Home | History | Annotate | Download | only in ap
      1 /*
      2  * IEEE 802.11 RSN / WPA Authenticator
      3  * Copyright (c) 2004-2011, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "utils/includes.h"
     10 
     11 #include "utils/common.h"
     12 #include "utils/eloop.h"
     13 #include "utils/state_machine.h"
     14 #include "common/ieee802_11_defs.h"
     15 #include "crypto/aes_wrap.h"
     16 #include "crypto/crypto.h"
     17 #include "crypto/sha1.h"
     18 #include "crypto/sha256.h"
     19 #include "crypto/random.h"
     20 #include "eapol_auth/eapol_auth_sm.h"
     21 #include "ap_config.h"
     22 #include "ieee802_11.h"
     23 #include "wpa_auth.h"
     24 #include "pmksa_cache_auth.h"
     25 #include "wpa_auth_i.h"
     26 #include "wpa_auth_ie.h"
     27 
     28 #define STATE_MACHINE_DATA struct wpa_state_machine
     29 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
     30 #define STATE_MACHINE_ADDR sm->addr
     31 
     32 
     33 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
     34 static int wpa_sm_step(struct wpa_state_machine *sm);
     35 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len);
     36 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
     37 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
     38 			      struct wpa_group *group);
     39 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
     40 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
     41 			  struct wpa_group *group);
     42 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
     43 				       struct wpa_group *group);
     44 
     45 static const u32 dot11RSNAConfigGroupUpdateCount = 4;
     46 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
     47 static const u32 eapol_key_timeout_first = 100; /* ms */
     48 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
     49 static const u32 eapol_key_timeout_first_group = 500; /* ms */
     50 
     51 /* TODO: make these configurable */
     52 static const int dot11RSNAConfigPMKLifetime = 43200;
     53 static const int dot11RSNAConfigPMKReauthThreshold = 70;
     54 static const int dot11RSNAConfigSATimeout = 60;
     55 
     56 
     57 static inline void wpa_auth_mic_failure_report(
     58 	struct wpa_authenticator *wpa_auth, const u8 *addr)
     59 {
     60 	if (wpa_auth->cb.mic_failure_report)
     61 		wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
     62 }
     63 
     64 
     65 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
     66 				      const u8 *addr, wpa_eapol_variable var,
     67 				      int value)
     68 {
     69 	if (wpa_auth->cb.set_eapol)
     70 		wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
     71 }
     72 
     73 
     74 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
     75 				     const u8 *addr, wpa_eapol_variable var)
     76 {
     77 	if (wpa_auth->cb.get_eapol == NULL)
     78 		return -1;
     79 	return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
     80 }
     81 
     82 
     83 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
     84 					  const u8 *addr, const u8 *prev_psk)
     85 {
     86 	if (wpa_auth->cb.get_psk == NULL)
     87 		return NULL;
     88 	return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, prev_psk);
     89 }
     90 
     91 
     92 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
     93 				   const u8 *addr, u8 *msk, size_t *len)
     94 {
     95 	if (wpa_auth->cb.get_msk == NULL)
     96 		return -1;
     97 	return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
     98 }
     99 
    100 
    101 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
    102 				   int vlan_id,
    103 				   enum wpa_alg alg, const u8 *addr, int idx,
    104 				   u8 *key, size_t key_len)
    105 {
    106 	if (wpa_auth->cb.set_key == NULL)
    107 		return -1;
    108 	return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
    109 				    key, key_len);
    110 }
    111 
    112 
    113 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
    114 				      const u8 *addr, int idx, u8 *seq)
    115 {
    116 	if (wpa_auth->cb.get_seqnum == NULL)
    117 		return -1;
    118 	return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
    119 }
    120 
    121 
    122 static inline int
    123 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
    124 		    const u8 *data, size_t data_len, int encrypt)
    125 {
    126 	if (wpa_auth->cb.send_eapol == NULL)
    127 		return -1;
    128 	return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
    129 				       encrypt);
    130 }
    131 
    132 
    133 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
    134 			  int (*cb)(struct wpa_state_machine *sm, void *ctx),
    135 			  void *cb_ctx)
    136 {
    137 	if (wpa_auth->cb.for_each_sta == NULL)
    138 		return 0;
    139 	return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
    140 }
    141 
    142 
    143 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
    144 			   int (*cb)(struct wpa_authenticator *a, void *ctx),
    145 			   void *cb_ctx)
    146 {
    147 	if (wpa_auth->cb.for_each_auth == NULL)
    148 		return 0;
    149 	return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
    150 }
    151 
    152 
    153 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
    154 		     logger_level level, const char *txt)
    155 {
    156 	if (wpa_auth->cb.logger == NULL)
    157 		return;
    158 	wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
    159 }
    160 
    161 
    162 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
    163 		      logger_level level, const char *fmt, ...)
    164 {
    165 	char *format;
    166 	int maxlen;
    167 	va_list ap;
    168 
    169 	if (wpa_auth->cb.logger == NULL)
    170 		return;
    171 
    172 	maxlen = os_strlen(fmt) + 100;
    173 	format = os_malloc(maxlen);
    174 	if (!format)
    175 		return;
    176 
    177 	va_start(ap, fmt);
    178 	vsnprintf(format, maxlen, fmt, ap);
    179 	va_end(ap);
    180 
    181 	wpa_auth_logger(wpa_auth, addr, level, format);
    182 
    183 	os_free(format);
    184 }
    185 
    186 
    187 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
    188 			       const u8 *addr)
    189 {
    190 	if (wpa_auth->cb.disconnect == NULL)
    191 		return;
    192 	wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
    193 	wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
    194 				WLAN_REASON_PREV_AUTH_NOT_VALID);
    195 }
    196 
    197 
    198 static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
    199 {
    200 	int ret = 0;
    201 #ifdef CONFIG_IEEE80211R
    202 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
    203 		ret = 1;
    204 #endif /* CONFIG_IEEE80211R */
    205 #ifdef CONFIG_IEEE80211W
    206 	if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
    207 		ret = 1;
    208 #endif /* CONFIG_IEEE80211W */
    209 	return ret;
    210 }
    211 
    212 
    213 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
    214 {
    215 	struct wpa_authenticator *wpa_auth = eloop_ctx;
    216 
    217 	if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
    218 		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
    219 			   "initialization.");
    220 	} else {
    221 		wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
    222 		wpa_hexdump_key(MSG_DEBUG, "GMK",
    223 				wpa_auth->group->GMK, WPA_GMK_LEN);
    224 	}
    225 
    226 	if (wpa_auth->conf.wpa_gmk_rekey) {
    227 		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
    228 				       wpa_rekey_gmk, wpa_auth, NULL);
    229 	}
    230 }
    231 
    232 
    233 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
    234 {
    235 	struct wpa_authenticator *wpa_auth = eloop_ctx;
    236 	struct wpa_group *group;
    237 
    238 	wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
    239 	for (group = wpa_auth->group; group; group = group->next) {
    240 		group->GTKReKey = TRUE;
    241 		do {
    242 			group->changed = FALSE;
    243 			wpa_group_sm_step(wpa_auth, group);
    244 		} while (group->changed);
    245 	}
    246 
    247 	if (wpa_auth->conf.wpa_group_rekey) {
    248 		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
    249 				       0, wpa_rekey_gtk, wpa_auth, NULL);
    250 	}
    251 }
    252 
    253 
    254 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
    255 {
    256 	struct wpa_authenticator *wpa_auth = eloop_ctx;
    257 	struct wpa_state_machine *sm = timeout_ctx;
    258 
    259 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
    260 	wpa_request_new_ptk(sm);
    261 	wpa_sm_step(sm);
    262 }
    263 
    264 
    265 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
    266 {
    267 	if (sm->pmksa == ctx)
    268 		sm->pmksa = NULL;
    269 	return 0;
    270 }
    271 
    272 
    273 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
    274 				   void *ctx)
    275 {
    276 	struct wpa_authenticator *wpa_auth = ctx;
    277 	wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
    278 }
    279 
    280 
    281 static void wpa_group_set_key_len(struct wpa_group *group, int cipher)
    282 {
    283 	switch (cipher) {
    284 	case WPA_CIPHER_CCMP:
    285 		group->GTK_len = 16;
    286 		break;
    287 	case WPA_CIPHER_TKIP:
    288 		group->GTK_len = 32;
    289 		break;
    290 	case WPA_CIPHER_WEP104:
    291 		group->GTK_len = 13;
    292 		break;
    293 	case WPA_CIPHER_WEP40:
    294 		group->GTK_len = 5;
    295 		break;
    296 	}
    297 }
    298 
    299 
    300 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
    301 					  struct wpa_group *group)
    302 {
    303 	u8 buf[ETH_ALEN + 8 + sizeof(group)];
    304 	u8 rkey[32];
    305 
    306 	if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
    307 		return -1;
    308 	wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
    309 
    310 	/*
    311 	 * Counter = PRF-256(Random number, "Init Counter",
    312 	 *                   Local MAC Address || Time)
    313 	 */
    314 	os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
    315 	wpa_get_ntp_timestamp(buf + ETH_ALEN);
    316 	os_memcpy(buf + ETH_ALEN + 8, &group, sizeof(group));
    317 	if (random_get_bytes(rkey, sizeof(rkey)) < 0)
    318 		return -1;
    319 
    320 	if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
    321 		     group->Counter, WPA_NONCE_LEN) < 0)
    322 		return -1;
    323 	wpa_hexdump_key(MSG_DEBUG, "Key Counter",
    324 			group->Counter, WPA_NONCE_LEN);
    325 
    326 	return 0;
    327 }
    328 
    329 
    330 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
    331 					 int vlan_id, int delay_init)
    332 {
    333 	struct wpa_group *group;
    334 
    335 	group = os_zalloc(sizeof(struct wpa_group));
    336 	if (group == NULL)
    337 		return NULL;
    338 
    339 	group->GTKAuthenticator = TRUE;
    340 	group->vlan_id = vlan_id;
    341 
    342 	wpa_group_set_key_len(group, wpa_auth->conf.wpa_group);
    343 
    344 	if (random_pool_ready() != 1) {
    345 		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
    346 			   "for secure operations - update keys later when "
    347 			   "the first station connects");
    348 	}
    349 
    350 	/*
    351 	 * Set initial GMK/Counter value here. The actual values that will be
    352 	 * used in negotiations will be set once the first station tries to
    353 	 * connect. This allows more time for collecting additional randomness
    354 	 * on embedded devices.
    355 	 */
    356 	if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
    357 		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
    358 			   "initialization.");
    359 		os_free(group);
    360 		return NULL;
    361 	}
    362 
    363 	group->GInit = TRUE;
    364 	if (delay_init) {
    365 		wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
    366 			   "until Beacon frames have been configured");
    367 		/* Initialization is completed in wpa_init_keys(). */
    368 	} else {
    369 		wpa_group_sm_step(wpa_auth, group);
    370 		group->GInit = FALSE;
    371 		wpa_group_sm_step(wpa_auth, group);
    372 	}
    373 
    374 	return group;
    375 }
    376 
    377 
    378 /**
    379  * wpa_init - Initialize WPA authenticator
    380  * @addr: Authenticator address
    381  * @conf: Configuration for WPA authenticator
    382  * @cb: Callback functions for WPA authenticator
    383  * Returns: Pointer to WPA authenticator data or %NULL on failure
    384  */
    385 struct wpa_authenticator * wpa_init(const u8 *addr,
    386 				    struct wpa_auth_config *conf,
    387 				    struct wpa_auth_callbacks *cb)
    388 {
    389 	struct wpa_authenticator *wpa_auth;
    390 
    391 	wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
    392 	if (wpa_auth == NULL)
    393 		return NULL;
    394 	os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
    395 	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
    396 	os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
    397 
    398 	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
    399 		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
    400 		os_free(wpa_auth);
    401 		return NULL;
    402 	}
    403 
    404 	wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
    405 	if (wpa_auth->group == NULL) {
    406 		os_free(wpa_auth->wpa_ie);
    407 		os_free(wpa_auth);
    408 		return NULL;
    409 	}
    410 
    411 	wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
    412 						wpa_auth);
    413 	if (wpa_auth->pmksa == NULL) {
    414 		wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
    415 		os_free(wpa_auth->wpa_ie);
    416 		os_free(wpa_auth);
    417 		return NULL;
    418 	}
    419 
    420 #ifdef CONFIG_IEEE80211R
    421 	wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
    422 	if (wpa_auth->ft_pmk_cache == NULL) {
    423 		wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
    424 		os_free(wpa_auth->wpa_ie);
    425 		pmksa_cache_auth_deinit(wpa_auth->pmksa);
    426 		os_free(wpa_auth);
    427 		return NULL;
    428 	}
    429 #endif /* CONFIG_IEEE80211R */
    430 
    431 	if (wpa_auth->conf.wpa_gmk_rekey) {
    432 		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
    433 				       wpa_rekey_gmk, wpa_auth, NULL);
    434 	}
    435 
    436 	if (wpa_auth->conf.wpa_group_rekey) {
    437 		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
    438 				       wpa_rekey_gtk, wpa_auth, NULL);
    439 	}
    440 
    441 	return wpa_auth;
    442 }
    443 
    444 
    445 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
    446 {
    447 	struct wpa_group *group = wpa_auth->group;
    448 
    449 	wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
    450 		   "keys");
    451 	wpa_group_sm_step(wpa_auth, group);
    452 	group->GInit = FALSE;
    453 	wpa_group_sm_step(wpa_auth, group);
    454 	return 0;
    455 }
    456 
    457 
    458 /**
    459  * wpa_deinit - Deinitialize WPA authenticator
    460  * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
    461  */
    462 void wpa_deinit(struct wpa_authenticator *wpa_auth)
    463 {
    464 	struct wpa_group *group, *prev;
    465 
    466 	eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
    467 	eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
    468 
    469 #ifdef CONFIG_PEERKEY
    470 	while (wpa_auth->stsl_negotiations)
    471 		wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
    472 #endif /* CONFIG_PEERKEY */
    473 
    474 	pmksa_cache_auth_deinit(wpa_auth->pmksa);
    475 
    476 #ifdef CONFIG_IEEE80211R
    477 	wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
    478 	wpa_auth->ft_pmk_cache = NULL;
    479 #endif /* CONFIG_IEEE80211R */
    480 
    481 	os_free(wpa_auth->wpa_ie);
    482 
    483 	group = wpa_auth->group;
    484 	while (group) {
    485 		prev = group;
    486 		group = group->next;
    487 		os_free(prev);
    488 	}
    489 
    490 	os_free(wpa_auth);
    491 }
    492 
    493 
    494 /**
    495  * wpa_reconfig - Update WPA authenticator configuration
    496  * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
    497  * @conf: Configuration for WPA authenticator
    498  */
    499 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
    500 		 struct wpa_auth_config *conf)
    501 {
    502 	struct wpa_group *group;
    503 	if (wpa_auth == NULL)
    504 		return 0;
    505 
    506 	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
    507 	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
    508 		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
    509 		return -1;
    510 	}
    511 
    512 	/*
    513 	 * Reinitialize GTK to make sure it is suitable for the new
    514 	 * configuration.
    515 	 */
    516 	group = wpa_auth->group;
    517 	wpa_group_set_key_len(group, wpa_auth->conf.wpa_group);
    518 	group->GInit = TRUE;
    519 	wpa_group_sm_step(wpa_auth, group);
    520 	group->GInit = FALSE;
    521 	wpa_group_sm_step(wpa_auth, group);
    522 
    523 	return 0;
    524 }
    525 
    526 
    527 struct wpa_state_machine *
    528 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr)
    529 {
    530 	struct wpa_state_machine *sm;
    531 
    532 	sm = os_zalloc(sizeof(struct wpa_state_machine));
    533 	if (sm == NULL)
    534 		return NULL;
    535 	os_memcpy(sm->addr, addr, ETH_ALEN);
    536 
    537 	sm->wpa_auth = wpa_auth;
    538 	sm->group = wpa_auth->group;
    539 
    540 	return sm;
    541 }
    542 
    543 
    544 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
    545 			    struct wpa_state_machine *sm)
    546 {
    547 	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
    548 		return -1;
    549 
    550 #ifdef CONFIG_IEEE80211R
    551 	if (sm->ft_completed) {
    552 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
    553 				"FT authentication already completed - do not "
    554 				"start 4-way handshake");
    555 		return 0;
    556 	}
    557 #endif /* CONFIG_IEEE80211R */
    558 
    559 	if (sm->started) {
    560 		os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
    561 		sm->ReAuthenticationRequest = TRUE;
    562 		return wpa_sm_step(sm);
    563 	}
    564 
    565 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
    566 			"start authentication");
    567 	sm->started = 1;
    568 
    569 	sm->Init = TRUE;
    570 	if (wpa_sm_step(sm) == 1)
    571 		return 1; /* should not really happen */
    572 	sm->Init = FALSE;
    573 	sm->AuthenticationRequest = TRUE;
    574 	return wpa_sm_step(sm);
    575 }
    576 
    577 
    578 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
    579 {
    580 	/* WPA/RSN was not used - clear WPA state. This is needed if the STA
    581 	 * reassociates back to the same AP while the previous entry for the
    582 	 * STA has not yet been removed. */
    583 	if (sm == NULL)
    584 		return;
    585 
    586 	sm->wpa_key_mgmt = 0;
    587 }
    588 
    589 
    590 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
    591 {
    592 	if (sm->GUpdateStationKeys) {
    593 		sm->group->GKeyDoneStations--;
    594 		sm->GUpdateStationKeys = FALSE;
    595 	}
    596 #ifdef CONFIG_IEEE80211R
    597 	os_free(sm->assoc_resp_ftie);
    598 #endif /* CONFIG_IEEE80211R */
    599 	os_free(sm->last_rx_eapol_key);
    600 	os_free(sm->wpa_ie);
    601 	os_free(sm);
    602 }
    603 
    604 
    605 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
    606 {
    607 	if (sm == NULL)
    608 		return;
    609 
    610 	if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
    611 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
    612 				"strict rekeying - force GTK rekey since STA "
    613 				"is leaving");
    614 		eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
    615 		eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
    616 				       NULL);
    617 	}
    618 
    619 	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
    620 	sm->pending_1_of_4_timeout = 0;
    621 	eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
    622 	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
    623 	if (sm->in_step_loop) {
    624 		/* Must not free state machine while wpa_sm_step() is running.
    625 		 * Freeing will be completed in the end of wpa_sm_step(). */
    626 		wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
    627 			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
    628 		sm->pending_deinit = 1;
    629 	} else
    630 		wpa_free_sta_sm(sm);
    631 }
    632 
    633 
    634 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
    635 {
    636 	if (sm == NULL)
    637 		return;
    638 
    639 	sm->PTKRequest = TRUE;
    640 	sm->PTK_valid = 0;
    641 }
    642 
    643 
    644 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
    645 				    const u8 *replay_counter)
    646 {
    647 	int i;
    648 	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
    649 		if (!ctr[i].valid)
    650 			break;
    651 		if (os_memcmp(replay_counter, ctr[i].counter,
    652 			      WPA_REPLAY_COUNTER_LEN) == 0)
    653 			return 1;
    654 	}
    655 	return 0;
    656 }
    657 
    658 
    659 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
    660 					    const u8 *replay_counter)
    661 {
    662 	int i;
    663 	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
    664 		if (ctr[i].valid &&
    665 		    (replay_counter == NULL ||
    666 		     os_memcmp(replay_counter, ctr[i].counter,
    667 			       WPA_REPLAY_COUNTER_LEN) == 0))
    668 			ctr[i].valid = FALSE;
    669 	}
    670 }
    671 
    672 
    673 #ifdef CONFIG_IEEE80211R
    674 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
    675 			       struct wpa_state_machine *sm,
    676 			       struct wpa_eapol_ie_parse *kde)
    677 {
    678 	struct wpa_ie_data ie;
    679 	struct rsn_mdie *mdie;
    680 
    681 	if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
    682 	    ie.num_pmkid != 1 || ie.pmkid == NULL) {
    683 		wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
    684 			   "FT 4-way handshake message 2/4");
    685 		return -1;
    686 	}
    687 
    688 	os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
    689 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
    690 		    sm->sup_pmk_r1_name, PMKID_LEN);
    691 
    692 	if (!kde->mdie || !kde->ftie) {
    693 		wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
    694 			   "message 2/4", kde->mdie ? "FTIE" : "MDIE");
    695 		return -1;
    696 	}
    697 
    698 	mdie = (struct rsn_mdie *) (kde->mdie + 2);
    699 	if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
    700 	    os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
    701 		      MOBILITY_DOMAIN_ID_LEN) != 0) {
    702 		wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
    703 		return -1;
    704 	}
    705 
    706 	if (sm->assoc_resp_ftie &&
    707 	    (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
    708 	     os_memcmp(kde->ftie, sm->assoc_resp_ftie,
    709 		       2 + sm->assoc_resp_ftie[1]) != 0)) {
    710 		wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
    711 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
    712 			    kde->ftie, kde->ftie_len);
    713 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
    714 			    sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
    715 		return -1;
    716 	}
    717 
    718 	return 0;
    719 }
    720 #endif /* CONFIG_IEEE80211R */
    721 
    722 
    723 static void wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
    724 				     struct wpa_state_machine *sm, int group)
    725 {
    726 	/* Supplicant reported a Michael MIC error */
    727 	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
    728 			 "received EAPOL-Key Error Request "
    729 			 "(STA detected Michael MIC failure (group=%d))",
    730 			 group);
    731 
    732 	if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
    733 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
    734 				"ignore Michael MIC failure report since "
    735 				"group cipher is not TKIP");
    736 	} else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
    737 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
    738 				"ignore Michael MIC failure report since "
    739 				"pairwise cipher is not TKIP");
    740 	} else {
    741 		wpa_auth_mic_failure_report(wpa_auth, sm->addr);
    742 		sm->dot11RSNAStatsTKIPRemoteMICFailures++;
    743 		wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
    744 	}
    745 
    746 	/*
    747 	 * Error report is not a request for a new key handshake, but since
    748 	 * Authenticator may do it, let's change the keys now anyway.
    749 	 */
    750 	wpa_request_new_ptk(sm);
    751 }
    752 
    753 
    754 void wpa_receive(struct wpa_authenticator *wpa_auth,
    755 		 struct wpa_state_machine *sm,
    756 		 u8 *data, size_t data_len)
    757 {
    758 	struct ieee802_1x_hdr *hdr;
    759 	struct wpa_eapol_key *key;
    760 	u16 key_info, key_data_length;
    761 	enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
    762 	       SMK_M1, SMK_M3, SMK_ERROR } msg;
    763 	char *msgtxt;
    764 	struct wpa_eapol_ie_parse kde;
    765 	int ft;
    766 	const u8 *eapol_key_ie;
    767 	size_t eapol_key_ie_len;
    768 
    769 	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
    770 		return;
    771 
    772 	if (data_len < sizeof(*hdr) + sizeof(*key))
    773 		return;
    774 
    775 	hdr = (struct ieee802_1x_hdr *) data;
    776 	key = (struct wpa_eapol_key *) (hdr + 1);
    777 	key_info = WPA_GET_BE16(key->key_info);
    778 	key_data_length = WPA_GET_BE16(key->key_data_length);
    779 	wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
    780 		   " key_info=0x%x type=%u key_data_length=%u",
    781 		   MAC2STR(sm->addr), key_info, key->type, key_data_length);
    782 	if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
    783 		wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
    784 			   "key_data overflow (%d > %lu)",
    785 			   key_data_length,
    786 			   (unsigned long) (data_len - sizeof(*hdr) -
    787 					    sizeof(*key)));
    788 		return;
    789 	}
    790 
    791 	if (sm->wpa == WPA_VERSION_WPA2) {
    792 		if (key->type == EAPOL_KEY_TYPE_WPA) {
    793 			/*
    794 			 * Some deployed station implementations seem to send
    795 			 * msg 4/4 with incorrect type value in WPA2 mode.
    796 			 */
    797 			wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
    798 				   "with unexpected WPA type in RSN mode");
    799 		} else if (key->type != EAPOL_KEY_TYPE_RSN) {
    800 			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
    801 				   "unexpected type %d in RSN mode",
    802 				   key->type);
    803 			return;
    804 		}
    805 	} else {
    806 		if (key->type != EAPOL_KEY_TYPE_WPA) {
    807 			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
    808 				   "unexpected type %d in WPA mode",
    809 				   key->type);
    810 			return;
    811 		}
    812 	}
    813 
    814 	wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
    815 		    WPA_NONCE_LEN);
    816 	wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
    817 		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
    818 
    819 	/* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
    820 	 * are set */
    821 
    822 	if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
    823 	    (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
    824 		if (key_info & WPA_KEY_INFO_ERROR) {
    825 			msg = SMK_ERROR;
    826 			msgtxt = "SMK Error";
    827 		} else {
    828 			msg = SMK_M1;
    829 			msgtxt = "SMK M1";
    830 		}
    831 	} else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
    832 		msg = SMK_M3;
    833 		msgtxt = "SMK M3";
    834 	} else if (key_info & WPA_KEY_INFO_REQUEST) {
    835 		msg = REQUEST;
    836 		msgtxt = "Request";
    837 	} else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
    838 		msg = GROUP_2;
    839 		msgtxt = "2/2 Group";
    840 	} else if (key_data_length == 0) {
    841 		msg = PAIRWISE_4;
    842 		msgtxt = "4/4 Pairwise";
    843 	} else {
    844 		msg = PAIRWISE_2;
    845 		msgtxt = "2/4 Pairwise";
    846 	}
    847 
    848 	/* TODO: key_info type validation for PeerKey */
    849 	if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
    850 	    msg == GROUP_2) {
    851 		u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
    852 		if (sm->pairwise == WPA_CIPHER_CCMP) {
    853 			if (wpa_use_aes_cmac(sm) &&
    854 			    ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
    855 				wpa_auth_logger(wpa_auth, sm->addr,
    856 						LOGGER_WARNING,
    857 						"advertised support for "
    858 						"AES-128-CMAC, but did not "
    859 						"use it");
    860 				return;
    861 			}
    862 
    863 			if (!wpa_use_aes_cmac(sm) &&
    864 			    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
    865 				wpa_auth_logger(wpa_auth, sm->addr,
    866 						LOGGER_WARNING,
    867 						"did not use HMAC-SHA1-AES "
    868 						"with CCMP");
    869 				return;
    870 			}
    871 		}
    872 	}
    873 
    874 	if (key_info & WPA_KEY_INFO_REQUEST) {
    875 		if (sm->req_replay_counter_used &&
    876 		    os_memcmp(key->replay_counter, sm->req_replay_counter,
    877 			      WPA_REPLAY_COUNTER_LEN) <= 0) {
    878 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
    879 					"received EAPOL-Key request with "
    880 					"replayed counter");
    881 			return;
    882 		}
    883 	}
    884 
    885 	if (!(key_info & WPA_KEY_INFO_REQUEST) &&
    886 	    !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
    887 		int i;
    888 
    889 		if (msg == PAIRWISE_2 &&
    890 		    wpa_replay_counter_valid(sm->prev_key_replay,
    891 					     key->replay_counter) &&
    892 		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
    893 		    os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
    894 		{
    895 			/*
    896 			 * Some supplicant implementations (e.g., Windows XP
    897 			 * WZC) update SNonce for each EAPOL-Key 2/4. This
    898 			 * breaks the workaround on accepting any of the
    899 			 * pending requests, so allow the SNonce to be updated
    900 			 * even if we have already sent out EAPOL-Key 3/4.
    901 			 */
    902 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
    903 					 "Process SNonce update from STA "
    904 					 "based on retransmitted EAPOL-Key "
    905 					 "1/4");
    906 			sm->update_snonce = 1;
    907 			wpa_replay_counter_mark_invalid(sm->prev_key_replay,
    908 							key->replay_counter);
    909 			goto continue_processing;
    910 		}
    911 
    912 		if (msg == PAIRWISE_2 &&
    913 		    wpa_replay_counter_valid(sm->prev_key_replay,
    914 					     key->replay_counter) &&
    915 		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
    916 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
    917 					 "ignore retransmitted EAPOL-Key %s - "
    918 					 "SNonce did not change", msgtxt);
    919 		} else {
    920 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
    921 					 "received EAPOL-Key %s with "
    922 					 "unexpected replay counter", msgtxt);
    923 		}
    924 		for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
    925 			if (!sm->key_replay[i].valid)
    926 				break;
    927 			wpa_hexdump(MSG_DEBUG, "pending replay counter",
    928 				    sm->key_replay[i].counter,
    929 				    WPA_REPLAY_COUNTER_LEN);
    930 		}
    931 		wpa_hexdump(MSG_DEBUG, "received replay counter",
    932 			    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
    933 		return;
    934 	}
    935 
    936 continue_processing:
    937 	switch (msg) {
    938 	case PAIRWISE_2:
    939 		if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
    940 		    sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
    941 		    (!sm->update_snonce ||
    942 		     sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
    943 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
    944 					 "received EAPOL-Key msg 2/4 in "
    945 					 "invalid state (%d) - dropped",
    946 					 sm->wpa_ptk_state);
    947 			return;
    948 		}
    949 		random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
    950 		if (sm->group->reject_4way_hs_for_entropy) {
    951 			/*
    952 			 * The system did not have enough entropy to generate
    953 			 * strong random numbers. Reject the first 4-way
    954 			 * handshake(s) and collect some entropy based on the
    955 			 * information from it. Once enough entropy is
    956 			 * available, the next atempt will trigger GMK/Key
    957 			 * Counter update and the station will be allowed to
    958 			 * continue.
    959 			 */
    960 			wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
    961 				   "collect more entropy for random number "
    962 				   "generation");
    963 			random_mark_pool_ready();
    964 			wpa_sta_disconnect(wpa_auth, sm->addr);
    965 			return;
    966 		}
    967 		if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length,
    968 				      &kde) < 0) {
    969 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
    970 					 "received EAPOL-Key msg 2/4 with "
    971 					 "invalid Key Data contents");
    972 			return;
    973 		}
    974 		if (kde.rsn_ie) {
    975 			eapol_key_ie = kde.rsn_ie;
    976 			eapol_key_ie_len = kde.rsn_ie_len;
    977 		} else {
    978 			eapol_key_ie = kde.wpa_ie;
    979 			eapol_key_ie_len = kde.wpa_ie_len;
    980 		}
    981 		ft = sm->wpa == WPA_VERSION_WPA2 &&
    982 			wpa_key_mgmt_ft(sm->wpa_key_mgmt);
    983 		if (sm->wpa_ie == NULL ||
    984 		    wpa_compare_rsn_ie(ft,
    985 				       sm->wpa_ie, sm->wpa_ie_len,
    986 				       eapol_key_ie, eapol_key_ie_len)) {
    987 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
    988 					"WPA IE from (Re)AssocReq did not "
    989 					"match with msg 2/4");
    990 			if (sm->wpa_ie) {
    991 				wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
    992 					    sm->wpa_ie, sm->wpa_ie_len);
    993 			}
    994 			wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
    995 				    eapol_key_ie, eapol_key_ie_len);
    996 			/* MLME-DEAUTHENTICATE.request */
    997 			wpa_sta_disconnect(wpa_auth, sm->addr);
    998 			return;
    999 		}
   1000 #ifdef CONFIG_IEEE80211R
   1001 		if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
   1002 			wpa_sta_disconnect(wpa_auth, sm->addr);
   1003 			return;
   1004 		}
   1005 #endif /* CONFIG_IEEE80211R */
   1006 		break;
   1007 	case PAIRWISE_4:
   1008 		if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
   1009 		    !sm->PTK_valid) {
   1010 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
   1011 					 "received EAPOL-Key msg 4/4 in "
   1012 					 "invalid state (%d) - dropped",
   1013 					 sm->wpa_ptk_state);
   1014 			return;
   1015 		}
   1016 		break;
   1017 	case GROUP_2:
   1018 		if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
   1019 		    || !sm->PTK_valid) {
   1020 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
   1021 					 "received EAPOL-Key msg 2/2 in "
   1022 					 "invalid state (%d) - dropped",
   1023 					 sm->wpa_ptk_group_state);
   1024 			return;
   1025 		}
   1026 		break;
   1027 #ifdef CONFIG_PEERKEY
   1028 	case SMK_M1:
   1029 	case SMK_M3:
   1030 	case SMK_ERROR:
   1031 		if (!wpa_auth->conf.peerkey) {
   1032 			wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
   1033 				   "PeerKey use disabled - ignoring message");
   1034 			return;
   1035 		}
   1036 		if (!sm->PTK_valid) {
   1037 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1038 					"received EAPOL-Key msg SMK in "
   1039 					"invalid state - dropped");
   1040 			return;
   1041 		}
   1042 		break;
   1043 #else /* CONFIG_PEERKEY */
   1044 	case SMK_M1:
   1045 	case SMK_M3:
   1046 	case SMK_ERROR:
   1047 		return; /* STSL disabled - ignore SMK messages */
   1048 #endif /* CONFIG_PEERKEY */
   1049 	case REQUEST:
   1050 		break;
   1051 	}
   1052 
   1053 	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
   1054 			 "received EAPOL-Key frame (%s)", msgtxt);
   1055 
   1056 	if (key_info & WPA_KEY_INFO_ACK) {
   1057 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1058 				"received invalid EAPOL-Key: Key Ack set");
   1059 		return;
   1060 	}
   1061 
   1062 	if (!(key_info & WPA_KEY_INFO_MIC)) {
   1063 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1064 				"received invalid EAPOL-Key: Key MIC not set");
   1065 		return;
   1066 	}
   1067 
   1068 	sm->MICVerified = FALSE;
   1069 	if (sm->PTK_valid && !sm->update_snonce) {
   1070 		if (wpa_verify_key_mic(&sm->PTK, data, data_len)) {
   1071 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1072 					"received EAPOL-Key with invalid MIC");
   1073 			return;
   1074 		}
   1075 		sm->MICVerified = TRUE;
   1076 		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
   1077 		sm->pending_1_of_4_timeout = 0;
   1078 	}
   1079 
   1080 	if (key_info & WPA_KEY_INFO_REQUEST) {
   1081 		if (sm->MICVerified) {
   1082 			sm->req_replay_counter_used = 1;
   1083 			os_memcpy(sm->req_replay_counter, key->replay_counter,
   1084 				  WPA_REPLAY_COUNTER_LEN);
   1085 		} else {
   1086 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1087 					"received EAPOL-Key request with "
   1088 					"invalid MIC");
   1089 			return;
   1090 		}
   1091 
   1092 		/*
   1093 		 * TODO: should decrypt key data field if encryption was used;
   1094 		 * even though MAC address KDE is not normally encrypted,
   1095 		 * supplicant is allowed to encrypt it.
   1096 		 */
   1097 		if (msg == SMK_ERROR) {
   1098 #ifdef CONFIG_PEERKEY
   1099 			wpa_smk_error(wpa_auth, sm, key);
   1100 #endif /* CONFIG_PEERKEY */
   1101 			return;
   1102 		} else if (key_info & WPA_KEY_INFO_ERROR) {
   1103 			wpa_receive_error_report(
   1104 				wpa_auth, sm,
   1105 				!(key_info & WPA_KEY_INFO_KEY_TYPE));
   1106 		} else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
   1107 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1108 					"received EAPOL-Key Request for new "
   1109 					"4-Way Handshake");
   1110 			wpa_request_new_ptk(sm);
   1111 #ifdef CONFIG_PEERKEY
   1112 		} else if (msg == SMK_M1) {
   1113 			wpa_smk_m1(wpa_auth, sm, key);
   1114 #endif /* CONFIG_PEERKEY */
   1115 		} else if (key_data_length > 0 &&
   1116 			   wpa_parse_kde_ies((const u8 *) (key + 1),
   1117 					     key_data_length, &kde) == 0 &&
   1118 			   kde.mac_addr) {
   1119 		} else {
   1120 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1121 					"received EAPOL-Key Request for GTK "
   1122 					"rekeying");
   1123 			eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
   1124 			wpa_rekey_gtk(wpa_auth, NULL);
   1125 		}
   1126 	} else {
   1127 		/* Do not allow the same key replay counter to be reused. */
   1128 		wpa_replay_counter_mark_invalid(sm->key_replay,
   1129 						key->replay_counter);
   1130 
   1131 		if (msg == PAIRWISE_2) {
   1132 			/*
   1133 			 * Maintain a copy of the pending EAPOL-Key frames in
   1134 			 * case the EAPOL-Key frame was retransmitted. This is
   1135 			 * needed to allow EAPOL-Key msg 2/4 reply to another
   1136 			 * pending msg 1/4 to update the SNonce to work around
   1137 			 * unexpected supplicant behavior.
   1138 			 */
   1139 			os_memcpy(sm->prev_key_replay, sm->key_replay,
   1140 				  sizeof(sm->key_replay));
   1141 		} else {
   1142 			os_memset(sm->prev_key_replay, 0,
   1143 				  sizeof(sm->prev_key_replay));
   1144 		}
   1145 
   1146 		/*
   1147 		 * Make sure old valid counters are not accepted anymore and
   1148 		 * do not get copied again.
   1149 		 */
   1150 		wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
   1151 	}
   1152 
   1153 #ifdef CONFIG_PEERKEY
   1154 	if (msg == SMK_M3) {
   1155 		wpa_smk_m3(wpa_auth, sm, key);
   1156 		return;
   1157 	}
   1158 #endif /* CONFIG_PEERKEY */
   1159 
   1160 	os_free(sm->last_rx_eapol_key);
   1161 	sm->last_rx_eapol_key = os_malloc(data_len);
   1162 	if (sm->last_rx_eapol_key == NULL)
   1163 		return;
   1164 	os_memcpy(sm->last_rx_eapol_key, data, data_len);
   1165 	sm->last_rx_eapol_key_len = data_len;
   1166 
   1167 	sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
   1168 	sm->EAPOLKeyReceived = TRUE;
   1169 	sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
   1170 	sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
   1171 	os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
   1172 	wpa_sm_step(sm);
   1173 }
   1174 
   1175 
   1176 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
   1177 			  const u8 *gnonce, u8 *gtk, size_t gtk_len)
   1178 {
   1179 	u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
   1180 	u8 *pos;
   1181 	int ret = 0;
   1182 
   1183 	/* GTK = PRF-X(GMK, "Group key expansion",
   1184 	 *	AA || GNonce || Time || random data)
   1185 	 * The example described in the IEEE 802.11 standard uses only AA and
   1186 	 * GNonce as inputs here. Add some more entropy since this derivation
   1187 	 * is done only at the Authenticator and as such, does not need to be
   1188 	 * exactly same.
   1189 	 */
   1190 	os_memcpy(data, addr, ETH_ALEN);
   1191 	os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
   1192 	pos = data + ETH_ALEN + WPA_NONCE_LEN;
   1193 	wpa_get_ntp_timestamp(pos);
   1194 	pos += 8;
   1195 	if (random_get_bytes(pos, 16) < 0)
   1196 		ret = -1;
   1197 
   1198 #ifdef CONFIG_IEEE80211W
   1199 	sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
   1200 #else /* CONFIG_IEEE80211W */
   1201 	if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
   1202 	    < 0)
   1203 		ret = -1;
   1204 #endif /* CONFIG_IEEE80211W */
   1205 
   1206 	return ret;
   1207 }
   1208 
   1209 
   1210 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
   1211 {
   1212 	struct wpa_authenticator *wpa_auth = eloop_ctx;
   1213 	struct wpa_state_machine *sm = timeout_ctx;
   1214 
   1215 	sm->pending_1_of_4_timeout = 0;
   1216 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
   1217 	sm->TimeoutEvt = TRUE;
   1218 	wpa_sm_step(sm);
   1219 }
   1220 
   1221 
   1222 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
   1223 		      struct wpa_state_machine *sm, int key_info,
   1224 		      const u8 *key_rsc, const u8 *nonce,
   1225 		      const u8 *kde, size_t kde_len,
   1226 		      int keyidx, int encr, int force_version)
   1227 {
   1228 	struct ieee802_1x_hdr *hdr;
   1229 	struct wpa_eapol_key *key;
   1230 	size_t len;
   1231 	int alg;
   1232 	int key_data_len, pad_len = 0;
   1233 	u8 *buf, *pos;
   1234 	int version, pairwise;
   1235 	int i;
   1236 
   1237 	len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key);
   1238 
   1239 	if (force_version)
   1240 		version = force_version;
   1241 	else if (wpa_use_aes_cmac(sm))
   1242 		version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
   1243 	else if (sm->pairwise == WPA_CIPHER_CCMP)
   1244 		version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
   1245 	else
   1246 		version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
   1247 
   1248 	pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
   1249 
   1250 	wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
   1251 		   "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
   1252 		   "encr=%d)",
   1253 		   version,
   1254 		   (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
   1255 		   (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
   1256 		   (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
   1257 		   (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
   1258 		   pairwise, (unsigned long) kde_len, keyidx, encr);
   1259 
   1260 	key_data_len = kde_len;
   1261 
   1262 	if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
   1263 	     version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
   1264 		pad_len = key_data_len % 8;
   1265 		if (pad_len)
   1266 			pad_len = 8 - pad_len;
   1267 		key_data_len += pad_len + 8;
   1268 	}
   1269 
   1270 	len += key_data_len;
   1271 
   1272 	hdr = os_zalloc(len);
   1273 	if (hdr == NULL)
   1274 		return;
   1275 	hdr->version = wpa_auth->conf.eapol_version;
   1276 	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
   1277 	hdr->length = host_to_be16(len  - sizeof(*hdr));
   1278 	key = (struct wpa_eapol_key *) (hdr + 1);
   1279 
   1280 	key->type = sm->wpa == WPA_VERSION_WPA2 ?
   1281 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
   1282 	key_info |= version;
   1283 	if (encr && sm->wpa == WPA_VERSION_WPA2)
   1284 		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
   1285 	if (sm->wpa != WPA_VERSION_WPA2)
   1286 		key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
   1287 	WPA_PUT_BE16(key->key_info, key_info);
   1288 
   1289 	alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
   1290 	switch (alg) {
   1291 	case WPA_CIPHER_CCMP:
   1292 		WPA_PUT_BE16(key->key_length, 16);
   1293 		break;
   1294 	case WPA_CIPHER_TKIP:
   1295 		WPA_PUT_BE16(key->key_length, 32);
   1296 		break;
   1297 	case WPA_CIPHER_WEP40:
   1298 		WPA_PUT_BE16(key->key_length, 5);
   1299 		break;
   1300 	case WPA_CIPHER_WEP104:
   1301 		WPA_PUT_BE16(key->key_length, 13);
   1302 		break;
   1303 	}
   1304 	if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
   1305 		WPA_PUT_BE16(key->key_length, 0);
   1306 
   1307 	/* FIX: STSL: what to use as key_replay_counter? */
   1308 	for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
   1309 		sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
   1310 		os_memcpy(sm->key_replay[i].counter,
   1311 			  sm->key_replay[i - 1].counter,
   1312 			  WPA_REPLAY_COUNTER_LEN);
   1313 	}
   1314 	inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
   1315 	os_memcpy(key->replay_counter, sm->key_replay[0].counter,
   1316 		  WPA_REPLAY_COUNTER_LEN);
   1317 	sm->key_replay[0].valid = TRUE;
   1318 
   1319 	if (nonce)
   1320 		os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
   1321 
   1322 	if (key_rsc)
   1323 		os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
   1324 
   1325 	if (kde && !encr) {
   1326 		os_memcpy(key + 1, kde, kde_len);
   1327 		WPA_PUT_BE16(key->key_data_length, kde_len);
   1328 	} else if (encr && kde) {
   1329 		buf = os_zalloc(key_data_len);
   1330 		if (buf == NULL) {
   1331 			os_free(hdr);
   1332 			return;
   1333 		}
   1334 		pos = buf;
   1335 		os_memcpy(pos, kde, kde_len);
   1336 		pos += kde_len;
   1337 
   1338 		if (pad_len)
   1339 			*pos++ = 0xdd;
   1340 
   1341 		wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
   1342 				buf, key_data_len);
   1343 		if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
   1344 		    version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
   1345 			if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf,
   1346 				     (u8 *) (key + 1))) {
   1347 				os_free(hdr);
   1348 				os_free(buf);
   1349 				return;
   1350 			}
   1351 			WPA_PUT_BE16(key->key_data_length, key_data_len);
   1352 		} else {
   1353 			u8 ek[32];
   1354 			os_memcpy(key->key_iv,
   1355 				  sm->group->Counter + WPA_NONCE_LEN - 16, 16);
   1356 			inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
   1357 			os_memcpy(ek, key->key_iv, 16);
   1358 			os_memcpy(ek + 16, sm->PTK.kek, 16);
   1359 			os_memcpy(key + 1, buf, key_data_len);
   1360 			rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len);
   1361 			WPA_PUT_BE16(key->key_data_length, key_data_len);
   1362 		}
   1363 		os_free(buf);
   1364 	}
   1365 
   1366 	if (key_info & WPA_KEY_INFO_MIC) {
   1367 		if (!sm->PTK_valid) {
   1368 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
   1369 					"PTK not valid when sending EAPOL-Key "
   1370 					"frame");
   1371 			os_free(hdr);
   1372 			return;
   1373 		}
   1374 		wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len,
   1375 				  key->key_mic);
   1376 	}
   1377 
   1378 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
   1379 			   1);
   1380 	wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
   1381 			    sm->pairwise_set);
   1382 	os_free(hdr);
   1383 }
   1384 
   1385 
   1386 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
   1387 			   struct wpa_state_machine *sm, int key_info,
   1388 			   const u8 *key_rsc, const u8 *nonce,
   1389 			   const u8 *kde, size_t kde_len,
   1390 			   int keyidx, int encr)
   1391 {
   1392 	int timeout_ms;
   1393 	int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
   1394 	int ctr;
   1395 
   1396 	if (sm == NULL)
   1397 		return;
   1398 
   1399 	__wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
   1400 			 keyidx, encr, 0);
   1401 
   1402 	ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
   1403 	if (ctr == 1 && wpa_auth->conf.tx_status)
   1404 		timeout_ms = pairwise ? eapol_key_timeout_first :
   1405 			eapol_key_timeout_first_group;
   1406 	else
   1407 		timeout_ms = eapol_key_timeout_subseq;
   1408 	if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
   1409 		sm->pending_1_of_4_timeout = 1;
   1410 	wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
   1411 		   "counter %d)", timeout_ms, ctr);
   1412 	eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
   1413 			       wpa_send_eapol_timeout, wpa_auth, sm);
   1414 }
   1415 
   1416 
   1417 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len)
   1418 {
   1419 	struct ieee802_1x_hdr *hdr;
   1420 	struct wpa_eapol_key *key;
   1421 	u16 key_info;
   1422 	int ret = 0;
   1423 	u8 mic[16];
   1424 
   1425 	if (data_len < sizeof(*hdr) + sizeof(*key))
   1426 		return -1;
   1427 
   1428 	hdr = (struct ieee802_1x_hdr *) data;
   1429 	key = (struct wpa_eapol_key *) (hdr + 1);
   1430 	key_info = WPA_GET_BE16(key->key_info);
   1431 	os_memcpy(mic, key->key_mic, 16);
   1432 	os_memset(key->key_mic, 0, 16);
   1433 	if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK,
   1434 			      data, data_len, key->key_mic) ||
   1435 	    os_memcmp(mic, key->key_mic, 16) != 0)
   1436 		ret = -1;
   1437 	os_memcpy(key->key_mic, mic, 16);
   1438 	return ret;
   1439 }
   1440 
   1441 
   1442 void wpa_remove_ptk(struct wpa_state_machine *sm)
   1443 {
   1444 	sm->PTK_valid = FALSE;
   1445 	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
   1446 	wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
   1447 	sm->pairwise_set = FALSE;
   1448 	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
   1449 }
   1450 
   1451 
   1452 int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event)
   1453 {
   1454 	int remove_ptk = 1;
   1455 
   1456 	if (sm == NULL)
   1457 		return -1;
   1458 
   1459 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1460 			 "event %d notification", event);
   1461 
   1462 	switch (event) {
   1463 	case WPA_AUTH:
   1464 	case WPA_ASSOC:
   1465 		break;
   1466 	case WPA_DEAUTH:
   1467 	case WPA_DISASSOC:
   1468 		sm->DeauthenticationRequest = TRUE;
   1469 		break;
   1470 	case WPA_REAUTH:
   1471 	case WPA_REAUTH_EAPOL:
   1472 		if (!sm->started) {
   1473 			/*
   1474 			 * When using WPS, we may end up here if the STA
   1475 			 * manages to re-associate without the previous STA
   1476 			 * entry getting removed. Consequently, we need to make
   1477 			 * sure that the WPA state machines gets initialized
   1478 			 * properly at this point.
   1479 			 */
   1480 			wpa_printf(MSG_DEBUG, "WPA state machine had not been "
   1481 				   "started - initialize now");
   1482 			sm->started = 1;
   1483 			sm->Init = TRUE;
   1484 			if (wpa_sm_step(sm) == 1)
   1485 				return 1; /* should not really happen */
   1486 			sm->Init = FALSE;
   1487 			sm->AuthenticationRequest = TRUE;
   1488 			break;
   1489 		}
   1490 		if (sm->GUpdateStationKeys) {
   1491 			/*
   1492 			 * Reauthentication cancels the pending group key
   1493 			 * update for this STA.
   1494 			 */
   1495 			sm->group->GKeyDoneStations--;
   1496 			sm->GUpdateStationKeys = FALSE;
   1497 			sm->PtkGroupInit = TRUE;
   1498 		}
   1499 		sm->ReAuthenticationRequest = TRUE;
   1500 		break;
   1501 	case WPA_ASSOC_FT:
   1502 #ifdef CONFIG_IEEE80211R
   1503 		wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
   1504 			   "after association");
   1505 		wpa_ft_install_ptk(sm);
   1506 
   1507 		/* Using FT protocol, not WPA auth state machine */
   1508 		sm->ft_completed = 1;
   1509 		return 0;
   1510 #else /* CONFIG_IEEE80211R */
   1511 		break;
   1512 #endif /* CONFIG_IEEE80211R */
   1513 	}
   1514 
   1515 #ifdef CONFIG_IEEE80211R
   1516 	sm->ft_completed = 0;
   1517 #endif /* CONFIG_IEEE80211R */
   1518 
   1519 #ifdef CONFIG_IEEE80211W
   1520 	if (sm->mgmt_frame_prot && event == WPA_AUTH)
   1521 		remove_ptk = 0;
   1522 #endif /* CONFIG_IEEE80211W */
   1523 
   1524 	if (remove_ptk) {
   1525 		sm->PTK_valid = FALSE;
   1526 		os_memset(&sm->PTK, 0, sizeof(sm->PTK));
   1527 
   1528 		if (event != WPA_REAUTH_EAPOL)
   1529 			wpa_remove_ptk(sm);
   1530 	}
   1531 
   1532 	return wpa_sm_step(sm);
   1533 }
   1534 
   1535 
   1536 static enum wpa_alg wpa_alg_enum(int alg)
   1537 {
   1538 	switch (alg) {
   1539 	case WPA_CIPHER_CCMP:
   1540 		return WPA_ALG_CCMP;
   1541 	case WPA_CIPHER_TKIP:
   1542 		return WPA_ALG_TKIP;
   1543 	case WPA_CIPHER_WEP104:
   1544 	case WPA_CIPHER_WEP40:
   1545 		return WPA_ALG_WEP;
   1546 	default:
   1547 		return WPA_ALG_NONE;
   1548 	}
   1549 }
   1550 
   1551 
   1552 SM_STATE(WPA_PTK, INITIALIZE)
   1553 {
   1554 	SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
   1555 	if (sm->Init) {
   1556 		/* Init flag is not cleared here, so avoid busy
   1557 		 * loop by claiming nothing changed. */
   1558 		sm->changed = FALSE;
   1559 	}
   1560 
   1561 	sm->keycount = 0;
   1562 	if (sm->GUpdateStationKeys)
   1563 		sm->group->GKeyDoneStations--;
   1564 	sm->GUpdateStationKeys = FALSE;
   1565 	if (sm->wpa == WPA_VERSION_WPA)
   1566 		sm->PInitAKeys = FALSE;
   1567 	if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
   1568 	       * Local AA > Remote AA)) */) {
   1569 		sm->Pair = TRUE;
   1570 	}
   1571 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
   1572 	wpa_remove_ptk(sm);
   1573 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
   1574 	sm->TimeoutCtr = 0;
   1575 	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
   1576 		wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
   1577 				   WPA_EAPOL_authorized, 0);
   1578 	}
   1579 }
   1580 
   1581 
   1582 SM_STATE(WPA_PTK, DISCONNECT)
   1583 {
   1584 	SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
   1585 	sm->Disconnect = FALSE;
   1586 	wpa_sta_disconnect(sm->wpa_auth, sm->addr);
   1587 }
   1588 
   1589 
   1590 SM_STATE(WPA_PTK, DISCONNECTED)
   1591 {
   1592 	SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
   1593 	sm->DeauthenticationRequest = FALSE;
   1594 }
   1595 
   1596 
   1597 SM_STATE(WPA_PTK, AUTHENTICATION)
   1598 {
   1599 	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
   1600 	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
   1601 	sm->PTK_valid = FALSE;
   1602 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
   1603 			   1);
   1604 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
   1605 	sm->AuthenticationRequest = FALSE;
   1606 }
   1607 
   1608 
   1609 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
   1610 				  struct wpa_group *group)
   1611 {
   1612 	if (group->first_sta_seen)
   1613 		return;
   1614 	/*
   1615 	 * System has run bit further than at the time hostapd was started
   1616 	 * potentially very early during boot up. This provides better chances
   1617 	 * of collecting more randomness on embedded systems. Re-initialize the
   1618 	 * GMK and Counter here to improve their strength if there was not
   1619 	 * enough entropy available immediately after system startup.
   1620 	 */
   1621 	wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
   1622 		   "station");
   1623 	if (random_pool_ready() != 1) {
   1624 		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
   1625 			   "to proceed - reject first 4-way handshake");
   1626 		group->reject_4way_hs_for_entropy = TRUE;
   1627 	} else {
   1628 		group->first_sta_seen = TRUE;
   1629 		group->reject_4way_hs_for_entropy = FALSE;
   1630 	}
   1631 
   1632 	wpa_group_init_gmk_and_counter(wpa_auth, group);
   1633 	wpa_gtk_update(wpa_auth, group);
   1634 	wpa_group_config_group_keys(wpa_auth, group);
   1635 }
   1636 
   1637 
   1638 SM_STATE(WPA_PTK, AUTHENTICATION2)
   1639 {
   1640 	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
   1641 
   1642 	wpa_group_ensure_init(sm->wpa_auth, sm->group);
   1643 
   1644 	os_memcpy(sm->ANonce, sm->group->Counter, WPA_NONCE_LEN);
   1645 	wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
   1646 		    WPA_NONCE_LEN);
   1647 	inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
   1648 	sm->ReAuthenticationRequest = FALSE;
   1649 	/* IEEE 802.11i does not clear TimeoutCtr here, but this is more
   1650 	 * logical place than INITIALIZE since AUTHENTICATION2 can be
   1651 	 * re-entered on ReAuthenticationRequest without going through
   1652 	 * INITIALIZE. */
   1653 	sm->TimeoutCtr = 0;
   1654 }
   1655 
   1656 
   1657 SM_STATE(WPA_PTK, INITPMK)
   1658 {
   1659 	u8 msk[2 * PMK_LEN];
   1660 	size_t len = 2 * PMK_LEN;
   1661 
   1662 	SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
   1663 #ifdef CONFIG_IEEE80211R
   1664 	sm->xxkey_len = 0;
   1665 #endif /* CONFIG_IEEE80211R */
   1666 	if (sm->pmksa) {
   1667 		wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
   1668 		os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN);
   1669 	} else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
   1670 		wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
   1671 			   "(len=%lu)", (unsigned long) len);
   1672 		os_memcpy(sm->PMK, msk, PMK_LEN);
   1673 #ifdef CONFIG_IEEE80211R
   1674 		if (len >= 2 * PMK_LEN) {
   1675 			os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
   1676 			sm->xxkey_len = PMK_LEN;
   1677 		}
   1678 #endif /* CONFIG_IEEE80211R */
   1679 	} else {
   1680 		wpa_printf(MSG_DEBUG, "WPA: Could not get PMK");
   1681 	}
   1682 
   1683 	sm->req_replay_counter_used = 0;
   1684 	/* IEEE 802.11i does not set keyRun to FALSE, but not doing this
   1685 	 * will break reauthentication since EAPOL state machines may not be
   1686 	 * get into AUTHENTICATING state that clears keyRun before WPA state
   1687 	 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
   1688 	 * state and takes PMK from the previously used AAA Key. This will
   1689 	 * eventually fail in 4-Way Handshake because Supplicant uses PMK
   1690 	 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
   1691 	 * be good workaround for this issue. */
   1692 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
   1693 }
   1694 
   1695 
   1696 SM_STATE(WPA_PTK, INITPSK)
   1697 {
   1698 	const u8 *psk;
   1699 	SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
   1700 	psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL);
   1701 	if (psk) {
   1702 		os_memcpy(sm->PMK, psk, PMK_LEN);
   1703 #ifdef CONFIG_IEEE80211R
   1704 		os_memcpy(sm->xxkey, psk, PMK_LEN);
   1705 		sm->xxkey_len = PMK_LEN;
   1706 #endif /* CONFIG_IEEE80211R */
   1707 	}
   1708 	sm->req_replay_counter_used = 0;
   1709 }
   1710 
   1711 
   1712 SM_STATE(WPA_PTK, PTKSTART)
   1713 {
   1714 	u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
   1715 	size_t pmkid_len = 0;
   1716 
   1717 	SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
   1718 	sm->PTKRequest = FALSE;
   1719 	sm->TimeoutEvt = FALSE;
   1720 
   1721 	sm->TimeoutCtr++;
   1722 	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
   1723 		/* No point in sending the EAPOL-Key - we will disconnect
   1724 		 * immediately following this. */
   1725 		return;
   1726 	}
   1727 
   1728 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1729 			"sending 1/4 msg of 4-Way Handshake");
   1730 	/*
   1731 	 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
   1732 	 * one possible PSK for this STA.
   1733 	 */
   1734 	if (sm->wpa == WPA_VERSION_WPA2 &&
   1735 	    wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) {
   1736 		pmkid = buf;
   1737 		pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
   1738 		pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
   1739 		pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
   1740 		RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
   1741 		if (sm->pmksa)
   1742 			os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
   1743 				  sm->pmksa->pmkid, PMKID_LEN);
   1744 		else {
   1745 			/*
   1746 			 * Calculate PMKID since no PMKSA cache entry was
   1747 			 * available with pre-calculated PMKID.
   1748 			 */
   1749 			rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr,
   1750 				  sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
   1751 				  wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
   1752 		}
   1753 	}
   1754 	wpa_send_eapol(sm->wpa_auth, sm,
   1755 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
   1756 		       sm->ANonce, pmkid, pmkid_len, 0, 0);
   1757 }
   1758 
   1759 
   1760 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk,
   1761 			  struct wpa_ptk *ptk)
   1762 {
   1763 	size_t ptk_len = sm->pairwise == WPA_CIPHER_CCMP ? 48 : 64;
   1764 #ifdef CONFIG_IEEE80211R
   1765 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
   1766 		return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len);
   1767 #endif /* CONFIG_IEEE80211R */
   1768 
   1769 	wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion",
   1770 		       sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce,
   1771 		       (u8 *) ptk, ptk_len,
   1772 		       wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
   1773 
   1774 	return 0;
   1775 }
   1776 
   1777 
   1778 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
   1779 {
   1780 	struct wpa_ptk PTK;
   1781 	int ok = 0;
   1782 	const u8 *pmk = NULL;
   1783 
   1784 	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
   1785 	sm->EAPOLKeyReceived = FALSE;
   1786 	sm->update_snonce = FALSE;
   1787 
   1788 	/* WPA with IEEE 802.1X: use the derived PMK from EAP
   1789 	 * WPA-PSK: iterate through possible PSKs and select the one matching
   1790 	 * the packet */
   1791 	for (;;) {
   1792 		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
   1793 			pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, pmk);
   1794 			if (pmk == NULL)
   1795 				break;
   1796 		} else
   1797 			pmk = sm->PMK;
   1798 
   1799 		wpa_derive_ptk(sm, pmk, &PTK);
   1800 
   1801 		if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key,
   1802 				       sm->last_rx_eapol_key_len) == 0) {
   1803 			ok = 1;
   1804 			break;
   1805 		}
   1806 
   1807 		if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
   1808 			break;
   1809 	}
   1810 
   1811 	if (!ok) {
   1812 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1813 				"invalid MIC in msg 2/4 of 4-Way Handshake");
   1814 		return;
   1815 	}
   1816 
   1817 #ifdef CONFIG_IEEE80211R
   1818 	if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
   1819 		/*
   1820 		 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
   1821 		 * with the value we derived.
   1822 		 */
   1823 		if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name,
   1824 			      WPA_PMK_NAME_LEN) != 0) {
   1825 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1826 					"PMKR1Name mismatch in FT 4-way "
   1827 					"handshake");
   1828 			wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
   1829 				    "Supplicant",
   1830 				    sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
   1831 			wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
   1832 				    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
   1833 			return;
   1834 		}
   1835 	}
   1836 #endif /* CONFIG_IEEE80211R */
   1837 
   1838 	sm->pending_1_of_4_timeout = 0;
   1839 	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
   1840 
   1841 	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
   1842 		/* PSK may have changed from the previous choice, so update
   1843 		 * state machine data based on whatever PSK was selected here.
   1844 		 */
   1845 		os_memcpy(sm->PMK, pmk, PMK_LEN);
   1846 	}
   1847 
   1848 	sm->MICVerified = TRUE;
   1849 
   1850 	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
   1851 	sm->PTK_valid = TRUE;
   1852 }
   1853 
   1854 
   1855 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
   1856 {
   1857 	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
   1858 	sm->TimeoutCtr = 0;
   1859 }
   1860 
   1861 
   1862 #ifdef CONFIG_IEEE80211W
   1863 
   1864 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
   1865 {
   1866 	if (sm->mgmt_frame_prot) {
   1867 		return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde);
   1868 	}
   1869 
   1870 	return 0;
   1871 }
   1872 
   1873 
   1874 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
   1875 {
   1876 	struct wpa_igtk_kde igtk;
   1877 	struct wpa_group *gsm = sm->group;
   1878 
   1879 	if (!sm->mgmt_frame_prot)
   1880 		return pos;
   1881 
   1882 	igtk.keyid[0] = gsm->GN_igtk;
   1883 	igtk.keyid[1] = 0;
   1884 	if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
   1885 	    wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0)
   1886 		os_memset(igtk.pn, 0, sizeof(igtk.pn));
   1887 	os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
   1888 	pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
   1889 			  (const u8 *) &igtk, sizeof(igtk), NULL, 0);
   1890 
   1891 	return pos;
   1892 }
   1893 
   1894 #else /* CONFIG_IEEE80211W */
   1895 
   1896 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
   1897 {
   1898 	return 0;
   1899 }
   1900 
   1901 
   1902 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
   1903 {
   1904 	return pos;
   1905 }
   1906 
   1907 #endif /* CONFIG_IEEE80211W */
   1908 
   1909 
   1910 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
   1911 {
   1912 	u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos;
   1913 	size_t gtk_len, kde_len;
   1914 	struct wpa_group *gsm = sm->group;
   1915 	u8 *wpa_ie;
   1916 	int wpa_ie_len, secure, keyidx, encr = 0;
   1917 
   1918 	SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
   1919 	sm->TimeoutEvt = FALSE;
   1920 
   1921 	sm->TimeoutCtr++;
   1922 	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
   1923 		/* No point in sending the EAPOL-Key - we will disconnect
   1924 		 * immediately following this. */
   1925 		return;
   1926 	}
   1927 
   1928 	/* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
   1929 	   GTK[GN], IGTK, [FTIE], [TIE * 2])
   1930 	 */
   1931 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
   1932 	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
   1933 	/* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
   1934 	wpa_ie = sm->wpa_auth->wpa_ie;
   1935 	wpa_ie_len = sm->wpa_auth->wpa_ie_len;
   1936 	if (sm->wpa == WPA_VERSION_WPA &&
   1937 	    (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
   1938 	    wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
   1939 		/* WPA-only STA, remove RSN IE */
   1940 		wpa_ie = wpa_ie + wpa_ie[1] + 2;
   1941 		wpa_ie_len = wpa_ie[1] + 2;
   1942 	}
   1943 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1944 			"sending 3/4 msg of 4-Way Handshake");
   1945 	if (sm->wpa == WPA_VERSION_WPA2) {
   1946 		/* WPA2 send GTK in the 4-way handshake */
   1947 		secure = 1;
   1948 		gtk = gsm->GTK[gsm->GN - 1];
   1949 		gtk_len = gsm->GTK_len;
   1950 		keyidx = gsm->GN;
   1951 		_rsc = rsc;
   1952 		encr = 1;
   1953 	} else {
   1954 		/* WPA does not include GTK in msg 3/4 */
   1955 		secure = 0;
   1956 		gtk = NULL;
   1957 		gtk_len = 0;
   1958 		keyidx = 0;
   1959 		_rsc = NULL;
   1960 		if (sm->rx_eapol_key_secure) {
   1961 			/*
   1962 			 * It looks like Windows 7 supplicant tries to use
   1963 			 * Secure bit in msg 2/4 after having reported Michael
   1964 			 * MIC failure and it then rejects the 4-way handshake
   1965 			 * if msg 3/4 does not set Secure bit. Work around this
   1966 			 * by setting the Secure bit here even in the case of
   1967 			 * WPA if the supplicant used it first.
   1968 			 */
   1969 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1970 					"STA used Secure bit in WPA msg 2/4 - "
   1971 					"set Secure for 3/4 as workaround");
   1972 			secure = 1;
   1973 		}
   1974 	}
   1975 
   1976 	kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
   1977 	if (gtk)
   1978 		kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
   1979 #ifdef CONFIG_IEEE80211R
   1980 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
   1981 		kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
   1982 		kde_len += 300; /* FTIE + 2 * TIE */
   1983 	}
   1984 #endif /* CONFIG_IEEE80211R */
   1985 	kde = os_malloc(kde_len);
   1986 	if (kde == NULL)
   1987 		return;
   1988 
   1989 	pos = kde;
   1990 	os_memcpy(pos, wpa_ie, wpa_ie_len);
   1991 	pos += wpa_ie_len;
   1992 #ifdef CONFIG_IEEE80211R
   1993 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
   1994 		int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name);
   1995 		if (res < 0) {
   1996 			wpa_printf(MSG_ERROR, "FT: Failed to insert "
   1997 				   "PMKR1Name into RSN IE in EAPOL-Key data");
   1998 			os_free(kde);
   1999 			return;
   2000 		}
   2001 		pos += res;
   2002 	}
   2003 #endif /* CONFIG_IEEE80211R */
   2004 	if (gtk) {
   2005 		u8 hdr[2];
   2006 		hdr[0] = keyidx & 0x03;
   2007 		hdr[1] = 0;
   2008 		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
   2009 				  gtk, gtk_len);
   2010 	}
   2011 	pos = ieee80211w_kde_add(sm, pos);
   2012 
   2013 #ifdef CONFIG_IEEE80211R
   2014 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
   2015 		int res;
   2016 		struct wpa_auth_config *conf;
   2017 
   2018 		conf = &sm->wpa_auth->conf;
   2019 		res = wpa_write_ftie(conf, conf->r0_key_holder,
   2020 				     conf->r0_key_holder_len,
   2021 				     NULL, NULL, pos, kde + kde_len - pos,
   2022 				     NULL, 0);
   2023 		if (res < 0) {
   2024 			wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
   2025 				   "into EAPOL-Key Key Data");
   2026 			os_free(kde);
   2027 			return;
   2028 		}
   2029 		pos += res;
   2030 
   2031 		/* TIE[ReassociationDeadline] (TU) */
   2032 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
   2033 		*pos++ = 5;
   2034 		*pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
   2035 		WPA_PUT_LE32(pos, conf->reassociation_deadline);
   2036 		pos += 4;
   2037 
   2038 		/* TIE[KeyLifetime] (seconds) */
   2039 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
   2040 		*pos++ = 5;
   2041 		*pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
   2042 		WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
   2043 		pos += 4;
   2044 	}
   2045 #endif /* CONFIG_IEEE80211R */
   2046 
   2047 	wpa_send_eapol(sm->wpa_auth, sm,
   2048 		       (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
   2049 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
   2050 		       WPA_KEY_INFO_KEY_TYPE,
   2051 		       _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
   2052 	os_free(kde);
   2053 }
   2054 
   2055 
   2056 SM_STATE(WPA_PTK, PTKINITDONE)
   2057 {
   2058 	SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
   2059 	sm->EAPOLKeyReceived = FALSE;
   2060 	if (sm->Pair) {
   2061 		enum wpa_alg alg;
   2062 		int klen;
   2063 		if (sm->pairwise == WPA_CIPHER_TKIP) {
   2064 			alg = WPA_ALG_TKIP;
   2065 			klen = 32;
   2066 		} else {
   2067 			alg = WPA_ALG_CCMP;
   2068 			klen = 16;
   2069 		}
   2070 		if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
   2071 				     sm->PTK.tk1, klen)) {
   2072 			wpa_sta_disconnect(sm->wpa_auth, sm->addr);
   2073 			return;
   2074 		}
   2075 		/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
   2076 		sm->pairwise_set = TRUE;
   2077 
   2078 		if (sm->wpa_auth->conf.wpa_ptk_rekey) {
   2079 			eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
   2080 			eloop_register_timeout(sm->wpa_auth->conf.
   2081 					       wpa_ptk_rekey, 0, wpa_rekey_ptk,
   2082 					       sm->wpa_auth, sm);
   2083 		}
   2084 
   2085 		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
   2086 			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
   2087 					   WPA_EAPOL_authorized, 1);
   2088 		}
   2089 	}
   2090 
   2091 	if (0 /* IBSS == TRUE */) {
   2092 		sm->keycount++;
   2093 		if (sm->keycount == 2) {
   2094 			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
   2095 					   WPA_EAPOL_portValid, 1);
   2096 		}
   2097 	} else {
   2098 		wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
   2099 				   1);
   2100 	}
   2101 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
   2102 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
   2103 	if (sm->wpa == WPA_VERSION_WPA)
   2104 		sm->PInitAKeys = TRUE;
   2105 	else
   2106 		sm->has_GTK = TRUE;
   2107 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
   2108 			 "pairwise key handshake completed (%s)",
   2109 			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
   2110 
   2111 #ifdef CONFIG_IEEE80211R
   2112 	wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
   2113 #endif /* CONFIG_IEEE80211R */
   2114 }
   2115 
   2116 
   2117 SM_STEP(WPA_PTK)
   2118 {
   2119 	struct wpa_authenticator *wpa_auth = sm->wpa_auth;
   2120 
   2121 	if (sm->Init)
   2122 		SM_ENTER(WPA_PTK, INITIALIZE);
   2123 	else if (sm->Disconnect
   2124 		 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
   2125 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
   2126 				"WPA_PTK: sm->Disconnect");
   2127 		SM_ENTER(WPA_PTK, DISCONNECT);
   2128 	}
   2129 	else if (sm->DeauthenticationRequest)
   2130 		SM_ENTER(WPA_PTK, DISCONNECTED);
   2131 	else if (sm->AuthenticationRequest)
   2132 		SM_ENTER(WPA_PTK, AUTHENTICATION);
   2133 	else if (sm->ReAuthenticationRequest)
   2134 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
   2135 	else if (sm->PTKRequest)
   2136 		SM_ENTER(WPA_PTK, PTKSTART);
   2137 	else switch (sm->wpa_ptk_state) {
   2138 	case WPA_PTK_INITIALIZE:
   2139 		break;
   2140 	case WPA_PTK_DISCONNECT:
   2141 		SM_ENTER(WPA_PTK, DISCONNECTED);
   2142 		break;
   2143 	case WPA_PTK_DISCONNECTED:
   2144 		SM_ENTER(WPA_PTK, INITIALIZE);
   2145 		break;
   2146 	case WPA_PTK_AUTHENTICATION:
   2147 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
   2148 		break;
   2149 	case WPA_PTK_AUTHENTICATION2:
   2150 		if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
   2151 		    wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
   2152 				       WPA_EAPOL_keyRun) > 0)
   2153 			SM_ENTER(WPA_PTK, INITPMK);
   2154 		else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
   2155 			 /* FIX: && 802.1X::keyRun */)
   2156 			SM_ENTER(WPA_PTK, INITPSK);
   2157 		break;
   2158 	case WPA_PTK_INITPMK:
   2159 		if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
   2160 				       WPA_EAPOL_keyAvailable) > 0)
   2161 			SM_ENTER(WPA_PTK, PTKSTART);
   2162 		else {
   2163 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
   2164 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
   2165 					"INITPMK - keyAvailable = false");
   2166 			SM_ENTER(WPA_PTK, DISCONNECT);
   2167 		}
   2168 		break;
   2169 	case WPA_PTK_INITPSK:
   2170 		if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL))
   2171 			SM_ENTER(WPA_PTK, PTKSTART);
   2172 		else {
   2173 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
   2174 					"no PSK configured for the STA");
   2175 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
   2176 			SM_ENTER(WPA_PTK, DISCONNECT);
   2177 		}
   2178 		break;
   2179 	case WPA_PTK_PTKSTART:
   2180 		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
   2181 		    sm->EAPOLKeyPairwise)
   2182 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
   2183 		else if (sm->TimeoutCtr >
   2184 			 (int) dot11RSNAConfigPairwiseUpdateCount) {
   2185 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
   2186 			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   2187 					 "PTKSTART: Retry limit %d reached",
   2188 					 dot11RSNAConfigPairwiseUpdateCount);
   2189 			SM_ENTER(WPA_PTK, DISCONNECT);
   2190 		} else if (sm->TimeoutEvt)
   2191 			SM_ENTER(WPA_PTK, PTKSTART);
   2192 		break;
   2193 	case WPA_PTK_PTKCALCNEGOTIATING:
   2194 		if (sm->MICVerified)
   2195 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
   2196 		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
   2197 			 sm->EAPOLKeyPairwise)
   2198 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
   2199 		else if (sm->TimeoutEvt)
   2200 			SM_ENTER(WPA_PTK, PTKSTART);
   2201 		break;
   2202 	case WPA_PTK_PTKCALCNEGOTIATING2:
   2203 		SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
   2204 		break;
   2205 	case WPA_PTK_PTKINITNEGOTIATING:
   2206 		if (sm->update_snonce)
   2207 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
   2208 		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
   2209 			 sm->EAPOLKeyPairwise && sm->MICVerified)
   2210 			SM_ENTER(WPA_PTK, PTKINITDONE);
   2211 		else if (sm->TimeoutCtr >
   2212 			 (int) dot11RSNAConfigPairwiseUpdateCount) {
   2213 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
   2214 			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   2215 					 "PTKINITNEGOTIATING: Retry limit %d "
   2216 					 "reached",
   2217 					 dot11RSNAConfigPairwiseUpdateCount);
   2218 			SM_ENTER(WPA_PTK, DISCONNECT);
   2219 		} else if (sm->TimeoutEvt)
   2220 			SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
   2221 		break;
   2222 	case WPA_PTK_PTKINITDONE:
   2223 		break;
   2224 	}
   2225 }
   2226 
   2227 
   2228 SM_STATE(WPA_PTK_GROUP, IDLE)
   2229 {
   2230 	SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
   2231 	if (sm->Init) {
   2232 		/* Init flag is not cleared here, so avoid busy
   2233 		 * loop by claiming nothing changed. */
   2234 		sm->changed = FALSE;
   2235 	}
   2236 	sm->GTimeoutCtr = 0;
   2237 }
   2238 
   2239 
   2240 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
   2241 {
   2242 	u8 rsc[WPA_KEY_RSC_LEN];
   2243 	struct wpa_group *gsm = sm->group;
   2244 	u8 *kde, *pos, hdr[2];
   2245 	size_t kde_len;
   2246 
   2247 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
   2248 
   2249 	sm->GTimeoutCtr++;
   2250 	if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
   2251 		/* No point in sending the EAPOL-Key - we will disconnect
   2252 		 * immediately following this. */
   2253 		return;
   2254 	}
   2255 
   2256 	if (sm->wpa == WPA_VERSION_WPA)
   2257 		sm->PInitAKeys = FALSE;
   2258 	sm->TimeoutEvt = FALSE;
   2259 	/* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
   2260 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
   2261 	if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
   2262 		wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
   2263 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   2264 			"sending 1/2 msg of Group Key Handshake");
   2265 
   2266 	if (sm->wpa == WPA_VERSION_WPA2) {
   2267 		kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
   2268 			ieee80211w_kde_len(sm);
   2269 		kde = os_malloc(kde_len);
   2270 		if (kde == NULL)
   2271 			return;
   2272 
   2273 		pos = kde;
   2274 		hdr[0] = gsm->GN & 0x03;
   2275 		hdr[1] = 0;
   2276 		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
   2277 				  gsm->GTK[gsm->GN - 1], gsm->GTK_len);
   2278 		pos = ieee80211w_kde_add(sm, pos);
   2279 	} else {
   2280 		kde = gsm->GTK[gsm->GN - 1];
   2281 		pos = kde + gsm->GTK_len;
   2282 	}
   2283 
   2284 	wpa_send_eapol(sm->wpa_auth, sm,
   2285 		       WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
   2286 		       WPA_KEY_INFO_ACK |
   2287 		       (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
   2288 		       rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1);
   2289 	if (sm->wpa == WPA_VERSION_WPA2)
   2290 		os_free(kde);
   2291 }
   2292 
   2293 
   2294 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
   2295 {
   2296 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
   2297 	sm->EAPOLKeyReceived = FALSE;
   2298 	if (sm->GUpdateStationKeys)
   2299 		sm->group->GKeyDoneStations--;
   2300 	sm->GUpdateStationKeys = FALSE;
   2301 	sm->GTimeoutCtr = 0;
   2302 	/* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
   2303 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
   2304 			 "group key handshake completed (%s)",
   2305 			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
   2306 	sm->has_GTK = TRUE;
   2307 }
   2308 
   2309 
   2310 SM_STATE(WPA_PTK_GROUP, KEYERROR)
   2311 {
   2312 	SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
   2313 	if (sm->GUpdateStationKeys)
   2314 		sm->group->GKeyDoneStations--;
   2315 	sm->GUpdateStationKeys = FALSE;
   2316 	sm->Disconnect = TRUE;
   2317 }
   2318 
   2319 
   2320 SM_STEP(WPA_PTK_GROUP)
   2321 {
   2322 	if (sm->Init || sm->PtkGroupInit) {
   2323 		SM_ENTER(WPA_PTK_GROUP, IDLE);
   2324 		sm->PtkGroupInit = FALSE;
   2325 	} else switch (sm->wpa_ptk_group_state) {
   2326 	case WPA_PTK_GROUP_IDLE:
   2327 		if (sm->GUpdateStationKeys ||
   2328 		    (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
   2329 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
   2330 		break;
   2331 	case WPA_PTK_GROUP_REKEYNEGOTIATING:
   2332 		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
   2333 		    !sm->EAPOLKeyPairwise && sm->MICVerified)
   2334 			SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
   2335 		else if (sm->GTimeoutCtr >
   2336 			 (int) dot11RSNAConfigGroupUpdateCount)
   2337 			SM_ENTER(WPA_PTK_GROUP, KEYERROR);
   2338 		else if (sm->TimeoutEvt)
   2339 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
   2340 		break;
   2341 	case WPA_PTK_GROUP_KEYERROR:
   2342 		SM_ENTER(WPA_PTK_GROUP, IDLE);
   2343 		break;
   2344 	case WPA_PTK_GROUP_REKEYESTABLISHED:
   2345 		SM_ENTER(WPA_PTK_GROUP, IDLE);
   2346 		break;
   2347 	}
   2348 }
   2349 
   2350 
   2351 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
   2352 			  struct wpa_group *group)
   2353 {
   2354 	int ret = 0;
   2355 
   2356 	os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
   2357 	inc_byte_array(group->Counter, WPA_NONCE_LEN);
   2358 	if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
   2359 			   wpa_auth->addr, group->GNonce,
   2360 			   group->GTK[group->GN - 1], group->GTK_len) < 0)
   2361 		ret = -1;
   2362 	wpa_hexdump_key(MSG_DEBUG, "GTK",
   2363 			group->GTK[group->GN - 1], group->GTK_len);
   2364 
   2365 #ifdef CONFIG_IEEE80211W
   2366 	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
   2367 		os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
   2368 		inc_byte_array(group->Counter, WPA_NONCE_LEN);
   2369 		if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
   2370 				   wpa_auth->addr, group->GNonce,
   2371 				   group->IGTK[group->GN_igtk - 4],
   2372 				   WPA_IGTK_LEN) < 0)
   2373 			ret = -1;
   2374 		wpa_hexdump_key(MSG_DEBUG, "IGTK",
   2375 				group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN);
   2376 	}
   2377 #endif /* CONFIG_IEEE80211W */
   2378 
   2379 	return ret;
   2380 }
   2381 
   2382 
   2383 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
   2384 			       struct wpa_group *group)
   2385 {
   2386 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
   2387 		   "GTK_INIT (VLAN-ID %d)", group->vlan_id);
   2388 	group->changed = FALSE; /* GInit is not cleared here; avoid loop */
   2389 	group->wpa_group_state = WPA_GROUP_GTK_INIT;
   2390 
   2391 	/* GTK[0..N] = 0 */
   2392 	os_memset(group->GTK, 0, sizeof(group->GTK));
   2393 	group->GN = 1;
   2394 	group->GM = 2;
   2395 #ifdef CONFIG_IEEE80211W
   2396 	group->GN_igtk = 4;
   2397 	group->GM_igtk = 5;
   2398 #endif /* CONFIG_IEEE80211W */
   2399 	/* GTK[GN] = CalcGTK() */
   2400 	wpa_gtk_update(wpa_auth, group);
   2401 }
   2402 
   2403 
   2404 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
   2405 {
   2406 	if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
   2407 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   2408 				"Not in PTKINITDONE; skip Group Key update");
   2409 		sm->GUpdateStationKeys = FALSE;
   2410 		return 0;
   2411 	}
   2412 	if (sm->GUpdateStationKeys) {
   2413 		/*
   2414 		 * This should not really happen, so add a debug log entry.
   2415 		 * Since we clear the GKeyDoneStations before the loop, the
   2416 		 * station needs to be counted here anyway.
   2417 		 */
   2418 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   2419 				"GUpdateStationKeys was already set when "
   2420 				"marking station for GTK rekeying");
   2421 	}
   2422 
   2423 	sm->group->GKeyDoneStations++;
   2424 	sm->GUpdateStationKeys = TRUE;
   2425 
   2426 	wpa_sm_step(sm);
   2427 	return 0;
   2428 }
   2429 
   2430 
   2431 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
   2432 			      struct wpa_group *group)
   2433 {
   2434 	int tmp;
   2435 
   2436 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
   2437 		   "SETKEYS (VLAN-ID %d)", group->vlan_id);
   2438 	group->changed = TRUE;
   2439 	group->wpa_group_state = WPA_GROUP_SETKEYS;
   2440 	group->GTKReKey = FALSE;
   2441 	tmp = group->GM;
   2442 	group->GM = group->GN;
   2443 	group->GN = tmp;
   2444 #ifdef CONFIG_IEEE80211W
   2445 	tmp = group->GM_igtk;
   2446 	group->GM_igtk = group->GN_igtk;
   2447 	group->GN_igtk = tmp;
   2448 #endif /* CONFIG_IEEE80211W */
   2449 	/* "GKeyDoneStations = GNoStations" is done in more robust way by
   2450 	 * counting the STAs that are marked with GUpdateStationKeys instead of
   2451 	 * including all STAs that could be in not-yet-completed state. */
   2452 	wpa_gtk_update(wpa_auth, group);
   2453 
   2454 	if (group->GKeyDoneStations) {
   2455 		wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
   2456 			   "GKeyDoneStations=%d when starting new GTK rekey",
   2457 			   group->GKeyDoneStations);
   2458 		group->GKeyDoneStations = 0;
   2459 	}
   2460 	wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, NULL);
   2461 	wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
   2462 		   group->GKeyDoneStations);
   2463 }
   2464 
   2465 
   2466 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
   2467 				       struct wpa_group *group)
   2468 {
   2469 	int ret = 0;
   2470 
   2471 	if (wpa_auth_set_key(wpa_auth, group->vlan_id,
   2472 			     wpa_alg_enum(wpa_auth->conf.wpa_group),
   2473 			     broadcast_ether_addr, group->GN,
   2474 			     group->GTK[group->GN - 1], group->GTK_len) < 0)
   2475 		ret = -1;
   2476 
   2477 #ifdef CONFIG_IEEE80211W
   2478 	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION &&
   2479 	    wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK,
   2480 			     broadcast_ether_addr, group->GN_igtk,
   2481 			     group->IGTK[group->GN_igtk - 4],
   2482 			     WPA_IGTK_LEN) < 0)
   2483 		ret = -1;
   2484 #endif /* CONFIG_IEEE80211W */
   2485 
   2486 	return ret;
   2487 }
   2488 
   2489 
   2490 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
   2491 				 struct wpa_group *group)
   2492 {
   2493 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
   2494 		   "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
   2495 	group->changed = TRUE;
   2496 	group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
   2497 
   2498 	if (wpa_group_config_group_keys(wpa_auth, group) < 0)
   2499 		return -1;
   2500 
   2501 	return 0;
   2502 }
   2503 
   2504 
   2505 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
   2506 			      struct wpa_group *group)
   2507 {
   2508 	if (group->GInit) {
   2509 		wpa_group_gtk_init(wpa_auth, group);
   2510 	} else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
   2511 		   group->GTKAuthenticator) {
   2512 		wpa_group_setkeysdone(wpa_auth, group);
   2513 	} else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
   2514 		   group->GTKReKey) {
   2515 		wpa_group_setkeys(wpa_auth, group);
   2516 	} else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
   2517 		if (group->GKeyDoneStations == 0)
   2518 			wpa_group_setkeysdone(wpa_auth, group);
   2519 		else if (group->GTKReKey)
   2520 			wpa_group_setkeys(wpa_auth, group);
   2521 	}
   2522 }
   2523 
   2524 
   2525 static int wpa_sm_step(struct wpa_state_machine *sm)
   2526 {
   2527 	if (sm == NULL)
   2528 		return 0;
   2529 
   2530 	if (sm->in_step_loop) {
   2531 		/* This should not happen, but if it does, make sure we do not
   2532 		 * end up freeing the state machine too early by exiting the
   2533 		 * recursive call. */
   2534 		wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
   2535 		return 0;
   2536 	}
   2537 
   2538 	sm->in_step_loop = 1;
   2539 	do {
   2540 		if (sm->pending_deinit)
   2541 			break;
   2542 
   2543 		sm->changed = FALSE;
   2544 		sm->wpa_auth->group->changed = FALSE;
   2545 
   2546 		SM_STEP_RUN(WPA_PTK);
   2547 		if (sm->pending_deinit)
   2548 			break;
   2549 		SM_STEP_RUN(WPA_PTK_GROUP);
   2550 		if (sm->pending_deinit)
   2551 			break;
   2552 		wpa_group_sm_step(sm->wpa_auth, sm->group);
   2553 	} while (sm->changed || sm->wpa_auth->group->changed);
   2554 	sm->in_step_loop = 0;
   2555 
   2556 	if (sm->pending_deinit) {
   2557 		wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
   2558 			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
   2559 		wpa_free_sta_sm(sm);
   2560 		return 1;
   2561 	}
   2562 	return 0;
   2563 }
   2564 
   2565 
   2566 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
   2567 {
   2568 	struct wpa_state_machine *sm = eloop_ctx;
   2569 	wpa_sm_step(sm);
   2570 }
   2571 
   2572 
   2573 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
   2574 {
   2575 	if (sm == NULL)
   2576 		return;
   2577 	eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
   2578 }
   2579 
   2580 
   2581 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
   2582 {
   2583 	int tmp, i;
   2584 	struct wpa_group *group;
   2585 
   2586 	if (wpa_auth == NULL)
   2587 		return;
   2588 
   2589 	group = wpa_auth->group;
   2590 
   2591 	for (i = 0; i < 2; i++) {
   2592 		tmp = group->GM;
   2593 		group->GM = group->GN;
   2594 		group->GN = tmp;
   2595 #ifdef CONFIG_IEEE80211W
   2596 		tmp = group->GM_igtk;
   2597 		group->GM_igtk = group->GN_igtk;
   2598 		group->GN_igtk = tmp;
   2599 #endif /* CONFIG_IEEE80211W */
   2600 		wpa_gtk_update(wpa_auth, group);
   2601 		wpa_group_config_group_keys(wpa_auth, group);
   2602 	}
   2603 }
   2604 
   2605 
   2606 static const char * wpa_bool_txt(int bool)
   2607 {
   2608 	return bool ? "TRUE" : "FALSE";
   2609 }
   2610 
   2611 
   2612 static int wpa_cipher_bits(int cipher)
   2613 {
   2614 	switch (cipher) {
   2615 	case WPA_CIPHER_CCMP:
   2616 		return 128;
   2617 	case WPA_CIPHER_TKIP:
   2618 		return 256;
   2619 	case WPA_CIPHER_WEP104:
   2620 		return 104;
   2621 	case WPA_CIPHER_WEP40:
   2622 		return 40;
   2623 	default:
   2624 		return 0;
   2625 	}
   2626 }
   2627 
   2628 
   2629 #define RSN_SUITE "%02x-%02x-%02x-%d"
   2630 #define RSN_SUITE_ARG(s) \
   2631 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
   2632 
   2633 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
   2634 {
   2635 	int len = 0, ret;
   2636 	char pmkid_txt[PMKID_LEN * 2 + 1];
   2637 #ifdef CONFIG_RSN_PREAUTH
   2638 	const int preauth = 1;
   2639 #else /* CONFIG_RSN_PREAUTH */
   2640 	const int preauth = 0;
   2641 #endif /* CONFIG_RSN_PREAUTH */
   2642 
   2643 	if (wpa_auth == NULL)
   2644 		return len;
   2645 
   2646 	ret = os_snprintf(buf + len, buflen - len,
   2647 			  "dot11RSNAOptionImplemented=TRUE\n"
   2648 			  "dot11RSNAPreauthenticationImplemented=%s\n"
   2649 			  "dot11RSNAEnabled=%s\n"
   2650 			  "dot11RSNAPreauthenticationEnabled=%s\n",
   2651 			  wpa_bool_txt(preauth),
   2652 			  wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
   2653 			  wpa_bool_txt(wpa_auth->conf.rsn_preauth));
   2654 	if (ret < 0 || (size_t) ret >= buflen - len)
   2655 		return len;
   2656 	len += ret;
   2657 
   2658 	wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
   2659 			 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
   2660 
   2661 	ret = os_snprintf(
   2662 		buf + len, buflen - len,
   2663 		"dot11RSNAConfigVersion=%u\n"
   2664 		"dot11RSNAConfigPairwiseKeysSupported=9999\n"
   2665 		/* FIX: dot11RSNAConfigGroupCipher */
   2666 		/* FIX: dot11RSNAConfigGroupRekeyMethod */
   2667 		/* FIX: dot11RSNAConfigGroupRekeyTime */
   2668 		/* FIX: dot11RSNAConfigGroupRekeyPackets */
   2669 		"dot11RSNAConfigGroupRekeyStrict=%u\n"
   2670 		"dot11RSNAConfigGroupUpdateCount=%u\n"
   2671 		"dot11RSNAConfigPairwiseUpdateCount=%u\n"
   2672 		"dot11RSNAConfigGroupCipherSize=%u\n"
   2673 		"dot11RSNAConfigPMKLifetime=%u\n"
   2674 		"dot11RSNAConfigPMKReauthThreshold=%u\n"
   2675 		"dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
   2676 		"dot11RSNAConfigSATimeout=%u\n"
   2677 		"dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
   2678 		"dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
   2679 		"dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
   2680 		"dot11RSNAPMKIDUsed=%s\n"
   2681 		"dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
   2682 		"dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
   2683 		"dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
   2684 		"dot11RSNATKIPCounterMeasuresInvoked=%u\n"
   2685 		"dot11RSNA4WayHandshakeFailures=%u\n"
   2686 		"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
   2687 		RSN_VERSION,
   2688 		!!wpa_auth->conf.wpa_strict_rekey,
   2689 		dot11RSNAConfigGroupUpdateCount,
   2690 		dot11RSNAConfigPairwiseUpdateCount,
   2691 		wpa_cipher_bits(wpa_auth->conf.wpa_group),
   2692 		dot11RSNAConfigPMKLifetime,
   2693 		dot11RSNAConfigPMKReauthThreshold,
   2694 		dot11RSNAConfigSATimeout,
   2695 		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
   2696 		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
   2697 		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
   2698 		pmkid_txt,
   2699 		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
   2700 		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
   2701 		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
   2702 		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
   2703 		wpa_auth->dot11RSNA4WayHandshakeFailures);
   2704 	if (ret < 0 || (size_t) ret >= buflen - len)
   2705 		return len;
   2706 	len += ret;
   2707 
   2708 	/* TODO: dot11RSNAConfigPairwiseCiphersTable */
   2709 	/* TODO: dot11RSNAConfigAuthenticationSuitesTable */
   2710 
   2711 	/* Private MIB */
   2712 	ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
   2713 			  wpa_auth->group->wpa_group_state);
   2714 	if (ret < 0 || (size_t) ret >= buflen - len)
   2715 		return len;
   2716 	len += ret;
   2717 
   2718 	return len;
   2719 }
   2720 
   2721 
   2722 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
   2723 {
   2724 	int len = 0, ret;
   2725 	u32 pairwise = 0;
   2726 
   2727 	if (sm == NULL)
   2728 		return 0;
   2729 
   2730 	/* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
   2731 
   2732 	/* dot11RSNAStatsEntry */
   2733 
   2734 	if (sm->wpa == WPA_VERSION_WPA) {
   2735 		if (sm->pairwise == WPA_CIPHER_CCMP)
   2736 			pairwise = WPA_CIPHER_SUITE_CCMP;
   2737 		else if (sm->pairwise == WPA_CIPHER_TKIP)
   2738 			pairwise = WPA_CIPHER_SUITE_TKIP;
   2739 		else if (sm->pairwise == WPA_CIPHER_WEP104)
   2740 			pairwise = WPA_CIPHER_SUITE_WEP104;
   2741 		else if (sm->pairwise == WPA_CIPHER_WEP40)
   2742 			pairwise = WPA_CIPHER_SUITE_WEP40;
   2743 		else if (sm->pairwise == WPA_CIPHER_NONE)
   2744 			pairwise = WPA_CIPHER_SUITE_NONE;
   2745 	} else if (sm->wpa == WPA_VERSION_WPA2) {
   2746 		if (sm->pairwise == WPA_CIPHER_CCMP)
   2747 			pairwise = RSN_CIPHER_SUITE_CCMP;
   2748 		else if (sm->pairwise == WPA_CIPHER_TKIP)
   2749 			pairwise = RSN_CIPHER_SUITE_TKIP;
   2750 		else if (sm->pairwise == WPA_CIPHER_WEP104)
   2751 			pairwise = RSN_CIPHER_SUITE_WEP104;
   2752 		else if (sm->pairwise == WPA_CIPHER_WEP40)
   2753 			pairwise = RSN_CIPHER_SUITE_WEP40;
   2754 		else if (sm->pairwise == WPA_CIPHER_NONE)
   2755 			pairwise = RSN_CIPHER_SUITE_NONE;
   2756 	} else
   2757 		return 0;
   2758 
   2759 	ret = os_snprintf(
   2760 		buf + len, buflen - len,
   2761 		/* TODO: dot11RSNAStatsIndex */
   2762 		"dot11RSNAStatsSTAAddress=" MACSTR "\n"
   2763 		"dot11RSNAStatsVersion=1\n"
   2764 		"dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
   2765 		/* TODO: dot11RSNAStatsTKIPICVErrors */
   2766 		"dot11RSNAStatsTKIPLocalMICFailures=%u\n"
   2767 		"dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
   2768 		/* TODO: dot11RSNAStatsCCMPReplays */
   2769 		/* TODO: dot11RSNAStatsCCMPDecryptErrors */
   2770 		/* TODO: dot11RSNAStatsTKIPReplays */,
   2771 		MAC2STR(sm->addr),
   2772 		RSN_SUITE_ARG(pairwise),
   2773 		sm->dot11RSNAStatsTKIPLocalMICFailures,
   2774 		sm->dot11RSNAStatsTKIPRemoteMICFailures);
   2775 	if (ret < 0 || (size_t) ret >= buflen - len)
   2776 		return len;
   2777 	len += ret;
   2778 
   2779 	/* Private MIB */
   2780 	ret = os_snprintf(buf + len, buflen - len,
   2781 			  "hostapdWPAPTKState=%d\n"
   2782 			  "hostapdWPAPTKGroupState=%d\n",
   2783 			  sm->wpa_ptk_state,
   2784 			  sm->wpa_ptk_group_state);
   2785 	if (ret < 0 || (size_t) ret >= buflen - len)
   2786 		return len;
   2787 	len += ret;
   2788 
   2789 	return len;
   2790 }
   2791 
   2792 
   2793 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
   2794 {
   2795 	if (wpa_auth)
   2796 		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
   2797 }
   2798 
   2799 
   2800 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
   2801 {
   2802 	return sm && sm->pairwise_set;
   2803 }
   2804 
   2805 
   2806 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
   2807 {
   2808 	return sm->pairwise;
   2809 }
   2810 
   2811 
   2812 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
   2813 {
   2814 	if (sm == NULL)
   2815 		return -1;
   2816 	return sm->wpa_key_mgmt;
   2817 }
   2818 
   2819 
   2820 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
   2821 {
   2822 	if (sm == NULL)
   2823 		return 0;
   2824 	return sm->wpa;
   2825 }
   2826 
   2827 
   2828 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
   2829 			     struct rsn_pmksa_cache_entry *entry)
   2830 {
   2831 	if (sm == NULL || sm->pmksa != entry)
   2832 		return -1;
   2833 	sm->pmksa = NULL;
   2834 	return 0;
   2835 }
   2836 
   2837 
   2838 struct rsn_pmksa_cache_entry *
   2839 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
   2840 {
   2841 	return sm ? sm->pmksa : NULL;
   2842 }
   2843 
   2844 
   2845 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
   2846 {
   2847 	if (sm)
   2848 		sm->dot11RSNAStatsTKIPLocalMICFailures++;
   2849 }
   2850 
   2851 
   2852 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
   2853 {
   2854 	if (wpa_auth == NULL)
   2855 		return NULL;
   2856 	*len = wpa_auth->wpa_ie_len;
   2857 	return wpa_auth->wpa_ie;
   2858 }
   2859 
   2860 
   2861 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
   2862 		       int session_timeout, struct eapol_state_machine *eapol)
   2863 {
   2864 	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
   2865 	    sm->wpa_auth->conf.disable_pmksa_caching)
   2866 		return -1;
   2867 
   2868 	if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
   2869 				 sm->wpa_auth->addr, sm->addr, session_timeout,
   2870 				 eapol, sm->wpa_key_mgmt))
   2871 		return 0;
   2872 
   2873 	return -1;
   2874 }
   2875 
   2876 
   2877 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
   2878 			       const u8 *pmk, size_t len, const u8 *sta_addr,
   2879 			       int session_timeout,
   2880 			       struct eapol_state_machine *eapol)
   2881 {
   2882 	if (wpa_auth == NULL)
   2883 		return -1;
   2884 
   2885 	if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr,
   2886 				 sta_addr, session_timeout, eapol,
   2887 				 WPA_KEY_MGMT_IEEE8021X))
   2888 		return 0;
   2889 
   2890 	return -1;
   2891 }
   2892 
   2893 
   2894 static struct wpa_group *
   2895 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
   2896 {
   2897 	struct wpa_group *group;
   2898 
   2899 	if (wpa_auth == NULL || wpa_auth->group == NULL)
   2900 		return NULL;
   2901 
   2902 	wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
   2903 		   vlan_id);
   2904 	group = wpa_group_init(wpa_auth, vlan_id, 0);
   2905 	if (group == NULL)
   2906 		return NULL;
   2907 
   2908 	group->next = wpa_auth->group->next;
   2909 	wpa_auth->group->next = group;
   2910 
   2911 	return group;
   2912 }
   2913 
   2914 
   2915 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
   2916 {
   2917 	struct wpa_group *group;
   2918 
   2919 	if (sm == NULL || sm->wpa_auth == NULL)
   2920 		return 0;
   2921 
   2922 	group = sm->wpa_auth->group;
   2923 	while (group) {
   2924 		if (group->vlan_id == vlan_id)
   2925 			break;
   2926 		group = group->next;
   2927 	}
   2928 
   2929 	if (group == NULL) {
   2930 		group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
   2931 		if (group == NULL)
   2932 			return -1;
   2933 	}
   2934 
   2935 	if (sm->group == group)
   2936 		return 0;
   2937 
   2938 	wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
   2939 		   "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
   2940 
   2941 	sm->group = group;
   2942 	return 0;
   2943 }
   2944 
   2945 
   2946 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
   2947 				  struct wpa_state_machine *sm, int ack)
   2948 {
   2949 	if (wpa_auth == NULL || sm == NULL)
   2950 		return;
   2951 	wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
   2952 		   " ack=%d", MAC2STR(sm->addr), ack);
   2953 	if (sm->pending_1_of_4_timeout && ack) {
   2954 		/*
   2955 		 * Some deployed supplicant implementations update their SNonce
   2956 		 * for each EAPOL-Key 2/4 message even within the same 4-way
   2957 		 * handshake and then fail to use the first SNonce when
   2958 		 * deriving the PTK. This results in unsuccessful 4-way
   2959 		 * handshake whenever the relatively short initial timeout is
   2960 		 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
   2961 		 * around this by increasing the timeout now that we know that
   2962 		 * the station has received the frame.
   2963 		 */
   2964 		int timeout_ms = eapol_key_timeout_subseq;
   2965 		wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
   2966 			   "timeout by %u ms because of acknowledged frame",
   2967 			   timeout_ms);
   2968 		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
   2969 		eloop_register_timeout(timeout_ms / 1000,
   2970 				       (timeout_ms % 1000) * 1000,
   2971 				       wpa_send_eapol_timeout, wpa_auth, sm);
   2972 	}
   2973 }
   2974