wpa_auth.c revision d80a401aed31d06f261efd19223cf55d1a2a8228
1/*
2 * IEEE 802.11 RSN / WPA Authenticator
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "utils/includes.h"
10
11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
14#include "utils/bitfield.h"
15#include "common/ieee802_11_defs.h"
16#include "crypto/aes_wrap.h"
17#include "crypto/crypto.h"
18#include "crypto/sha1.h"
19#include "crypto/sha256.h"
20#include "crypto/random.h"
21#include "eapol_auth/eapol_auth_sm.h"
22#include "ap_config.h"
23#include "ieee802_11.h"
24#include "wpa_auth.h"
25#include "pmksa_cache_auth.h"
26#include "wpa_auth_i.h"
27#include "wpa_auth_ie.h"
28
29#define STATE_MACHINE_DATA struct wpa_state_machine
30#define STATE_MACHINE_DEBUG_PREFIX "WPA"
31#define STATE_MACHINE_ADDR sm->addr
32
33
34static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
35static int wpa_sm_step(struct wpa_state_machine *sm);
36static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
37			      size_t data_len);
38static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
39static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
40			      struct wpa_group *group);
41static void wpa_request_new_ptk(struct wpa_state_machine *sm);
42static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
43			  struct wpa_group *group);
44static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
45				       struct wpa_group *group);
46static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
47			  const u8 *pmk, unsigned int pmk_len,
48			  struct wpa_ptk *ptk);
49static void wpa_group_free(struct wpa_authenticator *wpa_auth,
50			   struct wpa_group *group);
51static void wpa_group_get(struct wpa_authenticator *wpa_auth,
52			  struct wpa_group *group);
53static void wpa_group_put(struct wpa_authenticator *wpa_auth,
54			  struct wpa_group *group);
55
56static const u32 dot11RSNAConfigGroupUpdateCount = 4;
57static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
58static const u32 eapol_key_timeout_first = 100; /* ms */
59static const u32 eapol_key_timeout_subseq = 1000; /* ms */
60static const u32 eapol_key_timeout_first_group = 500; /* ms */
61
62/* TODO: make these configurable */
63static const int dot11RSNAConfigPMKLifetime = 43200;
64static const int dot11RSNAConfigPMKReauthThreshold = 70;
65static const int dot11RSNAConfigSATimeout = 60;
66
67
68static inline int wpa_auth_mic_failure_report(
69	struct wpa_authenticator *wpa_auth, const u8 *addr)
70{
71	if (wpa_auth->cb.mic_failure_report)
72		return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
73	return 0;
74}
75
76
77static inline void wpa_auth_psk_failure_report(
78	struct wpa_authenticator *wpa_auth, const u8 *addr)
79{
80	if (wpa_auth->cb.psk_failure_report)
81		wpa_auth->cb.psk_failure_report(wpa_auth->cb.ctx, addr);
82}
83
84
85static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
86				      const u8 *addr, wpa_eapol_variable var,
87				      int value)
88{
89	if (wpa_auth->cb.set_eapol)
90		wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
91}
92
93
94static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
95				     const u8 *addr, wpa_eapol_variable var)
96{
97	if (wpa_auth->cb.get_eapol == NULL)
98		return -1;
99	return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
100}
101
102
103static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
104					  const u8 *addr,
105					  const u8 *p2p_dev_addr,
106					  const u8 *prev_psk)
107{
108	if (wpa_auth->cb.get_psk == NULL)
109		return NULL;
110	return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr,
111				    prev_psk);
112}
113
114
115static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
116				   const u8 *addr, u8 *msk, size_t *len)
117{
118	if (wpa_auth->cb.get_msk == NULL)
119		return -1;
120	return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
121}
122
123
124static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
125				   int vlan_id,
126				   enum wpa_alg alg, const u8 *addr, int idx,
127				   u8 *key, size_t key_len)
128{
129	if (wpa_auth->cb.set_key == NULL)
130		return -1;
131	return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
132				    key, key_len);
133}
134
135
136static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
137				      const u8 *addr, int idx, u8 *seq)
138{
139	if (wpa_auth->cb.get_seqnum == NULL)
140		return -1;
141	return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
142}
143
144
145static inline int
146wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
147		    const u8 *data, size_t data_len, int encrypt)
148{
149	if (wpa_auth->cb.send_eapol == NULL)
150		return -1;
151	return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
152				       encrypt);
153}
154
155
156#ifdef CONFIG_MESH
157static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
158				      const u8 *addr)
159{
160	if (wpa_auth->cb.start_ampe == NULL)
161		return -1;
162	return wpa_auth->cb.start_ampe(wpa_auth->cb.ctx, addr);
163}
164#endif /* CONFIG_MESH */
165
166
167int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
168			  int (*cb)(struct wpa_state_machine *sm, void *ctx),
169			  void *cb_ctx)
170{
171	if (wpa_auth->cb.for_each_sta == NULL)
172		return 0;
173	return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
174}
175
176
177int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
178			   int (*cb)(struct wpa_authenticator *a, void *ctx),
179			   void *cb_ctx)
180{
181	if (wpa_auth->cb.for_each_auth == NULL)
182		return 0;
183	return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
184}
185
186
187void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
188		     logger_level level, const char *txt)
189{
190	if (wpa_auth->cb.logger == NULL)
191		return;
192	wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
193}
194
195
196void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
197		      logger_level level, const char *fmt, ...)
198{
199	char *format;
200	int maxlen;
201	va_list ap;
202
203	if (wpa_auth->cb.logger == NULL)
204		return;
205
206	maxlen = os_strlen(fmt) + 100;
207	format = os_malloc(maxlen);
208	if (!format)
209		return;
210
211	va_start(ap, fmt);
212	vsnprintf(format, maxlen, fmt, ap);
213	va_end(ap);
214
215	wpa_auth_logger(wpa_auth, addr, level, format);
216
217	os_free(format);
218}
219
220
221static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
222			       const u8 *addr)
223{
224	if (wpa_auth->cb.disconnect == NULL)
225		return;
226	wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
227	wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
228				WLAN_REASON_PREV_AUTH_NOT_VALID);
229}
230
231
232static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
233{
234	int ret = 0;
235#ifdef CONFIG_IEEE80211R
236	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
237		ret = 1;
238#endif /* CONFIG_IEEE80211R */
239#ifdef CONFIG_IEEE80211W
240	if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
241		ret = 1;
242#endif /* CONFIG_IEEE80211W */
243	if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
244		ret = 1;
245	return ret;
246}
247
248
249static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
250{
251	struct wpa_authenticator *wpa_auth = eloop_ctx;
252
253	if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
254		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
255			   "initialization.");
256	} else {
257		wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
258		wpa_hexdump_key(MSG_DEBUG, "GMK",
259				wpa_auth->group->GMK, WPA_GMK_LEN);
260	}
261
262	if (wpa_auth->conf.wpa_gmk_rekey) {
263		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
264				       wpa_rekey_gmk, wpa_auth, NULL);
265	}
266}
267
268
269static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
270{
271	struct wpa_authenticator *wpa_auth = eloop_ctx;
272	struct wpa_group *group, *next;
273
274	wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
275	group = wpa_auth->group;
276	while (group) {
277		wpa_group_get(wpa_auth, group);
278
279		group->GTKReKey = TRUE;
280		do {
281			group->changed = FALSE;
282			wpa_group_sm_step(wpa_auth, group);
283		} while (group->changed);
284
285		next = group->next;
286		wpa_group_put(wpa_auth, group);
287		group = next;
288	}
289
290	if (wpa_auth->conf.wpa_group_rekey) {
291		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
292				       0, wpa_rekey_gtk, wpa_auth, NULL);
293	}
294}
295
296
297static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
298{
299	struct wpa_authenticator *wpa_auth = eloop_ctx;
300	struct wpa_state_machine *sm = timeout_ctx;
301
302	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
303	wpa_request_new_ptk(sm);
304	wpa_sm_step(sm);
305}
306
307
308static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
309{
310	if (sm->pmksa == ctx)
311		sm->pmksa = NULL;
312	return 0;
313}
314
315
316static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
317				   void *ctx)
318{
319	struct wpa_authenticator *wpa_auth = ctx;
320	wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
321}
322
323
324static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
325					  struct wpa_group *group)
326{
327	u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
328	u8 rkey[32];
329	unsigned long ptr;
330
331	if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
332		return -1;
333	wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
334
335	/*
336	 * Counter = PRF-256(Random number, "Init Counter",
337	 *                   Local MAC Address || Time)
338	 */
339	os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
340	wpa_get_ntp_timestamp(buf + ETH_ALEN);
341	ptr = (unsigned long) group;
342	os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
343	if (random_get_bytes(rkey, sizeof(rkey)) < 0)
344		return -1;
345
346	if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
347		     group->Counter, WPA_NONCE_LEN) < 0)
348		return -1;
349	wpa_hexdump_key(MSG_DEBUG, "Key Counter",
350			group->Counter, WPA_NONCE_LEN);
351
352	return 0;
353}
354
355
356static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
357					 int vlan_id, int delay_init)
358{
359	struct wpa_group *group;
360
361	group = os_zalloc(sizeof(struct wpa_group));
362	if (group == NULL)
363		return NULL;
364
365	group->GTKAuthenticator = TRUE;
366	group->vlan_id = vlan_id;
367	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
368
369	if (random_pool_ready() != 1) {
370		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
371			   "for secure operations - update keys later when "
372			   "the first station connects");
373	}
374
375	/*
376	 * Set initial GMK/Counter value here. The actual values that will be
377	 * used in negotiations will be set once the first station tries to
378	 * connect. This allows more time for collecting additional randomness
379	 * on embedded devices.
380	 */
381	if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
382		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
383			   "initialization.");
384		os_free(group);
385		return NULL;
386	}
387
388	group->GInit = TRUE;
389	if (delay_init) {
390		wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
391			   "until Beacon frames have been configured");
392		/* Initialization is completed in wpa_init_keys(). */
393	} else {
394		wpa_group_sm_step(wpa_auth, group);
395		group->GInit = FALSE;
396		wpa_group_sm_step(wpa_auth, group);
397	}
398
399	return group;
400}
401
402
403/**
404 * wpa_init - Initialize WPA authenticator
405 * @addr: Authenticator address
406 * @conf: Configuration for WPA authenticator
407 * @cb: Callback functions for WPA authenticator
408 * Returns: Pointer to WPA authenticator data or %NULL on failure
409 */
410struct wpa_authenticator * wpa_init(const u8 *addr,
411				    struct wpa_auth_config *conf,
412				    struct wpa_auth_callbacks *cb)
413{
414	struct wpa_authenticator *wpa_auth;
415
416	wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
417	if (wpa_auth == NULL)
418		return NULL;
419	os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
420	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
421	os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
422
423	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
424		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
425		os_free(wpa_auth);
426		return NULL;
427	}
428
429	wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
430	if (wpa_auth->group == NULL) {
431		os_free(wpa_auth->wpa_ie);
432		os_free(wpa_auth);
433		return NULL;
434	}
435
436	wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
437						wpa_auth);
438	if (wpa_auth->pmksa == NULL) {
439		wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
440		os_free(wpa_auth->group);
441		os_free(wpa_auth->wpa_ie);
442		os_free(wpa_auth);
443		return NULL;
444	}
445
446#ifdef CONFIG_IEEE80211R
447	wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
448	if (wpa_auth->ft_pmk_cache == NULL) {
449		wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
450		os_free(wpa_auth->group);
451		os_free(wpa_auth->wpa_ie);
452		pmksa_cache_auth_deinit(wpa_auth->pmksa);
453		os_free(wpa_auth);
454		return NULL;
455	}
456#endif /* CONFIG_IEEE80211R */
457
458	if (wpa_auth->conf.wpa_gmk_rekey) {
459		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
460				       wpa_rekey_gmk, wpa_auth, NULL);
461	}
462
463	if (wpa_auth->conf.wpa_group_rekey) {
464		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
465				       wpa_rekey_gtk, wpa_auth, NULL);
466	}
467
468#ifdef CONFIG_P2P
469	if (WPA_GET_BE32(conf->ip_addr_start)) {
470		int count = WPA_GET_BE32(conf->ip_addr_end) -
471			WPA_GET_BE32(conf->ip_addr_start) + 1;
472		if (count > 1000)
473			count = 1000;
474		if (count > 0)
475			wpa_auth->ip_pool = bitfield_alloc(count);
476	}
477#endif /* CONFIG_P2P */
478
479	return wpa_auth;
480}
481
482
483int wpa_init_keys(struct wpa_authenticator *wpa_auth)
484{
485	struct wpa_group *group = wpa_auth->group;
486
487	wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
488		   "keys");
489	wpa_group_sm_step(wpa_auth, group);
490	group->GInit = FALSE;
491	wpa_group_sm_step(wpa_auth, group);
492	if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
493		return -1;
494	return 0;
495}
496
497
498/**
499 * wpa_deinit - Deinitialize WPA authenticator
500 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
501 */
502void wpa_deinit(struct wpa_authenticator *wpa_auth)
503{
504	struct wpa_group *group, *prev;
505
506	eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
507	eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
508
509#ifdef CONFIG_PEERKEY
510	while (wpa_auth->stsl_negotiations)
511		wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
512#endif /* CONFIG_PEERKEY */
513
514	pmksa_cache_auth_deinit(wpa_auth->pmksa);
515
516#ifdef CONFIG_IEEE80211R
517	wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
518	wpa_auth->ft_pmk_cache = NULL;
519#endif /* CONFIG_IEEE80211R */
520
521#ifdef CONFIG_P2P
522	bitfield_free(wpa_auth->ip_pool);
523#endif /* CONFIG_P2P */
524
525
526	os_free(wpa_auth->wpa_ie);
527
528	group = wpa_auth->group;
529	while (group) {
530		prev = group;
531		group = group->next;
532		os_free(prev);
533	}
534
535	os_free(wpa_auth);
536}
537
538
539/**
540 * wpa_reconfig - Update WPA authenticator configuration
541 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
542 * @conf: Configuration for WPA authenticator
543 */
544int wpa_reconfig(struct wpa_authenticator *wpa_auth,
545		 struct wpa_auth_config *conf)
546{
547	struct wpa_group *group;
548	if (wpa_auth == NULL)
549		return 0;
550
551	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
552	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
553		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
554		return -1;
555	}
556
557	/*
558	 * Reinitialize GTK to make sure it is suitable for the new
559	 * configuration.
560	 */
561	group = wpa_auth->group;
562	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
563	group->GInit = TRUE;
564	wpa_group_sm_step(wpa_auth, group);
565	group->GInit = FALSE;
566	wpa_group_sm_step(wpa_auth, group);
567
568	return 0;
569}
570
571
572struct wpa_state_machine *
573wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
574		  const u8 *p2p_dev_addr)
575{
576	struct wpa_state_machine *sm;
577
578	if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
579		return NULL;
580
581	sm = os_zalloc(sizeof(struct wpa_state_machine));
582	if (sm == NULL)
583		return NULL;
584	os_memcpy(sm->addr, addr, ETH_ALEN);
585	if (p2p_dev_addr)
586		os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
587
588	sm->wpa_auth = wpa_auth;
589	sm->group = wpa_auth->group;
590	wpa_group_get(sm->wpa_auth, sm->group);
591
592	return sm;
593}
594
595
596int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
597			    struct wpa_state_machine *sm)
598{
599	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
600		return -1;
601
602#ifdef CONFIG_IEEE80211R
603	if (sm->ft_completed) {
604		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
605				"FT authentication already completed - do not "
606				"start 4-way handshake");
607		/* Go to PTKINITDONE state to allow GTK rekeying */
608		sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
609		return 0;
610	}
611#endif /* CONFIG_IEEE80211R */
612
613	if (sm->started) {
614		os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
615		sm->ReAuthenticationRequest = TRUE;
616		return wpa_sm_step(sm);
617	}
618
619	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
620			"start authentication");
621	sm->started = 1;
622
623	sm->Init = TRUE;
624	if (wpa_sm_step(sm) == 1)
625		return 1; /* should not really happen */
626	sm->Init = FALSE;
627	sm->AuthenticationRequest = TRUE;
628	return wpa_sm_step(sm);
629}
630
631
632void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
633{
634	/* WPA/RSN was not used - clear WPA state. This is needed if the STA
635	 * reassociates back to the same AP while the previous entry for the
636	 * STA has not yet been removed. */
637	if (sm == NULL)
638		return;
639
640	sm->wpa_key_mgmt = 0;
641}
642
643
644static void wpa_free_sta_sm(struct wpa_state_machine *sm)
645{
646#ifdef CONFIG_P2P
647	if (WPA_GET_BE32(sm->ip_addr)) {
648		u32 start;
649		wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
650			   "address %u.%u.%u.%u from " MACSTR,
651			   sm->ip_addr[0], sm->ip_addr[1],
652			   sm->ip_addr[2], sm->ip_addr[3],
653			   MAC2STR(sm->addr));
654		start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
655		bitfield_clear(sm->wpa_auth->ip_pool,
656			       WPA_GET_BE32(sm->ip_addr) - start);
657	}
658#endif /* CONFIG_P2P */
659	if (sm->GUpdateStationKeys) {
660		sm->group->GKeyDoneStations--;
661		sm->GUpdateStationKeys = FALSE;
662	}
663#ifdef CONFIG_IEEE80211R
664	os_free(sm->assoc_resp_ftie);
665	wpabuf_free(sm->ft_pending_req_ies);
666#endif /* CONFIG_IEEE80211R */
667	os_free(sm->last_rx_eapol_key);
668	os_free(sm->wpa_ie);
669	wpa_group_put(sm->wpa_auth, sm->group);
670	os_free(sm);
671}
672
673
674void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
675{
676	if (sm == NULL)
677		return;
678
679	if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
680		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
681				"strict rekeying - force GTK rekey since STA "
682				"is leaving");
683		eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
684		eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
685				       NULL);
686	}
687
688	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
689	sm->pending_1_of_4_timeout = 0;
690	eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
691	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
692	if (sm->in_step_loop) {
693		/* Must not free state machine while wpa_sm_step() is running.
694		 * Freeing will be completed in the end of wpa_sm_step(). */
695		wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
696			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
697		sm->pending_deinit = 1;
698	} else
699		wpa_free_sta_sm(sm);
700}
701
702
703static void wpa_request_new_ptk(struct wpa_state_machine *sm)
704{
705	if (sm == NULL)
706		return;
707
708	sm->PTKRequest = TRUE;
709	sm->PTK_valid = 0;
710}
711
712
713static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
714				    const u8 *replay_counter)
715{
716	int i;
717	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
718		if (!ctr[i].valid)
719			break;
720		if (os_memcmp(replay_counter, ctr[i].counter,
721			      WPA_REPLAY_COUNTER_LEN) == 0)
722			return 1;
723	}
724	return 0;
725}
726
727
728static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
729					    const u8 *replay_counter)
730{
731	int i;
732	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
733		if (ctr[i].valid &&
734		    (replay_counter == NULL ||
735		     os_memcmp(replay_counter, ctr[i].counter,
736			       WPA_REPLAY_COUNTER_LEN) == 0))
737			ctr[i].valid = FALSE;
738	}
739}
740
741
742#ifdef CONFIG_IEEE80211R
743static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
744			       struct wpa_state_machine *sm,
745			       struct wpa_eapol_ie_parse *kde)
746{
747	struct wpa_ie_data ie;
748	struct rsn_mdie *mdie;
749
750	if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
751	    ie.num_pmkid != 1 || ie.pmkid == NULL) {
752		wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
753			   "FT 4-way handshake message 2/4");
754		return -1;
755	}
756
757	os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
758	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
759		    sm->sup_pmk_r1_name, PMKID_LEN);
760
761	if (!kde->mdie || !kde->ftie) {
762		wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
763			   "message 2/4", kde->mdie ? "FTIE" : "MDIE");
764		return -1;
765	}
766
767	mdie = (struct rsn_mdie *) (kde->mdie + 2);
768	if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
769	    os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
770		      MOBILITY_DOMAIN_ID_LEN) != 0) {
771		wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
772		return -1;
773	}
774
775	if (sm->assoc_resp_ftie &&
776	    (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
777	     os_memcmp(kde->ftie, sm->assoc_resp_ftie,
778		       2 + sm->assoc_resp_ftie[1]) != 0)) {
779		wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
780		wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
781			    kde->ftie, kde->ftie_len);
782		wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
783			    sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
784		return -1;
785	}
786
787	return 0;
788}
789#endif /* CONFIG_IEEE80211R */
790
791
792static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
793				    struct wpa_state_machine *sm, int group)
794{
795	/* Supplicant reported a Michael MIC error */
796	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
797			 "received EAPOL-Key Error Request "
798			 "(STA detected Michael MIC failure (group=%d))",
799			 group);
800
801	if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
802		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
803				"ignore Michael MIC failure report since "
804				"group cipher is not TKIP");
805	} else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
806		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
807				"ignore Michael MIC failure report since "
808				"pairwise cipher is not TKIP");
809	} else {
810		if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
811			return 1; /* STA entry was removed */
812		sm->dot11RSNAStatsTKIPRemoteMICFailures++;
813		wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
814	}
815
816	/*
817	 * Error report is not a request for a new key handshake, but since
818	 * Authenticator may do it, let's change the keys now anyway.
819	 */
820	wpa_request_new_ptk(sm);
821	return 0;
822}
823
824
825static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
826			      size_t data_len)
827{
828	struct wpa_ptk PTK;
829	int ok = 0;
830	const u8 *pmk = NULL;
831	unsigned int pmk_len;
832
833	for (;;) {
834		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
835			pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
836					       sm->p2p_dev_addr, pmk);
837			if (pmk == NULL)
838				break;
839			pmk_len = PMK_LEN;
840		} else {
841			pmk = sm->PMK;
842			pmk_len = sm->pmk_len;
843		}
844
845		wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK);
846
847		if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len)
848		    == 0) {
849			ok = 1;
850			break;
851		}
852
853		if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
854			break;
855	}
856
857	if (!ok) {
858		wpa_printf(MSG_DEBUG,
859			   "WPA: Earlier SNonce did not result in matching MIC");
860		return -1;
861	}
862
863	wpa_printf(MSG_DEBUG,
864		   "WPA: Earlier SNonce resulted in matching MIC");
865	sm->alt_snonce_valid = 0;
866	os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
867	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
868	sm->PTK_valid = TRUE;
869
870	return 0;
871}
872
873
874void wpa_receive(struct wpa_authenticator *wpa_auth,
875		 struct wpa_state_machine *sm,
876		 u8 *data, size_t data_len)
877{
878	struct ieee802_1x_hdr *hdr;
879	struct wpa_eapol_key *key;
880	struct wpa_eapol_key_192 *key192;
881	u16 key_info, key_data_length;
882	enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
883	       SMK_M1, SMK_M3, SMK_ERROR } msg;
884	char *msgtxt;
885	struct wpa_eapol_ie_parse kde;
886	int ft;
887	const u8 *eapol_key_ie, *key_data;
888	size_t eapol_key_ie_len, keyhdrlen, mic_len;
889
890	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
891		return;
892
893	mic_len = wpa_mic_len(sm->wpa_key_mgmt);
894	keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key);
895
896	if (data_len < sizeof(*hdr) + keyhdrlen)
897		return;
898
899	hdr = (struct ieee802_1x_hdr *) data;
900	key = (struct wpa_eapol_key *) (hdr + 1);
901	key192 = (struct wpa_eapol_key_192 *) (hdr + 1);
902	key_info = WPA_GET_BE16(key->key_info);
903	if (mic_len == 24) {
904		key_data = (const u8 *) (key192 + 1);
905		key_data_length = WPA_GET_BE16(key192->key_data_length);
906	} else {
907		key_data = (const u8 *) (key + 1);
908		key_data_length = WPA_GET_BE16(key->key_data_length);
909	}
910	wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
911		   " key_info=0x%x type=%u key_data_length=%u",
912		   MAC2STR(sm->addr), key_info, key->type, key_data_length);
913	if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
914		wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
915			   "key_data overflow (%d > %lu)",
916			   key_data_length,
917			   (unsigned long) (data_len - sizeof(*hdr) -
918					    keyhdrlen));
919		return;
920	}
921
922	if (sm->wpa == WPA_VERSION_WPA2) {
923		if (key->type == EAPOL_KEY_TYPE_WPA) {
924			/*
925			 * Some deployed station implementations seem to send
926			 * msg 4/4 with incorrect type value in WPA2 mode.
927			 */
928			wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
929				   "with unexpected WPA type in RSN mode");
930		} else if (key->type != EAPOL_KEY_TYPE_RSN) {
931			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
932				   "unexpected type %d in RSN mode",
933				   key->type);
934			return;
935		}
936	} else {
937		if (key->type != EAPOL_KEY_TYPE_WPA) {
938			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
939				   "unexpected type %d in WPA mode",
940				   key->type);
941			return;
942		}
943	}
944
945	wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
946		    WPA_NONCE_LEN);
947	wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
948		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
949
950	/* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
951	 * are set */
952
953	if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
954	    (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
955		if (key_info & WPA_KEY_INFO_ERROR) {
956			msg = SMK_ERROR;
957			msgtxt = "SMK Error";
958		} else {
959			msg = SMK_M1;
960			msgtxt = "SMK M1";
961		}
962	} else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
963		msg = SMK_M3;
964		msgtxt = "SMK M3";
965	} else if (key_info & WPA_KEY_INFO_REQUEST) {
966		msg = REQUEST;
967		msgtxt = "Request";
968	} else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
969		msg = GROUP_2;
970		msgtxt = "2/2 Group";
971	} else if (key_data_length == 0) {
972		msg = PAIRWISE_4;
973		msgtxt = "4/4 Pairwise";
974	} else {
975		msg = PAIRWISE_2;
976		msgtxt = "2/4 Pairwise";
977	}
978
979	/* TODO: key_info type validation for PeerKey */
980	if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
981	    msg == GROUP_2) {
982		u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
983		if (sm->pairwise == WPA_CIPHER_CCMP ||
984		    sm->pairwise == WPA_CIPHER_GCMP) {
985			if (wpa_use_aes_cmac(sm) &&
986			    sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
987			    !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
988			    ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
989				wpa_auth_logger(wpa_auth, sm->addr,
990						LOGGER_WARNING,
991						"advertised support for "
992						"AES-128-CMAC, but did not "
993						"use it");
994				return;
995			}
996
997			if (!wpa_use_aes_cmac(sm) &&
998			    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
999				wpa_auth_logger(wpa_auth, sm->addr,
1000						LOGGER_WARNING,
1001						"did not use HMAC-SHA1-AES "
1002						"with CCMP/GCMP");
1003				return;
1004			}
1005		}
1006
1007		if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
1008		    ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1009			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1010					"did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1011			return;
1012		}
1013	}
1014
1015	if (key_info & WPA_KEY_INFO_REQUEST) {
1016		if (sm->req_replay_counter_used &&
1017		    os_memcmp(key->replay_counter, sm->req_replay_counter,
1018			      WPA_REPLAY_COUNTER_LEN) <= 0) {
1019			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1020					"received EAPOL-Key request with "
1021					"replayed counter");
1022			return;
1023		}
1024	}
1025
1026	if (!(key_info & WPA_KEY_INFO_REQUEST) &&
1027	    !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
1028		int i;
1029
1030		if (msg == PAIRWISE_2 &&
1031		    wpa_replay_counter_valid(sm->prev_key_replay,
1032					     key->replay_counter) &&
1033		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1034		    os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1035		{
1036			/*
1037			 * Some supplicant implementations (e.g., Windows XP
1038			 * WZC) update SNonce for each EAPOL-Key 2/4. This
1039			 * breaks the workaround on accepting any of the
1040			 * pending requests, so allow the SNonce to be updated
1041			 * even if we have already sent out EAPOL-Key 3/4.
1042			 */
1043			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1044					 "Process SNonce update from STA "
1045					 "based on retransmitted EAPOL-Key "
1046					 "1/4");
1047			sm->update_snonce = 1;
1048			os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1049			sm->alt_snonce_valid = TRUE;
1050			os_memcpy(sm->alt_replay_counter,
1051				  sm->key_replay[0].counter,
1052				  WPA_REPLAY_COUNTER_LEN);
1053			goto continue_processing;
1054		}
1055
1056		if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1057		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1058		    os_memcmp(key->replay_counter, sm->alt_replay_counter,
1059			      WPA_REPLAY_COUNTER_LEN) == 0) {
1060			/*
1061			 * Supplicant may still be using the old SNonce since
1062			 * there was two EAPOL-Key 2/4 messages and they had
1063			 * different SNonce values.
1064			 */
1065			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1066					 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
1067			goto continue_processing;
1068		}
1069
1070		if (msg == PAIRWISE_2 &&
1071		    wpa_replay_counter_valid(sm->prev_key_replay,
1072					     key->replay_counter) &&
1073		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1074			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1075					 "ignore retransmitted EAPOL-Key %s - "
1076					 "SNonce did not change", msgtxt);
1077		} else {
1078			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1079					 "received EAPOL-Key %s with "
1080					 "unexpected replay counter", msgtxt);
1081		}
1082		for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1083			if (!sm->key_replay[i].valid)
1084				break;
1085			wpa_hexdump(MSG_DEBUG, "pending replay counter",
1086				    sm->key_replay[i].counter,
1087				    WPA_REPLAY_COUNTER_LEN);
1088		}
1089		wpa_hexdump(MSG_DEBUG, "received replay counter",
1090			    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1091		return;
1092	}
1093
1094continue_processing:
1095	switch (msg) {
1096	case PAIRWISE_2:
1097		if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
1098		    sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1099		    (!sm->update_snonce ||
1100		     sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
1101			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1102					 "received EAPOL-Key msg 2/4 in "
1103					 "invalid state (%d) - dropped",
1104					 sm->wpa_ptk_state);
1105			return;
1106		}
1107		random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
1108		if (sm->group->reject_4way_hs_for_entropy) {
1109			/*
1110			 * The system did not have enough entropy to generate
1111			 * strong random numbers. Reject the first 4-way
1112			 * handshake(s) and collect some entropy based on the
1113			 * information from it. Once enough entropy is
1114			 * available, the next atempt will trigger GMK/Key
1115			 * Counter update and the station will be allowed to
1116			 * continue.
1117			 */
1118			wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1119				   "collect more entropy for random number "
1120				   "generation");
1121			random_mark_pool_ready();
1122			wpa_sta_disconnect(wpa_auth, sm->addr);
1123			return;
1124		}
1125		if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
1126			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1127					 "received EAPOL-Key msg 2/4 with "
1128					 "invalid Key Data contents");
1129			return;
1130		}
1131		if (kde.rsn_ie) {
1132			eapol_key_ie = kde.rsn_ie;
1133			eapol_key_ie_len = kde.rsn_ie_len;
1134		} else if (kde.osen) {
1135			eapol_key_ie = kde.osen;
1136			eapol_key_ie_len = kde.osen_len;
1137		} else {
1138			eapol_key_ie = kde.wpa_ie;
1139			eapol_key_ie_len = kde.wpa_ie_len;
1140		}
1141		ft = sm->wpa == WPA_VERSION_WPA2 &&
1142			wpa_key_mgmt_ft(sm->wpa_key_mgmt);
1143		if (sm->wpa_ie == NULL ||
1144		    wpa_compare_rsn_ie(ft,
1145				       sm->wpa_ie, sm->wpa_ie_len,
1146				       eapol_key_ie, eapol_key_ie_len)) {
1147			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1148					"WPA IE from (Re)AssocReq did not "
1149					"match with msg 2/4");
1150			if (sm->wpa_ie) {
1151				wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
1152					    sm->wpa_ie, sm->wpa_ie_len);
1153			}
1154			wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
1155				    eapol_key_ie, eapol_key_ie_len);
1156			/* MLME-DEAUTHENTICATE.request */
1157			wpa_sta_disconnect(wpa_auth, sm->addr);
1158			return;
1159		}
1160#ifdef CONFIG_IEEE80211R
1161		if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
1162			wpa_sta_disconnect(wpa_auth, sm->addr);
1163			return;
1164		}
1165#endif /* CONFIG_IEEE80211R */
1166#ifdef CONFIG_P2P
1167		if (kde.ip_addr_req && kde.ip_addr_req[0] &&
1168		    wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
1169			int idx;
1170			wpa_printf(MSG_DEBUG, "P2P: IP address requested in "
1171				   "EAPOL-Key exchange");
1172			idx = bitfield_get_first_zero(wpa_auth->ip_pool);
1173			if (idx >= 0) {
1174				u32 start = WPA_GET_BE32(wpa_auth->conf.
1175							 ip_addr_start);
1176				bitfield_set(wpa_auth->ip_pool, idx);
1177				WPA_PUT_BE32(sm->ip_addr, start + idx);
1178				wpa_printf(MSG_DEBUG, "P2P: Assigned IP "
1179					   "address %u.%u.%u.%u to " MACSTR,
1180					   sm->ip_addr[0], sm->ip_addr[1],
1181					   sm->ip_addr[2], sm->ip_addr[3],
1182					   MAC2STR(sm->addr));
1183			}
1184		}
1185#endif /* CONFIG_P2P */
1186		break;
1187	case PAIRWISE_4:
1188		if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1189		    !sm->PTK_valid) {
1190			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1191					 "received EAPOL-Key msg 4/4 in "
1192					 "invalid state (%d) - dropped",
1193					 sm->wpa_ptk_state);
1194			return;
1195		}
1196		break;
1197	case GROUP_2:
1198		if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1199		    || !sm->PTK_valid) {
1200			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1201					 "received EAPOL-Key msg 2/2 in "
1202					 "invalid state (%d) - dropped",
1203					 sm->wpa_ptk_group_state);
1204			return;
1205		}
1206		break;
1207#ifdef CONFIG_PEERKEY
1208	case SMK_M1:
1209	case SMK_M3:
1210	case SMK_ERROR:
1211		if (!wpa_auth->conf.peerkey) {
1212			wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1213				   "PeerKey use disabled - ignoring message");
1214			return;
1215		}
1216		if (!sm->PTK_valid) {
1217			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1218					"received EAPOL-Key msg SMK in "
1219					"invalid state - dropped");
1220			return;
1221		}
1222		break;
1223#else /* CONFIG_PEERKEY */
1224	case SMK_M1:
1225	case SMK_M3:
1226	case SMK_ERROR:
1227		return; /* STSL disabled - ignore SMK messages */
1228#endif /* CONFIG_PEERKEY */
1229	case REQUEST:
1230		break;
1231	}
1232
1233	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1234			 "received EAPOL-Key frame (%s)", msgtxt);
1235
1236	if (key_info & WPA_KEY_INFO_ACK) {
1237		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1238				"received invalid EAPOL-Key: Key Ack set");
1239		return;
1240	}
1241
1242	if (!(key_info & WPA_KEY_INFO_MIC)) {
1243		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1244				"received invalid EAPOL-Key: Key MIC not set");
1245		return;
1246	}
1247
1248	sm->MICVerified = FALSE;
1249	if (sm->PTK_valid && !sm->update_snonce) {
1250		if (wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data,
1251				       data_len) &&
1252		    (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1253		     wpa_try_alt_snonce(sm, data, data_len))) {
1254			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1255					"received EAPOL-Key with invalid MIC");
1256			return;
1257		}
1258		sm->MICVerified = TRUE;
1259		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1260		sm->pending_1_of_4_timeout = 0;
1261	}
1262
1263	if (key_info & WPA_KEY_INFO_REQUEST) {
1264		if (sm->MICVerified) {
1265			sm->req_replay_counter_used = 1;
1266			os_memcpy(sm->req_replay_counter, key->replay_counter,
1267				  WPA_REPLAY_COUNTER_LEN);
1268		} else {
1269			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1270					"received EAPOL-Key request with "
1271					"invalid MIC");
1272			return;
1273		}
1274
1275		/*
1276		 * TODO: should decrypt key data field if encryption was used;
1277		 * even though MAC address KDE is not normally encrypted,
1278		 * supplicant is allowed to encrypt it.
1279		 */
1280		if (msg == SMK_ERROR) {
1281#ifdef CONFIG_PEERKEY
1282			wpa_smk_error(wpa_auth, sm, key_data, key_data_length);
1283#endif /* CONFIG_PEERKEY */
1284			return;
1285		} else if (key_info & WPA_KEY_INFO_ERROR) {
1286			if (wpa_receive_error_report(
1287				    wpa_auth, sm,
1288				    !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1289				return; /* STA entry was removed */
1290		} else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1291			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1292					"received EAPOL-Key Request for new "
1293					"4-Way Handshake");
1294			wpa_request_new_ptk(sm);
1295#ifdef CONFIG_PEERKEY
1296		} else if (msg == SMK_M1) {
1297			wpa_smk_m1(wpa_auth, sm, key, key_data,
1298				   key_data_length);
1299#endif /* CONFIG_PEERKEY */
1300		} else if (key_data_length > 0 &&
1301			   wpa_parse_kde_ies(key_data, key_data_length,
1302					     &kde) == 0 &&
1303			   kde.mac_addr) {
1304		} else {
1305			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1306					"received EAPOL-Key Request for GTK "
1307					"rekeying");
1308			eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1309			wpa_rekey_gtk(wpa_auth, NULL);
1310		}
1311	} else {
1312		/* Do not allow the same key replay counter to be reused. */
1313		wpa_replay_counter_mark_invalid(sm->key_replay,
1314						key->replay_counter);
1315
1316		if (msg == PAIRWISE_2) {
1317			/*
1318			 * Maintain a copy of the pending EAPOL-Key frames in
1319			 * case the EAPOL-Key frame was retransmitted. This is
1320			 * needed to allow EAPOL-Key msg 2/4 reply to another
1321			 * pending msg 1/4 to update the SNonce to work around
1322			 * unexpected supplicant behavior.
1323			 */
1324			os_memcpy(sm->prev_key_replay, sm->key_replay,
1325				  sizeof(sm->key_replay));
1326		} else {
1327			os_memset(sm->prev_key_replay, 0,
1328				  sizeof(sm->prev_key_replay));
1329		}
1330
1331		/*
1332		 * Make sure old valid counters are not accepted anymore and
1333		 * do not get copied again.
1334		 */
1335		wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1336	}
1337
1338#ifdef CONFIG_PEERKEY
1339	if (msg == SMK_M3) {
1340		wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length);
1341		return;
1342	}
1343#endif /* CONFIG_PEERKEY */
1344
1345	os_free(sm->last_rx_eapol_key);
1346	sm->last_rx_eapol_key = os_malloc(data_len);
1347	if (sm->last_rx_eapol_key == NULL)
1348		return;
1349	os_memcpy(sm->last_rx_eapol_key, data, data_len);
1350	sm->last_rx_eapol_key_len = data_len;
1351
1352	sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1353	sm->EAPOLKeyReceived = TRUE;
1354	sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1355	sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1356	os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1357	wpa_sm_step(sm);
1358}
1359
1360
1361static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1362			  const u8 *gnonce, u8 *gtk, size_t gtk_len)
1363{
1364	u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1365	u8 *pos;
1366	int ret = 0;
1367
1368	/* GTK = PRF-X(GMK, "Group key expansion",
1369	 *	AA || GNonce || Time || random data)
1370	 * The example described in the IEEE 802.11 standard uses only AA and
1371	 * GNonce as inputs here. Add some more entropy since this derivation
1372	 * is done only at the Authenticator and as such, does not need to be
1373	 * exactly same.
1374	 */
1375	os_memcpy(data, addr, ETH_ALEN);
1376	os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1377	pos = data + ETH_ALEN + WPA_NONCE_LEN;
1378	wpa_get_ntp_timestamp(pos);
1379	pos += 8;
1380	if (random_get_bytes(pos, 16) < 0)
1381		ret = -1;
1382
1383#ifdef CONFIG_IEEE80211W
1384	sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
1385#else /* CONFIG_IEEE80211W */
1386	if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1387	    < 0)
1388		ret = -1;
1389#endif /* CONFIG_IEEE80211W */
1390
1391	return ret;
1392}
1393
1394
1395static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1396{
1397	struct wpa_authenticator *wpa_auth = eloop_ctx;
1398	struct wpa_state_machine *sm = timeout_ctx;
1399
1400	sm->pending_1_of_4_timeout = 0;
1401	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1402	sm->TimeoutEvt = TRUE;
1403	wpa_sm_step(sm);
1404}
1405
1406
1407void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1408		      struct wpa_state_machine *sm, int key_info,
1409		      const u8 *key_rsc, const u8 *nonce,
1410		      const u8 *kde, size_t kde_len,
1411		      int keyidx, int encr, int force_version)
1412{
1413	struct ieee802_1x_hdr *hdr;
1414	struct wpa_eapol_key *key;
1415	struct wpa_eapol_key_192 *key192;
1416	size_t len, mic_len, keyhdrlen;
1417	int alg;
1418	int key_data_len, pad_len = 0;
1419	u8 *buf, *pos;
1420	int version, pairwise;
1421	int i;
1422	u8 *key_data;
1423
1424	mic_len = wpa_mic_len(sm->wpa_key_mgmt);
1425	keyhdrlen = mic_len == 24 ? sizeof(*key192) : sizeof(*key);
1426
1427	len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
1428
1429	if (force_version)
1430		version = force_version;
1431	else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1432		 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt))
1433		version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
1434	else if (wpa_use_aes_cmac(sm))
1435		version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1436	else if (sm->pairwise != WPA_CIPHER_TKIP)
1437		version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1438	else
1439		version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1440
1441	pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1442
1443	wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1444		   "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1445		   "encr=%d)",
1446		   version,
1447		   (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1448		   (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1449		   (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1450		   (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1451		   pairwise, (unsigned long) kde_len, keyidx, encr);
1452
1453	key_data_len = kde_len;
1454
1455	if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1456	     sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1457	     wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1458	     version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1459		pad_len = key_data_len % 8;
1460		if (pad_len)
1461			pad_len = 8 - pad_len;
1462		key_data_len += pad_len + 8;
1463	}
1464
1465	len += key_data_len;
1466
1467	hdr = os_zalloc(len);
1468	if (hdr == NULL)
1469		return;
1470	hdr->version = wpa_auth->conf.eapol_version;
1471	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1472	hdr->length = host_to_be16(len  - sizeof(*hdr));
1473	key = (struct wpa_eapol_key *) (hdr + 1);
1474	key192 = (struct wpa_eapol_key_192 *) (hdr + 1);
1475	key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
1476
1477	key->type = sm->wpa == WPA_VERSION_WPA2 ?
1478		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1479	key_info |= version;
1480	if (encr && sm->wpa == WPA_VERSION_WPA2)
1481		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1482	if (sm->wpa != WPA_VERSION_WPA2)
1483		key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1484	WPA_PUT_BE16(key->key_info, key_info);
1485
1486	alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1487	WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1488	if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
1489		WPA_PUT_BE16(key->key_length, 0);
1490
1491	/* FIX: STSL: what to use as key_replay_counter? */
1492	for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1493		sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1494		os_memcpy(sm->key_replay[i].counter,
1495			  sm->key_replay[i - 1].counter,
1496			  WPA_REPLAY_COUNTER_LEN);
1497	}
1498	inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1499	os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1500		  WPA_REPLAY_COUNTER_LEN);
1501	wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1502		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1503	sm->key_replay[0].valid = TRUE;
1504
1505	if (nonce)
1506		os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1507
1508	if (key_rsc)
1509		os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1510
1511	if (kde && !encr) {
1512		os_memcpy(key_data, kde, kde_len);
1513		if (mic_len == 24)
1514			WPA_PUT_BE16(key192->key_data_length, kde_len);
1515		else
1516			WPA_PUT_BE16(key->key_data_length, kde_len);
1517	} else if (encr && kde) {
1518		buf = os_zalloc(key_data_len);
1519		if (buf == NULL) {
1520			os_free(hdr);
1521			return;
1522		}
1523		pos = buf;
1524		os_memcpy(pos, kde, kde_len);
1525		pos += kde_len;
1526
1527		if (pad_len)
1528			*pos++ = 0xdd;
1529
1530		wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1531				buf, key_data_len);
1532		if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1533		    sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
1534		    wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1535		    version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1536			if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
1537				     (key_data_len - 8) / 8, buf, key_data)) {
1538				os_free(hdr);
1539				os_free(buf);
1540				return;
1541			}
1542			if (mic_len == 24)
1543				WPA_PUT_BE16(key192->key_data_length,
1544					     key_data_len);
1545			else
1546				WPA_PUT_BE16(key->key_data_length,
1547					     key_data_len);
1548#ifndef CONFIG_NO_RC4
1549		} else if (sm->PTK.kek_len == 16) {
1550			u8 ek[32];
1551			os_memcpy(key->key_iv,
1552				  sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1553			inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1554			os_memcpy(ek, key->key_iv, 16);
1555			os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
1556			os_memcpy(key_data, buf, key_data_len);
1557			rc4_skip(ek, 32, 256, key_data, key_data_len);
1558			if (mic_len == 24)
1559				WPA_PUT_BE16(key192->key_data_length,
1560					     key_data_len);
1561			else
1562				WPA_PUT_BE16(key->key_data_length,
1563					     key_data_len);
1564#endif /* CONFIG_NO_RC4 */
1565		} else {
1566			os_free(hdr);
1567			os_free(buf);
1568			return;
1569		}
1570		os_free(buf);
1571	}
1572
1573	if (key_info & WPA_KEY_INFO_MIC) {
1574		u8 *key_mic;
1575
1576		if (!sm->PTK_valid) {
1577			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1578					"PTK not valid when sending EAPOL-Key "
1579					"frame");
1580			os_free(hdr);
1581			return;
1582		}
1583
1584		key_mic = key192->key_mic; /* same offset for key and key192 */
1585		wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1586				  sm->wpa_key_mgmt, version,
1587				  (u8 *) hdr, len, key_mic);
1588#ifdef CONFIG_TESTING_OPTIONS
1589		if (!pairwise &&
1590		    wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
1591		    drand48() <
1592		    wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1593			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1594					"Corrupting group EAPOL-Key Key MIC");
1595			key_mic[0]++;
1596		}
1597#endif /* CONFIG_TESTING_OPTIONS */
1598	}
1599
1600	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1601			   1);
1602	wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1603			    sm->pairwise_set);
1604	os_free(hdr);
1605}
1606
1607
1608static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1609			   struct wpa_state_machine *sm, int key_info,
1610			   const u8 *key_rsc, const u8 *nonce,
1611			   const u8 *kde, size_t kde_len,
1612			   int keyidx, int encr)
1613{
1614	int timeout_ms;
1615	int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1616	int ctr;
1617
1618	if (sm == NULL)
1619		return;
1620
1621	__wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1622			 keyidx, encr, 0);
1623
1624	ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1625	if (ctr == 1 && wpa_auth->conf.tx_status)
1626		timeout_ms = pairwise ? eapol_key_timeout_first :
1627			eapol_key_timeout_first_group;
1628	else
1629		timeout_ms = eapol_key_timeout_subseq;
1630	if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1631		sm->pending_1_of_4_timeout = 1;
1632	wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1633		   "counter %d)", timeout_ms, ctr);
1634	eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1635			       wpa_send_eapol_timeout, wpa_auth, sm);
1636}
1637
1638
1639static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
1640			      size_t data_len)
1641{
1642	struct ieee802_1x_hdr *hdr;
1643	struct wpa_eapol_key *key;
1644	struct wpa_eapol_key_192 *key192;
1645	u16 key_info;
1646	int ret = 0;
1647	u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
1648	size_t mic_len = wpa_mic_len(akmp);
1649
1650	if (data_len < sizeof(*hdr) + sizeof(*key))
1651		return -1;
1652
1653	hdr = (struct ieee802_1x_hdr *) data;
1654	key = (struct wpa_eapol_key *) (hdr + 1);
1655	key192 = (struct wpa_eapol_key_192 *) (hdr + 1);
1656	key_info = WPA_GET_BE16(key->key_info);
1657	os_memcpy(mic, key192->key_mic, mic_len);
1658	os_memset(key192->key_mic, 0, mic_len);
1659	if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1660			      key_info & WPA_KEY_INFO_TYPE_MASK,
1661			      data, data_len, key192->key_mic) ||
1662	    os_memcmp_const(mic, key192->key_mic, mic_len) != 0)
1663		ret = -1;
1664	os_memcpy(key192->key_mic, mic, mic_len);
1665	return ret;
1666}
1667
1668
1669void wpa_remove_ptk(struct wpa_state_machine *sm)
1670{
1671	sm->PTK_valid = FALSE;
1672	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1673	wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
1674	sm->pairwise_set = FALSE;
1675	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1676}
1677
1678
1679int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
1680{
1681	int remove_ptk = 1;
1682
1683	if (sm == NULL)
1684		return -1;
1685
1686	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1687			 "event %d notification", event);
1688
1689	switch (event) {
1690	case WPA_AUTH:
1691#ifdef CONFIG_MESH
1692		/* PTKs are derived through AMPE */
1693		if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1694			/* not mesh */
1695			break;
1696		}
1697		return 0;
1698#endif /* CONFIG_MESH */
1699	case WPA_ASSOC:
1700		break;
1701	case WPA_DEAUTH:
1702	case WPA_DISASSOC:
1703		sm->DeauthenticationRequest = TRUE;
1704		break;
1705	case WPA_REAUTH:
1706	case WPA_REAUTH_EAPOL:
1707		if (!sm->started) {
1708			/*
1709			 * When using WPS, we may end up here if the STA
1710			 * manages to re-associate without the previous STA
1711			 * entry getting removed. Consequently, we need to make
1712			 * sure that the WPA state machines gets initialized
1713			 * properly at this point.
1714			 */
1715			wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1716				   "started - initialize now");
1717			sm->started = 1;
1718			sm->Init = TRUE;
1719			if (wpa_sm_step(sm) == 1)
1720				return 1; /* should not really happen */
1721			sm->Init = FALSE;
1722			sm->AuthenticationRequest = TRUE;
1723			break;
1724		}
1725		if (sm->GUpdateStationKeys) {
1726			/*
1727			 * Reauthentication cancels the pending group key
1728			 * update for this STA.
1729			 */
1730			sm->group->GKeyDoneStations--;
1731			sm->GUpdateStationKeys = FALSE;
1732			sm->PtkGroupInit = TRUE;
1733		}
1734		sm->ReAuthenticationRequest = TRUE;
1735		break;
1736	case WPA_ASSOC_FT:
1737#ifdef CONFIG_IEEE80211R
1738		wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1739			   "after association");
1740		wpa_ft_install_ptk(sm);
1741
1742		/* Using FT protocol, not WPA auth state machine */
1743		sm->ft_completed = 1;
1744		return 0;
1745#else /* CONFIG_IEEE80211R */
1746		break;
1747#endif /* CONFIG_IEEE80211R */
1748	}
1749
1750#ifdef CONFIG_IEEE80211R
1751	sm->ft_completed = 0;
1752#endif /* CONFIG_IEEE80211R */
1753
1754#ifdef CONFIG_IEEE80211W
1755	if (sm->mgmt_frame_prot && event == WPA_AUTH)
1756		remove_ptk = 0;
1757#endif /* CONFIG_IEEE80211W */
1758
1759	if (remove_ptk) {
1760		sm->PTK_valid = FALSE;
1761		os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1762
1763		if (event != WPA_REAUTH_EAPOL)
1764			wpa_remove_ptk(sm);
1765	}
1766
1767	if (sm->in_step_loop) {
1768		/*
1769		 * wpa_sm_step() is already running - avoid recursive call to
1770		 * it by making the existing loop process the new update.
1771		 */
1772		sm->changed = TRUE;
1773		return 0;
1774	}
1775	return wpa_sm_step(sm);
1776}
1777
1778
1779SM_STATE(WPA_PTK, INITIALIZE)
1780{
1781	SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1782	if (sm->Init) {
1783		/* Init flag is not cleared here, so avoid busy
1784		 * loop by claiming nothing changed. */
1785		sm->changed = FALSE;
1786	}
1787
1788	sm->keycount = 0;
1789	if (sm->GUpdateStationKeys)
1790		sm->group->GKeyDoneStations--;
1791	sm->GUpdateStationKeys = FALSE;
1792	if (sm->wpa == WPA_VERSION_WPA)
1793		sm->PInitAKeys = FALSE;
1794	if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1795	       * Local AA > Remote AA)) */) {
1796		sm->Pair = TRUE;
1797	}
1798	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1799	wpa_remove_ptk(sm);
1800	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1801	sm->TimeoutCtr = 0;
1802	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1803		wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1804				   WPA_EAPOL_authorized, 0);
1805	}
1806}
1807
1808
1809SM_STATE(WPA_PTK, DISCONNECT)
1810{
1811	SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1812	sm->Disconnect = FALSE;
1813	wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1814}
1815
1816
1817SM_STATE(WPA_PTK, DISCONNECTED)
1818{
1819	SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1820	sm->DeauthenticationRequest = FALSE;
1821}
1822
1823
1824SM_STATE(WPA_PTK, AUTHENTICATION)
1825{
1826	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1827	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1828	sm->PTK_valid = FALSE;
1829	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1830			   1);
1831	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1832	sm->AuthenticationRequest = FALSE;
1833}
1834
1835
1836static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1837				  struct wpa_group *group)
1838{
1839	if (group->first_sta_seen)
1840		return;
1841	/*
1842	 * System has run bit further than at the time hostapd was started
1843	 * potentially very early during boot up. This provides better chances
1844	 * of collecting more randomness on embedded systems. Re-initialize the
1845	 * GMK and Counter here to improve their strength if there was not
1846	 * enough entropy available immediately after system startup.
1847	 */
1848	wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1849		   "station");
1850	if (random_pool_ready() != 1) {
1851		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1852			   "to proceed - reject first 4-way handshake");
1853		group->reject_4way_hs_for_entropy = TRUE;
1854	} else {
1855		group->first_sta_seen = TRUE;
1856		group->reject_4way_hs_for_entropy = FALSE;
1857	}
1858
1859	if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1860	    wpa_gtk_update(wpa_auth, group) < 0 ||
1861	    wpa_group_config_group_keys(wpa_auth, group) < 0) {
1862		wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1863		group->first_sta_seen = FALSE;
1864		group->reject_4way_hs_for_entropy = TRUE;
1865	}
1866}
1867
1868
1869SM_STATE(WPA_PTK, AUTHENTICATION2)
1870{
1871	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1872
1873	wpa_group_ensure_init(sm->wpa_auth, sm->group);
1874	sm->ReAuthenticationRequest = FALSE;
1875
1876	/*
1877	 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1878	 * ambiguous. The Authenticator state machine uses a counter that is
1879	 * incremented by one for each 4-way handshake. However, the security
1880	 * analysis of 4-way handshake points out that unpredictable nonces
1881	 * help in preventing precomputation attacks. Instead of the state
1882	 * machine definition, use an unpredictable nonce value here to provide
1883	 * stronger protection against potential precomputation attacks.
1884	 */
1885	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1886		wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1887			   "ANonce.");
1888		sm->Disconnect = TRUE;
1889		return;
1890	}
1891	wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1892		    WPA_NONCE_LEN);
1893	/* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1894	 * logical place than INITIALIZE since AUTHENTICATION2 can be
1895	 * re-entered on ReAuthenticationRequest without going through
1896	 * INITIALIZE. */
1897	sm->TimeoutCtr = 0;
1898}
1899
1900
1901SM_STATE(WPA_PTK, INITPMK)
1902{
1903	u8 msk[2 * PMK_LEN];
1904	size_t len = 2 * PMK_LEN;
1905
1906	SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1907#ifdef CONFIG_IEEE80211R
1908	sm->xxkey_len = 0;
1909#endif /* CONFIG_IEEE80211R */
1910	if (sm->pmksa) {
1911		wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1912		os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1913		sm->pmk_len = sm->pmksa->pmk_len;
1914	} else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1915		unsigned int pmk_len;
1916
1917		if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
1918			pmk_len = PMK_LEN_SUITE_B_192;
1919		else
1920			pmk_len = PMK_LEN;
1921		wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1922			   "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1923			   pmk_len);
1924		if (len < pmk_len) {
1925			wpa_printf(MSG_DEBUG,
1926				   "WPA: MSK not long enough (%u) to create PMK (%u)",
1927				   (unsigned int) len, (unsigned int) pmk_len);
1928			sm->Disconnect = TRUE;
1929			return;
1930		}
1931		os_memcpy(sm->PMK, msk, pmk_len);
1932		sm->pmk_len = pmk_len;
1933#ifdef CONFIG_IEEE80211R
1934		if (len >= 2 * PMK_LEN) {
1935			os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1936			sm->xxkey_len = PMK_LEN;
1937		}
1938#endif /* CONFIG_IEEE80211R */
1939	} else {
1940		wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
1941			   sm->wpa_auth->cb.get_msk);
1942		sm->Disconnect = TRUE;
1943		return;
1944	}
1945	os_memset(msk, 0, sizeof(msk));
1946
1947	sm->req_replay_counter_used = 0;
1948	/* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1949	 * will break reauthentication since EAPOL state machines may not be
1950	 * get into AUTHENTICATING state that clears keyRun before WPA state
1951	 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1952	 * state and takes PMK from the previously used AAA Key. This will
1953	 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1954	 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1955	 * be good workaround for this issue. */
1956	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1957}
1958
1959
1960SM_STATE(WPA_PTK, INITPSK)
1961{
1962	const u8 *psk;
1963	SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
1964	psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
1965	if (psk) {
1966		os_memcpy(sm->PMK, psk, PMK_LEN);
1967		sm->pmk_len = PMK_LEN;
1968#ifdef CONFIG_IEEE80211R
1969		os_memcpy(sm->xxkey, psk, PMK_LEN);
1970		sm->xxkey_len = PMK_LEN;
1971#endif /* CONFIG_IEEE80211R */
1972	}
1973	sm->req_replay_counter_used = 0;
1974}
1975
1976
1977SM_STATE(WPA_PTK, PTKSTART)
1978{
1979	u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
1980	size_t pmkid_len = 0;
1981
1982	SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
1983	sm->PTKRequest = FALSE;
1984	sm->TimeoutEvt = FALSE;
1985	sm->alt_snonce_valid = FALSE;
1986
1987	sm->TimeoutCtr++;
1988	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1989		/* No point in sending the EAPOL-Key - we will disconnect
1990		 * immediately following this. */
1991		return;
1992	}
1993
1994	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1995			"sending 1/4 msg of 4-Way Handshake");
1996	/*
1997	 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
1998	 * one possible PSK for this STA.
1999	 */
2000	if (sm->wpa == WPA_VERSION_WPA2 &&
2001	    wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2002	    sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
2003		pmkid = buf;
2004		pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2005		pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2006		pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2007		RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
2008		if (sm->pmksa) {
2009			os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2010				  sm->pmksa->pmkid, PMKID_LEN);
2011		} else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2012			/* No KCK available to derive PMKID */
2013			pmkid = NULL;
2014		} else {
2015			/*
2016			 * Calculate PMKID since no PMKSA cache entry was
2017			 * available with pre-calculated PMKID.
2018			 */
2019			rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
2020				  sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2021				  wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
2022		}
2023	}
2024	wpa_send_eapol(sm->wpa_auth, sm,
2025		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2026		       sm->ANonce, pmkid, pmkid_len, 0, 0);
2027}
2028
2029
2030static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
2031			  const u8 *pmk, unsigned int pmk_len,
2032			  struct wpa_ptk *ptk)
2033{
2034#ifdef CONFIG_IEEE80211R
2035	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
2036		return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
2037#endif /* CONFIG_IEEE80211R */
2038
2039	return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
2040			      sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2041			      ptk, sm->wpa_key_mgmt, sm->pairwise);
2042}
2043
2044
2045SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2046{
2047	struct wpa_ptk PTK;
2048	int ok = 0, psk_found = 0;
2049	const u8 *pmk = NULL;
2050	unsigned int pmk_len;
2051
2052	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2053	sm->EAPOLKeyReceived = FALSE;
2054	sm->update_snonce = FALSE;
2055
2056	/* WPA with IEEE 802.1X: use the derived PMK from EAP
2057	 * WPA-PSK: iterate through possible PSKs and select the one matching
2058	 * the packet */
2059	for (;;) {
2060		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2061			pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2062					       sm->p2p_dev_addr, pmk);
2063			if (pmk == NULL)
2064				break;
2065			psk_found = 1;
2066			pmk_len = PMK_LEN;
2067		} else {
2068			pmk = sm->PMK;
2069			pmk_len = sm->pmk_len;
2070		}
2071
2072		wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK);
2073
2074		if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK,
2075				       sm->last_rx_eapol_key,
2076				       sm->last_rx_eapol_key_len) == 0) {
2077			ok = 1;
2078			break;
2079		}
2080
2081		if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
2082			break;
2083	}
2084
2085	if (!ok) {
2086		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2087				"invalid MIC in msg 2/4 of 4-Way Handshake");
2088		if (psk_found)
2089			wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
2090		return;
2091	}
2092
2093#ifdef CONFIG_IEEE80211R
2094	if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2095		/*
2096		 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2097		 * with the value we derived.
2098		 */
2099		if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2100				    WPA_PMK_NAME_LEN) != 0) {
2101			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2102					"PMKR1Name mismatch in FT 4-way "
2103					"handshake");
2104			wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2105				    "Supplicant",
2106				    sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2107			wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2108				    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2109			return;
2110		}
2111	}
2112#endif /* CONFIG_IEEE80211R */
2113
2114	sm->pending_1_of_4_timeout = 0;
2115	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2116
2117	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2118		/* PSK may have changed from the previous choice, so update
2119		 * state machine data based on whatever PSK was selected here.
2120		 */
2121		os_memcpy(sm->PMK, pmk, PMK_LEN);
2122		sm->pmk_len = PMK_LEN;
2123	}
2124
2125	sm->MICVerified = TRUE;
2126
2127	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2128	sm->PTK_valid = TRUE;
2129}
2130
2131
2132SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2133{
2134	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2135	sm->TimeoutCtr = 0;
2136}
2137
2138
2139#ifdef CONFIG_IEEE80211W
2140
2141static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2142{
2143	if (sm->mgmt_frame_prot) {
2144		size_t len;
2145		len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2146		return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
2147	}
2148
2149	return 0;
2150}
2151
2152
2153static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2154{
2155	struct wpa_igtk_kde igtk;
2156	struct wpa_group *gsm = sm->group;
2157	u8 rsc[WPA_KEY_RSC_LEN];
2158	size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2159
2160	if (!sm->mgmt_frame_prot)
2161		return pos;
2162
2163	igtk.keyid[0] = gsm->GN_igtk;
2164	igtk.keyid[1] = 0;
2165	if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
2166	    wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
2167		os_memset(igtk.pn, 0, sizeof(igtk.pn));
2168	else
2169		os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
2170	os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
2171	if (sm->wpa_auth->conf.disable_gtk) {
2172		/*
2173		 * Provide unique random IGTK to each STA to prevent use of
2174		 * IGTK in the BSS.
2175		 */
2176		if (random_get_bytes(igtk.igtk, len) < 0)
2177			return pos;
2178	}
2179	pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
2180			  (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2181			  NULL, 0);
2182
2183	return pos;
2184}
2185
2186#else /* CONFIG_IEEE80211W */
2187
2188static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2189{
2190	return 0;
2191}
2192
2193
2194static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2195{
2196	return pos;
2197}
2198
2199#endif /* CONFIG_IEEE80211W */
2200
2201
2202SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2203{
2204	u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
2205	size_t gtk_len, kde_len;
2206	struct wpa_group *gsm = sm->group;
2207	u8 *wpa_ie;
2208	int wpa_ie_len, secure, keyidx, encr = 0;
2209
2210	SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2211	sm->TimeoutEvt = FALSE;
2212
2213	sm->TimeoutCtr++;
2214	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
2215		/* No point in sending the EAPOL-Key - we will disconnect
2216		 * immediately following this. */
2217		return;
2218	}
2219
2220	/* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2221	   GTK[GN], IGTK, [FTIE], [TIE * 2])
2222	 */
2223	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2224	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2225	/* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
2226	wpa_ie = sm->wpa_auth->wpa_ie;
2227	wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2228	if (sm->wpa == WPA_VERSION_WPA &&
2229	    (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2230	    wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
2231		/* WPA-only STA, remove RSN IE and possible MDIE */
2232		wpa_ie = wpa_ie + wpa_ie[1] + 2;
2233		if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2234			wpa_ie = wpa_ie + wpa_ie[1] + 2;
2235		wpa_ie_len = wpa_ie[1] + 2;
2236	}
2237	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2238			"sending 3/4 msg of 4-Way Handshake");
2239	if (sm->wpa == WPA_VERSION_WPA2) {
2240		/* WPA2 send GTK in the 4-way handshake */
2241		secure = 1;
2242		gtk = gsm->GTK[gsm->GN - 1];
2243		gtk_len = gsm->GTK_len;
2244		if (sm->wpa_auth->conf.disable_gtk) {
2245			/*
2246			 * Provide unique random GTK to each STA to prevent use
2247			 * of GTK in the BSS.
2248			 */
2249			if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2250				return;
2251			gtk = dummy_gtk;
2252		}
2253		keyidx = gsm->GN;
2254		_rsc = rsc;
2255		encr = 1;
2256	} else {
2257		/* WPA does not include GTK in msg 3/4 */
2258		secure = 0;
2259		gtk = NULL;
2260		gtk_len = 0;
2261		keyidx = 0;
2262		_rsc = NULL;
2263		if (sm->rx_eapol_key_secure) {
2264			/*
2265			 * It looks like Windows 7 supplicant tries to use
2266			 * Secure bit in msg 2/4 after having reported Michael
2267			 * MIC failure and it then rejects the 4-way handshake
2268			 * if msg 3/4 does not set Secure bit. Work around this
2269			 * by setting the Secure bit here even in the case of
2270			 * WPA if the supplicant used it first.
2271			 */
2272			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2273					"STA used Secure bit in WPA msg 2/4 - "
2274					"set Secure for 3/4 as workaround");
2275			secure = 1;
2276		}
2277	}
2278
2279	kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2280	if (gtk)
2281		kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
2282#ifdef CONFIG_IEEE80211R
2283	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2284		kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2285		kde_len += 300; /* FTIE + 2 * TIE */
2286	}
2287#endif /* CONFIG_IEEE80211R */
2288#ifdef CONFIG_P2P
2289	if (WPA_GET_BE32(sm->ip_addr) > 0)
2290		kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2291#endif /* CONFIG_P2P */
2292	kde = os_malloc(kde_len);
2293	if (kde == NULL)
2294		return;
2295
2296	pos = kde;
2297	os_memcpy(pos, wpa_ie, wpa_ie_len);
2298	pos += wpa_ie_len;
2299#ifdef CONFIG_IEEE80211R
2300	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2301		int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name);
2302		if (res < 0) {
2303			wpa_printf(MSG_ERROR, "FT: Failed to insert "
2304				   "PMKR1Name into RSN IE in EAPOL-Key data");
2305			os_free(kde);
2306			return;
2307		}
2308		pos += res;
2309	}
2310#endif /* CONFIG_IEEE80211R */
2311	if (gtk) {
2312		u8 hdr[2];
2313		hdr[0] = keyidx & 0x03;
2314		hdr[1] = 0;
2315		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2316				  gtk, gtk_len);
2317	}
2318	pos = ieee80211w_kde_add(sm, pos);
2319
2320#ifdef CONFIG_IEEE80211R
2321	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2322		int res;
2323		struct wpa_auth_config *conf;
2324
2325		conf = &sm->wpa_auth->conf;
2326		res = wpa_write_ftie(conf, conf->r0_key_holder,
2327				     conf->r0_key_holder_len,
2328				     NULL, NULL, pos, kde + kde_len - pos,
2329				     NULL, 0);
2330		if (res < 0) {
2331			wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2332				   "into EAPOL-Key Key Data");
2333			os_free(kde);
2334			return;
2335		}
2336		pos += res;
2337
2338		/* TIE[ReassociationDeadline] (TU) */
2339		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2340		*pos++ = 5;
2341		*pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2342		WPA_PUT_LE32(pos, conf->reassociation_deadline);
2343		pos += 4;
2344
2345		/* TIE[KeyLifetime] (seconds) */
2346		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2347		*pos++ = 5;
2348		*pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2349		WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2350		pos += 4;
2351	}
2352#endif /* CONFIG_IEEE80211R */
2353#ifdef CONFIG_P2P
2354	if (WPA_GET_BE32(sm->ip_addr) > 0) {
2355		u8 addr[3 * 4];
2356		os_memcpy(addr, sm->ip_addr, 4);
2357		os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
2358		os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
2359		pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
2360				  addr, sizeof(addr), NULL, 0);
2361	}
2362#endif /* CONFIG_P2P */
2363
2364	wpa_send_eapol(sm->wpa_auth, sm,
2365		       (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
2366		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2367		       WPA_KEY_INFO_KEY_TYPE,
2368		       _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2369	os_free(kde);
2370}
2371
2372
2373SM_STATE(WPA_PTK, PTKINITDONE)
2374{
2375	SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2376	sm->EAPOLKeyReceived = FALSE;
2377	if (sm->Pair) {
2378		enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2379		int klen = wpa_cipher_key_len(sm->pairwise);
2380		if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2381				     sm->PTK.tk, klen)) {
2382			wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2383			return;
2384		}
2385		/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2386		sm->pairwise_set = TRUE;
2387
2388		if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2389			eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2390			eloop_register_timeout(sm->wpa_auth->conf.
2391					       wpa_ptk_rekey, 0, wpa_rekey_ptk,
2392					       sm->wpa_auth, sm);
2393		}
2394
2395		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2396			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2397					   WPA_EAPOL_authorized, 1);
2398		}
2399	}
2400
2401	if (0 /* IBSS == TRUE */) {
2402		sm->keycount++;
2403		if (sm->keycount == 2) {
2404			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2405					   WPA_EAPOL_portValid, 1);
2406		}
2407	} else {
2408		wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2409				   1);
2410	}
2411	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2412	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2413	if (sm->wpa == WPA_VERSION_WPA)
2414		sm->PInitAKeys = TRUE;
2415	else
2416		sm->has_GTK = TRUE;
2417	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2418			 "pairwise key handshake completed (%s)",
2419			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2420
2421#ifdef CONFIG_IEEE80211R
2422	wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
2423#endif /* CONFIG_IEEE80211R */
2424}
2425
2426
2427SM_STEP(WPA_PTK)
2428{
2429	struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2430
2431	if (sm->Init)
2432		SM_ENTER(WPA_PTK, INITIALIZE);
2433	else if (sm->Disconnect
2434		 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2435		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2436				"WPA_PTK: sm->Disconnect");
2437		SM_ENTER(WPA_PTK, DISCONNECT);
2438	}
2439	else if (sm->DeauthenticationRequest)
2440		SM_ENTER(WPA_PTK, DISCONNECTED);
2441	else if (sm->AuthenticationRequest)
2442		SM_ENTER(WPA_PTK, AUTHENTICATION);
2443	else if (sm->ReAuthenticationRequest)
2444		SM_ENTER(WPA_PTK, AUTHENTICATION2);
2445	else if (sm->PTKRequest)
2446		SM_ENTER(WPA_PTK, PTKSTART);
2447	else switch (sm->wpa_ptk_state) {
2448	case WPA_PTK_INITIALIZE:
2449		break;
2450	case WPA_PTK_DISCONNECT:
2451		SM_ENTER(WPA_PTK, DISCONNECTED);
2452		break;
2453	case WPA_PTK_DISCONNECTED:
2454		SM_ENTER(WPA_PTK, INITIALIZE);
2455		break;
2456	case WPA_PTK_AUTHENTICATION:
2457		SM_ENTER(WPA_PTK, AUTHENTICATION2);
2458		break;
2459	case WPA_PTK_AUTHENTICATION2:
2460		if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2461		    wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2462				       WPA_EAPOL_keyRun) > 0)
2463			SM_ENTER(WPA_PTK, INITPMK);
2464		else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
2465			 /* FIX: && 802.1X::keyRun */)
2466			SM_ENTER(WPA_PTK, INITPSK);
2467		break;
2468	case WPA_PTK_INITPMK:
2469		if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2470				       WPA_EAPOL_keyAvailable) > 0)
2471			SM_ENTER(WPA_PTK, PTKSTART);
2472		else {
2473			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2474			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2475					"INITPMK - keyAvailable = false");
2476			SM_ENTER(WPA_PTK, DISCONNECT);
2477		}
2478		break;
2479	case WPA_PTK_INITPSK:
2480		if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
2481				     NULL))
2482			SM_ENTER(WPA_PTK, PTKSTART);
2483		else {
2484			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2485					"no PSK configured for the STA");
2486			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2487			SM_ENTER(WPA_PTK, DISCONNECT);
2488		}
2489		break;
2490	case WPA_PTK_PTKSTART:
2491		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2492		    sm->EAPOLKeyPairwise)
2493			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2494		else if (sm->TimeoutCtr >
2495			 (int) dot11RSNAConfigPairwiseUpdateCount) {
2496			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2497			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2498					 "PTKSTART: Retry limit %d reached",
2499					 dot11RSNAConfigPairwiseUpdateCount);
2500			SM_ENTER(WPA_PTK, DISCONNECT);
2501		} else if (sm->TimeoutEvt)
2502			SM_ENTER(WPA_PTK, PTKSTART);
2503		break;
2504	case WPA_PTK_PTKCALCNEGOTIATING:
2505		if (sm->MICVerified)
2506			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
2507		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2508			 sm->EAPOLKeyPairwise)
2509			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2510		else if (sm->TimeoutEvt)
2511			SM_ENTER(WPA_PTK, PTKSTART);
2512		break;
2513	case WPA_PTK_PTKCALCNEGOTIATING2:
2514		SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2515		break;
2516	case WPA_PTK_PTKINITNEGOTIATING:
2517		if (sm->update_snonce)
2518			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2519		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2520			 sm->EAPOLKeyPairwise && sm->MICVerified)
2521			SM_ENTER(WPA_PTK, PTKINITDONE);
2522		else if (sm->TimeoutCtr >
2523			 (int) dot11RSNAConfigPairwiseUpdateCount) {
2524			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2525			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2526					 "PTKINITNEGOTIATING: Retry limit %d "
2527					 "reached",
2528					 dot11RSNAConfigPairwiseUpdateCount);
2529			SM_ENTER(WPA_PTK, DISCONNECT);
2530		} else if (sm->TimeoutEvt)
2531			SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2532		break;
2533	case WPA_PTK_PTKINITDONE:
2534		break;
2535	}
2536}
2537
2538
2539SM_STATE(WPA_PTK_GROUP, IDLE)
2540{
2541	SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
2542	if (sm->Init) {
2543		/* Init flag is not cleared here, so avoid busy
2544		 * loop by claiming nothing changed. */
2545		sm->changed = FALSE;
2546	}
2547	sm->GTimeoutCtr = 0;
2548}
2549
2550
2551SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
2552{
2553	u8 rsc[WPA_KEY_RSC_LEN];
2554	struct wpa_group *gsm = sm->group;
2555	const u8 *kde;
2556	u8 *kde_buf = NULL, *pos, hdr[2];
2557	size_t kde_len;
2558	u8 *gtk, dummy_gtk[32];
2559
2560	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
2561
2562	sm->GTimeoutCtr++;
2563	if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
2564		/* No point in sending the EAPOL-Key - we will disconnect
2565		 * immediately following this. */
2566		return;
2567	}
2568
2569	if (sm->wpa == WPA_VERSION_WPA)
2570		sm->PInitAKeys = FALSE;
2571	sm->TimeoutEvt = FALSE;
2572	/* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
2573	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2574	if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
2575		wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2576	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2577			"sending 1/2 msg of Group Key Handshake");
2578
2579	gtk = gsm->GTK[gsm->GN - 1];
2580	if (sm->wpa_auth->conf.disable_gtk) {
2581		/*
2582		 * Provide unique random GTK to each STA to prevent use
2583		 * of GTK in the BSS.
2584		 */
2585		if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
2586			return;
2587		gtk = dummy_gtk;
2588	}
2589	if (sm->wpa == WPA_VERSION_WPA2) {
2590		kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
2591			ieee80211w_kde_len(sm);
2592		kde_buf = os_malloc(kde_len);
2593		if (kde_buf == NULL)
2594			return;
2595
2596		kde = pos = kde_buf;
2597		hdr[0] = gsm->GN & 0x03;
2598		hdr[1] = 0;
2599		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2600				  gtk, gsm->GTK_len);
2601		pos = ieee80211w_kde_add(sm, pos);
2602		kde_len = pos - kde;
2603	} else {
2604		kde = gtk;
2605		kde_len = gsm->GTK_len;
2606	}
2607
2608	wpa_send_eapol(sm->wpa_auth, sm,
2609		       WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
2610		       WPA_KEY_INFO_ACK |
2611		       (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
2612		       rsc, gsm->GNonce, kde, kde_len, gsm->GN, 1);
2613
2614	os_free(kde_buf);
2615}
2616
2617
2618SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
2619{
2620	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
2621	sm->EAPOLKeyReceived = FALSE;
2622	if (sm->GUpdateStationKeys)
2623		sm->group->GKeyDoneStations--;
2624	sm->GUpdateStationKeys = FALSE;
2625	sm->GTimeoutCtr = 0;
2626	/* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
2627	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2628			 "group key handshake completed (%s)",
2629			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2630	sm->has_GTK = TRUE;
2631}
2632
2633
2634SM_STATE(WPA_PTK_GROUP, KEYERROR)
2635{
2636	SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
2637	if (sm->GUpdateStationKeys)
2638		sm->group->GKeyDoneStations--;
2639	sm->GUpdateStationKeys = FALSE;
2640	sm->Disconnect = TRUE;
2641}
2642
2643
2644SM_STEP(WPA_PTK_GROUP)
2645{
2646	if (sm->Init || sm->PtkGroupInit) {
2647		SM_ENTER(WPA_PTK_GROUP, IDLE);
2648		sm->PtkGroupInit = FALSE;
2649	} else switch (sm->wpa_ptk_group_state) {
2650	case WPA_PTK_GROUP_IDLE:
2651		if (sm->GUpdateStationKeys ||
2652		    (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
2653			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2654		break;
2655	case WPA_PTK_GROUP_REKEYNEGOTIATING:
2656		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2657		    !sm->EAPOLKeyPairwise && sm->MICVerified)
2658			SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
2659		else if (sm->GTimeoutCtr >
2660			 (int) dot11RSNAConfigGroupUpdateCount)
2661			SM_ENTER(WPA_PTK_GROUP, KEYERROR);
2662		else if (sm->TimeoutEvt)
2663			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2664		break;
2665	case WPA_PTK_GROUP_KEYERROR:
2666		SM_ENTER(WPA_PTK_GROUP, IDLE);
2667		break;
2668	case WPA_PTK_GROUP_REKEYESTABLISHED:
2669		SM_ENTER(WPA_PTK_GROUP, IDLE);
2670		break;
2671	}
2672}
2673
2674
2675static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
2676			  struct wpa_group *group)
2677{
2678	int ret = 0;
2679
2680	os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2681	inc_byte_array(group->Counter, WPA_NONCE_LEN);
2682	if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
2683			   wpa_auth->addr, group->GNonce,
2684			   group->GTK[group->GN - 1], group->GTK_len) < 0)
2685		ret = -1;
2686	wpa_hexdump_key(MSG_DEBUG, "GTK",
2687			group->GTK[group->GN - 1], group->GTK_len);
2688
2689#ifdef CONFIG_IEEE80211W
2690	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2691		size_t len;
2692		len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
2693		os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2694		inc_byte_array(group->Counter, WPA_NONCE_LEN);
2695		if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
2696				   wpa_auth->addr, group->GNonce,
2697				   group->IGTK[group->GN_igtk - 4], len) < 0)
2698			ret = -1;
2699		wpa_hexdump_key(MSG_DEBUG, "IGTK",
2700				group->IGTK[group->GN_igtk - 4], len);
2701	}
2702#endif /* CONFIG_IEEE80211W */
2703
2704	return ret;
2705}
2706
2707
2708static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
2709			       struct wpa_group *group)
2710{
2711	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2712		   "GTK_INIT (VLAN-ID %d)", group->vlan_id);
2713	group->changed = FALSE; /* GInit is not cleared here; avoid loop */
2714	group->wpa_group_state = WPA_GROUP_GTK_INIT;
2715
2716	/* GTK[0..N] = 0 */
2717	os_memset(group->GTK, 0, sizeof(group->GTK));
2718	group->GN = 1;
2719	group->GM = 2;
2720#ifdef CONFIG_IEEE80211W
2721	group->GN_igtk = 4;
2722	group->GM_igtk = 5;
2723#endif /* CONFIG_IEEE80211W */
2724	/* GTK[GN] = CalcGTK() */
2725	wpa_gtk_update(wpa_auth, group);
2726}
2727
2728
2729static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
2730{
2731	if (ctx != NULL && ctx != sm->group)
2732		return 0;
2733
2734	if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
2735		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2736				"Not in PTKINITDONE; skip Group Key update");
2737		sm->GUpdateStationKeys = FALSE;
2738		return 0;
2739	}
2740	if (sm->GUpdateStationKeys) {
2741		/*
2742		 * This should not really happen, so add a debug log entry.
2743		 * Since we clear the GKeyDoneStations before the loop, the
2744		 * station needs to be counted here anyway.
2745		 */
2746		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2747				"GUpdateStationKeys was already set when "
2748				"marking station for GTK rekeying");
2749	}
2750
2751	/* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
2752	if (sm->is_wnmsleep)
2753		return 0;
2754
2755	sm->group->GKeyDoneStations++;
2756	sm->GUpdateStationKeys = TRUE;
2757
2758	wpa_sm_step(sm);
2759	return 0;
2760}
2761
2762
2763#ifdef CONFIG_WNM
2764/* update GTK when exiting WNM-Sleep Mode */
2765void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
2766{
2767	if (sm == NULL || sm->is_wnmsleep)
2768		return;
2769
2770	wpa_group_update_sta(sm, NULL);
2771}
2772
2773
2774void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
2775{
2776	if (sm)
2777		sm->is_wnmsleep = !!flag;
2778}
2779
2780
2781int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2782{
2783	struct wpa_group *gsm = sm->group;
2784	u8 *start = pos;
2785
2786	/*
2787	 * GTK subelement:
2788	 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
2789	 * Key[5..32]
2790	 */
2791	*pos++ = WNM_SLEEP_SUBELEM_GTK;
2792	*pos++ = 11 + gsm->GTK_len;
2793	/* Key ID in B0-B1 of Key Info */
2794	WPA_PUT_LE16(pos, gsm->GN & 0x03);
2795	pos += 2;
2796	*pos++ = gsm->GTK_len;
2797	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
2798		return 0;
2799	pos += 8;
2800	os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2801	pos += gsm->GTK_len;
2802
2803	wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
2804		   gsm->GN);
2805	wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
2806			gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2807
2808	return pos - start;
2809}
2810
2811
2812#ifdef CONFIG_IEEE80211W
2813int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2814{
2815	struct wpa_group *gsm = sm->group;
2816	u8 *start = pos;
2817	size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2818
2819	/*
2820	 * IGTK subelement:
2821	 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
2822	 */
2823	*pos++ = WNM_SLEEP_SUBELEM_IGTK;
2824	*pos++ = 2 + 6 + len;
2825	WPA_PUT_LE16(pos, gsm->GN_igtk);
2826	pos += 2;
2827	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
2828		return 0;
2829	pos += 6;
2830
2831	os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
2832	pos += len;
2833
2834	wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
2835		   gsm->GN_igtk);
2836	wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
2837			gsm->IGTK[gsm->GN_igtk - 4], len);
2838
2839	return pos - start;
2840}
2841#endif /* CONFIG_IEEE80211W */
2842#endif /* CONFIG_WNM */
2843
2844
2845static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
2846			      struct wpa_group *group)
2847{
2848	int tmp;
2849
2850	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2851		   "SETKEYS (VLAN-ID %d)", group->vlan_id);
2852	group->changed = TRUE;
2853	group->wpa_group_state = WPA_GROUP_SETKEYS;
2854	group->GTKReKey = FALSE;
2855	tmp = group->GM;
2856	group->GM = group->GN;
2857	group->GN = tmp;
2858#ifdef CONFIG_IEEE80211W
2859	tmp = group->GM_igtk;
2860	group->GM_igtk = group->GN_igtk;
2861	group->GN_igtk = tmp;
2862#endif /* CONFIG_IEEE80211W */
2863	/* "GKeyDoneStations = GNoStations" is done in more robust way by
2864	 * counting the STAs that are marked with GUpdateStationKeys instead of
2865	 * including all STAs that could be in not-yet-completed state. */
2866	wpa_gtk_update(wpa_auth, group);
2867
2868	if (group->GKeyDoneStations) {
2869		wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
2870			   "GKeyDoneStations=%d when starting new GTK rekey",
2871			   group->GKeyDoneStations);
2872		group->GKeyDoneStations = 0;
2873	}
2874	wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
2875	wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
2876		   group->GKeyDoneStations);
2877}
2878
2879
2880static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
2881				       struct wpa_group *group)
2882{
2883	int ret = 0;
2884
2885	if (wpa_auth_set_key(wpa_auth, group->vlan_id,
2886			     wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
2887			     broadcast_ether_addr, group->GN,
2888			     group->GTK[group->GN - 1], group->GTK_len) < 0)
2889		ret = -1;
2890
2891#ifdef CONFIG_IEEE80211W
2892	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2893		enum wpa_alg alg;
2894		size_t len;
2895
2896		alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
2897		len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
2898
2899		if (ret == 0 &&
2900		    wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
2901				     broadcast_ether_addr, group->GN_igtk,
2902				     group->IGTK[group->GN_igtk - 4], len) < 0)
2903			ret = -1;
2904	}
2905#endif /* CONFIG_IEEE80211W */
2906
2907	return ret;
2908}
2909
2910
2911static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
2912{
2913	if (sm->group == ctx) {
2914		wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
2915			   " for discconnection due to fatal failure",
2916			   MAC2STR(sm->addr));
2917		sm->Disconnect = TRUE;
2918	}
2919
2920	return 0;
2921}
2922
2923
2924static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
2925				    struct wpa_group *group)
2926{
2927	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
2928	group->changed = TRUE;
2929	group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
2930	wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
2931}
2932
2933
2934static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
2935				 struct wpa_group *group)
2936{
2937	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2938		   "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
2939	group->changed = TRUE;
2940	group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
2941
2942	if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
2943		wpa_group_fatal_failure(wpa_auth, group);
2944		return -1;
2945	}
2946
2947	return 0;
2948}
2949
2950
2951static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
2952			      struct wpa_group *group)
2953{
2954	if (group->GInit) {
2955		wpa_group_gtk_init(wpa_auth, group);
2956	} else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
2957		/* Do not allow group operations */
2958	} else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
2959		   group->GTKAuthenticator) {
2960		wpa_group_setkeysdone(wpa_auth, group);
2961	} else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
2962		   group->GTKReKey) {
2963		wpa_group_setkeys(wpa_auth, group);
2964	} else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
2965		if (group->GKeyDoneStations == 0)
2966			wpa_group_setkeysdone(wpa_auth, group);
2967		else if (group->GTKReKey)
2968			wpa_group_setkeys(wpa_auth, group);
2969	}
2970}
2971
2972
2973static int wpa_sm_step(struct wpa_state_machine *sm)
2974{
2975	if (sm == NULL)
2976		return 0;
2977
2978	if (sm->in_step_loop) {
2979		/* This should not happen, but if it does, make sure we do not
2980		 * end up freeing the state machine too early by exiting the
2981		 * recursive call. */
2982		wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
2983		return 0;
2984	}
2985
2986	sm->in_step_loop = 1;
2987	do {
2988		if (sm->pending_deinit)
2989			break;
2990
2991		sm->changed = FALSE;
2992		sm->wpa_auth->group->changed = FALSE;
2993
2994		SM_STEP_RUN(WPA_PTK);
2995		if (sm->pending_deinit)
2996			break;
2997		SM_STEP_RUN(WPA_PTK_GROUP);
2998		if (sm->pending_deinit)
2999			break;
3000		wpa_group_sm_step(sm->wpa_auth, sm->group);
3001	} while (sm->changed || sm->wpa_auth->group->changed);
3002	sm->in_step_loop = 0;
3003
3004	if (sm->pending_deinit) {
3005		wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3006			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
3007		wpa_free_sta_sm(sm);
3008		return 1;
3009	}
3010	return 0;
3011}
3012
3013
3014static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3015{
3016	struct wpa_state_machine *sm = eloop_ctx;
3017	wpa_sm_step(sm);
3018}
3019
3020
3021void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3022{
3023	if (sm == NULL)
3024		return;
3025	eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3026}
3027
3028
3029void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3030{
3031	int tmp, i;
3032	struct wpa_group *group;
3033
3034	if (wpa_auth == NULL)
3035		return;
3036
3037	group = wpa_auth->group;
3038
3039	for (i = 0; i < 2; i++) {
3040		tmp = group->GM;
3041		group->GM = group->GN;
3042		group->GN = tmp;
3043#ifdef CONFIG_IEEE80211W
3044		tmp = group->GM_igtk;
3045		group->GM_igtk = group->GN_igtk;
3046		group->GN_igtk = tmp;
3047#endif /* CONFIG_IEEE80211W */
3048		wpa_gtk_update(wpa_auth, group);
3049		wpa_group_config_group_keys(wpa_auth, group);
3050	}
3051}
3052
3053
3054static const char * wpa_bool_txt(int val)
3055{
3056	return val ? "TRUE" : "FALSE";
3057}
3058
3059
3060#define RSN_SUITE "%02x-%02x-%02x-%d"
3061#define RSN_SUITE_ARG(s) \
3062((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3063
3064int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3065{
3066	int len = 0, ret;
3067	char pmkid_txt[PMKID_LEN * 2 + 1];
3068#ifdef CONFIG_RSN_PREAUTH
3069	const int preauth = 1;
3070#else /* CONFIG_RSN_PREAUTH */
3071	const int preauth = 0;
3072#endif /* CONFIG_RSN_PREAUTH */
3073
3074	if (wpa_auth == NULL)
3075		return len;
3076
3077	ret = os_snprintf(buf + len, buflen - len,
3078			  "dot11RSNAOptionImplemented=TRUE\n"
3079			  "dot11RSNAPreauthenticationImplemented=%s\n"
3080			  "dot11RSNAEnabled=%s\n"
3081			  "dot11RSNAPreauthenticationEnabled=%s\n",
3082			  wpa_bool_txt(preauth),
3083			  wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3084			  wpa_bool_txt(wpa_auth->conf.rsn_preauth));
3085	if (os_snprintf_error(buflen - len, ret))
3086		return len;
3087	len += ret;
3088
3089	wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3090			 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3091
3092	ret = os_snprintf(
3093		buf + len, buflen - len,
3094		"dot11RSNAConfigVersion=%u\n"
3095		"dot11RSNAConfigPairwiseKeysSupported=9999\n"
3096		/* FIX: dot11RSNAConfigGroupCipher */
3097		/* FIX: dot11RSNAConfigGroupRekeyMethod */
3098		/* FIX: dot11RSNAConfigGroupRekeyTime */
3099		/* FIX: dot11RSNAConfigGroupRekeyPackets */
3100		"dot11RSNAConfigGroupRekeyStrict=%u\n"
3101		"dot11RSNAConfigGroupUpdateCount=%u\n"
3102		"dot11RSNAConfigPairwiseUpdateCount=%u\n"
3103		"dot11RSNAConfigGroupCipherSize=%u\n"
3104		"dot11RSNAConfigPMKLifetime=%u\n"
3105		"dot11RSNAConfigPMKReauthThreshold=%u\n"
3106		"dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3107		"dot11RSNAConfigSATimeout=%u\n"
3108		"dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3109		"dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3110		"dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3111		"dot11RSNAPMKIDUsed=%s\n"
3112		"dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3113		"dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3114		"dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3115		"dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3116		"dot11RSNA4WayHandshakeFailures=%u\n"
3117		"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3118		RSN_VERSION,
3119		!!wpa_auth->conf.wpa_strict_rekey,
3120		dot11RSNAConfigGroupUpdateCount,
3121		dot11RSNAConfigPairwiseUpdateCount,
3122		wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
3123		dot11RSNAConfigPMKLifetime,
3124		dot11RSNAConfigPMKReauthThreshold,
3125		dot11RSNAConfigSATimeout,
3126		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3127		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3128		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3129		pmkid_txt,
3130		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3131		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3132		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3133		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3134		wpa_auth->dot11RSNA4WayHandshakeFailures);
3135	if (os_snprintf_error(buflen - len, ret))
3136		return len;
3137	len += ret;
3138
3139	/* TODO: dot11RSNAConfigPairwiseCiphersTable */
3140	/* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3141
3142	/* Private MIB */
3143	ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3144			  wpa_auth->group->wpa_group_state);
3145	if (os_snprintf_error(buflen - len, ret))
3146		return len;
3147	len += ret;
3148
3149	return len;
3150}
3151
3152
3153int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3154{
3155	int len = 0, ret;
3156	u32 pairwise = 0;
3157
3158	if (sm == NULL)
3159		return 0;
3160
3161	/* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3162
3163	/* dot11RSNAStatsEntry */
3164
3165	pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3166				       WPA_PROTO_RSN : WPA_PROTO_WPA,
3167				       sm->pairwise);
3168	if (pairwise == 0)
3169		return 0;
3170
3171	ret = os_snprintf(
3172		buf + len, buflen - len,
3173		/* TODO: dot11RSNAStatsIndex */
3174		"dot11RSNAStatsSTAAddress=" MACSTR "\n"
3175		"dot11RSNAStatsVersion=1\n"
3176		"dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3177		/* TODO: dot11RSNAStatsTKIPICVErrors */
3178		"dot11RSNAStatsTKIPLocalMICFailures=%u\n"
3179		"dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
3180		/* TODO: dot11RSNAStatsCCMPReplays */
3181		/* TODO: dot11RSNAStatsCCMPDecryptErrors */
3182		/* TODO: dot11RSNAStatsTKIPReplays */,
3183		MAC2STR(sm->addr),
3184		RSN_SUITE_ARG(pairwise),
3185		sm->dot11RSNAStatsTKIPLocalMICFailures,
3186		sm->dot11RSNAStatsTKIPRemoteMICFailures);
3187	if (os_snprintf_error(buflen - len, ret))
3188		return len;
3189	len += ret;
3190
3191	/* Private MIB */
3192	ret = os_snprintf(buf + len, buflen - len,
3193			  "hostapdWPAPTKState=%d\n"
3194			  "hostapdWPAPTKGroupState=%d\n",
3195			  sm->wpa_ptk_state,
3196			  sm->wpa_ptk_group_state);
3197	if (os_snprintf_error(buflen - len, ret))
3198		return len;
3199	len += ret;
3200
3201	return len;
3202}
3203
3204
3205void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3206{
3207	if (wpa_auth)
3208		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3209}
3210
3211
3212int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3213{
3214	return sm && sm->pairwise_set;
3215}
3216
3217
3218int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3219{
3220	return sm->pairwise;
3221}
3222
3223
3224int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3225{
3226	if (sm == NULL)
3227		return -1;
3228	return sm->wpa_key_mgmt;
3229}
3230
3231
3232int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3233{
3234	if (sm == NULL)
3235		return 0;
3236	return sm->wpa;
3237}
3238
3239
3240int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3241			     struct rsn_pmksa_cache_entry *entry)
3242{
3243	if (sm == NULL || sm->pmksa != entry)
3244		return -1;
3245	sm->pmksa = NULL;
3246	return 0;
3247}
3248
3249
3250struct rsn_pmksa_cache_entry *
3251wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3252{
3253	return sm ? sm->pmksa : NULL;
3254}
3255
3256
3257void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3258{
3259	if (sm)
3260		sm->dot11RSNAStatsTKIPLocalMICFailures++;
3261}
3262
3263
3264const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3265{
3266	if (wpa_auth == NULL)
3267		return NULL;
3268	*len = wpa_auth->wpa_ie_len;
3269	return wpa_auth->wpa_ie;
3270}
3271
3272
3273int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
3274		       unsigned int pmk_len,
3275		       int session_timeout, struct eapol_state_machine *eapol)
3276{
3277	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3278	    sm->wpa_auth->conf.disable_pmksa_caching)
3279		return -1;
3280
3281	if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
3282		if (pmk_len > PMK_LEN_SUITE_B_192)
3283			pmk_len = PMK_LEN_SUITE_B_192;
3284	} else if (pmk_len > PMK_LEN) {
3285		pmk_len = PMK_LEN;
3286	}
3287
3288	if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len,
3289				 sm->PTK.kck, sm->PTK.kck_len,
3290				 sm->wpa_auth->addr, sm->addr, session_timeout,
3291				 eapol, sm->wpa_key_mgmt))
3292		return 0;
3293
3294	return -1;
3295}
3296
3297
3298int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
3299			       const u8 *pmk, size_t len, const u8 *sta_addr,
3300			       int session_timeout,
3301			       struct eapol_state_machine *eapol)
3302{
3303	if (wpa_auth == NULL)
3304		return -1;
3305
3306	if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len,
3307				 NULL, 0,
3308				 wpa_auth->addr,
3309				 sta_addr, session_timeout, eapol,
3310				 WPA_KEY_MGMT_IEEE8021X))
3311		return 0;
3312
3313	return -1;
3314}
3315
3316
3317int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
3318			   const u8 *pmk)
3319{
3320	if (wpa_auth->conf.disable_pmksa_caching)
3321		return -1;
3322
3323	if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN,
3324				 NULL, 0,
3325				 wpa_auth->addr, addr, 0, NULL,
3326				 WPA_KEY_MGMT_SAE))
3327		return 0;
3328
3329	return -1;
3330}
3331
3332
3333void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
3334			   const u8 *sta_addr)
3335{
3336	struct rsn_pmksa_cache_entry *pmksa;
3337
3338	if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
3339		return;
3340	pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
3341	if (pmksa) {
3342		wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
3343			   MACSTR " based on request", MAC2STR(sta_addr));
3344		pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
3345	}
3346}
3347
3348
3349/*
3350 * Remove and free the group from wpa_authenticator. This is triggered by a
3351 * callback to make sure nobody is currently iterating the group list while it
3352 * gets modified.
3353 */
3354static void wpa_group_free(struct wpa_authenticator *wpa_auth,
3355			   struct wpa_group *group)
3356{
3357	struct wpa_group *prev = wpa_auth->group;
3358
3359	wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
3360		   group->vlan_id);
3361
3362	while (prev) {
3363		if (prev->next == group) {
3364			/* This never frees the special first group as needed */
3365			prev->next = group->next;
3366			os_free(group);
3367			break;
3368		}
3369		prev = prev->next;
3370	}
3371
3372}
3373
3374
3375/* Increase the reference counter for group */
3376static void wpa_group_get(struct wpa_authenticator *wpa_auth,
3377			  struct wpa_group *group)
3378{
3379	/* Skip the special first group */
3380	if (wpa_auth->group == group)
3381		return;
3382
3383	group->references++;
3384}
3385
3386
3387/* Decrease the reference counter and maybe free the group */
3388static void wpa_group_put(struct wpa_authenticator *wpa_auth,
3389			  struct wpa_group *group)
3390{
3391	/* Skip the special first group */
3392	if (wpa_auth->group == group)
3393		return;
3394
3395	group->references--;
3396	if (group->references)
3397		return;
3398	wpa_group_free(wpa_auth, group);
3399}
3400
3401
3402/*
3403 * Add a group that has its references counter set to zero. Caller needs to
3404 * call wpa_group_get() on the return value to mark the entry in use.
3405 */
3406static struct wpa_group *
3407wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3408{
3409	struct wpa_group *group;
3410
3411	if (wpa_auth == NULL || wpa_auth->group == NULL)
3412		return NULL;
3413
3414	wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
3415		   vlan_id);
3416	group = wpa_group_init(wpa_auth, vlan_id, 0);
3417	if (group == NULL)
3418		return NULL;
3419
3420	group->next = wpa_auth->group->next;
3421	wpa_auth->group->next = group;
3422
3423	return group;
3424}
3425
3426
3427/*
3428 * Enforce that the group state machine for the VLAN is running, increase
3429 * reference counter as interface is up. References might have been increased
3430 * even if a negative value is returned.
3431 * Returns: -1 on error (group missing, group already failed); otherwise, 0
3432 */
3433int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3434{
3435	struct wpa_group *group;
3436
3437	if (wpa_auth == NULL)
3438		return 0;
3439
3440	group = wpa_auth->group;
3441	while (group) {
3442		if (group->vlan_id == vlan_id)
3443			break;
3444		group = group->next;
3445	}
3446
3447	if (group == NULL) {
3448		group = wpa_auth_add_group(wpa_auth, vlan_id);
3449		if (group == NULL)
3450			return -1;
3451	}
3452
3453	wpa_printf(MSG_DEBUG,
3454		   "WPA: Ensure group state machine running for VLAN ID %d",
3455		   vlan_id);
3456
3457	wpa_group_get(wpa_auth, group);
3458	group->num_setup_iface++;
3459
3460	if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
3461		return -1;
3462
3463	return 0;
3464}
3465
3466
3467/*
3468 * Decrease reference counter, expected to be zero afterwards.
3469 * returns: -1 on error (group not found, group in fail state)
3470 *          -2 if wpa_group is still referenced
3471 *           0 else
3472 */
3473int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3474{
3475	struct wpa_group *group;
3476	int ret = 0;
3477
3478	if (wpa_auth == NULL)
3479		return 0;
3480
3481	group = wpa_auth->group;
3482	while (group) {
3483		if (group->vlan_id == vlan_id)
3484			break;
3485		group = group->next;
3486	}
3487
3488	if (group == NULL)
3489		return -1;
3490
3491	wpa_printf(MSG_DEBUG,
3492		   "WPA: Try stopping group state machine for VLAN ID %d",
3493		   vlan_id);
3494
3495	if (group->num_setup_iface <= 0) {
3496		wpa_printf(MSG_ERROR,
3497			   "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
3498			   vlan_id);
3499		return -1;
3500	}
3501	group->num_setup_iface--;
3502
3503	if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
3504		ret = -1;
3505
3506	if (group->references > 1) {
3507		wpa_printf(MSG_DEBUG,
3508			   "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
3509			   vlan_id);
3510		ret = -2;
3511	}
3512
3513	wpa_group_put(wpa_auth, group);
3514
3515	return ret;
3516}
3517
3518
3519int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
3520{
3521	struct wpa_group *group;
3522
3523	if (sm == NULL || sm->wpa_auth == NULL)
3524		return 0;
3525
3526	group = sm->wpa_auth->group;
3527	while (group) {
3528		if (group->vlan_id == vlan_id)
3529			break;
3530		group = group->next;
3531	}
3532
3533	if (group == NULL) {
3534		group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
3535		if (group == NULL)
3536			return -1;
3537	}
3538
3539	if (sm->group == group)
3540		return 0;
3541
3542	if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
3543		return -1;
3544
3545	wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
3546		   "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
3547
3548	wpa_group_get(sm->wpa_auth, group);
3549	wpa_group_put(sm->wpa_auth, sm->group);
3550	sm->group = group;
3551
3552	return 0;
3553}
3554
3555
3556void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
3557				  struct wpa_state_machine *sm, int ack)
3558{
3559	if (wpa_auth == NULL || sm == NULL)
3560		return;
3561	wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
3562		   " ack=%d", MAC2STR(sm->addr), ack);
3563	if (sm->pending_1_of_4_timeout && ack) {
3564		/*
3565		 * Some deployed supplicant implementations update their SNonce
3566		 * for each EAPOL-Key 2/4 message even within the same 4-way
3567		 * handshake and then fail to use the first SNonce when
3568		 * deriving the PTK. This results in unsuccessful 4-way
3569		 * handshake whenever the relatively short initial timeout is
3570		 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
3571		 * around this by increasing the timeout now that we know that
3572		 * the station has received the frame.
3573		 */
3574		int timeout_ms = eapol_key_timeout_subseq;
3575		wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
3576			   "timeout by %u ms because of acknowledged frame",
3577			   timeout_ms);
3578		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
3579		eloop_register_timeout(timeout_ms / 1000,
3580				       (timeout_ms % 1000) * 1000,
3581				       wpa_send_eapol_timeout, wpa_auth, sm);
3582	}
3583}
3584
3585
3586int wpa_auth_uses_sae(struct wpa_state_machine *sm)
3587{
3588	if (sm == NULL)
3589		return 0;
3590	return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
3591}
3592
3593
3594int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
3595{
3596	if (sm == NULL)
3597		return 0;
3598	return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
3599}
3600
3601
3602#ifdef CONFIG_P2P
3603int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
3604{
3605	if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
3606		return -1;
3607	os_memcpy(addr, sm->ip_addr, 4);
3608	return 0;
3609}
3610#endif /* CONFIG_P2P */
3611
3612
3613int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
3614					 struct radius_das_attrs *attr)
3615{
3616	return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
3617}
3618
3619
3620void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
3621{
3622	struct wpa_group *group;
3623
3624	if (!wpa_auth)
3625		return;
3626	for (group = wpa_auth->group; group; group = group->next)
3627		wpa_group_config_group_keys(wpa_auth, group);
3628}
3629