]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
mka: Some bug fixes for MACsec in PSK mode
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
98cd3d1c 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
25ef8529 14#include "utils/bitfield.h"
81f4f619 15#include "common/ieee802_11_defs.h"
3b5b7aa8 16#include "crypto/aes.h"
03da66bd 17#include "crypto/aes_wrap.h"
3b5b7aa8 18#include "crypto/aes_siv.h"
03da66bd
JM		 19#include "crypto/crypto.h"
20#include "crypto/sha1.h"
21#include "crypto/sha256.h"
3642c431 22#include "crypto/random.h"
281c950b 23#include "eapol_auth/eapol_auth_sm.h"
6226e38d 24#include "ap_config.h"
6fc6879b 25#include "ieee802_11.h"
6226e38d
JM		 26#include "wpa_auth.h"
27#include "pmksa_cache_auth.h"
6fc6879b
JM		 28#include "wpa_auth_i.h"
29#include "wpa_auth_ie.h"
30
31#define STATE_MACHINE_DATA struct wpa_state_machine
32#define STATE_MACHINE_DEBUG_PREFIX "WPA"
33#define STATE_MACHINE_ADDR sm->addr
34
35
36static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 37static int wpa_sm_step(struct wpa_state_machine *sm);
929a2ea5
JM		 38static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
39 size_t data_len);
75c8563e
JM		 40#ifdef CONFIG_FILS
41static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
42 u8 *buf, size_t buf_len, u16 *_key_data_len);
43#endif /* CONFIG_FILS */
6fc6879b
JM		 44static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
45static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
46 struct wpa_group *group);
581a8cde 47static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 48static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
49 struct wpa_group *group);
1bdb7ab3
JM		 50static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
f23c5b17 52static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 53 const u8 *pmk, unsigned int pmk_len,
54 struct wpa_ptk *ptk);
a0ad9e8c
MB		 55static void wpa_group_free(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
57static void wpa_group_get(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59static void wpa_group_put(struct wpa_authenticator *wpa_auth,
60 struct wpa_group *group);
e73ffa09 61static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
6fc6879b 62
bae61562
JM		 63static const u32 dot11RSNAConfigGroupUpdateCount = 4;
64static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
65static const u32 eapol_key_timeout_first = 100; /* ms */
66static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 67static const u32 eapol_key_timeout_first_group = 500; /* ms */
6fc6879b
JM		 68
69/* TODO: make these configurable */
70static const int dot11RSNAConfigPMKLifetime = 43200;
71static const int dot11RSNAConfigPMKReauthThreshold = 70;
72static const int dot11RSNAConfigSATimeout = 60;
73
74
c772d054 75static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 76 struct wpa_authenticator *wpa_auth, const u8 *addr)
77{
cef8fac0
JB		 78 if (wpa_auth->cb->mic_failure_report)
79 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
c772d054 80 return 0;
6fc6879b
JM		 81}
82
83
2c502460
JM		 84static inline void wpa_auth_psk_failure_report(
85 struct wpa_authenticator *wpa_auth, const u8 *addr)
86{
cef8fac0
JB		 87 if (wpa_auth->cb->psk_failure_report)
88 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
2c502460
JM		 89}
90
91
6fc6879b
JM		 92static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
93 const u8 *addr, wpa_eapol_variable var,
94 int value)
95{
cef8fac0
JB		 96 if (wpa_auth->cb->set_eapol)
97 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
6fc6879b
JM		 98}
99
100
101static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
102 const u8 *addr, wpa_eapol_variable var)
103{
cef8fac0 104 if (wpa_auth->cb->get_eapol == NULL)
6fc6879b 105 return -1;
cef8fac0 106 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
6fc6879b
JM		 107}
108
109
110static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 111 const u8 *addr,
112 const u8 *p2p_dev_addr,
113 const u8 *prev_psk)
6fc6879b 114{
cef8fac0 115 if (wpa_auth->cb->get_psk == NULL)
6fc6879b 116 return NULL;
cef8fac0
JB		 117 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
118 prev_psk);
6fc6879b
JM		 119}
120
121
122static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
123 const u8 *addr, u8 *msk, size_t *len)
124{
cef8fac0 125 if (wpa_auth->cb->get_msk == NULL)
6fc6879b 126 return -1;
cef8fac0 127 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
6fc6879b
JM		 128}
129
130
131static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
132 int vlan_id,
71934751 133 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 134 u8 *key, size_t key_len)
135{
cef8fac0 136 if (wpa_auth->cb->set_key == NULL)
6fc6879b 137 return -1;
cef8fac0
JB		 138 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
139 key, key_len);
6fc6879b
JM		 140}
141
142
143static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
144 const u8 *addr, int idx, u8 *seq)
145{
cef8fac0 146 if (wpa_auth->cb->get_seqnum == NULL)
6fc6879b 147 return -1;
cef8fac0 148 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
6fc6879b
JM		 149}
150
151
6fc6879b
JM		 152static inline int
153wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
154 const u8 *data, size_t data_len, int encrypt)
155{
cef8fac0 156 if (wpa_auth->cb->send_eapol == NULL)
6fc6879b 157 return -1;
cef8fac0
JB		 158 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
159 encrypt);
6fc6879b
JM		 160}
161
162
c50d94f1
BC		 163#ifdef CONFIG_MESH
164static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
165 const u8 *addr)
166{
cef8fac0 167 if (wpa_auth->cb->start_ampe == NULL)
c50d94f1 168 return -1;
cef8fac0 169 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
c50d94f1
BC		 170}
171#endif /* CONFIG_MESH */
172
173
6fc6879b
JM		 174int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
175 int (*cb)(struct wpa_state_machine *sm, void *ctx),
176 void *cb_ctx)
177{
cef8fac0 178 if (wpa_auth->cb->for_each_sta == NULL)
6fc6879b 179 return 0;
cef8fac0 180 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
6fc6879b
JM		 181}
182
183
bf98f7f3
JM		 184int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
185 int (*cb)(struct wpa_authenticator *a, void *ctx),
186 void *cb_ctx)
187{
cef8fac0 188 if (wpa_auth->cb->for_each_auth == NULL)
bf98f7f3 189 return 0;
cef8fac0 190 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
bf98f7f3
JM		 191}
192
193
6fc6879b
JM		 194void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
195 logger_level level, const char *txt)
196{
cef8fac0 197 if (wpa_auth->cb->logger == NULL)
6fc6879b 198 return;
cef8fac0 199 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
6fc6879b
JM		 200}
201
202
203void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
204 logger_level level, const char *fmt, ...)
205{
206 char *format;
207 int maxlen;
208 va_list ap;
209
cef8fac0 210 if (wpa_auth->cb->logger == NULL)
6fc6879b
JM		 211 return;
212
213 maxlen = os_strlen(fmt) + 100;
214 format = os_malloc(maxlen);
215 if (!format)
216 return;
217
218 va_start(ap, fmt);
219 vsnprintf(format, maxlen, fmt, ap);
220 va_end(ap);
221
222 wpa_auth_logger(wpa_auth, addr, level, format);
223
224 os_free(format);
225}
226
227
228static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
229 const u8 *addr)
230{
cef8fac0 231 if (wpa_auth->cb->disconnect == NULL)
6fc6879b 232 return;
afcc9ea1 233 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
cef8fac0
JB		 234 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr,
235 WLAN_REASON_PREV_AUTH_NOT_VALID);
6fc6879b
JM		 236}
237
238
239static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
240{
56586197 241 int ret = 0;
4ec1fd8e 242#ifdef CONFIG_IEEE80211R_AP
56586197
JM		 243 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
244 ret = 1;
4ec1fd8e 245#endif /* CONFIG_IEEE80211R_AP */
56586197
JM		 246#ifdef CONFIG_IEEE80211W
247 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
248 ret = 1;
249#endif /* CONFIG_IEEE80211W */
a14896e8
JM		 250 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
251 ret = 1;
56586197 252 return ret;
6fc6879b
JM		 253}
254
255
256static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
257{
258 struct wpa_authenticator *wpa_auth = eloop_ctx;
259
3642c431 260 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 261 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
262 "initialization.");
263 } else {
264 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 265 wpa_hexdump_key(MSG_DEBUG, "GMK",
266 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 267 }
268
269 if (wpa_auth->conf.wpa_gmk_rekey) {
270 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
271 wpa_rekey_gmk, wpa_auth, NULL);
272 }
273}
274
275
276static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
277{
278 struct wpa_authenticator *wpa_auth = eloop_ctx;
a0ad9e8c 279 struct wpa_group *group, *next;
6fc6879b
JM		 280
281 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
a0ad9e8c
MB		 282 group = wpa_auth->group;
283 while (group) {
284 wpa_group_get(wpa_auth, group);
285
6fc6879b
JM		 286 group->GTKReKey = TRUE;
287 do {
288 group->changed = FALSE;
289 wpa_group_sm_step(wpa_auth, group);
290 } while (group->changed);
a0ad9e8c
MB		 291
292 next = group->next;
293 wpa_group_put(wpa_auth, group);
294 group = next;
6fc6879b
JM		 295 }
296
297 if (wpa_auth->conf.wpa_group_rekey) {
298 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
299 0, wpa_rekey_gtk, wpa_auth, NULL);
300 }
301}
302
303
581a8cde
JM		 304static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
305{
306 struct wpa_authenticator *wpa_auth = eloop_ctx;
307 struct wpa_state_machine *sm = timeout_ctx;
308
309 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
310 wpa_request_new_ptk(sm);
311 wpa_sm_step(sm);
312}
313
314
6fc6879b
JM		 315static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
316{
317 if (sm->pmksa == ctx)
318 sm->pmksa = NULL;
319 return 0;
320}
321
322
323static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
324 void *ctx)
325{
326 struct wpa_authenticator *wpa_auth = ctx;
327 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
328}
329
330
1bdb7ab3
JM		 331static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
332 struct wpa_group *group)
333{
559cdabb 334 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 335 u8 rkey[32];
559cdabb 336 unsigned long ptr;
1bdb7ab3 337
3642c431 338 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 339 return -1;
340 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
341
342 /*
343 * Counter = PRF-256(Random number, "Init Counter",
344 * Local MAC Address || Time)
345 */
346 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
347 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 348 ptr = (unsigned long) group;
349 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
3642c431 350 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 351 return -1;
352
353 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
354 group->Counter, WPA_NONCE_LEN) < 0)
355 return -1;
356 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
357 group->Counter, WPA_NONCE_LEN);
358
359 return 0;
360}
361
362
e6965d4e 363static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 364 int vlan_id, int delay_init)
e6965d4e
JM		 365{
366 struct wpa_group *group;
e6965d4e
JM		 367
368 group = os_zalloc(sizeof(struct wpa_group));
369 if (group == NULL)
370 return NULL;
371
372 group->GTKAuthenticator = TRUE;
373 group->vlan_id = vlan_id;
c3550295 374 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 375
08704cd8
JM		 376 if (random_pool_ready() != 1) {
377 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
378 "for secure operations - update keys later when "
379 "the first station connects");
380 }
381
1bdb7ab3
JM		 382 /*
383 * Set initial GMK/Counter value here. The actual values that will be
384 * used in negotiations will be set once the first station tries to
385 * connect. This allows more time for collecting additional randomness
386 * on embedded devices.
6fc6879b 387 */
1bdb7ab3 388 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 389 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
390 "initialization.");
391 os_free(group);
392 return NULL;
393 }
6fc6879b
JM		 394
395 group->GInit = TRUE;
bdffdc5d
JM		 396 if (delay_init) {
397 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
398 "until Beacon frames have been configured");
399 /* Initialization is completed in wpa_init_keys(). */
400 } else {
401 wpa_group_sm_step(wpa_auth, group);
402 group->GInit = FALSE;
403 wpa_group_sm_step(wpa_auth, group);
404 }
6fc6879b
JM		 405
406 return group;
407}
408
409
410/**
411 * wpa_init - Initialize WPA authenticator
412 * @addr: Authenticator address
413 * @conf: Configuration for WPA authenticator
a17df5fb 414 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 415 * Returns: Pointer to WPA authenticator data or %NULL on failure
416 */
417struct wpa_authenticator * wpa_init(const u8 *addr,
418 struct wpa_auth_config *conf,
cef8fac0
JB		 419 const struct wpa_auth_callbacks *cb,
420 void *cb_ctx)
6fc6879b
JM		 421{
422 struct wpa_authenticator *wpa_auth;
423
424 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
425 if (wpa_auth == NULL)
426 return NULL;
427 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
428 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
cef8fac0
JB		 429 wpa_auth->cb = cb;
430 wpa_auth->cb_ctx = cb_ctx;
6fc6879b
JM		 431
432 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
433 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
434 os_free(wpa_auth);
435 return NULL;
436 }
437
bdffdc5d 438 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 439 if (wpa_auth->group == NULL) {
440 os_free(wpa_auth->wpa_ie);
441 os_free(wpa_auth);
442 return NULL;
443 }
444
4bb081f1
JM		 445 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
446 wpa_auth);
6fc6879b
JM		 447 if (wpa_auth->pmksa == NULL) {
448 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
27d9701d 449 os_free(wpa_auth->group);
6fc6879b
JM		 450 os_free(wpa_auth->wpa_ie);
451 os_free(wpa_auth);
452 return NULL;
453 }
454
4ec1fd8e 455#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 456 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
457 if (wpa_auth->ft_pmk_cache == NULL) {
458 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
27d9701d 459 os_free(wpa_auth->group);
6fc6879b 460 os_free(wpa_auth->wpa_ie);
4bb081f1 461 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 462 os_free(wpa_auth);
463 return NULL;
464 }
4ec1fd8e 465#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 466
467 if (wpa_auth->conf.wpa_gmk_rekey) {
468 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
469 wpa_rekey_gmk, wpa_auth, NULL);
470 }
471
472 if (wpa_auth->conf.wpa_group_rekey) {
473 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
474 wpa_rekey_gtk, wpa_auth, NULL);
475 }
476
25ef8529
JM		 477#ifdef CONFIG_P2P
478 if (WPA_GET_BE32(conf->ip_addr_start)) {
479 int count = WPA_GET_BE32(conf->ip_addr_end) -
480 WPA_GET_BE32(conf->ip_addr_start) + 1;
481 if (count > 1000)
482 count = 1000;
483 if (count > 0)
484 wpa_auth->ip_pool = bitfield_alloc(count);
485 }
486#endif /* CONFIG_P2P */
487
6fc6879b
JM		 488 return wpa_auth;
489}
490
491
bdffdc5d
JM		 492int wpa_init_keys(struct wpa_authenticator *wpa_auth)
493{
494 struct wpa_group *group = wpa_auth->group;
495
496 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
497 "keys");
498 wpa_group_sm_step(wpa_auth, group);
499 group->GInit = FALSE;
500 wpa_group_sm_step(wpa_auth, group);
7d7f7be2
JM		 501 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
502 return -1;
bdffdc5d
JM		 503 return 0;
504}
505
506
6fc6879b
JM		 507/**
508 * wpa_deinit - Deinitialize WPA authenticator
509 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
510 */
511void wpa_deinit(struct wpa_authenticator *wpa_auth)
512{
513 struct wpa_group *group, *prev;
514
515 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
516 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
517
518#ifdef CONFIG_PEERKEY
519 while (wpa_auth->stsl_negotiations)
520 wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
521#endif /* CONFIG_PEERKEY */
522
4bb081f1 523 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b 524
4ec1fd8e 525#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 526 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
527 wpa_auth->ft_pmk_cache = NULL;
4ec1fd8e 528#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 529
25ef8529
JM		 530#ifdef CONFIG_P2P
531 bitfield_free(wpa_auth->ip_pool);
532#endif /* CONFIG_P2P */
533
534
6fc6879b
JM		 535 os_free(wpa_auth->wpa_ie);
536
537 group = wpa_auth->group;
538 while (group) {
539 prev = group;
540 group = group->next;
541 os_free(prev);
542 }
543
544 os_free(wpa_auth);
545}
546
547
548/**
549 * wpa_reconfig - Update WPA authenticator configuration
550 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
551 * @conf: Configuration for WPA authenticator
552 */
553int wpa_reconfig(struct wpa_authenticator *wpa_auth,
554 struct wpa_auth_config *conf)
555{
e6965d4e 556 struct wpa_group *group;
6fc6879b
JM		 557 if (wpa_auth == NULL)
558 return 0;
559
560 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 561 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
562 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
563 return -1;
564 }
565
e6965d4e
JM		 566 /*
567 * Reinitialize GTK to make sure it is suitable for the new
568 * configuration.
569 */
570 group = wpa_auth->group;
c3550295 571 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 572 group->GInit = TRUE;
573 wpa_group_sm_step(wpa_auth, group);
574 group->GInit = FALSE;
575 wpa_group_sm_step(wpa_auth, group);
576
6fc6879b
JM		 577 return 0;
578}
579
580
581struct wpa_state_machine *
94ddef3e
JM		 582wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
583 const u8 *p2p_dev_addr)
6fc6879b
JM		 584{
585 struct wpa_state_machine *sm;
586
7d7f7be2
JM		 587 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
588 return NULL;
589
6fc6879b
JM		 590 sm = os_zalloc(sizeof(struct wpa_state_machine));
591 if (sm == NULL)
592 return NULL;
593 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 594 if (p2p_dev_addr)
595 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 596
597 sm->wpa_auth = wpa_auth;
598 sm->group = wpa_auth->group;
a0ad9e8c 599 wpa_group_get(sm->wpa_auth, sm->group);
6fc6879b
JM		 600
601 return sm;
602}
603
604
6f9b5d16
JM		 605int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
606 struct wpa_state_machine *sm)
6fc6879b
JM		 607{
608 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 609 return -1;
6fc6879b 610
4ec1fd8e 611#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 612 if (sm->ft_completed) {
613 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
614 "FT authentication already completed - do not "
615 "start 4-way handshake");
3d4d2348
JM		 616 /* Go to PTKINITDONE state to allow GTK rekeying */
617 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 618 sm->Pair = TRUE;
6f9b5d16 619 return 0;
6fc6879b 620 }
4ec1fd8e 621#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 622
07e0117d
JM		 623#ifdef CONFIG_FILS
624 if (sm->fils_completed) {
625 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
626 "FILS authentication already completed - do not start 4-way handshake");
627 /* Go to PTKINITDONE state to allow GTK rekeying */
628 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 629 sm->Pair = TRUE;
07e0117d
JM		 630 return 0;
631 }
632#endif /* CONFIG_FILS */
633
6fc6879b 634 if (sm->started) {
22a299ee 635 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 636 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 637 return wpa_sm_step(sm);
6fc6879b
JM		 638 }
639
640 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
641 "start authentication");
642 sm->started = 1;
643
644 sm->Init = TRUE;
e4a6ea1d 645 if (wpa_sm_step(sm) == 1)
6f9b5d16 646 return 1; /* should not really happen */
6fc6879b
JM		 647 sm->Init = FALSE;
648 sm->AuthenticationRequest = TRUE;
6f9b5d16 649 return wpa_sm_step(sm);
6fc6879b
JM		 650}
651
652
a8d05fca
JM		 653void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
654{
655 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
656 * reassociates back to the same AP while the previous entry for the
657 * STA has not yet been removed. */
658 if (sm == NULL)
659 return;
660
661 sm->wpa_key_mgmt = 0;
662}
663
664
6fc6879b
JM		 665static void wpa_free_sta_sm(struct wpa_state_machine *sm)
666{
25ef8529
JM		 667#ifdef CONFIG_P2P
668 if (WPA_GET_BE32(sm->ip_addr)) {
669 u32 start;
670 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
671 "address %u.%u.%u.%u from " MACSTR,
672 sm->ip_addr[0], sm->ip_addr[1],
673 sm->ip_addr[2], sm->ip_addr[3],
674 MAC2STR(sm->addr));
675 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
676 bitfield_clear(sm->wpa_auth->ip_pool,
677 WPA_GET_BE32(sm->ip_addr) - start);
678 }
679#endif /* CONFIG_P2P */
2ade8ef2
JM		 680 if (sm->GUpdateStationKeys) {
681 sm->group->GKeyDoneStations--;
682 sm->GUpdateStationKeys = FALSE;
683 }
4ec1fd8e 684#ifdef CONFIG_IEEE80211R_AP
0f857f43 685 os_free(sm->assoc_resp_ftie);
692ec305 686 wpabuf_free(sm->ft_pending_req_ies);
4ec1fd8e 687#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 688 os_free(sm->last_rx_eapol_key);
689 os_free(sm->wpa_ie);
a0ad9e8c 690 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b
JM		 691 os_free(sm);
692}
693
694
695void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
696{
697 if (sm == NULL)
698 return;
699
700 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
701 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
702 "strict rekeying - force GTK rekey since STA "
703 "is leaving");
704 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
705 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
706 NULL);
707 }
708
709 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 710 sm->pending_1_of_4_timeout = 0;
6fc6879b 711 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 712 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 713 if (sm->in_step_loop) {
714 /* Must not free state machine while wpa_sm_step() is running.
715 * Freeing will be completed in the end of wpa_sm_step(). */
716 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
717 "machine deinit for " MACSTR, MAC2STR(sm->addr));
718 sm->pending_deinit = 1;
719 } else
720 wpa_free_sta_sm(sm);
721}
722
723
724static void wpa_request_new_ptk(struct wpa_state_machine *sm)
725{
726 if (sm == NULL)
727 return;
728
729 sm->PTKRequest = TRUE;
730 sm->PTK_valid = 0;
731}
732
733
68921e24 734static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 735 const u8 *replay_counter)
736{
737 int i;
738 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 739 if (!ctr[i].valid)
22a299ee 740 break;
68921e24 741 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 742 WPA_REPLAY_COUNTER_LEN) == 0)
743 return 1;
744 }
745 return 0;
746}
747
748
68921e24
JM		 749static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
750 const u8 *replay_counter)
751{
752 int i;
753 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
754 if (ctr[i].valid &&
755 (replay_counter == NULL ||
756 os_memcmp(replay_counter, ctr[i].counter,
757 WPA_REPLAY_COUNTER_LEN) == 0))
758 ctr[i].valid = FALSE;
759 }
760}
761
762
4ec1fd8e 763#ifdef CONFIG_IEEE80211R_AP
0f857f43
JM		 764static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
765 struct wpa_state_machine *sm,
766 struct wpa_eapol_ie_parse *kde)
767{
768 struct wpa_ie_data ie;
769 struct rsn_mdie *mdie;
770
771 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
772 ie.num_pmkid != 1 || ie.pmkid == NULL) {
773 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
774 "FT 4-way handshake message 2/4");
775 return -1;
776 }
777
778 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
779 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
780 sm->sup_pmk_r1_name, PMKID_LEN);
781
782 if (!kde->mdie || !kde->ftie) {
783 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
784 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
785 return -1;
786 }
787
788 mdie = (struct rsn_mdie *) (kde->mdie + 2);
789 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
790 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
791 MOBILITY_DOMAIN_ID_LEN) != 0) {
792 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
793 return -1;
794 }
795
796 if (sm->assoc_resp_ftie &&
797 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
798 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
799 2 + sm->assoc_resp_ftie[1]) != 0)) {
800 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
801 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
802 kde->ftie, kde->ftie_len);
803 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
804 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
805 return -1;
806 }
807
808 return 0;
809}
4ec1fd8e 810#endif /* CONFIG_IEEE80211R_AP */
0f857f43
JM		 811
812
c772d054
JM		 813static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
814 struct wpa_state_machine *sm, int group)
ec027805
JM		 815{
816 /* Supplicant reported a Michael MIC error */
817 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
818 "received EAPOL-Key Error Request "
819 "(STA detected Michael MIC failure (group=%d))",
820 group);
fbc72d32
JM		 821
822 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
823 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
824 "ignore Michael MIC failure report since "
825 "group cipher is not TKIP");
826 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
827 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
828 "ignore Michael MIC failure report since "
829 "pairwise cipher is not TKIP");
830 } else {
c772d054
JM		 831 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
832 return 1; /* STA entry was removed */
fbc72d32
JM		 833 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
834 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
835 }
ec027805
JM		 836
837 /*
838 * Error report is not a request for a new key handshake, but since
839 * Authenticator may do it, let's change the keys now anyway.
840 */
841 wpa_request_new_ptk(sm);
c772d054 842 return 0;
ec027805
JM		 843}
844
845
f23c5b17
JM		 846static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
847 size_t data_len)
848{
849 struct wpa_ptk PTK;
850 int ok = 0;
851 const u8 *pmk = NULL;
207976f0 852 unsigned int pmk_len;
f23c5b17 853
b729fd8d 854 os_memset(&PTK, 0, sizeof(PTK));
f23c5b17
JM		 855 for (;;) {
856 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
857 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
858 sm->p2p_dev_addr, pmk);
859 if (pmk == NULL)
860 break;
207976f0
JM		 861 pmk_len = PMK_LEN;
862 } else {
f23c5b17 863 pmk = sm->PMK;
207976f0
JM		 864 pmk_len = sm->pmk_len;
865 }
f23c5b17 866
207976f0 867 wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK);
f23c5b17
JM		 868
869 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len)
870 == 0) {
871 ok = 1;
872 break;
873 }
874
875 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
876 break;
877 }
878
879 if (!ok) {
880 wpa_printf(MSG_DEBUG,
881 "WPA: Earlier SNonce did not result in matching MIC");
882 return -1;
883 }
884
885 wpa_printf(MSG_DEBUG,
886 "WPA: Earlier SNonce resulted in matching MIC");
887 sm->alt_snonce_valid = 0;
888 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
889 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
890 sm->PTK_valid = TRUE;
891
892 return 0;
893}
894
895
6fc6879b
JM		 896void wpa_receive(struct wpa_authenticator *wpa_auth,
897 struct wpa_state_machine *sm,
898 u8 *data, size_t data_len)
899{
900 struct ieee802_1x_hdr *hdr;
901 struct wpa_eapol_key *key;
902 u16 key_info, key_data_length;
903 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
904 SMK_M1, SMK_M3, SMK_ERROR } msg;
905 char *msgtxt;
906 struct wpa_eapol_ie_parse kde;
3b5b7aa8
JM		 907 const u8 *key_data;
908 size_t keyhdrlen, mic_len;
6d014ffc 909 u8 *mic;
6fc6879b
JM		 910
911 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
912 return;
dc5bad48 913 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
6fc6879b 914
5e3b5197 915 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
6d014ffc 916 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197 917
dc5bad48
JM		 918 if (data_len < sizeof(*hdr) + keyhdrlen) {
919 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
6fc6879b 920 return;
dc5bad48 921 }
6fc6879b
JM		 922
923 hdr = (struct ieee802_1x_hdr *) data;
924 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 925 mic = (u8 *) (key + 1);
6fc6879b 926 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 927 key_data = mic + mic_len + 2;
928 key_data_length = WPA_GET_BE16(mic + mic_len);
0d442aff 929 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
dc5bad48
JM		 930 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
931 MAC2STR(sm->addr), key_info, key->type,
932 (unsigned int) mic_len, key_data_length);
933 wpa_hexdump(MSG_MSGDUMP,
934 "WPA: EAPOL-Key header (ending before Key MIC)",
935 key, sizeof(*key));
936 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
937 mic, mic_len);
5e3b5197 938 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
6fc6879b
JM		 939 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
940 "key_data overflow (%d > %lu)",
941 key_data_length,
942 (unsigned long) (data_len - sizeof(*hdr) -
5e3b5197 943 keyhdrlen));
6fc6879b
JM		 944 return;
945 }
946
f8e96eb6 947 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 948 if (key->type == EAPOL_KEY_TYPE_WPA) {
949 /*
950 * Some deployed station implementations seem to send
951 * msg 4/4 with incorrect type value in WPA2 mode.
952 */
953 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
954 "with unexpected WPA type in RSN mode");
955 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 956 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
957 "unexpected type %d in RSN mode",
958 key->type);
959 return;
960 }
961 } else {
962 if (key->type != EAPOL_KEY_TYPE_WPA) {
963 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
964 "unexpected type %d in WPA mode",
965 key->type);
966 return;
967 }
968 }
969
bc8318ac
JM		 970 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
971 WPA_NONCE_LEN);
972 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
973 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
974
6fc6879b
JM		 975 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
976 * are set */
977
978 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
979 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
980 if (key_info & WPA_KEY_INFO_ERROR) {
981 msg = SMK_ERROR;
982 msgtxt = "SMK Error";
983 } else {
984 msg = SMK_M1;
985 msgtxt = "SMK M1";
986 }
987 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
988 msg = SMK_M3;
989 msgtxt = "SMK M3";
990 } else if (key_info & WPA_KEY_INFO_REQUEST) {
991 msg = REQUEST;
992 msgtxt = "Request";
993 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
994 msg = GROUP_2;
995 msgtxt = "2/2 Group";
3b5b7aa8
JM		 996 } else if (key_data_length == 0 ||
997 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
998 key_data_length == AES_BLOCK_SIZE)) {
6fc6879b
JM		 999 msg = PAIRWISE_4;
1000 msgtxt = "4/4 Pairwise";
1001 } else {
1002 msg = PAIRWISE_2;
1003 msgtxt = "2/4 Pairwise";
1004 }
1005
1006 /* TODO: key_info type validation for PeerKey */
1007 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1008 msg == GROUP_2) {
1009 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 1010 if (sm->pairwise == WPA_CIPHER_CCMP ||
1011 sm->pairwise == WPA_CIPHER_GCMP) {
6fc6879b 1012 if (wpa_use_aes_cmac(sm) &&
a14896e8 1013 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
929a2ea5 1014 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
b9866483 1015 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1016 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1017 wpa_auth_logger(wpa_auth, sm->addr,
1018 LOGGER_WARNING,
1019 "advertised support for "
1020 "AES-128-CMAC, but did not "
1021 "use it");
1022 return;
1023 }
1024
1025 if (!wpa_use_aes_cmac(sm) &&
2449791b 1026 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1027 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1028 wpa_auth_logger(wpa_auth, sm->addr,
1029 LOGGER_WARNING,
1030 "did not use HMAC-SHA1-AES "
eb7719ff 1031 "with CCMP/GCMP");
6fc6879b
JM		 1032 return;
1033 }
1034 }
929a2ea5 1035
2449791b
JM		 1036 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1037 wpa_key_mgmt_fils(sm->wpa_key_mgmt)) &&
929a2ea5
JM		 1038 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1039 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1040 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1041 return;
1042 }
6fc6879b
JM		 1043 }
1044
1045 if (key_info & WPA_KEY_INFO_REQUEST) {
1046 if (sm->req_replay_counter_used &&
1047 os_memcmp(key->replay_counter, sm->req_replay_counter,
1048 WPA_REPLAY_COUNTER_LEN) <= 0) {
1049 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1050 "received EAPOL-Key request with "
1051 "replayed counter");
1052 return;
1053 }
1054 }
1055
1056 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 1057 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 1058 int i;
68921e24
JM		 1059
1060 if (msg == PAIRWISE_2 &&
1061 wpa_replay_counter_valid(sm->prev_key_replay,
1062 key->replay_counter) &&
1063 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1064 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1065 {
1066 /*
1067 * Some supplicant implementations (e.g., Windows XP
1068 * WZC) update SNonce for each EAPOL-Key 2/4. This
1069 * breaks the workaround on accepting any of the
1070 * pending requests, so allow the SNonce to be updated
1071 * even if we have already sent out EAPOL-Key 3/4.
1072 */
1073 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1074 "Process SNonce update from STA "
1075 "based on retransmitted EAPOL-Key "
1076 "1/4");
1077 sm->update_snonce = 1;
f23c5b17
JM		 1078 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1079 sm->alt_snonce_valid = TRUE;
1080 os_memcpy(sm->alt_replay_counter,
1081 sm->key_replay[0].counter,
1082 WPA_REPLAY_COUNTER_LEN);
1083 goto continue_processing;
1084 }
1085
1086 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1087 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1088 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1089 WPA_REPLAY_COUNTER_LEN) == 0) {
1090 /*
1091 * Supplicant may still be using the old SNonce since
1092 * there was two EAPOL-Key 2/4 messages and they had
1093 * different SNonce values.
1094 */
1095 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1096 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
68921e24
JM		 1097 goto continue_processing;
1098 }
1099
1100 if (msg == PAIRWISE_2 &&
1101 wpa_replay_counter_valid(sm->prev_key_replay,
1102 key->replay_counter) &&
1103 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1104 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1105 "ignore retransmitted EAPOL-Key %s - "
1106 "SNonce did not change", msgtxt);
1107 } else {
1108 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1109 "received EAPOL-Key %s with "
1110 "unexpected replay counter", msgtxt);
1111 }
22a299ee
JM		 1112 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1113 if (!sm->key_replay[i].valid)
1114 break;
1115 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1116 sm->key_replay[i].counter,
1117 WPA_REPLAY_COUNTER_LEN);
1118 }
6fc6879b
JM		 1119 wpa_hexdump(MSG_DEBUG, "received replay counter",
1120 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1121 return;
1122 }
1123
68921e24 1124continue_processing:
3b5b7aa8
JM		 1125#ifdef CONFIG_FILS
1126 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1127 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1128 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1129 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1130 return;
1131 }
1132#endif /* CONFIG_FILS */
1133
6fc6879b
JM		 1134 switch (msg) {
1135 case PAIRWISE_2:
1136 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 1137 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1138 (!sm->update_snonce ||
1139 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 1140 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1141 "received EAPOL-Key msg 2/4 in "
1142 "invalid state (%d) - dropped",
1143 sm->wpa_ptk_state);
1144 return;
1145 }
bbb921da 1146 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 1147 if (sm->group->reject_4way_hs_for_entropy) {
1148 /*
1149 * The system did not have enough entropy to generate
1150 * strong random numbers. Reject the first 4-way
1151 * handshake(s) and collect some entropy based on the
1152 * information from it. Once enough entropy is
1153 * available, the next atempt will trigger GMK/Key
1154 * Counter update and the station will be allowed to
1155 * continue.
1156 */
1157 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1158 "collect more entropy for random number "
1159 "generation");
08704cd8 1160 random_mark_pool_ready();
08704cd8
JM		 1161 wpa_sta_disconnect(wpa_auth, sm->addr);
1162 return;
1163 }
6fc6879b
JM		 1164 break;
1165 case PAIRWISE_4:
1166 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1167 !sm->PTK_valid) {
1168 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1169 "received EAPOL-Key msg 4/4 in "
1170 "invalid state (%d) - dropped",
1171 sm->wpa_ptk_state);
1172 return;
1173 }
1174 break;
1175 case GROUP_2:
1176 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1177 || !sm->PTK_valid) {
1178 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1179 "received EAPOL-Key msg 2/2 in "
1180 "invalid state (%d) - dropped",
1181 sm->wpa_ptk_group_state);
1182 return;
1183 }
1184 break;
1185#ifdef CONFIG_PEERKEY
1186 case SMK_M1:
1187 case SMK_M3:
1188 case SMK_ERROR:
1189 if (!wpa_auth->conf.peerkey) {
1190 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1191 "PeerKey use disabled - ignoring message");
1192 return;
1193 }
1194 if (!sm->PTK_valid) {
1195 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1196 "received EAPOL-Key msg SMK in "
1197 "invalid state - dropped");
1198 return;
1199 }
1200 break;
1201#else /* CONFIG_PEERKEY */
1202 case SMK_M1:
1203 case SMK_M3:
1204 case SMK_ERROR:
1205 return; /* STSL disabled - ignore SMK messages */
1206#endif /* CONFIG_PEERKEY */
1207 case REQUEST:
1208 break;
1209 }
1210
1211 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1212 "received EAPOL-Key frame (%s)", msgtxt);
1213
1214 if (key_info & WPA_KEY_INFO_ACK) {
1215 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1216 "received invalid EAPOL-Key: Key Ack set");
1217 return;
1218 }
1219
b9866483
JM		 1220 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1221 !(key_info & WPA_KEY_INFO_MIC)) {
6fc6879b
JM		 1222 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1223 "received invalid EAPOL-Key: Key MIC not set");
1224 return;
1225 }
1226
b9866483
JM		 1227#ifdef CONFIG_FILS
1228 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1229 (key_info & WPA_KEY_INFO_MIC)) {
1230 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1231 "received invalid EAPOL-Key: Key MIC set");
1232 return;
1233 }
1234#endif /* CONFIG_FILS */
1235
6fc6879b 1236 sm->MICVerified = FALSE;
68921e24 1237 if (sm->PTK_valid && !sm->update_snonce) {
3b5b7aa8
JM		 1238 if (mic_len &&
1239 wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data,
f23c5b17
JM		 1240 data_len) &&
1241 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1242 wpa_try_alt_snonce(sm, data, data_len))) {
6fc6879b
JM		 1243 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1244 "received EAPOL-Key with invalid MIC");
1245 return;
1246 }
75c8563e
JM		 1247#ifdef CONFIG_FILS
1248 if (!mic_len &&
1249 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1250 &key_data_length) < 0) {
1251 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1252 "received EAPOL-Key with invalid MIC");
1253 return;
1254 }
1255#endif /* CONFIG_FILS */
6fc6879b
JM		 1256 sm->MICVerified = TRUE;
1257 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1258 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1259 }
1260
1261 if (key_info & WPA_KEY_INFO_REQUEST) {
1262 if (sm->MICVerified) {
1263 sm->req_replay_counter_used = 1;
1264 os_memcpy(sm->req_replay_counter, key->replay_counter,
1265 WPA_REPLAY_COUNTER_LEN);
1266 } else {
1267 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1268 "received EAPOL-Key request with "
1269 "invalid MIC");
1270 return;
1271 }
1272
1273 /*
1274 * TODO: should decrypt key data field if encryption was used;
1275 * even though MAC address KDE is not normally encrypted,
1276 * supplicant is allowed to encrypt it.
1277 */
1278 if (msg == SMK_ERROR) {
1279#ifdef CONFIG_PEERKEY
5e3b5197 1280 wpa_smk_error(wpa_auth, sm, key_data, key_data_length);
6fc6879b
JM		 1281#endif /* CONFIG_PEERKEY */
1282 return;
1283 } else if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1284 if (wpa_receive_error_report(
1285 wpa_auth, sm,
1286 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1287 return; /* STA entry was removed */
6fc6879b
JM		 1288 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1289 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1290 "received EAPOL-Key Request for new "
1291 "4-Way Handshake");
1292 wpa_request_new_ptk(sm);
1293#ifdef CONFIG_PEERKEY
1294 } else if (msg == SMK_M1) {
5e3b5197 1295 wpa_smk_m1(wpa_auth, sm, key, key_data,
5c6787a6 1296 key_data_length);
6fc6879b
JM		 1297#endif /* CONFIG_PEERKEY */
1298 } else if (key_data_length > 0 &&
5e3b5197
JM		 1299 wpa_parse_kde_ies(key_data, key_data_length,
1300 &kde) == 0 &&
6fc6879b
JM		 1301 kde.mac_addr) {
1302 } else {
1303 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1304 "received EAPOL-Key Request for GTK "
1305 "rekeying");
6fc6879b
JM		 1306 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1307 wpa_rekey_gtk(wpa_auth, NULL);
1308 }
1309 } else {
68921e24
JM		 1310 /* Do not allow the same key replay counter to be reused. */
1311 wpa_replay_counter_mark_invalid(sm->key_replay,
1312 key->replay_counter);
1313
1314 if (msg == PAIRWISE_2) {
1315 /*
1316 * Maintain a copy of the pending EAPOL-Key frames in
1317 * case the EAPOL-Key frame was retransmitted. This is
1318 * needed to allow EAPOL-Key msg 2/4 reply to another
1319 * pending msg 1/4 to update the SNonce to work around
1320 * unexpected supplicant behavior.
1321 */
1322 os_memcpy(sm->prev_key_replay, sm->key_replay,
1323 sizeof(sm->key_replay));
1324 } else {
1325 os_memset(sm->prev_key_replay, 0,
1326 sizeof(sm->prev_key_replay));
1327 }
1328
1329 /*
1330 * Make sure old valid counters are not accepted anymore and
1331 * do not get copied again.
1332 */
1333 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1334 }
1335
1336#ifdef CONFIG_PEERKEY
1337 if (msg == SMK_M3) {
5e3b5197 1338 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length);
6fc6879b
JM		 1339 return;
1340 }
1341#endif /* CONFIG_PEERKEY */
1342
1343 os_free(sm->last_rx_eapol_key);
1344 sm->last_rx_eapol_key = os_malloc(data_len);
1345 if (sm->last_rx_eapol_key == NULL)
1346 return;
1347 os_memcpy(sm->last_rx_eapol_key, data, data_len);
1348 sm->last_rx_eapol_key_len = data_len;
1349
0d442aff 1350 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1351 sm->EAPOLKeyReceived = TRUE;
1352 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1353 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1354 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1355 wpa_sm_step(sm);
1356}
1357
1358
3c7302c2
JM		 1359static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1360 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1361{
5cb9d5c3
JM		 1362 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1363 u8 *pos;
3c7302c2 1364 int ret = 0;
6fc6879b 1365
5cb9d5c3
JM		 1366 /* GTK = PRF-X(GMK, "Group key expansion",
1367 * AA || GNonce || Time || random data)
1368 * The example described in the IEEE 802.11 standard uses only AA and
1369 * GNonce as inputs here. Add some more entropy since this derivation
1370 * is done only at the Authenticator and as such, does not need to be
1371 * exactly same.
1372 */
6fc6879b
JM		 1373 os_memcpy(data, addr, ETH_ALEN);
1374 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1375 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1376 wpa_get_ntp_timestamp(pos);
1377 pos += 8;
3642c431 1378 if (random_get_bytes(pos, 16) < 0)
3c7302c2 1379 ret = -1;
6fc6879b 1380
56586197 1381#ifdef CONFIG_IEEE80211W
5cb9d5c3 1382 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
56586197 1383#else /* CONFIG_IEEE80211W */
3c7302c2
JM		 1384 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1385 < 0)
1386 ret = -1;
56586197 1387#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 1388
1389 return ret;
6fc6879b
JM		 1390}
1391
1392
1393static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1394{
1395 struct wpa_authenticator *wpa_auth = eloop_ctx;
1396 struct wpa_state_machine *sm = timeout_ctx;
1397
e4bf4db9 1398 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1399 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1400 sm->TimeoutEvt = TRUE;
1401 wpa_sm_step(sm);
1402}
1403
1404
1405void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1406 struct wpa_state_machine *sm, int key_info,
1407 const u8 *key_rsc, const u8 *nonce,
1408 const u8 *kde, size_t kde_len,
1409 int keyidx, int encr, int force_version)
1410{
1411 struct ieee802_1x_hdr *hdr;
1412 struct wpa_eapol_key *key;
5e3b5197 1413 size_t len, mic_len, keyhdrlen;
6fc6879b
JM		 1414 int alg;
1415 int key_data_len, pad_len = 0;
1416 u8 *buf, *pos;
1417 int version, pairwise;
22a299ee 1418 int i;
6d014ffc 1419 u8 *key_mic, *key_data;
6fc6879b 1420
5e3b5197 1421 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
6d014ffc 1422 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1423
1424 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
6fc6879b
JM		 1425
1426 if (force_version)
1427 version = force_version;
929a2ea5 1428 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
36a50fd4
JM		 1429 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1430 wpa_key_mgmt_fils(sm->wpa_key_mgmt))
a14896e8 1431 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
6fc6879b
JM		 1432 else if (wpa_use_aes_cmac(sm))
1433 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1434 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1435 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1436 else
1437 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1438
8543ed8a 1439 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1440
1441 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1442 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1443 "encr=%d)",
1444 version,
1445 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1446 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1447 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1448 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1449 pairwise, (unsigned long) kde_len, keyidx, encr);
1450
1451 key_data_len = kde_len;
1452
1453 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
a14896e8 1454 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1455 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b
JM		 1456 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1457 pad_len = key_data_len % 8;
1458 if (pad_len)
1459 pad_len = 8 - pad_len;
1460 key_data_len += pad_len + 8;
1461 }
1462
1463 len += key_data_len;
b729fd8d
JM		 1464 if (!mic_len && encr)
1465 len += AES_BLOCK_SIZE;
6fc6879b
JM		 1466
1467 hdr = os_zalloc(len);
1468 if (hdr == NULL)
1469 return;
1470 hdr->version = wpa_auth->conf.eapol_version;
1471 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1472 hdr->length = host_to_be16(len - sizeof(*hdr));
1473 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1474 key_mic = (u8 *) (key + 1);
5e3b5197 1475 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
6fc6879b
JM		 1476
1477 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1478 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1479 key_info |= version;
1480 if (encr && sm->wpa == WPA_VERSION_WPA2)
1481 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1482 if (sm->wpa != WPA_VERSION_WPA2)
1483 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1484 WPA_PUT_BE16(key->key_info, key_info);
1485
1486 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
caab23f1
JM		 1487 if ((key_info & WPA_KEY_INFO_SMK_MESSAGE) ||
1488 (sm->wpa == WPA_VERSION_WPA2 && !pairwise))
6fc6879b 1489 WPA_PUT_BE16(key->key_length, 0);
caab23f1
JM		 1490 else
1491 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b
JM		 1492
1493 /* FIX: STSL: what to use as key_replay_counter? */
22a299ee
JM		 1494 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1495 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1496 os_memcpy(sm->key_replay[i].counter,
1497 sm->key_replay[i - 1].counter,
1498 WPA_REPLAY_COUNTER_LEN);
1499 }
1500 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1501 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1502 WPA_REPLAY_COUNTER_LEN);
db099951
JM		 1503 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1504 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
22a299ee 1505 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1506
1507 if (nonce)
1508 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1509
1510 if (key_rsc)
1511 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1512
1513 if (kde && !encr) {
5e3b5197 1514 os_memcpy(key_data, kde, kde_len);
6d014ffc 1515 WPA_PUT_BE16(key_mic + mic_len, kde_len);
b729fd8d
JM		 1516#ifdef CONFIG_FILS
1517 } else if (!mic_len) {
1518 const u8 *aad[1];
1519 size_t aad_len[1];
1520
1521 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1522 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1523 kde, kde_len);
1524
1525 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1526 sm->PTK.kek, sm->PTK.kek_len);
1527 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1528 * to Key Data (exclusive). */
1529 aad[0] = (u8 *) hdr;
1530 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1531 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1532 1, aad, aad_len, key_mic + 2) < 0) {
1533 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1534 return;
1535 }
1536
1537 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1538 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1539#endif /* CONFIG_FILS */
6fc6879b
JM		 1540 } else if (encr && kde) {
1541 buf = os_zalloc(key_data_len);
1542 if (buf == NULL) {
1543 os_free(hdr);
1544 return;
1545 }
1546 pos = buf;
1547 os_memcpy(pos, kde, kde_len);
1548 pos += kde_len;
1549
1550 if (pad_len)
1551 *pos++ = 0xdd;
1552
1553 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1554 buf, key_data_len);
1555 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
a14896e8 1556 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1557 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b 1558 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
98cd3d1c 1559 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
5e3b5197 1560 (key_data_len - 8) / 8, buf, key_data)) {
6fc6879b
JM		 1561 os_free(hdr);
1562 os_free(buf);
1563 return;
1564 }
6d014ffc 1565 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1566#ifndef CONFIG_NO_RC4
98cd3d1c 1567 } else if (sm->PTK.kek_len == 16) {
6fc6879b
JM		 1568 u8 ek[32];
1569 os_memcpy(key->key_iv,
1570 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1571 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1572 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1573 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
5e3b5197
JM		 1574 os_memcpy(key_data, buf, key_data_len);
1575 rc4_skip(ek, 32, 256, key_data, key_data_len);
6d014ffc 1576 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1577#endif /* CONFIG_NO_RC4 */
98cd3d1c
JM		 1578 } else {
1579 os_free(hdr);
1580 os_free(buf);
1581 return;
6fc6879b
JM		 1582 }
1583 os_free(buf);
1584 }
1585
1586 if (key_info & WPA_KEY_INFO_MIC) {
b729fd8d 1587 if (!sm->PTK_valid || !mic_len) {
6fc6879b
JM		 1588 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1589 "PTK not valid when sending EAPOL-Key "
1590 "frame");
1591 os_free(hdr);
1592 return;
1593 }
5e3b5197 1594
98cd3d1c
JM		 1595 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1596 sm->wpa_key_mgmt, version,
5e3b5197 1597 (u8 *) hdr, len, key_mic);
7af092a0
JB		 1598#ifdef CONFIG_TESTING_OPTIONS
1599 if (!pairwise &&
06df2aa6 1600 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
7af092a0
JB		 1601 drand48() <
1602 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1603 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1604 "Corrupting group EAPOL-Key Key MIC");
5e3b5197 1605 key_mic[0]++;
7af092a0
JB		 1606 }
1607#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1608 }
1609
1610 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1611 1);
1612 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1613 sm->pairwise_set);
1614 os_free(hdr);
1615}
1616
1617
1618static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1619 struct wpa_state_machine *sm, int key_info,
1620 const u8 *key_rsc, const u8 *nonce,
1621 const u8 *kde, size_t kde_len,
1622 int keyidx, int encr)
1623{
1624 int timeout_ms;
1625 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
bae61562 1626 int ctr;
6fc6879b
JM		 1627
1628 if (sm == NULL)
1629 return;
1630
1631 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1632 keyidx, encr, 0);
1633
bae61562 1634 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1635 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1636 timeout_ms = pairwise ? eapol_key_timeout_first :
1637 eapol_key_timeout_first_group;
bae61562
JM		 1638 else
1639 timeout_ms = eapol_key_timeout_subseq;
e4bf4db9
JM		 1640 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1641 sm->pending_1_of_4_timeout = 1;
1642 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1643 "counter %d)", timeout_ms, ctr);
6fc6879b
JM		 1644 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1645 wpa_send_eapol_timeout, wpa_auth, sm);
1646}
1647
1648
929a2ea5
JM		 1649static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
1650 size_t data_len)
6fc6879b
JM		 1651{
1652 struct ieee802_1x_hdr *hdr;
1653 struct wpa_eapol_key *key;
1654 u16 key_info;
1655 int ret = 0;
6d014ffc 1656 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
5e3b5197 1657 size_t mic_len = wpa_mic_len(akmp);
6fc6879b
JM		 1658
1659 if (data_len < sizeof(*hdr) + sizeof(*key))
1660 return -1;
1661
1662 hdr = (struct ieee802_1x_hdr *) data;
1663 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1664 mic_pos = (u8 *) (key + 1);
6fc6879b 1665 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 1666 os_memcpy(mic, mic_pos, mic_len);
1667 os_memset(mic_pos, 0, mic_len);
98cd3d1c
JM		 1668 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1669 key_info & WPA_KEY_INFO_TYPE_MASK,
6d014ffc
JM		 1670 data, data_len, mic_pos) ||
1671 os_memcmp_const(mic, mic_pos, mic_len) != 0)
6fc6879b 1672 ret = -1;
6d014ffc 1673 os_memcpy(mic_pos, mic, mic_len);
6fc6879b
JM		 1674 return ret;
1675}
1676
1677
1678void wpa_remove_ptk(struct wpa_state_machine *sm)
1679{
1680 sm->PTK_valid = FALSE;
1681 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2a0b86d3
JM		 1682 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1683 0))
1684 wpa_printf(MSG_DEBUG,
1685 "RSN: PTK removal from the driver failed");
6fc6879b 1686 sm->pairwise_set = FALSE;
581a8cde 1687 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1688}
1689
1690
bb119228 1691int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
6fc6879b 1692{
5d22a1d5
JM		 1693 int remove_ptk = 1;
1694
6fc6879b 1695 if (sm == NULL)
6f9b5d16 1696 return -1;
6fc6879b
JM		 1697
1698 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1699 "event %d notification", event);
1700
1701 switch (event) {
1702 case WPA_AUTH:
c50d94f1
BC		 1703#ifdef CONFIG_MESH
1704 /* PTKs are derived through AMPE */
1705 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1706 /* not mesh */
1707 break;
1708 }
1709 return 0;
1710#endif /* CONFIG_MESH */
6fc6879b
JM		 1711 case WPA_ASSOC:
1712 break;
1713 case WPA_DEAUTH:
1714 case WPA_DISASSOC:
1715 sm->DeauthenticationRequest = TRUE;
1716 break;
1717 case WPA_REAUTH:
1718 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1719 if (!sm->started) {
1720 /*
1721 * When using WPS, we may end up here if the STA
1722 * manages to re-associate without the previous STA
1723 * entry getting removed. Consequently, we need to make
1724 * sure that the WPA state machines gets initialized
1725 * properly at this point.
1726 */
1727 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1728 "started - initialize now");
1729 sm->started = 1;
1730 sm->Init = TRUE;
1731 if (wpa_sm_step(sm) == 1)
1732 return 1; /* should not really happen */
1733 sm->Init = FALSE;
1734 sm->AuthenticationRequest = TRUE;
1735 break;
1736 }
9663596f
JM		 1737 if (sm->GUpdateStationKeys) {
1738 /*
1739 * Reauthentication cancels the pending group key
1740 * update for this STA.
1741 */
1742 sm->group->GKeyDoneStations--;
1743 sm->GUpdateStationKeys = FALSE;
1744 sm->PtkGroupInit = TRUE;
1745 }
6fc6879b
JM		 1746 sm->ReAuthenticationRequest = TRUE;
1747 break;
1748 case WPA_ASSOC_FT:
4ec1fd8e 1749#ifdef CONFIG_IEEE80211R_AP
81a658d7
JM		 1750 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1751 "after association");
1752 wpa_ft_install_ptk(sm);
1753
6fc6879b
JM		 1754 /* Using FT protocol, not WPA auth state machine */
1755 sm->ft_completed = 1;
6f9b5d16 1756 return 0;
4ec1fd8e 1757#else /* CONFIG_IEEE80211R_AP */
6fc6879b 1758 break;
4ec1fd8e 1759#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1760 }
1761
4ec1fd8e 1762#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1763 sm->ft_completed = 0;
4ec1fd8e 1764#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1765
5d22a1d5
JM		 1766#ifdef CONFIG_IEEE80211W
1767 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1768 remove_ptk = 0;
1769#endif /* CONFIG_IEEE80211W */
78815f3d 1770#ifdef CONFIG_FILS
da24c5aa
JM		 1771 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1772 (event == WPA_AUTH || event == WPA_ASSOC))
78815f3d
JM		 1773 remove_ptk = 0;
1774#endif /* CONFIG_FILS */
6fc6879b 1775
5d22a1d5
JM		 1776 if (remove_ptk) {
1777 sm->PTK_valid = FALSE;
1778 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1779
1780 if (event != WPA_REAUTH_EAPOL)
1781 wpa_remove_ptk(sm);
1782 }
6fc6879b 1783
43f49c37
JM		 1784 if (sm->in_step_loop) {
1785 /*
1786 * wpa_sm_step() is already running - avoid recursive call to
1787 * it by making the existing loop process the new update.
1788 */
1789 sm->changed = TRUE;
1790 return 0;
1791 }
6f9b5d16 1792 return wpa_sm_step(sm);
6fc6879b
JM		 1793}
1794
1795
6fc6879b
JM		 1796SM_STATE(WPA_PTK, INITIALIZE)
1797{
1798 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1799 if (sm->Init) {
1800 /* Init flag is not cleared here, so avoid busy
1801 * loop by claiming nothing changed. */
1802 sm->changed = FALSE;
1803 }
1804
1805 sm->keycount = 0;
1806 if (sm->GUpdateStationKeys)
1807 sm->group->GKeyDoneStations--;
1808 sm->GUpdateStationKeys = FALSE;
1809 if (sm->wpa == WPA_VERSION_WPA)
1810 sm->PInitAKeys = FALSE;
1811 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1812 * Local AA > Remote AA)) */) {
1813 sm->Pair = TRUE;
1814 }
1815 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1816 wpa_remove_ptk(sm);
1817 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1818 sm->TimeoutCtr = 0;
56586197 1819 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 1820 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1821 WPA_EAPOL_authorized, 0);
1822 }
1823}
1824
1825
1826SM_STATE(WPA_PTK, DISCONNECT)
1827{
1828 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1829 sm->Disconnect = FALSE;
1830 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1831}
1832
1833
1834SM_STATE(WPA_PTK, DISCONNECTED)
1835{
1836 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1837 sm->DeauthenticationRequest = FALSE;
1838}
1839
1840
1841SM_STATE(WPA_PTK, AUTHENTICATION)
1842{
1843 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1844 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1845 sm->PTK_valid = FALSE;
1846 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1847 1);
1848 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1849 sm->AuthenticationRequest = FALSE;
1850}
1851
1852
40d00d2b
NC		 1853static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1854 struct wpa_group *group)
1bdb7ab3 1855{
40d00d2b
NC		 1856 if (group->first_sta_seen)
1857 return;
1bdb7ab3
JM		 1858 /*
1859 * System has run bit further than at the time hostapd was started
1860 * potentially very early during boot up. This provides better chances
1861 * of collecting more randomness on embedded systems. Re-initialize the
1862 * GMK and Counter here to improve their strength if there was not
1863 * enough entropy available immediately after system startup.
1864 */
1865 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1866 "station");
08704cd8
JM		 1867 if (random_pool_ready() != 1) {
1868 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1869 "to proceed - reject first 4-way handshake");
1870 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1871 } else {
1872 group->first_sta_seen = TRUE;
1873 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1874 }
40d00d2b 1875
aac1efec
JM		 1876 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1877 wpa_gtk_update(wpa_auth, group) < 0 ||
1878 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1879 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1880 group->first_sta_seen = FALSE;
1881 group->reject_4way_hs_for_entropy = TRUE;
1882 }
1bdb7ab3
JM		 1883}
1884
1885
6fc6879b
JM		 1886SM_STATE(WPA_PTK, AUTHENTICATION2)
1887{
1888 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1889
40d00d2b 1890 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1891 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1892
3825a19b
JM		 1893 /*
1894 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1895 * ambiguous. The Authenticator state machine uses a counter that is
1896 * incremented by one for each 4-way handshake. However, the security
1897 * analysis of 4-way handshake points out that unpredictable nonces
1898 * help in preventing precomputation attacks. Instead of the state
1899 * machine definition, use an unpredictable nonce value here to provide
1900 * stronger protection against potential precomputation attacks.
1901 */
1902 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1903 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1904 "ANonce.");
65a32cdb 1905 sm->Disconnect = TRUE;
3825a19b
JM		 1906 return;
1907 }
bc8318ac
JM		 1908 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1909 WPA_NONCE_LEN);
6fc6879b
JM		 1910 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1911 * logical place than INITIALIZE since AUTHENTICATION2 can be
1912 * re-entered on ReAuthenticationRequest without going through
1913 * INITIALIZE. */
1914 sm->TimeoutCtr = 0;
1915}
1916
1917
1918SM_STATE(WPA_PTK, INITPMK)
1919{
1920 u8 msk[2 * PMK_LEN];
1921 size_t len = 2 * PMK_LEN;
1922
1923 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
4ec1fd8e 1924#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1925 sm->xxkey_len = 0;
4ec1fd8e 1926#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1927 if (sm->pmksa) {
1928 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
207976f0
JM		 1929 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1930 sm->pmk_len = sm->pmksa->pmk_len;
6fc6879b 1931 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
207976f0
JM		 1932 unsigned int pmk_len;
1933
1934 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
1935 pmk_len = PMK_LEN_SUITE_B_192;
1936 else
1937 pmk_len = PMK_LEN;
6fc6879b 1938 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
207976f0
JM		 1939 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1940 pmk_len);
1941 if (len < pmk_len) {
1942 wpa_printf(MSG_DEBUG,
1943 "WPA: MSK not long enough (%u) to create PMK (%u)",
1944 (unsigned int) len, (unsigned int) pmk_len);
1945 sm->Disconnect = TRUE;
1946 return;
1947 }
1948 os_memcpy(sm->PMK, msk, pmk_len);
1949 sm->pmk_len = pmk_len;
4ec1fd8e 1950#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 1951 if (len >= 2 * PMK_LEN) {
1952 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1953 sm->xxkey_len = PMK_LEN;
1954 }
4ec1fd8e 1955#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1956 } else {
400de9b1 1957 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
cef8fac0 1958 sm->wpa_auth->cb->get_msk);
1180dd66
JM		 1959 sm->Disconnect = TRUE;
1960 return;
6fc6879b 1961 }
40aaa64f 1962 os_memset(msk, 0, sizeof(msk));
6fc6879b
JM		 1963
1964 sm->req_replay_counter_used = 0;
1965 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1966 * will break reauthentication since EAPOL state machines may not be
1967 * get into AUTHENTICATING state that clears keyRun before WPA state
1968 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1969 * state and takes PMK from the previously used AAA Key. This will
1970 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1971 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1972 * be good workaround for this issue. */
1973 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1974}
1975
1976
1977SM_STATE(WPA_PTK, INITPSK)
1978{
1979 const u8 *psk;
1980 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
759fd76b 1981 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
6fc6879b
JM		 1982 if (psk) {
1983 os_memcpy(sm->PMK, psk, PMK_LEN);
207976f0 1984 sm->pmk_len = PMK_LEN;
4ec1fd8e 1985#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 1986 os_memcpy(sm->xxkey, psk, PMK_LEN);
1987 sm->xxkey_len = PMK_LEN;
4ec1fd8e 1988#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1989 }
1990 sm->req_replay_counter_used = 0;
1991}
1992
1993
1994SM_STATE(WPA_PTK, PTKSTART)
1995{
1996 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
1997 size_t pmkid_len = 0;
1998
1999 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2000 sm->PTKRequest = FALSE;
2001 sm->TimeoutEvt = FALSE;
f23c5b17 2002 sm->alt_snonce_valid = FALSE;
bae61562
JM		 2003
2004 sm->TimeoutCtr++;
2005 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
2006 /* No point in sending the EAPOL-Key - we will disconnect
2007 * immediately following this. */
2008 return;
2009 }
2010
6fc6879b
JM		 2011 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2012 "sending 1/4 msg of 4-Way Handshake");
2013 /*
2014 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
2015 * one possible PSK for this STA.
2016 */
2017 if (sm->wpa == WPA_VERSION_WPA2 &&
a14896e8
JM		 2018 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2019 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
6fc6879b
JM		 2020 pmkid = buf;
2021 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2022 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2023 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2024 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
929a2ea5 2025 if (sm->pmksa) {
6fc6879b
JM		 2026 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2027 sm->pmksa->pmkid, PMKID_LEN);
929a2ea5
JM		 2028 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2029 /* No KCK available to derive PMKID */
2030 pmkid = NULL;
2031 } else {
6fc6879b
JM		 2032 /*
2033 * Calculate PMKID since no PMKSA cache entry was
2034 * available with pre-calculated PMKID.
2035 */
207976f0 2036 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
56586197
JM		 2037 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2038 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
6fc6879b
JM		 2039 }
2040 }
2041 wpa_send_eapol(sm->wpa_auth, sm,
2042 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2043 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 2044}
2045
2046
f23c5b17 2047static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 2048 const u8 *pmk, unsigned int pmk_len,
2049 struct wpa_ptk *ptk)
6fc6879b 2050{
4ec1fd8e 2051#ifdef CONFIG_IEEE80211R_AP
56586197 2052 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
98cd3d1c 2053 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
4ec1fd8e 2054#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2055
207976f0 2056 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
98cd3d1c
JM		 2057 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2058 ptk, sm->wpa_key_mgmt, sm->pairwise);
6fc6879b
JM		 2059}
2060
2061
3b5b7aa8 2062#ifdef CONFIG_FILS
c4fd6d8a
JM		 2063
2064int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2065 size_t pmk_len, const u8 *snonce, const u8 *anonce)
2066{
2067 u8 ick[FILS_ICK_MAX_LEN];
2068 size_t ick_len;
2069 int res;
2070
2071 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
2072 snonce, anonce, &sm->PTK, ick, &ick_len,
2073 sm->wpa_key_mgmt, sm->pairwise);
2074 if (res < 0)
2075 return res;
2076 sm->PTK_valid = TRUE;
2077
2078 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2079 sm->addr, sm->wpa_auth->addr,
2080 NULL, 0, NULL, 0, /* TODO: SK+PFS */
2081 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2082 sm->fils_key_auth_ap,
2083 &sm->fils_key_auth_len);
2084 os_memset(ick, 0, sizeof(ick));
78815f3d
JM		 2085
2086 /* Store nonces for (Re)Association Request/Response frame processing */
2087 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2088 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2089
c4fd6d8a
JM		 2090 return res;
2091}
2092
2093
3b5b7aa8 2094static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
75c8563e 2095 u8 *buf, size_t buf_len, u16 *_key_data_len)
3b5b7aa8
JM		 2096{
2097 struct ieee802_1x_hdr *hdr;
2098 struct wpa_eapol_key *key;
2099 u8 *pos;
2100 u16 key_data_len;
2101 u8 *tmp;
2102 const u8 *aad[1];
2103 size_t aad_len[1];
2104
75c8563e 2105 hdr = (struct ieee802_1x_hdr *) buf;
3b5b7aa8
JM		 2106 key = (struct wpa_eapol_key *) (hdr + 1);
2107 pos = (u8 *) (key + 1);
2108 key_data_len = WPA_GET_BE16(pos);
2109 if (key_data_len < AES_BLOCK_SIZE ||
2110 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2111 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2112 "No room for AES-SIV data in the frame");
2113 return -1;
2114 }
2115 pos += 2; /* Pointing at the Encrypted Key Data field */
2116
2117 tmp = os_malloc(key_data_len);
2118 if (!tmp)
2119 return -1;
2120
2121 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2122 * to Key Data (exclusive). */
75c8563e
JM		 2123 aad[0] = buf;
2124 aad_len[0] = pos - buf;
3b5b7aa8
JM		 2125 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2126 1, aad, aad_len, tmp) < 0) {
2127 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2128 "Invalid AES-SIV data in the frame");
2129 bin_clear_free(tmp, key_data_len);
2130 return -1;
2131 }
2132
2133 /* AEAD decryption and validation completed successfully */
2134 key_data_len -= AES_BLOCK_SIZE;
2135 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2136 tmp, key_data_len);
2137
2138 /* Replace Key Data field with the decrypted version */
2139 os_memcpy(pos, tmp, key_data_len);
2140 pos -= 2; /* Key Data Length field */
2141 WPA_PUT_BE16(pos, key_data_len);
2142 bin_clear_free(tmp, key_data_len);
2143 if (_key_data_len)
2144 *_key_data_len = key_data_len;
2145 return 0;
2146}
78815f3d
JM		 2147
2148
2149int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2150 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2151 u8 *pos, size_t left)
2152{
2153 u16 fc, stype;
2154 const u8 *end, *ie_start, *ie, *session, *crypt;
2155 struct ieee802_11_elems elems;
2156 const u8 *aad[5];
2157 size_t aad_len[5];
2158
2159 if (!sm || !sm->PTK_valid) {
2160 wpa_printf(MSG_DEBUG,
2161 "FILS: No KEK to decrypt Assocication Request frame");
2162 return -1;
2163 }
2164
2165 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2166 wpa_printf(MSG_DEBUG,
2167 "FILS: Not a FILS AKM - reject association");
2168 return -1;
2169 }
2170
2171 end = ((const u8 *) mgmt) + frame_len;
2172 fc = le_to_host16(mgmt->frame_control);
2173 stype = WLAN_FC_GET_STYPE(fc);
2174 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2175 ie_start = mgmt->u.reassoc_req.variable;
2176 else
2177 ie_start = mgmt->u.assoc_req.variable;
2178 ie = ie_start;
2179
2180 /*
2181 * Find FILS Session element which is the last unencrypted element in
2182 * the frame.
2183 */
2184 session = NULL;
2185 while (ie + 1 < end) {
2186 if (ie + 2 + ie[1] > end)
2187 break;
2188 if (ie[0] == WLAN_EID_EXTENSION &&
2189 ie[1] >= 1 + FILS_SESSION_LEN &&
2190 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2191 session = ie;
2192 break;
2193 }
2194 ie += 2 + ie[1];
2195 }
2196
2197 if (!session) {
2198 wpa_printf(MSG_DEBUG,
2199 "FILS: Could not find FILS Session element in Association Request frame - reject");
2200 return -1;
2201 }
2202 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2203 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2204 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2205 fils_session, FILS_SESSION_LEN);
2206 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2207 session + 3, FILS_SESSION_LEN);
2208 return -1;
2209 }
2210 crypt = session + 2 + session[1];
2211
2212 if (end - crypt < AES_BLOCK_SIZE) {
2213 wpa_printf(MSG_DEBUG,
2214 "FILS: Too short frame to include AES-SIV data");
2215 return -1;
2216 }
2217
2218 /* AES-SIV AAD vectors */
2219
2220 /* The STA's MAC address */
2221 aad[0] = mgmt->sa;
2222 aad_len[0] = ETH_ALEN;
2223 /* The AP's BSSID */
2224 aad[1] = mgmt->da;
2225 aad_len[1] = ETH_ALEN;
2226 /* The STA's nonce */
2227 aad[2] = sm->SNonce;
2228 aad_len[2] = FILS_NONCE_LEN;
2229 /* The AP's nonce */
2230 aad[3] = sm->ANonce;
2231 aad_len[3] = FILS_NONCE_LEN;
2232 /*
2233 * The (Re)Association Request frame from the Capability Information
2234 * field to the FILS Session element (both inclusive).
2235 */
2236 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
d77f3304 2237 aad_len[4] = crypt - aad[4];
78815f3d
JM		 2238
2239 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
d77f3304 2240 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
78815f3d
JM		 2241 wpa_printf(MSG_DEBUG,
2242 "FILS: Invalid AES-SIV data in the frame");
2243 return -1;
2244 }
2245 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2246 pos, left - AES_BLOCK_SIZE);
2247
2248 if (ieee802_11_parse_elems(pos, left - AES_BLOCK_SIZE, &elems, 1) ==
2249 ParseFailed) {
2250 wpa_printf(MSG_DEBUG,
2251 "FILS: Failed to parse decrypted elements");
2252 return -1;
2253 }
2254 if (!elems.fils_key_confirm) {
2255 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2256 return -1;
2257 }
2258 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2259 wpa_printf(MSG_DEBUG,
2260 "FILS: Unexpected Key-Auth length %d (expected %d)",
2261 elems.fils_key_confirm_len,
2262 (int) sm->fils_key_auth_len);
2263 return -1;
2264 }
2265 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2266 sm->fils_key_auth_len) != 0) {
2267 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2268 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2269 elems.fils_key_confirm,
2270 elems.fils_key_confirm_len);
2271 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2272 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2273 return -1;
2274 }
2275
2276 return left - AES_BLOCK_SIZE;
2277}
2278
e73ffa09
JM		 2279
2280int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
91d91abf
JM		 2281 size_t current_len, size_t max_len,
2282 const struct wpabuf *hlp)
e73ffa09
JM		 2283{
2284 u8 *end = buf + max_len;
2285 u8 *pos = buf + current_len;
2286 struct ieee80211_mgmt *mgmt;
2287 struct wpabuf *plain;
2288 u8 *len, *tmp, *tmp2;
2289 u8 hdr[2];
2290 u8 *gtk, dummy_gtk[32];
2291 size_t gtk_len;
2292 struct wpa_group *gsm;
2293 const u8 *aad[5];
2294 size_t aad_len[5];
2295
2296 if (!sm || !sm->PTK_valid)
2297 return -1;
2298
2299 wpa_hexdump(MSG_DEBUG,
2300 "FILS: Association Response frame before FILS processing",
2301 buf, current_len);
2302
2303 mgmt = (struct ieee80211_mgmt *) buf;
2304
2305 /* AES-SIV AAD vectors */
2306
2307 /* The AP's BSSID */
2308 aad[0] = mgmt->sa;
2309 aad_len[0] = ETH_ALEN;
2310 /* The STA's MAC address */
2311 aad[1] = mgmt->da;
2312 aad_len[1] = ETH_ALEN;
2313 /* The AP's nonce */
2314 aad[2] = sm->ANonce;
2315 aad_len[2] = FILS_NONCE_LEN;
2316 /* The STA's nonce */
2317 aad[3] = sm->SNonce;
2318 aad_len[3] = FILS_NONCE_LEN;
2319 /*
2320 * The (Re)Association Response frame from the Capability Information
2321 * field (the same offset in both Association and Reassociation
2322 * Response frames) to the FILS Session element (both inclusive).
2323 */
2324 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2325 aad_len[4] = pos - aad[4];
2326
2327 /* The following elements will be encrypted with AES-SIV */
2328
2329 plain = wpabuf_alloc(1000);
2330 if (!plain)
2331 return -1;
2332
2333 /* TODO: FILS Public Key */
2334
2335 /* FILS Key Confirmation */
2336 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2337 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2338 /* Element ID Extension */
2339 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2340 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2341
91d91abf
JM		 2342 /* FILS HLP Container */
2343 if (hlp)
2344 wpabuf_put_buf(plain, hlp);
e73ffa09
JM		 2345
2346 /* TODO: FILS IP Address Assignment */
2347
2348 /* Key Delivery */
2349 gsm = sm->group;
2350 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2351 len = wpabuf_put(plain, 1);
2352 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2353 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2354 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2355 /* GTK KDE */
2356 gtk = gsm->GTK[gsm->GN - 1];
2357 gtk_len = gsm->GTK_len;
2358 if (sm->wpa_auth->conf.disable_gtk) {
2359 /*
2360 * Provide unique random GTK to each STA to prevent use
2361 * of GTK in the BSS.
2362 */
2363 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2364 wpabuf_free(plain);
2365 return -1;
2366 }
2367 gtk = dummy_gtk;
2368 }
2369 hdr[0] = gsm->GN & 0x03;
2370 hdr[1] = 0;
2371 tmp = wpabuf_put(plain, 0);
2372 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2373 gtk, gtk_len);
2374 wpabuf_put(plain, tmp2 - tmp);
2375
2376 /* IGTK KDE */
2377 tmp = wpabuf_put(plain, 0);
2378 tmp2 = ieee80211w_kde_add(sm, tmp);
2379 wpabuf_put(plain, tmp2 - tmp);
2380
2381 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
2382
2383 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2384 wpa_printf(MSG_DEBUG,
2385 "FILS: Not enough room for FILS elements");
2386 wpabuf_free(plain);
2387 return -1;
2388 }
2389
2390 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2391 plain);
2392
2393 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2394 wpabuf_head(plain), wpabuf_len(plain),
2395 5, aad, aad_len, pos) < 0) {
2396 wpabuf_free(plain);
2397 return -1;
2398 }
2399
2400 wpa_hexdump(MSG_DEBUG,
2401 "FILS: Encrypted Association Response elements",
2402 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2403 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2404 wpabuf_free(plain);
2405
07e0117d
JM		 2406 sm->fils_completed = 1;
2407
e73ffa09
JM		 2408 return current_len;
2409}
2410
da24c5aa
JM		 2411
2412int fils_set_tk(struct wpa_state_machine *sm)
2413{
2414 enum wpa_alg alg;
2415 int klen;
2416
2417 if (!sm || !sm->PTK_valid)
2418 return -1;
2419
2420 alg = wpa_cipher_to_alg(sm->pairwise);
2421 klen = wpa_cipher_key_len(sm->pairwise);
2422
2423 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2424 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2425 sm->PTK.tk, klen)) {
2426 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2427 return -1;
2428 }
2429
2430 return 0;
2431}
2432
3b5b7aa8
JM		 2433#endif /* CONFIG_FILS */
2434
2435
6fc6879b
JM		 2436SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2437{
3b5b7aa8 2438 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
6fc6879b 2439 struct wpa_ptk PTK;
2c502460 2440 int ok = 0, psk_found = 0;
6fc6879b 2441 const u8 *pmk = NULL;
207976f0 2442 unsigned int pmk_len;
3b5b7aa8
JM		 2443 int ft;
2444 const u8 *eapol_key_ie, *key_data, *mic;
2445 u16 key_data_length;
2446 size_t mic_len, eapol_key_ie_len;
2447 struct ieee802_1x_hdr *hdr;
2448 struct wpa_eapol_key *key;
2449 struct wpa_eapol_ie_parse kde;
6fc6879b
JM		 2450
2451 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2452 sm->EAPOLKeyReceived = FALSE;
68921e24 2453 sm->update_snonce = FALSE;
b729fd8d 2454 os_memset(&PTK, 0, sizeof(PTK));
6fc6879b 2455
3b5b7aa8
JM		 2456 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
2457
6fc6879b
JM		 2458 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2459 * WPA-PSK: iterate through possible PSKs and select the one matching
2460 * the packet */
2461 for (;;) {
56586197 2462 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
759fd76b
JM		 2463 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2464 sm->p2p_dev_addr, pmk);
6fc6879b
JM		 2465 if (pmk == NULL)
2466 break;
2c502460 2467 psk_found = 1;
207976f0
JM		 2468 pmk_len = PMK_LEN;
2469 } else {
6fc6879b 2470 pmk = sm->PMK;
207976f0
JM		 2471 pmk_len = sm->pmk_len;
2472 }
6fc6879b 2473
207976f0 2474 wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK);
6fc6879b 2475
3b5b7aa8
JM		 2476 if (mic_len &&
2477 wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK,
929a2ea5 2478 sm->last_rx_eapol_key,
6fc6879b
JM		 2479 sm->last_rx_eapol_key_len) == 0) {
2480 ok = 1;
2481 break;
2482 }
2483
3b5b7aa8 2484#ifdef CONFIG_FILS
75c8563e
JM		 2485 if (!mic_len &&
2486 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2487 sm->last_rx_eapol_key_len, NULL) == 0) {
3b5b7aa8
JM		 2488 ok = 1;
2489 break;
2490 }
2491#endif /* CONFIG_FILS */
2492
56586197 2493 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
6fc6879b
JM		 2494 break;
2495 }
2496
2497 if (!ok) {
2498 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2499 "invalid MIC in msg 2/4 of 4-Way Handshake");
2c502460
JM		 2500 if (psk_found)
2501 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
6fc6879b
JM		 2502 return;
2503 }
2504
3b5b7aa8
JM		 2505 /*
2506 * Note: last_rx_eapol_key length fields have already been validated in
2507 * wpa_receive().
2508 */
2509 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2510 key = (struct wpa_eapol_key *) (hdr + 1);
2511 mic = (u8 *) (key + 1);
2512 key_data = mic + mic_len + 2;
2513 key_data_length = WPA_GET_BE16(mic + mic_len);
2514 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2515 sizeof(*key) - mic_len - 2)
2516 return;
2517
2518 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2519 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2520 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2521 return;
2522 }
2523 if (kde.rsn_ie) {
2524 eapol_key_ie = kde.rsn_ie;
2525 eapol_key_ie_len = kde.rsn_ie_len;
2526 } else if (kde.osen) {
2527 eapol_key_ie = kde.osen;
2528 eapol_key_ie_len = kde.osen_len;
2529 } else {
2530 eapol_key_ie = kde.wpa_ie;
2531 eapol_key_ie_len = kde.wpa_ie_len;
2532 }
2533 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2534 if (sm->wpa_ie == NULL ||
2535 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2536 eapol_key_ie, eapol_key_ie_len)) {
2537 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2538 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2539 if (sm->wpa_ie) {
2540 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2541 sm->wpa_ie, sm->wpa_ie_len);
2542 }
2543 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2544 eapol_key_ie, eapol_key_ie_len);
2545 /* MLME-DEAUTHENTICATE.request */
2546 wpa_sta_disconnect(wpa_auth, sm->addr);
2547 return;
2548 }
4ec1fd8e 2549#ifdef CONFIG_IEEE80211R_AP
3b5b7aa8
JM		 2550 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
2551 wpa_sta_disconnect(wpa_auth, sm->addr);
2552 return;
2553 }
4ec1fd8e 2554#endif /* CONFIG_IEEE80211R_AP */
3b5b7aa8
JM		 2555#ifdef CONFIG_P2P
2556 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2557 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2558 int idx;
2559 wpa_printf(MSG_DEBUG,
2560 "P2P: IP address requested in EAPOL-Key exchange");
2561 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2562 if (idx >= 0) {
2563 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2564 bitfield_set(wpa_auth->ip_pool, idx);
2565 WPA_PUT_BE32(sm->ip_addr, start + idx);
2566 wpa_printf(MSG_DEBUG,
2567 "P2P: Assigned IP address %u.%u.%u.%u to "
2568 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2569 sm->ip_addr[2], sm->ip_addr[3],
2570 MAC2STR(sm->addr));
2571 }
2572 }
2573#endif /* CONFIG_P2P */
2574
4ec1fd8e 2575#ifdef CONFIG_IEEE80211R_AP
26e23750
JM		 2576 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2577 /*
2578 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2579 * with the value we derived.
2580 */
870834a1
JM		 2581 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2582 WPA_PMK_NAME_LEN) != 0) {
26e23750
JM		 2583 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2584 "PMKR1Name mismatch in FT 4-way "
2585 "handshake");
2586 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2587 "Supplicant",
2588 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2589 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2590 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2591 return;
2592 }
2593 }
4ec1fd8e 2594#endif /* CONFIG_IEEE80211R_AP */
26e23750 2595
e4bf4db9 2596 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 2597 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2598
56586197 2599 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2600 /* PSK may have changed from the previous choice, so update
2601 * state machine data based on whatever PSK was selected here.
2602 */
2603 os_memcpy(sm->PMK, pmk, PMK_LEN);
207976f0 2604 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 2605 }
2606
2607 sm->MICVerified = TRUE;
2608
2609 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2610 sm->PTK_valid = TRUE;
2611}
2612
2613
2614SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2615{
2616 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2617 sm->TimeoutCtr = 0;
2618}
2619
2620
2621#ifdef CONFIG_IEEE80211W
2622
2623static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2624{
2625 if (sm->mgmt_frame_prot) {
8dd9f9cd
JM		 2626 size_t len;
2627 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2628 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
6fc6879b
JM		 2629 }
2630
2631 return 0;
2632}
2633
2634
2635static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2636{
2637 struct wpa_igtk_kde igtk;
2638 struct wpa_group *gsm = sm->group;
03610ad2 2639 u8 rsc[WPA_KEY_RSC_LEN];
8dd9f9cd 2640 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
6fc6879b
JM		 2641
2642 if (!sm->mgmt_frame_prot)
2643 return pos;
2644
2645 igtk.keyid[0] = gsm->GN_igtk;
2646 igtk.keyid[1] = 0;
7b1080da 2647 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 2648 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 2649 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 2650 else
2651 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
8dd9f9cd 2652 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
83421850
JM		 2653 if (sm->wpa_auth->conf.disable_gtk) {
2654 /*
2655 * Provide unique random IGTK to each STA to prevent use of
2656 * IGTK in the BSS.
2657 */
8dd9f9cd 2658 if (random_get_bytes(igtk.igtk, len) < 0)
83421850
JM		 2659 return pos;
2660 }
6fc6879b 2661 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
8dd9f9cd
JM		 2662 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2663 NULL, 0);
6fc6879b
JM		 2664
2665 return pos;
2666}
2667
2668#else /* CONFIG_IEEE80211W */
2669
2670static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2671{
2672 return 0;
2673}
2674
2675
2676static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2677{
2678 return pos;
2679}
2680
2681#endif /* CONFIG_IEEE80211W */
2682
2683
2684SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2685{
83421850 2686 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 2687 size_t gtk_len, kde_len;
2688 struct wpa_group *gsm = sm->group;
2689 u8 *wpa_ie;
2690 int wpa_ie_len, secure, keyidx, encr = 0;
2691
2692 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2693 sm->TimeoutEvt = FALSE;
bae61562
JM		 2694
2695 sm->TimeoutCtr++;
2696 if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
2697 /* No point in sending the EAPOL-Key - we will disconnect
2698 * immediately following this. */
2699 return;
2700 }
2701
86dfabb8
JM		 2702 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2703 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 2704 */
2705 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2706 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 2707 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 2708 wpa_ie = sm->wpa_auth->wpa_ie;
2709 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2710 if (sm->wpa == WPA_VERSION_WPA &&
2711 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2712 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
774d4145 2713 /* WPA-only STA, remove RSN IE and possible MDIE */
6fc6879b 2714 wpa_ie = wpa_ie + wpa_ie[1] + 2;
774d4145
JM		 2715 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2716 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6fc6879b
JM		 2717 wpa_ie_len = wpa_ie[1] + 2;
2718 }
2719 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2720 "sending 3/4 msg of 4-Way Handshake");
2721 if (sm->wpa == WPA_VERSION_WPA2) {
2722 /* WPA2 send GTK in the 4-way handshake */
2723 secure = 1;
2724 gtk = gsm->GTK[gsm->GN - 1];
2725 gtk_len = gsm->GTK_len;
83421850
JM		 2726 if (sm->wpa_auth->conf.disable_gtk) {
2727 /*
2728 * Provide unique random GTK to each STA to prevent use
2729 * of GTK in the BSS.
2730 */
2731 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2732 return;
2733 gtk = dummy_gtk;
2734 }
6fc6879b
JM		 2735 keyidx = gsm->GN;
2736 _rsc = rsc;
2737 encr = 1;
2738 } else {
2739 /* WPA does not include GTK in msg 3/4 */
2740 secure = 0;
2741 gtk = NULL;
2742 gtk_len = 0;
2743 keyidx = 0;
2744 _rsc = NULL;
0d442aff
JM		 2745 if (sm->rx_eapol_key_secure) {
2746 /*
2747 * It looks like Windows 7 supplicant tries to use
2748 * Secure bit in msg 2/4 after having reported Michael
2749 * MIC failure and it then rejects the 4-way handshake
2750 * if msg 3/4 does not set Secure bit. Work around this
2751 * by setting the Secure bit here even in the case of
2752 * WPA if the supplicant used it first.
2753 */
2754 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 2755 "STA used Secure bit in WPA msg 2/4 - "
2756 "set Secure for 3/4 as workaround");
0d442aff
JM		 2757 secure = 1;
2758 }
6fc6879b
JM		 2759 }
2760
2761 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2762 if (gtk)
2763 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4ec1fd8e 2764#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2765 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2766 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2767 kde_len += 300; /* FTIE + 2 * TIE */
2768 }
4ec1fd8e 2769#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 2770#ifdef CONFIG_P2P
2771 if (WPA_GET_BE32(sm->ip_addr) > 0)
2772 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2773#endif /* CONFIG_P2P */
6fc6879b
JM		 2774 kde = os_malloc(kde_len);
2775 if (kde == NULL)
2776 return;
2777
2778 pos = kde;
2779 os_memcpy(pos, wpa_ie, wpa_ie_len);
2780 pos += wpa_ie_len;
4ec1fd8e 2781#ifdef CONFIG_IEEE80211R_AP
26e23750 2782 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
59e78c24
JM		 2783 int res;
2784 size_t elen;
2785
2786 elen = pos - kde;
2787 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
26e23750
JM		 2788 if (res < 0) {
2789 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2790 "PMKR1Name into RSN IE in EAPOL-Key data");
2791 os_free(kde);
2792 return;
2793 }
59e78c24
JM		 2794 pos -= wpa_ie_len;
2795 pos += elen;
26e23750 2796 }
4ec1fd8e 2797#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 2798 if (gtk) {
2799 u8 hdr[2];
2800 hdr[0] = keyidx & 0x03;
2801 hdr[1] = 0;
2802 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2803 gtk, gtk_len);
2804 }
2805 pos = ieee80211w_kde_add(sm, pos);
2806
4ec1fd8e 2807#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2808 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2809 int res;
2810 struct wpa_auth_config *conf;
2811
2812 conf = &sm->wpa_auth->conf;
9257610a
JM		 2813 if (sm->assoc_resp_ftie &&
2814 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
2815 os_memcpy(pos, sm->assoc_resp_ftie,
2816 2 + sm->assoc_resp_ftie[1]);
2817 res = 2 + sm->assoc_resp_ftie[1];
2818 } else {
2819 res = wpa_write_ftie(conf, conf->r0_key_holder,
2820 conf->r0_key_holder_len,
2821 NULL, NULL, pos,
2822 kde + kde_len - pos,
2823 NULL, 0);
2824 }
86dfabb8
JM		 2825 if (res < 0) {
2826 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2827 "into EAPOL-Key Key Data");
2828 os_free(kde);
2829 return;
2830 }
2831 pos += res;
2832
2833 /* TIE[ReassociationDeadline] (TU) */
2834 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2835 *pos++ = 5;
2836 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2837 WPA_PUT_LE32(pos, conf->reassociation_deadline);
2838 pos += 4;
2839
2840 /* TIE[KeyLifetime] (seconds) */
2841 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2842 *pos++ = 5;
2843 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2844 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2845 pos += 4;
2846 }
4ec1fd8e 2847#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 2848#ifdef CONFIG_P2P
2849 if (WPA_GET_BE32(sm->ip_addr) > 0) {
2850 u8 addr[3 * 4];
2851 os_memcpy(addr, sm->ip_addr, 4);
2852 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
2853 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
2854 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
2855 addr, sizeof(addr), NULL, 0);
2856 }
2857#endif /* CONFIG_P2P */
86dfabb8 2858
6fc6879b 2859 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d
JM		 2860 (secure ? WPA_KEY_INFO_SECURE : 0) |
2861 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 2862 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2863 WPA_KEY_INFO_KEY_TYPE,
2864 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2865 os_free(kde);
6fc6879b
JM		 2866}
2867
2868
2869SM_STATE(WPA_PTK, PTKINITDONE)
2870{
2871 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2872 sm->EAPOLKeyReceived = FALSE;
2873 if (sm->Pair) {
c3550295
JM		 2874 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2875 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b 2876 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
98cd3d1c 2877 sm->PTK.tk, klen)) {
6fc6879b
JM		 2878 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2879 return;
2880 }
2881 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2882 sm->pairwise_set = TRUE;
2883
581a8cde
JM		 2884 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2885 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2886 eloop_register_timeout(sm->wpa_auth->conf.
2887 wpa_ptk_rekey, 0, wpa_rekey_ptk,
2888 sm->wpa_auth, sm);
2889 }
2890
56586197 2891 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2892 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2893 WPA_EAPOL_authorized, 1);
2894 }
2895 }
2896
2897 if (0 /* IBSS == TRUE */) {
2898 sm->keycount++;
2899 if (sm->keycount == 2) {
2900 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2901 WPA_EAPOL_portValid, 1);
2902 }
2903 } else {
2904 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2905 1);
2906 }
2907 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2908 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2909 if (sm->wpa == WPA_VERSION_WPA)
2910 sm->PInitAKeys = TRUE;
2911 else
2912 sm->has_GTK = TRUE;
2913 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2914 "pairwise key handshake completed (%s)",
2915 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2916
4ec1fd8e 2917#ifdef CONFIG_IEEE80211R_AP
6fc6879b 2918 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
4ec1fd8e 2919#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 2920}
2921
2922
2923SM_STEP(WPA_PTK)
2924{
2925 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2926
2927 if (sm->Init)
2928 SM_ENTER(WPA_PTK, INITIALIZE);
2929 else if (sm->Disconnect
1aae01fc
BG		 2930 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2931 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2932 "WPA_PTK: sm->Disconnect");
6fc6879b 2933 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 2934 }
6fc6879b
JM		 2935 else if (sm->DeauthenticationRequest)
2936 SM_ENTER(WPA_PTK, DISCONNECTED);
2937 else if (sm->AuthenticationRequest)
2938 SM_ENTER(WPA_PTK, AUTHENTICATION);
2939 else if (sm->ReAuthenticationRequest)
2940 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2941 else if (sm->PTKRequest)
2942 SM_ENTER(WPA_PTK, PTKSTART);
2943 else switch (sm->wpa_ptk_state) {
2944 case WPA_PTK_INITIALIZE:
2945 break;
2946 case WPA_PTK_DISCONNECT:
2947 SM_ENTER(WPA_PTK, DISCONNECTED);
2948 break;
2949 case WPA_PTK_DISCONNECTED:
2950 SM_ENTER(WPA_PTK, INITIALIZE);
2951 break;
2952 case WPA_PTK_AUTHENTICATION:
2953 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2954 break;
2955 case WPA_PTK_AUTHENTICATION2:
56586197 2956 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 2957 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2958 WPA_EAPOL_keyRun) > 0)
2959 SM_ENTER(WPA_PTK, INITPMK);
56586197 2960 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
6fc6879b
JM		 2961 /* FIX: && 802.1X::keyRun */)
2962 SM_ENTER(WPA_PTK, INITPSK);
2963 break;
2964 case WPA_PTK_INITPMK:
2965 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2966 WPA_EAPOL_keyAvailable) > 0)
2967 SM_ENTER(WPA_PTK, PTKSTART);
2968 else {
2969 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 2970 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2971 "INITPMK - keyAvailable = false");
6fc6879b
JM		 2972 SM_ENTER(WPA_PTK, DISCONNECT);
2973 }
2974 break;
2975 case WPA_PTK_INITPSK:
759fd76b
JM		 2976 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
2977 NULL))
6fc6879b
JM		 2978 SM_ENTER(WPA_PTK, PTKSTART);
2979 else {
2980 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2981 "no PSK configured for the STA");
2982 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2983 SM_ENTER(WPA_PTK, DISCONNECT);
2984 }
2985 break;
2986 case WPA_PTK_PTKSTART:
2987 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2988 sm->EAPOLKeyPairwise)
2989 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2990 else if (sm->TimeoutCtr >
2991 (int) dot11RSNAConfigPairwiseUpdateCount) {
2992 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 2993 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2994 "PTKSTART: Retry limit %d reached",
2995 dot11RSNAConfigPairwiseUpdateCount);
6fc6879b
JM		 2996 SM_ENTER(WPA_PTK, DISCONNECT);
2997 } else if (sm->TimeoutEvt)
2998 SM_ENTER(WPA_PTK, PTKSTART);
2999 break;
3000 case WPA_PTK_PTKCALCNEGOTIATING:
3001 if (sm->MICVerified)
3002 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3003 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3004 sm->EAPOLKeyPairwise)
3005 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3006 else if (sm->TimeoutEvt)
3007 SM_ENTER(WPA_PTK, PTKSTART);
3008 break;
3009 case WPA_PTK_PTKCALCNEGOTIATING2:
3010 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3011 break;
3012 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 3013 if (sm->update_snonce)
3014 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3015 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3016 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 3017 SM_ENTER(WPA_PTK, PTKINITDONE);
3018 else if (sm->TimeoutCtr >
3019 (int) dot11RSNAConfigPairwiseUpdateCount) {
3020 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 3021 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3022 "PTKINITNEGOTIATING: Retry limit %d "
3023 "reached",
3024 dot11RSNAConfigPairwiseUpdateCount);
6fc6879b
JM		 3025 SM_ENTER(WPA_PTK, DISCONNECT);
3026 } else if (sm->TimeoutEvt)
3027 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3028 break;
3029 case WPA_PTK_PTKINITDONE:
3030 break;
3031 }
3032}
3033
3034
3035SM_STATE(WPA_PTK_GROUP, IDLE)
3036{
3037 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3038 if (sm->Init) {
3039 /* Init flag is not cleared here, so avoid busy
3040 * loop by claiming nothing changed. */
3041 sm->changed = FALSE;
3042 }
3043 sm->GTimeoutCtr = 0;
3044}
3045
3046
3047SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3048{
3049 u8 rsc[WPA_KEY_RSC_LEN];
3050 struct wpa_group *gsm = sm->group;
e41e4f9e
JM		 3051 const u8 *kde;
3052 u8 *kde_buf = NULL, *pos, hdr[2];
6fc6879b 3053 size_t kde_len;
83421850 3054 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 3055
3056 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 3057
3058 sm->GTimeoutCtr++;
3059 if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
3060 /* No point in sending the EAPOL-Key - we will disconnect
3061 * immediately following this. */
3062 return;
3063 }
3064
6fc6879b
JM		 3065 if (sm->wpa == WPA_VERSION_WPA)
3066 sm->PInitAKeys = FALSE;
3067 sm->TimeoutEvt = FALSE;
3068 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3069 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3070 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3071 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3072 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3073 "sending 1/2 msg of Group Key Handshake");
3074
83421850
JM		 3075 gtk = gsm->GTK[gsm->GN - 1];
3076 if (sm->wpa_auth->conf.disable_gtk) {
3077 /*
3078 * Provide unique random GTK to each STA to prevent use
3079 * of GTK in the BSS.
3080 */
3081 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3082 return;
3083 gtk = dummy_gtk;
3084 }
6fc6879b
JM		 3085 if (sm->wpa == WPA_VERSION_WPA2) {
3086 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3087 ieee80211w_kde_len(sm);
e41e4f9e
JM		 3088 kde_buf = os_malloc(kde_len);
3089 if (kde_buf == NULL)
6fc6879b
JM		 3090 return;
3091
e41e4f9e 3092 kde = pos = kde_buf;
6fc6879b
JM		 3093 hdr[0] = gsm->GN & 0x03;
3094 hdr[1] = 0;
3095 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 3096 gtk, gsm->GTK_len);
6fc6879b 3097 pos = ieee80211w_kde_add(sm, pos);
e41e4f9e 3098 kde_len = pos - kde;
6fc6879b 3099 } else {
83421850 3100 kde = gtk;
e41e4f9e 3101 kde_len = gsm->GTK_len;
6fc6879b
JM		 3102 }
3103
3104 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d
JM		 3105 WPA_KEY_INFO_SECURE |
3106 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3107 WPA_KEY_INFO_ACK |
3108 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
b0fb2be7 3109 rsc, NULL, kde, kde_len, gsm->GN, 1);
e41e4f9e
JM		 3110
3111 os_free(kde_buf);
6fc6879b
JM		 3112}
3113
3114
3115SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3116{
3117 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3118 sm->EAPOLKeyReceived = FALSE;
3119 if (sm->GUpdateStationKeys)
3120 sm->group->GKeyDoneStations--;
3121 sm->GUpdateStationKeys = FALSE;
3122 sm->GTimeoutCtr = 0;
3123 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3124 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3125 "group key handshake completed (%s)",
3126 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3127 sm->has_GTK = TRUE;
3128}
3129
3130
3131SM_STATE(WPA_PTK_GROUP, KEYERROR)
3132{
3133 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3134 if (sm->GUpdateStationKeys)
3135 sm->group->GKeyDoneStations--;
3136 sm->GUpdateStationKeys = FALSE;
3137 sm->Disconnect = TRUE;
3138}
3139
3140
3141SM_STEP(WPA_PTK_GROUP)
3142{
9663596f 3143 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 3144 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 3145 sm->PtkGroupInit = FALSE;
3146 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 3147 case WPA_PTK_GROUP_IDLE:
3148 if (sm->GUpdateStationKeys ||
3149 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3150 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3151 break;
3152 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3153 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3154 !sm->EAPOLKeyPairwise && sm->MICVerified)
3155 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3156 else if (sm->GTimeoutCtr >
3157 (int) dot11RSNAConfigGroupUpdateCount)
3158 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3159 else if (sm->TimeoutEvt)
3160 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3161 break;
3162 case WPA_PTK_GROUP_KEYERROR:
3163 SM_ENTER(WPA_PTK_GROUP, IDLE);
3164 break;
3165 case WPA_PTK_GROUP_REKEYESTABLISHED:
3166 SM_ENTER(WPA_PTK_GROUP, IDLE);
3167 break;
3168 }
3169}
3170
3171
3172static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3173 struct wpa_group *group)
3174{
3175 int ret = 0;
3176
6fc6879b
JM		 3177 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3178 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3179 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3180 wpa_auth->addr, group->GNonce,
3181 group->GTK[group->GN - 1], group->GTK_len) < 0)
3182 ret = -1;
5cb9d5c3
JM		 3183 wpa_hexdump_key(MSG_DEBUG, "GTK",
3184 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 3185
3186#ifdef CONFIG_IEEE80211W
70f8cc8e 3187 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
8dd9f9cd
JM		 3188 size_t len;
3189 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5cb9d5c3
JM		 3190 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3191 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3192 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3193 wpa_auth->addr, group->GNonce,
8dd9f9cd 3194 group->IGTK[group->GN_igtk - 4], len) < 0)
3c7302c2 3195 ret = -1;
6fc6879b 3196 wpa_hexdump_key(MSG_DEBUG, "IGTK",
8dd9f9cd 3197 group->IGTK[group->GN_igtk - 4], len);
6fc6879b
JM		 3198 }
3199#endif /* CONFIG_IEEE80211W */
3200
3201 return ret;
3202}
3203
3204
3205static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3206 struct wpa_group *group)
3207{
3208 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3209 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3210 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3211 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3212
3213 /* GTK[0..N] = 0 */
3214 os_memset(group->GTK, 0, sizeof(group->GTK));
3215 group->GN = 1;
3216 group->GM = 2;
3217#ifdef CONFIG_IEEE80211W
3218 group->GN_igtk = 4;
3219 group->GM_igtk = 5;
3220#endif /* CONFIG_IEEE80211W */
3221 /* GTK[GN] = CalcGTK() */
3222 wpa_gtk_update(wpa_auth, group);
3223}
3224
3225
3226static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3227{
473b6f22
MB		 3228 if (ctx != NULL && ctx != sm->group)
3229 return 0;
3230
6fc6879b
JM		 3231 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3232 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3233 "Not in PTKINITDONE; skip Group Key update");
3c183894 3234 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 3235 return 0;
3236 }
9663596f
JM		 3237 if (sm->GUpdateStationKeys) {
3238 /*
3c183894
JM		 3239 * This should not really happen, so add a debug log entry.
3240 * Since we clear the GKeyDoneStations before the loop, the
3241 * station needs to be counted here anyway.
9663596f
JM		 3242 */
3243 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 3244 "GUpdateStationKeys was already set when "
3245 "marking station for GTK rekeying");
9663596f 3246 }
3c183894 3247
ad3872a3 3248 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 3249 if (sm->is_wnmsleep)
3250 return 0;
d32d94db 3251
3c183894
JM		 3252 sm->group->GKeyDoneStations++;
3253 sm->GUpdateStationKeys = TRUE;
3254
6fc6879b
JM		 3255 wpa_sm_step(sm);
3256 return 0;
3257}
3258
3259
ad3872a3
JM		 3260#ifdef CONFIG_WNM
3261/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 3262void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3263{
629edfef 3264 if (sm == NULL || sm->is_wnmsleep)
d32d94db
XC		 3265 return;
3266
3267 wpa_group_update_sta(sm, NULL);
3268}
3269
3270
3271void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3272{
629edfef
JM		 3273 if (sm)
3274 sm->is_wnmsleep = !!flag;
d32d94db
XC		 3275}
3276
3277
3278int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3279{
d32d94db 3280 struct wpa_group *gsm = sm->group;
835822d4 3281 u8 *start = pos;
d32d94db
XC		 3282
3283 /*
835822d4 3284 * GTK subelement:
d32d94db 3285 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 3286 * Key[5..32]
d32d94db 3287 */
835822d4
JM		 3288 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3289 *pos++ = 11 + gsm->GTK_len;
d32d94db 3290 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 3291 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3292 pos += 2;
3293 *pos++ = gsm->GTK_len;
3294 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 3295 return 0;
835822d4
JM		 3296 pos += 8;
3297 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3298 pos += gsm->GTK_len;
d32d94db 3299
835822d4
JM		 3300 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3301 gsm->GN);
3302 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 3303 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 3304
835822d4 3305 return pos - start;
d32d94db
XC		 3306}
3307
3308
3309#ifdef CONFIG_IEEE80211W
3310int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3311{
d32d94db 3312 struct wpa_group *gsm = sm->group;
835822d4 3313 u8 *start = pos;
8dd9f9cd 3314 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
d32d94db 3315
835822d4
JM		 3316 /*
3317 * IGTK subelement:
3318 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3319 */
3320 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
8dd9f9cd 3321 *pos++ = 2 + 6 + len;
835822d4
JM		 3322 WPA_PUT_LE16(pos, gsm->GN_igtk);
3323 pos += 2;
3324 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 3325 return 0;
835822d4 3326 pos += 6;
d32d94db 3327
8dd9f9cd
JM		 3328 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3329 pos += len;
d32d94db 3330
835822d4
JM		 3331 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3332 gsm->GN_igtk);
3333 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
8dd9f9cd 3334 gsm->IGTK[gsm->GN_igtk - 4], len);
d32d94db 3335
835822d4 3336 return pos - start;
d32d94db
XC		 3337}
3338#endif /* CONFIG_IEEE80211W */
ad3872a3 3339#endif /* CONFIG_WNM */
d32d94db
XC		 3340
3341
6fc6879b
JM		 3342static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3343 struct wpa_group *group)
3344{
3345 int tmp;
3346
3347 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3348 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3349 group->changed = TRUE;
3350 group->wpa_group_state = WPA_GROUP_SETKEYS;
3351 group->GTKReKey = FALSE;
3352 tmp = group->GM;
3353 group->GM = group->GN;
3354 group->GN = tmp;
3355#ifdef CONFIG_IEEE80211W
3356 tmp = group->GM_igtk;
3357 group->GM_igtk = group->GN_igtk;
3358 group->GN_igtk = tmp;
3359#endif /* CONFIG_IEEE80211W */
3360 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3361 * counting the STAs that are marked with GUpdateStationKeys instead of
3362 * including all STAs that could be in not-yet-completed state. */
3363 wpa_gtk_update(wpa_auth, group);
3364
3c183894
JM		 3365 if (group->GKeyDoneStations) {
3366 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3367 "GKeyDoneStations=%d when starting new GTK rekey",
3368 group->GKeyDoneStations);
3369 group->GKeyDoneStations = 0;
3370 }
473b6f22 3371 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 3372 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3373 group->GKeyDoneStations);
3374}
3375
3376
1bdb7ab3
JM		 3377static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3378 struct wpa_group *group)
6fc6879b 3379{
3c7302c2
JM		 3380 int ret = 0;
3381
3c7302c2 3382 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 3383 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 3384 broadcast_ether_addr, group->GN,
3385 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 3386 ret = -1;
6fc6879b
JM		 3387
3388#ifdef CONFIG_IEEE80211W
8dd9f9cd
JM		 3389 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3390 enum wpa_alg alg;
3391 size_t len;
3392
3393 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3394 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3395
3396 if (ret == 0 &&
3397 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3398 broadcast_ether_addr, group->GN_igtk,
3399 group->IGTK[group->GN_igtk - 4], len) < 0)
3400 ret = -1;
3401 }
6fc6879b 3402#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 3403
3404 return ret;
6fc6879b
JM		 3405}
3406
3407
7d7f7be2
JM		 3408static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3409{
3410 if (sm->group == ctx) {
3411 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3412 " for discconnection due to fatal failure",
3413 MAC2STR(sm->addr));
3414 sm->Disconnect = TRUE;
3415 }
3416
3417 return 0;
3418}
3419
3420
3421static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3422 struct wpa_group *group)
3423{
3424 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3425 group->changed = TRUE;
3426 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3427 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3428}
3429
3430
1bdb7ab3
JM		 3431static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3432 struct wpa_group *group)
3433{
3434 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3435 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3436 group->changed = TRUE;
3437 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3438
7d7f7be2
JM		 3439 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3440 wpa_group_fatal_failure(wpa_auth, group);
1bdb7ab3 3441 return -1;
7d7f7be2 3442 }
1bdb7ab3
JM		 3443
3444 return 0;
3445}
3446
3447
6fc6879b
JM		 3448static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3449 struct wpa_group *group)
3450{
3451 if (group->GInit) {
3452 wpa_group_gtk_init(wpa_auth, group);
7d7f7be2
JM		 3453 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3454 /* Do not allow group operations */
6fc6879b
JM		 3455 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3456 group->GTKAuthenticator) {
3457 wpa_group_setkeysdone(wpa_auth, group);
3458 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3459 group->GTKReKey) {
3460 wpa_group_setkeys(wpa_auth, group);
3461 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3462 if (group->GKeyDoneStations == 0)
3463 wpa_group_setkeysdone(wpa_auth, group);
3464 else if (group->GTKReKey)
3465 wpa_group_setkeys(wpa_auth, group);
3466 }
3467}
3468
3469
e4a6ea1d 3470static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 3471{
3472 if (sm == NULL)
e4a6ea1d 3473 return 0;
6fc6879b
JM		 3474
3475 if (sm->in_step_loop) {
3476 /* This should not happen, but if it does, make sure we do not
3477 * end up freeing the state machine too early by exiting the
3478 * recursive call. */
3479 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 3480 return 0;
6fc6879b
JM		 3481 }
3482
3483 sm->in_step_loop = 1;
3484 do {
3485 if (sm->pending_deinit)
3486 break;
3487
3488 sm->changed = FALSE;
3489 sm->wpa_auth->group->changed = FALSE;
3490
3491 SM_STEP_RUN(WPA_PTK);
3492 if (sm->pending_deinit)
3493 break;
3494 SM_STEP_RUN(WPA_PTK_GROUP);
3495 if (sm->pending_deinit)
3496 break;
3497 wpa_group_sm_step(sm->wpa_auth, sm->group);
3498 } while (sm->changed || sm->wpa_auth->group->changed);
3499 sm->in_step_loop = 0;
3500
3501 if (sm->pending_deinit) {
3502 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3503 "machine deinit for " MACSTR, MAC2STR(sm->addr));
3504 wpa_free_sta_sm(sm);
e4a6ea1d 3505 return 1;
6fc6879b 3506 }
e4a6ea1d 3507 return 0;
6fc6879b
JM		 3508}
3509
3510
3511static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3512{
3513 struct wpa_state_machine *sm = eloop_ctx;
3514 wpa_sm_step(sm);
3515}
3516
3517
3518void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3519{
3520 if (sm == NULL)
3521 return;
3522 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3523}
3524
3525
3526void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3527{
3528 int tmp, i;
3529 struct wpa_group *group;
3530
3531 if (wpa_auth == NULL)
3532 return;
3533
3534 group = wpa_auth->group;
3535
3536 for (i = 0; i < 2; i++) {
3537 tmp = group->GM;
3538 group->GM = group->GN;
3539 group->GN = tmp;
3540#ifdef CONFIG_IEEE80211W
3541 tmp = group->GM_igtk;
3542 group->GM_igtk = group->GN_igtk;
3543 group->GN_igtk = tmp;
3544#endif /* CONFIG_IEEE80211W */
3545 wpa_gtk_update(wpa_auth, group);
9354e594 3546 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 3547 }
3548}
3549
3550
a6da824b 3551static const char * wpa_bool_txt(int val)
6fc6879b 3552{
a6da824b 3553 return val ? "TRUE" : "FALSE";
6fc6879b
JM		 3554}
3555
3556
6fc6879b
JM		 3557#define RSN_SUITE "%02x-%02x-%02x-%d"
3558#define RSN_SUITE_ARG(s) \
3559((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3560
3561int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3562{
3563 int len = 0, ret;
3564 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 3565#ifdef CONFIG_RSN_PREAUTH
3566 const int preauth = 1;
3567#else /* CONFIG_RSN_PREAUTH */
3568 const int preauth = 0;
3569#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 3570
3571 if (wpa_auth == NULL)
3572 return len;
3573
3574 ret = os_snprintf(buf + len, buflen - len,
3575 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 3576 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 3577 "dot11RSNAEnabled=%s\n"
3578 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 3579 wpa_bool_txt(preauth),
6fc6879b
JM		 3580 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3581 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
d85e1fc8 3582 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3583 return len;
3584 len += ret;
3585
3586 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3587 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3588
3589 ret = os_snprintf(
3590 buf + len, buflen - len,
3591 "dot11RSNAConfigVersion=%u\n"
3592 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
3593 /* FIX: dot11RSNAConfigGroupCipher */
3594 /* FIX: dot11RSNAConfigGroupRekeyMethod */
3595 /* FIX: dot11RSNAConfigGroupRekeyTime */
3596 /* FIX: dot11RSNAConfigGroupRekeyPackets */
3597 "dot11RSNAConfigGroupRekeyStrict=%u\n"
3598 "dot11RSNAConfigGroupUpdateCount=%u\n"
3599 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
3600 "dot11RSNAConfigGroupCipherSize=%u\n"
3601 "dot11RSNAConfigPMKLifetime=%u\n"
3602 "dot11RSNAConfigPMKReauthThreshold=%u\n"
3603 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3604 "dot11RSNAConfigSATimeout=%u\n"
3605 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3606 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3607 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3608 "dot11RSNAPMKIDUsed=%s\n"
3609 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3610 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3611 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3612 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3613 "dot11RSNA4WayHandshakeFailures=%u\n"
3614 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3615 RSN_VERSION,
3616 !!wpa_auth->conf.wpa_strict_rekey,
3617 dot11RSNAConfigGroupUpdateCount,
3618 dot11RSNAConfigPairwiseUpdateCount,
c3550295 3619 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 3620 dot11RSNAConfigPMKLifetime,
3621 dot11RSNAConfigPMKReauthThreshold,
3622 dot11RSNAConfigSATimeout,
3623 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3624 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3625 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3626 pmkid_txt,
3627 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3628 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3629 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3630 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3631 wpa_auth->dot11RSNA4WayHandshakeFailures);
d85e1fc8 3632 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3633 return len;
3634 len += ret;
3635
3636 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
3637 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3638
3639 /* Private MIB */
3640 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3641 wpa_auth->group->wpa_group_state);
d85e1fc8 3642 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3643 return len;
3644 len += ret;
3645
3646 return len;
3647}
3648
3649
3650int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3651{
3652 int len = 0, ret;
3653 u32 pairwise = 0;
3654
3655 if (sm == NULL)
3656 return 0;
3657
3658 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3659
3660 /* dot11RSNAStatsEntry */
3661
c3550295
JM		 3662 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3663 WPA_PROTO_RSN : WPA_PROTO_WPA,
3664 sm->pairwise);
3665 if (pairwise == 0)
6fc6879b
JM		 3666 return 0;
3667
3668 ret = os_snprintf(
3669 buf + len, buflen - len,
3670 /* TODO: dot11RSNAStatsIndex */
3671 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
3672 "dot11RSNAStatsVersion=1\n"
3673 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3674 /* TODO: dot11RSNAStatsTKIPICVErrors */
3675 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 3676 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 3677 /* TODO: dot11RSNAStatsCCMPReplays */
3678 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
3679 /* TODO: dot11RSNAStatsTKIPReplays */,
3680 MAC2STR(sm->addr),
3681 RSN_SUITE_ARG(pairwise),
3682 sm->dot11RSNAStatsTKIPLocalMICFailures,
3683 sm->dot11RSNAStatsTKIPRemoteMICFailures);
d85e1fc8 3684 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3685 return len;
3686 len += ret;
3687
3688 /* Private MIB */
3689 ret = os_snprintf(buf + len, buflen - len,
3690 "hostapdWPAPTKState=%d\n"
3691 "hostapdWPAPTKGroupState=%d\n",
3692 sm->wpa_ptk_state,
3693 sm->wpa_ptk_group_state);
d85e1fc8 3694 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3695 return len;
3696 len += ret;
3697
3698 return len;
3699}
3700
3701
3702void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3703{
3704 if (wpa_auth)
3705 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3706}
3707
3708
3709int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3710{
3711 return sm && sm->pairwise_set;
3712}
3713
3714
ff36ff00
JM		 3715int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3716{
3717 return sm->pairwise;
3718}
3719
3720
6fc6879b
JM		 3721int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3722{
3723 if (sm == NULL)
3724 return -1;
3725 return sm->wpa_key_mgmt;
3726}
3727
3728
3729int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3730{
3731 if (sm == NULL)
3732 return 0;
3733 return sm->wpa;
3734}
3735
3736
3737int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3738 struct rsn_pmksa_cache_entry *entry)
3739{
3740 if (sm == NULL || sm->pmksa != entry)
3741 return -1;
3742 sm->pmksa = NULL;
3743 return 0;
3744}
3745
3746
3747struct rsn_pmksa_cache_entry *
3748wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3749{
3750 return sm ? sm->pmksa : NULL;
3751}
3752
3753
3754void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3755{
3756 if (sm)
3757 sm->dot11RSNAStatsTKIPLocalMICFailures++;
3758}
3759
3760
3761const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3762{
3763 if (wpa_auth == NULL)
3764 return NULL;
3765 *len = wpa_auth->wpa_ie_len;
3766 return wpa_auth->wpa_ie;
3767}
3768
3769
3770int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
207976f0 3771 unsigned int pmk_len,
6fc6879b
JM		 3772 int session_timeout, struct eapol_state_machine *eapol)
3773{
cb465555
JM		 3774 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3775 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 3776 return -1;
3777
207976f0
JM		 3778 if (sm->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
3779 if (pmk_len > PMK_LEN_SUITE_B_192)
3780 pmk_len = PMK_LEN_SUITE_B_192;
3781 } else if (pmk_len > PMK_LEN) {
3782 pmk_len = PMK_LEN;
3783 }
3784
70c93963 3785 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
98cd3d1c 3786 sm->PTK.kck, sm->PTK.kck_len,
4bb081f1
JM		 3787 sm->wpa_auth->addr, sm->addr, session_timeout,
3788 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 3789 return 0;
3790
3791 return -1;
3792}
3793
3794
3795int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
3796 const u8 *pmk, size_t len, const u8 *sta_addr,
3797 int session_timeout,
3798 struct eapol_state_machine *eapol)
3799{
3800 if (wpa_auth == NULL)
3801 return -1;
3802
70c93963 3803 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
087a1f4e
JM		 3804 NULL, 0,
3805 wpa_auth->addr,
4bb081f1
JM		 3806 sta_addr, session_timeout, eapol,
3807 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 3808 return 0;
3809
3810 return -1;
3811}
3812
3813
f2991170 3814int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
70c93963 3815 const u8 *pmk, const u8 *pmkid)
f2991170
JM		 3816{
3817 if (wpa_auth->conf.disable_pmksa_caching)
3818 return -1;
3819
70c93963 3820 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
087a1f4e 3821 NULL, 0,
f2991170
JM		 3822 wpa_auth->addr, addr, 0, NULL,
3823 WPA_KEY_MGMT_SAE))
3824 return 0;
3825
3826 return -1;
3827}
3828
3829
901d1fe1
JM		 3830void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
3831 const u8 *sta_addr)
3832{
3833 struct rsn_pmksa_cache_entry *pmksa;
3834
3835 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
3836 return;
3837 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
3838 if (pmksa) {
3839 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
3840 MACSTR " based on request", MAC2STR(sta_addr));
3841 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
3842 }
3843}
3844
3845
b8daac18
MH		 3846int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
3847 size_t len)
3848{
3849 if (!wpa_auth || !wpa_auth->pmksa)
3850 return 0;
3851 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
3852}
3853
3854
4c522c77
MH		 3855void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
3856{
3857 if (wpa_auth && wpa_auth->pmksa)
3858 pmksa_cache_auth_flush(wpa_auth->pmksa);
3859}
3860
3861
4d77d80e
MH		 3862#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
3863#ifdef CONFIG_MESH
3864
3865int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
3866 char *buf, size_t len)
3867{
3868 if (!wpa_auth || !wpa_auth->pmksa)
3869 return 0;
3870
3871 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
3872}
3873
3874
3875struct rsn_pmksa_cache_entry *
3876wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
3877 const u8 *pmkid, int expiration)
3878{
3879 struct rsn_pmksa_cache_entry *entry;
3880 struct os_reltime now;
3881
3882 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
3883 spa, 0, NULL, WPA_KEY_MGMT_SAE);
3884 if (!entry)
3885 return NULL;
3886
3887 os_get_reltime(&now);
3888 entry->expiration = now.sec + expiration;
3889 return entry;
3890}
3891
3892
3893int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
3894 struct rsn_pmksa_cache_entry *entry)
3895{
3896 int ret;
3897
3898 if (!wpa_auth || !wpa_auth->pmksa)
3899 return -1;
3900
3901 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
3902 if (ret < 0)
3903 wpa_printf(MSG_DEBUG,
3904 "RSN: Failed to store external PMKSA cache for "
3905 MACSTR, MAC2STR(entry->spa));
3906
3907 return ret;
3908}
3909
3910#endif /* CONFIG_MESH */
3911#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
3912
3913
9f2cf23e 3914struct rsn_pmksa_cache_entry *
c1bd4bac
JM		 3915wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
3916 const u8 *pmkid)
9f2cf23e
MH		 3917{
3918 if (!wpa_auth || !wpa_auth->pmksa)
3919 return NULL;
c1bd4bac 3920 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
9f2cf23e
MH		 3921}
3922
3923
3924void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
3925 struct wpa_state_machine *sm,
3926 struct wpa_authenticator *wpa_auth,
3927 u8 *pmkid, u8 *pmk)
3928{
3929 if (!sm)
3930 return;
3931
3932 sm->pmksa = pmksa;
8854f90b
JM		 3933 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
3934 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
3935 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
9f2cf23e
MH		 3936}
3937
3938
a0ad9e8c
MB		 3939/*
3940 * Remove and free the group from wpa_authenticator. This is triggered by a
3941 * callback to make sure nobody is currently iterating the group list while it
3942 * gets modified.
3943 */
3944static void wpa_group_free(struct wpa_authenticator *wpa_auth,
3945 struct wpa_group *group)
3946{
3947 struct wpa_group *prev = wpa_auth->group;
3948
3949 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
3950 group->vlan_id);
3951
3952 while (prev) {
3953 if (prev->next == group) {
3954 /* This never frees the special first group as needed */
3955 prev->next = group->next;
3956 os_free(group);
3957 break;
3958 }
3959 prev = prev->next;
3960 }
3961
3962}
3963
3964
3965/* Increase the reference counter for group */
3966static void wpa_group_get(struct wpa_authenticator *wpa_auth,
3967 struct wpa_group *group)
3968{
3969 /* Skip the special first group */
3970 if (wpa_auth->group == group)
3971 return;
3972
3973 group->references++;
3974}
3975
3976
3977/* Decrease the reference counter and maybe free the group */
3978static void wpa_group_put(struct wpa_authenticator *wpa_auth,
3979 struct wpa_group *group)
3980{
3981 /* Skip the special first group */
3982 if (wpa_auth->group == group)
3983 return;
3984
3985 group->references--;
3986 if (group->references)
3987 return;
3988 wpa_group_free(wpa_auth, group);
3989}
3990
3991
3992/*
3993 * Add a group that has its references counter set to zero. Caller needs to
3994 * call wpa_group_get() on the return value to mark the entry in use.
3995 */
6fc6879b
JM		 3996static struct wpa_group *
3997wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
3998{
3999 struct wpa_group *group;
4000
4001 if (wpa_auth == NULL || wpa_auth->group == NULL)
4002 return NULL;
4003
4004 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4005 vlan_id);
bdffdc5d 4006 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 4007 if (group == NULL)
4008 return NULL;
4009
4010 group->next = wpa_auth->group->next;
4011 wpa_auth->group->next = group;
4012
4013 return group;
4014}
4015
4016
7cebc8e2
MB		 4017/*
4018 * Enforce that the group state machine for the VLAN is running, increase
4019 * reference counter as interface is up. References might have been increased
4020 * even if a negative value is returned.
4021 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4022 */
4023int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4024{
4025 struct wpa_group *group;
4026
4027 if (wpa_auth == NULL)
4028 return 0;
4029
4030 group = wpa_auth->group;
4031 while (group) {
4032 if (group->vlan_id == vlan_id)
4033 break;
4034 group = group->next;
4035 }
4036
4037 if (group == NULL) {
4038 group = wpa_auth_add_group(wpa_auth, vlan_id);
4039 if (group == NULL)
4040 return -1;
4041 }
4042
4043 wpa_printf(MSG_DEBUG,
4044 "WPA: Ensure group state machine running for VLAN ID %d",
4045 vlan_id);
4046
4047 wpa_group_get(wpa_auth, group);
4048 group->num_setup_iface++;
4049
4050 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4051 return -1;
4052
4053 return 0;
4054}
4055
4056
4057/*
4058 * Decrease reference counter, expected to be zero afterwards.
4059 * returns: -1 on error (group not found, group in fail state)
4060 * -2 if wpa_group is still referenced
4061 * 0 else
4062 */
4063int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4064{
4065 struct wpa_group *group;
4066 int ret = 0;
4067
4068 if (wpa_auth == NULL)
4069 return 0;
4070
4071 group = wpa_auth->group;
4072 while (group) {
4073 if (group->vlan_id == vlan_id)
4074 break;
4075 group = group->next;
4076 }
4077
4078 if (group == NULL)
4079 return -1;
4080
4081 wpa_printf(MSG_DEBUG,
4082 "WPA: Try stopping group state machine for VLAN ID %d",
4083 vlan_id);
4084
4085 if (group->num_setup_iface <= 0) {
4086 wpa_printf(MSG_ERROR,
4087 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4088 vlan_id);
4089 return -1;
4090 }
4091 group->num_setup_iface--;
4092
4093 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4094 ret = -1;
4095
4096 if (group->references > 1) {
4097 wpa_printf(MSG_DEBUG,
4098 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4099 vlan_id);
4100 ret = -2;
4101 }
4102
4103 wpa_group_put(wpa_auth, group);
4104
4105 return ret;
4106}
4107
4108
6fc6879b
JM		 4109int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4110{
4111 struct wpa_group *group;
4112
4113 if (sm == NULL || sm->wpa_auth == NULL)
4114 return 0;
4115
4116 group = sm->wpa_auth->group;
4117 while (group) {
4118 if (group->vlan_id == vlan_id)
4119 break;
4120 group = group->next;
4121 }
4122
4123 if (group == NULL) {
4124 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4125 if (group == NULL)
4126 return -1;
4127 }
4128
4129 if (sm->group == group)
4130 return 0;
4131
7d7f7be2
JM		 4132 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4133 return -1;
4134
6fc6879b
JM		 4135 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4136 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4137
a0ad9e8c
MB		 4138 wpa_group_get(sm->wpa_auth, group);
4139 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b 4140 sm->group = group;
a0ad9e8c 4141
6fc6879b
JM		 4142 return 0;
4143}
e4bf4db9
JM		 4144
4145
4146void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4147 struct wpa_state_machine *sm, int ack)
4148{
4149 if (wpa_auth == NULL || sm == NULL)
4150 return;
4151 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4152 " ack=%d", MAC2STR(sm->addr), ack);
4153 if (sm->pending_1_of_4_timeout && ack) {
4154 /*
4155 * Some deployed supplicant implementations update their SNonce
4156 * for each EAPOL-Key 2/4 message even within the same 4-way
4157 * handshake and then fail to use the first SNonce when
4158 * deriving the PTK. This results in unsuccessful 4-way
4159 * handshake whenever the relatively short initial timeout is
4160 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4161 * around this by increasing the timeout now that we know that
4162 * the station has received the frame.
4163 */
4164 int timeout_ms = eapol_key_timeout_subseq;
4165 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4166 "timeout by %u ms because of acknowledged frame",
4167 timeout_ms);
4168 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4169 eloop_register_timeout(timeout_ms / 1000,
4170 (timeout_ms % 1000) * 1000,
4171 wpa_send_eapol_timeout, wpa_auth, sm);
4172 }
4173}
c10347f2
JM		 4174
4175
4176int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4177{
4178 if (sm == NULL)
4179 return 0;
4180 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4181}
aa189ac9
JM		 4182
4183
4184int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4185{
4186 if (sm == NULL)
4187 return 0;
4188 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4189}
25ef8529
JM		 4190
4191
4192#ifdef CONFIG_P2P
4193int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4194{
4195 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4196 return -1;
4197 os_memcpy(addr, sm->ip_addr, 4);
4198 return 0;
4199}
4200#endif /* CONFIG_P2P */
cbc210de
JM		 4201
4202
4203int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4204 struct radius_das_attrs *attr)
4205{
4206 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4207}
34782730
JM		 4208
4209
4210void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4211{
4212 struct wpa_group *group;
4213
4214 if (!wpa_auth)
4215 return;
4216 for (group = wpa_auth->group; group; group = group->next)
4217 wpa_group_config_group_keys(wpa_auth, group);
4218}
Unnamed repository; edit this file 'description' to name the repository.