]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add definitions for new cipher suites from IEEE Std 802.11ac-2013
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
94ddef3e 3 * Copyright (c) 2004-2013, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
81f4f619 14#include "common/ieee802_11_defs.h"
03da66bd
JM		 15#include "crypto/aes_wrap.h"
16#include "crypto/crypto.h"
17#include "crypto/sha1.h"
18#include "crypto/sha256.h"
3642c431 19#include "crypto/random.h"
281c950b 20#include "eapol_auth/eapol_auth_sm.h"
6226e38d 21#include "ap_config.h"
6fc6879b 22#include "ieee802_11.h"
6226e38d
JM		 23#include "wpa_auth.h"
24#include "pmksa_cache_auth.h"
6fc6879b
JM		 25#include "wpa_auth_i.h"
26#include "wpa_auth_ie.h"
27
28#define STATE_MACHINE_DATA struct wpa_state_machine
29#define STATE_MACHINE_DEBUG_PREFIX "WPA"
30#define STATE_MACHINE_ADDR sm->addr
31
32
33static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 34static int wpa_sm_step(struct wpa_state_machine *sm);
6fc6879b
JM		 35static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len);
36static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
37static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
38 struct wpa_group *group);
581a8cde 39static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 40static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
41 struct wpa_group *group);
1bdb7ab3
JM		 42static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
43 struct wpa_group *group);
6fc6879b 44
bae61562
JM		 45static const u32 dot11RSNAConfigGroupUpdateCount = 4;
46static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
47static const u32 eapol_key_timeout_first = 100; /* ms */
48static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 49static const u32 eapol_key_timeout_first_group = 500; /* ms */
6fc6879b
JM		 50
51/* TODO: make these configurable */
52static const int dot11RSNAConfigPMKLifetime = 43200;
53static const int dot11RSNAConfigPMKReauthThreshold = 70;
54static const int dot11RSNAConfigSATimeout = 60;
55
56
c772d054 57static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 58 struct wpa_authenticator *wpa_auth, const u8 *addr)
59{
60 if (wpa_auth->cb.mic_failure_report)
c772d054
JM		 61 return wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
62 return 0;
6fc6879b
JM		 63}
64
65
66static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
67 const u8 *addr, wpa_eapol_variable var,
68 int value)
69{
70 if (wpa_auth->cb.set_eapol)
71 wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
72}
73
74
75static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
76 const u8 *addr, wpa_eapol_variable var)
77{
78 if (wpa_auth->cb.get_eapol == NULL)
79 return -1;
80 return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
81}
82
83
84static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 85 const u8 *addr,
86 const u8 *p2p_dev_addr,
87 const u8 *prev_psk)
6fc6879b
JM		 88{
89 if (wpa_auth->cb.get_psk == NULL)
90 return NULL;
759fd76b
JM		 91 return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, p2p_dev_addr,
92 prev_psk);
6fc6879b
JM		 93}
94
95
96static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
97 const u8 *addr, u8 *msk, size_t *len)
98{
99 if (wpa_auth->cb.get_msk == NULL)
100 return -1;
101 return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
102}
103
104
105static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
106 int vlan_id,
71934751 107 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 108 u8 *key, size_t key_len)
109{
110 if (wpa_auth->cb.set_key == NULL)
111 return -1;
112 return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
113 key, key_len);
114}
115
116
117static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
118 const u8 *addr, int idx, u8 *seq)
119{
120 if (wpa_auth->cb.get_seqnum == NULL)
121 return -1;
122 return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
123}
124
125
6fc6879b
JM		 126static inline int
127wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
128 const u8 *data, size_t data_len, int encrypt)
129{
130 if (wpa_auth->cb.send_eapol == NULL)
131 return -1;
132 return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
133 encrypt);
134}
135
136
137int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
138 int (*cb)(struct wpa_state_machine *sm, void *ctx),
139 void *cb_ctx)
140{
141 if (wpa_auth->cb.for_each_sta == NULL)
142 return 0;
143 return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
144}
145
146
bf98f7f3
JM		 147int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
148 int (*cb)(struct wpa_authenticator *a, void *ctx),
149 void *cb_ctx)
150{
151 if (wpa_auth->cb.for_each_auth == NULL)
152 return 0;
153 return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
154}
155
156
6fc6879b
JM		 157void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
158 logger_level level, const char *txt)
159{
160 if (wpa_auth->cb.logger == NULL)
161 return;
162 wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
163}
164
165
166void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
167 logger_level level, const char *fmt, ...)
168{
169 char *format;
170 int maxlen;
171 va_list ap;
172
173 if (wpa_auth->cb.logger == NULL)
174 return;
175
176 maxlen = os_strlen(fmt) + 100;
177 format = os_malloc(maxlen);
178 if (!format)
179 return;
180
181 va_start(ap, fmt);
182 vsnprintf(format, maxlen, fmt, ap);
183 va_end(ap);
184
185 wpa_auth_logger(wpa_auth, addr, level, format);
186
187 os_free(format);
188}
189
190
191static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
192 const u8 *addr)
193{
194 if (wpa_auth->cb.disconnect == NULL)
195 return;
afcc9ea1 196 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
6fc6879b
JM		 197 wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
198 WLAN_REASON_PREV_AUTH_NOT_VALID);
199}
200
201
202static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
203{
56586197 204 int ret = 0;
6fc6879b 205#ifdef CONFIG_IEEE80211R
56586197
JM		 206 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
207 ret = 1;
6fc6879b 208#endif /* CONFIG_IEEE80211R */
56586197
JM		 209#ifdef CONFIG_IEEE80211W
210 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
211 ret = 1;
212#endif /* CONFIG_IEEE80211W */
213 return ret;
6fc6879b
JM		 214}
215
216
217static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
218{
219 struct wpa_authenticator *wpa_auth = eloop_ctx;
220
3642c431 221 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 222 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
223 "initialization.");
224 } else {
225 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 226 wpa_hexdump_key(MSG_DEBUG, "GMK",
227 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 228 }
229
230 if (wpa_auth->conf.wpa_gmk_rekey) {
231 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
232 wpa_rekey_gmk, wpa_auth, NULL);
233 }
234}
235
236
237static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
238{
239 struct wpa_authenticator *wpa_auth = eloop_ctx;
240 struct wpa_group *group;
241
242 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
243 for (group = wpa_auth->group; group; group = group->next) {
244 group->GTKReKey = TRUE;
245 do {
246 group->changed = FALSE;
247 wpa_group_sm_step(wpa_auth, group);
248 } while (group->changed);
249 }
250
251 if (wpa_auth->conf.wpa_group_rekey) {
252 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
253 0, wpa_rekey_gtk, wpa_auth, NULL);
254 }
255}
256
257
581a8cde
JM		 258static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
259{
260 struct wpa_authenticator *wpa_auth = eloop_ctx;
261 struct wpa_state_machine *sm = timeout_ctx;
262
263 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
264 wpa_request_new_ptk(sm);
265 wpa_sm_step(sm);
266}
267
268
6fc6879b
JM		 269static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
270{
271 if (sm->pmksa == ctx)
272 sm->pmksa = NULL;
273 return 0;
274}
275
276
277static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
278 void *ctx)
279{
280 struct wpa_authenticator *wpa_auth = ctx;
281 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
282}
283
284
1bdb7ab3
JM		 285static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
286 struct wpa_group *group)
287{
559cdabb 288 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 289 u8 rkey[32];
559cdabb 290 unsigned long ptr;
1bdb7ab3 291
3642c431 292 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 293 return -1;
294 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
295
296 /*
297 * Counter = PRF-256(Random number, "Init Counter",
298 * Local MAC Address || Time)
299 */
300 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
301 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 302 ptr = (unsigned long) group;
303 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
3642c431 304 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 305 return -1;
306
307 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
308 group->Counter, WPA_NONCE_LEN) < 0)
309 return -1;
310 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
311 group->Counter, WPA_NONCE_LEN);
312
313 return 0;
314}
315
316
e6965d4e 317static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 318 int vlan_id, int delay_init)
e6965d4e
JM		 319{
320 struct wpa_group *group;
e6965d4e
JM		 321
322 group = os_zalloc(sizeof(struct wpa_group));
323 if (group == NULL)
324 return NULL;
325
326 group->GTKAuthenticator = TRUE;
327 group->vlan_id = vlan_id;
c3550295 328 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 329
08704cd8
JM		 330 if (random_pool_ready() != 1) {
331 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
332 "for secure operations - update keys later when "
333 "the first station connects");
334 }
335
1bdb7ab3
JM		 336 /*
337 * Set initial GMK/Counter value here. The actual values that will be
338 * used in negotiations will be set once the first station tries to
339 * connect. This allows more time for collecting additional randomness
340 * on embedded devices.
6fc6879b 341 */
1bdb7ab3 342 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 343 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
344 "initialization.");
345 os_free(group);
346 return NULL;
347 }
6fc6879b
JM		 348
349 group->GInit = TRUE;
bdffdc5d
JM		 350 if (delay_init) {
351 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
352 "until Beacon frames have been configured");
353 /* Initialization is completed in wpa_init_keys(). */
354 } else {
355 wpa_group_sm_step(wpa_auth, group);
356 group->GInit = FALSE;
357 wpa_group_sm_step(wpa_auth, group);
358 }
6fc6879b
JM		 359
360 return group;
361}
362
363
364/**
365 * wpa_init - Initialize WPA authenticator
366 * @addr: Authenticator address
367 * @conf: Configuration for WPA authenticator
a17df5fb 368 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 369 * Returns: Pointer to WPA authenticator data or %NULL on failure
370 */
371struct wpa_authenticator * wpa_init(const u8 *addr,
372 struct wpa_auth_config *conf,
373 struct wpa_auth_callbacks *cb)
374{
375 struct wpa_authenticator *wpa_auth;
376
377 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
378 if (wpa_auth == NULL)
379 return NULL;
380 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
381 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
382 os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
383
384 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
385 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
386 os_free(wpa_auth);
387 return NULL;
388 }
389
bdffdc5d 390 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 391 if (wpa_auth->group == NULL) {
392 os_free(wpa_auth->wpa_ie);
393 os_free(wpa_auth);
394 return NULL;
395 }
396
4bb081f1
JM		 397 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
398 wpa_auth);
6fc6879b
JM		 399 if (wpa_auth->pmksa == NULL) {
400 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
401 os_free(wpa_auth->wpa_ie);
402 os_free(wpa_auth);
403 return NULL;
404 }
405
406#ifdef CONFIG_IEEE80211R
407 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
408 if (wpa_auth->ft_pmk_cache == NULL) {
409 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
410 os_free(wpa_auth->wpa_ie);
4bb081f1 411 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 412 os_free(wpa_auth);
413 return NULL;
414 }
415#endif /* CONFIG_IEEE80211R */
416
417 if (wpa_auth->conf.wpa_gmk_rekey) {
418 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
419 wpa_rekey_gmk, wpa_auth, NULL);
420 }
421
422 if (wpa_auth->conf.wpa_group_rekey) {
423 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
424 wpa_rekey_gtk, wpa_auth, NULL);
425 }
426
427 return wpa_auth;
428}
429
430
bdffdc5d
JM		 431int wpa_init_keys(struct wpa_authenticator *wpa_auth)
432{
433 struct wpa_group *group = wpa_auth->group;
434
435 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
436 "keys");
437 wpa_group_sm_step(wpa_auth, group);
438 group->GInit = FALSE;
439 wpa_group_sm_step(wpa_auth, group);
440 return 0;
441}
442
443
6fc6879b
JM		 444/**
445 * wpa_deinit - Deinitialize WPA authenticator
446 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
447 */
448void wpa_deinit(struct wpa_authenticator *wpa_auth)
449{
450 struct wpa_group *group, *prev;
451
452 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
453 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
454
455#ifdef CONFIG_PEERKEY
456 while (wpa_auth->stsl_negotiations)
457 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
458#endif /* CONFIG_PEERKEY */
459
4bb081f1 460 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 461
462#ifdef CONFIG_IEEE80211R
463 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
464 wpa_auth->ft_pmk_cache = NULL;
465#endif /* CONFIG_IEEE80211R */
466
467 os_free(wpa_auth->wpa_ie);
468
469 group = wpa_auth->group;
470 while (group) {
471 prev = group;
472 group = group->next;
473 os_free(prev);
474 }
475
476 os_free(wpa_auth);
477}
478
479
480/**
481 * wpa_reconfig - Update WPA authenticator configuration
482 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
483 * @conf: Configuration for WPA authenticator
484 */
485int wpa_reconfig(struct wpa_authenticator *wpa_auth,
486 struct wpa_auth_config *conf)
487{
e6965d4e 488 struct wpa_group *group;
6fc6879b
JM		 489 if (wpa_auth == NULL)
490 return 0;
491
492 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 493 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
494 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
495 return -1;
496 }
497
e6965d4e
JM		 498 /*
499 * Reinitialize GTK to make sure it is suitable for the new
500 * configuration.
501 */
502 group = wpa_auth->group;
c3550295 503 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 504 group->GInit = TRUE;
505 wpa_group_sm_step(wpa_auth, group);
506 group->GInit = FALSE;
507 wpa_group_sm_step(wpa_auth, group);
508
6fc6879b
JM		 509 return 0;
510}
511
512
513struct wpa_state_machine *
94ddef3e
JM		 514wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
515 const u8 *p2p_dev_addr)
6fc6879b
JM		 516{
517 struct wpa_state_machine *sm;
518
519 sm = os_zalloc(sizeof(struct wpa_state_machine));
520 if (sm == NULL)
521 return NULL;
522 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 523 if (p2p_dev_addr)
524 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 525
526 sm->wpa_auth = wpa_auth;
527 sm->group = wpa_auth->group;
528
529 return sm;
530}
531
532
6f9b5d16
JM		 533int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
534 struct wpa_state_machine *sm)
6fc6879b
JM		 535{
536 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 537 return -1;
6fc6879b
JM		 538
539#ifdef CONFIG_IEEE80211R
540 if (sm->ft_completed) {
541 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
542 "FT authentication already completed - do not "
543 "start 4-way handshake");
6f9b5d16 544 return 0;
6fc6879b
JM		 545 }
546#endif /* CONFIG_IEEE80211R */
547
548 if (sm->started) {
22a299ee 549 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 550 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 551 return wpa_sm_step(sm);
6fc6879b
JM		 552 }
553
554 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
555 "start authentication");
556 sm->started = 1;
557
558 sm->Init = TRUE;
e4a6ea1d 559 if (wpa_sm_step(sm) == 1)
6f9b5d16 560 return 1; /* should not really happen */
6fc6879b
JM		 561 sm->Init = FALSE;
562 sm->AuthenticationRequest = TRUE;
6f9b5d16 563 return wpa_sm_step(sm);
6fc6879b
JM		 564}
565
566
a8d05fca
JM		 567void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
568{
569 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
570 * reassociates back to the same AP while the previous entry for the
571 * STA has not yet been removed. */
572 if (sm == NULL)
573 return;
574
575 sm->wpa_key_mgmt = 0;
576}
577
578
6fc6879b
JM		 579static void wpa_free_sta_sm(struct wpa_state_machine *sm)
580{
2ade8ef2
JM		 581 if (sm->GUpdateStationKeys) {
582 sm->group->GKeyDoneStations--;
583 sm->GUpdateStationKeys = FALSE;
584 }
0f857f43
JM		 585#ifdef CONFIG_IEEE80211R
586 os_free(sm->assoc_resp_ftie);
587#endif /* CONFIG_IEEE80211R */
6fc6879b
JM		 588 os_free(sm->last_rx_eapol_key);
589 os_free(sm->wpa_ie);
590 os_free(sm);
591}
592
593
594void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
595{
596 if (sm == NULL)
597 return;
598
599 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
600 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
601 "strict rekeying - force GTK rekey since STA "
602 "is leaving");
603 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
604 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
605 NULL);
606 }
607
608 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 609 sm->pending_1_of_4_timeout = 0;
6fc6879b 610 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 611 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 612 if (sm->in_step_loop) {
613 /* Must not free state machine while wpa_sm_step() is running.
614 * Freeing will be completed in the end of wpa_sm_step(). */
615 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
616 "machine deinit for " MACSTR, MAC2STR(sm->addr));
617 sm->pending_deinit = 1;
618 } else
619 wpa_free_sta_sm(sm);
620}
621
622
623static void wpa_request_new_ptk(struct wpa_state_machine *sm)
624{
625 if (sm == NULL)
626 return;
627
628 sm->PTKRequest = TRUE;
629 sm->PTK_valid = 0;
630}
631
632
68921e24 633static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 634 const u8 *replay_counter)
635{
636 int i;
637 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 638 if (!ctr[i].valid)
22a299ee 639 break;
68921e24 640 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 641 WPA_REPLAY_COUNTER_LEN) == 0)
642 return 1;
643 }
644 return 0;
645}
646
647
68921e24
JM		 648static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
649 const u8 *replay_counter)
650{
651 int i;
652 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
653 if (ctr[i].valid &&
654 (replay_counter == NULL ||
655 os_memcmp(replay_counter, ctr[i].counter,
656 WPA_REPLAY_COUNTER_LEN) == 0))
657 ctr[i].valid = FALSE;
658 }
659}
660
661
0f857f43
JM		 662#ifdef CONFIG_IEEE80211R
663static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
664 struct wpa_state_machine *sm,
665 struct wpa_eapol_ie_parse *kde)
666{
667 struct wpa_ie_data ie;
668 struct rsn_mdie *mdie;
669
670 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
671 ie.num_pmkid != 1 || ie.pmkid == NULL) {
672 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
673 "FT 4-way handshake message 2/4");
674 return -1;
675 }
676
677 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
678 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
679 sm->sup_pmk_r1_name, PMKID_LEN);
680
681 if (!kde->mdie || !kde->ftie) {
682 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
683 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
684 return -1;
685 }
686
687 mdie = (struct rsn_mdie *) (kde->mdie + 2);
688 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
689 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
690 MOBILITY_DOMAIN_ID_LEN) != 0) {
691 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
692 return -1;
693 }
694
695 if (sm->assoc_resp_ftie &&
696 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
697 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
698 2 + sm->assoc_resp_ftie[1]) != 0)) {
699 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
700 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
701 kde->ftie, kde->ftie_len);
702 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
703 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
704 return -1;
705 }
706
707 return 0;
708}
709#endif /* CONFIG_IEEE80211R */
710
711
c772d054
JM		 712static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
713 struct wpa_state_machine *sm, int group)
ec027805
JM		 714{
715 /* Supplicant reported a Michael MIC error */
716 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
717 "received EAPOL-Key Error Request "
718 "(STA detected Michael MIC failure (group=%d))",
719 group);
fbc72d32
JM		 720
721 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
722 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
723 "ignore Michael MIC failure report since "
724 "group cipher is not TKIP");
725 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
726 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
727 "ignore Michael MIC failure report since "
728 "pairwise cipher is not TKIP");
729 } else {
c772d054
JM		 730 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
731 return 1; /* STA entry was removed */
fbc72d32
JM		 732 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
733 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
734 }
ec027805
JM		 735
736 /*
737 * Error report is not a request for a new key handshake, but since
738 * Authenticator may do it, let's change the keys now anyway.
739 */
740 wpa_request_new_ptk(sm);
c772d054 741 return 0;
ec027805
JM		 742}
743
744
6fc6879b
JM		 745void wpa_receive(struct wpa_authenticator *wpa_auth,
746 struct wpa_state_machine *sm,
747 u8 *data, size_t data_len)
748{
749 struct ieee802_1x_hdr *hdr;
750 struct wpa_eapol_key *key;
751 u16 key_info, key_data_length;
752 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
753 SMK_M1, SMK_M3, SMK_ERROR } msg;
754 char *msgtxt;
755 struct wpa_eapol_ie_parse kde;
26e23750 756 int ft;
1566ec46
JM		 757 const u8 *eapol_key_ie;
758 size_t eapol_key_ie_len;
6fc6879b
JM		 759
760 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
761 return;
762
763 if (data_len < sizeof(*hdr) + sizeof(*key))
764 return;
765
766 hdr = (struct ieee802_1x_hdr *) data;
767 key = (struct wpa_eapol_key *) (hdr + 1);
768 key_info = WPA_GET_BE16(key->key_info);
769 key_data_length = WPA_GET_BE16(key->key_data_length);
0d442aff
JM		 770 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
771 " key_info=0x%x type=%u key_data_length=%u",
772 MAC2STR(sm->addr), key_info, key->type, key_data_length);
6fc6879b
JM		 773 if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
774 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
775 "key_data overflow (%d > %lu)",
776 key_data_length,
777 (unsigned long) (data_len - sizeof(*hdr) -
778 sizeof(*key)));
779 return;
780 }
781
f8e96eb6 782 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 783 if (key->type == EAPOL_KEY_TYPE_WPA) {
784 /*
785 * Some deployed station implementations seem to send
786 * msg 4/4 with incorrect type value in WPA2 mode.
787 */
788 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
789 "with unexpected WPA type in RSN mode");
790 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 791 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
792 "unexpected type %d in RSN mode",
793 key->type);
794 return;
795 }
796 } else {
797 if (key->type != EAPOL_KEY_TYPE_WPA) {
798 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
799 "unexpected type %d in WPA mode",
800 key->type);
801 return;
802 }
803 }
804
bc8318ac
JM		 805 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
806 WPA_NONCE_LEN);
807 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
808 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
809
6fc6879b
JM		 810 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
811 * are set */
812
813 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
814 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
815 if (key_info & WPA_KEY_INFO_ERROR) {
816 msg = SMK_ERROR;
817 msgtxt = "SMK Error";
818 } else {
819 msg = SMK_M1;
820 msgtxt = "SMK M1";
821 }
822 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
823 msg = SMK_M3;
824 msgtxt = "SMK M3";
825 } else if (key_info & WPA_KEY_INFO_REQUEST) {
826 msg = REQUEST;
827 msgtxt = "Request";
828 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
829 msg = GROUP_2;
830 msgtxt = "2/2 Group";
831 } else if (key_data_length == 0) {
832 msg = PAIRWISE_4;
833 msgtxt = "4/4 Pairwise";
834 } else {
835 msg = PAIRWISE_2;
836 msgtxt = "2/4 Pairwise";
837 }
838
839 /* TODO: key_info type validation for PeerKey */
840 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
841 msg == GROUP_2) {
842 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 843 if (sm->pairwise == WPA_CIPHER_CCMP ||
844 sm->pairwise == WPA_CIPHER_GCMP) {
6fc6879b
JM		 845 if (wpa_use_aes_cmac(sm) &&
846 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
847 wpa_auth_logger(wpa_auth, sm->addr,
848 LOGGER_WARNING,
849 "advertised support for "
850 "AES-128-CMAC, but did not "
851 "use it");
852 return;
853 }
854
855 if (!wpa_use_aes_cmac(sm) &&
856 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
857 wpa_auth_logger(wpa_auth, sm->addr,
858 LOGGER_WARNING,
859 "did not use HMAC-SHA1-AES "
eb7719ff 860 "with CCMP/GCMP");
6fc6879b
JM		 861 return;
862 }
863 }
864 }
865
866 if (key_info & WPA_KEY_INFO_REQUEST) {
867 if (sm->req_replay_counter_used &&
868 os_memcmp(key->replay_counter, sm->req_replay_counter,
869 WPA_REPLAY_COUNTER_LEN) <= 0) {
870 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
871 "received EAPOL-Key request with "
872 "replayed counter");
873 return;
874 }
875 }
876
877 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 878 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 879 int i;
68921e24
JM		 880
881 if (msg == PAIRWISE_2 &&
882 wpa_replay_counter_valid(sm->prev_key_replay,
883 key->replay_counter) &&
884 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
885 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
886 {
887 /*
888 * Some supplicant implementations (e.g., Windows XP
889 * WZC) update SNonce for each EAPOL-Key 2/4. This
890 * breaks the workaround on accepting any of the
891 * pending requests, so allow the SNonce to be updated
892 * even if we have already sent out EAPOL-Key 3/4.
893 */
894 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
895 "Process SNonce update from STA "
896 "based on retransmitted EAPOL-Key "
897 "1/4");
898 sm->update_snonce = 1;
899 wpa_replay_counter_mark_invalid(sm->prev_key_replay,
900 key->replay_counter);
901 goto continue_processing;
902 }
903
904 if (msg == PAIRWISE_2 &&
905 wpa_replay_counter_valid(sm->prev_key_replay,
906 key->replay_counter) &&
907 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
908 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
909 "ignore retransmitted EAPOL-Key %s - "
910 "SNonce did not change", msgtxt);
911 } else {
912 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
913 "received EAPOL-Key %s with "
914 "unexpected replay counter", msgtxt);
915 }
22a299ee
JM		 916 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
917 if (!sm->key_replay[i].valid)
918 break;
919 wpa_hexdump(MSG_DEBUG, "pending replay counter",
920 sm->key_replay[i].counter,
921 WPA_REPLAY_COUNTER_LEN);
922 }
6fc6879b
JM		 923 wpa_hexdump(MSG_DEBUG, "received replay counter",
924 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
925 return;
926 }
927
68921e24 928continue_processing:
6fc6879b
JM		 929 switch (msg) {
930 case PAIRWISE_2:
931 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 932 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
933 (!sm->update_snonce ||
934 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 935 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
936 "received EAPOL-Key msg 2/4 in "
937 "invalid state (%d) - dropped",
938 sm->wpa_ptk_state);
939 return;
940 }
bbb921da 941 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 942 if (sm->group->reject_4way_hs_for_entropy) {
943 /*
944 * The system did not have enough entropy to generate
945 * strong random numbers. Reject the first 4-way
946 * handshake(s) and collect some entropy based on the
947 * information from it. Once enough entropy is
948 * available, the next atempt will trigger GMK/Key
949 * Counter update and the station will be allowed to
950 * continue.
951 */
952 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
953 "collect more entropy for random number "
954 "generation");
08704cd8 955 random_mark_pool_ready();
08704cd8
JM		 956 wpa_sta_disconnect(wpa_auth, sm->addr);
957 return;
958 }
1566ec46
JM		 959 if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length,
960 &kde) < 0) {
961 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
962 "received EAPOL-Key msg 2/4 with "
963 "invalid Key Data contents");
964 return;
965 }
966 if (kde.rsn_ie) {
967 eapol_key_ie = kde.rsn_ie;
968 eapol_key_ie_len = kde.rsn_ie_len;
969 } else {
970 eapol_key_ie = kde.wpa_ie;
971 eapol_key_ie_len = kde.wpa_ie_len;
972 }
26e23750
JM		 973 ft = sm->wpa == WPA_VERSION_WPA2 &&
974 wpa_key_mgmt_ft(sm->wpa_key_mgmt);
6fc6879b 975 if (sm->wpa_ie == NULL ||
26e23750
JM		 976 wpa_compare_rsn_ie(ft,
977 sm->wpa_ie, sm->wpa_ie_len,
1566ec46 978 eapol_key_ie, eapol_key_ie_len)) {
6fc6879b
JM		 979 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
980 "WPA IE from (Re)AssocReq did not "
981 "match with msg 2/4");
982 if (sm->wpa_ie) {
983 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
984 sm->wpa_ie, sm->wpa_ie_len);
985 }
986 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
1566ec46 987 eapol_key_ie, eapol_key_ie_len);
6fc6879b
JM		 988 /* MLME-DEAUTHENTICATE.request */
989 wpa_sta_disconnect(wpa_auth, sm->addr);
990 return;
991 }
26e23750 992#ifdef CONFIG_IEEE80211R
0f857f43
JM		 993 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
994 wpa_sta_disconnect(wpa_auth, sm->addr);
995 return;
26e23750
JM		 996 }
997#endif /* CONFIG_IEEE80211R */
6fc6879b
JM		 998 break;
999 case PAIRWISE_4:
1000 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1001 !sm->PTK_valid) {
1002 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1003 "received EAPOL-Key msg 4/4 in "
1004 "invalid state (%d) - dropped",
1005 sm->wpa_ptk_state);
1006 return;
1007 }
1008 break;
1009 case GROUP_2:
1010 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1011 || !sm->PTK_valid) {
1012 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1013 "received EAPOL-Key msg 2/2 in "
1014 "invalid state (%d) - dropped",
1015 sm->wpa_ptk_group_state);
1016 return;
1017 }
1018 break;
1019#ifdef CONFIG_PEERKEY
1020 case SMK_M1:
1021 case SMK_M3:
1022 case SMK_ERROR:
1023 if (!wpa_auth->conf.peerkey) {
1024 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1025 "PeerKey use disabled - ignoring message");
1026 return;
1027 }
1028 if (!sm->PTK_valid) {
1029 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1030 "received EAPOL-Key msg SMK in "
1031 "invalid state - dropped");
1032 return;
1033 }
1034 break;
1035#else /* CONFIG_PEERKEY */
1036 case SMK_M1:
1037 case SMK_M3:
1038 case SMK_ERROR:
1039 return; /* STSL disabled - ignore SMK messages */
1040#endif /* CONFIG_PEERKEY */
1041 case REQUEST:
1042 break;
1043 }
1044
1045 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1046 "received EAPOL-Key frame (%s)", msgtxt);
1047
1048 if (key_info & WPA_KEY_INFO_ACK) {
1049 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1050 "received invalid EAPOL-Key: Key Ack set");
1051 return;
1052 }
1053
1054 if (!(key_info & WPA_KEY_INFO_MIC)) {
1055 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1056 "received invalid EAPOL-Key: Key MIC not set");
1057 return;
1058 }
1059
1060 sm->MICVerified = FALSE;
68921e24 1061 if (sm->PTK_valid && !sm->update_snonce) {
6fc6879b
JM		 1062 if (wpa_verify_key_mic(&sm->PTK, data, data_len)) {
1063 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1064 "received EAPOL-Key with invalid MIC");
1065 return;
1066 }
1067 sm->MICVerified = TRUE;
1068 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1069 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1070 }
1071
1072 if (key_info & WPA_KEY_INFO_REQUEST) {
1073 if (sm->MICVerified) {
1074 sm->req_replay_counter_used = 1;
1075 os_memcpy(sm->req_replay_counter, key->replay_counter,
1076 WPA_REPLAY_COUNTER_LEN);
1077 } else {
1078 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1079 "received EAPOL-Key request with "
1080 "invalid MIC");
1081 return;
1082 }
1083
1084 /*
1085 * TODO: should decrypt key data field if encryption was used;
1086 * even though MAC address KDE is not normally encrypted,
1087 * supplicant is allowed to encrypt it.
1088 */
1089 if (msg == SMK_ERROR) {
1090#ifdef CONFIG_PEERKEY
1091 wpa_smk_error(wpa_auth, sm, key);
1092#endif /* CONFIG_PEERKEY */
1093 return;
1094 } else if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1095 if (wpa_receive_error_report(
1096 wpa_auth, sm,
1097 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1098 return; /* STA entry was removed */
6fc6879b
JM		 1099 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1100 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1101 "received EAPOL-Key Request for new "
1102 "4-Way Handshake");
1103 wpa_request_new_ptk(sm);
1104#ifdef CONFIG_PEERKEY
1105 } else if (msg == SMK_M1) {
1106 wpa_smk_m1(wpa_auth, sm, key);
1107#endif /* CONFIG_PEERKEY */
1108 } else if (key_data_length > 0 &&
1109 wpa_parse_kde_ies((const u8 *) (key + 1),
1110 key_data_length, &kde) == 0 &&
1111 kde.mac_addr) {
1112 } else {
1113 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1114 "received EAPOL-Key Request for GTK "
1115 "rekeying");
6fc6879b
JM		 1116 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1117 wpa_rekey_gtk(wpa_auth, NULL);
1118 }
1119 } else {
68921e24
JM		 1120 /* Do not allow the same key replay counter to be reused. */
1121 wpa_replay_counter_mark_invalid(sm->key_replay,
1122 key->replay_counter);
1123
1124 if (msg == PAIRWISE_2) {
1125 /*
1126 * Maintain a copy of the pending EAPOL-Key frames in
1127 * case the EAPOL-Key frame was retransmitted. This is
1128 * needed to allow EAPOL-Key msg 2/4 reply to another
1129 * pending msg 1/4 to update the SNonce to work around
1130 * unexpected supplicant behavior.
1131 */
1132 os_memcpy(sm->prev_key_replay, sm->key_replay,
1133 sizeof(sm->key_replay));
1134 } else {
1135 os_memset(sm->prev_key_replay, 0,
1136 sizeof(sm->prev_key_replay));
1137 }
1138
1139 /*
1140 * Make sure old valid counters are not accepted anymore and
1141 * do not get copied again.
1142 */
1143 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1144 }
1145
1146#ifdef CONFIG_PEERKEY
1147 if (msg == SMK_M3) {
1148 wpa_smk_m3(wpa_auth, sm, key);
1149 return;
1150 }
1151#endif /* CONFIG_PEERKEY */
1152
1153 os_free(sm->last_rx_eapol_key);
1154 sm->last_rx_eapol_key = os_malloc(data_len);
1155 if (sm->last_rx_eapol_key == NULL)
1156 return;
1157 os_memcpy(sm->last_rx_eapol_key, data, data_len);
1158 sm->last_rx_eapol_key_len = data_len;
1159
0d442aff 1160 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1161 sm->EAPOLKeyReceived = TRUE;
1162 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1163 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1164 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1165 wpa_sm_step(sm);
1166}
1167
1168
3c7302c2
JM		 1169static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1170 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1171{
5cb9d5c3
JM		 1172 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1173 u8 *pos;
3c7302c2 1174 int ret = 0;
6fc6879b 1175
5cb9d5c3
JM		 1176 /* GTK = PRF-X(GMK, "Group key expansion",
1177 * AA || GNonce || Time || random data)
1178 * The example described in the IEEE 802.11 standard uses only AA and
1179 * GNonce as inputs here. Add some more entropy since this derivation
1180 * is done only at the Authenticator and as such, does not need to be
1181 * exactly same.
1182 */
6fc6879b
JM		 1183 os_memcpy(data, addr, ETH_ALEN);
1184 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1185 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1186 wpa_get_ntp_timestamp(pos);
1187 pos += 8;
3642c431 1188 if (random_get_bytes(pos, 16) < 0)
3c7302c2 1189 ret = -1;
6fc6879b 1190
56586197 1191#ifdef CONFIG_IEEE80211W
5cb9d5c3 1192 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
56586197 1193#else /* CONFIG_IEEE80211W */
3c7302c2
JM		 1194 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1195 < 0)
1196 ret = -1;
56586197 1197#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 1198
1199 return ret;
6fc6879b
JM		 1200}
1201
1202
1203static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1204{
1205 struct wpa_authenticator *wpa_auth = eloop_ctx;
1206 struct wpa_state_machine *sm = timeout_ctx;
1207
e4bf4db9 1208 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1209 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1210 sm->TimeoutEvt = TRUE;
1211 wpa_sm_step(sm);
1212}
1213
1214
1215void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1216 struct wpa_state_machine *sm, int key_info,
1217 const u8 *key_rsc, const u8 *nonce,
1218 const u8 *kde, size_t kde_len,
1219 int keyidx, int encr, int force_version)
1220{
1221 struct ieee802_1x_hdr *hdr;
1222 struct wpa_eapol_key *key;
1223 size_t len;
1224 int alg;
1225 int key_data_len, pad_len = 0;
1226 u8 *buf, *pos;
1227 int version, pairwise;
22a299ee 1228 int i;
6fc6879b
JM		 1229
1230 len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key);
1231
1232 if (force_version)
1233 version = force_version;
1234 else if (wpa_use_aes_cmac(sm))
1235 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1236 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1237 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1238 else
1239 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1240
8543ed8a 1241 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1242
1243 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1244 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1245 "encr=%d)",
1246 version,
1247 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1248 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1249 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1250 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1251 pairwise, (unsigned long) kde_len, keyidx, encr);
1252
1253 key_data_len = kde_len;
1254
1255 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1256 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1257 pad_len = key_data_len % 8;
1258 if (pad_len)
1259 pad_len = 8 - pad_len;
1260 key_data_len += pad_len + 8;
1261 }
1262
1263 len += key_data_len;
1264
1265 hdr = os_zalloc(len);
1266 if (hdr == NULL)
1267 return;
1268 hdr->version = wpa_auth->conf.eapol_version;
1269 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1270 hdr->length = host_to_be16(len - sizeof(*hdr));
1271 key = (struct wpa_eapol_key *) (hdr + 1);
1272
1273 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1274 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1275 key_info |= version;
1276 if (encr && sm->wpa == WPA_VERSION_WPA2)
1277 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1278 if (sm->wpa != WPA_VERSION_WPA2)
1279 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1280 WPA_PUT_BE16(key->key_info, key_info);
1281
1282 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
c3550295 1283 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b
JM		 1284 if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
1285 WPA_PUT_BE16(key->key_length, 0);
1286
1287 /* FIX: STSL: what to use as key_replay_counter? */
22a299ee
JM		 1288 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1289 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1290 os_memcpy(sm->key_replay[i].counter,
1291 sm->key_replay[i - 1].counter,
1292 WPA_REPLAY_COUNTER_LEN);
1293 }
1294 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1295 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1296 WPA_REPLAY_COUNTER_LEN);
22a299ee 1297 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1298
1299 if (nonce)
1300 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1301
1302 if (key_rsc)
1303 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1304
1305 if (kde && !encr) {
1306 os_memcpy(key + 1, kde, kde_len);
1307 WPA_PUT_BE16(key->key_data_length, kde_len);
1308 } else if (encr && kde) {
1309 buf = os_zalloc(key_data_len);
1310 if (buf == NULL) {
1311 os_free(hdr);
1312 return;
1313 }
1314 pos = buf;
1315 os_memcpy(pos, kde, kde_len);
1316 pos += kde_len;
1317
1318 if (pad_len)
1319 *pos++ = 0xdd;
1320
1321 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1322 buf, key_data_len);
1323 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1324 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1325 if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf,
1326 (u8 *) (key + 1))) {
1327 os_free(hdr);
1328 os_free(buf);
1329 return;
1330 }
1331 WPA_PUT_BE16(key->key_data_length, key_data_len);
1332 } else {
1333 u8 ek[32];
1334 os_memcpy(key->key_iv,
1335 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1336 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1337 os_memcpy(ek, key->key_iv, 16);
1338 os_memcpy(ek + 16, sm->PTK.kek, 16);
1339 os_memcpy(key + 1, buf, key_data_len);
1340 rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len);
1341 WPA_PUT_BE16(key->key_data_length, key_data_len);
1342 }
1343 os_free(buf);
1344 }
1345
1346 if (key_info & WPA_KEY_INFO_MIC) {
1347 if (!sm->PTK_valid) {
1348 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1349 "PTK not valid when sending EAPOL-Key "
1350 "frame");
1351 os_free(hdr);
1352 return;
1353 }
1354 wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len,
1355 key->key_mic);
7af092a0
JB		 1356#ifdef CONFIG_TESTING_OPTIONS
1357 if (!pairwise &&
1358 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0d &&
1359 drand48() <
1360 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1361 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1362 "Corrupting group EAPOL-Key Key MIC");
1363 key->key_mic[0]++;
1364 }
1365#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1366 }
1367
1368 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1369 1);
1370 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1371 sm->pairwise_set);
1372 os_free(hdr);
1373}
1374
1375
1376static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1377 struct wpa_state_machine *sm, int key_info,
1378 const u8 *key_rsc, const u8 *nonce,
1379 const u8 *kde, size_t kde_len,
1380 int keyidx, int encr)
1381{
1382 int timeout_ms;
1383 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
bae61562 1384 int ctr;
6fc6879b
JM		 1385
1386 if (sm == NULL)
1387 return;
1388
1389 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1390 keyidx, encr, 0);
1391
bae61562 1392 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1393 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1394 timeout_ms = pairwise ? eapol_key_timeout_first :
1395 eapol_key_timeout_first_group;
bae61562
JM		 1396 else
1397 timeout_ms = eapol_key_timeout_subseq;
e4bf4db9
JM		 1398 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1399 sm->pending_1_of_4_timeout = 1;
1400 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1401 "counter %d)", timeout_ms, ctr);
6fc6879b
JM		 1402 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1403 wpa_send_eapol_timeout, wpa_auth, sm);
1404}
1405
1406
1407static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len)
1408{
1409 struct ieee802_1x_hdr *hdr;
1410 struct wpa_eapol_key *key;
1411 u16 key_info;
1412 int ret = 0;
1413 u8 mic[16];
1414
1415 if (data_len < sizeof(*hdr) + sizeof(*key))
1416 return -1;
1417
1418 hdr = (struct ieee802_1x_hdr *) data;
1419 key = (struct wpa_eapol_key *) (hdr + 1);
1420 key_info = WPA_GET_BE16(key->key_info);
1421 os_memcpy(mic, key->key_mic, 16);
1422 os_memset(key->key_mic, 0, 16);
1423 if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK,
1424 data, data_len, key->key_mic) ||
1425 os_memcmp(mic, key->key_mic, 16) != 0)
1426 ret = -1;
1427 os_memcpy(key->key_mic, mic, 16);
1428 return ret;
1429}
1430
1431
1432void wpa_remove_ptk(struct wpa_state_machine *sm)
1433{
1434 sm->PTK_valid = FALSE;
1435 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
26083221 1436 wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
6fc6879b 1437 sm->pairwise_set = FALSE;
581a8cde 1438 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1439}
1440
1441
6f9b5d16 1442int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event)
6fc6879b 1443{
5d22a1d5
JM		 1444 int remove_ptk = 1;
1445
6fc6879b 1446 if (sm == NULL)
6f9b5d16 1447 return -1;
6fc6879b
JM		 1448
1449 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1450 "event %d notification", event);
1451
1452 switch (event) {
1453 case WPA_AUTH:
1454 case WPA_ASSOC:
1455 break;
1456 case WPA_DEAUTH:
1457 case WPA_DISASSOC:
1458 sm->DeauthenticationRequest = TRUE;
1459 break;
1460 case WPA_REAUTH:
1461 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1462 if (!sm->started) {
1463 /*
1464 * When using WPS, we may end up here if the STA
1465 * manages to re-associate without the previous STA
1466 * entry getting removed. Consequently, we need to make
1467 * sure that the WPA state machines gets initialized
1468 * properly at this point.
1469 */
1470 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1471 "started - initialize now");
1472 sm->started = 1;
1473 sm->Init = TRUE;
1474 if (wpa_sm_step(sm) == 1)
1475 return 1; /* should not really happen */
1476 sm->Init = FALSE;
1477 sm->AuthenticationRequest = TRUE;
1478 break;
1479 }
9663596f
JM		 1480 if (sm->GUpdateStationKeys) {
1481 /*
1482 * Reauthentication cancels the pending group key
1483 * update for this STA.
1484 */
1485 sm->group->GKeyDoneStations--;
1486 sm->GUpdateStationKeys = FALSE;
1487 sm->PtkGroupInit = TRUE;
1488 }
6fc6879b
JM		 1489 sm->ReAuthenticationRequest = TRUE;
1490 break;
1491 case WPA_ASSOC_FT:
1492#ifdef CONFIG_IEEE80211R
81a658d7
JM		 1493 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1494 "after association");
1495 wpa_ft_install_ptk(sm);
1496
6fc6879b
JM		 1497 /* Using FT protocol, not WPA auth state machine */
1498 sm->ft_completed = 1;
6f9b5d16 1499 return 0;
6fc6879b
JM		 1500#else /* CONFIG_IEEE80211R */
1501 break;
1502#endif /* CONFIG_IEEE80211R */
1503 }
1504
1505#ifdef CONFIG_IEEE80211R
1506 sm->ft_completed = 0;
1507#endif /* CONFIG_IEEE80211R */
1508
5d22a1d5
JM		 1509#ifdef CONFIG_IEEE80211W
1510 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1511 remove_ptk = 0;
1512#endif /* CONFIG_IEEE80211W */
6fc6879b 1513
5d22a1d5
JM		 1514 if (remove_ptk) {
1515 sm->PTK_valid = FALSE;
1516 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1517
1518 if (event != WPA_REAUTH_EAPOL)
1519 wpa_remove_ptk(sm);
1520 }
6fc6879b 1521
6f9b5d16 1522 return wpa_sm_step(sm);
6fc6879b
JM		 1523}
1524
1525
6fc6879b
JM		 1526SM_STATE(WPA_PTK, INITIALIZE)
1527{
1528 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1529 if (sm->Init) {
1530 /* Init flag is not cleared here, so avoid busy
1531 * loop by claiming nothing changed. */
1532 sm->changed = FALSE;
1533 }
1534
1535 sm->keycount = 0;
1536 if (sm->GUpdateStationKeys)
1537 sm->group->GKeyDoneStations--;
1538 sm->GUpdateStationKeys = FALSE;
1539 if (sm->wpa == WPA_VERSION_WPA)
1540 sm->PInitAKeys = FALSE;
1541 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1542 * Local AA > Remote AA)) */) {
1543 sm->Pair = TRUE;
1544 }
1545 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1546 wpa_remove_ptk(sm);
1547 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1548 sm->TimeoutCtr = 0;
56586197 1549 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 1550 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1551 WPA_EAPOL_authorized, 0);
1552 }
1553}
1554
1555
1556SM_STATE(WPA_PTK, DISCONNECT)
1557{
1558 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1559 sm->Disconnect = FALSE;
1560 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1561}
1562
1563
1564SM_STATE(WPA_PTK, DISCONNECTED)
1565{
1566 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1567 sm->DeauthenticationRequest = FALSE;
1568}
1569
1570
1571SM_STATE(WPA_PTK, AUTHENTICATION)
1572{
1573 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1574 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1575 sm->PTK_valid = FALSE;
1576 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1577 1);
1578 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1579 sm->AuthenticationRequest = FALSE;
1580}
1581
1582
40d00d2b
NC		 1583static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1584 struct wpa_group *group)
1bdb7ab3 1585{
40d00d2b
NC		 1586 if (group->first_sta_seen)
1587 return;
1bdb7ab3
JM		 1588 /*
1589 * System has run bit further than at the time hostapd was started
1590 * potentially very early during boot up. This provides better chances
1591 * of collecting more randomness on embedded systems. Re-initialize the
1592 * GMK and Counter here to improve their strength if there was not
1593 * enough entropy available immediately after system startup.
1594 */
1595 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1596 "station");
08704cd8
JM		 1597 if (random_pool_ready() != 1) {
1598 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1599 "to proceed - reject first 4-way handshake");
1600 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1601 } else {
1602 group->first_sta_seen = TRUE;
1603 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1604 }
40d00d2b 1605
1bdb7ab3
JM		 1606 wpa_group_init_gmk_and_counter(wpa_auth, group);
1607 wpa_gtk_update(wpa_auth, group);
1608 wpa_group_config_group_keys(wpa_auth, group);
1609}
1610
1611
6fc6879b
JM		 1612SM_STATE(WPA_PTK, AUTHENTICATION2)
1613{
1614 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1615
40d00d2b 1616 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1617 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1618
3825a19b
JM		 1619 /*
1620 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1621 * ambiguous. The Authenticator state machine uses a counter that is
1622 * incremented by one for each 4-way handshake. However, the security
1623 * analysis of 4-way handshake points out that unpredictable nonces
1624 * help in preventing precomputation attacks. Instead of the state
1625 * machine definition, use an unpredictable nonce value here to provide
1626 * stronger protection against potential precomputation attacks.
1627 */
1628 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1629 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1630 "ANonce.");
65a32cdb 1631 sm->Disconnect = TRUE;
3825a19b
JM		 1632 return;
1633 }
bc8318ac
JM		 1634 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1635 WPA_NONCE_LEN);
6fc6879b
JM		 1636 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1637 * logical place than INITIALIZE since AUTHENTICATION2 can be
1638 * re-entered on ReAuthenticationRequest without going through
1639 * INITIALIZE. */
1640 sm->TimeoutCtr = 0;
1641}
1642
1643
1644SM_STATE(WPA_PTK, INITPMK)
1645{
1646 u8 msk[2 * PMK_LEN];
1647 size_t len = 2 * PMK_LEN;
1648
1649 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1650#ifdef CONFIG_IEEE80211R
1651 sm->xxkey_len = 0;
1652#endif /* CONFIG_IEEE80211R */
1653 if (sm->pmksa) {
1654 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1655 os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN);
1656 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1657 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1658 "(len=%lu)", (unsigned long) len);
1659 os_memcpy(sm->PMK, msk, PMK_LEN);
1660#ifdef CONFIG_IEEE80211R
1661 if (len >= 2 * PMK_LEN) {
1662 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1663 sm->xxkey_len = PMK_LEN;
1664 }
1665#endif /* CONFIG_IEEE80211R */
1666 } else {
1667 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK");
1668 }
1669
1670 sm->req_replay_counter_used = 0;
1671 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1672 * will break reauthentication since EAPOL state machines may not be
1673 * get into AUTHENTICATING state that clears keyRun before WPA state
1674 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1675 * state and takes PMK from the previously used AAA Key. This will
1676 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1677 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1678 * be good workaround for this issue. */
1679 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1680}
1681
1682
1683SM_STATE(WPA_PTK, INITPSK)
1684{
1685 const u8 *psk;
1686 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
759fd76b 1687 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
6fc6879b
JM		 1688 if (psk) {
1689 os_memcpy(sm->PMK, psk, PMK_LEN);
1690#ifdef CONFIG_IEEE80211R
1691 os_memcpy(sm->xxkey, psk, PMK_LEN);
1692 sm->xxkey_len = PMK_LEN;
1693#endif /* CONFIG_IEEE80211R */
1694 }
1695 sm->req_replay_counter_used = 0;
1696}
1697
1698
1699SM_STATE(WPA_PTK, PTKSTART)
1700{
1701 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
1702 size_t pmkid_len = 0;
1703
1704 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
1705 sm->PTKRequest = FALSE;
1706 sm->TimeoutEvt = FALSE;
bae61562
JM		 1707
1708 sm->TimeoutCtr++;
1709 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1710 /* No point in sending the EAPOL-Key - we will disconnect
1711 * immediately following this. */
1712 return;
1713 }
1714
6fc6879b
JM		 1715 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1716 "sending 1/4 msg of 4-Way Handshake");
1717 /*
1718 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
1719 * one possible PSK for this STA.
1720 */
1721 if (sm->wpa == WPA_VERSION_WPA2 &&
56586197 1722 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) {
6fc6879b
JM		 1723 pmkid = buf;
1724 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
1725 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
1726 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
1727 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
1728 if (sm->pmksa)
1729 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
1730 sm->pmksa->pmkid, PMKID_LEN);
1731 else {
1732 /*
1733 * Calculate PMKID since no PMKSA cache entry was
1734 * available with pre-calculated PMKID.
1735 */
1736 rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr,
56586197
JM		 1737 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
1738 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
6fc6879b
JM		 1739 }
1740 }
1741 wpa_send_eapol(sm->wpa_auth, sm,
1742 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
1743 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 1744}
1745
1746
1747static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk,
1748 struct wpa_ptk *ptk)
1749{
eb7719ff 1750 size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64;
6fc6879b 1751#ifdef CONFIG_IEEE80211R
56586197 1752 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
c0a61908 1753 return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len);
6fc6879b
JM		 1754#endif /* CONFIG_IEEE80211R */
1755
1756 wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion",
1757 sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce,
c0a61908 1758 (u8 *) ptk, ptk_len,
56586197 1759 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
6fc6879b
JM		 1760
1761 return 0;
1762}
1763
1764
1765SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
1766{
1767 struct wpa_ptk PTK;
1768 int ok = 0;
1769 const u8 *pmk = NULL;
1770
1771 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
1772 sm->EAPOLKeyReceived = FALSE;
68921e24 1773 sm->update_snonce = FALSE;
6fc6879b
JM		 1774
1775 /* WPA with IEEE 802.1X: use the derived PMK from EAP
1776 * WPA-PSK: iterate through possible PSKs and select the one matching
1777 * the packet */
1778 for (;;) {
56586197 1779 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
759fd76b
JM		 1780 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
1781 sm->p2p_dev_addr, pmk);
6fc6879b
JM		 1782 if (pmk == NULL)
1783 break;
1784 } else
1785 pmk = sm->PMK;
1786
1787 wpa_derive_ptk(sm, pmk, &PTK);
1788
1789 if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key,
1790 sm->last_rx_eapol_key_len) == 0) {
1791 ok = 1;
1792 break;
1793 }
1794
56586197 1795 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
6fc6879b
JM		 1796 break;
1797 }
1798
1799 if (!ok) {
1800 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1801 "invalid MIC in msg 2/4 of 4-Way Handshake");
1802 return;
1803 }
1804
26e23750
JM		 1805#ifdef CONFIG_IEEE80211R
1806 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1807 /*
1808 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
1809 * with the value we derived.
1810 */
1811 if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name,
1812 WPA_PMK_NAME_LEN) != 0) {
1813 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1814 "PMKR1Name mismatch in FT 4-way "
1815 "handshake");
1816 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
1817 "Supplicant",
1818 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
1819 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1820 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1821 return;
1822 }
1823 }
1824#endif /* CONFIG_IEEE80211R */
1825
e4bf4db9 1826 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1827 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
1828
56586197 1829 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 1830 /* PSK may have changed from the previous choice, so update
1831 * state machine data based on whatever PSK was selected here.
1832 */
1833 os_memcpy(sm->PMK, pmk, PMK_LEN);
1834 }
1835
1836 sm->MICVerified = TRUE;
1837
1838 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
1839 sm->PTK_valid = TRUE;
1840}
1841
1842
1843SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
1844{
1845 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
1846 sm->TimeoutCtr = 0;
1847}
1848
1849
1850#ifdef CONFIG_IEEE80211W
1851
1852static int ieee80211w_kde_len(struct wpa_state_machine *sm)
1853{
1854 if (sm->mgmt_frame_prot) {
1855 return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde);
1856 }
1857
1858 return 0;
1859}
1860
1861
1862static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
1863{
1864 struct wpa_igtk_kde igtk;
1865 struct wpa_group *gsm = sm->group;
03610ad2 1866 u8 rsc[WPA_KEY_RSC_LEN];
6fc6879b
JM		 1867
1868 if (!sm->mgmt_frame_prot)
1869 return pos;
1870
1871 igtk.keyid[0] = gsm->GN_igtk;
1872 igtk.keyid[1] = 0;
7b1080da 1873 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 1874 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 1875 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 1876 else
1877 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
6fc6879b 1878 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
83421850
JM		 1879 if (sm->wpa_auth->conf.disable_gtk) {
1880 /*
1881 * Provide unique random IGTK to each STA to prevent use of
1882 * IGTK in the BSS.
1883 */
1884 if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0)
1885 return pos;
1886 }
6fc6879b
JM		 1887 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
1888 (const u8 *) &igtk, sizeof(igtk), NULL, 0);
1889
1890 return pos;
1891}
1892
1893#else /* CONFIG_IEEE80211W */
1894
1895static int ieee80211w_kde_len(struct wpa_state_machine *sm)
1896{
1897 return 0;
1898}
1899
1900
1901static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
1902{
1903 return pos;
1904}
1905
1906#endif /* CONFIG_IEEE80211W */
1907
1908
1909SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
1910{
83421850 1911 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 1912 size_t gtk_len, kde_len;
1913 struct wpa_group *gsm = sm->group;
1914 u8 *wpa_ie;
1915 int wpa_ie_len, secure, keyidx, encr = 0;
1916
1917 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
1918 sm->TimeoutEvt = FALSE;
bae61562
JM		 1919
1920 sm->TimeoutCtr++;
1921 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1922 /* No point in sending the EAPOL-Key - we will disconnect
1923 * immediately following this. */
1924 return;
1925 }
1926
86dfabb8
JM		 1927 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
1928 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 1929 */
1930 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
1931 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 1932 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 1933 wpa_ie = sm->wpa_auth->wpa_ie;
1934 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
1935 if (sm->wpa == WPA_VERSION_WPA &&
1936 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
1937 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
1938 /* WPA-only STA, remove RSN IE */
1939 wpa_ie = wpa_ie + wpa_ie[1] + 2;
1940 wpa_ie_len = wpa_ie[1] + 2;
1941 }
1942 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1943 "sending 3/4 msg of 4-Way Handshake");
1944 if (sm->wpa == WPA_VERSION_WPA2) {
1945 /* WPA2 send GTK in the 4-way handshake */
1946 secure = 1;
1947 gtk = gsm->GTK[gsm->GN - 1];
1948 gtk_len = gsm->GTK_len;
83421850
JM		 1949 if (sm->wpa_auth->conf.disable_gtk) {
1950 /*
1951 * Provide unique random GTK to each STA to prevent use
1952 * of GTK in the BSS.
1953 */
1954 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
1955 return;
1956 gtk = dummy_gtk;
1957 }
6fc6879b
JM		 1958 keyidx = gsm->GN;
1959 _rsc = rsc;
1960 encr = 1;
1961 } else {
1962 /* WPA does not include GTK in msg 3/4 */
1963 secure = 0;
1964 gtk = NULL;
1965 gtk_len = 0;
1966 keyidx = 0;
1967 _rsc = NULL;
0d442aff
JM		 1968 if (sm->rx_eapol_key_secure) {
1969 /*
1970 * It looks like Windows 7 supplicant tries to use
1971 * Secure bit in msg 2/4 after having reported Michael
1972 * MIC failure and it then rejects the 4-way handshake
1973 * if msg 3/4 does not set Secure bit. Work around this
1974 * by setting the Secure bit here even in the case of
1975 * WPA if the supplicant used it first.
1976 */
1977 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 1978 "STA used Secure bit in WPA msg 2/4 - "
1979 "set Secure for 3/4 as workaround");
0d442aff
JM		 1980 secure = 1;
1981 }
6fc6879b
JM		 1982 }
1983
1984 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
1985 if (gtk)
1986 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
26e23750 1987#ifdef CONFIG_IEEE80211R
86dfabb8
JM		 1988 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1989 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
1990 kde_len += 300; /* FTIE + 2 * TIE */
1991 }
26e23750 1992#endif /* CONFIG_IEEE80211R */
6fc6879b
JM		 1993 kde = os_malloc(kde_len);
1994 if (kde == NULL)
1995 return;
1996
1997 pos = kde;
1998 os_memcpy(pos, wpa_ie, wpa_ie_len);
1999 pos += wpa_ie_len;
26e23750
JM		 2000#ifdef CONFIG_IEEE80211R
2001 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2002 int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name);
2003 if (res < 0) {
2004 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2005 "PMKR1Name into RSN IE in EAPOL-Key data");
2006 os_free(kde);
2007 return;
2008 }
2009 pos += res;
2010 }
2011#endif /* CONFIG_IEEE80211R */
6fc6879b
JM		 2012 if (gtk) {
2013 u8 hdr[2];
2014 hdr[0] = keyidx & 0x03;
2015 hdr[1] = 0;
2016 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2017 gtk, gtk_len);
2018 }
2019 pos = ieee80211w_kde_add(sm, pos);
2020
86dfabb8
JM		 2021#ifdef CONFIG_IEEE80211R
2022 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2023 int res;
2024 struct wpa_auth_config *conf;
2025
2026 conf = &sm->wpa_auth->conf;
2027 res = wpa_write_ftie(conf, conf->r0_key_holder,
2028 conf->r0_key_holder_len,
2029 NULL, NULL, pos, kde + kde_len - pos,
2030 NULL, 0);
2031 if (res < 0) {
2032 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2033 "into EAPOL-Key Key Data");
2034 os_free(kde);
2035 return;
2036 }
2037 pos += res;
2038
2039 /* TIE[ReassociationDeadline] (TU) */
2040 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2041 *pos++ = 5;
2042 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2043 WPA_PUT_LE32(pos, conf->reassociation_deadline);
2044 pos += 4;
2045
2046 /* TIE[KeyLifetime] (seconds) */
2047 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2048 *pos++ = 5;
2049 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2050 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2051 pos += 4;
2052 }
2053#endif /* CONFIG_IEEE80211R */
2054
6fc6879b
JM		 2055 wpa_send_eapol(sm->wpa_auth, sm,
2056 (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
2057 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2058 WPA_KEY_INFO_KEY_TYPE,
2059 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2060 os_free(kde);
6fc6879b
JM		 2061}
2062
2063
2064SM_STATE(WPA_PTK, PTKINITDONE)
2065{
2066 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2067 sm->EAPOLKeyReceived = FALSE;
2068 if (sm->Pair) {
c3550295
JM		 2069 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2070 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b
JM		 2071 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2072 sm->PTK.tk1, klen)) {
2073 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2074 return;
2075 }
2076 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2077 sm->pairwise_set = TRUE;
2078
581a8cde
JM		 2079 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2080 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2081 eloop_register_timeout(sm->wpa_auth->conf.
2082 wpa_ptk_rekey, 0, wpa_rekey_ptk,
2083 sm->wpa_auth, sm);
2084 }
2085
56586197 2086 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2087 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2088 WPA_EAPOL_authorized, 1);
2089 }
2090 }
2091
2092 if (0 /* IBSS == TRUE */) {
2093 sm->keycount++;
2094 if (sm->keycount == 2) {
2095 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2096 WPA_EAPOL_portValid, 1);
2097 }
2098 } else {
2099 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2100 1);
2101 }
2102 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2103 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2104 if (sm->wpa == WPA_VERSION_WPA)
2105 sm->PInitAKeys = TRUE;
2106 else
2107 sm->has_GTK = TRUE;
2108 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2109 "pairwise key handshake completed (%s)",
2110 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2111
2112#ifdef CONFIG_IEEE80211R
2113 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
2114#endif /* CONFIG_IEEE80211R */
2115}
2116
2117
2118SM_STEP(WPA_PTK)
2119{
2120 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2121
2122 if (sm->Init)
2123 SM_ENTER(WPA_PTK, INITIALIZE);
2124 else if (sm->Disconnect
1aae01fc
BG		 2125 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2126 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2127 "WPA_PTK: sm->Disconnect");
6fc6879b 2128 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 2129 }
6fc6879b
JM		 2130 else if (sm->DeauthenticationRequest)
2131 SM_ENTER(WPA_PTK, DISCONNECTED);
2132 else if (sm->AuthenticationRequest)
2133 SM_ENTER(WPA_PTK, AUTHENTICATION);
2134 else if (sm->ReAuthenticationRequest)
2135 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2136 else if (sm->PTKRequest)
2137 SM_ENTER(WPA_PTK, PTKSTART);
2138 else switch (sm->wpa_ptk_state) {
2139 case WPA_PTK_INITIALIZE:
2140 break;
2141 case WPA_PTK_DISCONNECT:
2142 SM_ENTER(WPA_PTK, DISCONNECTED);
2143 break;
2144 case WPA_PTK_DISCONNECTED:
2145 SM_ENTER(WPA_PTK, INITIALIZE);
2146 break;
2147 case WPA_PTK_AUTHENTICATION:
2148 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2149 break;
2150 case WPA_PTK_AUTHENTICATION2:
56586197 2151 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 2152 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2153 WPA_EAPOL_keyRun) > 0)
2154 SM_ENTER(WPA_PTK, INITPMK);
56586197 2155 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
6fc6879b
JM		 2156 /* FIX: && 802.1X::keyRun */)
2157 SM_ENTER(WPA_PTK, INITPSK);
2158 break;
2159 case WPA_PTK_INITPMK:
2160 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2161 WPA_EAPOL_keyAvailable) > 0)
2162 SM_ENTER(WPA_PTK, PTKSTART);
2163 else {
2164 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 2165 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2166 "INITPMK - keyAvailable = false");
6fc6879b
JM		 2167 SM_ENTER(WPA_PTK, DISCONNECT);
2168 }
2169 break;
2170 case WPA_PTK_INITPSK:
759fd76b
JM		 2171 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
2172 NULL))
6fc6879b
JM		 2173 SM_ENTER(WPA_PTK, PTKSTART);
2174 else {
2175 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2176 "no PSK configured for the STA");
2177 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2178 SM_ENTER(WPA_PTK, DISCONNECT);
2179 }
2180 break;
2181 case WPA_PTK_PTKSTART:
2182 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2183 sm->EAPOLKeyPairwise)
2184 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2185 else if (sm->TimeoutCtr >
2186 (int) dot11RSNAConfigPairwiseUpdateCount) {
2187 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 2188 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2189 "PTKSTART: Retry limit %d reached",
2190 dot11RSNAConfigPairwiseUpdateCount);
6fc6879b
JM		 2191 SM_ENTER(WPA_PTK, DISCONNECT);
2192 } else if (sm->TimeoutEvt)
2193 SM_ENTER(WPA_PTK, PTKSTART);
2194 break;
2195 case WPA_PTK_PTKCALCNEGOTIATING:
2196 if (sm->MICVerified)
2197 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
2198 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2199 sm->EAPOLKeyPairwise)
2200 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2201 else if (sm->TimeoutEvt)
2202 SM_ENTER(WPA_PTK, PTKSTART);
2203 break;
2204 case WPA_PTK_PTKCALCNEGOTIATING2:
2205 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2206 break;
2207 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 2208 if (sm->update_snonce)
2209 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2210 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2211 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 2212 SM_ENTER(WPA_PTK, PTKINITDONE);
2213 else if (sm->TimeoutCtr >
2214 (int) dot11RSNAConfigPairwiseUpdateCount) {
2215 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 2216 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2217 "PTKINITNEGOTIATING: Retry limit %d "
2218 "reached",
2219 dot11RSNAConfigPairwiseUpdateCount);
6fc6879b
JM		 2220 SM_ENTER(WPA_PTK, DISCONNECT);
2221 } else if (sm->TimeoutEvt)
2222 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2223 break;
2224 case WPA_PTK_PTKINITDONE:
2225 break;
2226 }
2227}
2228
2229
2230SM_STATE(WPA_PTK_GROUP, IDLE)
2231{
2232 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
2233 if (sm->Init) {
2234 /* Init flag is not cleared here, so avoid busy
2235 * loop by claiming nothing changed. */
2236 sm->changed = FALSE;
2237 }
2238 sm->GTimeoutCtr = 0;
2239}
2240
2241
2242SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
2243{
2244 u8 rsc[WPA_KEY_RSC_LEN];
2245 struct wpa_group *gsm = sm->group;
2246 u8 *kde, *pos, hdr[2];
2247 size_t kde_len;
83421850 2248 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 2249
2250 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 2251
2252 sm->GTimeoutCtr++;
2253 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
2254 /* No point in sending the EAPOL-Key - we will disconnect
2255 * immediately following this. */
2256 return;
2257 }
2258
6fc6879b
JM		 2259 if (sm->wpa == WPA_VERSION_WPA)
2260 sm->PInitAKeys = FALSE;
2261 sm->TimeoutEvt = FALSE;
2262 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
2263 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2264 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
2265 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2266 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2267 "sending 1/2 msg of Group Key Handshake");
2268
83421850
JM		 2269 gtk = gsm->GTK[gsm->GN - 1];
2270 if (sm->wpa_auth->conf.disable_gtk) {
2271 /*
2272 * Provide unique random GTK to each STA to prevent use
2273 * of GTK in the BSS.
2274 */
2275 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
2276 return;
2277 gtk = dummy_gtk;
2278 }
6fc6879b
JM		 2279 if (sm->wpa == WPA_VERSION_WPA2) {
2280 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
2281 ieee80211w_kde_len(sm);
2282 kde = os_malloc(kde_len);
2283 if (kde == NULL)
2284 return;
2285
2286 pos = kde;
2287 hdr[0] = gsm->GN & 0x03;
2288 hdr[1] = 0;
2289 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 2290 gtk, gsm->GTK_len);
6fc6879b
JM		 2291 pos = ieee80211w_kde_add(sm, pos);
2292 } else {
83421850 2293 kde = gtk;
6fc6879b
JM		 2294 pos = kde + gsm->GTK_len;
2295 }
2296
2297 wpa_send_eapol(sm->wpa_auth, sm,
2298 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
2299 WPA_KEY_INFO_ACK |
2300 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
2301 rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1);
2302 if (sm->wpa == WPA_VERSION_WPA2)
2303 os_free(kde);
6fc6879b
JM		 2304}
2305
2306
2307SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
2308{
2309 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
2310 sm->EAPOLKeyReceived = FALSE;
2311 if (sm->GUpdateStationKeys)
2312 sm->group->GKeyDoneStations--;
2313 sm->GUpdateStationKeys = FALSE;
2314 sm->GTimeoutCtr = 0;
2315 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
2316 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2317 "group key handshake completed (%s)",
2318 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2319 sm->has_GTK = TRUE;
2320}
2321
2322
2323SM_STATE(WPA_PTK_GROUP, KEYERROR)
2324{
2325 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
2326 if (sm->GUpdateStationKeys)
2327 sm->group->GKeyDoneStations--;
2328 sm->GUpdateStationKeys = FALSE;
2329 sm->Disconnect = TRUE;
2330}
2331
2332
2333SM_STEP(WPA_PTK_GROUP)
2334{
9663596f 2335 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 2336 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 2337 sm->PtkGroupInit = FALSE;
2338 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 2339 case WPA_PTK_GROUP_IDLE:
2340 if (sm->GUpdateStationKeys ||
2341 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
2342 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2343 break;
2344 case WPA_PTK_GROUP_REKEYNEGOTIATING:
2345 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2346 !sm->EAPOLKeyPairwise && sm->MICVerified)
2347 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
2348 else if (sm->GTimeoutCtr >
2349 (int) dot11RSNAConfigGroupUpdateCount)
2350 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
2351 else if (sm->TimeoutEvt)
2352 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2353 break;
2354 case WPA_PTK_GROUP_KEYERROR:
2355 SM_ENTER(WPA_PTK_GROUP, IDLE);
2356 break;
2357 case WPA_PTK_GROUP_REKEYESTABLISHED:
2358 SM_ENTER(WPA_PTK_GROUP, IDLE);
2359 break;
2360 }
2361}
2362
2363
2364static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
2365 struct wpa_group *group)
2366{
2367 int ret = 0;
2368
6fc6879b
JM		 2369 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2370 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 2371 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
2372 wpa_auth->addr, group->GNonce,
2373 group->GTK[group->GN - 1], group->GTK_len) < 0)
2374 ret = -1;
5cb9d5c3
JM		 2375 wpa_hexdump_key(MSG_DEBUG, "GTK",
2376 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 2377
2378#ifdef CONFIG_IEEE80211W
70f8cc8e 2379 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
5cb9d5c3
JM		 2380 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2381 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 2382 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
2383 wpa_auth->addr, group->GNonce,
2384 group->IGTK[group->GN_igtk - 4],
2385 WPA_IGTK_LEN) < 0)
2386 ret = -1;
6fc6879b
JM		 2387 wpa_hexdump_key(MSG_DEBUG, "IGTK",
2388 group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN);
2389 }
2390#endif /* CONFIG_IEEE80211W */
2391
2392 return ret;
2393}
2394
2395
2396static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
2397 struct wpa_group *group)
2398{
2399 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2400 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
2401 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
2402 group->wpa_group_state = WPA_GROUP_GTK_INIT;
2403
2404 /* GTK[0..N] = 0 */
2405 os_memset(group->GTK, 0, sizeof(group->GTK));
2406 group->GN = 1;
2407 group->GM = 2;
2408#ifdef CONFIG_IEEE80211W
2409 group->GN_igtk = 4;
2410 group->GM_igtk = 5;
2411#endif /* CONFIG_IEEE80211W */
2412 /* GTK[GN] = CalcGTK() */
2413 wpa_gtk_update(wpa_auth, group);
2414}
2415
2416
2417static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
2418{
473b6f22
MB		 2419 if (ctx != NULL && ctx != sm->group)
2420 return 0;
2421
6fc6879b
JM		 2422 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
2423 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2424 "Not in PTKINITDONE; skip Group Key update");
3c183894 2425 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 2426 return 0;
2427 }
9663596f
JM		 2428 if (sm->GUpdateStationKeys) {
2429 /*
3c183894
JM		 2430 * This should not really happen, so add a debug log entry.
2431 * Since we clear the GKeyDoneStations before the loop, the
2432 * station needs to be counted here anyway.
9663596f
JM		 2433 */
2434 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 2435 "GUpdateStationKeys was already set when "
2436 "marking station for GTK rekeying");
9663596f 2437 }
3c183894 2438
ad3872a3 2439 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 2440 if (sm->is_wnmsleep)
2441 return 0;
d32d94db 2442
3c183894
JM		 2443 sm->group->GKeyDoneStations++;
2444 sm->GUpdateStationKeys = TRUE;
2445
6fc6879b
JM		 2446 wpa_sm_step(sm);
2447 return 0;
2448}
2449
2450
ad3872a3
JM		 2451#ifdef CONFIG_WNM
2452/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 2453void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
2454{
2455 if (sm->is_wnmsleep)
2456 return;
2457
2458 wpa_group_update_sta(sm, NULL);
2459}
2460
2461
2462void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
2463{
2464 sm->is_wnmsleep = !!flag;
2465}
2466
2467
2468int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2469{
d32d94db 2470 struct wpa_group *gsm = sm->group;
835822d4 2471 u8 *start = pos;
d32d94db
XC		 2472
2473 /*
835822d4 2474 * GTK subelement:
d32d94db 2475 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 2476 * Key[5..32]
d32d94db 2477 */
835822d4
JM		 2478 *pos++ = WNM_SLEEP_SUBELEM_GTK;
2479 *pos++ = 11 + gsm->GTK_len;
d32d94db 2480 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 2481 WPA_PUT_LE16(pos, gsm->GN & 0x03);
2482 pos += 2;
2483 *pos++ = gsm->GTK_len;
2484 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 2485 return 0;
835822d4
JM		 2486 pos += 8;
2487 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2488 pos += gsm->GTK_len;
d32d94db 2489
835822d4
JM		 2490 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
2491 gsm->GN);
2492 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 2493 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 2494
835822d4 2495 return pos - start;
d32d94db
XC		 2496}
2497
2498
2499#ifdef CONFIG_IEEE80211W
2500int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2501{
d32d94db 2502 struct wpa_group *gsm = sm->group;
835822d4 2503 u8 *start = pos;
d32d94db 2504
835822d4
JM		 2505 /*
2506 * IGTK subelement:
2507 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
2508 */
2509 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
2510 *pos++ = 2 + 6 + WPA_IGTK_LEN;
2511 WPA_PUT_LE16(pos, gsm->GN_igtk);
2512 pos += 2;
2513 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 2514 return 0;
835822d4 2515 pos += 6;
d32d94db 2516
835822d4
JM		 2517 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
2518 pos += WPA_IGTK_LEN;
d32d94db 2519
835822d4
JM		 2520 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
2521 gsm->GN_igtk);
2522 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
d32d94db 2523 gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
d32d94db 2524
835822d4 2525 return pos - start;
d32d94db
XC		 2526}
2527#endif /* CONFIG_IEEE80211W */
ad3872a3 2528#endif /* CONFIG_WNM */
d32d94db
XC		 2529
2530
6fc6879b
JM		 2531static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
2532 struct wpa_group *group)
2533{
2534 int tmp;
2535
2536 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2537 "SETKEYS (VLAN-ID %d)", group->vlan_id);
2538 group->changed = TRUE;
2539 group->wpa_group_state = WPA_GROUP_SETKEYS;
2540 group->GTKReKey = FALSE;
2541 tmp = group->GM;
2542 group->GM = group->GN;
2543 group->GN = tmp;
2544#ifdef CONFIG_IEEE80211W
2545 tmp = group->GM_igtk;
2546 group->GM_igtk = group->GN_igtk;
2547 group->GN_igtk = tmp;
2548#endif /* CONFIG_IEEE80211W */
2549 /* "GKeyDoneStations = GNoStations" is done in more robust way by
2550 * counting the STAs that are marked with GUpdateStationKeys instead of
2551 * including all STAs that could be in not-yet-completed state. */
2552 wpa_gtk_update(wpa_auth, group);
2553
3c183894
JM		 2554 if (group->GKeyDoneStations) {
2555 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
2556 "GKeyDoneStations=%d when starting new GTK rekey",
2557 group->GKeyDoneStations);
2558 group->GKeyDoneStations = 0;
2559 }
473b6f22 2560 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 2561 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
2562 group->GKeyDoneStations);
2563}
2564
2565
1bdb7ab3
JM		 2566static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
2567 struct wpa_group *group)
6fc6879b 2568{
3c7302c2
JM		 2569 int ret = 0;
2570
3c7302c2 2571 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 2572 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 2573 broadcast_ether_addr, group->GN,
2574 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 2575 ret = -1;
6fc6879b
JM		 2576
2577#ifdef CONFIG_IEEE80211W
3c7302c2
JM		 2578 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION &&
2579 wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK,
0382097e 2580 broadcast_ether_addr, group->GN_igtk,
3c7302c2
JM		 2581 group->IGTK[group->GN_igtk - 4],
2582 WPA_IGTK_LEN) < 0)
2583 ret = -1;
6fc6879b 2584#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 2585
2586 return ret;
6fc6879b
JM		 2587}
2588
2589
1bdb7ab3
JM		 2590static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
2591 struct wpa_group *group)
2592{
2593 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2594 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
2595 group->changed = TRUE;
2596 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
2597
2598 if (wpa_group_config_group_keys(wpa_auth, group) < 0)
2599 return -1;
2600
2601 return 0;
2602}
2603
2604
6fc6879b
JM		 2605static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
2606 struct wpa_group *group)
2607{
2608 if (group->GInit) {
2609 wpa_group_gtk_init(wpa_auth, group);
2610 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
2611 group->GTKAuthenticator) {
2612 wpa_group_setkeysdone(wpa_auth, group);
2613 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
2614 group->GTKReKey) {
2615 wpa_group_setkeys(wpa_auth, group);
2616 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
2617 if (group->GKeyDoneStations == 0)
2618 wpa_group_setkeysdone(wpa_auth, group);
2619 else if (group->GTKReKey)
2620 wpa_group_setkeys(wpa_auth, group);
2621 }
2622}
2623
2624
e4a6ea1d 2625static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 2626{
2627 if (sm == NULL)
e4a6ea1d 2628 return 0;
6fc6879b
JM		 2629
2630 if (sm->in_step_loop) {
2631 /* This should not happen, but if it does, make sure we do not
2632 * end up freeing the state machine too early by exiting the
2633 * recursive call. */
2634 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 2635 return 0;
6fc6879b
JM		 2636 }
2637
2638 sm->in_step_loop = 1;
2639 do {
2640 if (sm->pending_deinit)
2641 break;
2642
2643 sm->changed = FALSE;
2644 sm->wpa_auth->group->changed = FALSE;
2645
2646 SM_STEP_RUN(WPA_PTK);
2647 if (sm->pending_deinit)
2648 break;
2649 SM_STEP_RUN(WPA_PTK_GROUP);
2650 if (sm->pending_deinit)
2651 break;
2652 wpa_group_sm_step(sm->wpa_auth, sm->group);
2653 } while (sm->changed || sm->wpa_auth->group->changed);
2654 sm->in_step_loop = 0;
2655
2656 if (sm->pending_deinit) {
2657 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
2658 "machine deinit for " MACSTR, MAC2STR(sm->addr));
2659 wpa_free_sta_sm(sm);
e4a6ea1d 2660 return 1;
6fc6879b 2661 }
e4a6ea1d 2662 return 0;
6fc6879b
JM		 2663}
2664
2665
2666static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
2667{
2668 struct wpa_state_machine *sm = eloop_ctx;
2669 wpa_sm_step(sm);
2670}
2671
2672
2673void wpa_auth_sm_notify(struct wpa_state_machine *sm)
2674{
2675 if (sm == NULL)
2676 return;
2677 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
2678}
2679
2680
2681void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
2682{
2683 int tmp, i;
2684 struct wpa_group *group;
2685
2686 if (wpa_auth == NULL)
2687 return;
2688
2689 group = wpa_auth->group;
2690
2691 for (i = 0; i < 2; i++) {
2692 tmp = group->GM;
2693 group->GM = group->GN;
2694 group->GN = tmp;
2695#ifdef CONFIG_IEEE80211W
2696 tmp = group->GM_igtk;
2697 group->GM_igtk = group->GN_igtk;
2698 group->GN_igtk = tmp;
2699#endif /* CONFIG_IEEE80211W */
2700 wpa_gtk_update(wpa_auth, group);
9354e594 2701 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 2702 }
2703}
2704
2705
2706static const char * wpa_bool_txt(int bool)
2707{
2708 return bool ? "TRUE" : "FALSE";
2709}
2710
2711
6fc6879b
JM		 2712#define RSN_SUITE "%02x-%02x-%02x-%d"
2713#define RSN_SUITE_ARG(s) \
2714((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2715
2716int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
2717{
2718 int len = 0, ret;
2719 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 2720#ifdef CONFIG_RSN_PREAUTH
2721 const int preauth = 1;
2722#else /* CONFIG_RSN_PREAUTH */
2723 const int preauth = 0;
2724#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 2725
2726 if (wpa_auth == NULL)
2727 return len;
2728
2729 ret = os_snprintf(buf + len, buflen - len,
2730 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 2731 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 2732 "dot11RSNAEnabled=%s\n"
2733 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 2734 wpa_bool_txt(preauth),
6fc6879b
JM		 2735 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
2736 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
2737 if (ret < 0 || (size_t) ret >= buflen - len)
2738 return len;
2739 len += ret;
2740
2741 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2742 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
2743
2744 ret = os_snprintf(
2745 buf + len, buflen - len,
2746 "dot11RSNAConfigVersion=%u\n"
2747 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
2748 /* FIX: dot11RSNAConfigGroupCipher */
2749 /* FIX: dot11RSNAConfigGroupRekeyMethod */
2750 /* FIX: dot11RSNAConfigGroupRekeyTime */
2751 /* FIX: dot11RSNAConfigGroupRekeyPackets */
2752 "dot11RSNAConfigGroupRekeyStrict=%u\n"
2753 "dot11RSNAConfigGroupUpdateCount=%u\n"
2754 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
2755 "dot11RSNAConfigGroupCipherSize=%u\n"
2756 "dot11RSNAConfigPMKLifetime=%u\n"
2757 "dot11RSNAConfigPMKReauthThreshold=%u\n"
2758 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
2759 "dot11RSNAConfigSATimeout=%u\n"
2760 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2761 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2762 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2763 "dot11RSNAPMKIDUsed=%s\n"
2764 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2765 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2766 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2767 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
2768 "dot11RSNA4WayHandshakeFailures=%u\n"
2769 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
2770 RSN_VERSION,
2771 !!wpa_auth->conf.wpa_strict_rekey,
2772 dot11RSNAConfigGroupUpdateCount,
2773 dot11RSNAConfigPairwiseUpdateCount,
c3550295 2774 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 2775 dot11RSNAConfigPMKLifetime,
2776 dot11RSNAConfigPMKReauthThreshold,
2777 dot11RSNAConfigSATimeout,
2778 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
2779 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
2780 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
2781 pmkid_txt,
2782 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
2783 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
2784 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
2785 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
2786 wpa_auth->dot11RSNA4WayHandshakeFailures);
2787 if (ret < 0 || (size_t) ret >= buflen - len)
2788 return len;
2789 len += ret;
2790
2791 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
2792 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
2793
2794 /* Private MIB */
2795 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
2796 wpa_auth->group->wpa_group_state);
2797 if (ret < 0 || (size_t) ret >= buflen - len)
2798 return len;
2799 len += ret;
2800
2801 return len;
2802}
2803
2804
2805int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
2806{
2807 int len = 0, ret;
2808 u32 pairwise = 0;
2809
2810 if (sm == NULL)
2811 return 0;
2812
2813 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
2814
2815 /* dot11RSNAStatsEntry */
2816
c3550295
JM		 2817 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
2818 WPA_PROTO_RSN : WPA_PROTO_WPA,
2819 sm->pairwise);
2820 if (pairwise == 0)
6fc6879b
JM		 2821 return 0;
2822
2823 ret = os_snprintf(
2824 buf + len, buflen - len,
2825 /* TODO: dot11RSNAStatsIndex */
2826 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
2827 "dot11RSNAStatsVersion=1\n"
2828 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
2829 /* TODO: dot11RSNAStatsTKIPICVErrors */
2830 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 2831 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 2832 /* TODO: dot11RSNAStatsCCMPReplays */
2833 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
2834 /* TODO: dot11RSNAStatsTKIPReplays */,
2835 MAC2STR(sm->addr),
2836 RSN_SUITE_ARG(pairwise),
2837 sm->dot11RSNAStatsTKIPLocalMICFailures,
2838 sm->dot11RSNAStatsTKIPRemoteMICFailures);
2839 if (ret < 0 || (size_t) ret >= buflen - len)
2840 return len;
2841 len += ret;
2842
2843 /* Private MIB */
2844 ret = os_snprintf(buf + len, buflen - len,
2845 "hostapdWPAPTKState=%d\n"
2846 "hostapdWPAPTKGroupState=%d\n",
2847 sm->wpa_ptk_state,
2848 sm->wpa_ptk_group_state);
2849 if (ret < 0 || (size_t) ret >= buflen - len)
2850 return len;
2851 len += ret;
2852
2853 return len;
2854}
2855
2856
2857void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
2858{
2859 if (wpa_auth)
2860 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
2861}
2862
2863
2864int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
2865{
2866 return sm && sm->pairwise_set;
2867}
2868
2869
ff36ff00
JM		 2870int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
2871{
2872 return sm->pairwise;
2873}
2874
2875
6fc6879b
JM		 2876int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
2877{
2878 if (sm == NULL)
2879 return -1;
2880 return sm->wpa_key_mgmt;
2881}
2882
2883
2884int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
2885{
2886 if (sm == NULL)
2887 return 0;
2888 return sm->wpa;
2889}
2890
2891
2892int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
2893 struct rsn_pmksa_cache_entry *entry)
2894{
2895 if (sm == NULL || sm->pmksa != entry)
2896 return -1;
2897 sm->pmksa = NULL;
2898 return 0;
2899}
2900
2901
2902struct rsn_pmksa_cache_entry *
2903wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
2904{
2905 return sm ? sm->pmksa : NULL;
2906}
2907
2908
2909void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
2910{
2911 if (sm)
2912 sm->dot11RSNAStatsTKIPLocalMICFailures++;
2913}
2914
2915
2916const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
2917{
2918 if (wpa_auth == NULL)
2919 return NULL;
2920 *len = wpa_auth->wpa_ie_len;
2921 return wpa_auth->wpa_ie;
2922}
2923
2924
2925int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
2926 int session_timeout, struct eapol_state_machine *eapol)
2927{
cb465555
JM		 2928 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
2929 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 2930 return -1;
2931
4bb081f1
JM		 2932 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
2933 sm->wpa_auth->addr, sm->addr, session_timeout,
2934 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 2935 return 0;
2936
2937 return -1;
2938}
2939
2940
2941int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
2942 const u8 *pmk, size_t len, const u8 *sta_addr,
2943 int session_timeout,
2944 struct eapol_state_machine *eapol)
2945{
2946 if (wpa_auth == NULL)
2947 return -1;
2948
4bb081f1
JM		 2949 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr,
2950 sta_addr, session_timeout, eapol,
2951 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 2952 return 0;
2953
2954 return -1;
2955}
2956
2957
901d1fe1
JM		 2958void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
2959 const u8 *sta_addr)
2960{
2961 struct rsn_pmksa_cache_entry *pmksa;
2962
2963 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
2964 return;
2965 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
2966 if (pmksa) {
2967 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
2968 MACSTR " based on request", MAC2STR(sta_addr));
2969 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
2970 }
2971}
2972
2973
6fc6879b
JM		 2974static struct wpa_group *
2975wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
2976{
2977 struct wpa_group *group;
2978
2979 if (wpa_auth == NULL || wpa_auth->group == NULL)
2980 return NULL;
2981
2982 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
2983 vlan_id);
bdffdc5d 2984 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 2985 if (group == NULL)
2986 return NULL;
2987
2988 group->next = wpa_auth->group->next;
2989 wpa_auth->group->next = group;
2990
2991 return group;
2992}
2993
2994
2995int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
2996{
2997 struct wpa_group *group;
2998
2999 if (sm == NULL || sm->wpa_auth == NULL)
3000 return 0;
3001
3002 group = sm->wpa_auth->group;
3003 while (group) {
3004 if (group->vlan_id == vlan_id)
3005 break;
3006 group = group->next;
3007 }
3008
3009 if (group == NULL) {
3010 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
3011 if (group == NULL)
3012 return -1;
3013 }
3014
3015 if (sm->group == group)
3016 return 0;
3017
3018 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
3019 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
3020
3021 sm->group = group;
3022 return 0;
3023}
e4bf4db9
JM		 3024
3025
3026void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
3027 struct wpa_state_machine *sm, int ack)
3028{
3029 if (wpa_auth == NULL || sm == NULL)
3030 return;
3031 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
3032 " ack=%d", MAC2STR(sm->addr), ack);
3033 if (sm->pending_1_of_4_timeout && ack) {
3034 /*
3035 * Some deployed supplicant implementations update their SNonce
3036 * for each EAPOL-Key 2/4 message even within the same 4-way
3037 * handshake and then fail to use the first SNonce when
3038 * deriving the PTK. This results in unsuccessful 4-way
3039 * handshake whenever the relatively short initial timeout is
3040 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
3041 * around this by increasing the timeout now that we know that
3042 * the station has received the frame.
3043 */
3044 int timeout_ms = eapol_key_timeout_subseq;
3045 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
3046 "timeout by %u ms because of acknowledged frame",
3047 timeout_ms);
3048 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
3049 eloop_register_timeout(timeout_ms / 1000,
3050 (timeout_ms % 1000) * 1000,
3051 wpa_send_eapol_timeout, wpa_auth, sm);
3052 }
3053}
c10347f2
JM		 3054
3055
3056int wpa_auth_uses_sae(struct wpa_state_machine *sm)
3057{
3058 if (sm == NULL)
3059 return 0;
3060 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
3061}
Unnamed repository; edit this file 'description' to name the repository.