wpa_auth.c revision 9ead16e203b81d44a2d84eadc2901ceeb7daf805
1/*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "utils/includes.h"
10
11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
14#include "utils/bitfield.h"
15#include "common/ieee802_11_defs.h"
16#include "crypto/aes_wrap.h"
17#include "crypto/crypto.h"
18#include "crypto/sha1.h"
19#include "crypto/sha256.h"
20#include "crypto/random.h"
21#include "eapol_auth/eapol_auth_sm.h"
22#include "ap_config.h"
23#include "ieee802_11.h"
24#include "wpa_auth.h"
25#include "pmksa_cache_auth.h"
26#include "wpa_auth_i.h"
27#include "wpa_auth_ie.h"
28
29#define STATE_MACHINE_DATA struct wpa_state_machine
30#define STATE_MACHINE_DEBUG_PREFIX "WPA"
31#define STATE_MACHINE_ADDR sm->addr
32
33
34static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
35static int wpa_sm_step(struct wpa_state_machine *sm);
36static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len);
37static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
38static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
39			      struct wpa_group *group);
40static void wpa_request_new_ptk(struct wpa_state_machine *sm);
41static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
42			  struct wpa_group *group);
43static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
44				       struct wpa_group *group);
45
46static const u32 dot11RSNAConfigGroupUpdateCount = 4;
47static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
48static const u32 eapol_key_timeout_first = 100; /* ms */
49static const u32 eapol_key_timeout_subseq = 1000; /* ms */
50static const u32 eapol_key_timeout_first_group = 500; /* ms */
51
52/* TODO: make these configurable */
53static const int dot11RSNAConfigPMKLifetime = 43200;
54static const int dot11RSNAConfigPMKReauthThreshold = 70;
55static const int dot11RSNAConfigSATimeout = 60;
56
57
58static inline int wpa_auth_mic_failure_report(
59	struct wpa_authenticator *wpa_auth, const u8 *addr)
60{
61	if (wpa_auth->cb.mic_failure_report)
62		return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
63	return 0;
64}
65
66
67static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
68				      const u8 *addr, wpa_eapol_variable var,
69				      int value)
70{
71	if (wpa_auth->cb.set_eapol)
72		wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
73}
74
75
76static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
77				     const u8 *addr, wpa_eapol_variable var)
78{
79	if (wpa_auth->cb.get_eapol == NULL)
80		return -1;
81	return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
82}
83
84
85static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
86					  const u8 *addr,
87					  const u8 *p2p_dev_addr,
88					  const u8 *prev_psk)
89{
90	if (wpa_auth->cb.get_psk == NULL)
91		return NULL;
92	return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr,
93				    prev_psk);
94}
95
96
97static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
98				   const u8 *addr, u8 *msk, size_t *len)
99{
100	if (wpa_auth->cb.get_msk == NULL)
101		return -1;
102	return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
103}
104
105
106static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
107				   int vlan_id,
108				   enum wpa_alg alg, const u8 *addr, int idx,
109				   u8 *key, size_t key_len)
110{
111	if (wpa_auth->cb.set_key == NULL)
112		return -1;
113	return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
114				    key, key_len);
115}
116
117
118static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
119				      const u8 *addr, int idx, u8 *seq)
120{
121	if (wpa_auth->cb.get_seqnum == NULL)
122		return -1;
123	return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
124}
125
126
127static inline int
128wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
129		    const u8 *data, size_t data_len, int encrypt)
130{
131	if (wpa_auth->cb.send_eapol == NULL)
132		return -1;
133	return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
134				       encrypt);
135}
136
137
138int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
139			  int (*cb)(struct wpa_state_machine *sm, void *ctx),
140			  void *cb_ctx)
141{
142	if (wpa_auth->cb.for_each_sta == NULL)
143		return 0;
144	return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
145}
146
147
148int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
149			   int (*cb)(struct wpa_authenticator *a, void *ctx),
150			   void *cb_ctx)
151{
152	if (wpa_auth->cb.for_each_auth == NULL)
153		return 0;
154	return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
155}
156
157
158void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
159		     logger_level level, const char *txt)
160{
161	if (wpa_auth->cb.logger == NULL)
162		return;
163	wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
164}
165
166
167void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
168		      logger_level level, const char *fmt, ...)
169{
170	char *format;
171	int maxlen;
172	va_list ap;
173
174	if (wpa_auth->cb.logger == NULL)
175		return;
176
177	maxlen = os_strlen(fmt) + 100;
178	format = os_malloc(maxlen);
179	if (!format)
180		return;
181
182	va_start(ap, fmt);
183	vsnprintf(format, maxlen, fmt, ap);
184	va_end(ap);
185
186	wpa_auth_logger(wpa_auth, addr, level, format);
187
188	os_free(format);
189}
190
191
192static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
193			       const u8 *addr)
194{
195	if (wpa_auth->cb.disconnect == NULL)
196		return;
197	wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
198	wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
199				WLAN_REASON_PREV_AUTH_NOT_VALID);
200}
201
202
203static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
204{
205	int ret = 0;
206#ifdef CONFIG_IEEE80211R
207	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
208		ret = 1;
209#endif /* CONFIG_IEEE80211R */
210#ifdef CONFIG_IEEE80211W
211	if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
212		ret = 1;
213#endif /* CONFIG_IEEE80211W */
214	if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
215		ret = 1;
216	return ret;
217}
218
219
220static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
221{
222	struct wpa_authenticator *wpa_auth = eloop_ctx;
223
224	if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
225		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
226			   "initialization.");
227	} else {
228		wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
229		wpa_hexdump_key(MSG_DEBUG, "GMK",
230				wpa_auth->group->GMK, WPA_GMK_LEN);
231	}
232
233	if (wpa_auth->conf.wpa_gmk_rekey) {
234		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
235				       wpa_rekey_gmk, wpa_auth, NULL);
236	}
237}
238
239
240static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
241{
242	struct wpa_authenticator *wpa_auth = eloop_ctx;
243	struct wpa_group *group;
244
245	wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
246	for (group = wpa_auth->group; group; group = group->next) {
247		group->GTKReKey = TRUE;
248		do {
249			group->changed = FALSE;
250			wpa_group_sm_step(wpa_auth, group);
251		} while (group->changed);
252	}
253
254	if (wpa_auth->conf.wpa_group_rekey) {
255		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
256				       0, wpa_rekey_gtk, wpa_auth, NULL);
257	}
258}
259
260
261static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
262{
263	struct wpa_authenticator *wpa_auth = eloop_ctx;
264	struct wpa_state_machine *sm = timeout_ctx;
265
266	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
267	wpa_request_new_ptk(sm);
268	wpa_sm_step(sm);
269}
270
271
272static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
273{
274	if (sm->pmksa == ctx)
275		sm->pmksa = NULL;
276	return 0;
277}
278
279
280static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
281				   void *ctx)
282{
283	struct wpa_authenticator *wpa_auth = ctx;
284	wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
285}
286
287
288static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
289					  struct wpa_group *group)
290{
291	u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
292	u8 rkey[32];
293	unsigned long ptr;
294
295	if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
296		return -1;
297	wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
298
299	/*
300	 * Counter = PRF-256(Random number, "Init Counter",
301	 *                   Local MAC Address || Time)
302	 */
303	os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
304	wpa_get_ntp_timestamp(buf + ETH_ALEN);
305	ptr = (unsigned long) group;
306	os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
307	if (random_get_bytes(rkey, sizeof(rkey)) < 0)
308		return -1;
309
310	if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
311		     group->Counter, WPA_NONCE_LEN) < 0)
312		return -1;
313	wpa_hexdump_key(MSG_DEBUG, "Key Counter",
314			group->Counter, WPA_NONCE_LEN);
315
316	return 0;
317}
318
319
320static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
321					 int vlan_id, int delay_init)
322{
323	struct wpa_group *group;
324
325	group = os_zalloc(sizeof(struct wpa_group));
326	if (group == NULL)
327		return NULL;
328
329	group->GTKAuthenticator = TRUE;
330	group->vlan_id = vlan_id;
331	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
332
333	if (random_pool_ready() != 1) {
334		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
335			   "for secure operations - update keys later when "
336			   "the first station connects");
337	}
338
339	/*
340	 * Set initial GMK/Counter value here. The actual values that will be
341	 * used in negotiations will be set once the first station tries to
342	 * connect. This allows more time for collecting additional randomness
343	 * on embedded devices.
344	 */
345	if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
346		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
347			   "initialization.");
348		os_free(group);
349		return NULL;
350	}
351
352	group->GInit = TRUE;
353	if (delay_init) {
354		wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
355			   "until Beacon frames have been configured");
356		/* Initialization is completed in wpa_init_keys(). */
357	} else {
358		wpa_group_sm_step(wpa_auth, group);
359		group->GInit = FALSE;
360		wpa_group_sm_step(wpa_auth, group);
361	}
362
363	return group;
364}
365
366
367/**
368 * wpa_init - Initialize WPA authenticator
369 * @addr: Authenticator address
370 * @conf: Configuration for WPA authenticator
371 * @cb: Callback functions for WPA authenticator
372 * Returns: Pointer to WPA authenticator data or %NULL on failure
373 */
374struct wpa_authenticator * wpa_init(const u8 *addr,
375				    struct wpa_auth_config *conf,
376				    struct wpa_auth_callbacks *cb)
377{
378	struct wpa_authenticator *wpa_auth;
379
380	wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
381	if (wpa_auth == NULL)
382		return NULL;
383	os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
384	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
385	os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
386
387	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
388		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
389		os_free(wpa_auth);
390		return NULL;
391	}
392
393	wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
394	if (wpa_auth->group == NULL) {
395		os_free(wpa_auth->wpa_ie);
396		os_free(wpa_auth);
397		return NULL;
398	}
399
400	wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
401						wpa_auth);
402	if (wpa_auth->pmksa == NULL) {
403		wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
404		os_free(wpa_auth->wpa_ie);
405		os_free(wpa_auth);
406		return NULL;
407	}
408
409#ifdef CONFIG_IEEE80211R
410	wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
411	if (wpa_auth->ft_pmk_cache == NULL) {
412		wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
413		os_free(wpa_auth->wpa_ie);
414		pmksa_cache_auth_deinit(wpa_auth->pmksa);
415		os_free(wpa_auth);
416		return NULL;
417	}
418#endif /* CONFIG_IEEE80211R */
419
420	if (wpa_auth->conf.wpa_gmk_rekey) {
421		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
422				       wpa_rekey_gmk, wpa_auth, NULL);
423	}
424
425	if (wpa_auth->conf.wpa_group_rekey) {
426		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
427				       wpa_rekey_gtk, wpa_auth, NULL);
428	}
429
430#ifdef CONFIG_P2P
431	if (WPA_GET_BE32(conf->ip_addr_start)) {
432		int count = WPA_GET_BE32(conf->ip_addr_end) -
433			WPA_GET_BE32(conf->ip_addr_start) + 1;
434		if (count > 1000)
435			count = 1000;
436		if (count > 0)
437			wpa_auth->ip_pool = bitfield_alloc(count);
438	}
439#endif /* CONFIG_P2P */
440
441	return wpa_auth;
442}
443
444
445int wpa_init_keys(struct wpa_authenticator *wpa_auth)
446{
447	struct wpa_group *group = wpa_auth->group;
448
449	wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
450		   "keys");
451	wpa_group_sm_step(wpa_auth, group);
452	group->GInit = FALSE;
453	wpa_group_sm_step(wpa_auth, group);
454	if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
455		return -1;
456	return 0;
457}
458
459
460/**
461 * wpa_deinit - Deinitialize WPA authenticator
462 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
463 */
464void wpa_deinit(struct wpa_authenticator *wpa_auth)
465{
466	struct wpa_group *group, *prev;
467
468	eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
469	eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
470
471#ifdef CONFIG_PEERKEY
472	while (wpa_auth->stsl_negotiations)
473		wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
474#endif /* CONFIG_PEERKEY */
475
476	pmksa_cache_auth_deinit(wpa_auth->pmksa);
477
478#ifdef CONFIG_IEEE80211R
479	wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
480	wpa_auth->ft_pmk_cache = NULL;
481#endif /* CONFIG_IEEE80211R */
482
483#ifdef CONFIG_P2P
484	bitfield_free(wpa_auth->ip_pool);
485#endif /* CONFIG_P2P */
486
487
488	os_free(wpa_auth->wpa_ie);
489
490	group = wpa_auth->group;
491	while (group) {
492		prev = group;
493		group = group->next;
494		os_free(prev);
495	}
496
497	os_free(wpa_auth);
498}
499
500
501/**
502 * wpa_reconfig - Update WPA authenticator configuration
503 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
504 * @conf: Configuration for WPA authenticator
505 */
506int wpa_reconfig(struct wpa_authenticator *wpa_auth,
507		 struct wpa_auth_config *conf)
508{
509	struct wpa_group *group;
510	if (wpa_auth == NULL)
511		return 0;
512
513	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
514	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
515		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
516		return -1;
517	}
518
519	/*
520	 * Reinitialize GTK to make sure it is suitable for the new
521	 * configuration.
522	 */
523	group = wpa_auth->group;
524	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
525	group->GInit = TRUE;
526	wpa_group_sm_step(wpa_auth, group);
527	group->GInit = FALSE;
528	wpa_group_sm_step(wpa_auth, group);
529
530	return 0;
531}
532
533
534struct wpa_state_machine *
535wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
536		  const u8 *p2p_dev_addr)
537{
538	struct wpa_state_machine *sm;
539
540	if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
541		return NULL;
542
543	sm = os_zalloc(sizeof(struct wpa_state_machine));
544	if (sm == NULL)
545		return NULL;
546	os_memcpy(sm->addr, addr, ETH_ALEN);
547	if (p2p_dev_addr)
548		os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
549
550	sm->wpa_auth = wpa_auth;
551	sm->group = wpa_auth->group;
552
553	return sm;
554}
555
556
557int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
558			    struct wpa_state_machine *sm)
559{
560	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
561		return -1;
562
563#ifdef CONFIG_IEEE80211R
564	if (sm->ft_completed) {
565		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
566				"FT authentication already completed - do not "
567				"start 4-way handshake");
568		/* Go to PTKINITDONE state to allow GTK rekeying */
569		sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
570		return 0;
571	}
572#endif /* CONFIG_IEEE80211R */
573
574	if (sm->started) {
575		os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
576		sm->ReAuthenticationRequest = TRUE;
577		return wpa_sm_step(sm);
578	}
579
580	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
581			"start authentication");
582	sm->started = 1;
583
584	sm->Init = TRUE;
585	if (wpa_sm_step(sm) == 1)
586		return 1; /* should not really happen */
587	sm->Init = FALSE;
588	sm->AuthenticationRequest = TRUE;
589	return wpa_sm_step(sm);
590}
591
592
593void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
594{
595	/* WPA/RSN was not used - clear WPA state. This is needed if the STA
596	 * reassociates back to the same AP while the previous entry for the
597	 * STA has not yet been removed. */
598	if (sm == NULL)
599		return;
600
601	sm->wpa_key_mgmt = 0;
602}
603
604
605static void wpa_free_sta_sm(struct wpa_state_machine *sm)
606{
607#ifdef CONFIG_P2P
608	if (WPA_GET_BE32(sm->ip_addr)) {
609		u32 start;
610		wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
611			   "address %u.%u.%u.%u from " MACSTR,
612			   sm->ip_addr[0], sm->ip_addr[1],
613			   sm->ip_addr[2], sm->ip_addr[3],
614			   MAC2STR(sm->addr));
615		start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
616		bitfield_clear(sm->wpa_auth->ip_pool,
617			       WPA_GET_BE32(sm->ip_addr) - start);
618	}
619#endif /* CONFIG_P2P */
620	if (sm->GUpdateStationKeys) {
621		sm->group->GKeyDoneStations--;
622		sm->GUpdateStationKeys = FALSE;
623	}
624#ifdef CONFIG_IEEE80211R
625	os_free(sm->assoc_resp_ftie);
626	wpabuf_free(sm->ft_pending_req_ies);
627#endif /* CONFIG_IEEE80211R */
628	os_free(sm->last_rx_eapol_key);
629	os_free(sm->wpa_ie);
630	os_free(sm);
631}
632
633
634void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
635{
636	if (sm == NULL)
637		return;
638
639	if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
640		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
641				"strict rekeying - force GTK rekey since STA "
642				"is leaving");
643		eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
644		eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
645				       NULL);
646	}
647
648	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
649	sm->pending_1_of_4_timeout = 0;
650	eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
651	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
652	if (sm->in_step_loop) {
653		/* Must not free state machine while wpa_sm_step() is running.
654		 * Freeing will be completed in the end of wpa_sm_step(). */
655		wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
656			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
657		sm->pending_deinit = 1;
658	} else
659		wpa_free_sta_sm(sm);
660}
661
662
663static void wpa_request_new_ptk(struct wpa_state_machine *sm)
664{
665	if (sm == NULL)
666		return;
667
668	sm->PTKRequest = TRUE;
669	sm->PTK_valid = 0;
670}
671
672
673static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
674				    const u8 *replay_counter)
675{
676	int i;
677	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
678		if (!ctr[i].valid)
679			break;
680		if (os_memcmp(replay_counter, ctr[i].counter,
681			      WPA_REPLAY_COUNTER_LEN) == 0)
682			return 1;
683	}
684	return 0;
685}
686
687
688static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
689					    const u8 *replay_counter)
690{
691	int i;
692	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
693		if (ctr[i].valid &&
694		    (replay_counter == NULL ||
695		     os_memcmp(replay_counter, ctr[i].counter,
696			       WPA_REPLAY_COUNTER_LEN) == 0))
697			ctr[i].valid = FALSE;
698	}
699}
700
701
702#ifdef CONFIG_IEEE80211R
703static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
704			       struct wpa_state_machine *sm,
705			       struct wpa_eapol_ie_parse *kde)
706{
707	struct wpa_ie_data ie;
708	struct rsn_mdie *mdie;
709
710	if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
711	    ie.num_pmkid != 1 || ie.pmkid == NULL) {
712		wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
713			   "FT 4-way handshake message 2/4");
714		return -1;
715	}
716
717	os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
718	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
719		    sm->sup_pmk_r1_name, PMKID_LEN);
720
721	if (!kde->mdie || !kde->ftie) {
722		wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
723			   "message 2/4", kde->mdie ? "FTIE" : "MDIE");
724		return -1;
725	}
726
727	mdie = (struct rsn_mdie *) (kde->mdie + 2);
728	if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
729	    os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
730		      MOBILITY_DOMAIN_ID_LEN) != 0) {
731		wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
732		return -1;
733	}
734
735	if (sm->assoc_resp_ftie &&
736	    (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
737	     os_memcmp(kde->ftie, sm->assoc_resp_ftie,
738		       2 + sm->assoc_resp_ftie[1]) != 0)) {
739		wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
740		wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
741			    kde->ftie, kde->ftie_len);
742		wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
743			    sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
744		return -1;
745	}
746
747	return 0;
748}
749#endif /* CONFIG_IEEE80211R */
750
751
752static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
753				    struct wpa_state_machine *sm, int group)
754{
755	/* Supplicant reported a Michael MIC error */
756	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
757			 "received EAPOL-Key Error Request "
758			 "(STA detected Michael MIC failure (group=%d))",
759			 group);
760
761	if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
762		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
763				"ignore Michael MIC failure report since "
764				"group cipher is not TKIP");
765	} else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
766		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
767				"ignore Michael MIC failure report since "
768				"pairwise cipher is not TKIP");
769	} else {
770		if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
771			return 1; /* STA entry was removed */
772		sm->dot11RSNAStatsTKIPRemoteMICFailures++;
773		wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
774	}
775
776	/*
777	 * Error report is not a request for a new key handshake, but since
778	 * Authenticator may do it, let's change the keys now anyway.
779	 */
780	wpa_request_new_ptk(sm);
781	return 0;
782}
783
784
785void wpa_receive(struct wpa_authenticator *wpa_auth,
786		 struct wpa_state_machine *sm,
787		 u8 *data, size_t data_len)
788{
789	struct ieee802_1x_hdr *hdr;
790	struct wpa_eapol_key *key;
791	u16 key_info, key_data_length;
792	enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
793	       SMK_M1, SMK_M3, SMK_ERROR } msg;
794	char *msgtxt;
795	struct wpa_eapol_ie_parse kde;
796	int ft;
797	const u8 *eapol_key_ie;
798	size_t eapol_key_ie_len;
799
800	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
801		return;
802
803	if (data_len < sizeof(*hdr) + sizeof(*key))
804		return;
805
806	hdr = (struct ieee802_1x_hdr *) data;
807	key = (struct wpa_eapol_key *) (hdr + 1);
808	key_info = WPA_GET_BE16(key->key_info);
809	key_data_length = WPA_GET_BE16(key->key_data_length);
810	wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
811		   " key_info=0x%x type=%u key_data_length=%u",
812		   MAC2STR(sm->addr), key_info, key->type, key_data_length);
813	if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
814		wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
815			   "key_data overflow (%d > %lu)",
816			   key_data_length,
817			   (unsigned long) (data_len - sizeof(*hdr) -
818					    sizeof(*key)));
819		return;
820	}
821
822	if (sm->wpa == WPA_VERSION_WPA2) {
823		if (key->type == EAPOL_KEY_TYPE_WPA) {
824			/*
825			 * Some deployed station implementations seem to send
826			 * msg 4/4 with incorrect type value in WPA2 mode.
827			 */
828			wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
829				   "with unexpected WPA type in RSN mode");
830		} else if (key->type != EAPOL_KEY_TYPE_RSN) {
831			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
832				   "unexpected type %d in RSN mode",
833				   key->type);
834			return;
835		}
836	} else {
837		if (key->type != EAPOL_KEY_TYPE_WPA) {
838			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
839				   "unexpected type %d in WPA mode",
840				   key->type);
841			return;
842		}
843	}
844
845	wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
846		    WPA_NONCE_LEN);
847	wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
848		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
849
850	/* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
851	 * are set */
852
853	if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
854	    (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
855		if (key_info & WPA_KEY_INFO_ERROR) {
856			msg = SMK_ERROR;
857			msgtxt = "SMK Error";
858		} else {
859			msg = SMK_M1;
860			msgtxt = "SMK M1";
861		}
862	} else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
863		msg = SMK_M3;
864		msgtxt = "SMK M3";
865	} else if (key_info & WPA_KEY_INFO_REQUEST) {
866		msg = REQUEST;
867		msgtxt = "Request";
868	} else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
869		msg = GROUP_2;
870		msgtxt = "2/2 Group";
871	} else if (key_data_length == 0) {
872		msg = PAIRWISE_4;
873		msgtxt = "4/4 Pairwise";
874	} else {
875		msg = PAIRWISE_2;
876		msgtxt = "2/4 Pairwise";
877	}
878
879	/* TODO: key_info type validation for PeerKey */
880	if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
881	    msg == GROUP_2) {
882		u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
883		if (sm->pairwise == WPA_CIPHER_CCMP ||
884		    sm->pairwise == WPA_CIPHER_GCMP) {
885			if (wpa_use_aes_cmac(sm) &&
886			    sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
887			    ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
888				wpa_auth_logger(wpa_auth, sm->addr,
889						LOGGER_WARNING,
890						"advertised support for "
891						"AES-128-CMAC, but did not "
892						"use it");
893				return;
894			}
895
896			if (!wpa_use_aes_cmac(sm) &&
897			    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
898				wpa_auth_logger(wpa_auth, sm->addr,
899						LOGGER_WARNING,
900						"did not use HMAC-SHA1-AES "
901						"with CCMP/GCMP");
902				return;
903			}
904		}
905	}
906
907	if (key_info & WPA_KEY_INFO_REQUEST) {
908		if (sm->req_replay_counter_used &&
909		    os_memcmp(key->replay_counter, sm->req_replay_counter,
910			      WPA_REPLAY_COUNTER_LEN) <= 0) {
911			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
912					"received EAPOL-Key request with "
913					"replayed counter");
914			return;
915		}
916	}
917
918	if (!(key_info & WPA_KEY_INFO_REQUEST) &&
919	    !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
920		int i;
921
922		if (msg == PAIRWISE_2 &&
923		    wpa_replay_counter_valid(sm->prev_key_replay,
924					     key->replay_counter) &&
925		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
926		    os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
927		{
928			/*
929			 * Some supplicant implementations (e.g., Windows XP
930			 * WZC) update SNonce for each EAPOL-Key 2/4. This
931			 * breaks the workaround on accepting any of the
932			 * pending requests, so allow the SNonce to be updated
933			 * even if we have already sent out EAPOL-Key 3/4.
934			 */
935			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
936					 "Process SNonce update from STA "
937					 "based on retransmitted EAPOL-Key "
938					 "1/4");
939			sm->update_snonce = 1;
940			wpa_replay_counter_mark_invalid(sm->prev_key_replay,
941							key->replay_counter);
942			goto continue_processing;
943		}
944
945		if (msg == PAIRWISE_2 &&
946		    wpa_replay_counter_valid(sm->prev_key_replay,
947					     key->replay_counter) &&
948		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
949			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
950					 "ignore retransmitted EAPOL-Key %s - "
951					 "SNonce did not change", msgtxt);
952		} else {
953			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
954					 "received EAPOL-Key %s with "
955					 "unexpected replay counter", msgtxt);
956		}
957		for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
958			if (!sm->key_replay[i].valid)
959				break;
960			wpa_hexdump(MSG_DEBUG, "pending replay counter",
961				    sm->key_replay[i].counter,
962				    WPA_REPLAY_COUNTER_LEN);
963		}
964		wpa_hexdump(MSG_DEBUG, "received replay counter",
965			    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
966		return;
967	}
968
969continue_processing:
970	switch (msg) {
971	case PAIRWISE_2:
972		if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
973		    sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
974		    (!sm->update_snonce ||
975		     sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
976			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
977					 "received EAPOL-Key msg 2/4 in "
978					 "invalid state (%d) - dropped",
979					 sm->wpa_ptk_state);
980			return;
981		}
982		random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
983		if (sm->group->reject_4way_hs_for_entropy) {
984			/*
985			 * The system did not have enough entropy to generate
986			 * strong random numbers. Reject the first 4-way
987			 * handshake(s) and collect some entropy based on the
988			 * information from it. Once enough entropy is
989			 * available, the next atempt will trigger GMK/Key
990			 * Counter update and the station will be allowed to
991			 * continue.
992			 */
993			wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
994				   "collect more entropy for random number "
995				   "generation");
996			random_mark_pool_ready();
997			wpa_sta_disconnect(wpa_auth, sm->addr);
998			return;
999		}
1000		if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length,
1001				      &kde) < 0) {
1002			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1003					 "received EAPOL-Key msg 2/4 with "
1004					 "invalid Key Data contents");
1005			return;
1006		}
1007		if (kde.rsn_ie) {
1008			eapol_key_ie = kde.rsn_ie;
1009			eapol_key_ie_len = kde.rsn_ie_len;
1010		} else if (kde.osen) {
1011			eapol_key_ie = kde.osen;
1012			eapol_key_ie_len = kde.osen_len;
1013		} else {
1014			eapol_key_ie = kde.wpa_ie;
1015			eapol_key_ie_len = kde.wpa_ie_len;
1016		}
1017		ft = sm->wpa == WPA_VERSION_WPA2 &&
1018			wpa_key_mgmt_ft(sm->wpa_key_mgmt);
1019		if (sm->wpa_ie == NULL ||
1020		    wpa_compare_rsn_ie(ft,
1021				       sm->wpa_ie, sm->wpa_ie_len,
1022				       eapol_key_ie, eapol_key_ie_len)) {
1023			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1024					"WPA IE from (Re)AssocReq did not "
1025					"match with msg 2/4");
1026			if (sm->wpa_ie) {
1027				wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
1028					    sm->wpa_ie, sm->wpa_ie_len);
1029			}
1030			wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
1031				    eapol_key_ie, eapol_key_ie_len);
1032			/* MLME-DEAUTHENTICATE.request */
1033			wpa_sta_disconnect(wpa_auth, sm->addr);
1034			return;
1035		}
1036#ifdef CONFIG_IEEE80211R
1037		if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
1038			wpa_sta_disconnect(wpa_auth, sm->addr);
1039			return;
1040		}
1041#endif /* CONFIG_IEEE80211R */
1042#ifdef CONFIG_P2P
1043		if (kde.ip_addr_req && kde.ip_addr_req[0] &&
1044		    wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
1045			int idx;
1046			wpa_printf(MSG_DEBUG, "P2P: IP address requested in "
1047				   "EAPOL-Key exchange");
1048			idx = bitfield_get_first_zero(wpa_auth->ip_pool);
1049			if (idx >= 0) {
1050				u32 start = WPA_GET_BE32(wpa_auth->conf.
1051							 ip_addr_start);
1052				bitfield_set(wpa_auth->ip_pool, idx);
1053				WPA_PUT_BE32(sm->ip_addr, start + idx);
1054				wpa_printf(MSG_DEBUG, "P2P: Assigned IP "
1055					   "address %u.%u.%u.%u to " MACSTR,
1056					   sm->ip_addr[0], sm->ip_addr[1],
1057					   sm->ip_addr[2], sm->ip_addr[3],
1058					   MAC2STR(sm->addr));
1059			}
1060		}
1061#endif /* CONFIG_P2P */
1062		break;
1063	case PAIRWISE_4:
1064		if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1065		    !sm->PTK_valid) {
1066			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1067					 "received EAPOL-Key msg 4/4 in "
1068					 "invalid state (%d) - dropped",
1069					 sm->wpa_ptk_state);
1070			return;
1071		}
1072		break;
1073	case GROUP_2:
1074		if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1075		    || !sm->PTK_valid) {
1076			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1077					 "received EAPOL-Key msg 2/2 in "
1078					 "invalid state (%d) - dropped",
1079					 sm->wpa_ptk_group_state);
1080			return;
1081		}
1082		break;
1083#ifdef CONFIG_PEERKEY
1084	case SMK_M1:
1085	case SMK_M3:
1086	case SMK_ERROR:
1087		if (!wpa_auth->conf.peerkey) {
1088			wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1089				   "PeerKey use disabled - ignoring message");
1090			return;
1091		}
1092		if (!sm->PTK_valid) {
1093			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1094					"received EAPOL-Key msg SMK in "
1095					"invalid state - dropped");
1096			return;
1097		}
1098		break;
1099#else /* CONFIG_PEERKEY */
1100	case SMK_M1:
1101	case SMK_M3:
1102	case SMK_ERROR:
1103		return; /* STSL disabled - ignore SMK messages */
1104#endif /* CONFIG_PEERKEY */
1105	case REQUEST:
1106		break;
1107	}
1108
1109	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1110			 "received EAPOL-Key frame (%s)", msgtxt);
1111
1112	if (key_info & WPA_KEY_INFO_ACK) {
1113		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1114				"received invalid EAPOL-Key: Key Ack set");
1115		return;
1116	}
1117
1118	if (!(key_info & WPA_KEY_INFO_MIC)) {
1119		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1120				"received invalid EAPOL-Key: Key MIC not set");
1121		return;
1122	}
1123
1124	sm->MICVerified = FALSE;
1125	if (sm->PTK_valid && !sm->update_snonce) {
1126		if (wpa_verify_key_mic(&sm->PTK, data, data_len)) {
1127			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1128					"received EAPOL-Key with invalid MIC");
1129			return;
1130		}
1131		sm->MICVerified = TRUE;
1132		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1133		sm->pending_1_of_4_timeout = 0;
1134	}
1135
1136	if (key_info & WPA_KEY_INFO_REQUEST) {
1137		if (sm->MICVerified) {
1138			sm->req_replay_counter_used = 1;
1139			os_memcpy(sm->req_replay_counter, key->replay_counter,
1140				  WPA_REPLAY_COUNTER_LEN);
1141		} else {
1142			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1143					"received EAPOL-Key request with "
1144					"invalid MIC");
1145			return;
1146		}
1147
1148		/*
1149		 * TODO: should decrypt key data field if encryption was used;
1150		 * even though MAC address KDE is not normally encrypted,
1151		 * supplicant is allowed to encrypt it.
1152		 */
1153		if (msg == SMK_ERROR) {
1154#ifdef CONFIG_PEERKEY
1155			wpa_smk_error(wpa_auth, sm, key);
1156#endif /* CONFIG_PEERKEY */
1157			return;
1158		} else if (key_info & WPA_KEY_INFO_ERROR) {
1159			if (wpa_receive_error_report(
1160				    wpa_auth, sm,
1161				    !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1162				return; /* STA entry was removed */
1163		} else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1164			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1165					"received EAPOL-Key Request for new "
1166					"4-Way Handshake");
1167			wpa_request_new_ptk(sm);
1168#ifdef CONFIG_PEERKEY
1169		} else if (msg == SMK_M1) {
1170			wpa_smk_m1(wpa_auth, sm, key);
1171#endif /* CONFIG_PEERKEY */
1172		} else if (key_data_length > 0 &&
1173			   wpa_parse_kde_ies((const u8 *) (key + 1),
1174					     key_data_length, &kde) == 0 &&
1175			   kde.mac_addr) {
1176		} else {
1177			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1178					"received EAPOL-Key Request for GTK "
1179					"rekeying");
1180			eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1181			wpa_rekey_gtk(wpa_auth, NULL);
1182		}
1183	} else {
1184		/* Do not allow the same key replay counter to be reused. */
1185		wpa_replay_counter_mark_invalid(sm->key_replay,
1186						key->replay_counter);
1187
1188		if (msg == PAIRWISE_2) {
1189			/*
1190			 * Maintain a copy of the pending EAPOL-Key frames in
1191			 * case the EAPOL-Key frame was retransmitted. This is
1192			 * needed to allow EAPOL-Key msg 2/4 reply to another
1193			 * pending msg 1/4 to update the SNonce to work around
1194			 * unexpected supplicant behavior.
1195			 */
1196			os_memcpy(sm->prev_key_replay, sm->key_replay,
1197				  sizeof(sm->key_replay));
1198		} else {
1199			os_memset(sm->prev_key_replay, 0,
1200				  sizeof(sm->prev_key_replay));
1201		}
1202
1203		/*
1204		 * Make sure old valid counters are not accepted anymore and
1205		 * do not get copied again.
1206		 */
1207		wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1208	}
1209
1210#ifdef CONFIG_PEERKEY
1211	if (msg == SMK_M3) {
1212		wpa_smk_m3(wpa_auth, sm, key);
1213		return;
1214	}
1215#endif /* CONFIG_PEERKEY */
1216
1217	os_free(sm->last_rx_eapol_key);
1218	sm->last_rx_eapol_key = os_malloc(data_len);
1219	if (sm->last_rx_eapol_key == NULL)
1220		return;
1221	os_memcpy(sm->last_rx_eapol_key, data, data_len);
1222	sm->last_rx_eapol_key_len = data_len;
1223
1224	sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1225	sm->EAPOLKeyReceived = TRUE;
1226	sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1227	sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1228	os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1229	wpa_sm_step(sm);
1230}
1231
1232
1233static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1234			  const u8 *gnonce, u8 *gtk, size_t gtk_len)
1235{
1236	u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1237	u8 *pos;
1238	int ret = 0;
1239
1240	/* GTK = PRF-X(GMK, "Group key expansion",
1241	 *	AA || GNonce || Time || random data)
1242	 * The example described in the IEEE 802.11 standard uses only AA and
1243	 * GNonce as inputs here. Add some more entropy since this derivation
1244	 * is done only at the Authenticator and as such, does not need to be
1245	 * exactly same.
1246	 */
1247	os_memcpy(data, addr, ETH_ALEN);
1248	os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1249	pos = data + ETH_ALEN + WPA_NONCE_LEN;
1250	wpa_get_ntp_timestamp(pos);
1251	pos += 8;
1252	if (random_get_bytes(pos, 16) < 0)
1253		ret = -1;
1254
1255#ifdef CONFIG_IEEE80211W
1256	sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
1257#else /* CONFIG_IEEE80211W */
1258	if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1259	    < 0)
1260		ret = -1;
1261#endif /* CONFIG_IEEE80211W */
1262
1263	return ret;
1264}
1265
1266
1267static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1268{
1269	struct wpa_authenticator *wpa_auth = eloop_ctx;
1270	struct wpa_state_machine *sm = timeout_ctx;
1271
1272	sm->pending_1_of_4_timeout = 0;
1273	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1274	sm->TimeoutEvt = TRUE;
1275	wpa_sm_step(sm);
1276}
1277
1278
1279void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1280		      struct wpa_state_machine *sm, int key_info,
1281		      const u8 *key_rsc, const u8 *nonce,
1282		      const u8 *kde, size_t kde_len,
1283		      int keyidx, int encr, int force_version)
1284{
1285	struct ieee802_1x_hdr *hdr;
1286	struct wpa_eapol_key *key;
1287	size_t len;
1288	int alg;
1289	int key_data_len, pad_len = 0;
1290	u8 *buf, *pos;
1291	int version, pairwise;
1292	int i;
1293
1294	len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key);
1295
1296	if (force_version)
1297		version = force_version;
1298	else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
1299		version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1300	else if (wpa_use_aes_cmac(sm))
1301		version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1302	else if (sm->pairwise != WPA_CIPHER_TKIP)
1303		version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1304	else
1305		version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1306
1307	pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1308
1309	wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1310		   "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1311		   "encr=%d)",
1312		   version,
1313		   (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1314		   (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1315		   (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1316		   (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1317		   pairwise, (unsigned long) kde_len, keyidx, encr);
1318
1319	key_data_len = kde_len;
1320
1321	if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1322	     sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1323	     version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1324		pad_len = key_data_len % 8;
1325		if (pad_len)
1326			pad_len = 8 - pad_len;
1327		key_data_len += pad_len + 8;
1328	}
1329
1330	len += key_data_len;
1331
1332	hdr = os_zalloc(len);
1333	if (hdr == NULL)
1334		return;
1335	hdr->version = wpa_auth->conf.eapol_version;
1336	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1337	hdr->length = host_to_be16(len  - sizeof(*hdr));
1338	key = (struct wpa_eapol_key *) (hdr + 1);
1339
1340	key->type = sm->wpa == WPA_VERSION_WPA2 ?
1341		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1342	key_info |= version;
1343	if (encr && sm->wpa == WPA_VERSION_WPA2)
1344		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1345	if (sm->wpa != WPA_VERSION_WPA2)
1346		key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1347	WPA_PUT_BE16(key->key_info, key_info);
1348
1349	alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1350	WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1351	if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
1352		WPA_PUT_BE16(key->key_length, 0);
1353
1354	/* FIX: STSL: what to use as key_replay_counter? */
1355	for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1356		sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1357		os_memcpy(sm->key_replay[i].counter,
1358			  sm->key_replay[i - 1].counter,
1359			  WPA_REPLAY_COUNTER_LEN);
1360	}
1361	inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1362	os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1363		  WPA_REPLAY_COUNTER_LEN);
1364	sm->key_replay[0].valid = TRUE;
1365
1366	if (nonce)
1367		os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1368
1369	if (key_rsc)
1370		os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1371
1372	if (kde && !encr) {
1373		os_memcpy(key + 1, kde, kde_len);
1374		WPA_PUT_BE16(key->key_data_length, kde_len);
1375	} else if (encr && kde) {
1376		buf = os_zalloc(key_data_len);
1377		if (buf == NULL) {
1378			os_free(hdr);
1379			return;
1380		}
1381		pos = buf;
1382		os_memcpy(pos, kde, kde_len);
1383		pos += kde_len;
1384
1385		if (pad_len)
1386			*pos++ = 0xdd;
1387
1388		wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1389				buf, key_data_len);
1390		if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1391		    sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1392		    version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1393			if (aes_wrap(sm->PTK.kek, 16,
1394				     (key_data_len - 8) / 8, buf,
1395				     (u8 *) (key + 1))) {
1396				os_free(hdr);
1397				os_free(buf);
1398				return;
1399			}
1400			WPA_PUT_BE16(key->key_data_length, key_data_len);
1401		} else {
1402			u8 ek[32];
1403			os_memcpy(key->key_iv,
1404				  sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1405			inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1406			os_memcpy(ek, key->key_iv, 16);
1407			os_memcpy(ek + 16, sm->PTK.kek, 16);
1408			os_memcpy(key + 1, buf, key_data_len);
1409			rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len);
1410			WPA_PUT_BE16(key->key_data_length, key_data_len);
1411		}
1412		os_free(buf);
1413	}
1414
1415	if (key_info & WPA_KEY_INFO_MIC) {
1416		if (!sm->PTK_valid) {
1417			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1418					"PTK not valid when sending EAPOL-Key "
1419					"frame");
1420			os_free(hdr);
1421			return;
1422		}
1423		wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len,
1424				  key->key_mic);
1425#ifdef CONFIG_TESTING_OPTIONS
1426		if (!pairwise &&
1427		    wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
1428		    drand48() <
1429		    wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1430			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1431					"Corrupting group EAPOL-Key Key MIC");
1432			key->key_mic[0]++;
1433		}
1434#endif /* CONFIG_TESTING_OPTIONS */
1435	}
1436
1437	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1438			   1);
1439	wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1440			    sm->pairwise_set);
1441	os_free(hdr);
1442}
1443
1444
1445static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1446			   struct wpa_state_machine *sm, int key_info,
1447			   const u8 *key_rsc, const u8 *nonce,
1448			   const u8 *kde, size_t kde_len,
1449			   int keyidx, int encr)
1450{
1451	int timeout_ms;
1452	int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1453	int ctr;
1454
1455	if (sm == NULL)
1456		return;
1457
1458	__wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1459			 keyidx, encr, 0);
1460
1461	ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1462	if (ctr == 1 && wpa_auth->conf.tx_status)
1463		timeout_ms = pairwise ? eapol_key_timeout_first :
1464			eapol_key_timeout_first_group;
1465	else
1466		timeout_ms = eapol_key_timeout_subseq;
1467	if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1468		sm->pending_1_of_4_timeout = 1;
1469	wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1470		   "counter %d)", timeout_ms, ctr);
1471	eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1472			       wpa_send_eapol_timeout, wpa_auth, sm);
1473}
1474
1475
1476static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len)
1477{
1478	struct ieee802_1x_hdr *hdr;
1479	struct wpa_eapol_key *key;
1480	u16 key_info;
1481	int ret = 0;
1482	u8 mic[16];
1483
1484	if (data_len < sizeof(*hdr) + sizeof(*key))
1485		return -1;
1486
1487	hdr = (struct ieee802_1x_hdr *) data;
1488	key = (struct wpa_eapol_key *) (hdr + 1);
1489	key_info = WPA_GET_BE16(key->key_info);
1490	os_memcpy(mic, key->key_mic, 16);
1491	os_memset(key->key_mic, 0, 16);
1492	if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK,
1493			      data, data_len, key->key_mic) ||
1494	    os_memcmp_const(mic, key->key_mic, 16) != 0)
1495		ret = -1;
1496	os_memcpy(key->key_mic, mic, 16);
1497	return ret;
1498}
1499
1500
1501void wpa_remove_ptk(struct wpa_state_machine *sm)
1502{
1503	sm->PTK_valid = FALSE;
1504	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1505	wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
1506	sm->pairwise_set = FALSE;
1507	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1508}
1509
1510
1511int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event)
1512{
1513	int remove_ptk = 1;
1514
1515	if (sm == NULL)
1516		return -1;
1517
1518	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1519			 "event %d notification", event);
1520
1521	switch (event) {
1522	case WPA_AUTH:
1523	case WPA_ASSOC:
1524		break;
1525	case WPA_DEAUTH:
1526	case WPA_DISASSOC:
1527		sm->DeauthenticationRequest = TRUE;
1528		break;
1529	case WPA_REAUTH:
1530	case WPA_REAUTH_EAPOL:
1531		if (!sm->started) {
1532			/*
1533			 * When using WPS, we may end up here if the STA
1534			 * manages to re-associate without the previous STA
1535			 * entry getting removed. Consequently, we need to make
1536			 * sure that the WPA state machines gets initialized
1537			 * properly at this point.
1538			 */
1539			wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1540				   "started - initialize now");
1541			sm->started = 1;
1542			sm->Init = TRUE;
1543			if (wpa_sm_step(sm) == 1)
1544				return 1; /* should not really happen */
1545			sm->Init = FALSE;
1546			sm->AuthenticationRequest = TRUE;
1547			break;
1548		}
1549		if (sm->GUpdateStationKeys) {
1550			/*
1551			 * Reauthentication cancels the pending group key
1552			 * update for this STA.
1553			 */
1554			sm->group->GKeyDoneStations--;
1555			sm->GUpdateStationKeys = FALSE;
1556			sm->PtkGroupInit = TRUE;
1557		}
1558		sm->ReAuthenticationRequest = TRUE;
1559		break;
1560	case WPA_ASSOC_FT:
1561#ifdef CONFIG_IEEE80211R
1562		wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1563			   "after association");
1564		wpa_ft_install_ptk(sm);
1565
1566		/* Using FT protocol, not WPA auth state machine */
1567		sm->ft_completed = 1;
1568		return 0;
1569#else /* CONFIG_IEEE80211R */
1570		break;
1571#endif /* CONFIG_IEEE80211R */
1572	}
1573
1574#ifdef CONFIG_IEEE80211R
1575	sm->ft_completed = 0;
1576#endif /* CONFIG_IEEE80211R */
1577
1578#ifdef CONFIG_IEEE80211W
1579	if (sm->mgmt_frame_prot && event == WPA_AUTH)
1580		remove_ptk = 0;
1581#endif /* CONFIG_IEEE80211W */
1582
1583	if (remove_ptk) {
1584		sm->PTK_valid = FALSE;
1585		os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1586
1587		if (event != WPA_REAUTH_EAPOL)
1588			wpa_remove_ptk(sm);
1589	}
1590
1591	return wpa_sm_step(sm);
1592}
1593
1594
1595SM_STATE(WPA_PTK, INITIALIZE)
1596{
1597	SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1598	if (sm->Init) {
1599		/* Init flag is not cleared here, so avoid busy
1600		 * loop by claiming nothing changed. */
1601		sm->changed = FALSE;
1602	}
1603
1604	sm->keycount = 0;
1605	if (sm->GUpdateStationKeys)
1606		sm->group->GKeyDoneStations--;
1607	sm->GUpdateStationKeys = FALSE;
1608	if (sm->wpa == WPA_VERSION_WPA)
1609		sm->PInitAKeys = FALSE;
1610	if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1611	       * Local AA > Remote AA)) */) {
1612		sm->Pair = TRUE;
1613	}
1614	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1615	wpa_remove_ptk(sm);
1616	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1617	sm->TimeoutCtr = 0;
1618	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1619		wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1620				   WPA_EAPOL_authorized, 0);
1621	}
1622}
1623
1624
1625SM_STATE(WPA_PTK, DISCONNECT)
1626{
1627	SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1628	sm->Disconnect = FALSE;
1629	wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1630}
1631
1632
1633SM_STATE(WPA_PTK, DISCONNECTED)
1634{
1635	SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1636	sm->DeauthenticationRequest = FALSE;
1637}
1638
1639
1640SM_STATE(WPA_PTK, AUTHENTICATION)
1641{
1642	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1643	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1644	sm->PTK_valid = FALSE;
1645	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1646			   1);
1647	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1648	sm->AuthenticationRequest = FALSE;
1649}
1650
1651
1652static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1653				  struct wpa_group *group)
1654{
1655	if (group->first_sta_seen)
1656		return;
1657	/*
1658	 * System has run bit further than at the time hostapd was started
1659	 * potentially very early during boot up. This provides better chances
1660	 * of collecting more randomness on embedded systems. Re-initialize the
1661	 * GMK and Counter here to improve their strength if there was not
1662	 * enough entropy available immediately after system startup.
1663	 */
1664	wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1665		   "station");
1666	if (random_pool_ready() != 1) {
1667		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1668			   "to proceed - reject first 4-way handshake");
1669		group->reject_4way_hs_for_entropy = TRUE;
1670	} else {
1671		group->first_sta_seen = TRUE;
1672		group->reject_4way_hs_for_entropy = FALSE;
1673	}
1674
1675	wpa_group_init_gmk_and_counter(wpa_auth, group);
1676	wpa_gtk_update(wpa_auth, group);
1677	wpa_group_config_group_keys(wpa_auth, group);
1678}
1679
1680
1681SM_STATE(WPA_PTK, AUTHENTICATION2)
1682{
1683	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1684
1685	wpa_group_ensure_init(sm->wpa_auth, sm->group);
1686	sm->ReAuthenticationRequest = FALSE;
1687
1688	/*
1689	 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1690	 * ambiguous. The Authenticator state machine uses a counter that is
1691	 * incremented by one for each 4-way handshake. However, the security
1692	 * analysis of 4-way handshake points out that unpredictable nonces
1693	 * help in preventing precomputation attacks. Instead of the state
1694	 * machine definition, use an unpredictable nonce value here to provide
1695	 * stronger protection against potential precomputation attacks.
1696	 */
1697	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1698		wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1699			   "ANonce.");
1700		sm->Disconnect = TRUE;
1701		return;
1702	}
1703	wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1704		    WPA_NONCE_LEN);
1705	/* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1706	 * logical place than INITIALIZE since AUTHENTICATION2 can be
1707	 * re-entered on ReAuthenticationRequest without going through
1708	 * INITIALIZE. */
1709	sm->TimeoutCtr = 0;
1710}
1711
1712
1713SM_STATE(WPA_PTK, INITPMK)
1714{
1715	u8 msk[2 * PMK_LEN];
1716	size_t len = 2 * PMK_LEN;
1717
1718	SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1719#ifdef CONFIG_IEEE80211R
1720	sm->xxkey_len = 0;
1721#endif /* CONFIG_IEEE80211R */
1722	if (sm->pmksa) {
1723		wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1724		os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN);
1725	} else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1726		wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1727			   "(len=%lu)", (unsigned long) len);
1728		os_memcpy(sm->PMK, msk, PMK_LEN);
1729#ifdef CONFIG_IEEE80211R
1730		if (len >= 2 * PMK_LEN) {
1731			os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1732			sm->xxkey_len = PMK_LEN;
1733		}
1734#endif /* CONFIG_IEEE80211R */
1735	} else {
1736		wpa_printf(MSG_DEBUG, "WPA: Could not get PMK");
1737	}
1738
1739	sm->req_replay_counter_used = 0;
1740	/* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1741	 * will break reauthentication since EAPOL state machines may not be
1742	 * get into AUTHENTICATING state that clears keyRun before WPA state
1743	 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1744	 * state and takes PMK from the previously used AAA Key. This will
1745	 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1746	 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1747	 * be good workaround for this issue. */
1748	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1749}
1750
1751
1752SM_STATE(WPA_PTK, INITPSK)
1753{
1754	const u8 *psk;
1755	SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
1756	psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
1757	if (psk) {
1758		os_memcpy(sm->PMK, psk, PMK_LEN);
1759#ifdef CONFIG_IEEE80211R
1760		os_memcpy(sm->xxkey, psk, PMK_LEN);
1761		sm->xxkey_len = PMK_LEN;
1762#endif /* CONFIG_IEEE80211R */
1763	}
1764	sm->req_replay_counter_used = 0;
1765}
1766
1767
1768SM_STATE(WPA_PTK, PTKSTART)
1769{
1770	u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
1771	size_t pmkid_len = 0;
1772
1773	SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
1774	sm->PTKRequest = FALSE;
1775	sm->TimeoutEvt = FALSE;
1776
1777	sm->TimeoutCtr++;
1778	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1779		/* No point in sending the EAPOL-Key - we will disconnect
1780		 * immediately following this. */
1781		return;
1782	}
1783
1784	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1785			"sending 1/4 msg of 4-Way Handshake");
1786	/*
1787	 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
1788	 * one possible PSK for this STA.
1789	 */
1790	if (sm->wpa == WPA_VERSION_WPA2 &&
1791	    wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
1792	    sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
1793		pmkid = buf;
1794		pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
1795		pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
1796		pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
1797		RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
1798		if (sm->pmksa)
1799			os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
1800				  sm->pmksa->pmkid, PMKID_LEN);
1801		else {
1802			/*
1803			 * Calculate PMKID since no PMKSA cache entry was
1804			 * available with pre-calculated PMKID.
1805			 */
1806			rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr,
1807				  sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
1808				  wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
1809		}
1810	}
1811	wpa_send_eapol(sm->wpa_auth, sm,
1812		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
1813		       sm->ANonce, pmkid, pmkid_len, 0, 0);
1814}
1815
1816
1817static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk,
1818			  struct wpa_ptk *ptk)
1819{
1820	size_t ptk_len = wpa_cipher_key_len(sm->pairwise) + 32;
1821#ifdef CONFIG_IEEE80211R
1822	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
1823		return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len);
1824#endif /* CONFIG_IEEE80211R */
1825
1826	wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion",
1827		       sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce,
1828		       (u8 *) ptk, ptk_len,
1829		       wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
1830
1831	return 0;
1832}
1833
1834
1835SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
1836{
1837	struct wpa_ptk PTK;
1838	int ok = 0;
1839	const u8 *pmk = NULL;
1840
1841	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
1842	sm->EAPOLKeyReceived = FALSE;
1843	sm->update_snonce = FALSE;
1844
1845	/* WPA with IEEE 802.1X: use the derived PMK from EAP
1846	 * WPA-PSK: iterate through possible PSKs and select the one matching
1847	 * the packet */
1848	for (;;) {
1849		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1850			pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
1851					       sm->p2p_dev_addr, pmk);
1852			if (pmk == NULL)
1853				break;
1854		} else
1855			pmk = sm->PMK;
1856
1857		wpa_derive_ptk(sm, pmk, &PTK);
1858
1859		if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key,
1860				       sm->last_rx_eapol_key_len) == 0) {
1861			ok = 1;
1862			break;
1863		}
1864
1865		if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
1866			break;
1867	}
1868
1869	if (!ok) {
1870		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1871				"invalid MIC in msg 2/4 of 4-Way Handshake");
1872		return;
1873	}
1874
1875#ifdef CONFIG_IEEE80211R
1876	if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1877		/*
1878		 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
1879		 * with the value we derived.
1880		 */
1881		if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
1882				    WPA_PMK_NAME_LEN) != 0) {
1883			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1884					"PMKR1Name mismatch in FT 4-way "
1885					"handshake");
1886			wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
1887				    "Supplicant",
1888				    sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
1889			wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1890				    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1891			return;
1892		}
1893	}
1894#endif /* CONFIG_IEEE80211R */
1895
1896	sm->pending_1_of_4_timeout = 0;
1897	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
1898
1899	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1900		/* PSK may have changed from the previous choice, so update
1901		 * state machine data based on whatever PSK was selected here.
1902		 */
1903		os_memcpy(sm->PMK, pmk, PMK_LEN);
1904	}
1905
1906	sm->MICVerified = TRUE;
1907
1908	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
1909	sm->PTK_valid = TRUE;
1910}
1911
1912
1913SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
1914{
1915	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
1916	sm->TimeoutCtr = 0;
1917}
1918
1919
1920#ifdef CONFIG_IEEE80211W
1921
1922static int ieee80211w_kde_len(struct wpa_state_machine *sm)
1923{
1924	if (sm->mgmt_frame_prot) {
1925		size_t len;
1926		len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
1927		return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
1928	}
1929
1930	return 0;
1931}
1932
1933
1934static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
1935{
1936	struct wpa_igtk_kde igtk;
1937	struct wpa_group *gsm = sm->group;
1938	u8 rsc[WPA_KEY_RSC_LEN];
1939	size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
1940
1941	if (!sm->mgmt_frame_prot)
1942		return pos;
1943
1944	igtk.keyid[0] = gsm->GN_igtk;
1945	igtk.keyid[1] = 0;
1946	if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
1947	    wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
1948		os_memset(igtk.pn, 0, sizeof(igtk.pn));
1949	else
1950		os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
1951	os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
1952	if (sm->wpa_auth->conf.disable_gtk) {
1953		/*
1954		 * Provide unique random IGTK to each STA to prevent use of
1955		 * IGTK in the BSS.
1956		 */
1957		if (random_get_bytes(igtk.igtk, len) < 0)
1958			return pos;
1959	}
1960	pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
1961			  (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
1962			  NULL, 0);
1963
1964	return pos;
1965}
1966
1967#else /* CONFIG_IEEE80211W */
1968
1969static int ieee80211w_kde_len(struct wpa_state_machine *sm)
1970{
1971	return 0;
1972}
1973
1974
1975static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
1976{
1977	return pos;
1978}
1979
1980#endif /* CONFIG_IEEE80211W */
1981
1982
1983SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
1984{
1985	u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
1986	size_t gtk_len, kde_len;
1987	struct wpa_group *gsm = sm->group;
1988	u8 *wpa_ie;
1989	int wpa_ie_len, secure, keyidx, encr = 0;
1990
1991	SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
1992	sm->TimeoutEvt = FALSE;
1993
1994	sm->TimeoutCtr++;
1995	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1996		/* No point in sending the EAPOL-Key - we will disconnect
1997		 * immediately following this. */
1998		return;
1999	}
2000
2001	/* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2002	   GTK[GN], IGTK, [FTIE], [TIE * 2])
2003	 */
2004	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2005	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2006	/* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
2007	wpa_ie = sm->wpa_auth->wpa_ie;
2008	wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2009	if (sm->wpa == WPA_VERSION_WPA &&
2010	    (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2011	    wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
2012		/* WPA-only STA, remove RSN IE */
2013		wpa_ie = wpa_ie + wpa_ie[1] + 2;
2014		wpa_ie_len = wpa_ie[1] + 2;
2015	}
2016	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2017			"sending 3/4 msg of 4-Way Handshake");
2018	if (sm->wpa == WPA_VERSION_WPA2) {
2019		/* WPA2 send GTK in the 4-way handshake */
2020		secure = 1;
2021		gtk = gsm->GTK[gsm->GN - 1];
2022		gtk_len = gsm->GTK_len;
2023		if (sm->wpa_auth->conf.disable_gtk) {
2024			/*
2025			 * Provide unique random GTK to each STA to prevent use
2026			 * of GTK in the BSS.
2027			 */
2028			if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2029				return;
2030			gtk = dummy_gtk;
2031		}
2032		keyidx = gsm->GN;
2033		_rsc = rsc;
2034		encr = 1;
2035	} else {
2036		/* WPA does not include GTK in msg 3/4 */
2037		secure = 0;
2038		gtk = NULL;
2039		gtk_len = 0;
2040		keyidx = 0;
2041		_rsc = NULL;
2042		if (sm->rx_eapol_key_secure) {
2043			/*
2044			 * It looks like Windows 7 supplicant tries to use
2045			 * Secure bit in msg 2/4 after having reported Michael
2046			 * MIC failure and it then rejects the 4-way handshake
2047			 * if msg 3/4 does not set Secure bit. Work around this
2048			 * by setting the Secure bit here even in the case of
2049			 * WPA if the supplicant used it first.
2050			 */
2051			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2052					"STA used Secure bit in WPA msg 2/4 - "
2053					"set Secure for 3/4 as workaround");
2054			secure = 1;
2055		}
2056	}
2057
2058	kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2059	if (gtk)
2060		kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
2061#ifdef CONFIG_IEEE80211R
2062	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2063		kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2064		kde_len += 300; /* FTIE + 2 * TIE */
2065	}
2066#endif /* CONFIG_IEEE80211R */
2067#ifdef CONFIG_P2P
2068	if (WPA_GET_BE32(sm->ip_addr) > 0)
2069		kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2070#endif /* CONFIG_P2P */
2071	kde = os_malloc(kde_len);
2072	if (kde == NULL)
2073		return;
2074
2075	pos = kde;
2076	os_memcpy(pos, wpa_ie, wpa_ie_len);
2077	pos += wpa_ie_len;
2078#ifdef CONFIG_IEEE80211R
2079	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2080		int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name);
2081		if (res < 0) {
2082			wpa_printf(MSG_ERROR, "FT: Failed to insert "
2083				   "PMKR1Name into RSN IE in EAPOL-Key data");
2084			os_free(kde);
2085			return;
2086		}
2087		pos += res;
2088	}
2089#endif /* CONFIG_IEEE80211R */
2090	if (gtk) {
2091		u8 hdr[2];
2092		hdr[0] = keyidx & 0x03;
2093		hdr[1] = 0;
2094		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2095				  gtk, gtk_len);
2096	}
2097	pos = ieee80211w_kde_add(sm, pos);
2098
2099#ifdef CONFIG_IEEE80211R
2100	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2101		int res;
2102		struct wpa_auth_config *conf;
2103
2104		conf = &sm->wpa_auth->conf;
2105		res = wpa_write_ftie(conf, conf->r0_key_holder,
2106				     conf->r0_key_holder_len,
2107				     NULL, NULL, pos, kde + kde_len - pos,
2108				     NULL, 0);
2109		if (res < 0) {
2110			wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2111				   "into EAPOL-Key Key Data");
2112			os_free(kde);
2113			return;
2114		}
2115		pos += res;
2116
2117		/* TIE[ReassociationDeadline] (TU) */
2118		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2119		*pos++ = 5;
2120		*pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2121		WPA_PUT_LE32(pos, conf->reassociation_deadline);
2122		pos += 4;
2123
2124		/* TIE[KeyLifetime] (seconds) */
2125		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2126		*pos++ = 5;
2127		*pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2128		WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2129		pos += 4;
2130	}
2131#endif /* CONFIG_IEEE80211R */
2132#ifdef CONFIG_P2P
2133	if (WPA_GET_BE32(sm->ip_addr) > 0) {
2134		u8 addr[3 * 4];
2135		os_memcpy(addr, sm->ip_addr, 4);
2136		os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
2137		os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
2138		pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
2139				  addr, sizeof(addr), NULL, 0);
2140	}
2141#endif /* CONFIG_P2P */
2142
2143	wpa_send_eapol(sm->wpa_auth, sm,
2144		       (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
2145		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2146		       WPA_KEY_INFO_KEY_TYPE,
2147		       _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2148	os_free(kde);
2149}
2150
2151
2152SM_STATE(WPA_PTK, PTKINITDONE)
2153{
2154	SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2155	sm->EAPOLKeyReceived = FALSE;
2156	if (sm->Pair) {
2157		enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2158		int klen = wpa_cipher_key_len(sm->pairwise);
2159		if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2160				     sm->PTK.tk1, klen)) {
2161			wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2162			return;
2163		}
2164		/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2165		sm->pairwise_set = TRUE;
2166
2167		if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2168			eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2169			eloop_register_timeout(sm->wpa_auth->conf.
2170					       wpa_ptk_rekey, 0, wpa_rekey_ptk,
2171					       sm->wpa_auth, sm);
2172		}
2173
2174		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2175			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2176					   WPA_EAPOL_authorized, 1);
2177		}
2178	}
2179
2180	if (0 /* IBSS == TRUE */) {
2181		sm->keycount++;
2182		if (sm->keycount == 2) {
2183			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2184					   WPA_EAPOL_portValid, 1);
2185		}
2186	} else {
2187		wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2188				   1);
2189	}
2190	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2191	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2192	if (sm->wpa == WPA_VERSION_WPA)
2193		sm->PInitAKeys = TRUE;
2194	else
2195		sm->has_GTK = TRUE;
2196	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2197			 "pairwise key handshake completed (%s)",
2198			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2199
2200#ifdef CONFIG_IEEE80211R
2201	wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
2202#endif /* CONFIG_IEEE80211R */
2203}
2204
2205
2206SM_STEP(WPA_PTK)
2207{
2208	struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2209
2210	if (sm->Init)
2211		SM_ENTER(WPA_PTK, INITIALIZE);
2212	else if (sm->Disconnect
2213		 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2214		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2215				"WPA_PTK: sm->Disconnect");
2216		SM_ENTER(WPA_PTK, DISCONNECT);
2217	}
2218	else if (sm->DeauthenticationRequest)
2219		SM_ENTER(WPA_PTK, DISCONNECTED);
2220	else if (sm->AuthenticationRequest)
2221		SM_ENTER(WPA_PTK, AUTHENTICATION);
2222	else if (sm->ReAuthenticationRequest)
2223		SM_ENTER(WPA_PTK, AUTHENTICATION2);
2224	else if (sm->PTKRequest)
2225		SM_ENTER(WPA_PTK, PTKSTART);
2226	else switch (sm->wpa_ptk_state) {
2227	case WPA_PTK_INITIALIZE:
2228		break;
2229	case WPA_PTK_DISCONNECT:
2230		SM_ENTER(WPA_PTK, DISCONNECTED);
2231		break;
2232	case WPA_PTK_DISCONNECTED:
2233		SM_ENTER(WPA_PTK, INITIALIZE);
2234		break;
2235	case WPA_PTK_AUTHENTICATION:
2236		SM_ENTER(WPA_PTK, AUTHENTICATION2);
2237		break;
2238	case WPA_PTK_AUTHENTICATION2:
2239		if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2240		    wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2241				       WPA_EAPOL_keyRun) > 0)
2242			SM_ENTER(WPA_PTK, INITPMK);
2243		else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
2244			 /* FIX: && 802.1X::keyRun */)
2245			SM_ENTER(WPA_PTK, INITPSK);
2246		break;
2247	case WPA_PTK_INITPMK:
2248		if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2249				       WPA_EAPOL_keyAvailable) > 0)
2250			SM_ENTER(WPA_PTK, PTKSTART);
2251		else {
2252			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2253			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2254					"INITPMK - keyAvailable = false");
2255			SM_ENTER(WPA_PTK, DISCONNECT);
2256		}
2257		break;
2258	case WPA_PTK_INITPSK:
2259		if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
2260				     NULL))
2261			SM_ENTER(WPA_PTK, PTKSTART);
2262		else {
2263			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2264					"no PSK configured for the STA");
2265			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2266			SM_ENTER(WPA_PTK, DISCONNECT);
2267		}
2268		break;
2269	case WPA_PTK_PTKSTART:
2270		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2271		    sm->EAPOLKeyPairwise)
2272			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2273		else if (sm->TimeoutCtr >
2274			 (int) dot11RSNAConfigPairwiseUpdateCount) {
2275			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2276			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2277					 "PTKSTART: Retry limit %d reached",
2278					 dot11RSNAConfigPairwiseUpdateCount);
2279			SM_ENTER(WPA_PTK, DISCONNECT);
2280		} else if (sm->TimeoutEvt)
2281			SM_ENTER(WPA_PTK, PTKSTART);
2282		break;
2283	case WPA_PTK_PTKCALCNEGOTIATING:
2284		if (sm->MICVerified)
2285			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
2286		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2287			 sm->EAPOLKeyPairwise)
2288			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2289		else if (sm->TimeoutEvt)
2290			SM_ENTER(WPA_PTK, PTKSTART);
2291		break;
2292	case WPA_PTK_PTKCALCNEGOTIATING2:
2293		SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2294		break;
2295	case WPA_PTK_PTKINITNEGOTIATING:
2296		if (sm->update_snonce)
2297			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2298		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2299			 sm->EAPOLKeyPairwise && sm->MICVerified)
2300			SM_ENTER(WPA_PTK, PTKINITDONE);
2301		else if (sm->TimeoutCtr >
2302			 (int) dot11RSNAConfigPairwiseUpdateCount) {
2303			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2304			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2305					 "PTKINITNEGOTIATING: Retry limit %d "
2306					 "reached",
2307					 dot11RSNAConfigPairwiseUpdateCount);
2308			SM_ENTER(WPA_PTK, DISCONNECT);
2309		} else if (sm->TimeoutEvt)
2310			SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2311		break;
2312	case WPA_PTK_PTKINITDONE:
2313		break;
2314	}
2315}
2316
2317
2318SM_STATE(WPA_PTK_GROUP, IDLE)
2319{
2320	SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
2321	if (sm->Init) {
2322		/* Init flag is not cleared here, so avoid busy
2323		 * loop by claiming nothing changed. */
2324		sm->changed = FALSE;
2325	}
2326	sm->GTimeoutCtr = 0;
2327}
2328
2329
2330SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
2331{
2332	u8 rsc[WPA_KEY_RSC_LEN];
2333	struct wpa_group *gsm = sm->group;
2334	u8 *kde, *pos, hdr[2];
2335	size_t kde_len;
2336	u8 *gtk, dummy_gtk[32];
2337
2338	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
2339
2340	sm->GTimeoutCtr++;
2341	if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
2342		/* No point in sending the EAPOL-Key - we will disconnect
2343		 * immediately following this. */
2344		return;
2345	}
2346
2347	if (sm->wpa == WPA_VERSION_WPA)
2348		sm->PInitAKeys = FALSE;
2349	sm->TimeoutEvt = FALSE;
2350	/* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
2351	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2352	if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
2353		wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2354	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2355			"sending 1/2 msg of Group Key Handshake");
2356
2357	gtk = gsm->GTK[gsm->GN - 1];
2358	if (sm->wpa_auth->conf.disable_gtk) {
2359		/*
2360		 * Provide unique random GTK to each STA to prevent use
2361		 * of GTK in the BSS.
2362		 */
2363		if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
2364			return;
2365		gtk = dummy_gtk;
2366	}
2367	if (sm->wpa == WPA_VERSION_WPA2) {
2368		kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
2369			ieee80211w_kde_len(sm);
2370		kde = os_malloc(kde_len);
2371		if (kde == NULL)
2372			return;
2373
2374		pos = kde;
2375		hdr[0] = gsm->GN & 0x03;
2376		hdr[1] = 0;
2377		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2378				  gtk, gsm->GTK_len);
2379		pos = ieee80211w_kde_add(sm, pos);
2380	} else {
2381		kde = gtk;
2382		pos = kde + gsm->GTK_len;
2383	}
2384
2385	wpa_send_eapol(sm->wpa_auth, sm,
2386		       WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
2387		       WPA_KEY_INFO_ACK |
2388		       (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
2389		       rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1);
2390	if (sm->wpa == WPA_VERSION_WPA2)
2391		os_free(kde);
2392}
2393
2394
2395SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
2396{
2397	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
2398	sm->EAPOLKeyReceived = FALSE;
2399	if (sm->GUpdateStationKeys)
2400		sm->group->GKeyDoneStations--;
2401	sm->GUpdateStationKeys = FALSE;
2402	sm->GTimeoutCtr = 0;
2403	/* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
2404	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2405			 "group key handshake completed (%s)",
2406			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2407	sm->has_GTK = TRUE;
2408}
2409
2410
2411SM_STATE(WPA_PTK_GROUP, KEYERROR)
2412{
2413	SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
2414	if (sm->GUpdateStationKeys)
2415		sm->group->GKeyDoneStations--;
2416	sm->GUpdateStationKeys = FALSE;
2417	sm->Disconnect = TRUE;
2418}
2419
2420
2421SM_STEP(WPA_PTK_GROUP)
2422{
2423	if (sm->Init || sm->PtkGroupInit) {
2424		SM_ENTER(WPA_PTK_GROUP, IDLE);
2425		sm->PtkGroupInit = FALSE;
2426	} else switch (sm->wpa_ptk_group_state) {
2427	case WPA_PTK_GROUP_IDLE:
2428		if (sm->GUpdateStationKeys ||
2429		    (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
2430			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2431		break;
2432	case WPA_PTK_GROUP_REKEYNEGOTIATING:
2433		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2434		    !sm->EAPOLKeyPairwise && sm->MICVerified)
2435			SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
2436		else if (sm->GTimeoutCtr >
2437			 (int) dot11RSNAConfigGroupUpdateCount)
2438			SM_ENTER(WPA_PTK_GROUP, KEYERROR);
2439		else if (sm->TimeoutEvt)
2440			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2441		break;
2442	case WPA_PTK_GROUP_KEYERROR:
2443		SM_ENTER(WPA_PTK_GROUP, IDLE);
2444		break;
2445	case WPA_PTK_GROUP_REKEYESTABLISHED:
2446		SM_ENTER(WPA_PTK_GROUP, IDLE);
2447		break;
2448	}
2449}
2450
2451
2452static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
2453			  struct wpa_group *group)
2454{
2455	int ret = 0;
2456
2457	os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2458	inc_byte_array(group->Counter, WPA_NONCE_LEN);
2459	if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
2460			   wpa_auth->addr, group->GNonce,
2461			   group->GTK[group->GN - 1], group->GTK_len) < 0)
2462		ret = -1;
2463	wpa_hexdump_key(MSG_DEBUG, "GTK",
2464			group->GTK[group->GN - 1], group->GTK_len);
2465
2466#ifdef CONFIG_IEEE80211W
2467	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2468		size_t len;
2469		len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
2470		os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2471		inc_byte_array(group->Counter, WPA_NONCE_LEN);
2472		if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
2473				   wpa_auth->addr, group->GNonce,
2474				   group->IGTK[group->GN_igtk - 4], len) < 0)
2475			ret = -1;
2476		wpa_hexdump_key(MSG_DEBUG, "IGTK",
2477				group->IGTK[group->GN_igtk - 4], len);
2478	}
2479#endif /* CONFIG_IEEE80211W */
2480
2481	return ret;
2482}
2483
2484
2485static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
2486			       struct wpa_group *group)
2487{
2488	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2489		   "GTK_INIT (VLAN-ID %d)", group->vlan_id);
2490	group->changed = FALSE; /* GInit is not cleared here; avoid loop */
2491	group->wpa_group_state = WPA_GROUP_GTK_INIT;
2492
2493	/* GTK[0..N] = 0 */
2494	os_memset(group->GTK, 0, sizeof(group->GTK));
2495	group->GN = 1;
2496	group->GM = 2;
2497#ifdef CONFIG_IEEE80211W
2498	group->GN_igtk = 4;
2499	group->GM_igtk = 5;
2500#endif /* CONFIG_IEEE80211W */
2501	/* GTK[GN] = CalcGTK() */
2502	wpa_gtk_update(wpa_auth, group);
2503}
2504
2505
2506static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
2507{
2508	if (ctx != NULL && ctx != sm->group)
2509		return 0;
2510
2511	if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
2512		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2513				"Not in PTKINITDONE; skip Group Key update");
2514		sm->GUpdateStationKeys = FALSE;
2515		return 0;
2516	}
2517	if (sm->GUpdateStationKeys) {
2518		/*
2519		 * This should not really happen, so add a debug log entry.
2520		 * Since we clear the GKeyDoneStations before the loop, the
2521		 * station needs to be counted here anyway.
2522		 */
2523		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2524				"GUpdateStationKeys was already set when "
2525				"marking station for GTK rekeying");
2526	}
2527
2528	/* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
2529	if (sm->is_wnmsleep)
2530		return 0;
2531
2532	sm->group->GKeyDoneStations++;
2533	sm->GUpdateStationKeys = TRUE;
2534
2535	wpa_sm_step(sm);
2536	return 0;
2537}
2538
2539
2540#ifdef CONFIG_WNM
2541/* update GTK when exiting WNM-Sleep Mode */
2542void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
2543{
2544	if (sm == NULL || sm->is_wnmsleep)
2545		return;
2546
2547	wpa_group_update_sta(sm, NULL);
2548}
2549
2550
2551void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
2552{
2553	if (sm)
2554		sm->is_wnmsleep = !!flag;
2555}
2556
2557
2558int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2559{
2560	struct wpa_group *gsm = sm->group;
2561	u8 *start = pos;
2562
2563	/*
2564	 * GTK subelement:
2565	 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
2566	 * Key[5..32]
2567	 */
2568	*pos++ = WNM_SLEEP_SUBELEM_GTK;
2569	*pos++ = 11 + gsm->GTK_len;
2570	/* Key ID in B0-B1 of Key Info */
2571	WPA_PUT_LE16(pos, gsm->GN & 0x03);
2572	pos += 2;
2573	*pos++ = gsm->GTK_len;
2574	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
2575		return 0;
2576	pos += 8;
2577	os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2578	pos += gsm->GTK_len;
2579
2580	wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
2581		   gsm->GN);
2582	wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
2583			gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2584
2585	return pos - start;
2586}
2587
2588
2589#ifdef CONFIG_IEEE80211W
2590int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2591{
2592	struct wpa_group *gsm = sm->group;
2593	u8 *start = pos;
2594	size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2595
2596	/*
2597	 * IGTK subelement:
2598	 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
2599	 */
2600	*pos++ = WNM_SLEEP_SUBELEM_IGTK;
2601	*pos++ = 2 + 6 + len;
2602	WPA_PUT_LE16(pos, gsm->GN_igtk);
2603	pos += 2;
2604	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
2605		return 0;
2606	pos += 6;
2607
2608	os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
2609	pos += len;
2610
2611	wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
2612		   gsm->GN_igtk);
2613	wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
2614			gsm->IGTK[gsm->GN_igtk - 4], len);
2615
2616	return pos - start;
2617}
2618#endif /* CONFIG_IEEE80211W */
2619#endif /* CONFIG_WNM */
2620
2621
2622static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
2623			      struct wpa_group *group)
2624{
2625	int tmp;
2626
2627	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2628		   "SETKEYS (VLAN-ID %d)", group->vlan_id);
2629	group->changed = TRUE;
2630	group->wpa_group_state = WPA_GROUP_SETKEYS;
2631	group->GTKReKey = FALSE;
2632	tmp = group->GM;
2633	group->GM = group->GN;
2634	group->GN = tmp;
2635#ifdef CONFIG_IEEE80211W
2636	tmp = group->GM_igtk;
2637	group->GM_igtk = group->GN_igtk;
2638	group->GN_igtk = tmp;
2639#endif /* CONFIG_IEEE80211W */
2640	/* "GKeyDoneStations = GNoStations" is done in more robust way by
2641	 * counting the STAs that are marked with GUpdateStationKeys instead of
2642	 * including all STAs that could be in not-yet-completed state. */
2643	wpa_gtk_update(wpa_auth, group);
2644
2645	if (group->GKeyDoneStations) {
2646		wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
2647			   "GKeyDoneStations=%d when starting new GTK rekey",
2648			   group->GKeyDoneStations);
2649		group->GKeyDoneStations = 0;
2650	}
2651	wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
2652	wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
2653		   group->GKeyDoneStations);
2654}
2655
2656
2657static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
2658				       struct wpa_group *group)
2659{
2660	int ret = 0;
2661
2662	if (wpa_auth_set_key(wpa_auth, group->vlan_id,
2663			     wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
2664			     broadcast_ether_addr, group->GN,
2665			     group->GTK[group->GN - 1], group->GTK_len) < 0)
2666		ret = -1;
2667
2668#ifdef CONFIG_IEEE80211W
2669	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2670		enum wpa_alg alg;
2671		size_t len;
2672
2673		alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
2674		len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
2675
2676		if (ret == 0 &&
2677		    wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
2678				     broadcast_ether_addr, group->GN_igtk,
2679				     group->IGTK[group->GN_igtk - 4], len) < 0)
2680			ret = -1;
2681	}
2682#endif /* CONFIG_IEEE80211W */
2683
2684	return ret;
2685}
2686
2687
2688static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
2689{
2690	if (sm->group == ctx) {
2691		wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
2692			   " for discconnection due to fatal failure",
2693			   MAC2STR(sm->addr));
2694		sm->Disconnect = TRUE;
2695	}
2696
2697	return 0;
2698}
2699
2700
2701static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
2702				    struct wpa_group *group)
2703{
2704	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
2705	group->changed = TRUE;
2706	group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
2707	wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
2708}
2709
2710
2711static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
2712				 struct wpa_group *group)
2713{
2714	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2715		   "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
2716	group->changed = TRUE;
2717	group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
2718
2719	if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
2720		wpa_group_fatal_failure(wpa_auth, group);
2721		return -1;
2722	}
2723
2724	return 0;
2725}
2726
2727
2728static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
2729			      struct wpa_group *group)
2730{
2731	if (group->GInit) {
2732		wpa_group_gtk_init(wpa_auth, group);
2733	} else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
2734		/* Do not allow group operations */
2735	} else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
2736		   group->GTKAuthenticator) {
2737		wpa_group_setkeysdone(wpa_auth, group);
2738	} else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
2739		   group->GTKReKey) {
2740		wpa_group_setkeys(wpa_auth, group);
2741	} else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
2742		if (group->GKeyDoneStations == 0)
2743			wpa_group_setkeysdone(wpa_auth, group);
2744		else if (group->GTKReKey)
2745			wpa_group_setkeys(wpa_auth, group);
2746	}
2747}
2748
2749
2750static int wpa_sm_step(struct wpa_state_machine *sm)
2751{
2752	if (sm == NULL)
2753		return 0;
2754
2755	if (sm->in_step_loop) {
2756		/* This should not happen, but if it does, make sure we do not
2757		 * end up freeing the state machine too early by exiting the
2758		 * recursive call. */
2759		wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
2760		return 0;
2761	}
2762
2763	sm->in_step_loop = 1;
2764	do {
2765		if (sm->pending_deinit)
2766			break;
2767
2768		sm->changed = FALSE;
2769		sm->wpa_auth->group->changed = FALSE;
2770
2771		SM_STEP_RUN(WPA_PTK);
2772		if (sm->pending_deinit)
2773			break;
2774		SM_STEP_RUN(WPA_PTK_GROUP);
2775		if (sm->pending_deinit)
2776			break;
2777		wpa_group_sm_step(sm->wpa_auth, sm->group);
2778	} while (sm->changed || sm->wpa_auth->group->changed);
2779	sm->in_step_loop = 0;
2780
2781	if (sm->pending_deinit) {
2782		wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
2783			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
2784		wpa_free_sta_sm(sm);
2785		return 1;
2786	}
2787	return 0;
2788}
2789
2790
2791static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
2792{
2793	struct wpa_state_machine *sm = eloop_ctx;
2794	wpa_sm_step(sm);
2795}
2796
2797
2798void wpa_auth_sm_notify(struct wpa_state_machine *sm)
2799{
2800	if (sm == NULL)
2801		return;
2802	eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
2803}
2804
2805
2806void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
2807{
2808	int tmp, i;
2809	struct wpa_group *group;
2810
2811	if (wpa_auth == NULL)
2812		return;
2813
2814	group = wpa_auth->group;
2815
2816	for (i = 0; i < 2; i++) {
2817		tmp = group->GM;
2818		group->GM = group->GN;
2819		group->GN = tmp;
2820#ifdef CONFIG_IEEE80211W
2821		tmp = group->GM_igtk;
2822		group->GM_igtk = group->GN_igtk;
2823		group->GN_igtk = tmp;
2824#endif /* CONFIG_IEEE80211W */
2825		wpa_gtk_update(wpa_auth, group);
2826		wpa_group_config_group_keys(wpa_auth, group);
2827	}
2828}
2829
2830
2831static const char * wpa_bool_txt(int bool)
2832{
2833	return bool ? "TRUE" : "FALSE";
2834}
2835
2836
2837#define RSN_SUITE "%02x-%02x-%02x-%d"
2838#define RSN_SUITE_ARG(s) \
2839((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2840
2841int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
2842{
2843	int len = 0, ret;
2844	char pmkid_txt[PMKID_LEN * 2 + 1];
2845#ifdef CONFIG_RSN_PREAUTH
2846	const int preauth = 1;
2847#else /* CONFIG_RSN_PREAUTH */
2848	const int preauth = 0;
2849#endif /* CONFIG_RSN_PREAUTH */
2850
2851	if (wpa_auth == NULL)
2852		return len;
2853
2854	ret = os_snprintf(buf + len, buflen - len,
2855			  "dot11RSNAOptionImplemented=TRUE\n"
2856			  "dot11RSNAPreauthenticationImplemented=%s\n"
2857			  "dot11RSNAEnabled=%s\n"
2858			  "dot11RSNAPreauthenticationEnabled=%s\n",
2859			  wpa_bool_txt(preauth),
2860			  wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
2861			  wpa_bool_txt(wpa_auth->conf.rsn_preauth));
2862	if (ret < 0 || (size_t) ret >= buflen - len)
2863		return len;
2864	len += ret;
2865
2866	wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2867			 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
2868
2869	ret = os_snprintf(
2870		buf + len, buflen - len,
2871		"dot11RSNAConfigVersion=%u\n"
2872		"dot11RSNAConfigPairwiseKeysSupported=9999\n"
2873		/* FIX: dot11RSNAConfigGroupCipher */
2874		/* FIX: dot11RSNAConfigGroupRekeyMethod */
2875		/* FIX: dot11RSNAConfigGroupRekeyTime */
2876		/* FIX: dot11RSNAConfigGroupRekeyPackets */
2877		"dot11RSNAConfigGroupRekeyStrict=%u\n"
2878		"dot11RSNAConfigGroupUpdateCount=%u\n"
2879		"dot11RSNAConfigPairwiseUpdateCount=%u\n"
2880		"dot11RSNAConfigGroupCipherSize=%u\n"
2881		"dot11RSNAConfigPMKLifetime=%u\n"
2882		"dot11RSNAConfigPMKReauthThreshold=%u\n"
2883		"dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
2884		"dot11RSNAConfigSATimeout=%u\n"
2885		"dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2886		"dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2887		"dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2888		"dot11RSNAPMKIDUsed=%s\n"
2889		"dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2890		"dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2891		"dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2892		"dot11RSNATKIPCounterMeasuresInvoked=%u\n"
2893		"dot11RSNA4WayHandshakeFailures=%u\n"
2894		"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
2895		RSN_VERSION,
2896		!!wpa_auth->conf.wpa_strict_rekey,
2897		dot11RSNAConfigGroupUpdateCount,
2898		dot11RSNAConfigPairwiseUpdateCount,
2899		wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
2900		dot11RSNAConfigPMKLifetime,
2901		dot11RSNAConfigPMKReauthThreshold,
2902		dot11RSNAConfigSATimeout,
2903		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
2904		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
2905		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
2906		pmkid_txt,
2907		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
2908		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
2909		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
2910		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
2911		wpa_auth->dot11RSNA4WayHandshakeFailures);
2912	if (ret < 0 || (size_t) ret >= buflen - len)
2913		return len;
2914	len += ret;
2915
2916	/* TODO: dot11RSNAConfigPairwiseCiphersTable */
2917	/* TODO: dot11RSNAConfigAuthenticationSuitesTable */
2918
2919	/* Private MIB */
2920	ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
2921			  wpa_auth->group->wpa_group_state);
2922	if (ret < 0 || (size_t) ret >= buflen - len)
2923		return len;
2924	len += ret;
2925
2926	return len;
2927}
2928
2929
2930int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
2931{
2932	int len = 0, ret;
2933	u32 pairwise = 0;
2934
2935	if (sm == NULL)
2936		return 0;
2937
2938	/* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
2939
2940	/* dot11RSNAStatsEntry */
2941
2942	pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
2943				       WPA_PROTO_RSN : WPA_PROTO_WPA,
2944				       sm->pairwise);
2945	if (pairwise == 0)
2946		return 0;
2947
2948	ret = os_snprintf(
2949		buf + len, buflen - len,
2950		/* TODO: dot11RSNAStatsIndex */
2951		"dot11RSNAStatsSTAAddress=" MACSTR "\n"
2952		"dot11RSNAStatsVersion=1\n"
2953		"dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
2954		/* TODO: dot11RSNAStatsTKIPICVErrors */
2955		"dot11RSNAStatsTKIPLocalMICFailures=%u\n"
2956		"dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
2957		/* TODO: dot11RSNAStatsCCMPReplays */
2958		/* TODO: dot11RSNAStatsCCMPDecryptErrors */
2959		/* TODO: dot11RSNAStatsTKIPReplays */,
2960		MAC2STR(sm->addr),
2961		RSN_SUITE_ARG(pairwise),
2962		sm->dot11RSNAStatsTKIPLocalMICFailures,
2963		sm->dot11RSNAStatsTKIPRemoteMICFailures);
2964	if (ret < 0 || (size_t) ret >= buflen - len)
2965		return len;
2966	len += ret;
2967
2968	/* Private MIB */
2969	ret = os_snprintf(buf + len, buflen - len,
2970			  "hostapdWPAPTKState=%d\n"
2971			  "hostapdWPAPTKGroupState=%d\n",
2972			  sm->wpa_ptk_state,
2973			  sm->wpa_ptk_group_state);
2974	if (ret < 0 || (size_t) ret >= buflen - len)
2975		return len;
2976	len += ret;
2977
2978	return len;
2979}
2980
2981
2982void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
2983{
2984	if (wpa_auth)
2985		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
2986}
2987
2988
2989int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
2990{
2991	return sm && sm->pairwise_set;
2992}
2993
2994
2995int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
2996{
2997	return sm->pairwise;
2998}
2999
3000
3001int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3002{
3003	if (sm == NULL)
3004		return -1;
3005	return sm->wpa_key_mgmt;
3006}
3007
3008
3009int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3010{
3011	if (sm == NULL)
3012		return 0;
3013	return sm->wpa;
3014}
3015
3016
3017int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3018			     struct rsn_pmksa_cache_entry *entry)
3019{
3020	if (sm == NULL || sm->pmksa != entry)
3021		return -1;
3022	sm->pmksa = NULL;
3023	return 0;
3024}
3025
3026
3027struct rsn_pmksa_cache_entry *
3028wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3029{
3030	return sm ? sm->pmksa : NULL;
3031}
3032
3033
3034void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3035{
3036	if (sm)
3037		sm->dot11RSNAStatsTKIPLocalMICFailures++;
3038}
3039
3040
3041const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3042{
3043	if (wpa_auth == NULL)
3044		return NULL;
3045	*len = wpa_auth->wpa_ie_len;
3046	return wpa_auth->wpa_ie;
3047}
3048
3049
3050int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
3051		       int session_timeout, struct eapol_state_machine *eapol)
3052{
3053	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3054	    sm->wpa_auth->conf.disable_pmksa_caching)
3055		return -1;
3056
3057	if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
3058				 sm->wpa_auth->addr, sm->addr, session_timeout,
3059				 eapol, sm->wpa_key_mgmt))
3060		return 0;
3061
3062	return -1;
3063}
3064
3065
3066int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
3067			       const u8 *pmk, size_t len, const u8 *sta_addr,
3068			       int session_timeout,
3069			       struct eapol_state_machine *eapol)
3070{
3071	if (wpa_auth == NULL)
3072		return -1;
3073
3074	if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr,
3075				 sta_addr, session_timeout, eapol,
3076				 WPA_KEY_MGMT_IEEE8021X))
3077		return 0;
3078
3079	return -1;
3080}
3081
3082
3083void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
3084			   const u8 *sta_addr)
3085{
3086	struct rsn_pmksa_cache_entry *pmksa;
3087
3088	if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
3089		return;
3090	pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
3091	if (pmksa) {
3092		wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
3093			   MACSTR " based on request", MAC2STR(sta_addr));
3094		pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
3095	}
3096}
3097
3098
3099static struct wpa_group *
3100wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3101{
3102	struct wpa_group *group;
3103
3104	if (wpa_auth == NULL || wpa_auth->group == NULL)
3105		return NULL;
3106
3107	wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
3108		   vlan_id);
3109	group = wpa_group_init(wpa_auth, vlan_id, 0);
3110	if (group == NULL)
3111		return NULL;
3112
3113	group->next = wpa_auth->group->next;
3114	wpa_auth->group->next = group;
3115
3116	return group;
3117}
3118
3119
3120int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
3121{
3122	struct wpa_group *group;
3123
3124	if (sm == NULL || sm->wpa_auth == NULL)
3125		return 0;
3126
3127	group = sm->wpa_auth->group;
3128	while (group) {
3129		if (group->vlan_id == vlan_id)
3130			break;
3131		group = group->next;
3132	}
3133
3134	if (group == NULL) {
3135		group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
3136		if (group == NULL)
3137			return -1;
3138	}
3139
3140	if (sm->group == group)
3141		return 0;
3142
3143	if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
3144		return -1;
3145
3146	wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
3147		   "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
3148
3149	sm->group = group;
3150	return 0;
3151}
3152
3153
3154void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
3155				  struct wpa_state_machine *sm, int ack)
3156{
3157	if (wpa_auth == NULL || sm == NULL)
3158		return;
3159	wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
3160		   " ack=%d", MAC2STR(sm->addr), ack);
3161	if (sm->pending_1_of_4_timeout && ack) {
3162		/*
3163		 * Some deployed supplicant implementations update their SNonce
3164		 * for each EAPOL-Key 2/4 message even within the same 4-way
3165		 * handshake and then fail to use the first SNonce when
3166		 * deriving the PTK. This results in unsuccessful 4-way
3167		 * handshake whenever the relatively short initial timeout is
3168		 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
3169		 * around this by increasing the timeout now that we know that
3170		 * the station has received the frame.
3171		 */
3172		int timeout_ms = eapol_key_timeout_subseq;
3173		wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
3174			   "timeout by %u ms because of acknowledged frame",
3175			   timeout_ms);
3176		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
3177		eloop_register_timeout(timeout_ms / 1000,
3178				       (timeout_ms % 1000) * 1000,
3179				       wpa_send_eapol_timeout, wpa_auth, sm);
3180	}
3181}
3182
3183
3184int wpa_auth_uses_sae(struct wpa_state_machine *sm)
3185{
3186	if (sm == NULL)
3187		return 0;
3188	return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
3189}
3190
3191
3192int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
3193{
3194	if (sm == NULL)
3195		return 0;
3196	return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
3197}
3198
3199
3200#ifdef CONFIG_P2P
3201int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
3202{
3203	if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
3204		return -1;
3205	os_memcpy(addr, sm->ip_addr, 4);
3206	return 0;
3207}
3208#endif /* CONFIG_P2P */
3209