]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/ap/wpa_auth.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
FILS: Add FTE into FILS Authentication frame from AP when using FILS+FT
[thirdparty/hostap.git] / src / ap / wpa_auth.c
CommitLineData
6fc6879b 1/*
00338a4f 2 * IEEE 802.11 RSN / WPA Authenticator
98cd3d1c 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
6226e38d 9#include "utils/includes.h"
6fc6879b 10
6226e38d
JM		 11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "utils/state_machine.h"
25ef8529 14#include "utils/bitfield.h"
81f4f619 15#include "common/ieee802_11_defs.h"
3b5b7aa8 16#include "crypto/aes.h"
03da66bd 17#include "crypto/aes_wrap.h"
3b5b7aa8 18#include "crypto/aes_siv.h"
03da66bd
JM		 19#include "crypto/crypto.h"
20#include "crypto/sha1.h"
21#include "crypto/sha256.h"
3642c431 22#include "crypto/random.h"
281c950b 23#include "eapol_auth/eapol_auth_sm.h"
6226e38d 24#include "ap_config.h"
6fc6879b 25#include "ieee802_11.h"
6226e38d
JM		 26#include "wpa_auth.h"
27#include "pmksa_cache_auth.h"
6fc6879b
JM		 28#include "wpa_auth_i.h"
29#include "wpa_auth_ie.h"
30
31#define STATE_MACHINE_DATA struct wpa_state_machine
32#define STATE_MACHINE_DEBUG_PREFIX "WPA"
33#define STATE_MACHINE_ADDR sm->addr
34
35
36static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
e4a6ea1d 37static int wpa_sm_step(struct wpa_state_machine *sm);
929a2ea5
JM		 38static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
39 size_t data_len);
75c8563e
JM		 40#ifdef CONFIG_FILS
41static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
42 u8 *buf, size_t buf_len, u16 *_key_data_len);
43#endif /* CONFIG_FILS */
6fc6879b
JM		 44static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
45static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
46 struct wpa_group *group);
581a8cde 47static void wpa_request_new_ptk(struct wpa_state_machine *sm);
e6965d4e
JM		 48static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
49 struct wpa_group *group);
1bdb7ab3
JM		 50static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
51 struct wpa_group *group);
f23c5b17 52static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 53 const u8 *pmk, unsigned int pmk_len,
54 struct wpa_ptk *ptk);
a0ad9e8c
MB		 55static void wpa_group_free(struct wpa_authenticator *wpa_auth,
56 struct wpa_group *group);
57static void wpa_group_get(struct wpa_authenticator *wpa_auth,
58 struct wpa_group *group);
59static void wpa_group_put(struct wpa_authenticator *wpa_auth,
60 struct wpa_group *group);
e73ffa09 61static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
6fc6879b 62
bae61562
JM		 63static const u32 eapol_key_timeout_first = 100; /* ms */
64static const u32 eapol_key_timeout_subseq = 1000; /* ms */
00338a4f 65static const u32 eapol_key_timeout_first_group = 500; /* ms */
6fc6879b
JM		 66
67/* TODO: make these configurable */
68static const int dot11RSNAConfigPMKLifetime = 43200;
69static const int dot11RSNAConfigPMKReauthThreshold = 70;
70static const int dot11RSNAConfigSATimeout = 60;
71
72
c772d054 73static inline int wpa_auth_mic_failure_report(
6fc6879b
JM		 74 struct wpa_authenticator *wpa_auth, const u8 *addr)
75{
cef8fac0
JB		 76 if (wpa_auth->cb->mic_failure_report)
77 return wpa_auth->cb->mic_failure_report(wpa_auth->cb_ctx, addr);
c772d054 78 return 0;
6fc6879b
JM		 79}
80
81
2c502460
JM		 82static inline void wpa_auth_psk_failure_report(
83 struct wpa_authenticator *wpa_auth, const u8 *addr)
84{
cef8fac0
JB		 85 if (wpa_auth->cb->psk_failure_report)
86 wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
2c502460
JM		 87}
88
89
6fc6879b
JM		 90static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
91 const u8 *addr, wpa_eapol_variable var,
92 int value)
93{
cef8fac0
JB		 94 if (wpa_auth->cb->set_eapol)
95 wpa_auth->cb->set_eapol(wpa_auth->cb_ctx, addr, var, value);
6fc6879b
JM		 96}
97
98
99static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
100 const u8 *addr, wpa_eapol_variable var)
101{
cef8fac0 102 if (wpa_auth->cb->get_eapol == NULL)
6fc6879b 103 return -1;
cef8fac0 104 return wpa_auth->cb->get_eapol(wpa_auth->cb_ctx, addr, var);
6fc6879b
JM		 105}
106
107
108static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
759fd76b
JM		 109 const u8 *addr,
110 const u8 *p2p_dev_addr,
111 const u8 *prev_psk)
6fc6879b 112{
cef8fac0 113 if (wpa_auth->cb->get_psk == NULL)
6fc6879b 114 return NULL;
cef8fac0
JB		 115 return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
116 prev_psk);
6fc6879b
JM		 117}
118
119
120static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
121 const u8 *addr, u8 *msk, size_t *len)
122{
cef8fac0 123 if (wpa_auth->cb->get_msk == NULL)
6fc6879b 124 return -1;
cef8fac0 125 return wpa_auth->cb->get_msk(wpa_auth->cb_ctx, addr, msk, len);
6fc6879b
JM		 126}
127
128
129static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
130 int vlan_id,
71934751 131 enum wpa_alg alg, const u8 *addr, int idx,
6fc6879b
JM		 132 u8 *key, size_t key_len)
133{
cef8fac0 134 if (wpa_auth->cb->set_key == NULL)
6fc6879b 135 return -1;
cef8fac0
JB		 136 return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
137 key, key_len);
6fc6879b
JM		 138}
139
140
141static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
142 const u8 *addr, int idx, u8 *seq)
143{
cef8fac0 144 if (wpa_auth->cb->get_seqnum == NULL)
6fc6879b 145 return -1;
cef8fac0 146 return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
6fc6879b
JM		 147}
148
149
6fc6879b
JM		 150static inline int
151wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
152 const u8 *data, size_t data_len, int encrypt)
153{
cef8fac0 154 if (wpa_auth->cb->send_eapol == NULL)
6fc6879b 155 return -1;
cef8fac0
JB		 156 return wpa_auth->cb->send_eapol(wpa_auth->cb_ctx, addr, data, data_len,
157 encrypt);
6fc6879b
JM		 158}
159
160
c50d94f1
BC		 161#ifdef CONFIG_MESH
162static inline int wpa_auth_start_ampe(struct wpa_authenticator *wpa_auth,
163 const u8 *addr)
164{
cef8fac0 165 if (wpa_auth->cb->start_ampe == NULL)
c50d94f1 166 return -1;
cef8fac0 167 return wpa_auth->cb->start_ampe(wpa_auth->cb_ctx, addr);
c50d94f1
BC		 168}
169#endif /* CONFIG_MESH */
170
171
6fc6879b
JM		 172int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
173 int (*cb)(struct wpa_state_machine *sm, void *ctx),
174 void *cb_ctx)
175{
cef8fac0 176 if (wpa_auth->cb->for_each_sta == NULL)
6fc6879b 177 return 0;
cef8fac0 178 return wpa_auth->cb->for_each_sta(wpa_auth->cb_ctx, cb, cb_ctx);
6fc6879b
JM		 179}
180
181
bf98f7f3
JM		 182int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
183 int (*cb)(struct wpa_authenticator *a, void *ctx),
184 void *cb_ctx)
185{
cef8fac0 186 if (wpa_auth->cb->for_each_auth == NULL)
bf98f7f3 187 return 0;
cef8fac0 188 return wpa_auth->cb->for_each_auth(wpa_auth->cb_ctx, cb, cb_ctx);
bf98f7f3
JM		 189}
190
191
6fc6879b
JM		 192void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
193 logger_level level, const char *txt)
194{
cef8fac0 195 if (wpa_auth->cb->logger == NULL)
6fc6879b 196 return;
cef8fac0 197 wpa_auth->cb->logger(wpa_auth->cb_ctx, addr, level, txt);
6fc6879b
JM		 198}
199
200
201void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
202 logger_level level, const char *fmt, ...)
203{
204 char *format;
205 int maxlen;
206 va_list ap;
207
cef8fac0 208 if (wpa_auth->cb->logger == NULL)
6fc6879b
JM		 209 return;
210
211 maxlen = os_strlen(fmt) + 100;
212 format = os_malloc(maxlen);
213 if (!format)
214 return;
215
216 va_start(ap, fmt);
217 vsnprintf(format, maxlen, fmt, ap);
218 va_end(ap);
219
220 wpa_auth_logger(wpa_auth, addr, level, format);
221
222 os_free(format);
223}
224
225
226static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
227 const u8 *addr)
228{
cef8fac0 229 if (wpa_auth->cb->disconnect == NULL)
6fc6879b 230 return;
afcc9ea1 231 wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
cef8fac0
JB		 232 wpa_auth->cb->disconnect(wpa_auth->cb_ctx, addr,
233 WLAN_REASON_PREV_AUTH_NOT_VALID);
6fc6879b
JM		 234}
235
236
237static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
238{
56586197 239 int ret = 0;
4ec1fd8e 240#ifdef CONFIG_IEEE80211R_AP
56586197
JM		 241 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
242 ret = 1;
4ec1fd8e 243#endif /* CONFIG_IEEE80211R_AP */
56586197
JM		 244#ifdef CONFIG_IEEE80211W
245 if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
246 ret = 1;
247#endif /* CONFIG_IEEE80211W */
a14896e8
JM		 248 if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
249 ret = 1;
56586197 250 return ret;
6fc6879b
JM		 251}
252
253
254static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
255{
256 struct wpa_authenticator *wpa_auth = eloop_ctx;
257
3642c431 258 if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
6fc6879b
JM		 259 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
260 "initialization.");
261 } else {
262 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
5cb9d5c3
JM		 263 wpa_hexdump_key(MSG_DEBUG, "GMK",
264 wpa_auth->group->GMK, WPA_GMK_LEN);
6fc6879b
JM		 265 }
266
267 if (wpa_auth->conf.wpa_gmk_rekey) {
268 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
269 wpa_rekey_gmk, wpa_auth, NULL);
270 }
271}
272
273
274static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
275{
276 struct wpa_authenticator *wpa_auth = eloop_ctx;
a0ad9e8c 277 struct wpa_group *group, *next;
6fc6879b
JM		 278
279 wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
a0ad9e8c
MB		 280 group = wpa_auth->group;
281 while (group) {
282 wpa_group_get(wpa_auth, group);
283
6fc6879b
JM		 284 group->GTKReKey = TRUE;
285 do {
286 group->changed = FALSE;
287 wpa_group_sm_step(wpa_auth, group);
288 } while (group->changed);
a0ad9e8c
MB		 289
290 next = group->next;
291 wpa_group_put(wpa_auth, group);
292 group = next;
6fc6879b
JM		 293 }
294
295 if (wpa_auth->conf.wpa_group_rekey) {
296 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
297 0, wpa_rekey_gtk, wpa_auth, NULL);
298 }
299}
300
301
581a8cde
JM		 302static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
303{
304 struct wpa_authenticator *wpa_auth = eloop_ctx;
305 struct wpa_state_machine *sm = timeout_ctx;
306
307 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
308 wpa_request_new_ptk(sm);
309 wpa_sm_step(sm);
310}
311
312
6fc6879b
JM		 313static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
314{
315 if (sm->pmksa == ctx)
316 sm->pmksa = NULL;
317 return 0;
318}
319
320
321static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
322 void *ctx)
323{
324 struct wpa_authenticator *wpa_auth = ctx;
325 wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
326}
327
328
1bdb7ab3
JM		 329static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
330 struct wpa_group *group)
331{
559cdabb 332 u8 buf[ETH_ALEN + 8 + sizeof(unsigned long)];
1bdb7ab3 333 u8 rkey[32];
559cdabb 334 unsigned long ptr;
1bdb7ab3 335
3642c431 336 if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
1bdb7ab3
JM		 337 return -1;
338 wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
339
340 /*
341 * Counter = PRF-256(Random number, "Init Counter",
342 * Local MAC Address || Time)
343 */
344 os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
345 wpa_get_ntp_timestamp(buf + ETH_ALEN);
559cdabb
JM		 346 ptr = (unsigned long) group;
347 os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
3642c431 348 if (random_get_bytes(rkey, sizeof(rkey)) < 0)
1bdb7ab3
JM		 349 return -1;
350
351 if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
352 group->Counter, WPA_NONCE_LEN) < 0)
353 return -1;
354 wpa_hexdump_key(MSG_DEBUG, "Key Counter",
355 group->Counter, WPA_NONCE_LEN);
356
357 return 0;
358}
359
360
e6965d4e 361static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
bdffdc5d 362 int vlan_id, int delay_init)
e6965d4e
JM		 363{
364 struct wpa_group *group;
e6965d4e
JM		 365
366 group = os_zalloc(sizeof(struct wpa_group));
367 if (group == NULL)
368 return NULL;
369
370 group->GTKAuthenticator = TRUE;
371 group->vlan_id = vlan_id;
c3550295 372 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
6fc6879b 373
08704cd8
JM		 374 if (random_pool_ready() != 1) {
375 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
376 "for secure operations - update keys later when "
377 "the first station connects");
378 }
379
1bdb7ab3
JM		 380 /*
381 * Set initial GMK/Counter value here. The actual values that will be
382 * used in negotiations will be set once the first station tries to
383 * connect. This allows more time for collecting additional randomness
384 * on embedded devices.
6fc6879b 385 */
1bdb7ab3 386 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
6fc6879b
JM		 387 wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
388 "initialization.");
389 os_free(group);
390 return NULL;
391 }
6fc6879b
JM		 392
393 group->GInit = TRUE;
bdffdc5d
JM		 394 if (delay_init) {
395 wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
396 "until Beacon frames have been configured");
397 /* Initialization is completed in wpa_init_keys(). */
398 } else {
399 wpa_group_sm_step(wpa_auth, group);
400 group->GInit = FALSE;
401 wpa_group_sm_step(wpa_auth, group);
402 }
6fc6879b
JM		 403
404 return group;
405}
406
407
408/**
409 * wpa_init - Initialize WPA authenticator
410 * @addr: Authenticator address
411 * @conf: Configuration for WPA authenticator
a17df5fb 412 * @cb: Callback functions for WPA authenticator
6fc6879b
JM		 413 * Returns: Pointer to WPA authenticator data or %NULL on failure
414 */
415struct wpa_authenticator * wpa_init(const u8 *addr,
416 struct wpa_auth_config *conf,
cef8fac0
JB		 417 const struct wpa_auth_callbacks *cb,
418 void *cb_ctx)
6fc6879b
JM		 419{
420 struct wpa_authenticator *wpa_auth;
421
422 wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
423 if (wpa_auth == NULL)
424 return NULL;
425 os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
426 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
cef8fac0
JB		 427 wpa_auth->cb = cb;
428 wpa_auth->cb_ctx = cb_ctx;
6fc6879b
JM		 429
430 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
431 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
432 os_free(wpa_auth);
433 return NULL;
434 }
435
bdffdc5d 436 wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
6fc6879b
JM		 437 if (wpa_auth->group == NULL) {
438 os_free(wpa_auth->wpa_ie);
439 os_free(wpa_auth);
440 return NULL;
441 }
442
4bb081f1
JM		 443 wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
444 wpa_auth);
6fc6879b
JM		 445 if (wpa_auth->pmksa == NULL) {
446 wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
27d9701d 447 os_free(wpa_auth->group);
6fc6879b
JM		 448 os_free(wpa_auth->wpa_ie);
449 os_free(wpa_auth);
450 return NULL;
451 }
452
4ec1fd8e 453#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 454 wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
455 if (wpa_auth->ft_pmk_cache == NULL) {
456 wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
27d9701d 457 os_free(wpa_auth->group);
6fc6879b 458 os_free(wpa_auth->wpa_ie);
4bb081f1 459 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b
JM		 460 os_free(wpa_auth);
461 return NULL;
462 }
4ec1fd8e 463#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 464
465 if (wpa_auth->conf.wpa_gmk_rekey) {
466 eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
467 wpa_rekey_gmk, wpa_auth, NULL);
468 }
469
470 if (wpa_auth->conf.wpa_group_rekey) {
471 eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
472 wpa_rekey_gtk, wpa_auth, NULL);
473 }
474
25ef8529
JM		 475#ifdef CONFIG_P2P
476 if (WPA_GET_BE32(conf->ip_addr_start)) {
477 int count = WPA_GET_BE32(conf->ip_addr_end) -
478 WPA_GET_BE32(conf->ip_addr_start) + 1;
479 if (count > 1000)
480 count = 1000;
481 if (count > 0)
482 wpa_auth->ip_pool = bitfield_alloc(count);
483 }
484#endif /* CONFIG_P2P */
485
6fc6879b
JM		 486 return wpa_auth;
487}
488
489
bdffdc5d
JM		 490int wpa_init_keys(struct wpa_authenticator *wpa_auth)
491{
492 struct wpa_group *group = wpa_auth->group;
493
494 wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
495 "keys");
496 wpa_group_sm_step(wpa_auth, group);
497 group->GInit = FALSE;
498 wpa_group_sm_step(wpa_auth, group);
7d7f7be2
JM		 499 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
500 return -1;
bdffdc5d
JM		 501 return 0;
502}
503
504
6fc6879b
JM		 505/**
506 * wpa_deinit - Deinitialize WPA authenticator
507 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
508 */
509void wpa_deinit(struct wpa_authenticator *wpa_auth)
510{
511 struct wpa_group *group, *prev;
512
513 eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
514 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
515
4bb081f1 516 pmksa_cache_auth_deinit(wpa_auth->pmksa);
6fc6879b 517
4ec1fd8e 518#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 519 wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
520 wpa_auth->ft_pmk_cache = NULL;
4ec1fd8e 521#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 522
25ef8529
JM		 523#ifdef CONFIG_P2P
524 bitfield_free(wpa_auth->ip_pool);
525#endif /* CONFIG_P2P */
526
527
6fc6879b
JM		 528 os_free(wpa_auth->wpa_ie);
529
530 group = wpa_auth->group;
531 while (group) {
532 prev = group;
533 group = group->next;
534 os_free(prev);
535 }
536
537 os_free(wpa_auth);
538}
539
540
541/**
542 * wpa_reconfig - Update WPA authenticator configuration
543 * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
544 * @conf: Configuration for WPA authenticator
545 */
546int wpa_reconfig(struct wpa_authenticator *wpa_auth,
547 struct wpa_auth_config *conf)
548{
e6965d4e 549 struct wpa_group *group;
6fc6879b
JM		 550 if (wpa_auth == NULL)
551 return 0;
552
553 os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
ad08c363
JM		 554 if (wpa_auth_gen_wpa_ie(wpa_auth)) {
555 wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
556 return -1;
557 }
558
e6965d4e
JM		 559 /*
560 * Reinitialize GTK to make sure it is suitable for the new
561 * configuration.
562 */
563 group = wpa_auth->group;
c3550295 564 group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
e6965d4e
JM		 565 group->GInit = TRUE;
566 wpa_group_sm_step(wpa_auth, group);
567 group->GInit = FALSE;
568 wpa_group_sm_step(wpa_auth, group);
569
6fc6879b
JM		 570 return 0;
571}
572
573
574struct wpa_state_machine *
94ddef3e
JM		 575wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr,
576 const u8 *p2p_dev_addr)
6fc6879b
JM		 577{
578 struct wpa_state_machine *sm;
579
7d7f7be2
JM		 580 if (wpa_auth->group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
581 return NULL;
582
6fc6879b
JM		 583 sm = os_zalloc(sizeof(struct wpa_state_machine));
584 if (sm == NULL)
585 return NULL;
586 os_memcpy(sm->addr, addr, ETH_ALEN);
94ddef3e
JM		 587 if (p2p_dev_addr)
588 os_memcpy(sm->p2p_dev_addr, p2p_dev_addr, ETH_ALEN);
6fc6879b
JM		 589
590 sm->wpa_auth = wpa_auth;
591 sm->group = wpa_auth->group;
a0ad9e8c 592 wpa_group_get(sm->wpa_auth, sm->group);
6fc6879b
JM		 593
594 return sm;
595}
596
597
6f9b5d16
JM		 598int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
599 struct wpa_state_machine *sm)
6fc6879b
JM		 600{
601 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
6f9b5d16 602 return -1;
6fc6879b 603
4ec1fd8e 604#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 605 if (sm->ft_completed) {
606 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
607 "FT authentication already completed - do not "
608 "start 4-way handshake");
3d4d2348
JM		 609 /* Go to PTKINITDONE state to allow GTK rekeying */
610 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 611 sm->Pair = TRUE;
6f9b5d16 612 return 0;
6fc6879b 613 }
4ec1fd8e 614#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 615
07e0117d
JM		 616#ifdef CONFIG_FILS
617 if (sm->fils_completed) {
618 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
619 "FILS authentication already completed - do not start 4-way handshake");
620 /* Go to PTKINITDONE state to allow GTK rekeying */
621 sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
3bbc4705 622 sm->Pair = TRUE;
07e0117d
JM		 623 return 0;
624 }
625#endif /* CONFIG_FILS */
626
6fc6879b 627 if (sm->started) {
22a299ee 628 os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
6fc6879b 629 sm->ReAuthenticationRequest = TRUE;
6f9b5d16 630 return wpa_sm_step(sm);
6fc6879b
JM		 631 }
632
633 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
634 "start authentication");
635 sm->started = 1;
636
637 sm->Init = TRUE;
e4a6ea1d 638 if (wpa_sm_step(sm) == 1)
6f9b5d16 639 return 1; /* should not really happen */
6fc6879b
JM		 640 sm->Init = FALSE;
641 sm->AuthenticationRequest = TRUE;
6f9b5d16 642 return wpa_sm_step(sm);
6fc6879b
JM		 643}
644
645
a8d05fca
JM		 646void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
647{
648 /* WPA/RSN was not used - clear WPA state. This is needed if the STA
649 * reassociates back to the same AP while the previous entry for the
650 * STA has not yet been removed. */
651 if (sm == NULL)
652 return;
653
654 sm->wpa_key_mgmt = 0;
655}
656
657
6fc6879b
JM		 658static void wpa_free_sta_sm(struct wpa_state_machine *sm)
659{
25ef8529
JM		 660#ifdef CONFIG_P2P
661 if (WPA_GET_BE32(sm->ip_addr)) {
662 u32 start;
663 wpa_printf(MSG_DEBUG, "P2P: Free assigned IP "
664 "address %u.%u.%u.%u from " MACSTR,
665 sm->ip_addr[0], sm->ip_addr[1],
666 sm->ip_addr[2], sm->ip_addr[3],
667 MAC2STR(sm->addr));
668 start = WPA_GET_BE32(sm->wpa_auth->conf.ip_addr_start);
669 bitfield_clear(sm->wpa_auth->ip_pool,
670 WPA_GET_BE32(sm->ip_addr) - start);
671 }
672#endif /* CONFIG_P2P */
2ade8ef2
JM		 673 if (sm->GUpdateStationKeys) {
674 sm->group->GKeyDoneStations--;
675 sm->GUpdateStationKeys = FALSE;
676 }
4ec1fd8e 677#ifdef CONFIG_IEEE80211R_AP
0f857f43 678 os_free(sm->assoc_resp_ftie);
692ec305 679 wpabuf_free(sm->ft_pending_req_ies);
4ec1fd8e 680#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 681 os_free(sm->last_rx_eapol_key);
682 os_free(sm->wpa_ie);
a0ad9e8c 683 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b
JM		 684 os_free(sm);
685}
686
687
688void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
689{
690 if (sm == NULL)
691 return;
692
693 if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
694 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
695 "strict rekeying - force GTK rekey since STA "
696 "is leaving");
697 eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
698 eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
699 NULL);
700 }
701
702 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
e4bf4db9 703 sm->pending_1_of_4_timeout = 0;
6fc6879b 704 eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
581a8cde 705 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 706 if (sm->in_step_loop) {
707 /* Must not free state machine while wpa_sm_step() is running.
708 * Freeing will be completed in the end of wpa_sm_step(). */
709 wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
710 "machine deinit for " MACSTR, MAC2STR(sm->addr));
711 sm->pending_deinit = 1;
712 } else
713 wpa_free_sta_sm(sm);
714}
715
716
717static void wpa_request_new_ptk(struct wpa_state_machine *sm)
718{
719 if (sm == NULL)
720 return;
721
722 sm->PTKRequest = TRUE;
723 sm->PTK_valid = 0;
724}
725
726
68921e24 727static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
22a299ee
JM		 728 const u8 *replay_counter)
729{
730 int i;
731 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
68921e24 732 if (!ctr[i].valid)
22a299ee 733 break;
68921e24 734 if (os_memcmp(replay_counter, ctr[i].counter,
22a299ee
JM		 735 WPA_REPLAY_COUNTER_LEN) == 0)
736 return 1;
737 }
738 return 0;
739}
740
741
68921e24
JM		 742static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
743 const u8 *replay_counter)
744{
745 int i;
746 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
747 if (ctr[i].valid &&
748 (replay_counter == NULL ||
749 os_memcmp(replay_counter, ctr[i].counter,
750 WPA_REPLAY_COUNTER_LEN) == 0))
751 ctr[i].valid = FALSE;
752 }
753}
754
755
4ec1fd8e 756#ifdef CONFIG_IEEE80211R_AP
0f857f43
JM		 757static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
758 struct wpa_state_machine *sm,
759 struct wpa_eapol_ie_parse *kde)
760{
761 struct wpa_ie_data ie;
762 struct rsn_mdie *mdie;
763
764 if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
765 ie.num_pmkid != 1 || ie.pmkid == NULL) {
766 wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
767 "FT 4-way handshake message 2/4");
768 return -1;
769 }
770
771 os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
772 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
773 sm->sup_pmk_r1_name, PMKID_LEN);
774
775 if (!kde->mdie || !kde->ftie) {
776 wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
777 "message 2/4", kde->mdie ? "FTIE" : "MDIE");
778 return -1;
779 }
780
781 mdie = (struct rsn_mdie *) (kde->mdie + 2);
782 if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
783 os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
784 MOBILITY_DOMAIN_ID_LEN) != 0) {
785 wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
786 return -1;
787 }
788
789 if (sm->assoc_resp_ftie &&
790 (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
791 os_memcmp(kde->ftie, sm->assoc_resp_ftie,
792 2 + sm->assoc_resp_ftie[1]) != 0)) {
793 wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
794 wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
795 kde->ftie, kde->ftie_len);
796 wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
797 sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
798 return -1;
799 }
800
801 return 0;
802}
4ec1fd8e 803#endif /* CONFIG_IEEE80211R_AP */
0f857f43
JM		 804
805
c772d054
JM		 806static int wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
807 struct wpa_state_machine *sm, int group)
ec027805
JM		 808{
809 /* Supplicant reported a Michael MIC error */
810 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
811 "received EAPOL-Key Error Request "
812 "(STA detected Michael MIC failure (group=%d))",
813 group);
fbc72d32
JM		 814
815 if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
816 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
817 "ignore Michael MIC failure report since "
818 "group cipher is not TKIP");
819 } else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
820 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
821 "ignore Michael MIC failure report since "
822 "pairwise cipher is not TKIP");
823 } else {
c772d054
JM		 824 if (wpa_auth_mic_failure_report(wpa_auth, sm->addr) > 0)
825 return 1; /* STA entry was removed */
fbc72d32
JM		 826 sm->dot11RSNAStatsTKIPRemoteMICFailures++;
827 wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
828 }
ec027805
JM		 829
830 /*
831 * Error report is not a request for a new key handshake, but since
832 * Authenticator may do it, let's change the keys now anyway.
833 */
834 wpa_request_new_ptk(sm);
c772d054 835 return 0;
ec027805
JM		 836}
837
838
f23c5b17
JM		 839static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
840 size_t data_len)
841{
842 struct wpa_ptk PTK;
843 int ok = 0;
844 const u8 *pmk = NULL;
207976f0 845 unsigned int pmk_len;
f23c5b17 846
b729fd8d 847 os_memset(&PTK, 0, sizeof(PTK));
f23c5b17
JM		 848 for (;;) {
849 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
850 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
851 sm->p2p_dev_addr, pmk);
852 if (pmk == NULL)
853 break;
207976f0
JM		 854 pmk_len = PMK_LEN;
855 } else {
f23c5b17 856 pmk = sm->PMK;
207976f0
JM		 857 pmk_len = sm->pmk_len;
858 }
f23c5b17 859
364c064a
JM		 860 if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK) < 0)
861 break;
f23c5b17
JM		 862
863 if (wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK, data, data_len)
864 == 0) {
865 ok = 1;
866 break;
867 }
868
869 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
870 break;
871 }
872
873 if (!ok) {
874 wpa_printf(MSG_DEBUG,
875 "WPA: Earlier SNonce did not result in matching MIC");
876 return -1;
877 }
878
879 wpa_printf(MSG_DEBUG,
880 "WPA: Earlier SNonce resulted in matching MIC");
881 sm->alt_snonce_valid = 0;
882 os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
883 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
884 sm->PTK_valid = TRUE;
885
886 return 0;
887}
888
889
6fc6879b
JM		 890void wpa_receive(struct wpa_authenticator *wpa_auth,
891 struct wpa_state_machine *sm,
892 u8 *data, size_t data_len)
893{
894 struct ieee802_1x_hdr *hdr;
895 struct wpa_eapol_key *key;
896 u16 key_info, key_data_length;
897 enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
898 SMK_M1, SMK_M3, SMK_ERROR } msg;
899 char *msgtxt;
900 struct wpa_eapol_ie_parse kde;
3b5b7aa8
JM		 901 const u8 *key_data;
902 size_t keyhdrlen, mic_len;
6d014ffc 903 u8 *mic;
6fc6879b
JM		 904
905 if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
906 return;
dc5bad48 907 wpa_hexdump(MSG_MSGDUMP, "WPA: RX EAPOL data", data, data_len);
6fc6879b 908
5e3b5197 909 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
6d014ffc 910 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197 911
dc5bad48
JM		 912 if (data_len < sizeof(*hdr) + keyhdrlen) {
913 wpa_printf(MSG_DEBUG, "WPA: Ignore too short EAPOL-Key frame");
6fc6879b 914 return;
dc5bad48 915 }
6fc6879b
JM		 916
917 hdr = (struct ieee802_1x_hdr *) data;
918 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 919 mic = (u8 *) (key + 1);
6fc6879b 920 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 921 key_data = mic + mic_len + 2;
922 key_data_length = WPA_GET_BE16(mic + mic_len);
0d442aff 923 wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
dc5bad48
JM		 924 " key_info=0x%x type=%u mic_len=%u key_data_length=%u",
925 MAC2STR(sm->addr), key_info, key->type,
926 (unsigned int) mic_len, key_data_length);
927 wpa_hexdump(MSG_MSGDUMP,
928 "WPA: EAPOL-Key header (ending before Key MIC)",
929 key, sizeof(*key));
930 wpa_hexdump(MSG_MSGDUMP, "WPA: EAPOL-Key Key MIC",
931 mic, mic_len);
5e3b5197 932 if (key_data_length > data_len - sizeof(*hdr) - keyhdrlen) {
6fc6879b
JM		 933 wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
934 "key_data overflow (%d > %lu)",
935 key_data_length,
936 (unsigned long) (data_len - sizeof(*hdr) -
5e3b5197 937 keyhdrlen));
6fc6879b
JM		 938 return;
939 }
940
f8e96eb6 941 if (sm->wpa == WPA_VERSION_WPA2) {
74590e71
JM		 942 if (key->type == EAPOL_KEY_TYPE_WPA) {
943 /*
944 * Some deployed station implementations seem to send
945 * msg 4/4 with incorrect type value in WPA2 mode.
946 */
947 wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
948 "with unexpected WPA type in RSN mode");
949 } else if (key->type != EAPOL_KEY_TYPE_RSN) {
f8e96eb6
JM		 950 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
951 "unexpected type %d in RSN mode",
952 key->type);
953 return;
954 }
955 } else {
956 if (key->type != EAPOL_KEY_TYPE_WPA) {
957 wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
958 "unexpected type %d in WPA mode",
959 key->type);
960 return;
961 }
962 }
963
bc8318ac
JM		 964 wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
965 WPA_NONCE_LEN);
966 wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
967 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
968
6fc6879b
JM		 969 /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
970 * are set */
971
972 if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
973 (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
974 if (key_info & WPA_KEY_INFO_ERROR) {
975 msg = SMK_ERROR;
976 msgtxt = "SMK Error";
977 } else {
978 msg = SMK_M1;
979 msgtxt = "SMK M1";
980 }
981 } else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
982 msg = SMK_M3;
983 msgtxt = "SMK M3";
984 } else if (key_info & WPA_KEY_INFO_REQUEST) {
985 msg = REQUEST;
986 msgtxt = "Request";
987 } else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
988 msg = GROUP_2;
989 msgtxt = "2/2 Group";
3b5b7aa8
JM		 990 } else if (key_data_length == 0 ||
991 (mic_len == 0 && (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) &&
992 key_data_length == AES_BLOCK_SIZE)) {
6fc6879b
JM		 993 msg = PAIRWISE_4;
994 msgtxt = "4/4 Pairwise";
995 } else {
996 msg = PAIRWISE_2;
997 msgtxt = "2/4 Pairwise";
998 }
999
1000 /* TODO: key_info type validation for PeerKey */
1001 if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
1002 msg == GROUP_2) {
1003 u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
eb7719ff
JM		 1004 if (sm->pairwise == WPA_CIPHER_CCMP ||
1005 sm->pairwise == WPA_CIPHER_GCMP) {
6fc6879b 1006 if (wpa_use_aes_cmac(sm) &&
a14896e8 1007 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
929a2ea5 1008 !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
b9866483 1009 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
6fc6879b
JM		 1010 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1011 wpa_auth_logger(wpa_auth, sm->addr,
1012 LOGGER_WARNING,
1013 "advertised support for "
1014 "AES-128-CMAC, but did not "
1015 "use it");
1016 return;
1017 }
1018
1019 if (!wpa_use_aes_cmac(sm) &&
2449791b 1020 !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
07a5fe82 1021 sm->wpa_key_mgmt != WPA_KEY_MGMT_OWE &&
6fc6879b
JM		 1022 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
1023 wpa_auth_logger(wpa_auth, sm->addr,
1024 LOGGER_WARNING,
1025 "did not use HMAC-SHA1-AES "
eb7719ff 1026 "with CCMP/GCMP");
6fc6879b
JM		 1027 return;
1028 }
1029 }
929a2ea5 1030
2449791b 1031 if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
07a5fe82
JM		 1032 wpa_key_mgmt_fils(sm->wpa_key_mgmt) ||
1033 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) &&
929a2ea5
JM		 1034 ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
1035 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1036 "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
1037 return;
1038 }
6fc6879b
JM		 1039 }
1040
1041 if (key_info & WPA_KEY_INFO_REQUEST) {
1042 if (sm->req_replay_counter_used &&
1043 os_memcmp(key->replay_counter, sm->req_replay_counter,
1044 WPA_REPLAY_COUNTER_LEN) <= 0) {
1045 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
1046 "received EAPOL-Key request with "
1047 "replayed counter");
1048 return;
1049 }
1050 }
1051
1052 if (!(key_info & WPA_KEY_INFO_REQUEST) &&
68921e24 1053 !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
22a299ee 1054 int i;
68921e24
JM		 1055
1056 if (msg == PAIRWISE_2 &&
1057 wpa_replay_counter_valid(sm->prev_key_replay,
1058 key->replay_counter) &&
1059 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1060 os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
1061 {
1062 /*
1063 * Some supplicant implementations (e.g., Windows XP
1064 * WZC) update SNonce for each EAPOL-Key 2/4. This
1065 * breaks the workaround on accepting any of the
1066 * pending requests, so allow the SNonce to be updated
1067 * even if we have already sent out EAPOL-Key 3/4.
1068 */
1069 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1070 "Process SNonce update from STA "
1071 "based on retransmitted EAPOL-Key "
1072 "1/4");
1073 sm->update_snonce = 1;
f23c5b17
JM		 1074 os_memcpy(sm->alt_SNonce, sm->SNonce, WPA_NONCE_LEN);
1075 sm->alt_snonce_valid = TRUE;
1076 os_memcpy(sm->alt_replay_counter,
1077 sm->key_replay[0].counter,
1078 WPA_REPLAY_COUNTER_LEN);
1079 goto continue_processing;
1080 }
1081
1082 if (msg == PAIRWISE_4 && sm->alt_snonce_valid &&
1083 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
1084 os_memcmp(key->replay_counter, sm->alt_replay_counter,
1085 WPA_REPLAY_COUNTER_LEN) == 0) {
1086 /*
1087 * Supplicant may still be using the old SNonce since
1088 * there was two EAPOL-Key 2/4 messages and they had
1089 * different SNonce values.
1090 */
1091 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1092 "Try to process received EAPOL-Key 4/4 based on old Replay Counter and SNonce from an earlier EAPOL-Key 1/4");
68921e24
JM		 1093 goto continue_processing;
1094 }
1095
1096 if (msg == PAIRWISE_2 &&
1097 wpa_replay_counter_valid(sm->prev_key_replay,
1098 key->replay_counter) &&
1099 sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
1100 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1101 "ignore retransmitted EAPOL-Key %s - "
1102 "SNonce did not change", msgtxt);
1103 } else {
1104 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1105 "received EAPOL-Key %s with "
1106 "unexpected replay counter", msgtxt);
1107 }
22a299ee
JM		 1108 for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
1109 if (!sm->key_replay[i].valid)
1110 break;
1111 wpa_hexdump(MSG_DEBUG, "pending replay counter",
1112 sm->key_replay[i].counter,
1113 WPA_REPLAY_COUNTER_LEN);
1114 }
6fc6879b
JM		 1115 wpa_hexdump(MSG_DEBUG, "received replay counter",
1116 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
1117 return;
1118 }
1119
68921e24 1120continue_processing:
3b5b7aa8
JM		 1121#ifdef CONFIG_FILS
1122 if (sm->wpa == WPA_VERSION_WPA2 && mic_len == 0 &&
1123 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
1124 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1125 "WPA: Encr Key Data bit not set even though AEAD cipher is supposed to be used - drop frame");
1126 return;
1127 }
1128#endif /* CONFIG_FILS */
1129
6fc6879b
JM		 1130 switch (msg) {
1131 case PAIRWISE_2:
1132 if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
68921e24
JM		 1133 sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
1134 (!sm->update_snonce ||
1135 sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
6fc6879b
JM		 1136 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1137 "received EAPOL-Key msg 2/4 in "
1138 "invalid state (%d) - dropped",
1139 sm->wpa_ptk_state);
1140 return;
1141 }
bbb921da 1142 random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
08704cd8
JM		 1143 if (sm->group->reject_4way_hs_for_entropy) {
1144 /*
1145 * The system did not have enough entropy to generate
1146 * strong random numbers. Reject the first 4-way
1147 * handshake(s) and collect some entropy based on the
1148 * information from it. Once enough entropy is
1149 * available, the next atempt will trigger GMK/Key
1150 * Counter update and the station will be allowed to
1151 * continue.
1152 */
1153 wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
1154 "collect more entropy for random number "
1155 "generation");
08704cd8 1156 random_mark_pool_ready();
08704cd8
JM		 1157 wpa_sta_disconnect(wpa_auth, sm->addr);
1158 return;
1159 }
6fc6879b
JM		 1160 break;
1161 case PAIRWISE_4:
1162 if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
1163 !sm->PTK_valid) {
1164 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1165 "received EAPOL-Key msg 4/4 in "
1166 "invalid state (%d) - dropped",
1167 sm->wpa_ptk_state);
1168 return;
1169 }
1170 break;
1171 case GROUP_2:
1172 if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1173 || !sm->PTK_valid) {
1174 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1175 "received EAPOL-Key msg 2/2 in "
1176 "invalid state (%d) - dropped",
1177 sm->wpa_ptk_group_state);
1178 return;
1179 }
1180 break;
1181#ifdef CONFIG_PEERKEY
1182 case SMK_M1:
1183 case SMK_M3:
1184 case SMK_ERROR:
1185 if (!wpa_auth->conf.peerkey) {
1186 wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1187 "PeerKey use disabled - ignoring message");
1188 return;
1189 }
1190 if (!sm->PTK_valid) {
1191 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1192 "received EAPOL-Key msg SMK in "
1193 "invalid state - dropped");
1194 return;
1195 }
1196 break;
1197#else /* CONFIG_PEERKEY */
1198 case SMK_M1:
1199 case SMK_M3:
1200 case SMK_ERROR:
1201 return; /* STSL disabled - ignore SMK messages */
1202#endif /* CONFIG_PEERKEY */
1203 case REQUEST:
1204 break;
1205 }
1206
1207 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1208 "received EAPOL-Key frame (%s)", msgtxt);
1209
1210 if (key_info & WPA_KEY_INFO_ACK) {
1211 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1212 "received invalid EAPOL-Key: Key Ack set");
1213 return;
1214 }
1215
b9866483
JM		 1216 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1217 !(key_info & WPA_KEY_INFO_MIC)) {
6fc6879b
JM		 1218 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1219 "received invalid EAPOL-Key: Key MIC not set");
1220 return;
1221 }
1222
b9866483
JM		 1223#ifdef CONFIG_FILS
1224 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1225 (key_info & WPA_KEY_INFO_MIC)) {
1226 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1227 "received invalid EAPOL-Key: Key MIC set");
1228 return;
1229 }
1230#endif /* CONFIG_FILS */
1231
6fc6879b 1232 sm->MICVerified = FALSE;
68921e24 1233 if (sm->PTK_valid && !sm->update_snonce) {
3b5b7aa8
JM		 1234 if (mic_len &&
1235 wpa_verify_key_mic(sm->wpa_key_mgmt, &sm->PTK, data,
f23c5b17
JM		 1236 data_len) &&
1237 (msg != PAIRWISE_4 || !sm->alt_snonce_valid ||
1238 wpa_try_alt_snonce(sm, data, data_len))) {
6fc6879b
JM		 1239 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1240 "received EAPOL-Key with invalid MIC");
1241 return;
1242 }
75c8563e
JM		 1243#ifdef CONFIG_FILS
1244 if (!mic_len &&
1245 wpa_aead_decrypt(sm, &sm->PTK, data, data_len,
1246 &key_data_length) < 0) {
1247 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1248 "received EAPOL-Key with invalid MIC");
1249 return;
1250 }
1251#endif /* CONFIG_FILS */
6fc6879b
JM		 1252 sm->MICVerified = TRUE;
1253 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
e4bf4db9 1254 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1255 }
1256
1257 if (key_info & WPA_KEY_INFO_REQUEST) {
1258 if (sm->MICVerified) {
1259 sm->req_replay_counter_used = 1;
1260 os_memcpy(sm->req_replay_counter, key->replay_counter,
1261 WPA_REPLAY_COUNTER_LEN);
1262 } else {
1263 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1264 "received EAPOL-Key request with "
1265 "invalid MIC");
1266 return;
1267 }
1268
1269 /*
1270 * TODO: should decrypt key data field if encryption was used;
1271 * even though MAC address KDE is not normally encrypted,
1272 * supplicant is allowed to encrypt it.
1273 */
1274 if (msg == SMK_ERROR) {
1275#ifdef CONFIG_PEERKEY
5e3b5197 1276 wpa_smk_error(wpa_auth, sm, key_data, key_data_length);
6fc6879b
JM		 1277#endif /* CONFIG_PEERKEY */
1278 return;
1279 } else if (key_info & WPA_KEY_INFO_ERROR) {
c772d054
JM		 1280 if (wpa_receive_error_report(
1281 wpa_auth, sm,
1282 !(key_info & WPA_KEY_INFO_KEY_TYPE)) > 0)
1283 return; /* STA entry was removed */
6fc6879b
JM		 1284 } else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1285 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1286 "received EAPOL-Key Request for new "
1287 "4-Way Handshake");
1288 wpa_request_new_ptk(sm);
1289#ifdef CONFIG_PEERKEY
1290 } else if (msg == SMK_M1) {
5e3b5197 1291 wpa_smk_m1(wpa_auth, sm, key, key_data,
5c6787a6 1292 key_data_length);
6fc6879b
JM		 1293#endif /* CONFIG_PEERKEY */
1294 } else if (key_data_length > 0 &&
5e3b5197
JM		 1295 wpa_parse_kde_ies(key_data, key_data_length,
1296 &kde) == 0 &&
6fc6879b
JM		 1297 kde.mac_addr) {
1298 } else {
1299 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1300 "received EAPOL-Key Request for GTK "
1301 "rekeying");
6fc6879b
JM		 1302 eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1303 wpa_rekey_gtk(wpa_auth, NULL);
1304 }
1305 } else {
68921e24
JM		 1306 /* Do not allow the same key replay counter to be reused. */
1307 wpa_replay_counter_mark_invalid(sm->key_replay,
1308 key->replay_counter);
1309
1310 if (msg == PAIRWISE_2) {
1311 /*
1312 * Maintain a copy of the pending EAPOL-Key frames in
1313 * case the EAPOL-Key frame was retransmitted. This is
1314 * needed to allow EAPOL-Key msg 2/4 reply to another
1315 * pending msg 1/4 to update the SNonce to work around
1316 * unexpected supplicant behavior.
1317 */
1318 os_memcpy(sm->prev_key_replay, sm->key_replay,
1319 sizeof(sm->key_replay));
1320 } else {
1321 os_memset(sm->prev_key_replay, 0,
1322 sizeof(sm->prev_key_replay));
1323 }
1324
1325 /*
1326 * Make sure old valid counters are not accepted anymore and
1327 * do not get copied again.
1328 */
1329 wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
6fc6879b
JM		 1330 }
1331
1332#ifdef CONFIG_PEERKEY
1333 if (msg == SMK_M3) {
5e3b5197 1334 wpa_smk_m3(wpa_auth, sm, key, key_data, key_data_length);
6fc6879b
JM		 1335 return;
1336 }
1337#endif /* CONFIG_PEERKEY */
1338
1339 os_free(sm->last_rx_eapol_key);
a1f11e34 1340 sm->last_rx_eapol_key = os_memdup(data, data_len);
6fc6879b
JM		 1341 if (sm->last_rx_eapol_key == NULL)
1342 return;
6fc6879b
JM		 1343 sm->last_rx_eapol_key_len = data_len;
1344
0d442aff 1345 sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
6fc6879b
JM		 1346 sm->EAPOLKeyReceived = TRUE;
1347 sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1348 sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1349 os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1350 wpa_sm_step(sm);
1351}
1352
1353
3c7302c2
JM		 1354static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1355 const u8 *gnonce, u8 *gtk, size_t gtk_len)
6fc6879b 1356{
5cb9d5c3
JM		 1357 u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1358 u8 *pos;
3c7302c2 1359 int ret = 0;
6fc6879b 1360
5cb9d5c3
JM		 1361 /* GTK = PRF-X(GMK, "Group key expansion",
1362 * AA || GNonce || Time || random data)
1363 * The example described in the IEEE 802.11 standard uses only AA and
1364 * GNonce as inputs here. Add some more entropy since this derivation
1365 * is done only at the Authenticator and as such, does not need to be
1366 * exactly same.
1367 */
6fc6879b
JM		 1368 os_memcpy(data, addr, ETH_ALEN);
1369 os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
5cb9d5c3
JM		 1370 pos = data + ETH_ALEN + WPA_NONCE_LEN;
1371 wpa_get_ntp_timestamp(pos);
1372 pos += 8;
3642c431 1373 if (random_get_bytes(pos, 16) < 0)
3c7302c2 1374 ret = -1;
6fc6879b 1375
56586197 1376#ifdef CONFIG_IEEE80211W
5cb9d5c3 1377 sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
56586197 1378#else /* CONFIG_IEEE80211W */
3c7302c2
JM		 1379 if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1380 < 0)
1381 ret = -1;
56586197 1382#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 1383
1384 return ret;
6fc6879b
JM		 1385}
1386
1387
1388static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1389{
1390 struct wpa_authenticator *wpa_auth = eloop_ctx;
1391 struct wpa_state_machine *sm = timeout_ctx;
1392
e4bf4db9 1393 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 1394 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1395 sm->TimeoutEvt = TRUE;
1396 wpa_sm_step(sm);
1397}
1398
1399
1400void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1401 struct wpa_state_machine *sm, int key_info,
1402 const u8 *key_rsc, const u8 *nonce,
1403 const u8 *kde, size_t kde_len,
1404 int keyidx, int encr, int force_version)
1405{
1406 struct ieee802_1x_hdr *hdr;
1407 struct wpa_eapol_key *key;
5e3b5197 1408 size_t len, mic_len, keyhdrlen;
6fc6879b
JM		 1409 int alg;
1410 int key_data_len, pad_len = 0;
1411 u8 *buf, *pos;
1412 int version, pairwise;
22a299ee 1413 int i;
6d014ffc 1414 u8 *key_mic, *key_data;
6fc6879b 1415
5e3b5197 1416 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
6d014ffc 1417 keyhdrlen = sizeof(*key) + mic_len + 2;
5e3b5197
JM		 1418
1419 len = sizeof(struct ieee802_1x_hdr) + keyhdrlen;
6fc6879b
JM		 1420
1421 if (force_version)
1422 version = force_version;
929a2ea5 1423 else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
07a5fe82 1424 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
36a50fd4
JM		 1425 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
1426 wpa_key_mgmt_fils(sm->wpa_key_mgmt))
a14896e8 1427 version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
6fc6879b
JM		 1428 else if (wpa_use_aes_cmac(sm))
1429 version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
eb7719ff 1430 else if (sm->pairwise != WPA_CIPHER_TKIP)
6fc6879b
JM		 1431 version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1432 else
1433 version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1434
8543ed8a 1435 pairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
6fc6879b
JM		 1436
1437 wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1438 "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1439 "encr=%d)",
1440 version,
1441 (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1442 (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1443 (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1444 (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1445 pairwise, (unsigned long) kde_len, keyidx, encr);
1446
1447 key_data_len = kde_len;
1448
1449 if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
07a5fe82 1450 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
a14896e8 1451 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1452 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b
JM		 1453 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1454 pad_len = key_data_len % 8;
1455 if (pad_len)
1456 pad_len = 8 - pad_len;
1457 key_data_len += pad_len + 8;
1458 }
1459
1460 len += key_data_len;
b729fd8d
JM		 1461 if (!mic_len && encr)
1462 len += AES_BLOCK_SIZE;
6fc6879b
JM		 1463
1464 hdr = os_zalloc(len);
1465 if (hdr == NULL)
1466 return;
1467 hdr->version = wpa_auth->conf.eapol_version;
1468 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1469 hdr->length = host_to_be16(len - sizeof(*hdr));
1470 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1471 key_mic = (u8 *) (key + 1);
5e3b5197 1472 key_data = ((u8 *) (hdr + 1)) + keyhdrlen;
6fc6879b
JM		 1473
1474 key->type = sm->wpa == WPA_VERSION_WPA2 ?
1475 EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1476 key_info |= version;
1477 if (encr && sm->wpa == WPA_VERSION_WPA2)
1478 key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1479 if (sm->wpa != WPA_VERSION_WPA2)
1480 key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1481 WPA_PUT_BE16(key->key_info, key_info);
1482
1483 alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
caab23f1
JM		 1484 if ((key_info & WPA_KEY_INFO_SMK_MESSAGE) ||
1485 (sm->wpa == WPA_VERSION_WPA2 && !pairwise))
6fc6879b 1486 WPA_PUT_BE16(key->key_length, 0);
caab23f1
JM		 1487 else
1488 WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
6fc6879b
JM		 1489
1490 /* FIX: STSL: what to use as key_replay_counter? */
22a299ee
JM		 1491 for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1492 sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1493 os_memcpy(sm->key_replay[i].counter,
1494 sm->key_replay[i - 1].counter,
1495 WPA_REPLAY_COUNTER_LEN);
1496 }
1497 inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1498 os_memcpy(key->replay_counter, sm->key_replay[0].counter,
6fc6879b 1499 WPA_REPLAY_COUNTER_LEN);
db099951
JM		 1500 wpa_hexdump(MSG_DEBUG, "WPA: Replay Counter",
1501 key->replay_counter, WPA_REPLAY_COUNTER_LEN);
22a299ee 1502 sm->key_replay[0].valid = TRUE;
6fc6879b
JM		 1503
1504 if (nonce)
1505 os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1506
1507 if (key_rsc)
1508 os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1509
1510 if (kde && !encr) {
5e3b5197 1511 os_memcpy(key_data, kde, kde_len);
6d014ffc 1512 WPA_PUT_BE16(key_mic + mic_len, kde_len);
b729fd8d
JM		 1513#ifdef CONFIG_FILS
1514 } else if (!mic_len) {
1515 const u8 *aad[1];
1516 size_t aad_len[1];
1517
1518 WPA_PUT_BE16(key_mic, AES_BLOCK_SIZE + kde_len);
1519 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1520 kde, kde_len);
1521
1522 wpa_hexdump_key(MSG_DEBUG, "WPA: KEK",
1523 sm->PTK.kek, sm->PTK.kek_len);
1524 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
1525 * to Key Data (exclusive). */
1526 aad[0] = (u8 *) hdr;
1527 aad_len[0] = key_mic + 2 - (u8 *) hdr;
1528 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len, kde, kde_len,
1529 1, aad, aad_len, key_mic + 2) < 0) {
1530 wpa_printf(MSG_DEBUG, "WPA: AES-SIV encryption failed");
1531 return;
1532 }
1533
1534 wpa_hexdump(MSG_DEBUG, "WPA: Encrypted Key Data from SIV",
1535 key_mic + 2, AES_BLOCK_SIZE + kde_len);
1536#endif /* CONFIG_FILS */
6fc6879b
JM		 1537 } else if (encr && kde) {
1538 buf = os_zalloc(key_data_len);
1539 if (buf == NULL) {
1540 os_free(hdr);
1541 return;
1542 }
1543 pos = buf;
1544 os_memcpy(pos, kde, kde_len);
1545 pos += kde_len;
1546
1547 if (pad_len)
1548 *pos++ = 0xdd;
1549
1550 wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1551 buf, key_data_len);
1552 if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
07a5fe82 1553 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
a14896e8 1554 sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
929a2ea5 1555 wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
6fc6879b 1556 version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
ef9627cb
JM		 1557 wpa_printf(MSG_DEBUG,
1558 "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
1559 (unsigned int) sm->PTK.kek_len);
98cd3d1c 1560 if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len,
5e3b5197 1561 (key_data_len - 8) / 8, buf, key_data)) {
6fc6879b
JM		 1562 os_free(hdr);
1563 os_free(buf);
1564 return;
1565 }
6d014ffc 1566 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1567#ifndef CONFIG_NO_RC4
98cd3d1c 1568 } else if (sm->PTK.kek_len == 16) {
6fc6879b 1569 u8 ek[32];
ef9627cb
JM		 1570
1571 wpa_printf(MSG_DEBUG,
1572 "WPA: Encrypt Key Data using RC4");
6fc6879b
JM		 1573 os_memcpy(key->key_iv,
1574 sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1575 inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1576 os_memcpy(ek, key->key_iv, 16);
98cd3d1c 1577 os_memcpy(ek + 16, sm->PTK.kek, sm->PTK.kek_len);
5e3b5197
JM		 1578 os_memcpy(key_data, buf, key_data_len);
1579 rc4_skip(ek, 32, 256, key_data, key_data_len);
6d014ffc 1580 WPA_PUT_BE16(key_mic + mic_len, key_data_len);
7cb53ded 1581#endif /* CONFIG_NO_RC4 */
98cd3d1c
JM		 1582 } else {
1583 os_free(hdr);
1584 os_free(buf);
1585 return;
6fc6879b
JM		 1586 }
1587 os_free(buf);
1588 }
1589
1590 if (key_info & WPA_KEY_INFO_MIC) {
b729fd8d 1591 if (!sm->PTK_valid || !mic_len) {
6fc6879b
JM		 1592 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1593 "PTK not valid when sending EAPOL-Key "
1594 "frame");
1595 os_free(hdr);
1596 return;
1597 }
5e3b5197 1598
98cd3d1c
JM		 1599 wpa_eapol_key_mic(sm->PTK.kck, sm->PTK.kck_len,
1600 sm->wpa_key_mgmt, version,
5e3b5197 1601 (u8 *) hdr, len, key_mic);
7af092a0
JB		 1602#ifdef CONFIG_TESTING_OPTIONS
1603 if (!pairwise &&
06df2aa6 1604 wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0 &&
7af092a0
JB		 1605 drand48() <
1606 wpa_auth->conf.corrupt_gtk_rekey_mic_probability) {
1607 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1608 "Corrupting group EAPOL-Key Key MIC");
5e3b5197 1609 key_mic[0]++;
7af092a0
JB		 1610 }
1611#endif /* CONFIG_TESTING_OPTIONS */
6fc6879b
JM		 1612 }
1613
1614 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1615 1);
1616 wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1617 sm->pairwise_set);
1618 os_free(hdr);
1619}
1620
1621
1622static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1623 struct wpa_state_machine *sm, int key_info,
1624 const u8 *key_rsc, const u8 *nonce,
1625 const u8 *kde, size_t kde_len,
1626 int keyidx, int encr)
1627{
1628 int timeout_ms;
1629 int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
41f140d3 1630 u32 ctr;
6fc6879b
JM		 1631
1632 if (sm == NULL)
1633 return;
1634
1635 __wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1636 keyidx, encr, 0);
1637
bae61562 1638 ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
e4bf4db9 1639 if (ctr == 1 && wpa_auth->conf.tx_status)
00338a4f
JM		 1640 timeout_ms = pairwise ? eapol_key_timeout_first :
1641 eapol_key_timeout_first_group;
bae61562
JM		 1642 else
1643 timeout_ms = eapol_key_timeout_subseq;
e4bf4db9
JM		 1644 if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1645 sm->pending_1_of_4_timeout = 1;
1646 wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
41f140d3 1647 "counter %u)", timeout_ms, ctr);
6fc6879b
JM		 1648 eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1649 wpa_send_eapol_timeout, wpa_auth, sm);
1650}
1651
1652
929a2ea5
JM		 1653static int wpa_verify_key_mic(int akmp, struct wpa_ptk *PTK, u8 *data,
1654 size_t data_len)
6fc6879b
JM		 1655{
1656 struct ieee802_1x_hdr *hdr;
1657 struct wpa_eapol_key *key;
1658 u16 key_info;
1659 int ret = 0;
6d014ffc 1660 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
5e3b5197 1661 size_t mic_len = wpa_mic_len(akmp);
6fc6879b
JM		 1662
1663 if (data_len < sizeof(*hdr) + sizeof(*key))
1664 return -1;
1665
1666 hdr = (struct ieee802_1x_hdr *) data;
1667 key = (struct wpa_eapol_key *) (hdr + 1);
6d014ffc 1668 mic_pos = (u8 *) (key + 1);
6fc6879b 1669 key_info = WPA_GET_BE16(key->key_info);
6d014ffc
JM		 1670 os_memcpy(mic, mic_pos, mic_len);
1671 os_memset(mic_pos, 0, mic_len);
98cd3d1c
JM		 1672 if (wpa_eapol_key_mic(PTK->kck, PTK->kck_len, akmp,
1673 key_info & WPA_KEY_INFO_TYPE_MASK,
6d014ffc
JM		 1674 data, data_len, mic_pos) ||
1675 os_memcmp_const(mic, mic_pos, mic_len) != 0)
6fc6879b 1676 ret = -1;
6d014ffc 1677 os_memcpy(mic_pos, mic, mic_len);
6fc6879b
JM		 1678 return ret;
1679}
1680
1681
1682void wpa_remove_ptk(struct wpa_state_machine *sm)
1683{
1684 sm->PTK_valid = FALSE;
1685 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
2a0b86d3
JM		 1686 if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL,
1687 0))
1688 wpa_printf(MSG_DEBUG,
1689 "RSN: PTK removal from the driver failed");
6fc6879b 1690 sm->pairwise_set = FALSE;
581a8cde 1691 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
6fc6879b
JM		 1692}
1693
1694
bb119228 1695int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
6fc6879b 1696{
5d22a1d5
JM		 1697 int remove_ptk = 1;
1698
6fc6879b 1699 if (sm == NULL)
6f9b5d16 1700 return -1;
6fc6879b
JM		 1701
1702 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1703 "event %d notification", event);
1704
1705 switch (event) {
1706 case WPA_AUTH:
c50d94f1
BC		 1707#ifdef CONFIG_MESH
1708 /* PTKs are derived through AMPE */
1709 if (wpa_auth_start_ampe(sm->wpa_auth, sm->addr)) {
1710 /* not mesh */
1711 break;
1712 }
1713 return 0;
1714#endif /* CONFIG_MESH */
6fc6879b
JM		 1715 case WPA_ASSOC:
1716 break;
1717 case WPA_DEAUTH:
1718 case WPA_DISASSOC:
1719 sm->DeauthenticationRequest = TRUE;
1720 break;
1721 case WPA_REAUTH:
1722 case WPA_REAUTH_EAPOL:
3ab72b62
JM		 1723 if (!sm->started) {
1724 /*
1725 * When using WPS, we may end up here if the STA
1726 * manages to re-associate without the previous STA
1727 * entry getting removed. Consequently, we need to make
1728 * sure that the WPA state machines gets initialized
1729 * properly at this point.
1730 */
1731 wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1732 "started - initialize now");
1733 sm->started = 1;
1734 sm->Init = TRUE;
1735 if (wpa_sm_step(sm) == 1)
1736 return 1; /* should not really happen */
1737 sm->Init = FALSE;
1738 sm->AuthenticationRequest = TRUE;
1739 break;
1740 }
9663596f
JM		 1741 if (sm->GUpdateStationKeys) {
1742 /*
1743 * Reauthentication cancels the pending group key
1744 * update for this STA.
1745 */
1746 sm->group->GKeyDoneStations--;
1747 sm->GUpdateStationKeys = FALSE;
1748 sm->PtkGroupInit = TRUE;
1749 }
6fc6879b
JM		 1750 sm->ReAuthenticationRequest = TRUE;
1751 break;
1752 case WPA_ASSOC_FT:
4ec1fd8e 1753#ifdef CONFIG_IEEE80211R_AP
81a658d7
JM		 1754 wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1755 "after association");
1756 wpa_ft_install_ptk(sm);
1757
6fc6879b
JM		 1758 /* Using FT protocol, not WPA auth state machine */
1759 sm->ft_completed = 1;
6f9b5d16 1760 return 0;
4ec1fd8e 1761#else /* CONFIG_IEEE80211R_AP */
6fc6879b 1762 break;
4ec1fd8e 1763#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1764 }
1765
4ec1fd8e 1766#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1767 sm->ft_completed = 0;
4ec1fd8e 1768#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1769
5d22a1d5
JM		 1770#ifdef CONFIG_IEEE80211W
1771 if (sm->mgmt_frame_prot && event == WPA_AUTH)
1772 remove_ptk = 0;
1773#endif /* CONFIG_IEEE80211W */
78815f3d 1774#ifdef CONFIG_FILS
da24c5aa
JM		 1775 if (wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
1776 (event == WPA_AUTH || event == WPA_ASSOC))
78815f3d
JM		 1777 remove_ptk = 0;
1778#endif /* CONFIG_FILS */
6fc6879b 1779
5d22a1d5
JM		 1780 if (remove_ptk) {
1781 sm->PTK_valid = FALSE;
1782 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1783
1784 if (event != WPA_REAUTH_EAPOL)
1785 wpa_remove_ptk(sm);
1786 }
6fc6879b 1787
43f49c37
JM		 1788 if (sm->in_step_loop) {
1789 /*
1790 * wpa_sm_step() is already running - avoid recursive call to
1791 * it by making the existing loop process the new update.
1792 */
1793 sm->changed = TRUE;
1794 return 0;
1795 }
6f9b5d16 1796 return wpa_sm_step(sm);
6fc6879b
JM		 1797}
1798
1799
6fc6879b
JM		 1800SM_STATE(WPA_PTK, INITIALIZE)
1801{
1802 SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1803 if (sm->Init) {
1804 /* Init flag is not cleared here, so avoid busy
1805 * loop by claiming nothing changed. */
1806 sm->changed = FALSE;
1807 }
1808
1809 sm->keycount = 0;
1810 if (sm->GUpdateStationKeys)
1811 sm->group->GKeyDoneStations--;
1812 sm->GUpdateStationKeys = FALSE;
1813 if (sm->wpa == WPA_VERSION_WPA)
1814 sm->PInitAKeys = FALSE;
1815 if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1816 * Local AA > Remote AA)) */) {
1817 sm->Pair = TRUE;
1818 }
1819 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1820 wpa_remove_ptk(sm);
1821 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1822 sm->TimeoutCtr = 0;
a1ea1b45
JM		 1823 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
1824 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 1825 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1826 WPA_EAPOL_authorized, 0);
1827 }
1828}
1829
1830
1831SM_STATE(WPA_PTK, DISCONNECT)
1832{
1833 SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1834 sm->Disconnect = FALSE;
1835 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1836}
1837
1838
1839SM_STATE(WPA_PTK, DISCONNECTED)
1840{
1841 SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1842 sm->DeauthenticationRequest = FALSE;
1843}
1844
1845
1846SM_STATE(WPA_PTK, AUTHENTICATION)
1847{
1848 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1849 os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1850 sm->PTK_valid = FALSE;
1851 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1852 1);
1853 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1854 sm->AuthenticationRequest = FALSE;
1855}
1856
1857
40d00d2b
NC		 1858static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1859 struct wpa_group *group)
1bdb7ab3 1860{
40d00d2b
NC		 1861 if (group->first_sta_seen)
1862 return;
1bdb7ab3
JM		 1863 /*
1864 * System has run bit further than at the time hostapd was started
1865 * potentially very early during boot up. This provides better chances
1866 * of collecting more randomness on embedded systems. Re-initialize the
1867 * GMK and Counter here to improve their strength if there was not
1868 * enough entropy available immediately after system startup.
1869 */
1870 wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1871 "station");
08704cd8
JM		 1872 if (random_pool_ready() != 1) {
1873 wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1874 "to proceed - reject first 4-way handshake");
1875 group->reject_4way_hs_for_entropy = TRUE;
40d00d2b
NC		 1876 } else {
1877 group->first_sta_seen = TRUE;
1878 group->reject_4way_hs_for_entropy = FALSE;
08704cd8 1879 }
40d00d2b 1880
aac1efec
JM		 1881 if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0 ||
1882 wpa_gtk_update(wpa_auth, group) < 0 ||
1883 wpa_group_config_group_keys(wpa_auth, group) < 0) {
1884 wpa_printf(MSG_INFO, "WPA: GMK/GTK setup failed");
1885 group->first_sta_seen = FALSE;
1886 group->reject_4way_hs_for_entropy = TRUE;
1887 }
1bdb7ab3
JM		 1888}
1889
1890
6fc6879b
JM		 1891SM_STATE(WPA_PTK, AUTHENTICATION2)
1892{
1893 SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1bdb7ab3 1894
40d00d2b 1895 wpa_group_ensure_init(sm->wpa_auth, sm->group);
65a32cdb 1896 sm->ReAuthenticationRequest = FALSE;
1bdb7ab3 1897
3825a19b
JM		 1898 /*
1899 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1900 * ambiguous. The Authenticator state machine uses a counter that is
1901 * incremented by one for each 4-way handshake. However, the security
1902 * analysis of 4-way handshake points out that unpredictable nonces
1903 * help in preventing precomputation attacks. Instead of the state
1904 * machine definition, use an unpredictable nonce value here to provide
1905 * stronger protection against potential precomputation attacks.
1906 */
1907 if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1908 wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1909 "ANonce.");
65a32cdb 1910 sm->Disconnect = TRUE;
3825a19b
JM		 1911 return;
1912 }
bc8318ac
JM		 1913 wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1914 WPA_NONCE_LEN);
6fc6879b
JM		 1915 /* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1916 * logical place than INITIALIZE since AUTHENTICATION2 can be
1917 * re-entered on ReAuthenticationRequest without going through
1918 * INITIALIZE. */
1919 sm->TimeoutCtr = 0;
1920}
1921
1922
1923SM_STATE(WPA_PTK, INITPMK)
1924{
1925 u8 msk[2 * PMK_LEN];
1926 size_t len = 2 * PMK_LEN;
1927
1928 SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
4ec1fd8e 1929#ifdef CONFIG_IEEE80211R_AP
6fc6879b 1930 sm->xxkey_len = 0;
4ec1fd8e 1931#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1932 if (sm->pmksa) {
1933 wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
207976f0
JM		 1934 os_memcpy(sm->PMK, sm->pmksa->pmk, sm->pmksa->pmk_len);
1935 sm->pmk_len = sm->pmksa->pmk_len;
6fc6879b 1936 } else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
207976f0
JM		 1937 unsigned int pmk_len;
1938
834c5d68 1939 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt))
207976f0
JM		 1940 pmk_len = PMK_LEN_SUITE_B_192;
1941 else
1942 pmk_len = PMK_LEN;
6fc6879b 1943 wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
207976f0
JM		 1944 "(MSK len=%lu PMK len=%u)", (unsigned long) len,
1945 pmk_len);
1946 if (len < pmk_len) {
1947 wpa_printf(MSG_DEBUG,
1948 "WPA: MSK not long enough (%u) to create PMK (%u)",
1949 (unsigned int) len, (unsigned int) pmk_len);
1950 sm->Disconnect = TRUE;
1951 return;
1952 }
1953 os_memcpy(sm->PMK, msk, pmk_len);
1954 sm->pmk_len = pmk_len;
4ec1fd8e 1955#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 1956 if (len >= 2 * PMK_LEN) {
1957 os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1958 sm->xxkey_len = PMK_LEN;
1959 }
4ec1fd8e 1960#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 1961 } else {
400de9b1 1962 wpa_printf(MSG_DEBUG, "WPA: Could not get PMK, get_msk: %p",
cef8fac0 1963 sm->wpa_auth->cb->get_msk);
1180dd66
JM		 1964 sm->Disconnect = TRUE;
1965 return;
6fc6879b 1966 }
40aaa64f 1967 os_memset(msk, 0, sizeof(msk));
6fc6879b
JM		 1968
1969 sm->req_replay_counter_used = 0;
1970 /* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1971 * will break reauthentication since EAPOL state machines may not be
1972 * get into AUTHENTICATING state that clears keyRun before WPA state
1973 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1974 * state and takes PMK from the previously used AAA Key. This will
1975 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1976 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1977 * be good workaround for this issue. */
1978 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1979}
1980
1981
1982SM_STATE(WPA_PTK, INITPSK)
1983{
1984 const u8 *psk;
1985 SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
759fd76b 1986 psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL);
6fc6879b
JM		 1987 if (psk) {
1988 os_memcpy(sm->PMK, psk, PMK_LEN);
207976f0 1989 sm->pmk_len = PMK_LEN;
4ec1fd8e 1990#ifdef CONFIG_IEEE80211R_AP
6fc6879b
JM		 1991 os_memcpy(sm->xxkey, psk, PMK_LEN);
1992 sm->xxkey_len = PMK_LEN;
4ec1fd8e 1993#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 1994 }
1995 sm->req_replay_counter_used = 0;
1996}
1997
1998
1999SM_STATE(WPA_PTK, PTKSTART)
2000{
2001 u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
2002 size_t pmkid_len = 0;
2003
2004 SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
2005 sm->PTKRequest = FALSE;
2006 sm->TimeoutEvt = FALSE;
f23c5b17 2007 sm->alt_snonce_valid = FALSE;
bae61562
JM		 2008
2009 sm->TimeoutCtr++;
41f140d3 2010 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2011 /* No point in sending the EAPOL-Key - we will disconnect
2012 * immediately following this. */
2013 return;
2014 }
2015
6fc6879b
JM		 2016 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2017 "sending 1/4 msg of 4-Way Handshake");
2018 /*
2019 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
2020 * one possible PSK for this STA.
2021 */
2022 if (sm->wpa == WPA_VERSION_WPA2 &&
a14896e8
JM		 2023 wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2024 sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN) {
6fc6879b
JM		 2025 pmkid = buf;
2026 pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
2027 pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
2028 pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
2029 RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
929a2ea5 2030 if (sm->pmksa) {
6fc6879b
JM		 2031 os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
2032 sm->pmksa->pmkid, PMKID_LEN);
929a2ea5
JM		 2033 } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
2034 /* No KCK available to derive PMKID */
2035 pmkid = NULL;
2036 } else {
6fc6879b
JM		 2037 /*
2038 * Calculate PMKID since no PMKSA cache entry was
2039 * available with pre-calculated PMKID.
2040 */
207976f0 2041 rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
56586197
JM		 2042 sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
2043 wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
6fc6879b
JM		 2044 }
2045 }
2046 wpa_send_eapol(sm->wpa_auth, sm,
2047 WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
2048 sm->ANonce, pmkid, pmkid_len, 0, 0);
6fc6879b
JM		 2049}
2050
2051
f23c5b17 2052static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
207976f0
JM		 2053 const u8 *pmk, unsigned int pmk_len,
2054 struct wpa_ptk *ptk)
6fc6879b 2055{
4ec1fd8e 2056#ifdef CONFIG_IEEE80211R_AP
56586197 2057 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
98cd3d1c 2058 return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
4ec1fd8e 2059#endif /* CONFIG_IEEE80211R_AP */
6fc6879b 2060
207976f0 2061 return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
98cd3d1c
JM		 2062 sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
2063 ptk, sm->wpa_key_mgmt, sm->pairwise);
6fc6879b
JM		 2064}
2065
2066
3b5b7aa8 2067#ifdef CONFIG_FILS
c4fd6d8a
JM		 2068
2069int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
2070 size_t pmk_len, const u8 *snonce, const u8 *anonce)
2071{
2072 u8 ick[FILS_ICK_MAX_LEN];
2073 size_t ick_len;
2074 int res;
2075
2076 res = fils_pmk_to_ptk(pmk, pmk_len, sm->addr, sm->wpa_auth->addr,
2077 snonce, anonce, &sm->PTK, ick, &ick_len,
2078 sm->wpa_key_mgmt, sm->pairwise);
2079 if (res < 0)
2080 return res;
2081 sm->PTK_valid = TRUE;
2082
2083 res = fils_key_auth_sk(ick, ick_len, snonce, anonce,
2084 sm->addr, sm->wpa_auth->addr,
2085 NULL, 0, NULL, 0, /* TODO: SK+PFS */
2086 sm->wpa_key_mgmt, sm->fils_key_auth_sta,
2087 sm->fils_key_auth_ap,
2088 &sm->fils_key_auth_len);
2089 os_memset(ick, 0, sizeof(ick));
78815f3d
JM		 2090
2091 /* Store nonces for (Re)Association Request/Response frame processing */
2092 os_memcpy(sm->SNonce, snonce, FILS_NONCE_LEN);
2093 os_memcpy(sm->ANonce, anonce, FILS_NONCE_LEN);
2094
c4fd6d8a
JM		 2095 return res;
2096}
2097
2098
3b5b7aa8 2099static int wpa_aead_decrypt(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
75c8563e 2100 u8 *buf, size_t buf_len, u16 *_key_data_len)
3b5b7aa8
JM		 2101{
2102 struct ieee802_1x_hdr *hdr;
2103 struct wpa_eapol_key *key;
2104 u8 *pos;
2105 u16 key_data_len;
2106 u8 *tmp;
2107 const u8 *aad[1];
2108 size_t aad_len[1];
2109
75c8563e 2110 hdr = (struct ieee802_1x_hdr *) buf;
3b5b7aa8
JM		 2111 key = (struct wpa_eapol_key *) (hdr + 1);
2112 pos = (u8 *) (key + 1);
2113 key_data_len = WPA_GET_BE16(pos);
2114 if (key_data_len < AES_BLOCK_SIZE ||
2115 key_data_len > buf_len - sizeof(*hdr) - sizeof(*key) - 2) {
2116 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2117 "No room for AES-SIV data in the frame");
2118 return -1;
2119 }
2120 pos += 2; /* Pointing at the Encrypted Key Data field */
2121
2122 tmp = os_malloc(key_data_len);
2123 if (!tmp)
2124 return -1;
2125
2126 /* AES-SIV AAD from EAPOL protocol version field (inclusive) to
2127 * to Key Data (exclusive). */
75c8563e
JM		 2128 aad[0] = buf;
2129 aad_len[0] = pos - buf;
3b5b7aa8
JM		 2130 if (aes_siv_decrypt(ptk->kek, ptk->kek_len, pos, key_data_len,
2131 1, aad, aad_len, tmp) < 0) {
2132 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2133 "Invalid AES-SIV data in the frame");
2134 bin_clear_free(tmp, key_data_len);
2135 return -1;
2136 }
2137
2138 /* AEAD decryption and validation completed successfully */
2139 key_data_len -= AES_BLOCK_SIZE;
2140 wpa_hexdump_key(MSG_DEBUG, "WPA: Decrypted Key Data",
2141 tmp, key_data_len);
2142
2143 /* Replace Key Data field with the decrypted version */
2144 os_memcpy(pos, tmp, key_data_len);
2145 pos -= 2; /* Key Data Length field */
2146 WPA_PUT_BE16(pos, key_data_len);
2147 bin_clear_free(tmp, key_data_len);
2148 if (_key_data_len)
2149 *_key_data_len = key_data_len;
2150 return 0;
2151}
78815f3d
JM		 2152
2153
2154int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
2155 const struct ieee80211_mgmt *mgmt, size_t frame_len,
2156 u8 *pos, size_t left)
2157{
2158 u16 fc, stype;
2159 const u8 *end, *ie_start, *ie, *session, *crypt;
2160 struct ieee802_11_elems elems;
2161 const u8 *aad[5];
2162 size_t aad_len[5];
2163
2164 if (!sm || !sm->PTK_valid) {
2165 wpa_printf(MSG_DEBUG,
2166 "FILS: No KEK to decrypt Assocication Request frame");
2167 return -1;
2168 }
2169
2170 if (!wpa_key_mgmt_fils(sm->wpa_key_mgmt)) {
2171 wpa_printf(MSG_DEBUG,
2172 "FILS: Not a FILS AKM - reject association");
2173 return -1;
2174 }
2175
2176 end = ((const u8 *) mgmt) + frame_len;
2177 fc = le_to_host16(mgmt->frame_control);
2178 stype = WLAN_FC_GET_STYPE(fc);
2179 if (stype == WLAN_FC_STYPE_REASSOC_REQ)
2180 ie_start = mgmt->u.reassoc_req.variable;
2181 else
2182 ie_start = mgmt->u.assoc_req.variable;
2183 ie = ie_start;
2184
2185 /*
2186 * Find FILS Session element which is the last unencrypted element in
2187 * the frame.
2188 */
2189 session = NULL;
2190 while (ie + 1 < end) {
2191 if (ie + 2 + ie[1] > end)
2192 break;
2193 if (ie[0] == WLAN_EID_EXTENSION &&
2194 ie[1] >= 1 + FILS_SESSION_LEN &&
2195 ie[2] == WLAN_EID_EXT_FILS_SESSION) {
2196 session = ie;
2197 break;
2198 }
2199 ie += 2 + ie[1];
2200 }
2201
2202 if (!session) {
2203 wpa_printf(MSG_DEBUG,
2204 "FILS: Could not find FILS Session element in Association Request frame - reject");
2205 return -1;
2206 }
2207 if (os_memcmp(fils_session, session + 3, FILS_SESSION_LEN) != 0) {
2208 wpa_printf(MSG_DEBUG, "FILS: Session mismatch");
2209 wpa_hexdump(MSG_DEBUG, "FILS: Expected FILS Session",
2210 fils_session, FILS_SESSION_LEN);
2211 wpa_hexdump(MSG_DEBUG, "FILS: Received FILS Session",
2212 session + 3, FILS_SESSION_LEN);
2213 return -1;
2214 }
2215 crypt = session + 2 + session[1];
2216
2217 if (end - crypt < AES_BLOCK_SIZE) {
2218 wpa_printf(MSG_DEBUG,
2219 "FILS: Too short frame to include AES-SIV data");
2220 return -1;
2221 }
2222
2223 /* AES-SIV AAD vectors */
2224
2225 /* The STA's MAC address */
2226 aad[0] = mgmt->sa;
2227 aad_len[0] = ETH_ALEN;
2228 /* The AP's BSSID */
2229 aad[1] = mgmt->da;
2230 aad_len[1] = ETH_ALEN;
2231 /* The STA's nonce */
2232 aad[2] = sm->SNonce;
2233 aad_len[2] = FILS_NONCE_LEN;
2234 /* The AP's nonce */
2235 aad[3] = sm->ANonce;
2236 aad_len[3] = FILS_NONCE_LEN;
2237 /*
2238 * The (Re)Association Request frame from the Capability Information
2239 * field to the FILS Session element (both inclusive).
2240 */
2241 aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
d77f3304 2242 aad_len[4] = crypt - aad[4];
78815f3d
JM		 2243
2244 if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
d77f3304 2245 5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
78815f3d
JM		 2246 wpa_printf(MSG_DEBUG,
2247 "FILS: Invalid AES-SIV data in the frame");
2248 return -1;
2249 }
2250 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
2251 pos, left - AES_BLOCK_SIZE);
2252
2253 if (ieee802_11_parse_elems(pos, left - AES_BLOCK_SIZE, &elems, 1) ==
2254 ParseFailed) {
2255 wpa_printf(MSG_DEBUG,
2256 "FILS: Failed to parse decrypted elements");
2257 return -1;
2258 }
2259 if (!elems.fils_key_confirm) {
2260 wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
2261 return -1;
2262 }
2263 if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
2264 wpa_printf(MSG_DEBUG,
2265 "FILS: Unexpected Key-Auth length %d (expected %d)",
2266 elems.fils_key_confirm_len,
2267 (int) sm->fils_key_auth_len);
2268 return -1;
2269 }
2270 if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
2271 sm->fils_key_auth_len) != 0) {
2272 wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
2273 wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
2274 elems.fils_key_confirm,
2275 elems.fils_key_confirm_len);
2276 wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
2277 sm->fils_key_auth_sta, sm->fils_key_auth_len);
2278 return -1;
2279 }
2280
2281 return left - AES_BLOCK_SIZE;
2282}
2283
e73ffa09
JM		 2284
2285int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
91d91abf
JM		 2286 size_t current_len, size_t max_len,
2287 const struct wpabuf *hlp)
e73ffa09
JM		 2288{
2289 u8 *end = buf + max_len;
2290 u8 *pos = buf + current_len;
2291 struct ieee80211_mgmt *mgmt;
2292 struct wpabuf *plain;
2293 u8 *len, *tmp, *tmp2;
2294 u8 hdr[2];
2295 u8 *gtk, dummy_gtk[32];
2296 size_t gtk_len;
2297 struct wpa_group *gsm;
2298 const u8 *aad[5];
2299 size_t aad_len[5];
2300
2301 if (!sm || !sm->PTK_valid)
2302 return -1;
2303
2304 wpa_hexdump(MSG_DEBUG,
2305 "FILS: Association Response frame before FILS processing",
2306 buf, current_len);
2307
2308 mgmt = (struct ieee80211_mgmt *) buf;
2309
2310 /* AES-SIV AAD vectors */
2311
2312 /* The AP's BSSID */
2313 aad[0] = mgmt->sa;
2314 aad_len[0] = ETH_ALEN;
2315 /* The STA's MAC address */
2316 aad[1] = mgmt->da;
2317 aad_len[1] = ETH_ALEN;
2318 /* The AP's nonce */
2319 aad[2] = sm->ANonce;
2320 aad_len[2] = FILS_NONCE_LEN;
2321 /* The STA's nonce */
2322 aad[3] = sm->SNonce;
2323 aad_len[3] = FILS_NONCE_LEN;
2324 /*
2325 * The (Re)Association Response frame from the Capability Information
2326 * field (the same offset in both Association and Reassociation
2327 * Response frames) to the FILS Session element (both inclusive).
2328 */
2329 aad[4] = (const u8 *) &mgmt->u.assoc_resp.capab_info;
2330 aad_len[4] = pos - aad[4];
2331
2332 /* The following elements will be encrypted with AES-SIV */
2333
2334 plain = wpabuf_alloc(1000);
2335 if (!plain)
2336 return -1;
2337
2338 /* TODO: FILS Public Key */
2339
2340 /* FILS Key Confirmation */
2341 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2342 wpabuf_put_u8(plain, 1 + sm->fils_key_auth_len); /* Length */
2343 /* Element ID Extension */
2344 wpabuf_put_u8(plain, WLAN_EID_EXT_FILS_KEY_CONFIRM);
2345 wpabuf_put_data(plain, sm->fils_key_auth_ap, sm->fils_key_auth_len);
2346
91d91abf
JM		 2347 /* FILS HLP Container */
2348 if (hlp)
2349 wpabuf_put_buf(plain, hlp);
e73ffa09
JM		 2350
2351 /* TODO: FILS IP Address Assignment */
2352
2353 /* Key Delivery */
2354 gsm = sm->group;
2355 wpabuf_put_u8(plain, WLAN_EID_EXTENSION); /* Element ID */
2356 len = wpabuf_put(plain, 1);
2357 wpabuf_put_u8(plain, WLAN_EID_EXT_KEY_DELIVERY);
2358 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN,
2359 wpabuf_put(plain, WPA_KEY_RSC_LEN));
2360 /* GTK KDE */
2361 gtk = gsm->GTK[gsm->GN - 1];
2362 gtk_len = gsm->GTK_len;
2363 if (sm->wpa_auth->conf.disable_gtk) {
2364 /*
2365 * Provide unique random GTK to each STA to prevent use
2366 * of GTK in the BSS.
2367 */
2368 if (random_get_bytes(dummy_gtk, gtk_len) < 0) {
2369 wpabuf_free(plain);
2370 return -1;
2371 }
2372 gtk = dummy_gtk;
2373 }
2374 hdr[0] = gsm->GN & 0x03;
2375 hdr[1] = 0;
2376 tmp = wpabuf_put(plain, 0);
2377 tmp2 = wpa_add_kde(tmp, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2378 gtk, gtk_len);
2379 wpabuf_put(plain, tmp2 - tmp);
2380
2381 /* IGTK KDE */
2382 tmp = wpabuf_put(plain, 0);
2383 tmp2 = ieee80211w_kde_add(sm, tmp);
2384 wpabuf_put(plain, tmp2 - tmp);
2385
2386 *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
2387
2388 if (pos + wpabuf_len(plain) + AES_BLOCK_SIZE > end) {
2389 wpa_printf(MSG_DEBUG,
2390 "FILS: Not enough room for FILS elements");
2391 wpabuf_free(plain);
2392 return -1;
2393 }
2394
2395 wpa_hexdump_buf_key(MSG_DEBUG, "FILS: Association Response plaintext",
2396 plain);
2397
2398 if (aes_siv_encrypt(sm->PTK.kek, sm->PTK.kek_len,
2399 wpabuf_head(plain), wpabuf_len(plain),
2400 5, aad, aad_len, pos) < 0) {
2401 wpabuf_free(plain);
2402 return -1;
2403 }
2404
2405 wpa_hexdump(MSG_DEBUG,
2406 "FILS: Encrypted Association Response elements",
2407 pos, AES_BLOCK_SIZE + wpabuf_len(plain));
2408 current_len += wpabuf_len(plain) + AES_BLOCK_SIZE;
2409 wpabuf_free(plain);
2410
07e0117d
JM		 2411 sm->fils_completed = 1;
2412
e73ffa09
JM		 2413 return current_len;
2414}
2415
da24c5aa
JM		 2416
2417int fils_set_tk(struct wpa_state_machine *sm)
2418{
2419 enum wpa_alg alg;
2420 int klen;
2421
2422 if (!sm || !sm->PTK_valid)
2423 return -1;
2424
2425 alg = wpa_cipher_to_alg(sm->pairwise);
2426 klen = wpa_cipher_key_len(sm->pairwise);
2427
2428 wpa_printf(MSG_DEBUG, "FILS: Configure TK to the driver");
2429 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2430 sm->PTK.tk, klen)) {
2431 wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver");
2432 return -1;
2433 }
2434
2435 return 0;
2436}
2437
3b5b7aa8
JM		 2438#endif /* CONFIG_FILS */
2439
2440
6fc6879b
JM		 2441SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
2442{
3b5b7aa8 2443 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
6fc6879b 2444 struct wpa_ptk PTK;
2c502460 2445 int ok = 0, psk_found = 0;
6fc6879b 2446 const u8 *pmk = NULL;
207976f0 2447 unsigned int pmk_len;
3b5b7aa8
JM		 2448 int ft;
2449 const u8 *eapol_key_ie, *key_data, *mic;
2450 u16 key_data_length;
2451 size_t mic_len, eapol_key_ie_len;
2452 struct ieee802_1x_hdr *hdr;
2453 struct wpa_eapol_key *key;
2454 struct wpa_eapol_ie_parse kde;
6fc6879b
JM		 2455
2456 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
2457 sm->EAPOLKeyReceived = FALSE;
68921e24 2458 sm->update_snonce = FALSE;
b729fd8d 2459 os_memset(&PTK, 0, sizeof(PTK));
6fc6879b 2460
3b5b7aa8
JM		 2461 mic_len = wpa_mic_len(sm->wpa_key_mgmt);
2462
6fc6879b
JM		 2463 /* WPA with IEEE 802.1X: use the derived PMK from EAP
2464 * WPA-PSK: iterate through possible PSKs and select the one matching
2465 * the packet */
2466 for (;;) {
56586197 2467 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
759fd76b
JM		 2468 pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
2469 sm->p2p_dev_addr, pmk);
6fc6879b
JM		 2470 if (pmk == NULL)
2471 break;
2c502460 2472 psk_found = 1;
207976f0
JM		 2473 pmk_len = PMK_LEN;
2474 } else {
6fc6879b 2475 pmk = sm->PMK;
207976f0
JM		 2476 pmk_len = sm->pmk_len;
2477 }
6fc6879b 2478
364c064a
JM		 2479 if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK) < 0)
2480 break;
6fc6879b 2481
3b5b7aa8
JM		 2482 if (mic_len &&
2483 wpa_verify_key_mic(sm->wpa_key_mgmt, &PTK,
929a2ea5 2484 sm->last_rx_eapol_key,
6fc6879b
JM		 2485 sm->last_rx_eapol_key_len) == 0) {
2486 ok = 1;
2487 break;
2488 }
2489
3b5b7aa8 2490#ifdef CONFIG_FILS
75c8563e
JM		 2491 if (!mic_len &&
2492 wpa_aead_decrypt(sm, &PTK, sm->last_rx_eapol_key,
2493 sm->last_rx_eapol_key_len, NULL) == 0) {
3b5b7aa8
JM		 2494 ok = 1;
2495 break;
2496 }
2497#endif /* CONFIG_FILS */
2498
56586197 2499 if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
6fc6879b
JM		 2500 break;
2501 }
2502
2503 if (!ok) {
2504 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2505 "invalid MIC in msg 2/4 of 4-Way Handshake");
2c502460
JM		 2506 if (psk_found)
2507 wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
6fc6879b
JM		 2508 return;
2509 }
2510
3b5b7aa8
JM		 2511 /*
2512 * Note: last_rx_eapol_key length fields have already been validated in
2513 * wpa_receive().
2514 */
2515 hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
2516 key = (struct wpa_eapol_key *) (hdr + 1);
2517 mic = (u8 *) (key + 1);
2518 key_data = mic + mic_len + 2;
2519 key_data_length = WPA_GET_BE16(mic + mic_len);
2520 if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
2521 sizeof(*key) - mic_len - 2)
2522 return;
2523
2524 if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
2525 wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
2526 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
2527 return;
2528 }
2529 if (kde.rsn_ie) {
2530 eapol_key_ie = kde.rsn_ie;
2531 eapol_key_ie_len = kde.rsn_ie_len;
2532 } else if (kde.osen) {
2533 eapol_key_ie = kde.osen;
2534 eapol_key_ie_len = kde.osen_len;
2535 } else {
2536 eapol_key_ie = kde.wpa_ie;
2537 eapol_key_ie_len = kde.wpa_ie_len;
2538 }
2539 ft = sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt);
2540 if (sm->wpa_ie == NULL ||
2541 wpa_compare_rsn_ie(ft, sm->wpa_ie, sm->wpa_ie_len,
2542 eapol_key_ie, eapol_key_ie_len)) {
2543 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
2544 "WPA IE from (Re)AssocReq did not match with msg 2/4");
2545 if (sm->wpa_ie) {
2546 wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
2547 sm->wpa_ie, sm->wpa_ie_len);
2548 }
2549 wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
2550 eapol_key_ie, eapol_key_ie_len);
2551 /* MLME-DEAUTHENTICATE.request */
2552 wpa_sta_disconnect(wpa_auth, sm->addr);
2553 return;
2554 }
4ec1fd8e 2555#ifdef CONFIG_IEEE80211R_AP
3b5b7aa8
JM		 2556 if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
2557 wpa_sta_disconnect(wpa_auth, sm->addr);
2558 return;
2559 }
4ec1fd8e 2560#endif /* CONFIG_IEEE80211R_AP */
3b5b7aa8
JM		 2561#ifdef CONFIG_P2P
2562 if (kde.ip_addr_req && kde.ip_addr_req[0] &&
2563 wpa_auth->ip_pool && WPA_GET_BE32(sm->ip_addr) == 0) {
2564 int idx;
2565 wpa_printf(MSG_DEBUG,
2566 "P2P: IP address requested in EAPOL-Key exchange");
2567 idx = bitfield_get_first_zero(wpa_auth->ip_pool);
2568 if (idx >= 0) {
2569 u32 start = WPA_GET_BE32(wpa_auth->conf.ip_addr_start);
2570 bitfield_set(wpa_auth->ip_pool, idx);
2571 WPA_PUT_BE32(sm->ip_addr, start + idx);
2572 wpa_printf(MSG_DEBUG,
2573 "P2P: Assigned IP address %u.%u.%u.%u to "
2574 MACSTR, sm->ip_addr[0], sm->ip_addr[1],
2575 sm->ip_addr[2], sm->ip_addr[3],
2576 MAC2STR(sm->addr));
2577 }
2578 }
2579#endif /* CONFIG_P2P */
2580
4ec1fd8e 2581#ifdef CONFIG_IEEE80211R_AP
26e23750
JM		 2582 if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2583 /*
2584 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
2585 * with the value we derived.
2586 */
870834a1
JM		 2587 if (os_memcmp_const(sm->sup_pmk_r1_name, sm->pmk_r1_name,
2588 WPA_PMK_NAME_LEN) != 0) {
26e23750
JM		 2589 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2590 "PMKR1Name mismatch in FT 4-way "
2591 "handshake");
2592 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
2593 "Supplicant",
2594 sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
2595 wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
2596 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
2597 return;
2598 }
2599 }
4ec1fd8e 2600#endif /* CONFIG_IEEE80211R_AP */
26e23750 2601
e4bf4db9 2602 sm->pending_1_of_4_timeout = 0;
6fc6879b
JM		 2603 eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
2604
56586197 2605 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
6fc6879b
JM		 2606 /* PSK may have changed from the previous choice, so update
2607 * state machine data based on whatever PSK was selected here.
2608 */
2609 os_memcpy(sm->PMK, pmk, PMK_LEN);
207976f0 2610 sm->pmk_len = PMK_LEN;
6fc6879b
JM		 2611 }
2612
2613 sm->MICVerified = TRUE;
2614
2615 os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
2616 sm->PTK_valid = TRUE;
2617}
2618
2619
2620SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
2621{
2622 SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
2623 sm->TimeoutCtr = 0;
2624}
2625
2626
2627#ifdef CONFIG_IEEE80211W
2628
2629static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2630{
2631 if (sm->mgmt_frame_prot) {
8dd9f9cd
JM		 2632 size_t len;
2633 len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
2634 return 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN + len;
6fc6879b
JM		 2635 }
2636
2637 return 0;
2638}
2639
2640
2641static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2642{
2643 struct wpa_igtk_kde igtk;
2644 struct wpa_group *gsm = sm->group;
03610ad2 2645 u8 rsc[WPA_KEY_RSC_LEN];
8dd9f9cd 2646 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
6fc6879b
JM		 2647
2648 if (!sm->mgmt_frame_prot)
2649 return pos;
2650
2651 igtk.keyid[0] = gsm->GN_igtk;
2652 igtk.keyid[1] = 0;
7b1080da 2653 if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
03610ad2 2654 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, rsc) < 0)
6fc6879b 2655 os_memset(igtk.pn, 0, sizeof(igtk.pn));
03610ad2
JM		 2656 else
2657 os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
8dd9f9cd 2658 os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
83421850
JM		 2659 if (sm->wpa_auth->conf.disable_gtk) {
2660 /*
2661 * Provide unique random IGTK to each STA to prevent use of
2662 * IGTK in the BSS.
2663 */
8dd9f9cd 2664 if (random_get_bytes(igtk.igtk, len) < 0)
83421850
JM		 2665 return pos;
2666 }
6fc6879b 2667 pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
8dd9f9cd
JM		 2668 (const u8 *) &igtk, WPA_IGTK_KDE_PREFIX_LEN + len,
2669 NULL, 0);
6fc6879b
JM		 2670
2671 return pos;
2672}
2673
2674#else /* CONFIG_IEEE80211W */
2675
2676static int ieee80211w_kde_len(struct wpa_state_machine *sm)
2677{
2678 return 0;
2679}
2680
2681
2682static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
2683{
2684 return pos;
2685}
2686
2687#endif /* CONFIG_IEEE80211W */
2688
2689
2690SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
2691{
83421850 2692 u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
6fc6879b
JM		 2693 size_t gtk_len, kde_len;
2694 struct wpa_group *gsm = sm->group;
2695 u8 *wpa_ie;
2696 int wpa_ie_len, secure, keyidx, encr = 0;
2697
2698 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
2699 sm->TimeoutEvt = FALSE;
bae61562
JM		 2700
2701 sm->TimeoutCtr++;
41f140d3 2702 if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
bae61562
JM		 2703 /* No point in sending the EAPOL-Key - we will disconnect
2704 * immediately following this. */
2705 return;
2706 }
2707
86dfabb8
JM		 2708 /* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
2709 GTK[GN], IGTK, [FTIE], [TIE * 2])
6fc6879b
JM		 2710 */
2711 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2712 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
86dfabb8 2713 /* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
6fc6879b
JM		 2714 wpa_ie = sm->wpa_auth->wpa_ie;
2715 wpa_ie_len = sm->wpa_auth->wpa_ie_len;
2716 if (sm->wpa == WPA_VERSION_WPA &&
2717 (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
2718 wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
774d4145 2719 /* WPA-only STA, remove RSN IE and possible MDIE */
6fc6879b 2720 wpa_ie = wpa_ie + wpa_ie[1] + 2;
774d4145
JM		 2721 if (wpa_ie[0] == WLAN_EID_MOBILITY_DOMAIN)
2722 wpa_ie = wpa_ie + wpa_ie[1] + 2;
6fc6879b
JM		 2723 wpa_ie_len = wpa_ie[1] + 2;
2724 }
2725 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2726 "sending 3/4 msg of 4-Way Handshake");
2727 if (sm->wpa == WPA_VERSION_WPA2) {
2728 /* WPA2 send GTK in the 4-way handshake */
2729 secure = 1;
2730 gtk = gsm->GTK[gsm->GN - 1];
2731 gtk_len = gsm->GTK_len;
83421850
JM		 2732 if (sm->wpa_auth->conf.disable_gtk) {
2733 /*
2734 * Provide unique random GTK to each STA to prevent use
2735 * of GTK in the BSS.
2736 */
2737 if (random_get_bytes(dummy_gtk, gtk_len) < 0)
2738 return;
2739 gtk = dummy_gtk;
2740 }
6fc6879b
JM		 2741 keyidx = gsm->GN;
2742 _rsc = rsc;
2743 encr = 1;
2744 } else {
2745 /* WPA does not include GTK in msg 3/4 */
2746 secure = 0;
2747 gtk = NULL;
2748 gtk_len = 0;
2749 keyidx = 0;
2750 _rsc = NULL;
0d442aff
JM		 2751 if (sm->rx_eapol_key_secure) {
2752 /*
2753 * It looks like Windows 7 supplicant tries to use
2754 * Secure bit in msg 2/4 after having reported Michael
2755 * MIC failure and it then rejects the 4-way handshake
2756 * if msg 3/4 does not set Secure bit. Work around this
2757 * by setting the Secure bit here even in the case of
2758 * WPA if the supplicant used it first.
2759 */
2760 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
4740d5b9
JM		 2761 "STA used Secure bit in WPA msg 2/4 - "
2762 "set Secure for 3/4 as workaround");
0d442aff
JM		 2763 secure = 1;
2764 }
6fc6879b
JM		 2765 }
2766
2767 kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
2768 if (gtk)
2769 kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
4ec1fd8e 2770#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2771 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2772 kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
2773 kde_len += 300; /* FTIE + 2 * TIE */
2774 }
4ec1fd8e 2775#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 2776#ifdef CONFIG_P2P
2777 if (WPA_GET_BE32(sm->ip_addr) > 0)
2778 kde_len += 2 + RSN_SELECTOR_LEN + 3 * 4;
2779#endif /* CONFIG_P2P */
6fc6879b
JM		 2780 kde = os_malloc(kde_len);
2781 if (kde == NULL)
2782 return;
2783
2784 pos = kde;
2785 os_memcpy(pos, wpa_ie, wpa_ie_len);
2786 pos += wpa_ie_len;
4ec1fd8e 2787#ifdef CONFIG_IEEE80211R_AP
26e23750 2788 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
59e78c24
JM		 2789 int res;
2790 size_t elen;
2791
2792 elen = pos - kde;
2793 res = wpa_insert_pmkid(kde, &elen, sm->pmk_r1_name);
26e23750
JM		 2794 if (res < 0) {
2795 wpa_printf(MSG_ERROR, "FT: Failed to insert "
2796 "PMKR1Name into RSN IE in EAPOL-Key data");
2797 os_free(kde);
2798 return;
2799 }
59e78c24
JM		 2800 pos -= wpa_ie_len;
2801 pos += elen;
26e23750 2802 }
4ec1fd8e 2803#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 2804 if (gtk) {
2805 u8 hdr[2];
2806 hdr[0] = keyidx & 0x03;
2807 hdr[1] = 0;
2808 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2809 gtk, gtk_len);
2810 }
2811 pos = ieee80211w_kde_add(sm, pos);
2812
4ec1fd8e 2813#ifdef CONFIG_IEEE80211R_AP
86dfabb8
JM		 2814 if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
2815 int res;
2816 struct wpa_auth_config *conf;
2817
2818 conf = &sm->wpa_auth->conf;
9257610a
JM		 2819 if (sm->assoc_resp_ftie &&
2820 kde + kde_len - pos >= 2 + sm->assoc_resp_ftie[1]) {
2821 os_memcpy(pos, sm->assoc_resp_ftie,
2822 2 + sm->assoc_resp_ftie[1]);
2823 res = 2 + sm->assoc_resp_ftie[1];
2824 } else {
2825 res = wpa_write_ftie(conf, conf->r0_key_holder,
2826 conf->r0_key_holder_len,
2827 NULL, NULL, pos,
2828 kde + kde_len - pos,
2829 NULL, 0);
2830 }
86dfabb8
JM		 2831 if (res < 0) {
2832 wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2833 "into EAPOL-Key Key Data");
2834 os_free(kde);
2835 return;
2836 }
2837 pos += res;
2838
2839 /* TIE[ReassociationDeadline] (TU) */
2840 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2841 *pos++ = 5;
2842 *pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2843 WPA_PUT_LE32(pos, conf->reassociation_deadline);
2844 pos += 4;
2845
2846 /* TIE[KeyLifetime] (seconds) */
2847 *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2848 *pos++ = 5;
2849 *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2850 WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2851 pos += 4;
2852 }
4ec1fd8e 2853#endif /* CONFIG_IEEE80211R_AP */
25ef8529
JM		 2854#ifdef CONFIG_P2P
2855 if (WPA_GET_BE32(sm->ip_addr) > 0) {
2856 u8 addr[3 * 4];
2857 os_memcpy(addr, sm->ip_addr, 4);
2858 os_memcpy(addr + 4, sm->wpa_auth->conf.ip_addr_mask, 4);
2859 os_memcpy(addr + 8, sm->wpa_auth->conf.ip_addr_go, 4);
2860 pos = wpa_add_kde(pos, WFA_KEY_DATA_IP_ADDR_ALLOC,
2861 addr, sizeof(addr), NULL, 0);
2862 }
2863#endif /* CONFIG_P2P */
86dfabb8 2864
6fc6879b 2865 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d
JM		 2866 (secure ? WPA_KEY_INFO_SECURE : 0) |
2867 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 2868 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2869 WPA_KEY_INFO_KEY_TYPE,
2870 _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2871 os_free(kde);
6fc6879b
JM		 2872}
2873
2874
2875SM_STATE(WPA_PTK, PTKINITDONE)
2876{
2877 SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2878 sm->EAPOLKeyReceived = FALSE;
2879 if (sm->Pair) {
c3550295
JM		 2880 enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2881 int klen = wpa_cipher_key_len(sm->pairwise);
6fc6879b 2882 if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
98cd3d1c 2883 sm->PTK.tk, klen)) {
6fc6879b
JM		 2884 wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2885 return;
2886 }
2887 /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2888 sm->pairwise_set = TRUE;
2889
581a8cde
JM		 2890 if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2891 eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2892 eloop_register_timeout(sm->wpa_auth->conf.
2893 wpa_ptk_rekey, 0, wpa_rekey_ptk,
2894 sm->wpa_auth, sm);
2895 }
2896
a1ea1b45
JM		 2897 if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2898 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) {
6fc6879b
JM		 2899 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2900 WPA_EAPOL_authorized, 1);
2901 }
2902 }
2903
2904 if (0 /* IBSS == TRUE */) {
2905 sm->keycount++;
2906 if (sm->keycount == 2) {
2907 wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2908 WPA_EAPOL_portValid, 1);
2909 }
2910 } else {
2911 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2912 1);
2913 }
2914 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2915 wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2916 if (sm->wpa == WPA_VERSION_WPA)
2917 sm->PInitAKeys = TRUE;
2918 else
2919 sm->has_GTK = TRUE;
2920 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2921 "pairwise key handshake completed (%s)",
2922 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2923
4ec1fd8e 2924#ifdef CONFIG_IEEE80211R_AP
6fc6879b 2925 wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
4ec1fd8e 2926#endif /* CONFIG_IEEE80211R_AP */
6fc6879b
JM		 2927}
2928
2929
2930SM_STEP(WPA_PTK)
2931{
2932 struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2933
2934 if (sm->Init)
2935 SM_ENTER(WPA_PTK, INITIALIZE);
2936 else if (sm->Disconnect
1aae01fc
BG		 2937 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2938 wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2939 "WPA_PTK: sm->Disconnect");
6fc6879b 2940 SM_ENTER(WPA_PTK, DISCONNECT);
1aae01fc 2941 }
6fc6879b
JM		 2942 else if (sm->DeauthenticationRequest)
2943 SM_ENTER(WPA_PTK, DISCONNECTED);
2944 else if (sm->AuthenticationRequest)
2945 SM_ENTER(WPA_PTK, AUTHENTICATION);
2946 else if (sm->ReAuthenticationRequest)
2947 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2948 else if (sm->PTKRequest)
2949 SM_ENTER(WPA_PTK, PTKSTART);
2950 else switch (sm->wpa_ptk_state) {
2951 case WPA_PTK_INITIALIZE:
2952 break;
2953 case WPA_PTK_DISCONNECT:
2954 SM_ENTER(WPA_PTK, DISCONNECTED);
2955 break;
2956 case WPA_PTK_DISCONNECTED:
2957 SM_ENTER(WPA_PTK, INITIALIZE);
2958 break;
2959 case WPA_PTK_AUTHENTICATION:
2960 SM_ENTER(WPA_PTK, AUTHENTICATION2);
2961 break;
2962 case WPA_PTK_AUTHENTICATION2:
56586197 2963 if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
6fc6879b
JM		 2964 wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2965 WPA_EAPOL_keyRun) > 0)
2966 SM_ENTER(WPA_PTK, INITPMK);
a1ea1b45
JM		 2967 else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
2968 sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE
6fc6879b
JM		 2969 /* FIX: && 802.1X::keyRun */)
2970 SM_ENTER(WPA_PTK, INITPSK);
2971 break;
2972 case WPA_PTK_INITPMK:
2973 if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2974 WPA_EAPOL_keyAvailable) > 0)
2975 SM_ENTER(WPA_PTK, PTKSTART);
2976 else {
2977 wpa_auth->dot11RSNA4WayHandshakeFailures++;
1aae01fc
BG		 2978 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2979 "INITPMK - keyAvailable = false");
6fc6879b
JM		 2980 SM_ENTER(WPA_PTK, DISCONNECT);
2981 }
2982 break;
2983 case WPA_PTK_INITPSK:
759fd76b
JM		 2984 if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
2985 NULL))
6fc6879b
JM		 2986 SM_ENTER(WPA_PTK, PTKSTART);
2987 else {
2988 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2989 "no PSK configured for the STA");
2990 wpa_auth->dot11RSNA4WayHandshakeFailures++;
2991 SM_ENTER(WPA_PTK, DISCONNECT);
2992 }
2993 break;
2994 case WPA_PTK_PTKSTART:
2995 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2996 sm->EAPOLKeyPairwise)
2997 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2998 else if (sm->TimeoutCtr >
41f140d3 2999 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3000 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3001 wpa_auth_vlogger(
3002 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3003 "PTKSTART: Retry limit %u reached",
3004 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3005 SM_ENTER(WPA_PTK, DISCONNECT);
3006 } else if (sm->TimeoutEvt)
3007 SM_ENTER(WPA_PTK, PTKSTART);
3008 break;
3009 case WPA_PTK_PTKCALCNEGOTIATING:
3010 if (sm->MICVerified)
3011 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
3012 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3013 sm->EAPOLKeyPairwise)
3014 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3015 else if (sm->TimeoutEvt)
3016 SM_ENTER(WPA_PTK, PTKSTART);
3017 break;
3018 case WPA_PTK_PTKCALCNEGOTIATING2:
3019 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3020 break;
3021 case WPA_PTK_PTKINITNEGOTIATING:
68921e24
JM		 3022 if (sm->update_snonce)
3023 SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
3024 else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3025 sm->EAPOLKeyPairwise && sm->MICVerified)
6fc6879b
JM		 3026 SM_ENTER(WPA_PTK, PTKINITDONE);
3027 else if (sm->TimeoutCtr >
41f140d3 3028 sm->wpa_auth->conf.wpa_pairwise_update_count) {
6fc6879b 3029 wpa_auth->dot11RSNA4WayHandshakeFailures++;
41f140d3
GK		 3030 wpa_auth_vlogger(
3031 sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3032 "PTKINITNEGOTIATING: Retry limit %u reached",
3033 sm->wpa_auth->conf.wpa_pairwise_update_count);
6fc6879b
JM		 3034 SM_ENTER(WPA_PTK, DISCONNECT);
3035 } else if (sm->TimeoutEvt)
3036 SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
3037 break;
3038 case WPA_PTK_PTKINITDONE:
3039 break;
3040 }
3041}
3042
3043
3044SM_STATE(WPA_PTK_GROUP, IDLE)
3045{
3046 SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
3047 if (sm->Init) {
3048 /* Init flag is not cleared here, so avoid busy
3049 * loop by claiming nothing changed. */
3050 sm->changed = FALSE;
3051 }
3052 sm->GTimeoutCtr = 0;
3053}
3054
3055
3056SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
3057{
3058 u8 rsc[WPA_KEY_RSC_LEN];
3059 struct wpa_group *gsm = sm->group;
e41e4f9e
JM		 3060 const u8 *kde;
3061 u8 *kde_buf = NULL, *pos, hdr[2];
6fc6879b 3062 size_t kde_len;
83421850 3063 u8 *gtk, dummy_gtk[32];
6fc6879b
JM		 3064
3065 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
bae61562
JM		 3066
3067 sm->GTimeoutCtr++;
41f140d3 3068 if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
bae61562
JM		 3069 /* No point in sending the EAPOL-Key - we will disconnect
3070 * immediately following this. */
3071 return;
3072 }
3073
6fc6879b
JM		 3074 if (sm->wpa == WPA_VERSION_WPA)
3075 sm->PInitAKeys = FALSE;
3076 sm->TimeoutEvt = FALSE;
3077 /* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
3078 os_memset(rsc, 0, WPA_KEY_RSC_LEN);
3079 if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
3080 wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
3081 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3082 "sending 1/2 msg of Group Key Handshake");
3083
83421850
JM		 3084 gtk = gsm->GTK[gsm->GN - 1];
3085 if (sm->wpa_auth->conf.disable_gtk) {
3086 /*
3087 * Provide unique random GTK to each STA to prevent use
3088 * of GTK in the BSS.
3089 */
3090 if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
3091 return;
3092 gtk = dummy_gtk;
3093 }
6fc6879b
JM		 3094 if (sm->wpa == WPA_VERSION_WPA2) {
3095 kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
3096 ieee80211w_kde_len(sm);
e41e4f9e
JM		 3097 kde_buf = os_malloc(kde_len);
3098 if (kde_buf == NULL)
6fc6879b
JM		 3099 return;
3100
e41e4f9e 3101 kde = pos = kde_buf;
6fc6879b
JM		 3102 hdr[0] = gsm->GN & 0x03;
3103 hdr[1] = 0;
3104 pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
83421850 3105 gtk, gsm->GTK_len);
6fc6879b 3106 pos = ieee80211w_kde_add(sm, pos);
e41e4f9e 3107 kde_len = pos - kde;
6fc6879b 3108 } else {
83421850 3109 kde = gtk;
e41e4f9e 3110 kde_len = gsm->GTK_len;
6fc6879b
JM		 3111 }
3112
3113 wpa_send_eapol(sm->wpa_auth, sm,
b729fd8d
JM		 3114 WPA_KEY_INFO_SECURE |
3115 (wpa_mic_len(sm->wpa_key_mgmt) ? WPA_KEY_INFO_MIC : 0) |
6fc6879b
JM		 3116 WPA_KEY_INFO_ACK |
3117 (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
b0fb2be7 3118 rsc, NULL, kde, kde_len, gsm->GN, 1);
e41e4f9e
JM		 3119
3120 os_free(kde_buf);
6fc6879b
JM		 3121}
3122
3123
3124SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
3125{
3126 SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
3127 sm->EAPOLKeyReceived = FALSE;
3128 if (sm->GUpdateStationKeys)
3129 sm->group->GKeyDoneStations--;
3130 sm->GUpdateStationKeys = FALSE;
3131 sm->GTimeoutCtr = 0;
3132 /* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
3133 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3134 "group key handshake completed (%s)",
3135 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
3136 sm->has_GTK = TRUE;
3137}
3138
3139
3140SM_STATE(WPA_PTK_GROUP, KEYERROR)
3141{
3142 SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
3143 if (sm->GUpdateStationKeys)
3144 sm->group->GKeyDoneStations--;
3145 sm->GUpdateStationKeys = FALSE;
3146 sm->Disconnect = TRUE;
4bb9b674
GK		 3147 wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
3148 "group key handshake failed (%s) after %u tries",
3149 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN",
3150 sm->wpa_auth->conf.wpa_group_update_count);
6fc6879b
JM		 3151}
3152
3153
3154SM_STEP(WPA_PTK_GROUP)
3155{
9663596f 3156 if (sm->Init || sm->PtkGroupInit) {
6fc6879b 3157 SM_ENTER(WPA_PTK_GROUP, IDLE);
9663596f
JM		 3158 sm->PtkGroupInit = FALSE;
3159 } else switch (sm->wpa_ptk_group_state) {
6fc6879b
JM		 3160 case WPA_PTK_GROUP_IDLE:
3161 if (sm->GUpdateStationKeys ||
3162 (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
3163 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3164 break;
3165 case WPA_PTK_GROUP_REKEYNEGOTIATING:
3166 if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
3167 !sm->EAPOLKeyPairwise && sm->MICVerified)
3168 SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
3169 else if (sm->GTimeoutCtr >
41f140d3 3170 sm->wpa_auth->conf.wpa_group_update_count)
6fc6879b
JM		 3171 SM_ENTER(WPA_PTK_GROUP, KEYERROR);
3172 else if (sm->TimeoutEvt)
3173 SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
3174 break;
3175 case WPA_PTK_GROUP_KEYERROR:
3176 SM_ENTER(WPA_PTK_GROUP, IDLE);
3177 break;
3178 case WPA_PTK_GROUP_REKEYESTABLISHED:
3179 SM_ENTER(WPA_PTK_GROUP, IDLE);
3180 break;
3181 }
3182}
3183
3184
3185static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
3186 struct wpa_group *group)
3187{
3188 int ret = 0;
3189
6fc6879b
JM		 3190 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3191 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3192 if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
3193 wpa_auth->addr, group->GNonce,
3194 group->GTK[group->GN - 1], group->GTK_len) < 0)
3195 ret = -1;
5cb9d5c3
JM		 3196 wpa_hexdump_key(MSG_DEBUG, "GTK",
3197 group->GTK[group->GN - 1], group->GTK_len);
6fc6879b
JM		 3198
3199#ifdef CONFIG_IEEE80211W
70f8cc8e 3200 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
8dd9f9cd
JM		 3201 size_t len;
3202 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
5cb9d5c3
JM		 3203 os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
3204 inc_byte_array(group->Counter, WPA_NONCE_LEN);
3c7302c2
JM		 3205 if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
3206 wpa_auth->addr, group->GNonce,
8dd9f9cd 3207 group->IGTK[group->GN_igtk - 4], len) < 0)
3c7302c2 3208 ret = -1;
6fc6879b 3209 wpa_hexdump_key(MSG_DEBUG, "IGTK",
8dd9f9cd 3210 group->IGTK[group->GN_igtk - 4], len);
6fc6879b
JM		 3211 }
3212#endif /* CONFIG_IEEE80211W */
3213
3214 return ret;
3215}
3216
3217
3218static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
3219 struct wpa_group *group)
3220{
3221 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3222 "GTK_INIT (VLAN-ID %d)", group->vlan_id);
3223 group->changed = FALSE; /* GInit is not cleared here; avoid loop */
3224 group->wpa_group_state = WPA_GROUP_GTK_INIT;
3225
3226 /* GTK[0..N] = 0 */
3227 os_memset(group->GTK, 0, sizeof(group->GTK));
3228 group->GN = 1;
3229 group->GM = 2;
3230#ifdef CONFIG_IEEE80211W
3231 group->GN_igtk = 4;
3232 group->GM_igtk = 5;
3233#endif /* CONFIG_IEEE80211W */
3234 /* GTK[GN] = CalcGTK() */
3235 wpa_gtk_update(wpa_auth, group);
3236}
3237
3238
3239static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
3240{
473b6f22
MB		 3241 if (ctx != NULL && ctx != sm->group)
3242 return 0;
3243
6fc6879b
JM		 3244 if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
3245 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3246 "Not in PTKINITDONE; skip Group Key update");
3c183894 3247 sm->GUpdateStationKeys = FALSE;
6fc6879b
JM		 3248 return 0;
3249 }
9663596f
JM		 3250 if (sm->GUpdateStationKeys) {
3251 /*
3c183894
JM		 3252 * This should not really happen, so add a debug log entry.
3253 * Since we clear the GKeyDoneStations before the loop, the
3254 * station needs to be counted here anyway.
9663596f
JM		 3255 */
3256 wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
3c183894
JM		 3257 "GUpdateStationKeys was already set when "
3258 "marking station for GTK rekeying");
9663596f 3259 }
3c183894 3260
ad3872a3 3261 /* Do not rekey GTK/IGTK when STA is in WNM-Sleep Mode */
d32d94db
XC		 3262 if (sm->is_wnmsleep)
3263 return 0;
d32d94db 3264
3c183894
JM		 3265 sm->group->GKeyDoneStations++;
3266 sm->GUpdateStationKeys = TRUE;
3267
6fc6879b
JM		 3268 wpa_sm_step(sm);
3269 return 0;
3270}
3271
3272
ad3872a3
JM		 3273#ifdef CONFIG_WNM
3274/* update GTK when exiting WNM-Sleep Mode */
d32d94db
XC		 3275void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
3276{
629edfef 3277 if (sm == NULL || sm->is_wnmsleep)
d32d94db
XC		 3278 return;
3279
3280 wpa_group_update_sta(sm, NULL);
3281}
3282
3283
3284void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
3285{
629edfef
JM		 3286 if (sm)
3287 sm->is_wnmsleep = !!flag;
d32d94db
XC		 3288}
3289
3290
3291int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3292{
d32d94db 3293 struct wpa_group *gsm = sm->group;
835822d4 3294 u8 *start = pos;
d32d94db
XC		 3295
3296 /*
835822d4 3297 * GTK subelement:
d32d94db 3298 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
835822d4 3299 * Key[5..32]
d32d94db 3300 */
835822d4
JM		 3301 *pos++ = WNM_SLEEP_SUBELEM_GTK;
3302 *pos++ = 11 + gsm->GTK_len;
d32d94db 3303 /* Key ID in B0-B1 of Key Info */
835822d4
JM		 3304 WPA_PUT_LE16(pos, gsm->GN & 0x03);
3305 pos += 2;
3306 *pos++ = gsm->GTK_len;
3307 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, pos) != 0)
d32d94db 3308 return 0;
835822d4
JM		 3309 pos += 8;
3310 os_memcpy(pos, gsm->GTK[gsm->GN - 1], gsm->GTK_len);
3311 pos += gsm->GTK_len;
d32d94db 3312
835822d4
JM		 3313 wpa_printf(MSG_DEBUG, "WNM: GTK Key ID %u in WNM-Sleep Mode exit",
3314 gsm->GN);
3315 wpa_hexdump_key(MSG_DEBUG, "WNM: GTK in WNM-Sleep Mode exit",
d32d94db 3316 gsm->GTK[gsm->GN - 1], gsm->GTK_len);
d32d94db 3317
835822d4 3318 return pos - start;
d32d94db
XC		 3319}
3320
3321
3322#ifdef CONFIG_IEEE80211W
3323int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
3324{
d32d94db 3325 struct wpa_group *gsm = sm->group;
835822d4 3326 u8 *start = pos;
8dd9f9cd 3327 size_t len = wpa_cipher_key_len(sm->wpa_auth->conf.group_mgmt_cipher);
d32d94db 3328
835822d4
JM		 3329 /*
3330 * IGTK subelement:
3331 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] | Key[16]
3332 */
3333 *pos++ = WNM_SLEEP_SUBELEM_IGTK;
8dd9f9cd 3334 *pos++ = 2 + 6 + len;
835822d4
JM		 3335 WPA_PUT_LE16(pos, gsm->GN_igtk);
3336 pos += 2;
3337 if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos) != 0)
d32d94db 3338 return 0;
835822d4 3339 pos += 6;
d32d94db 3340
8dd9f9cd
JM		 3341 os_memcpy(pos, gsm->IGTK[gsm->GN_igtk - 4], len);
3342 pos += len;
d32d94db 3343
835822d4
JM		 3344 wpa_printf(MSG_DEBUG, "WNM: IGTK Key ID %u in WNM-Sleep Mode exit",
3345 gsm->GN_igtk);
3346 wpa_hexdump_key(MSG_DEBUG, "WNM: IGTK in WNM-Sleep Mode exit",
8dd9f9cd 3347 gsm->IGTK[gsm->GN_igtk - 4], len);
d32d94db 3348
835822d4 3349 return pos - start;
d32d94db
XC		 3350}
3351#endif /* CONFIG_IEEE80211W */
ad3872a3 3352#endif /* CONFIG_WNM */
d32d94db
XC		 3353
3354
6fc6879b
JM		 3355static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
3356 struct wpa_group *group)
3357{
3358 int tmp;
3359
3360 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3361 "SETKEYS (VLAN-ID %d)", group->vlan_id);
3362 group->changed = TRUE;
3363 group->wpa_group_state = WPA_GROUP_SETKEYS;
3364 group->GTKReKey = FALSE;
3365 tmp = group->GM;
3366 group->GM = group->GN;
3367 group->GN = tmp;
3368#ifdef CONFIG_IEEE80211W
3369 tmp = group->GM_igtk;
3370 group->GM_igtk = group->GN_igtk;
3371 group->GN_igtk = tmp;
3372#endif /* CONFIG_IEEE80211W */
3373 /* "GKeyDoneStations = GNoStations" is done in more robust way by
3374 * counting the STAs that are marked with GUpdateStationKeys instead of
3375 * including all STAs that could be in not-yet-completed state. */
3376 wpa_gtk_update(wpa_auth, group);
3377
3c183894
JM		 3378 if (group->GKeyDoneStations) {
3379 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
3380 "GKeyDoneStations=%d when starting new GTK rekey",
3381 group->GKeyDoneStations);
3382 group->GKeyDoneStations = 0;
3383 }
473b6f22 3384 wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
6fc6879b
JM		 3385 wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
3386 group->GKeyDoneStations);
3387}
3388
3389
1bdb7ab3
JM		 3390static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
3391 struct wpa_group *group)
6fc6879b 3392{
3c7302c2
JM		 3393 int ret = 0;
3394
3c7302c2 3395 if (wpa_auth_set_key(wpa_auth, group->vlan_id,
c3550295 3396 wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
0382097e
JM		 3397 broadcast_ether_addr, group->GN,
3398 group->GTK[group->GN - 1], group->GTK_len) < 0)
3c7302c2 3399 ret = -1;
6fc6879b
JM		 3400
3401#ifdef CONFIG_IEEE80211W
8dd9f9cd
JM		 3402 if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
3403 enum wpa_alg alg;
3404 size_t len;
3405
3406 alg = wpa_cipher_to_alg(wpa_auth->conf.group_mgmt_cipher);
3407 len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
3408
3409 if (ret == 0 &&
3410 wpa_auth_set_key(wpa_auth, group->vlan_id, alg,
3411 broadcast_ether_addr, group->GN_igtk,
3412 group->IGTK[group->GN_igtk - 4], len) < 0)
3413 ret = -1;
3414 }
6fc6879b 3415#endif /* CONFIG_IEEE80211W */
3c7302c2
JM		 3416
3417 return ret;
6fc6879b
JM		 3418}
3419
3420
7d7f7be2
JM		 3421static int wpa_group_disconnect_cb(struct wpa_state_machine *sm, void *ctx)
3422{
3423 if (sm->group == ctx) {
3424 wpa_printf(MSG_DEBUG, "WPA: Mark STA " MACSTR
3425 " for discconnection due to fatal failure",
3426 MAC2STR(sm->addr));
3427 sm->Disconnect = TRUE;
3428 }
3429
3430 return 0;
3431}
3432
3433
3434static void wpa_group_fatal_failure(struct wpa_authenticator *wpa_auth,
3435 struct wpa_group *group)
3436{
3437 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state FATAL_FAILURE");
3438 group->changed = TRUE;
3439 group->wpa_group_state = WPA_GROUP_FATAL_FAILURE;
3440 wpa_auth_for_each_sta(wpa_auth, wpa_group_disconnect_cb, group);
3441}
3442
3443
1bdb7ab3
JM		 3444static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
3445 struct wpa_group *group)
3446{
3447 wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
3448 "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
3449 group->changed = TRUE;
3450 group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
3451
7d7f7be2
JM		 3452 if (wpa_group_config_group_keys(wpa_auth, group) < 0) {
3453 wpa_group_fatal_failure(wpa_auth, group);
1bdb7ab3 3454 return -1;
7d7f7be2 3455 }
1bdb7ab3
JM		 3456
3457 return 0;
3458}
3459
3460
6fc6879b
JM		 3461static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
3462 struct wpa_group *group)
3463{
3464 if (group->GInit) {
3465 wpa_group_gtk_init(wpa_auth, group);
7d7f7be2
JM		 3466 } else if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE) {
3467 /* Do not allow group operations */
6fc6879b
JM		 3468 } else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
3469 group->GTKAuthenticator) {
3470 wpa_group_setkeysdone(wpa_auth, group);
3471 } else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
3472 group->GTKReKey) {
3473 wpa_group_setkeys(wpa_auth, group);
3474 } else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
3475 if (group->GKeyDoneStations == 0)
3476 wpa_group_setkeysdone(wpa_auth, group);
3477 else if (group->GTKReKey)
3478 wpa_group_setkeys(wpa_auth, group);
3479 }
3480}
3481
3482
e4a6ea1d 3483static int wpa_sm_step(struct wpa_state_machine *sm)
6fc6879b
JM		 3484{
3485 if (sm == NULL)
e4a6ea1d 3486 return 0;
6fc6879b
JM		 3487
3488 if (sm->in_step_loop) {
3489 /* This should not happen, but if it does, make sure we do not
3490 * end up freeing the state machine too early by exiting the
3491 * recursive call. */
3492 wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
e4a6ea1d 3493 return 0;
6fc6879b
JM		 3494 }
3495
3496 sm->in_step_loop = 1;
3497 do {
3498 if (sm->pending_deinit)
3499 break;
3500
3501 sm->changed = FALSE;
3502 sm->wpa_auth->group->changed = FALSE;
3503
3504 SM_STEP_RUN(WPA_PTK);
3505 if (sm->pending_deinit)
3506 break;
3507 SM_STEP_RUN(WPA_PTK_GROUP);
3508 if (sm->pending_deinit)
3509 break;
3510 wpa_group_sm_step(sm->wpa_auth, sm->group);
3511 } while (sm->changed || sm->wpa_auth->group->changed);
3512 sm->in_step_loop = 0;
3513
3514 if (sm->pending_deinit) {
3515 wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
3516 "machine deinit for " MACSTR, MAC2STR(sm->addr));
3517 wpa_free_sta_sm(sm);
e4a6ea1d 3518 return 1;
6fc6879b 3519 }
e4a6ea1d 3520 return 0;
6fc6879b
JM		 3521}
3522
3523
3524static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
3525{
3526 struct wpa_state_machine *sm = eloop_ctx;
3527 wpa_sm_step(sm);
3528}
3529
3530
3531void wpa_auth_sm_notify(struct wpa_state_machine *sm)
3532{
3533 if (sm == NULL)
3534 return;
3535 eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
3536}
3537
3538
3539void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
3540{
3541 int tmp, i;
3542 struct wpa_group *group;
3543
3544 if (wpa_auth == NULL)
3545 return;
3546
3547 group = wpa_auth->group;
3548
3549 for (i = 0; i < 2; i++) {
3550 tmp = group->GM;
3551 group->GM = group->GN;
3552 group->GN = tmp;
3553#ifdef CONFIG_IEEE80211W
3554 tmp = group->GM_igtk;
3555 group->GM_igtk = group->GN_igtk;
3556 group->GN_igtk = tmp;
3557#endif /* CONFIG_IEEE80211W */
3558 wpa_gtk_update(wpa_auth, group);
9354e594 3559 wpa_group_config_group_keys(wpa_auth, group);
6fc6879b
JM		 3560 }
3561}
3562
3563
a6da824b 3564static const char * wpa_bool_txt(int val)
6fc6879b 3565{
a6da824b 3566 return val ? "TRUE" : "FALSE";
6fc6879b
JM		 3567}
3568
3569
6fc6879b
JM		 3570#define RSN_SUITE "%02x-%02x-%02x-%d"
3571#define RSN_SUITE_ARG(s) \
3572((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
3573
3574int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
3575{
3576 int len = 0, ret;
3577 char pmkid_txt[PMKID_LEN * 2 + 1];
8ce58ceb
IH		 3578#ifdef CONFIG_RSN_PREAUTH
3579 const int preauth = 1;
3580#else /* CONFIG_RSN_PREAUTH */
3581 const int preauth = 0;
3582#endif /* CONFIG_RSN_PREAUTH */
6fc6879b
JM		 3583
3584 if (wpa_auth == NULL)
3585 return len;
3586
3587 ret = os_snprintf(buf + len, buflen - len,
3588 "dot11RSNAOptionImplemented=TRUE\n"
8ce58ceb 3589 "dot11RSNAPreauthenticationImplemented=%s\n"
6fc6879b
JM		 3590 "dot11RSNAEnabled=%s\n"
3591 "dot11RSNAPreauthenticationEnabled=%s\n",
8ce58ceb 3592 wpa_bool_txt(preauth),
6fc6879b
JM		 3593 wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
3594 wpa_bool_txt(wpa_auth->conf.rsn_preauth));
d85e1fc8 3595 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3596 return len;
3597 len += ret;
3598
3599 wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
3600 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
3601
3602 ret = os_snprintf(
3603 buf + len, buflen - len,
3604 "dot11RSNAConfigVersion=%u\n"
3605 "dot11RSNAConfigPairwiseKeysSupported=9999\n"
3606 /* FIX: dot11RSNAConfigGroupCipher */
3607 /* FIX: dot11RSNAConfigGroupRekeyMethod */
3608 /* FIX: dot11RSNAConfigGroupRekeyTime */
3609 /* FIX: dot11RSNAConfigGroupRekeyPackets */
3610 "dot11RSNAConfigGroupRekeyStrict=%u\n"
3611 "dot11RSNAConfigGroupUpdateCount=%u\n"
3612 "dot11RSNAConfigPairwiseUpdateCount=%u\n"
3613 "dot11RSNAConfigGroupCipherSize=%u\n"
3614 "dot11RSNAConfigPMKLifetime=%u\n"
3615 "dot11RSNAConfigPMKReauthThreshold=%u\n"
3616 "dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
3617 "dot11RSNAConfigSATimeout=%u\n"
3618 "dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
3619 "dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
3620 "dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
3621 "dot11RSNAPMKIDUsed=%s\n"
3622 "dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
3623 "dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
3624 "dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
3625 "dot11RSNATKIPCounterMeasuresInvoked=%u\n"
3626 "dot11RSNA4WayHandshakeFailures=%u\n"
3627 "dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
3628 RSN_VERSION,
3629 !!wpa_auth->conf.wpa_strict_rekey,
41f140d3
GK		 3630 wpa_auth->conf.wpa_group_update_count,
3631 wpa_auth->conf.wpa_pairwise_update_count,
c3550295 3632 wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
6fc6879b
JM		 3633 dot11RSNAConfigPMKLifetime,
3634 dot11RSNAConfigPMKReauthThreshold,
3635 dot11RSNAConfigSATimeout,
3636 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
3637 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
3638 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
3639 pmkid_txt,
3640 RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
3641 RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
3642 RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
3643 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
3644 wpa_auth->dot11RSNA4WayHandshakeFailures);
d85e1fc8 3645 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3646 return len;
3647 len += ret;
3648
3649 /* TODO: dot11RSNAConfigPairwiseCiphersTable */
3650 /* TODO: dot11RSNAConfigAuthenticationSuitesTable */
3651
3652 /* Private MIB */
3653 ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
3654 wpa_auth->group->wpa_group_state);
d85e1fc8 3655 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3656 return len;
3657 len += ret;
3658
3659 return len;
3660}
3661
3662
3663int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
3664{
3665 int len = 0, ret;
3666 u32 pairwise = 0;
3667
3668 if (sm == NULL)
3669 return 0;
3670
3671 /* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
3672
3673 /* dot11RSNAStatsEntry */
3674
c3550295
JM		 3675 pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
3676 WPA_PROTO_RSN : WPA_PROTO_WPA,
3677 sm->pairwise);
3678 if (pairwise == 0)
6fc6879b
JM		 3679 return 0;
3680
3681 ret = os_snprintf(
3682 buf + len, buflen - len,
3683 /* TODO: dot11RSNAStatsIndex */
3684 "dot11RSNAStatsSTAAddress=" MACSTR "\n"
3685 "dot11RSNAStatsVersion=1\n"
3686 "dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
3687 /* TODO: dot11RSNAStatsTKIPICVErrors */
3688 "dot11RSNAStatsTKIPLocalMICFailures=%u\n"
d9040cdb 3689 "dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
6fc6879b
JM		 3690 /* TODO: dot11RSNAStatsCCMPReplays */
3691 /* TODO: dot11RSNAStatsCCMPDecryptErrors */
3692 /* TODO: dot11RSNAStatsTKIPReplays */,
3693 MAC2STR(sm->addr),
3694 RSN_SUITE_ARG(pairwise),
3695 sm->dot11RSNAStatsTKIPLocalMICFailures,
3696 sm->dot11RSNAStatsTKIPRemoteMICFailures);
d85e1fc8 3697 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3698 return len;
3699 len += ret;
3700
3701 /* Private MIB */
3702 ret = os_snprintf(buf + len, buflen - len,
3703 "hostapdWPAPTKState=%d\n"
3704 "hostapdWPAPTKGroupState=%d\n",
3705 sm->wpa_ptk_state,
3706 sm->wpa_ptk_group_state);
d85e1fc8 3707 if (os_snprintf_error(buflen - len, ret))
6fc6879b
JM		 3708 return len;
3709 len += ret;
3710
3711 return len;
3712}
3713
3714
3715void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
3716{
3717 if (wpa_auth)
3718 wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
3719}
3720
3721
3722int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
3723{
3724 return sm && sm->pairwise_set;
3725}
3726
3727
ff36ff00
JM		 3728int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
3729{
3730 return sm->pairwise;
3731}
3732
3733
6fc6879b
JM		 3734int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
3735{
3736 if (sm == NULL)
3737 return -1;
3738 return sm->wpa_key_mgmt;
3739}
3740
3741
3742int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
3743{
3744 if (sm == NULL)
3745 return 0;
3746 return sm->wpa;
3747}
3748
3749
3750int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
3751 struct rsn_pmksa_cache_entry *entry)
3752{
3753 if (sm == NULL || sm->pmksa != entry)
3754 return -1;
3755 sm->pmksa = NULL;
3756 return 0;
3757}
3758
3759
3760struct rsn_pmksa_cache_entry *
3761wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
3762{
3763 return sm ? sm->pmksa : NULL;
3764}
3765
3766
3767void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
3768{
3769 if (sm)
3770 sm->dot11RSNAStatsTKIPLocalMICFailures++;
3771}
3772
3773
3774const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
3775{
3776 if (wpa_auth == NULL)
3777 return NULL;
3778 *len = wpa_auth->wpa_ie_len;
3779 return wpa_auth->wpa_ie;
3780}
3781
3782
3783int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
207976f0 3784 unsigned int pmk_len,
6fc6879b
JM		 3785 int session_timeout, struct eapol_state_machine *eapol)
3786{
cb465555
JM		 3787 if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
3788 sm->wpa_auth->conf.disable_pmksa_caching)
6fc6879b
JM		 3789 return -1;
3790
834c5d68 3791 if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
207976f0
JM		 3792 if (pmk_len > PMK_LEN_SUITE_B_192)
3793 pmk_len = PMK_LEN_SUITE_B_192;
3794 } else if (pmk_len > PMK_LEN) {
3795 pmk_len = PMK_LEN;
3796 }
3797
70c93963 3798 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, pmk_len, NULL,
98cd3d1c 3799 sm->PTK.kck, sm->PTK.kck_len,
4bb081f1
JM		 3800 sm->wpa_auth->addr, sm->addr, session_timeout,
3801 eapol, sm->wpa_key_mgmt))
6fc6879b
JM		 3802 return 0;
3803
3804 return -1;
3805}
3806
3807
3808int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
3809 const u8 *pmk, size_t len, const u8 *sta_addr,
3810 int session_timeout,
3811 struct eapol_state_machine *eapol)
3812{
3813 if (wpa_auth == NULL)
3814 return -1;
3815
70c93963 3816 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, NULL,
087a1f4e
JM		 3817 NULL, 0,
3818 wpa_auth->addr,
4bb081f1
JM		 3819 sta_addr, session_timeout, eapol,
3820 WPA_KEY_MGMT_IEEE8021X))
6fc6879b
JM		 3821 return 0;
3822
3823 return -1;
3824}
3825
3826
f2991170 3827int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
70c93963 3828 const u8 *pmk, const u8 *pmkid)
f2991170
JM		 3829{
3830 if (wpa_auth->conf.disable_pmksa_caching)
3831 return -1;
3832
70c93963 3833 if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid,
087a1f4e 3834 NULL, 0,
f2991170
JM		 3835 wpa_auth->addr, addr, 0, NULL,
3836 WPA_KEY_MGMT_SAE))
3837 return 0;
3838
3839 return -1;
3840}
3841
3842
901d1fe1
JM		 3843void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
3844 const u8 *sta_addr)
3845{
3846 struct rsn_pmksa_cache_entry *pmksa;
3847
3848 if (wpa_auth == NULL || wpa_auth->pmksa == NULL)
3849 return;
3850 pmksa = pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, NULL);
3851 if (pmksa) {
3852 wpa_printf(MSG_DEBUG, "WPA: Remove PMKSA cache entry for "
3853 MACSTR " based on request", MAC2STR(sta_addr));
3854 pmksa_cache_free_entry(wpa_auth->pmksa, pmksa);
3855 }
3856}
3857
3858
b8daac18
MH		 3859int wpa_auth_pmksa_list(struct wpa_authenticator *wpa_auth, char *buf,
3860 size_t len)
3861{
3862 if (!wpa_auth || !wpa_auth->pmksa)
3863 return 0;
3864 return pmksa_cache_auth_list(wpa_auth->pmksa, buf, len);
3865}
3866
3867
4c522c77
MH		 3868void wpa_auth_pmksa_flush(struct wpa_authenticator *wpa_auth)
3869{
3870 if (wpa_auth && wpa_auth->pmksa)
3871 pmksa_cache_auth_flush(wpa_auth->pmksa);
3872}
3873
3874
4d77d80e
MH		 3875#ifdef CONFIG_PMKSA_CACHE_EXTERNAL
3876#ifdef CONFIG_MESH
3877
3878int wpa_auth_pmksa_list_mesh(struct wpa_authenticator *wpa_auth, const u8 *addr,
3879 char *buf, size_t len)
3880{
3881 if (!wpa_auth || !wpa_auth->pmksa)
3882 return 0;
3883
3884 return pmksa_cache_auth_list_mesh(wpa_auth->pmksa, addr, buf, len);
3885}
3886
3887
3888struct rsn_pmksa_cache_entry *
3889wpa_auth_pmksa_create_entry(const u8 *aa, const u8 *spa, const u8 *pmk,
3890 const u8 *pmkid, int expiration)
3891{
3892 struct rsn_pmksa_cache_entry *entry;
3893 struct os_reltime now;
3894
3895 entry = pmksa_cache_auth_create_entry(pmk, PMK_LEN, pmkid, NULL, 0, aa,
3896 spa, 0, NULL, WPA_KEY_MGMT_SAE);
3897 if (!entry)
3898 return NULL;
3899
3900 os_get_reltime(&now);
3901 entry->expiration = now.sec + expiration;
3902 return entry;
3903}
3904
3905
3906int wpa_auth_pmksa_add_entry(struct wpa_authenticator *wpa_auth,
3907 struct rsn_pmksa_cache_entry *entry)
3908{
3909 int ret;
3910
3911 if (!wpa_auth || !wpa_auth->pmksa)
3912 return -1;
3913
3914 ret = pmksa_cache_auth_add_entry(wpa_auth->pmksa, entry);
3915 if (ret < 0)
3916 wpa_printf(MSG_DEBUG,
3917 "RSN: Failed to store external PMKSA cache for "
3918 MACSTR, MAC2STR(entry->spa));
3919
3920 return ret;
3921}
3922
3923#endif /* CONFIG_MESH */
3924#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
3925
3926
9f2cf23e 3927struct rsn_pmksa_cache_entry *
c1bd4bac
JM		 3928wpa_auth_pmksa_get(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
3929 const u8 *pmkid)
9f2cf23e
MH		 3930{
3931 if (!wpa_auth || !wpa_auth->pmksa)
3932 return NULL;
c1bd4bac 3933 return pmksa_cache_auth_get(wpa_auth->pmksa, sta_addr, pmkid);
9f2cf23e
MH		 3934}
3935
3936
3937void wpa_auth_pmksa_set_to_sm(struct rsn_pmksa_cache_entry *pmksa,
3938 struct wpa_state_machine *sm,
3939 struct wpa_authenticator *wpa_auth,
3940 u8 *pmkid, u8 *pmk)
3941{
3942 if (!sm)
3943 return;
3944
3945 sm->pmksa = pmksa;
8854f90b
JM		 3946 os_memcpy(pmk, pmksa->pmk, PMK_LEN);
3947 os_memcpy(pmkid, pmksa->pmkid, PMKID_LEN);
3948 os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmksa->pmkid, PMKID_LEN);
9f2cf23e
MH		 3949}
3950
3951
a0ad9e8c
MB		 3952/*
3953 * Remove and free the group from wpa_authenticator. This is triggered by a
3954 * callback to make sure nobody is currently iterating the group list while it
3955 * gets modified.
3956 */
3957static void wpa_group_free(struct wpa_authenticator *wpa_auth,
3958 struct wpa_group *group)
3959{
3960 struct wpa_group *prev = wpa_auth->group;
3961
3962 wpa_printf(MSG_DEBUG, "WPA: Remove group state machine for VLAN-ID %d",
3963 group->vlan_id);
3964
3965 while (prev) {
3966 if (prev->next == group) {
3967 /* This never frees the special first group as needed */
3968 prev->next = group->next;
3969 os_free(group);
3970 break;
3971 }
3972 prev = prev->next;
3973 }
3974
3975}
3976
3977
3978/* Increase the reference counter for group */
3979static void wpa_group_get(struct wpa_authenticator *wpa_auth,
3980 struct wpa_group *group)
3981{
3982 /* Skip the special first group */
3983 if (wpa_auth->group == group)
3984 return;
3985
3986 group->references++;
3987}
3988
3989
3990/* Decrease the reference counter and maybe free the group */
3991static void wpa_group_put(struct wpa_authenticator *wpa_auth,
3992 struct wpa_group *group)
3993{
3994 /* Skip the special first group */
3995 if (wpa_auth->group == group)
3996 return;
3997
3998 group->references--;
3999 if (group->references)
4000 return;
4001 wpa_group_free(wpa_auth, group);
4002}
4003
4004
4005/*
4006 * Add a group that has its references counter set to zero. Caller needs to
4007 * call wpa_group_get() on the return value to mark the entry in use.
4008 */
6fc6879b
JM		 4009static struct wpa_group *
4010wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4011{
4012 struct wpa_group *group;
4013
4014 if (wpa_auth == NULL || wpa_auth->group == NULL)
4015 return NULL;
4016
4017 wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
4018 vlan_id);
bdffdc5d 4019 group = wpa_group_init(wpa_auth, vlan_id, 0);
6fc6879b
JM		 4020 if (group == NULL)
4021 return NULL;
4022
4023 group->next = wpa_auth->group->next;
4024 wpa_auth->group->next = group;
4025
4026 return group;
4027}
4028
4029
7cebc8e2
MB		 4030/*
4031 * Enforce that the group state machine for the VLAN is running, increase
4032 * reference counter as interface is up. References might have been increased
4033 * even if a negative value is returned.
4034 * Returns: -1 on error (group missing, group already failed); otherwise, 0
4035 */
4036int wpa_auth_ensure_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4037{
4038 struct wpa_group *group;
4039
4040 if (wpa_auth == NULL)
4041 return 0;
4042
4043 group = wpa_auth->group;
4044 while (group) {
4045 if (group->vlan_id == vlan_id)
4046 break;
4047 group = group->next;
4048 }
4049
4050 if (group == NULL) {
4051 group = wpa_auth_add_group(wpa_auth, vlan_id);
4052 if (group == NULL)
4053 return -1;
4054 }
4055
4056 wpa_printf(MSG_DEBUG,
4057 "WPA: Ensure group state machine running for VLAN ID %d",
4058 vlan_id);
4059
4060 wpa_group_get(wpa_auth, group);
4061 group->num_setup_iface++;
4062
4063 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4064 return -1;
4065
4066 return 0;
4067}
4068
4069
4070/*
4071 * Decrease reference counter, expected to be zero afterwards.
4072 * returns: -1 on error (group not found, group in fail state)
4073 * -2 if wpa_group is still referenced
4074 * 0 else
4075 */
4076int wpa_auth_release_group(struct wpa_authenticator *wpa_auth, int vlan_id)
4077{
4078 struct wpa_group *group;
4079 int ret = 0;
4080
4081 if (wpa_auth == NULL)
4082 return 0;
4083
4084 group = wpa_auth->group;
4085 while (group) {
4086 if (group->vlan_id == vlan_id)
4087 break;
4088 group = group->next;
4089 }
4090
4091 if (group == NULL)
4092 return -1;
4093
4094 wpa_printf(MSG_DEBUG,
4095 "WPA: Try stopping group state machine for VLAN ID %d",
4096 vlan_id);
4097
4098 if (group->num_setup_iface <= 0) {
4099 wpa_printf(MSG_ERROR,
4100 "WPA: wpa_auth_release_group called more often than wpa_auth_ensure_group for VLAN ID %d, skipping.",
4101 vlan_id);
4102 return -1;
4103 }
4104 group->num_setup_iface--;
4105
4106 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4107 ret = -1;
4108
4109 if (group->references > 1) {
4110 wpa_printf(MSG_DEBUG,
4111 "WPA: Cannot stop group state machine for VLAN ID %d as references are still hold",
4112 vlan_id);
4113 ret = -2;
4114 }
4115
4116 wpa_group_put(wpa_auth, group);
4117
4118 return ret;
4119}
4120
4121
6fc6879b
JM		 4122int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
4123{
4124 struct wpa_group *group;
4125
4126 if (sm == NULL || sm->wpa_auth == NULL)
4127 return 0;
4128
4129 group = sm->wpa_auth->group;
4130 while (group) {
4131 if (group->vlan_id == vlan_id)
4132 break;
4133 group = group->next;
4134 }
4135
4136 if (group == NULL) {
4137 group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
4138 if (group == NULL)
4139 return -1;
4140 }
4141
4142 if (sm->group == group)
4143 return 0;
4144
7d7f7be2
JM		 4145 if (group->wpa_group_state == WPA_GROUP_FATAL_FAILURE)
4146 return -1;
4147
6fc6879b
JM		 4148 wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
4149 "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
4150
a0ad9e8c
MB		 4151 wpa_group_get(sm->wpa_auth, group);
4152 wpa_group_put(sm->wpa_auth, sm->group);
6fc6879b 4153 sm->group = group;
a0ad9e8c 4154
6fc6879b
JM		 4155 return 0;
4156}
e4bf4db9
JM		 4157
4158
4159void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
4160 struct wpa_state_machine *sm, int ack)
4161{
4162 if (wpa_auth == NULL || sm == NULL)
4163 return;
4164 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
4165 " ack=%d", MAC2STR(sm->addr), ack);
4166 if (sm->pending_1_of_4_timeout && ack) {
4167 /*
4168 * Some deployed supplicant implementations update their SNonce
4169 * for each EAPOL-Key 2/4 message even within the same 4-way
4170 * handshake and then fail to use the first SNonce when
4171 * deriving the PTK. This results in unsuccessful 4-way
4172 * handshake whenever the relatively short initial timeout is
4173 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
4174 * around this by increasing the timeout now that we know that
4175 * the station has received the frame.
4176 */
4177 int timeout_ms = eapol_key_timeout_subseq;
4178 wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
4179 "timeout by %u ms because of acknowledged frame",
4180 timeout_ms);
4181 eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
4182 eloop_register_timeout(timeout_ms / 1000,
4183 (timeout_ms % 1000) * 1000,
4184 wpa_send_eapol_timeout, wpa_auth, sm);
4185 }
4186}
c10347f2
JM		 4187
4188
4189int wpa_auth_uses_sae(struct wpa_state_machine *sm)
4190{
4191 if (sm == NULL)
4192 return 0;
4193 return wpa_key_mgmt_sae(sm->wpa_key_mgmt);
4194}
aa189ac9
JM		 4195
4196
4197int wpa_auth_uses_ft_sae(struct wpa_state_machine *sm)
4198{
4199 if (sm == NULL)
4200 return 0;
4201 return sm->wpa_key_mgmt == WPA_KEY_MGMT_FT_SAE;
4202}
25ef8529
JM		 4203
4204
4205#ifdef CONFIG_P2P
4206int wpa_auth_get_ip_addr(struct wpa_state_machine *sm, u8 *addr)
4207{
4208 if (sm == NULL || WPA_GET_BE32(sm->ip_addr) == 0)
4209 return -1;
4210 os_memcpy(addr, sm->ip_addr, 4);
4211 return 0;
4212}
4213#endif /* CONFIG_P2P */
cbc210de
JM		 4214
4215
4216int wpa_auth_radius_das_disconnect_pmksa(struct wpa_authenticator *wpa_auth,
4217 struct radius_das_attrs *attr)
4218{
4219 return pmksa_cache_auth_radius_das_disconnect(wpa_auth->pmksa, attr);
4220}
34782730
JM		 4221
4222
4223void wpa_auth_reconfig_group_keys(struct wpa_authenticator *wpa_auth)
4224{
4225 struct wpa_group *group;
4226
4227 if (!wpa_auth)
4228 return;
4229 for (group = wpa_auth->group; group; group = group->next)
4230 wpa_group_config_group_keys(wpa_auth, group);
4231}
7eace378
JM		 4232
4233
4234#ifdef CONFIG_FILS
4235
4236struct wpa_auth_fils_iter_data {
4237 struct wpa_authenticator *auth;
4238 const u8 *cache_id;
4239 struct rsn_pmksa_cache_entry *pmksa;
4240 const u8 *spa;
4241 const u8 *pmkid;
4242};
4243
4244
4245static int wpa_auth_fils_iter(struct wpa_authenticator *a, void *ctx)
4246{
4247 struct wpa_auth_fils_iter_data *data = ctx;
4248
4cc6574d 4249 if (a == data->auth || !a->conf.fils_cache_id_set ||
7eace378
JM		 4250 os_memcmp(a->conf.fils_cache_id, data->cache_id,
4251 FILS_CACHE_ID_LEN) != 0)
4252 return 0;
4253 data->pmksa = pmksa_cache_auth_get(a->pmksa, data->spa, data->pmkid);
4254 return data->pmksa != NULL;
4255}
4256
4257
4258struct rsn_pmksa_cache_entry *
4259wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
4260 const u8 *sta_addr, const u8 *pmkid)
4261{
4262 struct wpa_auth_fils_iter_data idata;
4263
4264 if (!wpa_auth->conf.fils_cache_id_set)
4265 return NULL;
4266 idata.auth = wpa_auth;
4267 idata.cache_id = wpa_auth->conf.fils_cache_id;
4268 idata.pmksa = NULL;
4269 idata.spa = sta_addr;
4270 idata.pmkid = pmkid;
4271 wpa_auth_for_each_auth(wpa_auth, wpa_auth_fils_iter, &idata);
4272 return idata.pmksa;
4273}
4274
5db997e3
JM		 4275
4276#ifdef CONFIG_IEEE80211R_AP
4277int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len)
4278{
4279 struct wpa_auth_config *conf = &wpa_auth->conf;
4280
4281 return wpa_write_ftie(conf, conf->r0_key_holder,
4282 conf->r0_key_holder_len,
4283 NULL, NULL, buf, len, NULL, 0);
4284}
4285#endif /* CONFIG_IEEE80211R_AP */
4286
7eace378 4287#endif /* CONFIG_FILS */
Unnamed repository; edit this file 'description' to name the repository.