
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
/*
* Verify that PMKR1Name from EAPOL-Key message 2/4 matches
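Review bot: With the Key Data block removed from PTKCALCNEGOTIATING, nothing in this hunk compares the RSN/WPA IE from EAPOL-Key msg 2/4 with `sm->wpa_ie` after `wpa_verify_key_mic()` has succeeded; the `ft_check_msg_2_of_4()` call and the P2P IP address assignment are removed with it. If the revert moves this handling back into `wpa_receive()` (outside this hunk, so this is an assumption), it runs on Key Data whose MIC has not been checked yet, which means unauthenticated input could allocate from `wpa_auth->ip_pool` or reach `wpa_sta_disconnect()`. I would record the ordering at this site with a comment such as `/* msg 2/4 Key Data (RSN IE match, FT checks, P2P IP request) is handled in wpa_receive(), before the MIC is verified */` and confirm the IE comparison still runs on every path. The state function starts before this hunk and continues past it.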
@@ -2582,7 +2109,7 @@
return;
}
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
sm->pending_1_of_4_timeout = 0;
eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
@@ -2752,12 +2279,12 @@
kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
if (gtk)
kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
kde_len += 300; /* FTIE + 2 * TIE */
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_P2P
if (WPA_GET_BE32(sm->ip_addr) > 0)
kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
@@ -2769,7 +2296,7 @@
pos = kde;
os_memcpy(pos, wpa_ie, wpa_ie_len);
pos += wpa_ie_len;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
int res;
size_t elen;
@@ -2785,7 +2312,7 @@
pos -= wpa_ie_len;
pos += elen;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
if (gtk) {
u8 hdr[2];
hdr[0] = keyidx & 0x03;
@@ -2795,7 +2322,7 @@
}
pos = ieee80211w_kde_add(sm, pos);
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
int res;
struct wpa_auth_config *conf;
@@ -2835,7 +2362,7 @@
WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
pos += 4;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_P2P
if (WPA_GET_BE32(sm->ip_addr) > 0) {
u8 addr[3 * 4];
@@ -2848,8 +2375,7 @@
#endif /* CONFIG_P2P */
wpa_send_eapol(sm->wpa_auth, sm,
- (secure ? WPA_KEY_INFO_SECURE : 0) |
- (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
+ (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
WPA_KEY_INFO_KEY_TYPE,
_rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
@@ -2905,9 +2431,9 @@
"pairwise key handshake completed (%s)",
sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
}
@@ -3093,8 +2619,7 @@
}
wpa_send_eapol(sm->wpa_auth, sm,
- WPA_KEY_INFO_SECURE |
- (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
+ WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
WPA_KEY_INFO_ACK |
(!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
rsc, gsm->GNonce, kde, kde_len, gsm->GN, 1);
@@ -3851,12 +3376,11 @@
struct rsn_pmksa_cache_entry *
-wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
- const u8 *pmkid)
+wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr)
{
if (!wpa_auth || !wpa_auth->pmksa)
return NULL;
- return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
+ return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
}
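Review bot: `wpa_auth_pmksa_get()` now passes `NULL` as the PMKID to `pmksa_cache_auth_get()`, so the entry is presumably selected by `sta_addr` alone, and nothing at the definition says so. A caller that received a PMKID from the station would then have to compare it with the returned entry itself. I would add a header comment, for example `/* Returns the PMKSA cache entry for sta_addr; no PMKID is matched, callers must check it if they have one */`. The prototype in src/ap/wpa_auth.h changes the same way and would benefit from the same wording.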
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 743f2e6..0de8d97 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -157,7 +157,7 @@
enum mfp_options ieee80211w;
int group_mgmt_cipher;
#endif /* CONFIG_IEEE80211W */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
u8 ssid[SSID_MAX_LEN];
size_t ssid_len;
u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN];
@@ -170,8 +170,7 @@
struct ft_remote_r1kh *r1kh_list;
int pmk_r1_push;
int ft_over_ds;
- int ft_psk_generate_local;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
int disable_gtk;
int ap_mlme;
#ifdef CONFIG_TESTING_OPTIONS
@@ -221,13 +220,13 @@
void *ctx), void *cb_ctx);
int (*send_ether)(void *ctx, const u8 *dst, u16 proto, const u8 *data,
size_t data_len);
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
struct wpa_state_machine * (*add_sta)(void *ctx, const u8 *sta_addr);
int (*send_ft_action)(void *ctx, const u8 *dst,
const u8 *data, size_t data_len);
int (*add_tspec)(void *ctx, const u8 *sta_addr, u8 *tspec_ie,
size_t tspec_ielen);
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_MESH
int (*start_ampe)(void *ctx, const u8 *sta_addr);
#endif /* CONFIG_MESH */
@@ -303,8 +302,7 @@
size_t len);
void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth);
struct rsn_pmksa_cache_entry *
-wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
- const u8 *pmkid);
+wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr);
void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
struct wpa_state_machine *sm,
struct wpa_authenticator *wpa_auth,
@@ -313,7 +311,7 @@
void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
struct wpa_state_machine *sm, int ack);
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos,
size_t max_len, int auth_alg,
const u8 *req_ies, size_t req_ies_len);
@@ -329,7 +327,7 @@
int wpa_ft_rrb_rx(struct wpa_authenticator *wpa_auth, const u8 *src_addr,
const u8 *data, size_t data_len);
void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr);
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm);
void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag);
@@ -348,13 +346,5 @@
int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id);
int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id);
-int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
- size_t pmk_len, const u8 *snonce, const u8 *anonce);
-int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
- const struct ieee80211_mgmt *mgmt, size_t frame_len,
- u8 *pos, size_t left);
-int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
- size_t current_len, size_t max_len);
-int fils_set_tk(struct wpa_state_machine *sm);
#endif /* WPA_AUTH_H */
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 637d6d6..42242a5 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -22,7 +22,7 @@
#include "wpa_auth_i.h"
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
static int wpa_ft_send_rrb_auth_resp(struct wpa_state_machine *sm,
const u8 *current_ap, const u8 *sta_addr,
@@ -51,17 +51,6 @@
}
-static const u8 * wpa_ft_get_psk(struct wpa_authenticator *wpa_auth,
- const u8 *addr, const u8 *p2p_dev_addr,
- const u8 *prev_psk)
-{
- if (wpa_auth->cb.get_psk == NULL)
- return NULL;
- return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr,
- prev_psk);
-}
-
-
static struct wpa_state_machine *
wpa_ft_add_sta(struct wpa_authenticator *wpa_auth, const u8 *sta_addr)
{
@@ -384,7 +373,6 @@
const u8 *r1kh = sm->wpa_auth->conf.r1_key_holder;
const u8 *ssid = sm->wpa_auth->conf.ssid;
size_t ssid_len = sm->wpa_auth->conf.ssid_len;
- int psk_local = sm->wpa_auth->conf.ft_psk_generate_local;
if (sm->xxkey_len == 0) {
wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
@@ -396,18 +384,16 @@
r0kh, r0kh_len, sm->addr, pmk_r0, pmk_r0_name);
wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, PMK_LEN);
wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN);
- if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
- wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
- sm->pairwise);
+ wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
+ sm->pairwise);
wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr,
pmk_r1, sm->pmk_r1_name);
wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, PMK_LEN);
wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", sm->pmk_r1_name,
WPA_PMK_NAME_LEN);
- if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
- wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1,
- sm->pmk_r1_name, sm->pairwise);
+ wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1, sm->pmk_r1_name,
+ sm->pairwise);
return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr,
sm->wpa_auth->addr, sm->pmk_r1_name,
@@ -809,89 +795,6 @@
}
-/* Derive PMK-R1 from PSK, check all available PSK */
-static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
- const u8 *req_pmk_r1_name,
- u8 *out_pmk_r1, int *out_pairwise)
-{
- const u8 *pmk = NULL;
- u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
- u8 pmk_r1[PMK_LEN], pmk_r1_name[WPA_PMK_NAME_LEN];
- struct wpa_authenticator *wpa_auth = sm->wpa_auth;
- const u8 *mdid = wpa_auth->conf.mobility_domain;
- const u8 *r0kh = sm->r0kh_id;
- size_t r0kh_len = sm->r0kh_id_len;
- const u8 *r1kh = wpa_auth->conf.r1_key_holder;
- const u8 *ssid = wpa_auth->conf.ssid;
- size_t ssid_len = wpa_auth->conf.ssid_len;
- int pairwise;
-
- pairwise = sm->pairwise;
-
- for (;;) {
- pmk = wpa_ft_get_psk(wpa_auth, sm->addr, sm->p2p_dev_addr,
- pmk);
- if (pmk == NULL)
- break;
-
- wpa_derive_pmk_r0(pmk, PMK_LEN, ssid, ssid_len, mdid, r0kh,
- r0kh_len, sm->addr, pmk_r0, pmk_r0_name);
- wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr,
- pmk_r1, pmk_r1_name);
-
- if (os_memcmp_const(pmk_r1_name, req_pmk_r1_name,
- WPA_PMK_NAME_LEN) != 0)
- continue;
-
- /* We found a PSK that matches the requested pmk_r1_name */
- wpa_printf(MSG_DEBUG,
- "FT: Found PSK to generate PMK-R1 locally");
- os_memcpy(out_pmk_r1, pmk_r1, PMK_LEN);
- if (out_pairwise)
- *out_pairwise = pairwise;
- return 0;
- }
-
- wpa_printf(MSG_DEBUG,
- "FT: Did not find PSK to generate PMK-R1 locally");
- return -1;
-}
-
-
-/* Detect the configuration the station asked for.
- * Required to detect FT-PSK and pairwise cipher.
- */
-static int wpa_ft_set_key_mgmt(struct wpa_state_machine *sm,
- struct wpa_ft_ies *parse)
-{
- int key_mgmt, ciphers;
-
- if (sm->wpa_key_mgmt)
- return 0;
-
- key_mgmt = parse->key_mgmt & sm->wpa_auth->conf.wpa_key_mgmt;
- if (!key_mgmt) {
- wpa_printf(MSG_DEBUG, "FT: Invalid key mgmt (0x%x) from "
- MACSTR, parse->key_mgmt, MAC2STR(sm->addr));
- return -1;
- }
- if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X)
- sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
- else if (key_mgmt & WPA_KEY_MGMT_FT_PSK)
- sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_PSK;
- ciphers = parse->pairwise_cipher & sm->wpa_auth->conf.rsn_pairwise;
- if (!ciphers) {
- wpa_printf(MSG_DEBUG, "FT: Invalid pairwise cipher (0x%x) from "
- MACSTR,
- parse->pairwise_cipher, MAC2STR(sm->addr));
- return -1;
- }
- sm->pairwise = wpa_pick_pairwise_cipher(ciphers, 0);
-
- return 0;
-}
-
-
static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
const u8 *ies, size_t ies_len,
u8 **resp_ies, size_t *resp_ies_len)
@@ -953,9 +856,6 @@
return WLAN_STATUS_INVALID_PMKID;
}
- if (wpa_ft_set_key_mgmt(sm, &parse) < 0)
- return WLAN_STATUS_UNSPECIFIED_FAILURE;
-
wpa_hexdump(MSG_DEBUG, "FT: Requested PMKR0Name",
parse.rsn_pmkid, WPA_PMK_NAME_LEN);
wpa_derive_pmk_r1_name(parse.rsn_pmkid,
@@ -964,12 +864,8 @@
wpa_hexdump(MSG_DEBUG, "FT: Derived requested PMKR1Name",
pmk_r1_name, WPA_PMK_NAME_LEN);
- if (conf->ft_psk_generate_local &&
- wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
- if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise) < 0)
- return WLAN_STATUS_INVALID_PMKID;
- } else if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name,
- pmk_r1, &pairwise) < 0) {
+ if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name, pmk_r1,
+ &pairwise) < 0) {
if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) {
wpa_printf(MSG_DEBUG, "FT: Did not have matching "
"PMK-R1 and unknown R0KH-ID");
@@ -1145,7 +1041,7 @@
ftie->snonce, WPA_NONCE_LEN);
wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce",
sm->SNonce, WPA_NONCE_LEN);
- return WLAN_STATUS_INVALID_FTIE;
+ return -1;
}
if (os_memcmp(ftie->anonce, sm->ANonce, WPA_NONCE_LEN) != 0) {
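Review bot: The `return -1` that replaces `WLAN_STATUS_INVALID_FTIE` on the SNonce mismatch path drops the specific status code, and the same substitution is made in the following hunks at -1154, -1172, -1188, -1196 and -1206 (ANonce, R0KH-ID, R1KH-ID, PMKR1Name and MIC Control count checks). The function signature is outside these hunks; if it returns an unsigned status code, as the removed `WLAN_STATUS_*` values suggest, -1 converts to 0xffff and the rejection depends on the caller treating any non-zero value as failure. Keeping the named codes, e.g. `return WLAN_STATUS_INVALID_FTIE;` here and `return WLAN_STATUS_INVALID_PMKID;` for the PMKR1Name case, keeps the rejection explicit. If -1 is intended, a comment at the top of the function should state how callers map it to a status.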
@@ -1154,13 +1050,13 @@
ftie->anonce, WPA_NONCE_LEN);
wpa_hexdump(MSG_DEBUG, "FT: Expected ANonce",
sm->ANonce, WPA_NONCE_LEN);
- return WLAN_STATUS_INVALID_FTIE;
+ return -1;
}
if (parse.r0kh_id == NULL) {
wpa_printf(MSG_DEBUG, "FT: No R0KH-ID subelem in FTIE");
- return WLAN_STATUS_INVALID_FTIE;
+ return -1;
}
if (parse.r0kh_id_len != sm->r0kh_id_len ||
@@ -1172,12 +1068,12 @@
parse.r0kh_id, parse.r0kh_id_len);
wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID",
sm->r0kh_id, sm->r0kh_id_len);
- return WLAN_STATUS_INVALID_FTIE;
+ return -1;
}
if (parse.r1kh_id == NULL) {
wpa_printf(MSG_DEBUG, "FT: No R1KH-ID subelem in FTIE");
- return WLAN_STATUS_INVALID_FTIE;
+ return -1;
}
if (os_memcmp_const(parse.r1kh_id, sm->wpa_auth->conf.r1_key_holder,
@@ -1188,7 +1084,7 @@
parse.r1kh_id, FT_R1KH_ID_LEN);
wpa_hexdump(MSG_DEBUG, "FT: Expected R1KH-ID",
sm->wpa_auth->conf.r1_key_holder, FT_R1KH_ID_LEN);
- return WLAN_STATUS_INVALID_FTIE;
+ return -1;
}
if (parse.rsn_pmkid == NULL ||
@@ -1196,7 +1092,7 @@
{
wpa_printf(MSG_DEBUG, "FT: No matching PMKR1Name (PMKID) in "
"RSNIE (pmkid=%d)", !!parse.rsn_pmkid);
- return WLAN_STATUS_INVALID_PMKID;
+ return -1;
}
count = 3;
@@ -1206,7 +1102,7 @@
wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
"Control: received %u expected %u",
ftie->mic_control[1], count);
- return WLAN_STATUS_UNSPECIFIED_FAILURE;
+ return -1;
}
if (wpa_ft_mic(sm->PTK.kck, sm->PTK.kck_len, sm->addr,
@@ -1893,4 +1789,4 @@
}
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index aabac36..2142414 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -53,7 +53,7 @@
wconf->ieee80211w = conf->ieee80211w;
wconf->group_mgmt_cipher = conf->group_mgmt_cipher;
#endif /* CONFIG_IEEE80211W */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
wconf->ssid_len = conf->ssid.ssid_len;
if (wconf->ssid_len > SSID_MAX_LEN)
wconf->ssid_len = SSID_MAX_LEN;
@@ -73,8 +73,7 @@
wconf->r1kh_list = conf->r1kh_list;
wconf->pmk_r1_push = conf->pmk_r1_push;
wconf->ft_over_ds = conf->ft_over_ds;
- wconf->ft_psk_generate_local = conf->ft_psk_generate_local;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_HS20
wconf->disable_gtk = conf->disable_dgaf;
if (conf->osen) {
@@ -402,7 +401,7 @@
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
struct wpa_auth_ft_iface_iter_data {
struct hostapd_data *src_hapd;
@@ -441,7 +440,7 @@
return 0;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
static int hostapd_wpa_auth_send_ether(void *ctx, const u8 *dst, u16 proto,
@@ -466,7 +465,7 @@
}
#endif /* CONFIG_TESTING_OPTIONS */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (proto == ETH_P_RRB && hapd->iface->interfaces &&
hapd->iface->interfaces->for_each_interface) {
int res;
@@ -481,7 +480,7 @@
if (res == 1)
return data_len;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
if (hapd->driver && hapd->driver->send_ether)
return hapd->driver->send_ether(hapd->drv_priv, dst,
@@ -504,7 +503,7 @@
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
static int hostapd_wpa_auth_send_ft_action(void *ctx, const u8 *dst,
const u8 *data, size_t data_len)
@@ -589,7 +588,7 @@
return hostapd_add_tspec(hapd, sta_addr, tspec_ie, tspec_ielen);
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
int hostapd_setup_wpa(struct hostapd_data *hapd)
@@ -620,11 +619,11 @@
cb.for_each_sta = hostapd_wpa_auth_for_each_sta;
cb.for_each_auth = hostapd_wpa_auth_for_each_auth;
cb.send_ether = hostapd_wpa_auth_send_ether;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
cb.send_ft_action = hostapd_wpa_auth_send_ft_action;
cb.add_sta = hostapd_wpa_auth_add_sta;
cb.add_tspec = hostapd_wpa_auth_add_tspec;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
hapd->wpa_auth = wpa_init(hapd->own_addr, &_conf, &cb);
if (hapd->wpa_auth == NULL) {
wpa_printf(MSG_ERROR, "WPA initialization failed.");
@@ -650,7 +649,7 @@
return -1;
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (!hostapd_drv_none(hapd) &&
wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt)) {
hapd->l2 = l2_packet_init(hapd->conf->bridge[0] ?
@@ -665,7 +664,7 @@
return -1;
}
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
return 0;
@@ -703,8 +702,8 @@
}
ieee802_1x_deinit(hapd);
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
l2_packet_deinit(hapd->l2);
hapd->l2 = NULL;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
}
diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
index 0c5a457..72b7eb3 100644
--- a/src/ap/wpa_auth_i.h
+++ b/src/ap/wpa_auth_i.h
@@ -88,10 +88,10 @@
unsigned int rx_eapol_key_secure:1;
unsigned int update_snonce:1;
unsigned int alt_snonce_valid:1;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
unsigned int ft_completed:1;
unsigned int pmk_r1_name_valid:1;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
unsigned int is_wnmsleep:1;
u8 req_replay_counter[WPA_REPLAY_COUNTER_LEN];
@@ -112,7 +112,7 @@
u32 dot11RSNAStatsTKIPLocalMICFailures;
u32 dot11RSNAStatsTKIPRemoteMICFailures;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
u8 xxkey[PMK_LEN]; /* PSK or the second 256 bits of MSK */
size_t xxkey_len;
u8 pmk_r1_name[WPA_PMK_NAME_LEN]; /* PMKR1Name derived from FT Auth
@@ -131,20 +131,13 @@
u8 ft_pending_pull_nonce[FT_R0KH_R1KH_PULL_NONCE_LEN];
u8 ft_pending_auth_transaction;
u8 ft_pending_current_ap[ETH_ALEN];
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
int pending_1_of_4_timeout;
#ifdef CONFIG_P2P
u8 ip_addr[4];
#endif /* CONFIG_P2P */
-
-#ifdef CONFIG_FILS
- u8 fils_key_auth_sta[FILS_MAX_KEY_AUTH_LEN];
- u8 fils_key_auth_ap[FILS_MAX_KEY_AUTH_LEN];
- size_t fils_key_auth_len;
- unsigned int fils_completed:1;
-#endif /* CONFIG_FILS */
};
@@ -251,7 +244,7 @@
const u8 *key_data, size_t key_data_len);
#endif /* CONFIG_PEERKEY */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
int wpa_write_mdie(struct wpa_auth_config *conf, u8 *buf, size_t len);
int wpa_write_ftie(struct wpa_auth_config *conf, const u8 *r0kh_id,
size_t r0kh_id_len,
@@ -263,6 +256,6 @@
struct wpa_ft_pmk_cache * wpa_ft_pmk_cache_init(void);
void wpa_ft_pmk_cache_deinit(struct wpa_ft_pmk_cache *cache);
void wpa_ft_install_ptk(struct wpa_state_machine *sm);
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#endif /* WPA_AUTH_I_H */
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 1df3009..f79783b 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -164,7 +164,7 @@
pos += RSN_SELECTOR_LEN;
num_suites++;
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
pos += RSN_SELECTOR_LEN;
@@ -175,7 +175,7 @@
pos += RSN_SELECTOR_LEN;
num_suites++;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_IEEE80211W
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) {
RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA256);
@@ -210,30 +210,6 @@
pos += RSN_SELECTOR_LEN;
num_suites++;
}
-#ifdef CONFIG_FILS
- if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FILS_SHA256) {
- RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA256);
- pos += RSN_SELECTOR_LEN;
- num_suites++;
- }
- if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FILS_SHA384) {
- RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA384);
- pos += RSN_SELECTOR_LEN;
- num_suites++;
- }
-#ifdef CONFIG_IEEE80211R_AP
- if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) {
- RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
- pos += RSN_SELECTOR_LEN;
- num_suites++;
- }
- if (conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384) {
- RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
- pos += RSN_SELECTOR_LEN;
- num_suites++;
- }
-#endif /* CONFIG_IEEE80211R_AP */
-#endif /* CONFIG_FILS */
#ifdef CONFIG_RSN_TESTING
if (rsn_testing) {
@@ -431,7 +407,7 @@
return res;
pos += res;
}
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(wpa_auth->conf.wpa_key_mgmt)) {
res = wpa_write_mdie(&wpa_auth->conf, pos,
buf + sizeof(buf) - pos);
@@ -439,7 +415,7 @@
return res;
pos += res;
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
if (wpa_auth->conf.wpa & WPA_PROTO_WPA) {
res = wpa_write_wpa_ie(&wpa_auth->conf,
pos, buf + sizeof(buf) - pos);
@@ -533,24 +509,12 @@
selector = RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B)
selector = RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
-#ifdef CONFIG_FILS
-#ifdef CONFIG_IEEE80211R_AP
- else if (data.key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384)
- selector = RSN_AUTH_KEY_MGMT_FT_FILS_SHA384;
- else if (data.key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256)
- selector = RSN_AUTH_KEY_MGMT_FT_FILS_SHA256;
-#endif /* CONFIG_IEEE80211R_AP */
- else if (data.key_mgmt & WPA_KEY_MGMT_FILS_SHA384)
- selector = RSN_AUTH_KEY_MGMT_FILS_SHA384;
- else if (data.key_mgmt & WPA_KEY_MGMT_FILS_SHA256)
- selector = RSN_AUTH_KEY_MGMT_FILS_SHA256;
-#endif /* CONFIG_FILS */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
else if (data.key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X)
selector = RSN_AUTH_KEY_MGMT_FT_802_1X;
else if (data.key_mgmt & WPA_KEY_MGMT_FT_PSK)
selector = RSN_AUTH_KEY_MGMT_FT_PSK;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_IEEE80211W
else if (data.key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256)
selector = RSN_AUTH_KEY_MGMT_802_1X_SHA256;
@@ -627,24 +591,12 @@
sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B)
sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_SUITE_B;
-#ifdef CONFIG_FILS
-#ifdef CONFIG_IEEE80211R_AP
- else if (key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384)
- sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_FILS_SHA384;
- else if (data.key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256)
- sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_FILS_SHA256;
-#endif /* CONFIG_IEEE80211R_AP */
- else if (key_mgmt & WPA_KEY_MGMT_FILS_SHA384)
- sm->wpa_key_mgmt = WPA_KEY_MGMT_FILS_SHA384;
- else if (key_mgmt & WPA_KEY_MGMT_FILS_SHA256)
- sm->wpa_key_mgmt = WPA_KEY_MGMT_FILS_SHA256;
-#endif /* CONFIG_FILS */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
else if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X)
sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
else if (key_mgmt & WPA_KEY_MGMT_FT_PSK)
sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_PSK;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_IEEE80211W
else if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256)
sm->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256;
@@ -703,7 +655,7 @@
sm->mgmt_frame_prot = 1;
#endif /* CONFIG_IEEE80211W */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
if (mdie == NULL || mdie_len < MOBILITY_DOMAIN_ID_LEN + 1) {
wpa_printf(MSG_DEBUG, "RSN: Trying to use FT, but "
@@ -717,7 +669,7 @@
return WPA_INVALID_MDIE;
}
}
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
sm->pairwise = wpa_pick_pairwise_cipher(ciphers, 0);
if (sm->pairwise < 0)
@@ -956,14 +908,14 @@
if (*pos == WLAN_EID_RSN) {
ie->rsn_ie = pos;
ie->rsn_ie_len = pos[1] + 2;
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
} else if (*pos == WLAN_EID_MOBILITY_DOMAIN) {
ie->mdie = pos;
ie->mdie_len = pos[1] + 2;
} else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) {
ie->ftie = pos;
ie->ftie_len = pos[1] + 2;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
} else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
ret = wpa_parse_generic(pos, end, ie);
if (ret < 0)
diff --git a/src/ap/wpa_auth_ie.h b/src/ap/wpa_auth_ie.h
index 5c3bd18..d2067ba 100644
--- a/src/ap/wpa_auth_ie.h
+++ b/src/ap/wpa_auth_ie.h
@@ -33,12 +33,12 @@
const u8 *igtk;
size_t igtk_len;
#endif /* CONFIG_IEEE80211W */
-#ifdef CONFIG_IEEE80211R_AP
+#ifdef CONFIG_IEEE80211R
const u8 *mdie;
size_t mdie_len;
const u8 *ftie;
size_t ftie_len;
-#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_P2P
const u8 *ip_addr_req;
const u8 *ip_addr_alloc;