1/*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "utils/includes.h"
10
11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
14#include "common/ieee802_11_defs.h"
15#include "crypto/aes_wrap.h"
16#include "crypto/crypto.h"
17#include "crypto/sha1.h"
18#include "crypto/sha256.h"
19#include "crypto/random.h"
20#include "eapol_auth/eapol_auth_sm.h"
21#include "ap_config.h"
22#include "ieee802_11.h"
23#include "wpa_auth.h"
24#include "pmksa_cache_auth.h"
25#include "wpa_auth_i.h"
26#include "wpa_auth_ie.h"
27
28#define STATE_MACHINE_DATA struct wpa_state_machine
29#define STATE_MACHINE_DEBUG_PREFIX "WPA"
30#define STATE_MACHINE_ADDR sm->addr
31
32
33static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
34static int wpa_sm_step(struct wpa_state_machine *sm);
35static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len);
36static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
37static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
38			      struct wpa_group *group);
39static void wpa_request_new_ptk(struct wpa_state_machine *sm);
40static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
41			  struct wpa_group *group);
42static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
43				       struct wpa_group *group);
44
45static const u32 dot11RSNAConfigGroupUpdateCount = 4;
46static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
47static const u32 eapol_key_timeout_first = 100; /* ms */
48static const u32 eapol_key_timeout_subseq = 1000; /* ms */
49static const u32 eapol_key_timeout_first_group = 500; /* ms */
50
51/* TODO: make these configurable */
52static const int dot11RSNAConfigPMKLifetime = 43200;
53static const int dot11RSNAConfigPMKReauthThreshold = 70;
54static const int dot11RSNAConfigSATimeout = 60;
55
56
57static inline void wpa_auth_mic_failure_report(
58	struct wpa_authenticator *wpa_auth, const u8 *addr)
59{
60	if (wpa_auth->cb.mic_failure_report)
61		wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
62}
63
64
65static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
66				      const u8 *addr, wpa_eapol_variable var,
67				      int value)
68{
69	if (wpa_auth->cb.set_eapol)
70		wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
71}
72
73
74static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
75				     const u8 *addr, wpa_eapol_variable var)
76{
77	if (wpa_auth->cb.get_eapol == NULL)
78		return -1;
79	return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
80}
81
82
83static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
84					  const u8 *addr, const u8 *prev_psk)
85{
86	if (wpa_auth->cb.get_psk == NULL)
87		return NULL;
88	return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, prev_psk);
89}
90
91
92static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
93				   const u8 *addr, u8 *msk, size_t *len)
94{
95	if (wpa_auth->cb.get_msk == NULL)
96		return -1;
97	return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
98}
99
100
101static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
102				   int vlan_id,
103				   enum wpa_alg alg, const u8 *addr, int idx,
104				   u8 *key, size_t key_len)
105{
106	if (wpa_auth->cb.set_key == NULL)
107		return -1;
108	return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
109				    key, key_len);
110}
111
112
113static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
114				      const u8 *addr, int idx, u8 *seq)
115{
116	if (wpa_auth->cb.get_seqnum == NULL)
117		return -1;
118	return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
119}
120
121
122static inline int
123wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
124		    const u8 *data, size_t data_len, int encrypt)
125{
126	if (wpa_auth->cb.send_eapol == NULL)
127		return -1;
128	return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
129				       encrypt);
130}
131
132
133int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
134			  int (*cb)(struct wpa_state_machine *sm, void *ctx),
135			  void *cb_ctx)
136{
137	if (wpa_auth->cb.for_each_sta == NULL)
138		return 0;
139	return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
140}
141
142
143int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
144			   int (*cb)(struct wpa_authenticator *a, void *ctx),
145			   void *cb_ctx)
146{
147	if (wpa_auth->cb.for_each_auth == NULL)
148		return 0;
149	return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
150}
151
152
153void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
154		     logger_level level, const char *txt)
155{
156	if (wpa_auth->cb.logger == NULL)
157		return;
158	wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
159}
160
161
162void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
163		      logger_level level, const char *fmt, ...)
164{
165	char *format;
166	int maxlen;
167	va_list ap;
168
169	if (wpa_auth->cb.logger == NULL)
170		return;
171
172	maxlen = os_strlen(fmt) + 100;
173	format = os_malloc(maxlen);
174	if (!format)
175		return;
176
177	va_start(ap, fmt);
178	vsnprintf(format, maxlen, fmt, ap);
179	va_end(ap);
180
181	wpa_auth_logger(wpa_auth, addr, level, format);
182
183	os_free(format);
184}
185
186
187static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
188			       const u8 *addr)
189{
190	if (wpa_auth->cb.disconnect == NULL)
191		return;
192	wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
193	wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
194				WLAN_REASON_PREV_AUTH_NOT_VALID);
195}
196
197
198static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
199{
200	int ret = 0;
201#ifdef CONFIG_IEEE80211R
202	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
203		ret = 1;
204#endif /* CONFIG_IEEE80211R */
205#ifdef CONFIG_IEEE80211W
206	if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
207		ret = 1;
208#endif /* CONFIG_IEEE80211W */
209	return ret;
210}
211
212
213static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
214{
215	struct wpa_authenticator *wpa_auth = eloop_ctx;
216
217	if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
218		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
219			   "initialization.");
220	} else {
221		wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
222		wpa_hexdump_key(MSG_DEBUG, "GMK",
223				wpa_auth->group->GMK, WPA_GMK_LEN);
224	}
225
226	if (wpa_auth->conf.wpa_gmk_rekey) {
227		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
228				       wpa_rekey_gmk, wpa_auth, NULL);
229	}
230}
231
232
233static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
234{
235	struct wpa_authenticator *wpa_auth = eloop_ctx;
236	struct wpa_group *group;
237
238	wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
239	for (group = wpa_auth->group; group; group = group->next) {
240		group->GTKReKey = TRUE;
241		do {
242			group->changed = FALSE;
243			wpa_group_sm_step(wpa_auth, group);
244		} while (group->changed);
245	}
246
247	if (wpa_auth->conf.wpa_group_rekey) {
248		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
249				       0, wpa_rekey_gtk, wpa_auth, NULL);
250	}
251}
252
253
254static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
255{
256	struct wpa_authenticator *wpa_auth = eloop_ctx;
257	struct wpa_state_machine *sm = timeout_ctx;
258
259	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
260	wpa_request_new_ptk(sm);
261	wpa_sm_step(sm);
262}
263
264
265static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
266{
267	if (sm->pmksa == ctx)
268		sm->pmksa = NULL;
269	return 0;
270}
271
272
273static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
274				   void *ctx)
275{
276	struct wpa_authenticator *wpa_auth = ctx;
277	wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
278}
279
280
281static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
282					  struct wpa_group *group)
283{
284	u8 buf[ETH_ALEN + 8 + sizeof(group)];
285	u8 rkey[32];
286
287	if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
288		return -1;
289	wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
290
291	/*
292	 * Counter = PRF-256(Random number, "Init Counter",
293	 *                   Local MAC Address || Time)
294	 */
295	os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
296	wpa_get_ntp_timestamp(buf + ETH_ALEN);
297	os_memcpy(buf + ETH_ALEN + 8, &group, sizeof(group));
298	if (random_get_bytes(rkey, sizeof(rkey)) < 0)
299		return -1;
300
301	if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
302		     group->Counter, WPA_NONCE_LEN) < 0)
303		return -1;
304	wpa_hexdump_key(MSG_DEBUG, "Key Counter",
305			group->Counter, WPA_NONCE_LEN);
306
307	return 0;
308}
309
310
311static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
312					 int vlan_id, int delay_init)
313{
314	struct wpa_group *group;
315
316	group = os_zalloc(sizeof(struct wpa_group));
317	if (group == NULL)
318		return NULL;
319
320	group->GTKAuthenticator = TRUE;
321	group->vlan_id = vlan_id;
322	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
323
324	if (random_pool_ready() != 1) {
325		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
326			   "for secure operations - update keys later when "
327			   "the first station connects");
328	}
329
330	/*
331	 * Set initial GMK/Counter value here. The actual values that will be
332	 * used in negotiations will be set once the first station tries to
333	 * connect. This allows more time for collecting additional randomness
334	 * on embedded devices.
335	 */
336	if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
337		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
338			   "initialization.");
339		os_free(group);
340		return NULL;
341	}
342
343	group->GInit = TRUE;
344	if (delay_init) {
345		wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
346			   "until Beacon frames have been configured");
347		/* Initialization is completed in wpa_init_keys(). */
348	} else {
349		wpa_group_sm_step(wpa_auth, group);
350		group->GInit = FALSE;
351		wpa_group_sm_step(wpa_auth, group);
352	}
353
354	return group;
355}
356
357
358/**
359 * wpa_init - Initialize WPA authenticator
360 * @addr: Authenticator address
361 * @conf: Configuration for WPA authenticator
362 * @cb: Callback functions for WPA authenticator
363 * Returns: Pointer to WPA authenticator data or %NULL on failure
364 */
365struct wpa_authenticator * wpa_init(const u8 *addr,
366				    struct wpa_auth_config *conf,
367				    struct wpa_auth_callbacks *cb)
368{
369	struct wpa_authenticator *wpa_auth;
370
371	wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
372	if (wpa_auth == NULL)
373		return NULL;
374	os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
375	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
376	os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
377
378	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
379		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
380		os_free(wpa_auth);
381		return NULL;
382	}
383
384	wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
385	if (wpa_auth->group == NULL) {
386		os_free(wpa_auth->wpa_ie);
387		os_free(wpa_auth);
388		return NULL;
389	}
390
391	wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
392						wpa_auth);
393	if (wpa_auth->pmksa == NULL) {
394		wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
395		os_free(wpa_auth->wpa_ie);
396		os_free(wpa_auth);
397		return NULL;
398	}
399
400#ifdef CONFIG_IEEE80211R
401	wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
402	if (wpa_auth->ft_pmk_cache == NULL) {
403		wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
404		os_free(wpa_auth->wpa_ie);
405		pmksa_cache_auth_deinit(wpa_auth->pmksa);
406		os_free(wpa_auth);
407		return NULL;
408	}
409#endif /* CONFIG_IEEE80211R */
410
411	if (wpa_auth->conf.wpa_gmk_rekey) {
412		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
413				       wpa_rekey_gmk, wpa_auth, NULL);
414	}
415
416	if (wpa_auth->conf.wpa_group_rekey) {
417		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
418				       wpa_rekey_gtk, wpa_auth, NULL);
419	}
420
421	return wpa_auth;
422}
423
424
425int wpa_init_keys(struct wpa_authenticator *wpa_auth)
426{
427	struct wpa_group *group = wpa_auth->group;
428
429	wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
430		   "keys");
431	wpa_group_sm_step(wpa_auth, group);
432	group->GInit = FALSE;
433	wpa_group_sm_step(wpa_auth, group);
434	return 0;
435}
436
437
438/**
439 * wpa_deinit - Deinitialize WPA authenticator
440 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
441 */
442void wpa_deinit(struct wpa_authenticator *wpa_auth)
443{
444	struct wpa_group *group, *prev;
445
446	eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
447	eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
448
449#ifdef CONFIG_PEERKEY
450	while (wpa_auth->stsl_negotiations)
451		wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
452#endif /* CONFIG_PEERKEY */
453
454	pmksa_cache_auth_deinit(wpa_auth->pmksa);
455
456#ifdef CONFIG_IEEE80211R
457	wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
458	wpa_auth->ft_pmk_cache = NULL;
459#endif /* CONFIG_IEEE80211R */
460
461	os_free(wpa_auth->wpa_ie);
462
463	group = wpa_auth->group;
464	while (group) {
465		prev = group;
466		group = group->next;
467		os_free(prev);
468	}
469
470	os_free(wpa_auth);
471}
472
473
474/**
475 * wpa_reconfig - Update WPA authenticator configuration
476 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
477 * @conf: Configuration for WPA authenticator
478 */
479int wpa_reconfig(struct wpa_authenticator *wpa_auth,
480		 struct wpa_auth_config *conf)
481{
482	struct wpa_group *group;
483	if (wpa_auth == NULL)
484		return 0;
485
486	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
487	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
488		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
489		return -1;
490	}
491
492	/*
493	 * Reinitialize GTK to make sure it is suitable for the new
494	 * configuration.
495	 */
496	group = wpa_auth->group;
497	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
498	group->GInit = TRUE;
499	wpa_group_sm_step(wpa_auth, group);
500	group->GInit = FALSE;
501	wpa_group_sm_step(wpa_auth, group);
502
503	return 0;
504}
505
506
507struct wpa_state_machine *
508wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr)
509{
510	struct wpa_state_machine *sm;
511
512	sm = os_zalloc(sizeof(struct wpa_state_machine));
513	if (sm == NULL)
514		return NULL;
515	os_memcpy(sm->addr, addr, ETH_ALEN);
516
517	sm->wpa_auth = wpa_auth;
518	sm->group = wpa_auth->group;
519
520	return sm;
521}
522
523
524int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
525			    struct wpa_state_machine *sm)
526{
527	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
528		return -1;
529
530#ifdef CONFIG_IEEE80211R
531	if (sm->ft_completed) {
532		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
533				"FT authentication already completed - do not "
534				"start 4-way handshake");
535		return 0;
536	}
537#endif /* CONFIG_IEEE80211R */
538
539	if (sm->started) {
540		os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
541		sm->ReAuthenticationRequest = TRUE;
542		return wpa_sm_step(sm);
543	}
544
545	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
546			"start authentication");
547	sm->started = 1;
548
549	sm->Init = TRUE;
550	if (wpa_sm_step(sm) == 1)
551		return 1; /* should not really happen */
552	sm->Init = FALSE;
553	sm->AuthenticationRequest = TRUE;
554	return wpa_sm_step(sm);
555}
556
557
558void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
559{
560	/* WPA/RSN was not used - clear WPA state. This is needed if the STA
561	 * reassociates back to the same AP while the previous entry for the
562	 * STA has not yet been removed. */
563	if (sm == NULL)
564		return;
565
566	sm->wpa_key_mgmt = 0;
567}
568
569
570static void wpa_free_sta_sm(struct wpa_state_machine *sm)
571{
572	if (sm->GUpdateStationKeys) {
573		sm->group->GKeyDoneStations--;
574		sm->GUpdateStationKeys = FALSE;
575	}
576#ifdef CONFIG_IEEE80211R
577	os_free(sm->assoc_resp_ftie);
578#endif /* CONFIG_IEEE80211R */
579	os_free(sm->last_rx_eapol_key);
580	os_free(sm->wpa_ie);
581	os_free(sm);
582}
583
584
585void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
586{
587	if (sm == NULL)
588		return;
589
590	if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
591		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
592				"strict rekeying - force GTK rekey since STA "
593				"is leaving");
594		eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
595		eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
596				       NULL);
597	}
598
599	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
600	sm->pending_1_of_4_timeout = 0;
601	eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
602	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
603	if (sm->in_step_loop) {
604		/* Must not free state machine while wpa_sm_step() is running.
605		 * Freeing will be completed in the end of wpa_sm_step(). */
606		wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
607			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
608		sm->pending_deinit = 1;
609	} else
610		wpa_free_sta_sm(sm);
611}
612
613
614static void wpa_request_new_ptk(struct wpa_state_machine *sm)
615{
616	if (sm == NULL)
617		return;
618
619	sm->PTKRequest = TRUE;
620	sm->PTK_valid = 0;
621}
622
623
624static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
625				    const u8 *replay_counter)
626{
627	int i;
628	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
629		if (!ctr[i].valid)
630			break;
631		if (os_memcmp(replay_counter, ctr[i].counter,
632			      WPA_REPLAY_COUNTER_LEN) == 0)
633			return 1;
634	}
635	return 0;
636}
637
638
639static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
640					    const u8 *replay_counter)
641{
642	int i;
643	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
644		if (ctr[i].valid &&
645		    (replay_counter == NULL ||
646		     os_memcmp(replay_counter, ctr[i].counter,
647			       WPA_REPLAY_COUNTER_LEN) == 0))
648			ctr[i].valid = FALSE;
649	}
650}
651
652
653#ifdef CONFIG_IEEE80211R
654static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
655			       struct wpa_state_machine *sm,
656			       struct wpa_eapol_ie_parse *kde)
657{
658	struct wpa_ie_data ie;
659	struct rsn_mdie *mdie;
660
661	if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
662	    ie.num_pmkid != 1 || ie.pmkid == NULL) {
663		wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
664			   "FT 4-way handshake message 2/4");
665		return -1;
666	}
667
668	os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
669	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
670		    sm->sup_pmk_r1_name, PMKID_LEN);
671
672	if (!kde->mdie || !kde->ftie) {
673		wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
674			   "message 2/4", kde->mdie ? "FTIE" : "MDIE");
675		return -1;
676	}
677
678	mdie = (struct rsn_mdie *) (kde->mdie + 2);
679	if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
680	    os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
681		      MOBILITY_DOMAIN_ID_LEN) != 0) {
682		wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
683		return -1;
684	}
685
686	if (sm->assoc_resp_ftie &&
687	    (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
688	     os_memcmp(kde->ftie, sm->assoc_resp_ftie,
689		       2 + sm->assoc_resp_ftie[1]) != 0)) {
690		wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
691		wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
692			    kde->ftie, kde->ftie_len);
693		wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
694			    sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
695		return -1;
696	}
697
698	return 0;
699}
700#endif /* CONFIG_IEEE80211R */
701
702
703static void wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
704				     struct wpa_state_machine *sm, int group)
705{
706	/* Supplicant reported a Michael MIC error */
707	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
708			 "received EAPOL-Key Error Request "
709			 "(STA detected Michael MIC failure (group=%d))",
710			 group);
711
712	if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
713		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
714				"ignore Michael MIC failure report since "
715				"group cipher is not TKIP");
716	} else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
717		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
718				"ignore Michael MIC failure report since "
719				"pairwise cipher is not TKIP");
720	} else {
721		wpa_auth_mic_failure_report(wpa_auth, sm->addr);
722		sm->dot11RSNAStatsTKIPRemoteMICFailures++;
723		wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
724	}
725
726	/*
727	 * Error report is not a request for a new key handshake, but since
728	 * Authenticator may do it, let's change the keys now anyway.
729	 */
730	wpa_request_new_ptk(sm);
731}
732
733
734void wpa_receive(struct wpa_authenticator *wpa_auth,
735		 struct wpa_state_machine *sm,
736		 u8 *data, size_t data_len)
737{
738	struct ieee802_1x_hdr *hdr;
739	struct wpa_eapol_key *key;
740	u16 key_info, key_data_length;
741	enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
742	       SMK_M1, SMK_M3, SMK_ERROR } msg;
743	char *msgtxt;
744	struct wpa_eapol_ie_parse kde;
745	int ft;
746	const u8 *eapol_key_ie;
747	size_t eapol_key_ie_len;
748
749	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
750		return;
751
752	if (data_len < sizeof(*hdr) + sizeof(*key))
753		return;
754
755	hdr = (struct ieee802_1x_hdr *) data;
756	key = (struct wpa_eapol_key *) (hdr + 1);
757	key_info = WPA_GET_BE16(key->key_info);
758	key_data_length = WPA_GET_BE16(key->key_data_length);
759	wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
760		   " key_info=0x%x type=%u key_data_length=%u",
761		   MAC2STR(sm->addr), key_info, key->type, key_data_length);
762	if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
763		wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
764			   "key_data overflow (%d > %lu)",
765			   key_data_length,
766			   (unsigned long) (data_len - sizeof(*hdr) -
767					    sizeof(*key)));
768		return;
769	}
770
771	if (sm->wpa == WPA_VERSION_WPA2) {
772		if (key->type == EAPOL_KEY_TYPE_WPA) {
773			/*
774			 * Some deployed station implementations seem to send
775			 * msg 4/4 with incorrect type value in WPA2 mode.
776			 */
777			wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
778				   "with unexpected WPA type in RSN mode");
779		} else if (key->type != EAPOL_KEY_TYPE_RSN) {
780			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
781				   "unexpected type %d in RSN mode",
782				   key->type);
783			return;
784		}
785	} else {
786		if (key->type != EAPOL_KEY_TYPE_WPA) {
787			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
788				   "unexpected type %d in WPA mode",
789				   key->type);
790			return;
791		}
792	}
793
794	wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
795		    WPA_NONCE_LEN);
796	wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
797		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
798
799	/* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
800	 * are set */
801
802	if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
803	    (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
804		if (key_info & WPA_KEY_INFO_ERROR) {
805			msg = SMK_ERROR;
806			msgtxt = "SMK Error";
807		} else {
808			msg = SMK_M1;
809			msgtxt = "SMK M1";
810		}
811	} else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
812		msg = SMK_M3;
813		msgtxt = "SMK M3";
814	} else if (key_info & WPA_KEY_INFO_REQUEST) {
815		msg = REQUEST;
816		msgtxt = "Request";
817	} else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
818		msg = GROUP_2;
819		msgtxt = "2/2 Group";
820	} else if (key_data_length == 0) {
821		msg = PAIRWISE_4;
822		msgtxt = "4/4 Pairwise";
823	} else {
824		msg = PAIRWISE_2;
825		msgtxt = "2/4 Pairwise";
826	}
827
828	/* TODO: key_info type validation for PeerKey */
829	if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
830	    msg == GROUP_2) {
831		u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
832		if (sm->pairwise == WPA_CIPHER_CCMP ||
833		    sm->pairwise == WPA_CIPHER_GCMP) {
834			if (wpa_use_aes_cmac(sm) &&
835			    ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
836				wpa_auth_logger(wpa_auth, sm->addr,
837						LOGGER_WARNING,
838						"advertised support for "
839						"AES-128-CMAC, but did not "
840						"use it");
841				return;
842			}
843
844			if (!wpa_use_aes_cmac(sm) &&
845			    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
846				wpa_auth_logger(wpa_auth, sm->addr,
847						LOGGER_WARNING,
848						"did not use HMAC-SHA1-AES "
849						"with CCMP/GCMP");
850				return;
851			}
852		}
853	}
854
855	if (key_info & WPA_KEY_INFO_REQUEST) {
856		if (sm->req_replay_counter_used &&
857		    os_memcmp(key->replay_counter, sm->req_replay_counter,
858			      WPA_REPLAY_COUNTER_LEN) <= 0) {
859			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
860					"received EAPOL-Key request with "
861					"replayed counter");
862			return;
863		}
864	}
865
866	if (!(key_info & WPA_KEY_INFO_REQUEST) &&
867	    !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
868		int i;
869
870		if (msg == PAIRWISE_2 &&
871		    wpa_replay_counter_valid(sm->prev_key_replay,
872					     key->replay_counter) &&
873		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
874		    os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
875		{
876			/*
877			 * Some supplicant implementations (e.g., Windows XP
878			 * WZC) update SNonce for each EAPOL-Key 2/4. This
879			 * breaks the workaround on accepting any of the
880			 * pending requests, so allow the SNonce to be updated
881			 * even if we have already sent out EAPOL-Key 3/4.
882			 */
883			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
884					 "Process SNonce update from STA "
885					 "based on retransmitted EAPOL-Key "
886					 "1/4");
887			sm->update_snonce = 1;
888			wpa_replay_counter_mark_invalid(sm->prev_key_replay,
889							key->replay_counter);
890			goto continue_processing;
891		}
892
893		if (msg == PAIRWISE_2 &&
894		    wpa_replay_counter_valid(sm->prev_key_replay,
895					     key->replay_counter) &&
896		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
897			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
898					 "ignore retransmitted EAPOL-Key %s - "
899					 "SNonce did not change", msgtxt);
900		} else {
901			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
902					 "received EAPOL-Key %s with "
903					 "unexpected replay counter", msgtxt);
904		}
905		for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
906			if (!sm->key_replay[i].valid)
907				break;
908			wpa_hexdump(MSG_DEBUG, "pending replay counter",
909				    sm->key_replay[i].counter,
910				    WPA_REPLAY_COUNTER_LEN);
911		}
912		wpa_hexdump(MSG_DEBUG, "received replay counter",
913			    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
914		return;
915	}
916
917continue_processing:
918	switch (msg) {
919	case PAIRWISE_2:
920		if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
921		    sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
922		    (!sm->update_snonce ||
923		     sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
924			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
925					 "received EAPOL-Key msg 2/4 in "
926					 "invalid state (%d) - dropped",
927					 sm->wpa_ptk_state);
928			return;
929		}
930		random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
931		if (sm->group->reject_4way_hs_for_entropy) {
932			/*
933			 * The system did not have enough entropy to generate
934			 * strong random numbers. Reject the first 4-way
935			 * handshake(s) and collect some entropy based on the
936			 * information from it. Once enough entropy is
937			 * available, the next atempt will trigger GMK/Key
938			 * Counter update and the station will be allowed to
939			 * continue.
940			 */
941			wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
942				   "collect more entropy for random number "
943				   "generation");
944			random_mark_pool_ready();
945			wpa_sta_disconnect(wpa_auth, sm->addr);
946			return;
947		}
948		if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length,
949				      &kde) < 0) {
950			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
951					 "received EAPOL-Key msg 2/4 with "
952					 "invalid Key Data contents");
953			return;
954		}
955		if (kde.rsn_ie) {
956			eapol_key_ie = kde.rsn_ie;
957			eapol_key_ie_len = kde.rsn_ie_len;
958		} else {
959			eapol_key_ie = kde.wpa_ie;
960			eapol_key_ie_len = kde.wpa_ie_len;
961		}
962		ft = sm->wpa == WPA_VERSION_WPA2 &&
963			wpa_key_mgmt_ft(sm->wpa_key_mgmt);
964		if (sm->wpa_ie == NULL ||
965		    wpa_compare_rsn_ie(ft,
966				       sm->wpa_ie, sm->wpa_ie_len,
967				       eapol_key_ie, eapol_key_ie_len)) {
968			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
969					"WPA IE from (Re)AssocReq did not "
970					"match with msg 2/4");
971			if (sm->wpa_ie) {
972				wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
973					    sm->wpa_ie, sm->wpa_ie_len);
974			}
975			wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
976				    eapol_key_ie, eapol_key_ie_len);
977			/* MLME-DEAUTHENTICATE.request */
978			wpa_sta_disconnect(wpa_auth, sm->addr);
979			return;
980		}
981#ifdef CONFIG_IEEE80211R
982		if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
983			wpa_sta_disconnect(wpa_auth, sm->addr);
984			return;
985		}
986#endif /* CONFIG_IEEE80211R */
987		break;
988	case PAIRWISE_4:
989		if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
990		    !sm->PTK_valid) {
991			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
992					 "received EAPOL-Key msg 4/4 in "
993					 "invalid state (%d) - dropped",
994					 sm->wpa_ptk_state);
995			return;
996		}
997		break;
998	case GROUP_2:
999		if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1000		    || !sm->PTK_valid) {
1001			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1002					 "received EAPOL-Key msg 2/2 in "
1003					 "invalid state (%d) - dropped",
1004					 sm->wpa_ptk_group_state);
1005			return;
1006		}
1007		break;
1008#ifdef CONFIG_PEERKEY
1009	case SMK_M1:
1010	case SMK_M3:
1011	case SMK_ERROR:
1012		if (!wpa_auth->conf.peerkey) {
1013			wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1014				   "PeerKey use disabled - ignoring message");
1015			return;
1016		}
1017		if (!sm->PTK_valid) {
1018			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1019					"received EAPOL-Key msg SMK in "
1020					"invalid state - dropped");
1021			return;
1022		}
1023		break;
1024#else /* CONFIG_PEERKEY */
1025	case SMK_M1:
1026	case SMK_M3:
1027	case SMK_ERROR:
1028		return; /* STSL disabled - ignore SMK messages */
1029#endif /* CONFIG_PEERKEY */
1030	case REQUEST:
1031		break;
1032	}
1033
1034	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1035			 "received EAPOL-Key frame (%s)", msgtxt);
1036
1037	if (key_info & WPA_KEY_INFO_ACK) {
1038		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1039				"received invalid EAPOL-Key: Key Ack set");
1040		return;
1041	}
1042
1043	if (!(key_info & WPA_KEY_INFO_MIC)) {
1044		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1045				"received invalid EAPOL-Key: Key MIC not set");
1046		return;
1047	}
1048
1049	sm->MICVerified = FALSE;
1050	if (sm->PTK_valid && !sm->update_snonce) {
1051		if (wpa_verify_key_mic(&sm->PTK, data, data_len)) {
1052			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1053					"received EAPOL-Key with invalid MIC");
1054			return;
1055		}
1056		sm->MICVerified = TRUE;
1057		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1058		sm->pending_1_of_4_timeout = 0;
1059	}
1060
1061	if (key_info & WPA_KEY_INFO_REQUEST) {
1062		if (sm->MICVerified) {
1063			sm->req_replay_counter_used = 1;
1064			os_memcpy(sm->req_replay_counter, key->replay_counter,
1065				  WPA_REPLAY_COUNTER_LEN);
1066		} else {
1067			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1068					"received EAPOL-Key request with "
1069					"invalid MIC");
1070			return;
1071		}
1072
1073		/*
1074		 * TODO: should decrypt key data field if encryption was used;
1075		 * even though MAC address KDE is not normally encrypted,
1076		 * supplicant is allowed to encrypt it.
1077		 */
1078		if (msg == SMK_ERROR) {
1079#ifdef CONFIG_PEERKEY
1080			wpa_smk_error(wpa_auth, sm, key);
1081#endif /* CONFIG_PEERKEY */
1082			return;
1083		} else if (key_info & WPA_KEY_INFO_ERROR) {
1084			wpa_receive_error_report(
1085				wpa_auth, sm,
1086				!(key_info & WPA_KEY_INFO_KEY_TYPE));
1087		} else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1088			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1089					"received EAPOL-Key Request for new "
1090					"4-Way Handshake");
1091			wpa_request_new_ptk(sm);
1092#ifdef CONFIG_PEERKEY
1093		} else if (msg == SMK_M1) {
1094			wpa_smk_m1(wpa_auth, sm, key);
1095#endif /* CONFIG_PEERKEY */
1096		} else if (key_data_length > 0 &&
1097			   wpa_parse_kde_ies((const u8 *) (key + 1),
1098					     key_data_length, &kde) == 0 &&
1099			   kde.mac_addr) {
1100		} else {
1101			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1102					"received EAPOL-Key Request for GTK "
1103					"rekeying");
1104			eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1105			wpa_rekey_gtk(wpa_auth, NULL);
1106		}
1107	} else {
1108		/* Do not allow the same key replay counter to be reused. */
1109		wpa_replay_counter_mark_invalid(sm->key_replay,
1110						key->replay_counter);
1111
1112		if (msg == PAIRWISE_2) {
1113			/*
1114			 * Maintain a copy of the pending EAPOL-Key frames in
1115			 * case the EAPOL-Key frame was retransmitted. This is
1116			 * needed to allow EAPOL-Key msg 2/4 reply to another
1117			 * pending msg 1/4 to update the SNonce to work around
1118			 * unexpected supplicant behavior.
1119			 */
1120			os_memcpy(sm->prev_key_replay, sm->key_replay,
1121				  sizeof(sm->key_replay));
1122		} else {
1123			os_memset(sm->prev_key_replay, 0,
1124				  sizeof(sm->prev_key_replay));
1125		}
1126
1127		/*
1128		 * Make sure old valid counters are not accepted anymore and
1129		 * do not get copied again.
1130		 */
1131		wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1132	}
1133
1134#ifdef CONFIG_PEERKEY
1135	if (msg == SMK_M3) {
1136		wpa_smk_m3(wpa_auth, sm, key);
1137		return;
1138	}
1139#endif /* CONFIG_PEERKEY */
1140
1141	os_free(sm->last_rx_eapol_key);
1142	sm->last_rx_eapol_key = os_malloc(data_len);
1143	if (sm->last_rx_eapol_key == NULL)
1144		return;
1145	os_memcpy(sm->last_rx_eapol_key, data, data_len);
1146	sm->last_rx_eapol_key_len = data_len;
1147
1148	sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1149	sm->EAPOLKeyReceived = TRUE;
1150	sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1151	sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1152	os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1153	wpa_sm_step(sm);
1154}
1155
1156
1157static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1158			  const u8 *gnonce, u8 *gtk, size_t gtk_len)
1159{
1160	u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1161	u8 *pos;
1162	int ret = 0;
1163
1164	/* GTK = PRF-X(GMK, "Group key expansion",
1165	 *	AA || GNonce || Time || random data)
1166	 * The example described in the IEEE 802.11 standard uses only AA and
1167	 * GNonce as inputs here. Add some more entropy since this derivation
1168	 * is done only at the Authenticator and as such, does not need to be
1169	 * exactly same.
1170	 */
1171	os_memcpy(data, addr, ETH_ALEN);
1172	os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1173	pos = data + ETH_ALEN + WPA_NONCE_LEN;
1174	wpa_get_ntp_timestamp(pos);
1175	pos += 8;
1176	if (random_get_bytes(pos, 16) < 0)
1177		ret = -1;
1178
1179#ifdef CONFIG_IEEE80211W
1180	sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
1181#else /* CONFIG_IEEE80211W */
1182	if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1183	    < 0)
1184		ret = -1;
1185#endif /* CONFIG_IEEE80211W */
1186
1187	return ret;
1188}
1189
1190
1191static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1192{
1193	struct wpa_authenticator *wpa_auth = eloop_ctx;
1194	struct wpa_state_machine *sm = timeout_ctx;
1195
1196	sm->pending_1_of_4_timeout = 0;
1197	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1198	sm->TimeoutEvt = TRUE;
1199	wpa_sm_step(sm);
1200}
1201
1202
1203void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1204		      struct wpa_state_machine *sm, int key_info,
1205		      const u8 *key_rsc, const u8 *nonce,
1206		      const u8 *kde, size_t kde_len,
1207		      int keyidx, int encr, int force_version)
1208{
1209	struct ieee802_1x_hdr *hdr;
1210	struct wpa_eapol_key *key;
1211	size_t len;
1212	int alg;
1213	int key_data_len, pad_len = 0;
1214	u8 *buf, *pos;
1215	int version, pairwise;
1216	int i;
1217
1218	len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key);
1219
1220	if (force_version)
1221		version = force_version;
1222	else if (wpa_use_aes_cmac(sm))
1223		version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1224	else if (sm->pairwise != WPA_CIPHER_TKIP)
1225		version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1226	else
1227		version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1228
1229	pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1230
1231	wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1232		   "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1233		   "encr=%d)",
1234		   version,
1235		   (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1236		   (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1237		   (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1238		   (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1239		   pairwise, (unsigned long) kde_len, keyidx, encr);
1240
1241	key_data_len = kde_len;
1242
1243	if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1244	     version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1245		pad_len = key_data_len % 8;
1246		if (pad_len)
1247			pad_len = 8 - pad_len;
1248		key_data_len += pad_len + 8;
1249	}
1250
1251	len += key_data_len;
1252
1253	hdr = os_zalloc(len);
1254	if (hdr == NULL)
1255		return;
1256	hdr->version = wpa_auth->conf.eapol_version;
1257	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1258	hdr->length = host_to_be16(len  - sizeof(*hdr));
1259	key = (struct wpa_eapol_key *) (hdr + 1);
1260
1261	key->type = sm->wpa == WPA_VERSION_WPA2 ?
1262		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1263	key_info |= version;
1264	if (encr && sm->wpa == WPA_VERSION_WPA2)
1265		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1266	if (sm->wpa != WPA_VERSION_WPA2)
1267		key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1268	WPA_PUT_BE16(key->key_info, key_info);
1269
1270	alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1271	WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1272	if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
1273		WPA_PUT_BE16(key->key_length, 0);
1274
1275	/* FIX: STSL: what to use as key_replay_counter? */
1276	for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1277		sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1278		os_memcpy(sm->key_replay[i].counter,
1279			  sm->key_replay[i - 1].counter,
1280			  WPA_REPLAY_COUNTER_LEN);
1281	}
1282	inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1283	os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1284		  WPA_REPLAY_COUNTER_LEN);
1285	sm->key_replay[0].valid = TRUE;
1286
1287	if (nonce)
1288		os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1289
1290	if (key_rsc)
1291		os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1292
1293	if (kde && !encr) {
1294		os_memcpy(key + 1, kde, kde_len);
1295		WPA_PUT_BE16(key->key_data_length, kde_len);
1296	} else if (encr && kde) {
1297		buf = os_zalloc(key_data_len);
1298		if (buf == NULL) {
1299			os_free(hdr);
1300			return;
1301		}
1302		pos = buf;
1303		os_memcpy(pos, kde, kde_len);
1304		pos += kde_len;
1305
1306		if (pad_len)
1307			*pos++ = 0xdd;
1308
1309		wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1310				buf, key_data_len);
1311		if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1312		    version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1313			if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf,
1314				     (u8 *) (key + 1))) {
1315				os_free(hdr);
1316				os_free(buf);
1317				return;
1318			}
1319			WPA_PUT_BE16(key->key_data_length, key_data_len);
1320		} else {
1321			u8 ek[32];
1322			os_memcpy(key->key_iv,
1323				  sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1324			inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1325			os_memcpy(ek, key->key_iv, 16);
1326			os_memcpy(ek + 16, sm->PTK.kek, 16);
1327			os_memcpy(key + 1, buf, key_data_len);
1328			rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len);
1329			WPA_PUT_BE16(key->key_data_length, key_data_len);
1330		}
1331		os_free(buf);
1332	}
1333
1334	if (key_info & WPA_KEY_INFO_MIC) {
1335		if (!sm->PTK_valid) {
1336			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1337					"PTK not valid when sending EAPOL-Key "
1338					"frame");
1339			os_free(hdr);
1340			return;
1341		}
1342		wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len,
1343				  key->key_mic);
1344	}
1345
1346	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1347			   1);
1348	wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1349			    sm->pairwise_set);
1350	os_free(hdr);
1351}
1352
1353
1354static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1355			   struct wpa_state_machine *sm, int key_info,
1356			   const u8 *key_rsc, const u8 *nonce,
1357			   const u8 *kde, size_t kde_len,
1358			   int keyidx, int encr)
1359{
1360	int timeout_ms;
1361	int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1362	int ctr;
1363
1364	if (sm == NULL)
1365		return;
1366
1367	__wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1368			 keyidx, encr, 0);
1369
1370	ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1371	if (ctr == 1 && wpa_auth->conf.tx_status)
1372		timeout_ms = pairwise ? eapol_key_timeout_first :
1373			eapol_key_timeout_first_group;
1374	else
1375		timeout_ms = eapol_key_timeout_subseq;
1376	if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1377		sm->pending_1_of_4_timeout = 1;
1378	wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1379		   "counter %d)", timeout_ms, ctr);
1380	eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1381			       wpa_send_eapol_timeout, wpa_auth, sm);
1382}
1383
1384
1385static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len)
1386{
1387	struct ieee802_1x_hdr *hdr;
1388	struct wpa_eapol_key *key;
1389	u16 key_info;
1390	int ret = 0;
1391	u8 mic[16];
1392
1393	if (data_len < sizeof(*hdr) + sizeof(*key))
1394		return -1;
1395
1396	hdr = (struct ieee802_1x_hdr *) data;
1397	key = (struct wpa_eapol_key *) (hdr + 1);
1398	key_info = WPA_GET_BE16(key->key_info);
1399	os_memcpy(mic, key->key_mic, 16);
1400	os_memset(key->key_mic, 0, 16);
1401	if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK,
1402			      data, data_len, key->key_mic) ||
1403	    os_memcmp(mic, key->key_mic, 16) != 0)
1404		ret = -1;
1405	os_memcpy(key->key_mic, mic, 16);
1406	return ret;
1407}
1408
1409
1410void wpa_remove_ptk(struct wpa_state_machine *sm)
1411{
1412	sm->PTK_valid = FALSE;
1413	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1414	wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
1415	sm->pairwise_set = FALSE;
1416	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1417}
1418
1419
1420int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event)
1421{
1422	int remove_ptk = 1;
1423
1424	if (sm == NULL)
1425		return -1;
1426
1427	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1428			 "event %d notification", event);
1429
1430	switch (event) {
1431	case WPA_AUTH:
1432	case WPA_ASSOC:
1433		break;
1434	case WPA_DEAUTH:
1435	case WPA_DISASSOC:
1436		sm->DeauthenticationRequest = TRUE;
1437		break;
1438	case WPA_REAUTH:
1439	case WPA_REAUTH_EAPOL:
1440		if (!sm->started) {
1441			/*
1442			 * When using WPS, we may end up here if the STA
1443			 * manages to re-associate without the previous STA
1444			 * entry getting removed. Consequently, we need to make
1445			 * sure that the WPA state machines gets initialized
1446			 * properly at this point.
1447			 */
1448			wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1449				   "started - initialize now");
1450			sm->started = 1;
1451			sm->Init = TRUE;
1452			if (wpa_sm_step(sm) == 1)
1453				return 1; /* should not really happen */
1454			sm->Init = FALSE;
1455			sm->AuthenticationRequest = TRUE;
1456			break;
1457		}
1458		if (sm->GUpdateStationKeys) {
1459			/*
1460			 * Reauthentication cancels the pending group key
1461			 * update for this STA.
1462			 */
1463			sm->group->GKeyDoneStations--;
1464			sm->GUpdateStationKeys = FALSE;
1465			sm->PtkGroupInit = TRUE;
1466		}
1467		sm->ReAuthenticationRequest = TRUE;
1468		break;
1469	case WPA_ASSOC_FT:
1470#ifdef CONFIG_IEEE80211R
1471		wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1472			   "after association");
1473		wpa_ft_install_ptk(sm);
1474
1475		/* Using FT protocol, not WPA auth state machine */
1476		sm->ft_completed = 1;
1477		return 0;
1478#else /* CONFIG_IEEE80211R */
1479		break;
1480#endif /* CONFIG_IEEE80211R */
1481	}
1482
1483#ifdef CONFIG_IEEE80211R
1484	sm->ft_completed = 0;
1485#endif /* CONFIG_IEEE80211R */
1486
1487#ifdef CONFIG_IEEE80211W
1488	if (sm->mgmt_frame_prot && event == WPA_AUTH)
1489		remove_ptk = 0;
1490#endif /* CONFIG_IEEE80211W */
1491
1492	if (remove_ptk) {
1493		sm->PTK_valid = FALSE;
1494		os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1495
1496		if (event != WPA_REAUTH_EAPOL)
1497			wpa_remove_ptk(sm);
1498	}
1499
1500	return wpa_sm_step(sm);
1501}
1502
1503
1504SM_STATE(WPA_PTK, INITIALIZE)
1505{
1506	SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1507	if (sm->Init) {
1508		/* Init flag is not cleared here, so avoid busy
1509		 * loop by claiming nothing changed. */
1510		sm->changed = FALSE;
1511	}
1512
1513	sm->keycount = 0;
1514	if (sm->GUpdateStationKeys)
1515		sm->group->GKeyDoneStations--;
1516	sm->GUpdateStationKeys = FALSE;
1517	if (sm->wpa == WPA_VERSION_WPA)
1518		sm->PInitAKeys = FALSE;
1519	if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1520	       * Local AA > Remote AA)) */) {
1521		sm->Pair = TRUE;
1522	}
1523	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1524	wpa_remove_ptk(sm);
1525	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1526	sm->TimeoutCtr = 0;
1527	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1528		wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1529				   WPA_EAPOL_authorized, 0);
1530	}
1531}
1532
1533
1534SM_STATE(WPA_PTK, DISCONNECT)
1535{
1536	SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1537	sm->Disconnect = FALSE;
1538	wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1539}
1540
1541
1542SM_STATE(WPA_PTK, DISCONNECTED)
1543{
1544	SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1545	sm->DeauthenticationRequest = FALSE;
1546}
1547
1548
1549SM_STATE(WPA_PTK, AUTHENTICATION)
1550{
1551	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1552	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1553	sm->PTK_valid = FALSE;
1554	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1555			   1);
1556	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1557	sm->AuthenticationRequest = FALSE;
1558}
1559
1560
1561static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1562				  struct wpa_group *group)
1563{
1564	if (group->first_sta_seen)
1565		return;
1566	/*
1567	 * System has run bit further than at the time hostapd was started
1568	 * potentially very early during boot up. This provides better chances
1569	 * of collecting more randomness on embedded systems. Re-initialize the
1570	 * GMK and Counter here to improve their strength if there was not
1571	 * enough entropy available immediately after system startup.
1572	 */
1573	wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1574		   "station");
1575	if (random_pool_ready() != 1) {
1576		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1577			   "to proceed - reject first 4-way handshake");
1578		group->reject_4way_hs_for_entropy = TRUE;
1579	} else {
1580		group->first_sta_seen = TRUE;
1581		group->reject_4way_hs_for_entropy = FALSE;
1582	}
1583
1584	wpa_group_init_gmk_and_counter(wpa_auth, group);
1585	wpa_gtk_update(wpa_auth, group);
1586	wpa_group_config_group_keys(wpa_auth, group);
1587}
1588
1589
1590SM_STATE(WPA_PTK, AUTHENTICATION2)
1591{
1592	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1593
1594	wpa_group_ensure_init(sm->wpa_auth, sm->group);
1595
1596	/*
1597	 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1598	 * ambiguous. The Authenticator state machine uses a counter that is
1599	 * incremented by one for each 4-way handshake. However, the security
1600	 * analysis of 4-way handshake points out that unpredictable nonces
1601	 * help in preventing precomputation attacks. Instead of the state
1602	 * machine definition, use an unpredictable nonce value here to provide
1603	 * stronger protection against potential precomputation attacks.
1604	 */
1605	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1606		wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1607			   "ANonce.");
1608		wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1609		return;
1610	}
1611	wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1612		    WPA_NONCE_LEN);
1613	sm->ReAuthenticationRequest = FALSE;
1614	/* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1615	 * logical place than INITIALIZE since AUTHENTICATION2 can be
1616	 * re-entered on ReAuthenticationRequest without going through
1617	 * INITIALIZE. */
1618	sm->TimeoutCtr = 0;
1619}
1620
1621
1622SM_STATE(WPA_PTK, INITPMK)
1623{
1624	u8 msk[2 * PMK_LEN];
1625	size_t len = 2 * PMK_LEN;
1626
1627	SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1628#ifdef CONFIG_IEEE80211R
1629	sm->xxkey_len = 0;
1630#endif /* CONFIG_IEEE80211R */
1631	if (sm->pmksa) {
1632		wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1633		os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN);
1634	} else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1635		wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1636			   "(len=%lu)", (unsigned long) len);
1637		os_memcpy(sm->PMK, msk, PMK_LEN);
1638#ifdef CONFIG_IEEE80211R
1639		if (len >= 2 * PMK_LEN) {
1640			os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1641			sm->xxkey_len = PMK_LEN;
1642		}
1643#endif /* CONFIG_IEEE80211R */
1644	} else {
1645		wpa_printf(MSG_DEBUG, "WPA: Could not get PMK");
1646	}
1647
1648	sm->req_replay_counter_used = 0;
1649	/* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1650	 * will break reauthentication since EAPOL state machines may not be
1651	 * get into AUTHENTICATING state that clears keyRun before WPA state
1652	 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1653	 * state and takes PMK from the previously used AAA Key. This will
1654	 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1655	 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1656	 * be good workaround for this issue. */
1657	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1658}
1659
1660
1661SM_STATE(WPA_PTK, INITPSK)
1662{
1663	const u8 *psk;
1664	SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
1665	psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL);
1666	if (psk) {
1667		os_memcpy(sm->PMK, psk, PMK_LEN);
1668#ifdef CONFIG_IEEE80211R
1669		os_memcpy(sm->xxkey, psk, PMK_LEN);
1670		sm->xxkey_len = PMK_LEN;
1671#endif /* CONFIG_IEEE80211R */
1672	}
1673	sm->req_replay_counter_used = 0;
1674}
1675
1676
1677SM_STATE(WPA_PTK, PTKSTART)
1678{
1679	u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
1680	size_t pmkid_len = 0;
1681
1682	SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
1683	sm->PTKRequest = FALSE;
1684	sm->TimeoutEvt = FALSE;
1685
1686	sm->TimeoutCtr++;
1687	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1688		/* No point in sending the EAPOL-Key - we will disconnect
1689		 * immediately following this. */
1690		return;
1691	}
1692
1693	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1694			"sending 1/4 msg of 4-Way Handshake");
1695	/*
1696	 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
1697	 * one possible PSK for this STA.
1698	 */
1699	if (sm->wpa == WPA_VERSION_WPA2 &&
1700	    wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) {
1701		pmkid = buf;
1702		pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
1703		pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
1704		pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
1705		RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
1706		if (sm->pmksa)
1707			os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
1708				  sm->pmksa->pmkid, PMKID_LEN);
1709		else {
1710			/*
1711			 * Calculate PMKID since no PMKSA cache entry was
1712			 * available with pre-calculated PMKID.
1713			 */
1714			rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr,
1715				  sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
1716				  wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
1717		}
1718	}
1719	wpa_send_eapol(sm->wpa_auth, sm,
1720		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
1721		       sm->ANonce, pmkid, pmkid_len, 0, 0);
1722}
1723
1724
1725static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk,
1726			  struct wpa_ptk *ptk)
1727{
1728	size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64;
1729#ifdef CONFIG_IEEE80211R
1730	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
1731		return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len);
1732#endif /* CONFIG_IEEE80211R */
1733
1734	wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion",
1735		       sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce,
1736		       (u8 *) ptk, ptk_len,
1737		       wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
1738
1739	return 0;
1740}
1741
1742
1743SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
1744{
1745	struct wpa_ptk PTK;
1746	int ok = 0;
1747	const u8 *pmk = NULL;
1748
1749	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
1750	sm->EAPOLKeyReceived = FALSE;
1751	sm->update_snonce = FALSE;
1752
1753	/* WPA with IEEE 802.1X: use the derived PMK from EAP
1754	 * WPA-PSK: iterate through possible PSKs and select the one matching
1755	 * the packet */
1756	for (;;) {
1757		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1758			pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, pmk);
1759			if (pmk == NULL)
1760				break;
1761		} else
1762			pmk = sm->PMK;
1763
1764		wpa_derive_ptk(sm, pmk, &PTK);
1765
1766		if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key,
1767				       sm->last_rx_eapol_key_len) == 0) {
1768			ok = 1;
1769			break;
1770		}
1771
1772		if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
1773			break;
1774	}
1775
1776	if (!ok) {
1777		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1778				"invalid MIC in msg 2/4 of 4-Way Handshake");
1779		return;
1780	}
1781
1782#ifdef CONFIG_IEEE80211R
1783	if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1784		/*
1785		 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
1786		 * with the value we derived.
1787		 */
1788		if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name,
1789			      WPA_PMK_NAME_LEN) != 0) {
1790			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1791					"PMKR1Name mismatch in FT 4-way "
1792					"handshake");
1793			wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
1794				    "Supplicant",
1795				    sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
1796			wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1797				    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1798			return;
1799		}
1800	}
1801#endif /* CONFIG_IEEE80211R */
1802
1803	sm->pending_1_of_4_timeout = 0;
1804	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
1805
1806	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1807		/* PSK may have changed from the previous choice, so update
1808		 * state machine data based on whatever PSK was selected here.
1809		 */
1810		os_memcpy(sm->PMK, pmk, PMK_LEN);
1811	}
1812
1813	sm->MICVerified = TRUE;
1814
1815	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
1816	sm->PTK_valid = TRUE;
1817}
1818
1819
1820SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
1821{
1822	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
1823	sm->TimeoutCtr = 0;
1824}
1825
1826
1827#ifdef CONFIG_IEEE80211W
1828
1829static int ieee80211w_kde_len(struct wpa_state_machine *sm)
1830{
1831	if (sm->mgmt_frame_prot) {
1832		return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde);
1833	}
1834
1835	return 0;
1836}
1837
1838
1839static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
1840{
1841	struct wpa_igtk_kde igtk;
1842	struct wpa_group *gsm = sm->group;
1843
1844	if (!sm->mgmt_frame_prot)
1845		return pos;
1846
1847	igtk.keyid[0] = gsm->GN_igtk;
1848	igtk.keyid[1] = 0;
1849	if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
1850	    wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0)
1851		os_memset(igtk.pn, 0, sizeof(igtk.pn));
1852	os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
1853	if (sm->wpa_auth->conf.disable_gtk) {
1854		/*
1855		 * Provide unique random IGTK to each STA to prevent use of
1856		 * IGTK in the BSS.
1857		 */
1858		if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0)
1859			return pos;
1860	}
1861	pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
1862			  (const u8 *) &igtk, sizeof(igtk), NULL, 0);
1863
1864	return pos;
1865}
1866
1867#else /* CONFIG_IEEE80211W */
1868
1869static int ieee80211w_kde_len(struct wpa_state_machine *sm)
1870{
1871	return 0;
1872}
1873
1874
1875static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
1876{
1877	return pos;
1878}
1879
1880#endif /* CONFIG_IEEE80211W */
1881
1882
1883SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
1884{
1885	u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
1886	size_t gtk_len, kde_len;
1887	struct wpa_group *gsm = sm->group;
1888	u8 *wpa_ie;
1889	int wpa_ie_len, secure, keyidx, encr = 0;
1890
1891	SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
1892	sm->TimeoutEvt = FALSE;
1893
1894	sm->TimeoutCtr++;
1895	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1896		/* No point in sending the EAPOL-Key - we will disconnect
1897		 * immediately following this. */
1898		return;
1899	}
1900
1901	/* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
1902	   GTK[GN], IGTK, [FTIE], [TIE * 2])
1903	 */
1904	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
1905	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
1906	/* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
1907	wpa_ie = sm->wpa_auth->wpa_ie;
1908	wpa_ie_len = sm->wpa_auth->wpa_ie_len;
1909	if (sm->wpa == WPA_VERSION_WPA &&
1910	    (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
1911	    wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
1912		/* WPA-only STA, remove RSN IE */
1913		wpa_ie = wpa_ie + wpa_ie[1] + 2;
1914		wpa_ie_len = wpa_ie[1] + 2;
1915	}
1916	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1917			"sending 3/4 msg of 4-Way Handshake");
1918	if (sm->wpa == WPA_VERSION_WPA2) {
1919		/* WPA2 send GTK in the 4-way handshake */
1920		secure = 1;
1921		gtk = gsm->GTK[gsm->GN - 1];
1922		gtk_len = gsm->GTK_len;
1923		if (sm->wpa_auth->conf.disable_gtk) {
1924			/*
1925			 * Provide unique random GTK to each STA to prevent use
1926			 * of GTK in the BSS.
1927			 */
1928			if (random_get_bytes(dummy_gtk, gtk_len) < 0)
1929				return;
1930			gtk = dummy_gtk;
1931		}
1932		keyidx = gsm->GN;
1933		_rsc = rsc;
1934		encr = 1;
1935	} else {
1936		/* WPA does not include GTK in msg 3/4 */
1937		secure = 0;
1938		gtk = NULL;
1939		gtk_len = 0;
1940		keyidx = 0;
1941		_rsc = NULL;
1942		if (sm->rx_eapol_key_secure) {
1943			/*
1944			 * It looks like Windows 7 supplicant tries to use
1945			 * Secure bit in msg 2/4 after having reported Michael
1946			 * MIC failure and it then rejects the 4-way handshake
1947			 * if msg 3/4 does not set Secure bit. Work around this
1948			 * by setting the Secure bit here even in the case of
1949			 * WPA if the supplicant used it first.
1950			 */
1951			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1952					"STA used Secure bit in WPA msg 2/4 - "
1953					"set Secure for 3/4 as workaround");
1954			secure = 1;
1955		}
1956	}
1957
1958	kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
1959	if (gtk)
1960		kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
1961#ifdef CONFIG_IEEE80211R
1962	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1963		kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
1964		kde_len += 300; /* FTIE + 2 * TIE */
1965	}
1966#endif /* CONFIG_IEEE80211R */
1967	kde = os_malloc(kde_len);
1968	if (kde == NULL)
1969		return;
1970
1971	pos = kde;
1972	os_memcpy(pos, wpa_ie, wpa_ie_len);
1973	pos += wpa_ie_len;
1974#ifdef CONFIG_IEEE80211R
1975	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1976		int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name);
1977		if (res < 0) {
1978			wpa_printf(MSG_ERROR, "FT: Failed to insert "
1979				   "PMKR1Name into RSN IE in EAPOL-Key data");
1980			os_free(kde);
1981			return;
1982		}
1983		pos += res;
1984	}
1985#endif /* CONFIG_IEEE80211R */
1986	if (gtk) {
1987		u8 hdr[2];
1988		hdr[0] = keyidx & 0x03;
1989		hdr[1] = 0;
1990		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
1991				  gtk, gtk_len);
1992	}
1993	pos = ieee80211w_kde_add(sm, pos);
1994
1995#ifdef CONFIG_IEEE80211R
1996	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1997		int res;
1998		struct wpa_auth_config *conf;
1999
2000		conf = &sm->wpa_auth->conf;
2001		res = wpa_write_ftie(conf, conf->r0_key_holder,
2002				     conf->r0_key_holder_len,
2003				     NULL, NULL, pos, kde + kde_len - pos,
2004				     NULL, 0);
2005		if (res < 0) {
2006			wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2007				   "into EAPOL-Key Key Data");
2008			os_free(kde);
2009			return;
2010		}
2011		pos += res;
2012
2013		/* TIE[ReassociationDeadline] (TU) */
2014		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2015		*pos++ = 5;
2016		*pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2017		WPA_PUT_LE32(pos, conf->reassociation_deadline);
2018		pos += 4;
2019
2020		/* TIE[KeyLifetime] (seconds) */
2021		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2022		*pos++ = 5;
2023		*pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2024		WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2025		pos += 4;
2026	}
2027#endif /* CONFIG_IEEE80211R */
2028
2029	wpa_send_eapol(sm->wpa_auth, sm,
2030		       (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
2031		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2032		       WPA_KEY_INFO_KEY_TYPE,
2033		       _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2034	os_free(kde);
2035}
2036
2037
2038SM_STATE(WPA_PTK, PTKINITDONE)
2039{
2040	SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2041	sm->EAPOLKeyReceived = FALSE;
2042	if (sm->Pair) {
2043		enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2044		int klen = wpa_cipher_key_len(sm->pairwise);
2045		if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2046				     sm->PTK.tk1, klen)) {
2047			wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2048			return;
2049		}
2050		/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2051		sm->pairwise_set = TRUE;
2052
2053		if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2054			eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2055			eloop_register_timeout(sm->wpa_auth->conf.
2056					       wpa_ptk_rekey, 0, wpa_rekey_ptk,
2057					       sm->wpa_auth, sm);
2058		}
2059
2060		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2061			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2062					   WPA_EAPOL_authorized, 1);
2063		}
2064	}
2065
2066	if (0 /* IBSS == TRUE */) {
2067		sm->keycount++;
2068		if (sm->keycount == 2) {
2069			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2070					   WPA_EAPOL_portValid, 1);
2071		}
2072	} else {
2073		wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2074				   1);
2075	}
2076	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2077	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2078	if (sm->wpa == WPA_VERSION_WPA)
2079		sm->PInitAKeys = TRUE;
2080	else
2081		sm->has_GTK = TRUE;
2082	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2083			 "pairwise key handshake completed (%s)",
2084			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2085
2086#ifdef CONFIG_IEEE80211R
2087	wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
2088#endif /* CONFIG_IEEE80211R */
2089}
2090
2091
2092SM_STEP(WPA_PTK)
2093{
2094	struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2095
2096	if (sm->Init)
2097		SM_ENTER(WPA_PTK, INITIALIZE);
2098	else if (sm->Disconnect
2099		 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2100		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2101				"WPA_PTK: sm->Disconnect");
2102		SM_ENTER(WPA_PTK, DISCONNECT);
2103	}
2104	else if (sm->DeauthenticationRequest)
2105		SM_ENTER(WPA_PTK, DISCONNECTED);
2106	else if (sm->AuthenticationRequest)
2107		SM_ENTER(WPA_PTK, AUTHENTICATION);
2108	else if (sm->ReAuthenticationRequest)
2109		SM_ENTER(WPA_PTK, AUTHENTICATION2);
2110	else if (sm->PTKRequest)
2111		SM_ENTER(WPA_PTK, PTKSTART);
2112	else switch (sm->wpa_ptk_state) {
2113	case WPA_PTK_INITIALIZE:
2114		break;
2115	case WPA_PTK_DISCONNECT:
2116		SM_ENTER(WPA_PTK, DISCONNECTED);
2117		break;
2118	case WPA_PTK_DISCONNECTED:
2119		SM_ENTER(WPA_PTK, INITIALIZE);
2120		break;
2121	case WPA_PTK_AUTHENTICATION:
2122		SM_ENTER(WPA_PTK, AUTHENTICATION2);
2123		break;
2124	case WPA_PTK_AUTHENTICATION2:
2125		if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2126		    wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2127				       WPA_EAPOL_keyRun) > 0)
2128			SM_ENTER(WPA_PTK, INITPMK);
2129		else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
2130			 /* FIX: && 802.1X::keyRun */)
2131			SM_ENTER(WPA_PTK, INITPSK);
2132		break;
2133	case WPA_PTK_INITPMK:
2134		if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2135				       WPA_EAPOL_keyAvailable) > 0)
2136			SM_ENTER(WPA_PTK, PTKSTART);
2137		else {
2138			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2139			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2140					"INITPMK - keyAvailable = false");
2141			SM_ENTER(WPA_PTK, DISCONNECT);
2142		}
2143		break;
2144	case WPA_PTK_INITPSK:
2145		if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL))
2146			SM_ENTER(WPA_PTK, PTKSTART);
2147		else {
2148			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2149					"no PSK configured for the STA");
2150			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2151			SM_ENTER(WPA_PTK, DISCONNECT);
2152		}
2153		break;
2154	case WPA_PTK_PTKSTART:
2155		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2156		    sm->EAPOLKeyPairwise)
2157			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2158		else if (sm->TimeoutCtr >
2159			 (int) dot11RSNAConfigPairwiseUpdateCount) {
2160			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2161			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2162					 "PTKSTART: Retry limit %d reached",
2163					 dot11RSNAConfigPairwiseUpdateCount);
2164			SM_ENTER(WPA_PTK, DISCONNECT);
2165		} else if (sm->TimeoutEvt)
2166			SM_ENTER(WPA_PTK, PTKSTART);
2167		break;
2168	case WPA_PTK_PTKCALCNEGOTIATING:
2169		if (sm->MICVerified)
2170			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
2171		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2172			 sm->EAPOLKeyPairwise)
2173			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2174		else if (sm->TimeoutEvt)
2175			SM_ENTER(WPA_PTK, PTKSTART);
2176		break;
2177	case WPA_PTK_PTKCALCNEGOTIATING2:
2178		SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2179		break;
2180	case WPA_PTK_PTKINITNEGOTIATING:
2181		if (sm->update_snonce)
2182			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2183		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2184			 sm->EAPOLKeyPairwise && sm->MICVerified)
2185			SM_ENTER(WPA_PTK, PTKINITDONE);
2186		else if (sm->TimeoutCtr >
2187			 (int) dot11RSNAConfigPairwiseUpdateCount) {
2188			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2189			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2190					 "PTKINITNEGOTIATING: Retry limit %d "
2191					 "reached",
2192					 dot11RSNAConfigPairwiseUpdateCount);
2193			SM_ENTER(WPA_PTK, DISCONNECT);
2194		} else if (sm->TimeoutEvt)
2195			SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2196		break;
2197	case WPA_PTK_PTKINITDONE:
2198		break;
2199	}
2200}
2201
2202
2203SM_STATE(WPA_PTK_GROUP, IDLE)
2204{
2205	SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
2206	if (sm->Init) {
2207		/* Init flag is not cleared here, so avoid busy
2208		 * loop by claiming nothing changed. */
2209		sm->changed = FALSE;
2210	}
2211	sm->GTimeoutCtr = 0;
2212}
2213
2214
2215SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
2216{
2217	u8 rsc[WPA_KEY_RSC_LEN];
2218	struct wpa_group *gsm = sm->group;
2219	u8 *kde, *pos, hdr[2];
2220	size_t kde_len;
2221	u8 *gtk, dummy_gtk[32];
2222
2223	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
2224
2225	sm->GTimeoutCtr++;
2226	if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
2227		/* No point in sending the EAPOL-Key - we will disconnect
2228		 * immediately following this. */
2229		return;
2230	}
2231
2232	if (sm->wpa == WPA_VERSION_WPA)
2233		sm->PInitAKeys = FALSE;
2234	sm->TimeoutEvt = FALSE;
2235	/* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
2236	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2237	if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
2238		wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2239	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2240			"sending 1/2 msg of Group Key Handshake");
2241
2242	gtk = gsm->GTK[gsm->GN - 1];
2243	if (sm->wpa_auth->conf.disable_gtk) {
2244		/*
2245		 * Provide unique random GTK to each STA to prevent use
2246		 * of GTK in the BSS.
2247		 */
2248		if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
2249			return;
2250		gtk = dummy_gtk;
2251	}
2252	if (sm->wpa == WPA_VERSION_WPA2) {
2253		kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
2254			ieee80211w_kde_len(sm);
2255		kde = os_malloc(kde_len);
2256		if (kde == NULL)
2257			return;
2258
2259		pos = kde;
2260		hdr[0] = gsm->GN & 0x03;
2261		hdr[1] = 0;
2262		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2263				  gtk, gsm->GTK_len);
2264		pos = ieee80211w_kde_add(sm, pos);
2265	} else {
2266		kde = gtk;
2267		pos = kde + gsm->GTK_len;
2268	}
2269
2270	wpa_send_eapol(sm->wpa_auth, sm,
2271		       WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
2272		       WPA_KEY_INFO_ACK |
2273		       (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
2274		       rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1);
2275	if (sm->wpa == WPA_VERSION_WPA2)
2276		os_free(kde);
2277}
2278
2279
2280SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
2281{
2282	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
2283	sm->EAPOLKeyReceived = FALSE;
2284	if (sm->GUpdateStationKeys)
2285		sm->group->GKeyDoneStations--;
2286	sm->GUpdateStationKeys = FALSE;
2287	sm->GTimeoutCtr = 0;
2288	/* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
2289	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2290			 "group key handshake completed (%s)",
2291			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2292	sm->has_GTK = TRUE;
2293}
2294
2295
2296SM_STATE(WPA_PTK_GROUP, KEYERROR)
2297{
2298	SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
2299	if (sm->GUpdateStationKeys)
2300		sm->group->GKeyDoneStations--;
2301	sm->GUpdateStationKeys = FALSE;
2302	sm->Disconnect = TRUE;
2303}
2304
2305
2306SM_STEP(WPA_PTK_GROUP)
2307{
2308	if (sm->Init || sm->PtkGroupInit) {
2309		SM_ENTER(WPA_PTK_GROUP, IDLE);
2310		sm->PtkGroupInit = FALSE;
2311	} else switch (sm->wpa_ptk_group_state) {
2312	case WPA_PTK_GROUP_IDLE:
2313		if (sm->GUpdateStationKeys ||
2314		    (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
2315			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2316		break;
2317	case WPA_PTK_GROUP_REKEYNEGOTIATING:
2318		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2319		    !sm->EAPOLKeyPairwise && sm->MICVerified)
2320			SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
2321		else if (sm->GTimeoutCtr >
2322			 (int) dot11RSNAConfigGroupUpdateCount)
2323			SM_ENTER(WPA_PTK_GROUP, KEYERROR);
2324		else if (sm->TimeoutEvt)
2325			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2326		break;
2327	case WPA_PTK_GROUP_KEYERROR:
2328		SM_ENTER(WPA_PTK_GROUP, IDLE);
2329		break;
2330	case WPA_PTK_GROUP_REKEYESTABLISHED:
2331		SM_ENTER(WPA_PTK_GROUP, IDLE);
2332		break;
2333	}
2334}
2335
2336
2337static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
2338			  struct wpa_group *group)
2339{
2340	int ret = 0;
2341
2342	os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2343	inc_byte_array(group->Counter, WPA_NONCE_LEN);
2344	if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
2345			   wpa_auth->addr, group->GNonce,
2346			   group->GTK[group->GN - 1], group->GTK_len) < 0)
2347		ret = -1;
2348	wpa_hexdump_key(MSG_DEBUG, "GTK",
2349			group->GTK[group->GN - 1], group->GTK_len);
2350
2351#ifdef CONFIG_IEEE80211W
2352	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2353		os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2354		inc_byte_array(group->Counter, WPA_NONCE_LEN);
2355		if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
2356				   wpa_auth->addr, group->GNonce,
2357				   group->IGTK[group->GN_igtk - 4],
2358				   WPA_IGTK_LEN) < 0)
2359			ret = -1;
2360		wpa_hexdump_key(MSG_DEBUG, "IGTK",
2361				group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN);
2362	}
2363#endif /* CONFIG_IEEE80211W */
2364
2365	return ret;
2366}
2367
2368
2369static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
2370			       struct wpa_group *group)
2371{
2372	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2373		   "GTK_INIT (VLAN-ID %d)", group->vlan_id);
2374	group->changed = FALSE; /* GInit is not cleared here; avoid loop */
2375	group->wpa_group_state = WPA_GROUP_GTK_INIT;
2376
2377	/* GTK[0..N] = 0 */
2378	os_memset(group->GTK, 0, sizeof(group->GTK));
2379	group->GN = 1;
2380	group->GM = 2;
2381#ifdef CONFIG_IEEE80211W
2382	group->GN_igtk = 4;
2383	group->GM_igtk = 5;
2384#endif /* CONFIG_IEEE80211W */
2385	/* GTK[GN] = CalcGTK() */
2386	wpa_gtk_update(wpa_auth, group);
2387}
2388
2389
2390static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
2391{
2392	if (ctx != NULL && ctx != sm->group)
2393		return 0;
2394
2395	if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
2396		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2397				"Not in PTKINITDONE; skip Group Key update");
2398		sm->GUpdateStationKeys = FALSE;
2399		return 0;
2400	}
2401	if (sm->GUpdateStationKeys) {
2402		/*
2403		 * This should not really happen, so add a debug log entry.
2404		 * Since we clear the GKeyDoneStations before the loop, the
2405		 * station needs to be counted here anyway.
2406		 */
2407		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2408				"GUpdateStationKeys was already set when "
2409				"marking station for GTK rekeying");
2410	}
2411
2412#ifdef CONFIG_IEEE80211V
2413	/* Do not rekey GTK/IGTK when STA is in wnmsleep */
2414	if (sm->is_wnmsleep)
2415		return 0;
2416#endif /* CONFIG_IEEE80211V */
2417
2418	sm->group->GKeyDoneStations++;
2419	sm->GUpdateStationKeys = TRUE;
2420
2421	wpa_sm_step(sm);
2422	return 0;
2423}
2424
2425
2426#ifdef CONFIG_IEEE80211V
2427/* update GTK when exiting wnmsleep mode */
2428void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
2429{
2430	if (sm->is_wnmsleep)
2431		return;
2432
2433	wpa_group_update_sta(sm, NULL);
2434}
2435
2436
2437void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
2438{
2439	sm->is_wnmsleep = !!flag;
2440}
2441
2442
2443int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2444{
2445	u8 *subelem;
2446	struct wpa_group *gsm = sm->group;
2447	size_t subelem_len, pad_len;
2448	const u8 *key;
2449	size_t key_len;
2450	u8 keybuf[32];
2451
2452	/* GTK subslement */
2453	key_len = gsm->GTK_len;
2454	if (key_len > sizeof(keybuf))
2455		return 0;
2456
2457	/*
2458	 * Pad key for AES Key Wrap if it is not multiple of 8 bytes or is less
2459	 * than 16 bytes.
2460	 */
2461	pad_len = key_len % 8;
2462	if (pad_len)
2463		pad_len = 8 - pad_len;
2464	if (key_len + pad_len < 16)
2465		pad_len += 8;
2466	if (pad_len) {
2467		os_memcpy(keybuf, gsm->GTK[gsm->GN - 1], key_len);
2468		os_memset(keybuf + key_len, 0, pad_len);
2469		keybuf[key_len] = 0xdd;
2470		key_len += pad_len;
2471		key = keybuf;
2472	} else
2473		key = gsm->GTK[gsm->GN - 1];
2474
2475	/*
2476	 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
2477	 * Key[5..32] | 8 padding.
2478	 */
2479	subelem_len = 13 + key_len + 8;
2480	subelem = os_zalloc(subelem_len);
2481	if (subelem == NULL)
2482		return 0;
2483
2484	subelem[0] = WNM_SLEEP_SUBELEM_GTK;
2485	subelem[1] = 11 + key_len + 8;
2486	/* Key ID in B0-B1 of Key Info */
2487	WPA_PUT_LE16(&subelem[2], gsm->GN & 0x03);
2488	subelem[4] = gsm->GTK_len;
2489	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, subelem + 5) != 0)
2490	{
2491		os_free(subelem);
2492		return 0;
2493	}
2494	if (aes_wrap(sm->PTK.kek, key_len / 8, key, subelem + 13)) {
2495		os_free(subelem);
2496		return 0;
2497	}
2498
2499	os_memcpy(pos, subelem, subelem_len);
2500
2501	wpa_hexdump_key(MSG_DEBUG, "Plaintext GTK",
2502			gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2503	os_free(subelem);
2504
2505	return subelem_len;
2506}
2507
2508
2509#ifdef CONFIG_IEEE80211W
2510int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2511{
2512	u8 *subelem, *ptr;
2513	struct wpa_group *gsm = sm->group;
2514	size_t subelem_len;
2515
2516	/* IGTK subelement
2517	 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] |
2518	 * Key[16] | 8 padding */
2519	subelem_len = 1 + 1 + 2 + 6 + WPA_IGTK_LEN + 8;
2520	subelem = os_zalloc(subelem_len);
2521	if (subelem == NULL)
2522		return 0;
2523
2524	ptr = subelem;
2525	*ptr++ = WNM_SLEEP_SUBELEM_IGTK;
2526	*ptr++ = subelem_len - 2;
2527	WPA_PUT_LE16(ptr, gsm->GN_igtk);
2528	ptr += 2;
2529	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, ptr) != 0) {
2530		os_free(subelem);
2531		return 0;
2532	}
2533	ptr += 6;
2534	if (aes_wrap(sm->PTK.kek, WPA_IGTK_LEN / 8,
2535		     gsm->IGTK[gsm->GN_igtk - 4], ptr)) {
2536		os_free(subelem);
2537		return -1;
2538	}
2539
2540	os_memcpy(pos, subelem, subelem_len);
2541
2542	wpa_hexdump_key(MSG_DEBUG, "Plaintext IGTK",
2543			gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
2544	os_free(subelem);
2545
2546	return subelem_len;
2547}
2548#endif /* CONFIG_IEEE80211W */
2549#endif /* CONFIG_IEEE80211V */
2550
2551
2552static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
2553			      struct wpa_group *group)
2554{
2555	int tmp;
2556
2557	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2558		   "SETKEYS (VLAN-ID %d)", group->vlan_id);
2559	group->changed = TRUE;
2560	group->wpa_group_state = WPA_GROUP_SETKEYS;
2561	group->GTKReKey = FALSE;
2562	tmp = group->GM;
2563	group->GM = group->GN;
2564	group->GN = tmp;
2565#ifdef CONFIG_IEEE80211W
2566	tmp = group->GM_igtk;
2567	group->GM_igtk = group->GN_igtk;
2568	group->GN_igtk = tmp;
2569#endif /* CONFIG_IEEE80211W */
2570	/* "GKeyDoneStations = GNoStations" is done in more robust way by
2571	 * counting the STAs that are marked with GUpdateStationKeys instead of
2572	 * including all STAs that could be in not-yet-completed state. */
2573	wpa_gtk_update(wpa_auth, group);
2574
2575	if (group->GKeyDoneStations) {
2576		wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
2577			   "GKeyDoneStations=%d when starting new GTK rekey",
2578			   group->GKeyDoneStations);
2579		group->GKeyDoneStations = 0;
2580	}
2581	wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
2582	wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
2583		   group->GKeyDoneStations);
2584}
2585
2586
2587static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
2588				       struct wpa_group *group)
2589{
2590	int ret = 0;
2591
2592	if (wpa_auth_set_key(wpa_auth, group->vlan_id,
2593			     wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
2594			     broadcast_ether_addr, group->GN,
2595			     group->GTK[group->GN - 1], group->GTK_len) < 0)
2596		ret = -1;
2597
2598#ifdef CONFIG_IEEE80211W
2599	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION &&
2600	    wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK,
2601			     broadcast_ether_addr, group->GN_igtk,
2602			     group->IGTK[group->GN_igtk - 4],
2603			     WPA_IGTK_LEN) < 0)
2604		ret = -1;
2605#endif /* CONFIG_IEEE80211W */
2606
2607	return ret;
2608}
2609
2610
2611static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
2612				 struct wpa_group *group)
2613{
2614	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2615		   "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
2616	group->changed = TRUE;
2617	group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
2618
2619	if (wpa_group_config_group_keys(wpa_auth, group) < 0)
2620		return -1;
2621
2622	return 0;
2623}
2624
2625
2626static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
2627			      struct wpa_group *group)
2628{
2629	if (group->GInit) {
2630		wpa_group_gtk_init(wpa_auth, group);
2631	} else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
2632		   group->GTKAuthenticator) {
2633		wpa_group_setkeysdone(wpa_auth, group);
2634	} else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
2635		   group->GTKReKey) {
2636		wpa_group_setkeys(wpa_auth, group);
2637	} else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
2638		if (group->GKeyDoneStations == 0)
2639			wpa_group_setkeysdone(wpa_auth, group);
2640		else if (group->GTKReKey)
2641			wpa_group_setkeys(wpa_auth, group);
2642	}
2643}
2644
2645
2646static int wpa_sm_step(struct wpa_state_machine *sm)
2647{
2648	if (sm == NULL)
2649		return 0;
2650
2651	if (sm->in_step_loop) {
2652		/* This should not happen, but if it does, make sure we do not
2653		 * end up freeing the state machine too early by exiting the
2654		 * recursive call. */
2655		wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
2656		return 0;
2657	}
2658
2659	sm->in_step_loop = 1;
2660	do {
2661		if (sm->pending_deinit)
2662			break;
2663
2664		sm->changed = FALSE;
2665		sm->wpa_auth->group->changed = FALSE;
2666
2667		SM_STEP_RUN(WPA_PTK);
2668		if (sm->pending_deinit)
2669			break;
2670		SM_STEP_RUN(WPA_PTK_GROUP);
2671		if (sm->pending_deinit)
2672			break;
2673		wpa_group_sm_step(sm->wpa_auth, sm->group);
2674	} while (sm->changed || sm->wpa_auth->group->changed);
2675	sm->in_step_loop = 0;
2676
2677	if (sm->pending_deinit) {
2678		wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
2679			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
2680		wpa_free_sta_sm(sm);
2681		return 1;
2682	}
2683	return 0;
2684}
2685
2686
2687static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
2688{
2689	struct wpa_state_machine *sm = eloop_ctx;
2690	wpa_sm_step(sm);
2691}
2692
2693
2694void wpa_auth_sm_notify(struct wpa_state_machine *sm)
2695{
2696	if (sm == NULL)
2697		return;
2698	eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
2699}
2700
2701
2702void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
2703{
2704	int tmp, i;
2705	struct wpa_group *group;
2706
2707	if (wpa_auth == NULL)
2708		return;
2709
2710	group = wpa_auth->group;
2711
2712	for (i = 0; i < 2; i++) {
2713		tmp = group->GM;
2714		group->GM = group->GN;
2715		group->GN = tmp;
2716#ifdef CONFIG_IEEE80211W
2717		tmp = group->GM_igtk;
2718		group->GM_igtk = group->GN_igtk;
2719		group->GN_igtk = tmp;
2720#endif /* CONFIG_IEEE80211W */
2721		wpa_gtk_update(wpa_auth, group);
2722		wpa_group_config_group_keys(wpa_auth, group);
2723	}
2724}
2725
2726
2727static const char * wpa_bool_txt(int bool)
2728{
2729	return bool ? "TRUE" : "FALSE";
2730}
2731
2732
2733#define RSN_SUITE "%02x-%02x-%02x-%d"
2734#define RSN_SUITE_ARG(s) \
2735((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2736
2737int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
2738{
2739	int len = 0, ret;
2740	char pmkid_txt[PMKID_LEN * 2 + 1];
2741#ifdef CONFIG_RSN_PREAUTH
2742	const int preauth = 1;
2743#else /* CONFIG_RSN_PREAUTH */
2744	const int preauth = 0;
2745#endif /* CONFIG_RSN_PREAUTH */
2746
2747	if (wpa_auth == NULL)
2748		return len;
2749
2750	ret = os_snprintf(buf + len, buflen - len,
2751			  "dot11RSNAOptionImplemented=TRUE\n"
2752			  "dot11RSNAPreauthenticationImplemented=%s\n"
2753			  "dot11RSNAEnabled=%s\n"
2754			  "dot11RSNAPreauthenticationEnabled=%s\n",
2755			  wpa_bool_txt(preauth),
2756			  wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
2757			  wpa_bool_txt(wpa_auth->conf.rsn_preauth));
2758	if (ret < 0 || (size_t) ret >= buflen - len)
2759		return len;
2760	len += ret;
2761
2762	wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2763			 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
2764
2765	ret = os_snprintf(
2766		buf + len, buflen - len,
2767		"dot11RSNAConfigVersion=%u\n"
2768		"dot11RSNAConfigPairwiseKeysSupported=9999\n"
2769		/* FIX: dot11RSNAConfigGroupCipher */
2770		/* FIX: dot11RSNAConfigGroupRekeyMethod */
2771		/* FIX: dot11RSNAConfigGroupRekeyTime */
2772		/* FIX: dot11RSNAConfigGroupRekeyPackets */
2773		"dot11RSNAConfigGroupRekeyStrict=%u\n"
2774		"dot11RSNAConfigGroupUpdateCount=%u\n"
2775		"dot11RSNAConfigPairwiseUpdateCount=%u\n"
2776		"dot11RSNAConfigGroupCipherSize=%u\n"
2777		"dot11RSNAConfigPMKLifetime=%u\n"
2778		"dot11RSNAConfigPMKReauthThreshold=%u\n"
2779		"dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
2780		"dot11RSNAConfigSATimeout=%u\n"
2781		"dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2782		"dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2783		"dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2784		"dot11RSNAPMKIDUsed=%s\n"
2785		"dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2786		"dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2787		"dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2788		"dot11RSNATKIPCounterMeasuresInvoked=%u\n"
2789		"dot11RSNA4WayHandshakeFailures=%u\n"
2790		"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
2791		RSN_VERSION,
2792		!!wpa_auth->conf.wpa_strict_rekey,
2793		dot11RSNAConfigGroupUpdateCount,
2794		dot11RSNAConfigPairwiseUpdateCount,
2795		wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
2796		dot11RSNAConfigPMKLifetime,
2797		dot11RSNAConfigPMKReauthThreshold,
2798		dot11RSNAConfigSATimeout,
2799		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
2800		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
2801		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
2802		pmkid_txt,
2803		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
2804		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
2805		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
2806		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
2807		wpa_auth->dot11RSNA4WayHandshakeFailures);
2808	if (ret < 0 || (size_t) ret >= buflen - len)
2809		return len;
2810	len += ret;
2811
2812	/* TODO: dot11RSNAConfigPairwiseCiphersTable */
2813	/* TODO: dot11RSNAConfigAuthenticationSuitesTable */
2814
2815	/* Private MIB */
2816	ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
2817			  wpa_auth->group->wpa_group_state);
2818	if (ret < 0 || (size_t) ret >= buflen - len)
2819		return len;
2820	len += ret;
2821
2822	return len;
2823}
2824
2825
2826int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
2827{
2828	int len = 0, ret;
2829	u32 pairwise = 0;
2830
2831	if (sm == NULL)
2832		return 0;
2833
2834	/* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
2835
2836	/* dot11RSNAStatsEntry */
2837
2838	pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
2839				       WPA_PROTO_RSN : WPA_PROTO_WPA,
2840				       sm->pairwise);
2841	if (pairwise == 0)
2842		return 0;
2843
2844	ret = os_snprintf(
2845		buf + len, buflen - len,
2846		/* TODO: dot11RSNAStatsIndex */
2847		"dot11RSNAStatsSTAAddress=" MACSTR "\n"
2848		"dot11RSNAStatsVersion=1\n"
2849		"dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
2850		/* TODO: dot11RSNAStatsTKIPICVErrors */
2851		"dot11RSNAStatsTKIPLocalMICFailures=%u\n"
2852		"dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
2853		/* TODO: dot11RSNAStatsCCMPReplays */
2854		/* TODO: dot11RSNAStatsCCMPDecryptErrors */
2855		/* TODO: dot11RSNAStatsTKIPReplays */,
2856		MAC2STR(sm->addr),
2857		RSN_SUITE_ARG(pairwise),
2858		sm->dot11RSNAStatsTKIPLocalMICFailures,
2859		sm->dot11RSNAStatsTKIPRemoteMICFailures);
2860	if (ret < 0 || (size_t) ret >= buflen - len)
2861		return len;
2862	len += ret;
2863
2864	/* Private MIB */
2865	ret = os_snprintf(buf + len, buflen - len,
2866			  "hostapdWPAPTKState=%d\n"
2867			  "hostapdWPAPTKGroupState=%d\n",
2868			  sm->wpa_ptk_state,
2869			  sm->wpa_ptk_group_state);
2870	if (ret < 0 || (size_t) ret >= buflen - len)
2871		return len;
2872	len += ret;
2873
2874	return len;
2875}
2876
2877
2878void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
2879{
2880	if (wpa_auth)
2881		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
2882}
2883
2884
2885int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
2886{
2887	return sm && sm->pairwise_set;
2888}
2889
2890
2891int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
2892{
2893	return sm->pairwise;
2894}
2895
2896
2897int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
2898{
2899	if (sm == NULL)
2900		return -1;
2901	return sm->wpa_key_mgmt;
2902}
2903
2904
2905int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
2906{
2907	if (sm == NULL)
2908		return 0;
2909	return sm->wpa;
2910}
2911
2912
2913int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
2914			     struct rsn_pmksa_cache_entry *entry)
2915{
2916	if (sm == NULL || sm->pmksa != entry)
2917		return -1;
2918	sm->pmksa = NULL;
2919	return 0;
2920}
2921
2922
2923struct rsn_pmksa_cache_entry *
2924wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
2925{
2926	return sm ? sm->pmksa : NULL;
2927}
2928
2929
2930void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
2931{
2932	if (sm)
2933		sm->dot11RSNAStatsTKIPLocalMICFailures++;
2934}
2935
2936
2937const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
2938{
2939	if (wpa_auth == NULL)
2940		return NULL;
2941	*len = wpa_auth->wpa_ie_len;
2942	return wpa_auth->wpa_ie;
2943}
2944
2945
2946int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
2947		       int session_timeout, struct eapol_state_machine *eapol)
2948{
2949	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
2950	    sm->wpa_auth->conf.disable_pmksa_caching)
2951		return -1;
2952
2953	if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
2954				 sm->wpa_auth->addr, sm->addr, session_timeout,
2955				 eapol, sm->wpa_key_mgmt))
2956		return 0;
2957
2958	return -1;
2959}
2960
2961
2962int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
2963			       const u8 *pmk, size_t len, const u8 *sta_addr,
2964			       int session_timeout,
2965			       struct eapol_state_machine *eapol)
2966{
2967	if (wpa_auth == NULL)
2968		return -1;
2969
2970	if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr,
2971				 sta_addr, session_timeout, eapol,
2972				 WPA_KEY_MGMT_IEEE8021X))
2973		return 0;
2974
2975	return -1;
2976}
2977
2978
2979static struct wpa_group *
2980wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
2981{
2982	struct wpa_group *group;
2983
2984	if (wpa_auth == NULL || wpa_auth->group == NULL)
2985		return NULL;
2986
2987	wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
2988		   vlan_id);
2989	group = wpa_group_init(wpa_auth, vlan_id, 0);
2990	if (group == NULL)
2991		return NULL;
2992
2993	group->next = wpa_auth->group->next;
2994	wpa_auth->group->next = group;
2995
2996	return group;
2997}
2998
2999
3000int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
3001{
3002	struct wpa_group *group;
3003
3004	if (sm == NULL || sm->wpa_auth == NULL)
3005		return 0;
3006
3007	group = sm->wpa_auth->group;
3008	while (group) {
3009		if (group->vlan_id == vlan_id)
3010			break;
3011		group = group->next;
3012	}
3013
3014	if (group == NULL) {
3015		group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
3016		if (group == NULL)
3017			return -1;
3018	}
3019
3020	if (sm->group == group)
3021		return 0;
3022
3023	wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
3024		   "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
3025
3026	sm->group = group;
3027	return 0;
3028}
3029
3030
3031void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
3032				  struct wpa_state_machine *sm, int ack)
3033{
3034	if (wpa_auth == NULL || sm == NULL)
3035		return;
3036	wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
3037		   " ack=%d", MAC2STR(sm->addr), ack);
3038	if (sm->pending_1_of_4_timeout && ack) {
3039		/*
3040		 * Some deployed supplicant implementations update their SNonce
3041		 * for each EAPOL-Key 2/4 message even within the same 4-way
3042		 * handshake and then fail to use the first SNonce when
3043		 * deriving the PTK. This results in unsuccessful 4-way
3044		 * handshake whenever the relatively short initial timeout is
3045		 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
3046		 * around this by increasing the timeout now that we know that
3047		 * the station has received the frame.
3048		 */
3049		int timeout_ms = eapol_key_timeout_subseq;
3050		wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
3051			   "timeout by %u ms because of acknowledged frame",
3052			   timeout_ms);
3053		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
3054		eloop_register_timeout(timeout_ms / 1000,
3055				       (timeout_ms % 1000) * 1000,
3056				       wpa_send_eapol_timeout, wpa_auth, sm);
3057	}
3058}
3059