Home | History | Annotate | Download | only in ap
      1 /*
      2  * IEEE 802.11 RSN / WPA Authenticator
      3  * Copyright (c) 2004-2011, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "utils/includes.h"
     10 
     11 #include "utils/common.h"
     12 #include "utils/eloop.h"
     13 #include "utils/state_machine.h"
     14 #include "common/ieee802_11_defs.h"
     15 #include "crypto/aes_wrap.h"
     16 #include "crypto/crypto.h"
     17 #include "crypto/sha1.h"
     18 #include "crypto/sha256.h"
     19 #include "crypto/random.h"
     20 #include "eapol_auth/eapol_auth_sm.h"
     21 #include "ap_config.h"
     22 #include "ieee802_11.h"
     23 #include "wpa_auth.h"
     24 #include "pmksa_cache_auth.h"
     25 #include "wpa_auth_i.h"
     26 #include "wpa_auth_ie.h"
     27 
     28 #define STATE_MACHINE_DATA struct wpa_state_machine
     29 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
     30 #define STATE_MACHINE_ADDR sm->addr
     31 
     32 
     33 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
     34 static int wpa_sm_step(struct wpa_state_machine *sm);
     35 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len);
     36 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
     37 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
     38 			      struct wpa_group *group);
     39 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
     40 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
     41 			  struct wpa_group *group);
     42 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
     43 				       struct wpa_group *group);
     44 
     45 static const u32 dot11RSNAConfigGroupUpdateCount = 4;
     46 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
     47 static const u32 eapol_key_timeout_first = 100; /* ms */
     48 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
     49 static const u32 eapol_key_timeout_first_group = 500; /* ms */
     50 
     51 /* TODO: make these configurable */
     52 static const int dot11RSNAConfigPMKLifetime = 43200;
     53 static const int dot11RSNAConfigPMKReauthThreshold = 70;
     54 static const int dot11RSNAConfigSATimeout = 60;
     55 
     56 
     57 static inline void wpa_auth_mic_failure_report(
     58 	struct wpa_authenticator *wpa_auth, const u8 *addr)
     59 {
     60 	if (wpa_auth->cb.mic_failure_report)
     61 		wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
     62 }
     63 
     64 
     65 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
     66 				      const u8 *addr, wpa_eapol_variable var,
     67 				      int value)
     68 {
     69 	if (wpa_auth->cb.set_eapol)
     70 		wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
     71 }
     72 
     73 
     74 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
     75 				     const u8 *addr, wpa_eapol_variable var)
     76 {
     77 	if (wpa_auth->cb.get_eapol == NULL)
     78 		return -1;
     79 	return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
     80 }
     81 
     82 
     83 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
     84 					  const u8 *addr, const u8 *prev_psk)
     85 {
     86 	if (wpa_auth->cb.get_psk == NULL)
     87 		return NULL;
     88 	return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, prev_psk);
     89 }
     90 
     91 
     92 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
     93 				   const u8 *addr, u8 *msk, size_t *len)
     94 {
     95 	if (wpa_auth->cb.get_msk == NULL)
     96 		return -1;
     97 	return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
     98 }
     99 
    100 
    101 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
    102 				   int vlan_id,
    103 				   enum wpa_alg alg, const u8 *addr, int idx,
    104 				   u8 *key, size_t key_len)
    105 {
    106 	if (wpa_auth->cb.set_key == NULL)
    107 		return -1;
    108 	return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
    109 				    key, key_len);
    110 }
    111 
    112 
    113 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
    114 				      const u8 *addr, int idx, u8 *seq)
    115 {
    116 	if (wpa_auth->cb.get_seqnum == NULL)
    117 		return -1;
    118 	return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
    119 }
    120 
    121 
    122 static inline int
    123 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
    124 		    const u8 *data, size_t data_len, int encrypt)
    125 {
    126 	if (wpa_auth->cb.send_eapol == NULL)
    127 		return -1;
    128 	return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
    129 				       encrypt);
    130 }
    131 
    132 
    133 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
    134 			  int (*cb)(struct wpa_state_machine *sm, void *ctx),
    135 			  void *cb_ctx)
    136 {
    137 	if (wpa_auth->cb.for_each_sta == NULL)
    138 		return 0;
    139 	return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
    140 }
    141 
    142 
    143 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
    144 			   int (*cb)(struct wpa_authenticator *a, void *ctx),
    145 			   void *cb_ctx)
    146 {
    147 	if (wpa_auth->cb.for_each_auth == NULL)
    148 		return 0;
    149 	return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
    150 }
    151 
    152 
    153 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
    154 		     logger_level level, const char *txt)
    155 {
    156 	if (wpa_auth->cb.logger == NULL)
    157 		return;
    158 	wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
    159 }
    160 
    161 
    162 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
    163 		      logger_level level, const char *fmt, ...)
    164 {
    165 	char *format;
    166 	int maxlen;
    167 	va_list ap;
    168 
    169 	if (wpa_auth->cb.logger == NULL)
    170 		return;
    171 
    172 	maxlen = os_strlen(fmt) + 100;
    173 	format = os_malloc(maxlen);
    174 	if (!format)
    175 		return;
    176 
    177 	va_start(ap, fmt);
    178 	vsnprintf(format, maxlen, fmt, ap);
    179 	va_end(ap);
    180 
    181 	wpa_auth_logger(wpa_auth, addr, level, format);
    182 
    183 	os_free(format);
    184 }
    185 
    186 
    187 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
    188 			       const u8 *addr)
    189 {
    190 	if (wpa_auth->cb.disconnect == NULL)
    191 		return;
    192 	wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
    193 	wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
    194 				WLAN_REASON_PREV_AUTH_NOT_VALID);
    195 }
    196 
    197 
    198 static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
    199 {
    200 	int ret = 0;
    201 #ifdef CONFIG_IEEE80211R
    202 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
    203 		ret = 1;
    204 #endif /* CONFIG_IEEE80211R */
    205 #ifdef CONFIG_IEEE80211W
    206 	if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
    207 		ret = 1;
    208 #endif /* CONFIG_IEEE80211W */
    209 	return ret;
    210 }
    211 
    212 
    213 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
    214 {
    215 	struct wpa_authenticator *wpa_auth = eloop_ctx;
    216 
    217 	if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
    218 		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
    219 			   "initialization.");
    220 	} else {
    221 		wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
    222 		wpa_hexdump_key(MSG_DEBUG, "GMK",
    223 				wpa_auth->group->GMK, WPA_GMK_LEN);
    224 	}
    225 
    226 	if (wpa_auth->conf.wpa_gmk_rekey) {
    227 		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
    228 				       wpa_rekey_gmk, wpa_auth, NULL);
    229 	}
    230 }
    231 
    232 
    233 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
    234 {
    235 	struct wpa_authenticator *wpa_auth = eloop_ctx;
    236 	struct wpa_group *group;
    237 
    238 	wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
    239 	for (group = wpa_auth->group; group; group = group->next) {
    240 		group->GTKReKey = TRUE;
    241 		do {
    242 			group->changed = FALSE;
    243 			wpa_group_sm_step(wpa_auth, group);
    244 		} while (group->changed);
    245 	}
    246 
    247 	if (wpa_auth->conf.wpa_group_rekey) {
    248 		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
    249 				       0, wpa_rekey_gtk, wpa_auth, NULL);
    250 	}
    251 }
    252 
    253 
    254 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
    255 {
    256 	struct wpa_authenticator *wpa_auth = eloop_ctx;
    257 	struct wpa_state_machine *sm = timeout_ctx;
    258 
    259 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
    260 	wpa_request_new_ptk(sm);
    261 	wpa_sm_step(sm);
    262 }
    263 
    264 
    265 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
    266 {
    267 	if (sm->pmksa == ctx)
    268 		sm->pmksa = NULL;
    269 	return 0;
    270 }
    271 
    272 
    273 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
    274 				   void *ctx)
    275 {
    276 	struct wpa_authenticator *wpa_auth = ctx;
    277 	wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
    278 }
    279 
    280 
    281 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
    282 					  struct wpa_group *group)
    283 {
    284 	u8 buf[ETH_ALEN + 8 + sizeof(group)];
    285 	u8 rkey[32];
    286 
    287 	if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
    288 		return -1;
    289 	wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
    290 
    291 	/*
    292 	 * Counter = PRF-256(Random number, "Init Counter",
    293 	 *                   Local MAC Address || Time)
    294 	 */
    295 	os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
    296 	wpa_get_ntp_timestamp(buf + ETH_ALEN);
    297 	os_memcpy(buf + ETH_ALEN + 8, &group, sizeof(group));
    298 	if (random_get_bytes(rkey, sizeof(rkey)) < 0)
    299 		return -1;
    300 
    301 	if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
    302 		     group->Counter, WPA_NONCE_LEN) < 0)
    303 		return -1;
    304 	wpa_hexdump_key(MSG_DEBUG, "Key Counter",
    305 			group->Counter, WPA_NONCE_LEN);
    306 
    307 	return 0;
    308 }
    309 
    310 
    311 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
    312 					 int vlan_id, int delay_init)
    313 {
    314 	struct wpa_group *group;
    315 
    316 	group = os_zalloc(sizeof(struct wpa_group));
    317 	if (group == NULL)
    318 		return NULL;
    319 
    320 	group->GTKAuthenticator = TRUE;
    321 	group->vlan_id = vlan_id;
    322 	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
    323 
    324 	if (random_pool_ready() != 1) {
    325 		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
    326 			   "for secure operations - update keys later when "
    327 			   "the first station connects");
    328 	}
    329 
    330 	/*
    331 	 * Set initial GMK/Counter value here. The actual values that will be
    332 	 * used in negotiations will be set once the first station tries to
    333 	 * connect. This allows more time for collecting additional randomness
    334 	 * on embedded devices.
    335 	 */
    336 	if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
    337 		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
    338 			   "initialization.");
    339 		os_free(group);
    340 		return NULL;
    341 	}
    342 
    343 	group->GInit = TRUE;
    344 	if (delay_init) {
    345 		wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
    346 			   "until Beacon frames have been configured");
    347 		/* Initialization is completed in wpa_init_keys(). */
    348 	} else {
    349 		wpa_group_sm_step(wpa_auth, group);
    350 		group->GInit = FALSE;
    351 		wpa_group_sm_step(wpa_auth, group);
    352 	}
    353 
    354 	return group;
    355 }
    356 
    357 
    358 /**
    359  * wpa_init - Initialize WPA authenticator
    360  * @addr: Authenticator address
    361  * @conf: Configuration for WPA authenticator
    362  * @cb: Callback functions for WPA authenticator
    363  * Returns: Pointer to WPA authenticator data or %NULL on failure
    364  */
    365 struct wpa_authenticator * wpa_init(const u8 *addr,
    366 				    struct wpa_auth_config *conf,
    367 				    struct wpa_auth_callbacks *cb)
    368 {
    369 	struct wpa_authenticator *wpa_auth;
    370 
    371 	wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
    372 	if (wpa_auth == NULL)
    373 		return NULL;
    374 	os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
    375 	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
    376 	os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
    377 
    378 	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
    379 		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
    380 		os_free(wpa_auth);
    381 		return NULL;
    382 	}
    383 
    384 	wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
    385 	if (wpa_auth->group == NULL) {
    386 		os_free(wpa_auth->wpa_ie);
    387 		os_free(wpa_auth);
    388 		return NULL;
    389 	}
    390 
    391 	wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
    392 						wpa_auth);
    393 	if (wpa_auth->pmksa == NULL) {
    394 		wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
    395 		os_free(wpa_auth->wpa_ie);
    396 		os_free(wpa_auth);
    397 		return NULL;
    398 	}
    399 
    400 #ifdef CONFIG_IEEE80211R
    401 	wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
    402 	if (wpa_auth->ft_pmk_cache == NULL) {
    403 		wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
    404 		os_free(wpa_auth->wpa_ie);
    405 		pmksa_cache_auth_deinit(wpa_auth->pmksa);
    406 		os_free(wpa_auth);
    407 		return NULL;
    408 	}
    409 #endif /* CONFIG_IEEE80211R */
    410 
    411 	if (wpa_auth->conf.wpa_gmk_rekey) {
    412 		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
    413 				       wpa_rekey_gmk, wpa_auth, NULL);
    414 	}
    415 
    416 	if (wpa_auth->conf.wpa_group_rekey) {
    417 		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
    418 				       wpa_rekey_gtk, wpa_auth, NULL);
    419 	}
    420 
    421 	return wpa_auth;
    422 }
    423 
    424 
    425 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
    426 {
    427 	struct wpa_group *group = wpa_auth->group;
    428 
    429 	wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
    430 		   "keys");
    431 	wpa_group_sm_step(wpa_auth, group);
    432 	group->GInit = FALSE;
    433 	wpa_group_sm_step(wpa_auth, group);
    434 	return 0;
    435 }
    436 
    437 
    438 /**
    439  * wpa_deinit - Deinitialize WPA authenticator
    440  * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
    441  */
    442 void wpa_deinit(struct wpa_authenticator *wpa_auth)
    443 {
    444 	struct wpa_group *group, *prev;
    445 
    446 	eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
    447 	eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
    448 
    449 #ifdef CONFIG_PEERKEY
    450 	while (wpa_auth->stsl_negotiations)
    451 		wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
    452 #endif /* CONFIG_PEERKEY */
    453 
    454 	pmksa_cache_auth_deinit(wpa_auth->pmksa);
    455 
    456 #ifdef CONFIG_IEEE80211R
    457 	wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
    458 	wpa_auth->ft_pmk_cache = NULL;
    459 #endif /* CONFIG_IEEE80211R */
    460 
    461 	os_free(wpa_auth->wpa_ie);
    462 
    463 	group = wpa_auth->group;
    464 	while (group) {
    465 		prev = group;
    466 		group = group->next;
    467 		os_free(prev);
    468 	}
    469 
    470 	os_free(wpa_auth);
    471 }
    472 
    473 
    474 /**
    475  * wpa_reconfig - Update WPA authenticator configuration
    476  * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
    477  * @conf: Configuration for WPA authenticator
    478  */
    479 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
    480 		 struct wpa_auth_config *conf)
    481 {
    482 	struct wpa_group *group;
    483 	if (wpa_auth == NULL)
    484 		return 0;
    485 
    486 	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
    487 	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
    488 		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
    489 		return -1;
    490 	}
    491 
    492 	/*
    493 	 * Reinitialize GTK to make sure it is suitable for the new
    494 	 * configuration.
    495 	 */
    496 	group = wpa_auth->group;
    497 	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
    498 	group->GInit = TRUE;
    499 	wpa_group_sm_step(wpa_auth, group);
    500 	group->GInit = FALSE;
    501 	wpa_group_sm_step(wpa_auth, group);
    502 
    503 	return 0;
    504 }
    505 
    506 
    507 struct wpa_state_machine *
    508 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr)
    509 {
    510 	struct wpa_state_machine *sm;
    511 
    512 	sm = os_zalloc(sizeof(struct wpa_state_machine));
    513 	if (sm == NULL)
    514 		return NULL;
    515 	os_memcpy(sm->addr, addr, ETH_ALEN);
    516 
    517 	sm->wpa_auth = wpa_auth;
    518 	sm->group = wpa_auth->group;
    519 
    520 	return sm;
    521 }
    522 
    523 
    524 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
    525 			    struct wpa_state_machine *sm)
    526 {
    527 	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
    528 		return -1;
    529 
    530 #ifdef CONFIG_IEEE80211R
    531 	if (sm->ft_completed) {
    532 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
    533 				"FT authentication already completed - do not "
    534 				"start 4-way handshake");
    535 		return 0;
    536 	}
    537 #endif /* CONFIG_IEEE80211R */
    538 
    539 	if (sm->started) {
    540 		os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
    541 		sm->ReAuthenticationRequest = TRUE;
    542 		return wpa_sm_step(sm);
    543 	}
    544 
    545 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
    546 			"start authentication");
    547 	sm->started = 1;
    548 
    549 	sm->Init = TRUE;
    550 	if (wpa_sm_step(sm) == 1)
    551 		return 1; /* should not really happen */
    552 	sm->Init = FALSE;
    553 	sm->AuthenticationRequest = TRUE;
    554 	return wpa_sm_step(sm);
    555 }
    556 
    557 
    558 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
    559 {
    560 	/* WPA/RSN was not used - clear WPA state. This is needed if the STA
    561 	 * reassociates back to the same AP while the previous entry for the
    562 	 * STA has not yet been removed. */
    563 	if (sm == NULL)
    564 		return;
    565 
    566 	sm->wpa_key_mgmt = 0;
    567 }
    568 
    569 
    570 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
    571 {
    572 	if (sm->GUpdateStationKeys) {
    573 		sm->group->GKeyDoneStations--;
    574 		sm->GUpdateStationKeys = FALSE;
    575 	}
    576 #ifdef CONFIG_IEEE80211R
    577 	os_free(sm->assoc_resp_ftie);
    578 #endif /* CONFIG_IEEE80211R */
    579 	os_free(sm->last_rx_eapol_key);
    580 	os_free(sm->wpa_ie);
    581 	os_free(sm);
    582 }
    583 
    584 
    585 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
    586 {
    587 	if (sm == NULL)
    588 		return;
    589 
    590 	if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
    591 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
    592 				"strict rekeying - force GTK rekey since STA "
    593 				"is leaving");
    594 		eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
    595 		eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
    596 				       NULL);
    597 	}
    598 
    599 	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
    600 	sm->pending_1_of_4_timeout = 0;
    601 	eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
    602 	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
    603 	if (sm->in_step_loop) {
    604 		/* Must not free state machine while wpa_sm_step() is running.
    605 		 * Freeing will be completed in the end of wpa_sm_step(). */
    606 		wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
    607 			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
    608 		sm->pending_deinit = 1;
    609 	} else
    610 		wpa_free_sta_sm(sm);
    611 }
    612 
    613 
    614 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
    615 {
    616 	if (sm == NULL)
    617 		return;
    618 
    619 	sm->PTKRequest = TRUE;
    620 	sm->PTK_valid = 0;
    621 }
    622 
    623 
    624 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
    625 				    const u8 *replay_counter)
    626 {
    627 	int i;
    628 	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
    629 		if (!ctr[i].valid)
    630 			break;
    631 		if (os_memcmp(replay_counter, ctr[i].counter,
    632 			      WPA_REPLAY_COUNTER_LEN) == 0)
    633 			return 1;
    634 	}
    635 	return 0;
    636 }
    637 
    638 
    639 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
    640 					    const u8 *replay_counter)
    641 {
    642 	int i;
    643 	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
    644 		if (ctr[i].valid &&
    645 		    (replay_counter == NULL ||
    646 		     os_memcmp(replay_counter, ctr[i].counter,
    647 			       WPA_REPLAY_COUNTER_LEN) == 0))
    648 			ctr[i].valid = FALSE;
    649 	}
    650 }
    651 
    652 
    653 #ifdef CONFIG_IEEE80211R
    654 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
    655 			       struct wpa_state_machine *sm,
    656 			       struct wpa_eapol_ie_parse *kde)
    657 {
    658 	struct wpa_ie_data ie;
    659 	struct rsn_mdie *mdie;
    660 
    661 	if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
    662 	    ie.num_pmkid != 1 || ie.pmkid == NULL) {
    663 		wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
    664 			   "FT 4-way handshake message 2/4");
    665 		return -1;
    666 	}
    667 
    668 	os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
    669 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
    670 		    sm->sup_pmk_r1_name, PMKID_LEN);
    671 
    672 	if (!kde->mdie || !kde->ftie) {
    673 		wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
    674 			   "message 2/4", kde->mdie ? "FTIE" : "MDIE");
    675 		return -1;
    676 	}
    677 
    678 	mdie = (struct rsn_mdie *) (kde->mdie + 2);
    679 	if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
    680 	    os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
    681 		      MOBILITY_DOMAIN_ID_LEN) != 0) {
    682 		wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
    683 		return -1;
    684 	}
    685 
    686 	if (sm->assoc_resp_ftie &&
    687 	    (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
    688 	     os_memcmp(kde->ftie, sm->assoc_resp_ftie,
    689 		       2 + sm->assoc_resp_ftie[1]) != 0)) {
    690 		wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
    691 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
    692 			    kde->ftie, kde->ftie_len);
    693 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
    694 			    sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
    695 		return -1;
    696 	}
    697 
    698 	return 0;
    699 }
    700 #endif /* CONFIG_IEEE80211R */
    701 
    702 
    703 static void wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
    704 				     struct wpa_state_machine *sm, int group)
    705 {
    706 	/* Supplicant reported a Michael MIC error */
    707 	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
    708 			 "received EAPOL-Key Error Request "
    709 			 "(STA detected Michael MIC failure (group=%d))",
    710 			 group);
    711 
    712 	if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
    713 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
    714 				"ignore Michael MIC failure report since "
    715 				"group cipher is not TKIP");
    716 	} else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
    717 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
    718 				"ignore Michael MIC failure report since "
    719 				"pairwise cipher is not TKIP");
    720 	} else {
    721 		wpa_auth_mic_failure_report(wpa_auth, sm->addr);
    722 		sm->dot11RSNAStatsTKIPRemoteMICFailures++;
    723 		wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
    724 	}
    725 
    726 	/*
    727 	 * Error report is not a request for a new key handshake, but since
    728 	 * Authenticator may do it, let's change the keys now anyway.
    729 	 */
    730 	wpa_request_new_ptk(sm);
    731 }
    732 
    733 
    734 void wpa_receive(struct wpa_authenticator *wpa_auth,
    735 		 struct wpa_state_machine *sm,
    736 		 u8 *data, size_t data_len)
    737 {
    738 	struct ieee802_1x_hdr *hdr;
    739 	struct wpa_eapol_key *key;
    740 	u16 key_info, key_data_length;
    741 	enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
    742 	       SMK_M1, SMK_M3, SMK_ERROR } msg;
    743 	char *msgtxt;
    744 	struct wpa_eapol_ie_parse kde;
    745 	int ft;
    746 	const u8 *eapol_key_ie;
    747 	size_t eapol_key_ie_len;
    748 
    749 	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
    750 		return;
    751 
    752 	if (data_len < sizeof(*hdr) + sizeof(*key))
    753 		return;
    754 
    755 	hdr = (struct ieee802_1x_hdr *) data;
    756 	key = (struct wpa_eapol_key *) (hdr + 1);
    757 	key_info = WPA_GET_BE16(key->key_info);
    758 	key_data_length = WPA_GET_BE16(key->key_data_length);
    759 	wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
    760 		   " key_info=0x%x type=%u key_data_length=%u",
    761 		   MAC2STR(sm->addr), key_info, key->type, key_data_length);
    762 	if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
    763 		wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
    764 			   "key_data overflow (%d > %lu)",
    765 			   key_data_length,
    766 			   (unsigned long) (data_len - sizeof(*hdr) -
    767 					    sizeof(*key)));
    768 		return;
    769 	}
    770 
    771 	if (sm->wpa == WPA_VERSION_WPA2) {
    772 		if (key->type == EAPOL_KEY_TYPE_WPA) {
    773 			/*
    774 			 * Some deployed station implementations seem to send
    775 			 * msg 4/4 with incorrect type value in WPA2 mode.
    776 			 */
    777 			wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
    778 				   "with unexpected WPA type in RSN mode");
    779 		} else if (key->type != EAPOL_KEY_TYPE_RSN) {
    780 			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
    781 				   "unexpected type %d in RSN mode",
    782 				   key->type);
    783 			return;
    784 		}
    785 	} else {
    786 		if (key->type != EAPOL_KEY_TYPE_WPA) {
    787 			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
    788 				   "unexpected type %d in WPA mode",
    789 				   key->type);
    790 			return;
    791 		}
    792 	}
    793 
    794 	wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
    795 		    WPA_NONCE_LEN);
    796 	wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
    797 		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
    798 
    799 	/* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
    800 	 * are set */
    801 
    802 	if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
    803 	    (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
    804 		if (key_info & WPA_KEY_INFO_ERROR) {
    805 			msg = SMK_ERROR;
    806 			msgtxt = "SMK Error";
    807 		} else {
    808 			msg = SMK_M1;
    809 			msgtxt = "SMK M1";
    810 		}
    811 	} else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
    812 		msg = SMK_M3;
    813 		msgtxt = "SMK M3";
    814 	} else if (key_info & WPA_KEY_INFO_REQUEST) {
    815 		msg = REQUEST;
    816 		msgtxt = "Request";
    817 	} else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
    818 		msg = GROUP_2;
    819 		msgtxt = "2/2 Group";
    820 	} else if (key_data_length == 0) {
    821 		msg = PAIRWISE_4;
    822 		msgtxt = "4/4 Pairwise";
    823 	} else {
    824 		msg = PAIRWISE_2;
    825 		msgtxt = "2/4 Pairwise";
    826 	}
    827 
    828 	/* TODO: key_info type validation for PeerKey */
    829 	if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
    830 	    msg == GROUP_2) {
    831 		u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
    832 		if (sm->pairwise == WPA_CIPHER_CCMP ||
    833 		    sm->pairwise == WPA_CIPHER_GCMP) {
    834 			if (wpa_use_aes_cmac(sm) &&
    835 			    ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
    836 				wpa_auth_logger(wpa_auth, sm->addr,
    837 						LOGGER_WARNING,
    838 						"advertised support for "
    839 						"AES-128-CMAC, but did not "
    840 						"use it");
    841 				return;
    842 			}
    843 
    844 			if (!wpa_use_aes_cmac(sm) &&
    845 			    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
    846 				wpa_auth_logger(wpa_auth, sm->addr,
    847 						LOGGER_WARNING,
    848 						"did not use HMAC-SHA1-AES "
    849 						"with CCMP/GCMP");
    850 				return;
    851 			}
    852 		}
    853 	}
    854 
    855 	if (key_info & WPA_KEY_INFO_REQUEST) {
    856 		if (sm->req_replay_counter_used &&
    857 		    os_memcmp(key->replay_counter, sm->req_replay_counter,
    858 			      WPA_REPLAY_COUNTER_LEN) <= 0) {
    859 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
    860 					"received EAPOL-Key request with "
    861 					"replayed counter");
    862 			return;
    863 		}
    864 	}
    865 
    866 	if (!(key_info & WPA_KEY_INFO_REQUEST) &&
    867 	    !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
    868 		int i;
    869 
    870 		if (msg == PAIRWISE_2 &&
    871 		    wpa_replay_counter_valid(sm->prev_key_replay,
    872 					     key->replay_counter) &&
    873 		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
    874 		    os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
    875 		{
    876 			/*
    877 			 * Some supplicant implementations (e.g., Windows XP
    878 			 * WZC) update SNonce for each EAPOL-Key 2/4. This
    879 			 * breaks the workaround on accepting any of the
    880 			 * pending requests, so allow the SNonce to be updated
    881 			 * even if we have already sent out EAPOL-Key 3/4.
    882 			 */
    883 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
    884 					 "Process SNonce update from STA "
    885 					 "based on retransmitted EAPOL-Key "
    886 					 "1/4");
    887 			sm->update_snonce = 1;
    888 			wpa_replay_counter_mark_invalid(sm->prev_key_replay,
    889 							key->replay_counter);
    890 			goto continue_processing;
    891 		}
    892 
    893 		if (msg == PAIRWISE_2 &&
    894 		    wpa_replay_counter_valid(sm->prev_key_replay,
    895 					     key->replay_counter) &&
    896 		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
    897 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
    898 					 "ignore retransmitted EAPOL-Key %s - "
    899 					 "SNonce did not change", msgtxt);
    900 		} else {
    901 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
    902 					 "received EAPOL-Key %s with "
    903 					 "unexpected replay counter", msgtxt);
    904 		}
    905 		for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
    906 			if (!sm->key_replay[i].valid)
    907 				break;
    908 			wpa_hexdump(MSG_DEBUG, "pending replay counter",
    909 				    sm->key_replay[i].counter,
    910 				    WPA_REPLAY_COUNTER_LEN);
    911 		}
    912 		wpa_hexdump(MSG_DEBUG, "received replay counter",
    913 			    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
    914 		return;
    915 	}
    916 
    917 continue_processing:
    918 	switch (msg) {
    919 	case PAIRWISE_2:
    920 		if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
    921 		    sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
    922 		    (!sm->update_snonce ||
    923 		     sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
    924 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
    925 					 "received EAPOL-Key msg 2/4 in "
    926 					 "invalid state (%d) - dropped",
    927 					 sm->wpa_ptk_state);
    928 			return;
    929 		}
    930 		random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
    931 		if (sm->group->reject_4way_hs_for_entropy) {
    932 			/*
    933 			 * The system did not have enough entropy to generate
    934 			 * strong random numbers. Reject the first 4-way
    935 			 * handshake(s) and collect some entropy based on the
    936 			 * information from it. Once enough entropy is
    937 			 * available, the next atempt will trigger GMK/Key
    938 			 * Counter update and the station will be allowed to
    939 			 * continue.
    940 			 */
    941 			wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
    942 				   "collect more entropy for random number "
    943 				   "generation");
    944 			random_mark_pool_ready();
    945 			wpa_sta_disconnect(wpa_auth, sm->addr);
    946 			return;
    947 		}
    948 		if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length,
    949 				      &kde) < 0) {
    950 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
    951 					 "received EAPOL-Key msg 2/4 with "
    952 					 "invalid Key Data contents");
    953 			return;
    954 		}
    955 		if (kde.rsn_ie) {
    956 			eapol_key_ie = kde.rsn_ie;
    957 			eapol_key_ie_len = kde.rsn_ie_len;
    958 		} else {
    959 			eapol_key_ie = kde.wpa_ie;
    960 			eapol_key_ie_len = kde.wpa_ie_len;
    961 		}
    962 		ft = sm->wpa == WPA_VERSION_WPA2 &&
    963 			wpa_key_mgmt_ft(sm->wpa_key_mgmt);
    964 		if (sm->wpa_ie == NULL ||
    965 		    wpa_compare_rsn_ie(ft,
    966 				       sm->wpa_ie, sm->wpa_ie_len,
    967 				       eapol_key_ie, eapol_key_ie_len)) {
    968 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
    969 					"WPA IE from (Re)AssocReq did not "
    970 					"match with msg 2/4");
    971 			if (sm->wpa_ie) {
    972 				wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
    973 					    sm->wpa_ie, sm->wpa_ie_len);
    974 			}
    975 			wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
    976 				    eapol_key_ie, eapol_key_ie_len);
    977 			/* MLME-DEAUTHENTICATE.request */
    978 			wpa_sta_disconnect(wpa_auth, sm->addr);
    979 			return;
    980 		}
    981 #ifdef CONFIG_IEEE80211R
    982 		if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
    983 			wpa_sta_disconnect(wpa_auth, sm->addr);
    984 			return;
    985 		}
    986 #endif /* CONFIG_IEEE80211R */
    987 		break;
    988 	case PAIRWISE_4:
    989 		if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
    990 		    !sm->PTK_valid) {
    991 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
    992 					 "received EAPOL-Key msg 4/4 in "
    993 					 "invalid state (%d) - dropped",
    994 					 sm->wpa_ptk_state);
    995 			return;
    996 		}
    997 		break;
    998 	case GROUP_2:
    999 		if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
   1000 		    || !sm->PTK_valid) {
   1001 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
   1002 					 "received EAPOL-Key msg 2/2 in "
   1003 					 "invalid state (%d) - dropped",
   1004 					 sm->wpa_ptk_group_state);
   1005 			return;
   1006 		}
   1007 		break;
   1008 #ifdef CONFIG_PEERKEY
   1009 	case SMK_M1:
   1010 	case SMK_M3:
   1011 	case SMK_ERROR:
   1012 		if (!wpa_auth->conf.peerkey) {
   1013 			wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
   1014 				   "PeerKey use disabled - ignoring message");
   1015 			return;
   1016 		}
   1017 		if (!sm->PTK_valid) {
   1018 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1019 					"received EAPOL-Key msg SMK in "
   1020 					"invalid state - dropped");
   1021 			return;
   1022 		}
   1023 		break;
   1024 #else /* CONFIG_PEERKEY */
   1025 	case SMK_M1:
   1026 	case SMK_M3:
   1027 	case SMK_ERROR:
   1028 		return; /* STSL disabled - ignore SMK messages */
   1029 #endif /* CONFIG_PEERKEY */
   1030 	case REQUEST:
   1031 		break;
   1032 	}
   1033 
   1034 	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
   1035 			 "received EAPOL-Key frame (%s)", msgtxt);
   1036 
   1037 	if (key_info & WPA_KEY_INFO_ACK) {
   1038 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1039 				"received invalid EAPOL-Key: Key Ack set");
   1040 		return;
   1041 	}
   1042 
   1043 	if (!(key_info & WPA_KEY_INFO_MIC)) {
   1044 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1045 				"received invalid EAPOL-Key: Key MIC not set");
   1046 		return;
   1047 	}
   1048 
   1049 	sm->MICVerified = FALSE;
   1050 	if (sm->PTK_valid && !sm->update_snonce) {
   1051 		if (wpa_verify_key_mic(&sm->PTK, data, data_len)) {
   1052 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1053 					"received EAPOL-Key with invalid MIC");
   1054 			return;
   1055 		}
   1056 		sm->MICVerified = TRUE;
   1057 		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
   1058 		sm->pending_1_of_4_timeout = 0;
   1059 	}
   1060 
   1061 	if (key_info & WPA_KEY_INFO_REQUEST) {
   1062 		if (sm->MICVerified) {
   1063 			sm->req_replay_counter_used = 1;
   1064 			os_memcpy(sm->req_replay_counter, key->replay_counter,
   1065 				  WPA_REPLAY_COUNTER_LEN);
   1066 		} else {
   1067 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1068 					"received EAPOL-Key request with "
   1069 					"invalid MIC");
   1070 			return;
   1071 		}
   1072 
   1073 		/*
   1074 		 * TODO: should decrypt key data field if encryption was used;
   1075 		 * even though MAC address KDE is not normally encrypted,
   1076 		 * supplicant is allowed to encrypt it.
   1077 		 */
   1078 		if (msg == SMK_ERROR) {
   1079 #ifdef CONFIG_PEERKEY
   1080 			wpa_smk_error(wpa_auth, sm, key);
   1081 #endif /* CONFIG_PEERKEY */
   1082 			return;
   1083 		} else if (key_info & WPA_KEY_INFO_ERROR) {
   1084 			wpa_receive_error_report(
   1085 				wpa_auth, sm,
   1086 				!(key_info & WPA_KEY_INFO_KEY_TYPE));
   1087 		} else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
   1088 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1089 					"received EAPOL-Key Request for new "
   1090 					"4-Way Handshake");
   1091 			wpa_request_new_ptk(sm);
   1092 #ifdef CONFIG_PEERKEY
   1093 		} else if (msg == SMK_M1) {
   1094 			wpa_smk_m1(wpa_auth, sm, key);
   1095 #endif /* CONFIG_PEERKEY */
   1096 		} else if (key_data_length > 0 &&
   1097 			   wpa_parse_kde_ies((const u8 *) (key + 1),
   1098 					     key_data_length, &kde) == 0 &&
   1099 			   kde.mac_addr) {
   1100 		} else {
   1101 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
   1102 					"received EAPOL-Key Request for GTK "
   1103 					"rekeying");
   1104 			eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
   1105 			wpa_rekey_gtk(wpa_auth, NULL);
   1106 		}
   1107 	} else {
   1108 		/* Do not allow the same key replay counter to be reused. */
   1109 		wpa_replay_counter_mark_invalid(sm->key_replay,
   1110 						key->replay_counter);
   1111 
   1112 		if (msg == PAIRWISE_2) {
   1113 			/*
   1114 			 * Maintain a copy of the pending EAPOL-Key frames in
   1115 			 * case the EAPOL-Key frame was retransmitted. This is
   1116 			 * needed to allow EAPOL-Key msg 2/4 reply to another
   1117 			 * pending msg 1/4 to update the SNonce to work around
   1118 			 * unexpected supplicant behavior.
   1119 			 */
   1120 			os_memcpy(sm->prev_key_replay, sm->key_replay,
   1121 				  sizeof(sm->key_replay));
   1122 		} else {
   1123 			os_memset(sm->prev_key_replay, 0,
   1124 				  sizeof(sm->prev_key_replay));
   1125 		}
   1126 
   1127 		/*
   1128 		 * Make sure old valid counters are not accepted anymore and
   1129 		 * do not get copied again.
   1130 		 */
   1131 		wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
   1132 	}
   1133 
   1134 #ifdef CONFIG_PEERKEY
   1135 	if (msg == SMK_M3) {
   1136 		wpa_smk_m3(wpa_auth, sm, key);
   1137 		return;
   1138 	}
   1139 #endif /* CONFIG_PEERKEY */
   1140 
   1141 	os_free(sm->last_rx_eapol_key);
   1142 	sm->last_rx_eapol_key = os_malloc(data_len);
   1143 	if (sm->last_rx_eapol_key == NULL)
   1144 		return;
   1145 	os_memcpy(sm->last_rx_eapol_key, data, data_len);
   1146 	sm->last_rx_eapol_key_len = data_len;
   1147 
   1148 	sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
   1149 	sm->EAPOLKeyReceived = TRUE;
   1150 	sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
   1151 	sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
   1152 	os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
   1153 	wpa_sm_step(sm);
   1154 }
   1155 
   1156 
   1157 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
   1158 			  const u8 *gnonce, u8 *gtk, size_t gtk_len)
   1159 {
   1160 	u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
   1161 	u8 *pos;
   1162 	int ret = 0;
   1163 
   1164 	/* GTK = PRF-X(GMK, "Group key expansion",
   1165 	 *	AA || GNonce || Time || random data)
   1166 	 * The example described in the IEEE 802.11 standard uses only AA and
   1167 	 * GNonce as inputs here. Add some more entropy since this derivation
   1168 	 * is done only at the Authenticator and as such, does not need to be
   1169 	 * exactly same.
   1170 	 */
   1171 	os_memcpy(data, addr, ETH_ALEN);
   1172 	os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
   1173 	pos = data + ETH_ALEN + WPA_NONCE_LEN;
   1174 	wpa_get_ntp_timestamp(pos);
   1175 	pos += 8;
   1176 	if (random_get_bytes(pos, 16) < 0)
   1177 		ret = -1;
   1178 
   1179 #ifdef CONFIG_IEEE80211W
   1180 	sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
   1181 #else /* CONFIG_IEEE80211W */
   1182 	if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
   1183 	    < 0)
   1184 		ret = -1;
   1185 #endif /* CONFIG_IEEE80211W */
   1186 
   1187 	return ret;
   1188 }
   1189 
   1190 
   1191 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
   1192 {
   1193 	struct wpa_authenticator *wpa_auth = eloop_ctx;
   1194 	struct wpa_state_machine *sm = timeout_ctx;
   1195 
   1196 	sm->pending_1_of_4_timeout = 0;
   1197 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
   1198 	sm->TimeoutEvt = TRUE;
   1199 	wpa_sm_step(sm);
   1200 }
   1201 
   1202 
   1203 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
   1204 		      struct wpa_state_machine *sm, int key_info,
   1205 		      const u8 *key_rsc, const u8 *nonce,
   1206 		      const u8 *kde, size_t kde_len,
   1207 		      int keyidx, int encr, int force_version)
   1208 {
   1209 	struct ieee802_1x_hdr *hdr;
   1210 	struct wpa_eapol_key *key;
   1211 	size_t len;
   1212 	int alg;
   1213 	int key_data_len, pad_len = 0;
   1214 	u8 *buf, *pos;
   1215 	int version, pairwise;
   1216 	int i;
   1217 
   1218 	len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key);
   1219 
   1220 	if (force_version)
   1221 		version = force_version;
   1222 	else if (wpa_use_aes_cmac(sm))
   1223 		version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
   1224 	else if (sm->pairwise != WPA_CIPHER_TKIP)
   1225 		version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
   1226 	else
   1227 		version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
   1228 
   1229 	pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
   1230 
   1231 	wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
   1232 		   "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
   1233 		   "encr=%d)",
   1234 		   version,
   1235 		   (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
   1236 		   (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
   1237 		   (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
   1238 		   (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
   1239 		   pairwise, (unsigned long) kde_len, keyidx, encr);
   1240 
   1241 	key_data_len = kde_len;
   1242 
   1243 	if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
   1244 	     version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
   1245 		pad_len = key_data_len % 8;
   1246 		if (pad_len)
   1247 			pad_len = 8 - pad_len;
   1248 		key_data_len += pad_len + 8;
   1249 	}
   1250 
   1251 	len += key_data_len;
   1252 
   1253 	hdr = os_zalloc(len);
   1254 	if (hdr == NULL)
   1255 		return;
   1256 	hdr->version = wpa_auth->conf.eapol_version;
   1257 	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
   1258 	hdr->length = host_to_be16(len  - sizeof(*hdr));
   1259 	key = (struct wpa_eapol_key *) (hdr + 1);
   1260 
   1261 	key->type = sm->wpa == WPA_VERSION_WPA2 ?
   1262 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
   1263 	key_info |= version;
   1264 	if (encr && sm->wpa == WPA_VERSION_WPA2)
   1265 		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
   1266 	if (sm->wpa != WPA_VERSION_WPA2)
   1267 		key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
   1268 	WPA_PUT_BE16(key->key_info, key_info);
   1269 
   1270 	alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
   1271 	WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
   1272 	if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
   1273 		WPA_PUT_BE16(key->key_length, 0);
   1274 
   1275 	/* FIX: STSL: what to use as key_replay_counter? */
   1276 	for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
   1277 		sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
   1278 		os_memcpy(sm->key_replay[i].counter,
   1279 			  sm->key_replay[i - 1].counter,
   1280 			  WPA_REPLAY_COUNTER_LEN);
   1281 	}
   1282 	inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
   1283 	os_memcpy(key->replay_counter, sm->key_replay[0].counter,
   1284 		  WPA_REPLAY_COUNTER_LEN);
   1285 	sm->key_replay[0].valid = TRUE;
   1286 
   1287 	if (nonce)
   1288 		os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
   1289 
   1290 	if (key_rsc)
   1291 		os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
   1292 
   1293 	if (kde && !encr) {
   1294 		os_memcpy(key + 1, kde, kde_len);
   1295 		WPA_PUT_BE16(key->key_data_length, kde_len);
   1296 	} else if (encr && kde) {
   1297 		buf = os_zalloc(key_data_len);
   1298 		if (buf == NULL) {
   1299 			os_free(hdr);
   1300 			return;
   1301 		}
   1302 		pos = buf;
   1303 		os_memcpy(pos, kde, kde_len);
   1304 		pos += kde_len;
   1305 
   1306 		if (pad_len)
   1307 			*pos++ = 0xdd;
   1308 
   1309 		wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
   1310 				buf, key_data_len);
   1311 		if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
   1312 		    version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
   1313 			if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf,
   1314 				     (u8 *) (key + 1))) {
   1315 				os_free(hdr);
   1316 				os_free(buf);
   1317 				return;
   1318 			}
   1319 			WPA_PUT_BE16(key->key_data_length, key_data_len);
   1320 		} else {
   1321 			u8 ek[32];
   1322 			os_memcpy(key->key_iv,
   1323 				  sm->group->Counter + WPA_NONCE_LEN - 16, 16);
   1324 			inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
   1325 			os_memcpy(ek, key->key_iv, 16);
   1326 			os_memcpy(ek + 16, sm->PTK.kek, 16);
   1327 			os_memcpy(key + 1, buf, key_data_len);
   1328 			rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len);
   1329 			WPA_PUT_BE16(key->key_data_length, key_data_len);
   1330 		}
   1331 		os_free(buf);
   1332 	}
   1333 
   1334 	if (key_info & WPA_KEY_INFO_MIC) {
   1335 		if (!sm->PTK_valid) {
   1336 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
   1337 					"PTK not valid when sending EAPOL-Key "
   1338 					"frame");
   1339 			os_free(hdr);
   1340 			return;
   1341 		}
   1342 		wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len,
   1343 				  key->key_mic);
   1344 	}
   1345 
   1346 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
   1347 			   1);
   1348 	wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
   1349 			    sm->pairwise_set);
   1350 	os_free(hdr);
   1351 }
   1352 
   1353 
   1354 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
   1355 			   struct wpa_state_machine *sm, int key_info,
   1356 			   const u8 *key_rsc, const u8 *nonce,
   1357 			   const u8 *kde, size_t kde_len,
   1358 			   int keyidx, int encr)
   1359 {
   1360 	int timeout_ms;
   1361 	int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
   1362 	int ctr;
   1363 
   1364 	if (sm == NULL)
   1365 		return;
   1366 
   1367 	__wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
   1368 			 keyidx, encr, 0);
   1369 
   1370 	ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
   1371 	if (ctr == 1 && wpa_auth->conf.tx_status)
   1372 		timeout_ms = pairwise ? eapol_key_timeout_first :
   1373 			eapol_key_timeout_first_group;
   1374 	else
   1375 		timeout_ms = eapol_key_timeout_subseq;
   1376 	if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
   1377 		sm->pending_1_of_4_timeout = 1;
   1378 	wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
   1379 		   "counter %d)", timeout_ms, ctr);
   1380 	eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
   1381 			       wpa_send_eapol_timeout, wpa_auth, sm);
   1382 }
   1383 
   1384 
   1385 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len)
   1386 {
   1387 	struct ieee802_1x_hdr *hdr;
   1388 	struct wpa_eapol_key *key;
   1389 	u16 key_info;
   1390 	int ret = 0;
   1391 	u8 mic[16];
   1392 
   1393 	if (data_len < sizeof(*hdr) + sizeof(*key))
   1394 		return -1;
   1395 
   1396 	hdr = (struct ieee802_1x_hdr *) data;
   1397 	key = (struct wpa_eapol_key *) (hdr + 1);
   1398 	key_info = WPA_GET_BE16(key->key_info);
   1399 	os_memcpy(mic, key->key_mic, 16);
   1400 	os_memset(key->key_mic, 0, 16);
   1401 	if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK,
   1402 			      data, data_len, key->key_mic) ||
   1403 	    os_memcmp(mic, key->key_mic, 16) != 0)
   1404 		ret = -1;
   1405 	os_memcpy(key->key_mic, mic, 16);
   1406 	return ret;
   1407 }
   1408 
   1409 
   1410 void wpa_remove_ptk(struct wpa_state_machine *sm)
   1411 {
   1412 	sm->PTK_valid = FALSE;
   1413 	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
   1414 	wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
   1415 	sm->pairwise_set = FALSE;
   1416 	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
   1417 }
   1418 
   1419 
   1420 int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event)
   1421 {
   1422 	int remove_ptk = 1;
   1423 
   1424 	if (sm == NULL)
   1425 		return -1;
   1426 
   1427 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1428 			 "event %d notification", event);
   1429 
   1430 	switch (event) {
   1431 	case WPA_AUTH:
   1432 	case WPA_ASSOC:
   1433 		break;
   1434 	case WPA_DEAUTH:
   1435 	case WPA_DISASSOC:
   1436 		sm->DeauthenticationRequest = TRUE;
   1437 		break;
   1438 	case WPA_REAUTH:
   1439 	case WPA_REAUTH_EAPOL:
   1440 		if (!sm->started) {
   1441 			/*
   1442 			 * When using WPS, we may end up here if the STA
   1443 			 * manages to re-associate without the previous STA
   1444 			 * entry getting removed. Consequently, we need to make
   1445 			 * sure that the WPA state machines gets initialized
   1446 			 * properly at this point.
   1447 			 */
   1448 			wpa_printf(MSG_DEBUG, "WPA state machine had not been "
   1449 				   "started - initialize now");
   1450 			sm->started = 1;
   1451 			sm->Init = TRUE;
   1452 			if (wpa_sm_step(sm) == 1)
   1453 				return 1; /* should not really happen */
   1454 			sm->Init = FALSE;
   1455 			sm->AuthenticationRequest = TRUE;
   1456 			break;
   1457 		}
   1458 		if (sm->GUpdateStationKeys) {
   1459 			/*
   1460 			 * Reauthentication cancels the pending group key
   1461 			 * update for this STA.
   1462 			 */
   1463 			sm->group->GKeyDoneStations--;
   1464 			sm->GUpdateStationKeys = FALSE;
   1465 			sm->PtkGroupInit = TRUE;
   1466 		}
   1467 		sm->ReAuthenticationRequest = TRUE;
   1468 		break;
   1469 	case WPA_ASSOC_FT:
   1470 #ifdef CONFIG_IEEE80211R
   1471 		wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
   1472 			   "after association");
   1473 		wpa_ft_install_ptk(sm);
   1474 
   1475 		/* Using FT protocol, not WPA auth state machine */
   1476 		sm->ft_completed = 1;
   1477 		return 0;
   1478 #else /* CONFIG_IEEE80211R */
   1479 		break;
   1480 #endif /* CONFIG_IEEE80211R */
   1481 	}
   1482 
   1483 #ifdef CONFIG_IEEE80211R
   1484 	sm->ft_completed = 0;
   1485 #endif /* CONFIG_IEEE80211R */
   1486 
   1487 #ifdef CONFIG_IEEE80211W
   1488 	if (sm->mgmt_frame_prot && event == WPA_AUTH)
   1489 		remove_ptk = 0;
   1490 #endif /* CONFIG_IEEE80211W */
   1491 
   1492 	if (remove_ptk) {
   1493 		sm->PTK_valid = FALSE;
   1494 		os_memset(&sm->PTK, 0, sizeof(sm->PTK));
   1495 
   1496 		if (event != WPA_REAUTH_EAPOL)
   1497 			wpa_remove_ptk(sm);
   1498 	}
   1499 
   1500 	return wpa_sm_step(sm);
   1501 }
   1502 
   1503 
   1504 SM_STATE(WPA_PTK, INITIALIZE)
   1505 {
   1506 	SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
   1507 	if (sm->Init) {
   1508 		/* Init flag is not cleared here, so avoid busy
   1509 		 * loop by claiming nothing changed. */
   1510 		sm->changed = FALSE;
   1511 	}
   1512 
   1513 	sm->keycount = 0;
   1514 	if (sm->GUpdateStationKeys)
   1515 		sm->group->GKeyDoneStations--;
   1516 	sm->GUpdateStationKeys = FALSE;
   1517 	if (sm->wpa == WPA_VERSION_WPA)
   1518 		sm->PInitAKeys = FALSE;
   1519 	if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
   1520 	       * Local AA > Remote AA)) */) {
   1521 		sm->Pair = TRUE;
   1522 	}
   1523 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
   1524 	wpa_remove_ptk(sm);
   1525 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
   1526 	sm->TimeoutCtr = 0;
   1527 	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
   1528 		wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
   1529 				   WPA_EAPOL_authorized, 0);
   1530 	}
   1531 }
   1532 
   1533 
   1534 SM_STATE(WPA_PTK, DISCONNECT)
   1535 {
   1536 	SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
   1537 	sm->Disconnect = FALSE;
   1538 	wpa_sta_disconnect(sm->wpa_auth, sm->addr);
   1539 }
   1540 
   1541 
   1542 SM_STATE(WPA_PTK, DISCONNECTED)
   1543 {
   1544 	SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
   1545 	sm->DeauthenticationRequest = FALSE;
   1546 }
   1547 
   1548 
   1549 SM_STATE(WPA_PTK, AUTHENTICATION)
   1550 {
   1551 	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
   1552 	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
   1553 	sm->PTK_valid = FALSE;
   1554 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
   1555 			   1);
   1556 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
   1557 	sm->AuthenticationRequest = FALSE;
   1558 }
   1559 
   1560 
   1561 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
   1562 				  struct wpa_group *group)
   1563 {
   1564 	if (group->first_sta_seen)
   1565 		return;
   1566 	/*
   1567 	 * System has run bit further than at the time hostapd was started
   1568 	 * potentially very early during boot up. This provides better chances
   1569 	 * of collecting more randomness on embedded systems. Re-initialize the
   1570 	 * GMK and Counter here to improve their strength if there was not
   1571 	 * enough entropy available immediately after system startup.
   1572 	 */
   1573 	wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
   1574 		   "station");
   1575 	if (random_pool_ready() != 1) {
   1576 		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
   1577 			   "to proceed - reject first 4-way handshake");
   1578 		group->reject_4way_hs_for_entropy = TRUE;
   1579 	} else {
   1580 		group->first_sta_seen = TRUE;
   1581 		group->reject_4way_hs_for_entropy = FALSE;
   1582 	}
   1583 
   1584 	wpa_group_init_gmk_and_counter(wpa_auth, group);
   1585 	wpa_gtk_update(wpa_auth, group);
   1586 	wpa_group_config_group_keys(wpa_auth, group);
   1587 }
   1588 
   1589 
   1590 SM_STATE(WPA_PTK, AUTHENTICATION2)
   1591 {
   1592 	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
   1593 
   1594 	wpa_group_ensure_init(sm->wpa_auth, sm->group);
   1595 
   1596 	/*
   1597 	 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
   1598 	 * ambiguous. The Authenticator state machine uses a counter that is
   1599 	 * incremented by one for each 4-way handshake. However, the security
   1600 	 * analysis of 4-way handshake points out that unpredictable nonces
   1601 	 * help in preventing precomputation attacks. Instead of the state
   1602 	 * machine definition, use an unpredictable nonce value here to provide
   1603 	 * stronger protection against potential precomputation attacks.
   1604 	 */
   1605 	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
   1606 		wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
   1607 			   "ANonce.");
   1608 		wpa_sta_disconnect(sm->wpa_auth, sm->addr);
   1609 		return;
   1610 	}
   1611 	wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
   1612 		    WPA_NONCE_LEN);
   1613 	sm->ReAuthenticationRequest = FALSE;
   1614 	/* IEEE 802.11i does not clear TimeoutCtr here, but this is more
   1615 	 * logical place than INITIALIZE since AUTHENTICATION2 can be
   1616 	 * re-entered on ReAuthenticationRequest without going through
   1617 	 * INITIALIZE. */
   1618 	sm->TimeoutCtr = 0;
   1619 }
   1620 
   1621 
   1622 SM_STATE(WPA_PTK, INITPMK)
   1623 {
   1624 	u8 msk[2 * PMK_LEN];
   1625 	size_t len = 2 * PMK_LEN;
   1626 
   1627 	SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
   1628 #ifdef CONFIG_IEEE80211R
   1629 	sm->xxkey_len = 0;
   1630 #endif /* CONFIG_IEEE80211R */
   1631 	if (sm->pmksa) {
   1632 		wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
   1633 		os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN);
   1634 	} else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
   1635 		wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
   1636 			   "(len=%lu)", (unsigned long) len);
   1637 		os_memcpy(sm->PMK, msk, PMK_LEN);
   1638 #ifdef CONFIG_IEEE80211R
   1639 		if (len >= 2 * PMK_LEN) {
   1640 			os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
   1641 			sm->xxkey_len = PMK_LEN;
   1642 		}
   1643 #endif /* CONFIG_IEEE80211R */
   1644 	} else {
   1645 		wpa_printf(MSG_DEBUG, "WPA: Could not get PMK");
   1646 	}
   1647 
   1648 	sm->req_replay_counter_used = 0;
   1649 	/* IEEE 802.11i does not set keyRun to FALSE, but not doing this
   1650 	 * will break reauthentication since EAPOL state machines may not be
   1651 	 * get into AUTHENTICATING state that clears keyRun before WPA state
   1652 	 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
   1653 	 * state and takes PMK from the previously used AAA Key. This will
   1654 	 * eventually fail in 4-Way Handshake because Supplicant uses PMK
   1655 	 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
   1656 	 * be good workaround for this issue. */
   1657 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
   1658 }
   1659 
   1660 
   1661 SM_STATE(WPA_PTK, INITPSK)
   1662 {
   1663 	const u8 *psk;
   1664 	SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
   1665 	psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL);
   1666 	if (psk) {
   1667 		os_memcpy(sm->PMK, psk, PMK_LEN);
   1668 #ifdef CONFIG_IEEE80211R
   1669 		os_memcpy(sm->xxkey, psk, PMK_LEN);
   1670 		sm->xxkey_len = PMK_LEN;
   1671 #endif /* CONFIG_IEEE80211R */
   1672 	}
   1673 	sm->req_replay_counter_used = 0;
   1674 }
   1675 
   1676 
   1677 SM_STATE(WPA_PTK, PTKSTART)
   1678 {
   1679 	u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
   1680 	size_t pmkid_len = 0;
   1681 
   1682 	SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
   1683 	sm->PTKRequest = FALSE;
   1684 	sm->TimeoutEvt = FALSE;
   1685 
   1686 	sm->TimeoutCtr++;
   1687 	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
   1688 		/* No point in sending the EAPOL-Key - we will disconnect
   1689 		 * immediately following this. */
   1690 		return;
   1691 	}
   1692 
   1693 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1694 			"sending 1/4 msg of 4-Way Handshake");
   1695 	/*
   1696 	 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
   1697 	 * one possible PSK for this STA.
   1698 	 */
   1699 	if (sm->wpa == WPA_VERSION_WPA2 &&
   1700 	    wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) {
   1701 		pmkid = buf;
   1702 		pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
   1703 		pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
   1704 		pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
   1705 		RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
   1706 		if (sm->pmksa)
   1707 			os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
   1708 				  sm->pmksa->pmkid, PMKID_LEN);
   1709 		else {
   1710 			/*
   1711 			 * Calculate PMKID since no PMKSA cache entry was
   1712 			 * available with pre-calculated PMKID.
   1713 			 */
   1714 			rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr,
   1715 				  sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
   1716 				  wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
   1717 		}
   1718 	}
   1719 	wpa_send_eapol(sm->wpa_auth, sm,
   1720 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
   1721 		       sm->ANonce, pmkid, pmkid_len, 0, 0);
   1722 }
   1723 
   1724 
   1725 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk,
   1726 			  struct wpa_ptk *ptk)
   1727 {
   1728 	size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64;
   1729 #ifdef CONFIG_IEEE80211R
   1730 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
   1731 		return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len);
   1732 #endif /* CONFIG_IEEE80211R */
   1733 
   1734 	wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion",
   1735 		       sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce,
   1736 		       (u8 *) ptk, ptk_len,
   1737 		       wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
   1738 
   1739 	return 0;
   1740 }
   1741 
   1742 
   1743 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
   1744 {
   1745 	struct wpa_ptk PTK;
   1746 	int ok = 0;
   1747 	const u8 *pmk = NULL;
   1748 
   1749 	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
   1750 	sm->EAPOLKeyReceived = FALSE;
   1751 	sm->update_snonce = FALSE;
   1752 
   1753 	/* WPA with IEEE 802.1X: use the derived PMK from EAP
   1754 	 * WPA-PSK: iterate through possible PSKs and select the one matching
   1755 	 * the packet */
   1756 	for (;;) {
   1757 		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
   1758 			pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, pmk);
   1759 			if (pmk == NULL)
   1760 				break;
   1761 		} else
   1762 			pmk = sm->PMK;
   1763 
   1764 		wpa_derive_ptk(sm, pmk, &PTK);
   1765 
   1766 		if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key,
   1767 				       sm->last_rx_eapol_key_len) == 0) {
   1768 			ok = 1;
   1769 			break;
   1770 		}
   1771 
   1772 		if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
   1773 			break;
   1774 	}
   1775 
   1776 	if (!ok) {
   1777 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1778 				"invalid MIC in msg 2/4 of 4-Way Handshake");
   1779 		return;
   1780 	}
   1781 
   1782 #ifdef CONFIG_IEEE80211R
   1783 	if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
   1784 		/*
   1785 		 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
   1786 		 * with the value we derived.
   1787 		 */
   1788 		if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name,
   1789 			      WPA_PMK_NAME_LEN) != 0) {
   1790 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1791 					"PMKR1Name mismatch in FT 4-way "
   1792 					"handshake");
   1793 			wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
   1794 				    "Supplicant",
   1795 				    sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
   1796 			wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
   1797 				    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
   1798 			return;
   1799 		}
   1800 	}
   1801 #endif /* CONFIG_IEEE80211R */
   1802 
   1803 	sm->pending_1_of_4_timeout = 0;
   1804 	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
   1805 
   1806 	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
   1807 		/* PSK may have changed from the previous choice, so update
   1808 		 * state machine data based on whatever PSK was selected here.
   1809 		 */
   1810 		os_memcpy(sm->PMK, pmk, PMK_LEN);
   1811 	}
   1812 
   1813 	sm->MICVerified = TRUE;
   1814 
   1815 	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
   1816 	sm->PTK_valid = TRUE;
   1817 }
   1818 
   1819 
   1820 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
   1821 {
   1822 	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
   1823 	sm->TimeoutCtr = 0;
   1824 }
   1825 
   1826 
   1827 #ifdef CONFIG_IEEE80211W
   1828 
   1829 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
   1830 {
   1831 	if (sm->mgmt_frame_prot) {
   1832 		return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde);
   1833 	}
   1834 
   1835 	return 0;
   1836 }
   1837 
   1838 
   1839 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
   1840 {
   1841 	struct wpa_igtk_kde igtk;
   1842 	struct wpa_group *gsm = sm->group;
   1843 
   1844 	if (!sm->mgmt_frame_prot)
   1845 		return pos;
   1846 
   1847 	igtk.keyid[0] = gsm->GN_igtk;
   1848 	igtk.keyid[1] = 0;
   1849 	if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
   1850 	    wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0)
   1851 		os_memset(igtk.pn, 0, sizeof(igtk.pn));
   1852 	os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
   1853 	if (sm->wpa_auth->conf.disable_gtk) {
   1854 		/*
   1855 		 * Provide unique random IGTK to each STA to prevent use of
   1856 		 * IGTK in the BSS.
   1857 		 */
   1858 		if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0)
   1859 			return pos;
   1860 	}
   1861 	pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
   1862 			  (const u8 *) &igtk, sizeof(igtk), NULL, 0);
   1863 
   1864 	return pos;
   1865 }
   1866 
   1867 #else /* CONFIG_IEEE80211W */
   1868 
   1869 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
   1870 {
   1871 	return 0;
   1872 }
   1873 
   1874 
   1875 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
   1876 {
   1877 	return pos;
   1878 }
   1879 
   1880 #endif /* CONFIG_IEEE80211W */
   1881 
   1882 
   1883 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
   1884 {
   1885 	u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
   1886 	size_t gtk_len, kde_len;
   1887 	struct wpa_group *gsm = sm->group;
   1888 	u8 *wpa_ie;
   1889 	int wpa_ie_len, secure, keyidx, encr = 0;
   1890 
   1891 	SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
   1892 	sm->TimeoutEvt = FALSE;
   1893 
   1894 	sm->TimeoutCtr++;
   1895 	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
   1896 		/* No point in sending the EAPOL-Key - we will disconnect
   1897 		 * immediately following this. */
   1898 		return;
   1899 	}
   1900 
   1901 	/* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
   1902 	   GTK[GN], IGTK, [FTIE], [TIE * 2])
   1903 	 */
   1904 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
   1905 	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
   1906 	/* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
   1907 	wpa_ie = sm->wpa_auth->wpa_ie;
   1908 	wpa_ie_len = sm->wpa_auth->wpa_ie_len;
   1909 	if (sm->wpa == WPA_VERSION_WPA &&
   1910 	    (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
   1911 	    wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
   1912 		/* WPA-only STA, remove RSN IE */
   1913 		wpa_ie = wpa_ie + wpa_ie[1] + 2;
   1914 		wpa_ie_len = wpa_ie[1] + 2;
   1915 	}
   1916 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1917 			"sending 3/4 msg of 4-Way Handshake");
   1918 	if (sm->wpa == WPA_VERSION_WPA2) {
   1919 		/* WPA2 send GTK in the 4-way handshake */
   1920 		secure = 1;
   1921 		gtk = gsm->GTK[gsm->GN - 1];
   1922 		gtk_len = gsm->GTK_len;
   1923 		if (sm->wpa_auth->conf.disable_gtk) {
   1924 			/*
   1925 			 * Provide unique random GTK to each STA to prevent use
   1926 			 * of GTK in the BSS.
   1927 			 */
   1928 			if (random_get_bytes(dummy_gtk, gtk_len) < 0)
   1929 				return;
   1930 			gtk = dummy_gtk;
   1931 		}
   1932 		keyidx = gsm->GN;
   1933 		_rsc = rsc;
   1934 		encr = 1;
   1935 	} else {
   1936 		/* WPA does not include GTK in msg 3/4 */
   1937 		secure = 0;
   1938 		gtk = NULL;
   1939 		gtk_len = 0;
   1940 		keyidx = 0;
   1941 		_rsc = NULL;
   1942 		if (sm->rx_eapol_key_secure) {
   1943 			/*
   1944 			 * It looks like Windows 7 supplicant tries to use
   1945 			 * Secure bit in msg 2/4 after having reported Michael
   1946 			 * MIC failure and it then rejects the 4-way handshake
   1947 			 * if msg 3/4 does not set Secure bit. Work around this
   1948 			 * by setting the Secure bit here even in the case of
   1949 			 * WPA if the supplicant used it first.
   1950 			 */
   1951 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   1952 					"STA used Secure bit in WPA msg 2/4 - "
   1953 					"set Secure for 3/4 as workaround");
   1954 			secure = 1;
   1955 		}
   1956 	}
   1957 
   1958 	kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
   1959 	if (gtk)
   1960 		kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
   1961 #ifdef CONFIG_IEEE80211R
   1962 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
   1963 		kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
   1964 		kde_len += 300; /* FTIE + 2 * TIE */
   1965 	}
   1966 #endif /* CONFIG_IEEE80211R */
   1967 	kde = os_malloc(kde_len);
   1968 	if (kde == NULL)
   1969 		return;
   1970 
   1971 	pos = kde;
   1972 	os_memcpy(pos, wpa_ie, wpa_ie_len);
   1973 	pos += wpa_ie_len;
   1974 #ifdef CONFIG_IEEE80211R
   1975 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
   1976 		int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name);
   1977 		if (res < 0) {
   1978 			wpa_printf(MSG_ERROR, "FT: Failed to insert "
   1979 				   "PMKR1Name into RSN IE in EAPOL-Key data");
   1980 			os_free(kde);
   1981 			return;
   1982 		}
   1983 		pos += res;
   1984 	}
   1985 #endif /* CONFIG_IEEE80211R */
   1986 	if (gtk) {
   1987 		u8 hdr[2];
   1988 		hdr[0] = keyidx & 0x03;
   1989 		hdr[1] = 0;
   1990 		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
   1991 				  gtk, gtk_len);
   1992 	}
   1993 	pos = ieee80211w_kde_add(sm, pos);
   1994 
   1995 #ifdef CONFIG_IEEE80211R
   1996 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
   1997 		int res;
   1998 		struct wpa_auth_config *conf;
   1999 
   2000 		conf = &sm->wpa_auth->conf;
   2001 		res = wpa_write_ftie(conf, conf->r0_key_holder,
   2002 				     conf->r0_key_holder_len,
   2003 				     NULL, NULL, pos, kde + kde_len - pos,
   2004 				     NULL, 0);
   2005 		if (res < 0) {
   2006 			wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
   2007 				   "into EAPOL-Key Key Data");
   2008 			os_free(kde);
   2009 			return;
   2010 		}
   2011 		pos += res;
   2012 
   2013 		/* TIE[ReassociationDeadline] (TU) */
   2014 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
   2015 		*pos++ = 5;
   2016 		*pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
   2017 		WPA_PUT_LE32(pos, conf->reassociation_deadline);
   2018 		pos += 4;
   2019 
   2020 		/* TIE[KeyLifetime] (seconds) */
   2021 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
   2022 		*pos++ = 5;
   2023 		*pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
   2024 		WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
   2025 		pos += 4;
   2026 	}
   2027 #endif /* CONFIG_IEEE80211R */
   2028 
   2029 	wpa_send_eapol(sm->wpa_auth, sm,
   2030 		       (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
   2031 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
   2032 		       WPA_KEY_INFO_KEY_TYPE,
   2033 		       _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
   2034 	os_free(kde);
   2035 }
   2036 
   2037 
   2038 SM_STATE(WPA_PTK, PTKINITDONE)
   2039 {
   2040 	SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
   2041 	sm->EAPOLKeyReceived = FALSE;
   2042 	if (sm->Pair) {
   2043 		enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
   2044 		int klen = wpa_cipher_key_len(sm->pairwise);
   2045 		if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
   2046 				     sm->PTK.tk1, klen)) {
   2047 			wpa_sta_disconnect(sm->wpa_auth, sm->addr);
   2048 			return;
   2049 		}
   2050 		/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
   2051 		sm->pairwise_set = TRUE;
   2052 
   2053 		if (sm->wpa_auth->conf.wpa_ptk_rekey) {
   2054 			eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
   2055 			eloop_register_timeout(sm->wpa_auth->conf.
   2056 					       wpa_ptk_rekey, 0, wpa_rekey_ptk,
   2057 					       sm->wpa_auth, sm);
   2058 		}
   2059 
   2060 		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
   2061 			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
   2062 					   WPA_EAPOL_authorized, 1);
   2063 		}
   2064 	}
   2065 
   2066 	if (0 /* IBSS == TRUE */) {
   2067 		sm->keycount++;
   2068 		if (sm->keycount == 2) {
   2069 			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
   2070 					   WPA_EAPOL_portValid, 1);
   2071 		}
   2072 	} else {
   2073 		wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
   2074 				   1);
   2075 	}
   2076 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
   2077 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
   2078 	if (sm->wpa == WPA_VERSION_WPA)
   2079 		sm->PInitAKeys = TRUE;
   2080 	else
   2081 		sm->has_GTK = TRUE;
   2082 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
   2083 			 "pairwise key handshake completed (%s)",
   2084 			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
   2085 
   2086 #ifdef CONFIG_IEEE80211R
   2087 	wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
   2088 #endif /* CONFIG_IEEE80211R */
   2089 }
   2090 
   2091 
   2092 SM_STEP(WPA_PTK)
   2093 {
   2094 	struct wpa_authenticator *wpa_auth = sm->wpa_auth;
   2095 
   2096 	if (sm->Init)
   2097 		SM_ENTER(WPA_PTK, INITIALIZE);
   2098 	else if (sm->Disconnect
   2099 		 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
   2100 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
   2101 				"WPA_PTK: sm->Disconnect");
   2102 		SM_ENTER(WPA_PTK, DISCONNECT);
   2103 	}
   2104 	else if (sm->DeauthenticationRequest)
   2105 		SM_ENTER(WPA_PTK, DISCONNECTED);
   2106 	else if (sm->AuthenticationRequest)
   2107 		SM_ENTER(WPA_PTK, AUTHENTICATION);
   2108 	else if (sm->ReAuthenticationRequest)
   2109 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
   2110 	else if (sm->PTKRequest)
   2111 		SM_ENTER(WPA_PTK, PTKSTART);
   2112 	else switch (sm->wpa_ptk_state) {
   2113 	case WPA_PTK_INITIALIZE:
   2114 		break;
   2115 	case WPA_PTK_DISCONNECT:
   2116 		SM_ENTER(WPA_PTK, DISCONNECTED);
   2117 		break;
   2118 	case WPA_PTK_DISCONNECTED:
   2119 		SM_ENTER(WPA_PTK, INITIALIZE);
   2120 		break;
   2121 	case WPA_PTK_AUTHENTICATION:
   2122 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
   2123 		break;
   2124 	case WPA_PTK_AUTHENTICATION2:
   2125 		if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
   2126 		    wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
   2127 				       WPA_EAPOL_keyRun) > 0)
   2128 			SM_ENTER(WPA_PTK, INITPMK);
   2129 		else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
   2130 			 /* FIX: && 802.1X::keyRun */)
   2131 			SM_ENTER(WPA_PTK, INITPSK);
   2132 		break;
   2133 	case WPA_PTK_INITPMK:
   2134 		if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
   2135 				       WPA_EAPOL_keyAvailable) > 0)
   2136 			SM_ENTER(WPA_PTK, PTKSTART);
   2137 		else {
   2138 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
   2139 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
   2140 					"INITPMK - keyAvailable = false");
   2141 			SM_ENTER(WPA_PTK, DISCONNECT);
   2142 		}
   2143 		break;
   2144 	case WPA_PTK_INITPSK:
   2145 		if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL))
   2146 			SM_ENTER(WPA_PTK, PTKSTART);
   2147 		else {
   2148 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
   2149 					"no PSK configured for the STA");
   2150 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
   2151 			SM_ENTER(WPA_PTK, DISCONNECT);
   2152 		}
   2153 		break;
   2154 	case WPA_PTK_PTKSTART:
   2155 		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
   2156 		    sm->EAPOLKeyPairwise)
   2157 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
   2158 		else if (sm->TimeoutCtr >
   2159 			 (int) dot11RSNAConfigPairwiseUpdateCount) {
   2160 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
   2161 			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   2162 					 "PTKSTART: Retry limit %d reached",
   2163 					 dot11RSNAConfigPairwiseUpdateCount);
   2164 			SM_ENTER(WPA_PTK, DISCONNECT);
   2165 		} else if (sm->TimeoutEvt)
   2166 			SM_ENTER(WPA_PTK, PTKSTART);
   2167 		break;
   2168 	case WPA_PTK_PTKCALCNEGOTIATING:
   2169 		if (sm->MICVerified)
   2170 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
   2171 		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
   2172 			 sm->EAPOLKeyPairwise)
   2173 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
   2174 		else if (sm->TimeoutEvt)
   2175 			SM_ENTER(WPA_PTK, PTKSTART);
   2176 		break;
   2177 	case WPA_PTK_PTKCALCNEGOTIATING2:
   2178 		SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
   2179 		break;
   2180 	case WPA_PTK_PTKINITNEGOTIATING:
   2181 		if (sm->update_snonce)
   2182 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
   2183 		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
   2184 			 sm->EAPOLKeyPairwise && sm->MICVerified)
   2185 			SM_ENTER(WPA_PTK, PTKINITDONE);
   2186 		else if (sm->TimeoutCtr >
   2187 			 (int) dot11RSNAConfigPairwiseUpdateCount) {
   2188 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
   2189 			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   2190 					 "PTKINITNEGOTIATING: Retry limit %d "
   2191 					 "reached",
   2192 					 dot11RSNAConfigPairwiseUpdateCount);
   2193 			SM_ENTER(WPA_PTK, DISCONNECT);
   2194 		} else if (sm->TimeoutEvt)
   2195 			SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
   2196 		break;
   2197 	case WPA_PTK_PTKINITDONE:
   2198 		break;
   2199 	}
   2200 }
   2201 
   2202 
   2203 SM_STATE(WPA_PTK_GROUP, IDLE)
   2204 {
   2205 	SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
   2206 	if (sm->Init) {
   2207 		/* Init flag is not cleared here, so avoid busy
   2208 		 * loop by claiming nothing changed. */
   2209 		sm->changed = FALSE;
   2210 	}
   2211 	sm->GTimeoutCtr = 0;
   2212 }
   2213 
   2214 
   2215 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
   2216 {
   2217 	u8 rsc[WPA_KEY_RSC_LEN];
   2218 	struct wpa_group *gsm = sm->group;
   2219 	u8 *kde, *pos, hdr[2];
   2220 	size_t kde_len;
   2221 	u8 *gtk, dummy_gtk[32];
   2222 
   2223 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
   2224 
   2225 	sm->GTimeoutCtr++;
   2226 	if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
   2227 		/* No point in sending the EAPOL-Key - we will disconnect
   2228 		 * immediately following this. */
   2229 		return;
   2230 	}
   2231 
   2232 	if (sm->wpa == WPA_VERSION_WPA)
   2233 		sm->PInitAKeys = FALSE;
   2234 	sm->TimeoutEvt = FALSE;
   2235 	/* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
   2236 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
   2237 	if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
   2238 		wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
   2239 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   2240 			"sending 1/2 msg of Group Key Handshake");
   2241 
   2242 	gtk = gsm->GTK[gsm->GN - 1];
   2243 	if (sm->wpa_auth->conf.disable_gtk) {
   2244 		/*
   2245 		 * Provide unique random GTK to each STA to prevent use
   2246 		 * of GTK in the BSS.
   2247 		 */
   2248 		if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
   2249 			return;
   2250 		gtk = dummy_gtk;
   2251 	}
   2252 	if (sm->wpa == WPA_VERSION_WPA2) {
   2253 		kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
   2254 			ieee80211w_kde_len(sm);
   2255 		kde = os_malloc(kde_len);
   2256 		if (kde == NULL)
   2257 			return;
   2258 
   2259 		pos = kde;
   2260 		hdr[0] = gsm->GN & 0x03;
   2261 		hdr[1] = 0;
   2262 		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
   2263 				  gtk, gsm->GTK_len);
   2264 		pos = ieee80211w_kde_add(sm, pos);
   2265 	} else {
   2266 		kde = gtk;
   2267 		pos = kde + gsm->GTK_len;
   2268 	}
   2269 
   2270 	wpa_send_eapol(sm->wpa_auth, sm,
   2271 		       WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
   2272 		       WPA_KEY_INFO_ACK |
   2273 		       (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
   2274 		       rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1);
   2275 	if (sm->wpa == WPA_VERSION_WPA2)
   2276 		os_free(kde);
   2277 }
   2278 
   2279 
   2280 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
   2281 {
   2282 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
   2283 	sm->EAPOLKeyReceived = FALSE;
   2284 	if (sm->GUpdateStationKeys)
   2285 		sm->group->GKeyDoneStations--;
   2286 	sm->GUpdateStationKeys = FALSE;
   2287 	sm->GTimeoutCtr = 0;
   2288 	/* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
   2289 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
   2290 			 "group key handshake completed (%s)",
   2291 			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
   2292 	sm->has_GTK = TRUE;
   2293 }
   2294 
   2295 
   2296 SM_STATE(WPA_PTK_GROUP, KEYERROR)
   2297 {
   2298 	SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
   2299 	if (sm->GUpdateStationKeys)
   2300 		sm->group->GKeyDoneStations--;
   2301 	sm->GUpdateStationKeys = FALSE;
   2302 	sm->Disconnect = TRUE;
   2303 }
   2304 
   2305 
   2306 SM_STEP(WPA_PTK_GROUP)
   2307 {
   2308 	if (sm->Init || sm->PtkGroupInit) {
   2309 		SM_ENTER(WPA_PTK_GROUP, IDLE);
   2310 		sm->PtkGroupInit = FALSE;
   2311 	} else switch (sm->wpa_ptk_group_state) {
   2312 	case WPA_PTK_GROUP_IDLE:
   2313 		if (sm->GUpdateStationKeys ||
   2314 		    (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
   2315 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
   2316 		break;
   2317 	case WPA_PTK_GROUP_REKEYNEGOTIATING:
   2318 		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
   2319 		    !sm->EAPOLKeyPairwise && sm->MICVerified)
   2320 			SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
   2321 		else if (sm->GTimeoutCtr >
   2322 			 (int) dot11RSNAConfigGroupUpdateCount)
   2323 			SM_ENTER(WPA_PTK_GROUP, KEYERROR);
   2324 		else if (sm->TimeoutEvt)
   2325 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
   2326 		break;
   2327 	case WPA_PTK_GROUP_KEYERROR:
   2328 		SM_ENTER(WPA_PTK_GROUP, IDLE);
   2329 		break;
   2330 	case WPA_PTK_GROUP_REKEYESTABLISHED:
   2331 		SM_ENTER(WPA_PTK_GROUP, IDLE);
   2332 		break;
   2333 	}
   2334 }
   2335 
   2336 
   2337 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
   2338 			  struct wpa_group *group)
   2339 {
   2340 	int ret = 0;
   2341 
   2342 	os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
   2343 	inc_byte_array(group->Counter, WPA_NONCE_LEN);
   2344 	if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
   2345 			   wpa_auth->addr, group->GNonce,
   2346 			   group->GTK[group->GN - 1], group->GTK_len) < 0)
   2347 		ret = -1;
   2348 	wpa_hexdump_key(MSG_DEBUG, "GTK",
   2349 			group->GTK[group->GN - 1], group->GTK_len);
   2350 
   2351 #ifdef CONFIG_IEEE80211W
   2352 	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
   2353 		os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
   2354 		inc_byte_array(group->Counter, WPA_NONCE_LEN);
   2355 		if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
   2356 				   wpa_auth->addr, group->GNonce,
   2357 				   group->IGTK[group->GN_igtk - 4],
   2358 				   WPA_IGTK_LEN) < 0)
   2359 			ret = -1;
   2360 		wpa_hexdump_key(MSG_DEBUG, "IGTK",
   2361 				group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN);
   2362 	}
   2363 #endif /* CONFIG_IEEE80211W */
   2364 
   2365 	return ret;
   2366 }
   2367 
   2368 
   2369 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
   2370 			       struct wpa_group *group)
   2371 {
   2372 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
   2373 		   "GTK_INIT (VLAN-ID %d)", group->vlan_id);
   2374 	group->changed = FALSE; /* GInit is not cleared here; avoid loop */
   2375 	group->wpa_group_state = WPA_GROUP_GTK_INIT;
   2376 
   2377 	/* GTK[0..N] = 0 */
   2378 	os_memset(group->GTK, 0, sizeof(group->GTK));
   2379 	group->GN = 1;
   2380 	group->GM = 2;
   2381 #ifdef CONFIG_IEEE80211W
   2382 	group->GN_igtk = 4;
   2383 	group->GM_igtk = 5;
   2384 #endif /* CONFIG_IEEE80211W */
   2385 	/* GTK[GN] = CalcGTK() */
   2386 	wpa_gtk_update(wpa_auth, group);
   2387 }
   2388 
   2389 
   2390 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
   2391 {
   2392 	if (ctx != NULL && ctx != sm->group)
   2393 		return 0;
   2394 
   2395 	if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
   2396 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   2397 				"Not in PTKINITDONE; skip Group Key update");
   2398 		sm->GUpdateStationKeys = FALSE;
   2399 		return 0;
   2400 	}
   2401 	if (sm->GUpdateStationKeys) {
   2402 		/*
   2403 		 * This should not really happen, so add a debug log entry.
   2404 		 * Since we clear the GKeyDoneStations before the loop, the
   2405 		 * station needs to be counted here anyway.
   2406 		 */
   2407 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
   2408 				"GUpdateStationKeys was already set when "
   2409 				"marking station for GTK rekeying");
   2410 	}
   2411 
   2412 #ifdef CONFIG_IEEE80211V
   2413 	/* Do not rekey GTK/IGTK when STA is in wnmsleep */
   2414 	if (sm->is_wnmsleep)
   2415 		return 0;
   2416 #endif /* CONFIG_IEEE80211V */
   2417 
   2418 	sm->group->GKeyDoneStations++;
   2419 	sm->GUpdateStationKeys = TRUE;
   2420 
   2421 	wpa_sm_step(sm);
   2422 	return 0;
   2423 }
   2424 
   2425 
   2426 #ifdef CONFIG_IEEE80211V
   2427 /* update GTK when exiting wnmsleep mode */
   2428 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
   2429 {
   2430 	if (sm->is_wnmsleep)
   2431 		return;
   2432 
   2433 	wpa_group_update_sta(sm, NULL);
   2434 }
   2435 
   2436 
   2437 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
   2438 {
   2439 	sm->is_wnmsleep = !!flag;
   2440 }
   2441 
   2442 
   2443 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
   2444 {
   2445 	u8 *subelem;
   2446 	struct wpa_group *gsm = sm->group;
   2447 	size_t subelem_len, pad_len;
   2448 	const u8 *key;
   2449 	size_t key_len;
   2450 	u8 keybuf[32];
   2451 
   2452 	/* GTK subslement */
   2453 	key_len = gsm->GTK_len;
   2454 	if (key_len > sizeof(keybuf))
   2455 		return 0;
   2456 
   2457 	/*
   2458 	 * Pad key for AES Key Wrap if it is not multiple of 8 bytes or is less
   2459 	 * than 16 bytes.
   2460 	 */
   2461 	pad_len = key_len % 8;
   2462 	if (pad_len)
   2463 		pad_len = 8 - pad_len;
   2464 	if (key_len + pad_len < 16)
   2465 		pad_len += 8;
   2466 	if (pad_len) {
   2467 		os_memcpy(keybuf, gsm->GTK[gsm->GN - 1], key_len);
   2468 		os_memset(keybuf + key_len, 0, pad_len);
   2469 		keybuf[key_len] = 0xdd;
   2470 		key_len += pad_len;
   2471 		key = keybuf;
   2472 	} else
   2473 		key = gsm->GTK[gsm->GN - 1];
   2474 
   2475 	/*
   2476 	 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
   2477 	 * Key[5..32] | 8 padding.
   2478 	 */
   2479 	subelem_len = 13 + key_len + 8;
   2480 	subelem = os_zalloc(subelem_len);
   2481 	if (subelem == NULL)
   2482 		return 0;
   2483 
   2484 	subelem[0] = WNM_SLEEP_SUBELEM_GTK;
   2485 	subelem[1] = 11 + key_len + 8;
   2486 	/* Key ID in B0-B1 of Key Info */
   2487 	WPA_PUT_LE16(&subelem[2], gsm->GN & 0x03);
   2488 	subelem[4] = gsm->GTK_len;
   2489 	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, subelem + 5) != 0)
   2490 	{
   2491 		os_free(subelem);
   2492 		return 0;
   2493 	}
   2494 	if (aes_wrap(sm->PTK.kek, key_len / 8, key, subelem + 13)) {
   2495 		os_free(subelem);
   2496 		return 0;
   2497 	}
   2498 
   2499 	os_memcpy(pos, subelem, subelem_len);
   2500 
   2501 	wpa_hexdump_key(MSG_DEBUG, "Plaintext GTK",
   2502 			gsm->GTK[gsm->GN - 1], gsm->GTK_len);
   2503 	os_free(subelem);
   2504 
   2505 	return subelem_len;
   2506 }
   2507 
   2508 
   2509 #ifdef CONFIG_IEEE80211W
   2510 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
   2511 {
   2512 	u8 *subelem, *ptr;
   2513 	struct wpa_group *gsm = sm->group;
   2514 	size_t subelem_len;
   2515 
   2516 	/* IGTK subelement
   2517 	 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] |
   2518 	 * Key[16] | 8 padding */
   2519 	subelem_len = 1 + 1 + 2 + 6 + WPA_IGTK_LEN + 8;
   2520 	subelem = os_zalloc(subelem_len);
   2521 	if (subelem == NULL)
   2522 		return 0;
   2523 
   2524 	ptr = subelem;
   2525 	*ptr++ = WNM_SLEEP_SUBELEM_IGTK;
   2526 	*ptr++ = subelem_len - 2;
   2527 	WPA_PUT_LE16(ptr, gsm->GN_igtk);
   2528 	ptr += 2;
   2529 	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, ptr) != 0) {
   2530 		os_free(subelem);
   2531 		return 0;
   2532 	}
   2533 	ptr += 6;
   2534 	if (aes_wrap(sm->PTK.kek, WPA_IGTK_LEN / 8,
   2535 		     gsm->IGTK[gsm->GN_igtk - 4], ptr)) {
   2536 		os_free(subelem);
   2537 		return -1;
   2538 	}
   2539 
   2540 	os_memcpy(pos, subelem, subelem_len);
   2541 
   2542 	wpa_hexdump_key(MSG_DEBUG, "Plaintext IGTK",
   2543 			gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
   2544 	os_free(subelem);
   2545 
   2546 	return subelem_len;
   2547 }
   2548 #endif /* CONFIG_IEEE80211W */
   2549 #endif /* CONFIG_IEEE80211V */
   2550 
   2551 
   2552 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
   2553 			      struct wpa_group *group)
   2554 {
   2555 	int tmp;
   2556 
   2557 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
   2558 		   "SETKEYS (VLAN-ID %d)", group->vlan_id);
   2559 	group->changed = TRUE;
   2560 	group->wpa_group_state = WPA_GROUP_SETKEYS;
   2561 	group->GTKReKey = FALSE;
   2562 	tmp = group->GM;
   2563 	group->GM = group->GN;
   2564 	group->GN = tmp;
   2565 #ifdef CONFIG_IEEE80211W
   2566 	tmp = group->GM_igtk;
   2567 	group->GM_igtk = group->GN_igtk;
   2568 	group->GN_igtk = tmp;
   2569 #endif /* CONFIG_IEEE80211W */
   2570 	/* "GKeyDoneStations = GNoStations" is done in more robust way by
   2571 	 * counting the STAs that are marked with GUpdateStationKeys instead of
   2572 	 * including all STAs that could be in not-yet-completed state. */
   2573 	wpa_gtk_update(wpa_auth, group);
   2574 
   2575 	if (group->GKeyDoneStations) {
   2576 		wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
   2577 			   "GKeyDoneStations=%d when starting new GTK rekey",
   2578 			   group->GKeyDoneStations);
   2579 		group->GKeyDoneStations = 0;
   2580 	}
   2581 	wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
   2582 	wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
   2583 		   group->GKeyDoneStations);
   2584 }
   2585 
   2586 
   2587 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
   2588 				       struct wpa_group *group)
   2589 {
   2590 	int ret = 0;
   2591 
   2592 	if (wpa_auth_set_key(wpa_auth, group->vlan_id,
   2593 			     wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
   2594 			     broadcast_ether_addr, group->GN,
   2595 			     group->GTK[group->GN - 1], group->GTK_len) < 0)
   2596 		ret = -1;
   2597 
   2598 #ifdef CONFIG_IEEE80211W
   2599 	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION &&
   2600 	    wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK,
   2601 			     broadcast_ether_addr, group->GN_igtk,
   2602 			     group->IGTK[group->GN_igtk - 4],
   2603 			     WPA_IGTK_LEN) < 0)
   2604 		ret = -1;
   2605 #endif /* CONFIG_IEEE80211W */
   2606 
   2607 	return ret;
   2608 }
   2609 
   2610 
   2611 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
   2612 				 struct wpa_group *group)
   2613 {
   2614 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
   2615 		   "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
   2616 	group->changed = TRUE;
   2617 	group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
   2618 
   2619 	if (wpa_group_config_group_keys(wpa_auth, group) < 0)
   2620 		return -1;
   2621 
   2622 	return 0;
   2623 }
   2624 
   2625 
   2626 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
   2627 			      struct wpa_group *group)
   2628 {
   2629 	if (group->GInit) {
   2630 		wpa_group_gtk_init(wpa_auth, group);
   2631 	} else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
   2632 		   group->GTKAuthenticator) {
   2633 		wpa_group_setkeysdone(wpa_auth, group);
   2634 	} else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
   2635 		   group->GTKReKey) {
   2636 		wpa_group_setkeys(wpa_auth, group);
   2637 	} else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
   2638 		if (group->GKeyDoneStations == 0)
   2639 			wpa_group_setkeysdone(wpa_auth, group);
   2640 		else if (group->GTKReKey)
   2641 			wpa_group_setkeys(wpa_auth, group);
   2642 	}
   2643 }
   2644 
   2645 
   2646 static int wpa_sm_step(struct wpa_state_machine *sm)
   2647 {
   2648 	if (sm == NULL)
   2649 		return 0;
   2650 
   2651 	if (sm->in_step_loop) {
   2652 		/* This should not happen, but if it does, make sure we do not
   2653 		 * end up freeing the state machine too early by exiting the
   2654 		 * recursive call. */
   2655 		wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
   2656 		return 0;
   2657 	}
   2658 
   2659 	sm->in_step_loop = 1;
   2660 	do {
   2661 		if (sm->pending_deinit)
   2662 			break;
   2663 
   2664 		sm->changed = FALSE;
   2665 		sm->wpa_auth->group->changed = FALSE;
   2666 
   2667 		SM_STEP_RUN(WPA_PTK);
   2668 		if (sm->pending_deinit)
   2669 			break;
   2670 		SM_STEP_RUN(WPA_PTK_GROUP);
   2671 		if (sm->pending_deinit)
   2672 			break;
   2673 		wpa_group_sm_step(sm->wpa_auth, sm->group);
   2674 	} while (sm->changed || sm->wpa_auth->group->changed);
   2675 	sm->in_step_loop = 0;
   2676 
   2677 	if (sm->pending_deinit) {
   2678 		wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
   2679 			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
   2680 		wpa_free_sta_sm(sm);
   2681 		return 1;
   2682 	}
   2683 	return 0;
   2684 }
   2685 
   2686 
   2687 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
   2688 {
   2689 	struct wpa_state_machine *sm = eloop_ctx;
   2690 	wpa_sm_step(sm);
   2691 }
   2692 
   2693 
   2694 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
   2695 {
   2696 	if (sm == NULL)
   2697 		return;
   2698 	eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
   2699 }
   2700 
   2701 
   2702 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
   2703 {
   2704 	int tmp, i;
   2705 	struct wpa_group *group;
   2706 
   2707 	if (wpa_auth == NULL)
   2708 		return;
   2709 
   2710 	group = wpa_auth->group;
   2711 
   2712 	for (i = 0; i < 2; i++) {
   2713 		tmp = group->GM;
   2714 		group->GM = group->GN;
   2715 		group->GN = tmp;
   2716 #ifdef CONFIG_IEEE80211W
   2717 		tmp = group->GM_igtk;
   2718 		group->GM_igtk = group->GN_igtk;
   2719 		group->GN_igtk = tmp;
   2720 #endif /* CONFIG_IEEE80211W */
   2721 		wpa_gtk_update(wpa_auth, group);
   2722 		wpa_group_config_group_keys(wpa_auth, group);
   2723 	}
   2724 }
   2725 
   2726 
   2727 static const char * wpa_bool_txt(int bool)
   2728 {
   2729 	return bool ? "TRUE" : "FALSE";
   2730 }
   2731 
   2732 
   2733 #define RSN_SUITE "%02x-%02x-%02x-%d"
   2734 #define RSN_SUITE_ARG(s) \
   2735 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
   2736 
   2737 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
   2738 {
   2739 	int len = 0, ret;
   2740 	char pmkid_txt[PMKID_LEN * 2 + 1];
   2741 #ifdef CONFIG_RSN_PREAUTH
   2742 	const int preauth = 1;
   2743 #else /* CONFIG_RSN_PREAUTH */
   2744 	const int preauth = 0;
   2745 #endif /* CONFIG_RSN_PREAUTH */
   2746 
   2747 	if (wpa_auth == NULL)
   2748 		return len;
   2749 
   2750 	ret = os_snprintf(buf + len, buflen - len,
   2751 			  "dot11RSNAOptionImplemented=TRUE\n"
   2752 			  "dot11RSNAPreauthenticationImplemented=%s\n"
   2753 			  "dot11RSNAEnabled=%s\n"
   2754 			  "dot11RSNAPreauthenticationEnabled=%s\n",
   2755 			  wpa_bool_txt(preauth),
   2756 			  wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
   2757 			  wpa_bool_txt(wpa_auth->conf.rsn_preauth));
   2758 	if (ret < 0 || (size_t) ret >= buflen - len)
   2759 		return len;
   2760 	len += ret;
   2761 
   2762 	wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
   2763 			 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
   2764 
   2765 	ret = os_snprintf(
   2766 		buf + len, buflen - len,
   2767 		"dot11RSNAConfigVersion=%u\n"
   2768 		"dot11RSNAConfigPairwiseKeysSupported=9999\n"
   2769 		/* FIX: dot11RSNAConfigGroupCipher */
   2770 		/* FIX: dot11RSNAConfigGroupRekeyMethod */
   2771 		/* FIX: dot11RSNAConfigGroupRekeyTime */
   2772 		/* FIX: dot11RSNAConfigGroupRekeyPackets */
   2773 		"dot11RSNAConfigGroupRekeyStrict=%u\n"
   2774 		"dot11RSNAConfigGroupUpdateCount=%u\n"
   2775 		"dot11RSNAConfigPairwiseUpdateCount=%u\n"
   2776 		"dot11RSNAConfigGroupCipherSize=%u\n"
   2777 		"dot11RSNAConfigPMKLifetime=%u\n"
   2778 		"dot11RSNAConfigPMKReauthThreshold=%u\n"
   2779 		"dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
   2780 		"dot11RSNAConfigSATimeout=%u\n"
   2781 		"dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
   2782 		"dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
   2783 		"dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
   2784 		"dot11RSNAPMKIDUsed=%s\n"
   2785 		"dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
   2786 		"dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
   2787 		"dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
   2788 		"dot11RSNATKIPCounterMeasuresInvoked=%u\n"
   2789 		"dot11RSNA4WayHandshakeFailures=%u\n"
   2790 		"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
   2791 		RSN_VERSION,
   2792 		!!wpa_auth->conf.wpa_strict_rekey,
   2793 		dot11RSNAConfigGroupUpdateCount,
   2794 		dot11RSNAConfigPairwiseUpdateCount,
   2795 		wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
   2796 		dot11RSNAConfigPMKLifetime,
   2797 		dot11RSNAConfigPMKReauthThreshold,
   2798 		dot11RSNAConfigSATimeout,
   2799 		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
   2800 		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
   2801 		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
   2802 		pmkid_txt,
   2803 		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
   2804 		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
   2805 		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
   2806 		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
   2807 		wpa_auth->dot11RSNA4WayHandshakeFailures);
   2808 	if (ret < 0 || (size_t) ret >= buflen - len)
   2809 		return len;
   2810 	len += ret;
   2811 
   2812 	/* TODO: dot11RSNAConfigPairwiseCiphersTable */
   2813 	/* TODO: dot11RSNAConfigAuthenticationSuitesTable */
   2814 
   2815 	/* Private MIB */
   2816 	ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
   2817 			  wpa_auth->group->wpa_group_state);
   2818 	if (ret < 0 || (size_t) ret >= buflen - len)
   2819 		return len;
   2820 	len += ret;
   2821 
   2822 	return len;
   2823 }
   2824 
   2825 
   2826 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
   2827 {
   2828 	int len = 0, ret;
   2829 	u32 pairwise = 0;
   2830 
   2831 	if (sm == NULL)
   2832 		return 0;
   2833 
   2834 	/* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
   2835 
   2836 	/* dot11RSNAStatsEntry */
   2837 
   2838 	pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
   2839 				       WPA_PROTO_RSN : WPA_PROTO_WPA,
   2840 				       sm->pairwise);
   2841 	if (pairwise == 0)
   2842 		return 0;
   2843 
   2844 	ret = os_snprintf(
   2845 		buf + len, buflen - len,
   2846 		/* TODO: dot11RSNAStatsIndex */
   2847 		"dot11RSNAStatsSTAAddress=" MACSTR "\n"
   2848 		"dot11RSNAStatsVersion=1\n"
   2849 		"dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
   2850 		/* TODO: dot11RSNAStatsTKIPICVErrors */
   2851 		"dot11RSNAStatsTKIPLocalMICFailures=%u\n"
   2852 		"dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
   2853 		/* TODO: dot11RSNAStatsCCMPReplays */
   2854 		/* TODO: dot11RSNAStatsCCMPDecryptErrors */
   2855 		/* TODO: dot11RSNAStatsTKIPReplays */,
   2856 		MAC2STR(sm->addr),
   2857 		RSN_SUITE_ARG(pairwise),
   2858 		sm->dot11RSNAStatsTKIPLocalMICFailures,
   2859 		sm->dot11RSNAStatsTKIPRemoteMICFailures);
   2860 	if (ret < 0 || (size_t) ret >= buflen - len)
   2861 		return len;
   2862 	len += ret;
   2863 
   2864 	/* Private MIB */
   2865 	ret = os_snprintf(buf + len, buflen - len,
   2866 			  "hostapdWPAPTKState=%d\n"
   2867 			  "hostapdWPAPTKGroupState=%d\n",
   2868 			  sm->wpa_ptk_state,
   2869 			  sm->wpa_ptk_group_state);
   2870 	if (ret < 0 || (size_t) ret >= buflen - len)
   2871 		return len;
   2872 	len += ret;
   2873 
   2874 	return len;
   2875 }
   2876 
   2877 
   2878 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
   2879 {
   2880 	if (wpa_auth)
   2881 		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
   2882 }
   2883 
   2884 
   2885 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
   2886 {
   2887 	return sm && sm->pairwise_set;
   2888 }
   2889 
   2890 
   2891 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
   2892 {
   2893 	return sm->pairwise;
   2894 }
   2895 
   2896 
   2897 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
   2898 {
   2899 	if (sm == NULL)
   2900 		return -1;
   2901 	return sm->wpa_key_mgmt;
   2902 }
   2903 
   2904 
   2905 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
   2906 {
   2907 	if (sm == NULL)
   2908 		return 0;
   2909 	return sm->wpa;
   2910 }
   2911 
   2912 
   2913 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
   2914 			     struct rsn_pmksa_cache_entry *entry)
   2915 {
   2916 	if (sm == NULL || sm->pmksa != entry)
   2917 		return -1;
   2918 	sm->pmksa = NULL;
   2919 	return 0;
   2920 }
   2921 
   2922 
   2923 struct rsn_pmksa_cache_entry *
   2924 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
   2925 {
   2926 	return sm ? sm->pmksa : NULL;
   2927 }
   2928 
   2929 
   2930 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
   2931 {
   2932 	if (sm)
   2933 		sm->dot11RSNAStatsTKIPLocalMICFailures++;
   2934 }
   2935 
   2936 
   2937 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
   2938 {
   2939 	if (wpa_auth == NULL)
   2940 		return NULL;
   2941 	*len = wpa_auth->wpa_ie_len;
   2942 	return wpa_auth->wpa_ie;
   2943 }
   2944 
   2945 
   2946 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
   2947 		       int session_timeout, struct eapol_state_machine *eapol)
   2948 {
   2949 	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
   2950 	    sm->wpa_auth->conf.disable_pmksa_caching)
   2951 		return -1;
   2952 
   2953 	if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
   2954 				 sm->wpa_auth->addr, sm->addr, session_timeout,
   2955 				 eapol, sm->wpa_key_mgmt))
   2956 		return 0;
   2957 
   2958 	return -1;
   2959 }
   2960 
   2961 
   2962 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
   2963 			       const u8 *pmk, size_t len, const u8 *sta_addr,
   2964 			       int session_timeout,
   2965 			       struct eapol_state_machine *eapol)
   2966 {
   2967 	if (wpa_auth == NULL)
   2968 		return -1;
   2969 
   2970 	if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr,
   2971 				 sta_addr, session_timeout, eapol,
   2972 				 WPA_KEY_MGMT_IEEE8021X))
   2973 		return 0;
   2974 
   2975 	return -1;
   2976 }
   2977 
   2978 
   2979 static struct wpa_group *
   2980 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
   2981 {
   2982 	struct wpa_group *group;
   2983 
   2984 	if (wpa_auth == NULL || wpa_auth->group == NULL)
   2985 		return NULL;
   2986 
   2987 	wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
   2988 		   vlan_id);
   2989 	group = wpa_group_init(wpa_auth, vlan_id, 0);
   2990 	if (group == NULL)
   2991 		return NULL;
   2992 
   2993 	group->next = wpa_auth->group->next;
   2994 	wpa_auth->group->next = group;
   2995 
   2996 	return group;
   2997 }
   2998 
   2999 
   3000 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
   3001 {
   3002 	struct wpa_group *group;
   3003 
   3004 	if (sm == NULL || sm->wpa_auth == NULL)
   3005 		return 0;
   3006 
   3007 	group = sm->wpa_auth->group;
   3008 	while (group) {
   3009 		if (group->vlan_id == vlan_id)
   3010 			break;
   3011 		group = group->next;
   3012 	}
   3013 
   3014 	if (group == NULL) {
   3015 		group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
   3016 		if (group == NULL)
   3017 			return -1;
   3018 	}
   3019 
   3020 	if (sm->group == group)
   3021 		return 0;
   3022 
   3023 	wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
   3024 		   "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
   3025 
   3026 	sm->group = group;
   3027 	return 0;
   3028 }
   3029 
   3030 
   3031 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
   3032 				  struct wpa_state_machine *sm, int ack)
   3033 {
   3034 	if (wpa_auth == NULL || sm == NULL)
   3035 		return;
   3036 	wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
   3037 		   " ack=%d", MAC2STR(sm->addr), ack);
   3038 	if (sm->pending_1_of_4_timeout && ack) {
   3039 		/*
   3040 		 * Some deployed supplicant implementations update their SNonce
   3041 		 * for each EAPOL-Key 2/4 message even within the same 4-way
   3042 		 * handshake and then fail to use the first SNonce when
   3043 		 * deriving the PTK. This results in unsuccessful 4-way
   3044 		 * handshake whenever the relatively short initial timeout is
   3045 		 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
   3046 		 * around this by increasing the timeout now that we know that
   3047 		 * the station has received the frame.
   3048 		 */
   3049 		int timeout_ms = eapol_key_timeout_subseq;
   3050 		wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
   3051 			   "timeout by %u ms because of acknowledged frame",
   3052 			   timeout_ms);
   3053 		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
   3054 		eloop_register_timeout(timeout_ms / 1000,
   3055 				       (timeout_ms % 1000) * 1000,
   3056 				       wpa_send_eapol_timeout, wpa_auth, sm);
   3057 	}
   3058 }
   3059