• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * IEEE 802.11 RSN / WPA Authenticator
3  * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "utils/state_machine.h"
14 #include "common/ieee802_11_defs.h"
15 #include "crypto/aes_wrap.h"
16 #include "crypto/crypto.h"
17 #include "crypto/sha1.h"
18 #include "crypto/sha256.h"
19 #include "crypto/random.h"
20 #include "eapol_auth/eapol_auth_sm.h"
21 #include "ap_config.h"
22 #include "ieee802_11.h"
23 #include "wpa_auth.h"
24 #include "pmksa_cache_auth.h"
25 #include "wpa_auth_i.h"
26 #include "wpa_auth_ie.h"
27 
28 #define STATE_MACHINE_DATA struct wpa_state_machine
29 #define STATE_MACHINE_DEBUG_PREFIX "WPA"
30 #define STATE_MACHINE_ADDR sm->addr
31 
32 
33 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx);
34 static int wpa_sm_step(struct wpa_state_machine *sm);
35 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len);
36 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx);
37 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
38 			      struct wpa_group *group);
39 static void wpa_request_new_ptk(struct wpa_state_machine *sm);
40 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
41 			  struct wpa_group *group);
42 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
43 				       struct wpa_group *group);
44 
45 static const u32 dot11RSNAConfigGroupUpdateCount = 4;
46 static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
47 static const u32 eapol_key_timeout_first = 100; /* ms */
48 static const u32 eapol_key_timeout_subseq = 1000; /* ms */
49 static const u32 eapol_key_timeout_first_group = 500; /* ms */
50 
51 /* TODO: make these configurable */
52 static const int dot11RSNAConfigPMKLifetime = 43200;
53 static const int dot11RSNAConfigPMKReauthThreshold = 70;
54 static const int dot11RSNAConfigSATimeout = 60;
55 
56 
wpa_auth_mic_failure_report(struct wpa_authenticator * wpa_auth,const u8 * addr)57 static inline void wpa_auth_mic_failure_report(
58 	struct wpa_authenticator *wpa_auth, const u8 *addr)
59 {
60 	if (wpa_auth->cb.mic_failure_report)
61 		wpa_auth->cb.mic_failure_report(wpa_auth->cb.ctx, addr);
62 }
63 
64 
wpa_auth_set_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var,int value)65 static inline void wpa_auth_set_eapol(struct wpa_authenticator *wpa_auth,
66 				      const u8 *addr, wpa_eapol_variable var,
67 				      int value)
68 {
69 	if (wpa_auth->cb.set_eapol)
70 		wpa_auth->cb.set_eapol(wpa_auth->cb.ctx, addr, var, value);
71 }
72 
73 
wpa_auth_get_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,wpa_eapol_variable var)74 static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
75 				     const u8 *addr, wpa_eapol_variable var)
76 {
77 	if (wpa_auth->cb.get_eapol == NULL)
78 		return -1;
79 	return wpa_auth->cb.get_eapol(wpa_auth->cb.ctx, addr, var);
80 }
81 
82 
wpa_auth_get_psk(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * prev_psk)83 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
84 					  const u8 *addr, const u8 *prev_psk)
85 {
86 	if (wpa_auth->cb.get_psk == NULL)
87 		return NULL;
88 	return wpa_auth->cb.get_psk(wpa_auth->cb.ctx, addr, prev_psk);
89 }
90 
91 
wpa_auth_get_msk(struct wpa_authenticator * wpa_auth,const u8 * addr,u8 * msk,size_t * len)92 static inline int wpa_auth_get_msk(struct wpa_authenticator *wpa_auth,
93 				   const u8 *addr, u8 *msk, size_t *len)
94 {
95 	if (wpa_auth->cb.get_msk == NULL)
96 		return -1;
97 	return wpa_auth->cb.get_msk(wpa_auth->cb.ctx, addr, msk, len);
98 }
99 
100 
wpa_auth_set_key(struct wpa_authenticator * wpa_auth,int vlan_id,enum wpa_alg alg,const u8 * addr,int idx,u8 * key,size_t key_len)101 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
102 				   int vlan_id,
103 				   enum wpa_alg alg, const u8 *addr, int idx,
104 				   u8 *key, size_t key_len)
105 {
106 	if (wpa_auth->cb.set_key == NULL)
107 		return -1;
108 	return wpa_auth->cb.set_key(wpa_auth->cb.ctx, vlan_id, alg, addr, idx,
109 				    key, key_len);
110 }
111 
112 
wpa_auth_get_seqnum(struct wpa_authenticator * wpa_auth,const u8 * addr,int idx,u8 * seq)113 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
114 				      const u8 *addr, int idx, u8 *seq)
115 {
116 	if (wpa_auth->cb.get_seqnum == NULL)
117 		return -1;
118 	return wpa_auth->cb.get_seqnum(wpa_auth->cb.ctx, addr, idx, seq);
119 }
120 
121 
122 static inline int
wpa_auth_send_eapol(struct wpa_authenticator * wpa_auth,const u8 * addr,const u8 * data,size_t data_len,int encrypt)123 wpa_auth_send_eapol(struct wpa_authenticator *wpa_auth, const u8 *addr,
124 		    const u8 *data, size_t data_len, int encrypt)
125 {
126 	if (wpa_auth->cb.send_eapol == NULL)
127 		return -1;
128 	return wpa_auth->cb.send_eapol(wpa_auth->cb.ctx, addr, data, data_len,
129 				       encrypt);
130 }
131 
132 
wpa_auth_for_each_sta(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_state_machine * sm,void * ctx),void * cb_ctx)133 int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
134 			  int (*cb)(struct wpa_state_machine *sm, void *ctx),
135 			  void *cb_ctx)
136 {
137 	if (wpa_auth->cb.for_each_sta == NULL)
138 		return 0;
139 	return wpa_auth->cb.for_each_sta(wpa_auth->cb.ctx, cb, cb_ctx);
140 }
141 
142 
wpa_auth_for_each_auth(struct wpa_authenticator * wpa_auth,int (* cb)(struct wpa_authenticator * a,void * ctx),void * cb_ctx)143 int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
144 			   int (*cb)(struct wpa_authenticator *a, void *ctx),
145 			   void *cb_ctx)
146 {
147 	if (wpa_auth->cb.for_each_auth == NULL)
148 		return 0;
149 	return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
150 }
151 
152 
wpa_auth_logger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * txt)153 void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
154 		     logger_level level, const char *txt)
155 {
156 	if (wpa_auth->cb.logger == NULL)
157 		return;
158 	wpa_auth->cb.logger(wpa_auth->cb.ctx, addr, level, txt);
159 }
160 
161 
wpa_auth_vlogger(struct wpa_authenticator * wpa_auth,const u8 * addr,logger_level level,const char * fmt,...)162 void wpa_auth_vlogger(struct wpa_authenticator *wpa_auth, const u8 *addr,
163 		      logger_level level, const char *fmt, ...)
164 {
165 	char *format;
166 	int maxlen;
167 	va_list ap;
168 
169 	if (wpa_auth->cb.logger == NULL)
170 		return;
171 
172 	maxlen = os_strlen(fmt) + 100;
173 	format = os_malloc(maxlen);
174 	if (!format)
175 		return;
176 
177 	va_start(ap, fmt);
178 	vsnprintf(format, maxlen, fmt, ap);
179 	va_end(ap);
180 
181 	wpa_auth_logger(wpa_auth, addr, level, format);
182 
183 	os_free(format);
184 }
185 
186 
wpa_sta_disconnect(struct wpa_authenticator * wpa_auth,const u8 * addr)187 static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
188 			       const u8 *addr)
189 {
190 	if (wpa_auth->cb.disconnect == NULL)
191 		return;
192 	wpa_printf(MSG_DEBUG, "wpa_sta_disconnect STA " MACSTR, MAC2STR(addr));
193 	wpa_auth->cb.disconnect(wpa_auth->cb.ctx, addr,
194 				WLAN_REASON_PREV_AUTH_NOT_VALID);
195 }
196 
197 
wpa_use_aes_cmac(struct wpa_state_machine * sm)198 static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
199 {
200 	int ret = 0;
201 #ifdef CONFIG_IEEE80211R
202 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
203 		ret = 1;
204 #endif /* CONFIG_IEEE80211R */
205 #ifdef CONFIG_IEEE80211W
206 	if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
207 		ret = 1;
208 #endif /* CONFIG_IEEE80211W */
209 	return ret;
210 }
211 
212 
wpa_rekey_gmk(void * eloop_ctx,void * timeout_ctx)213 static void wpa_rekey_gmk(void *eloop_ctx, void *timeout_ctx)
214 {
215 	struct wpa_authenticator *wpa_auth = eloop_ctx;
216 
217 	if (random_get_bytes(wpa_auth->group->GMK, WPA_GMK_LEN)) {
218 		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
219 			   "initialization.");
220 	} else {
221 		wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "GMK rekeyd");
222 		wpa_hexdump_key(MSG_DEBUG, "GMK",
223 				wpa_auth->group->GMK, WPA_GMK_LEN);
224 	}
225 
226 	if (wpa_auth->conf.wpa_gmk_rekey) {
227 		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
228 				       wpa_rekey_gmk, wpa_auth, NULL);
229 	}
230 }
231 
232 
wpa_rekey_gtk(void * eloop_ctx,void * timeout_ctx)233 static void wpa_rekey_gtk(void *eloop_ctx, void *timeout_ctx)
234 {
235 	struct wpa_authenticator *wpa_auth = eloop_ctx;
236 	struct wpa_group *group;
237 
238 	wpa_auth_logger(wpa_auth, NULL, LOGGER_DEBUG, "rekeying GTK");
239 	for (group = wpa_auth->group; group; group = group->next) {
240 		group->GTKReKey = TRUE;
241 		do {
242 			group->changed = FALSE;
243 			wpa_group_sm_step(wpa_auth, group);
244 		} while (group->changed);
245 	}
246 
247 	if (wpa_auth->conf.wpa_group_rekey) {
248 		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey,
249 				       0, wpa_rekey_gtk, wpa_auth, NULL);
250 	}
251 }
252 
253 
wpa_rekey_ptk(void * eloop_ctx,void * timeout_ctx)254 static void wpa_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
255 {
256 	struct wpa_authenticator *wpa_auth = eloop_ctx;
257 	struct wpa_state_machine *sm = timeout_ctx;
258 
259 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
260 	wpa_request_new_ptk(sm);
261 	wpa_sm_step(sm);
262 }
263 
264 
wpa_auth_pmksa_clear_cb(struct wpa_state_machine * sm,void * ctx)265 static int wpa_auth_pmksa_clear_cb(struct wpa_state_machine *sm, void *ctx)
266 {
267 	if (sm->pmksa == ctx)
268 		sm->pmksa = NULL;
269 	return 0;
270 }
271 
272 
wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry * entry,void * ctx)273 static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry,
274 				   void *ctx)
275 {
276 	struct wpa_authenticator *wpa_auth = ctx;
277 	wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry);
278 }
279 
280 
wpa_group_init_gmk_and_counter(struct wpa_authenticator * wpa_auth,struct wpa_group * group)281 static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
282 					  struct wpa_group *group)
283 {
284 	u8 buf[ETH_ALEN + 8 + sizeof(group)];
285 	u8 rkey[32];
286 
287 	if (random_get_bytes(group->GMK, WPA_GMK_LEN) < 0)
288 		return -1;
289 	wpa_hexdump_key(MSG_DEBUG, "GMK", group->GMK, WPA_GMK_LEN);
290 
291 	/*
292 	 * Counter = PRF-256(Random number, "Init Counter",
293 	 *                   Local MAC Address || Time)
294 	 */
295 	os_memcpy(buf, wpa_auth->addr, ETH_ALEN);
296 	wpa_get_ntp_timestamp(buf + ETH_ALEN);
297 	os_memcpy(buf + ETH_ALEN + 8, &group, sizeof(group));
298 	if (random_get_bytes(rkey, sizeof(rkey)) < 0)
299 		return -1;
300 
301 	if (sha1_prf(rkey, sizeof(rkey), "Init Counter", buf, sizeof(buf),
302 		     group->Counter, WPA_NONCE_LEN) < 0)
303 		return -1;
304 	wpa_hexdump_key(MSG_DEBUG, "Key Counter",
305 			group->Counter, WPA_NONCE_LEN);
306 
307 	return 0;
308 }
309 
310 
wpa_group_init(struct wpa_authenticator * wpa_auth,int vlan_id,int delay_init)311 static struct wpa_group * wpa_group_init(struct wpa_authenticator *wpa_auth,
312 					 int vlan_id, int delay_init)
313 {
314 	struct wpa_group *group;
315 
316 	group = os_zalloc(sizeof(struct wpa_group));
317 	if (group == NULL)
318 		return NULL;
319 
320 	group->GTKAuthenticator = TRUE;
321 	group->vlan_id = vlan_id;
322 	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
323 
324 	if (random_pool_ready() != 1) {
325 		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
326 			   "for secure operations - update keys later when "
327 			   "the first station connects");
328 	}
329 
330 	/*
331 	 * Set initial GMK/Counter value here. The actual values that will be
332 	 * used in negotiations will be set once the first station tries to
333 	 * connect. This allows more time for collecting additional randomness
334 	 * on embedded devices.
335 	 */
336 	if (wpa_group_init_gmk_and_counter(wpa_auth, group) < 0) {
337 		wpa_printf(MSG_ERROR, "Failed to get random data for WPA "
338 			   "initialization.");
339 		os_free(group);
340 		return NULL;
341 	}
342 
343 	group->GInit = TRUE;
344 	if (delay_init) {
345 		wpa_printf(MSG_DEBUG, "WPA: Delay group state machine start "
346 			   "until Beacon frames have been configured");
347 		/* Initialization is completed in wpa_init_keys(). */
348 	} else {
349 		wpa_group_sm_step(wpa_auth, group);
350 		group->GInit = FALSE;
351 		wpa_group_sm_step(wpa_auth, group);
352 	}
353 
354 	return group;
355 }
356 
357 
358 /**
359  * wpa_init - Initialize WPA authenticator
360  * @addr: Authenticator address
361  * @conf: Configuration for WPA authenticator
362  * @cb: Callback functions for WPA authenticator
363  * Returns: Pointer to WPA authenticator data or %NULL on failure
364  */
wpa_init(const u8 * addr,struct wpa_auth_config * conf,struct wpa_auth_callbacks * cb)365 struct wpa_authenticator * wpa_init(const u8 *addr,
366 				    struct wpa_auth_config *conf,
367 				    struct wpa_auth_callbacks *cb)
368 {
369 	struct wpa_authenticator *wpa_auth;
370 
371 	wpa_auth = os_zalloc(sizeof(struct wpa_authenticator));
372 	if (wpa_auth == NULL)
373 		return NULL;
374 	os_memcpy(wpa_auth->addr, addr, ETH_ALEN);
375 	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
376 	os_memcpy(&wpa_auth->cb, cb, sizeof(*cb));
377 
378 	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
379 		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
380 		os_free(wpa_auth);
381 		return NULL;
382 	}
383 
384 	wpa_auth->group = wpa_group_init(wpa_auth, 0, 1);
385 	if (wpa_auth->group == NULL) {
386 		os_free(wpa_auth->wpa_ie);
387 		os_free(wpa_auth);
388 		return NULL;
389 	}
390 
391 	wpa_auth->pmksa = pmksa_cache_auth_init(wpa_auth_pmksa_free_cb,
392 						wpa_auth);
393 	if (wpa_auth->pmksa == NULL) {
394 		wpa_printf(MSG_ERROR, "PMKSA cache initialization failed.");
395 		os_free(wpa_auth->wpa_ie);
396 		os_free(wpa_auth);
397 		return NULL;
398 	}
399 
400 #ifdef CONFIG_IEEE80211R
401 	wpa_auth->ft_pmk_cache = wpa_ft_pmk_cache_init();
402 	if (wpa_auth->ft_pmk_cache == NULL) {
403 		wpa_printf(MSG_ERROR, "FT PMK cache initialization failed.");
404 		os_free(wpa_auth->wpa_ie);
405 		pmksa_cache_auth_deinit(wpa_auth->pmksa);
406 		os_free(wpa_auth);
407 		return NULL;
408 	}
409 #endif /* CONFIG_IEEE80211R */
410 
411 	if (wpa_auth->conf.wpa_gmk_rekey) {
412 		eloop_register_timeout(wpa_auth->conf.wpa_gmk_rekey, 0,
413 				       wpa_rekey_gmk, wpa_auth, NULL);
414 	}
415 
416 	if (wpa_auth->conf.wpa_group_rekey) {
417 		eloop_register_timeout(wpa_auth->conf.wpa_group_rekey, 0,
418 				       wpa_rekey_gtk, wpa_auth, NULL);
419 	}
420 
421 	return wpa_auth;
422 }
423 
424 
wpa_init_keys(struct wpa_authenticator * wpa_auth)425 int wpa_init_keys(struct wpa_authenticator *wpa_auth)
426 {
427 	struct wpa_group *group = wpa_auth->group;
428 
429 	wpa_printf(MSG_DEBUG, "WPA: Start group state machine to set initial "
430 		   "keys");
431 	wpa_group_sm_step(wpa_auth, group);
432 	group->GInit = FALSE;
433 	wpa_group_sm_step(wpa_auth, group);
434 	return 0;
435 }
436 
437 
438 /**
439  * wpa_deinit - Deinitialize WPA authenticator
440  * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
441  */
wpa_deinit(struct wpa_authenticator * wpa_auth)442 void wpa_deinit(struct wpa_authenticator *wpa_auth)
443 {
444 	struct wpa_group *group, *prev;
445 
446 	eloop_cancel_timeout(wpa_rekey_gmk, wpa_auth, NULL);
447 	eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
448 
449 #ifdef CONFIG_PEERKEY
450 	while (wpa_auth->stsl_negotiations)
451 		wpa_stsl_remove(wpa_auth, wpa_auth->stsl_negotiations);
452 #endif /* CONFIG_PEERKEY */
453 
454 	pmksa_cache_auth_deinit(wpa_auth->pmksa);
455 
456 #ifdef CONFIG_IEEE80211R
457 	wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
458 	wpa_auth->ft_pmk_cache = NULL;
459 #endif /* CONFIG_IEEE80211R */
460 
461 	os_free(wpa_auth->wpa_ie);
462 
463 	group = wpa_auth->group;
464 	while (group) {
465 		prev = group;
466 		group = group->next;
467 		os_free(prev);
468 	}
469 
470 	os_free(wpa_auth);
471 }
472 
473 
474 /**
475  * wpa_reconfig - Update WPA authenticator configuration
476  * @wpa_auth: Pointer to WPA authenticator data from wpa_init()
477  * @conf: Configuration for WPA authenticator
478  */
wpa_reconfig(struct wpa_authenticator * wpa_auth,struct wpa_auth_config * conf)479 int wpa_reconfig(struct wpa_authenticator *wpa_auth,
480 		 struct wpa_auth_config *conf)
481 {
482 	struct wpa_group *group;
483 	if (wpa_auth == NULL)
484 		return 0;
485 
486 	os_memcpy(&wpa_auth->conf, conf, sizeof(*conf));
487 	if (wpa_auth_gen_wpa_ie(wpa_auth)) {
488 		wpa_printf(MSG_ERROR, "Could not generate WPA IE.");
489 		return -1;
490 	}
491 
492 	/*
493 	 * Reinitialize GTK to make sure it is suitable for the new
494 	 * configuration.
495 	 */
496 	group = wpa_auth->group;
497 	group->GTK_len = wpa_cipher_key_len(wpa_auth->conf.wpa_group);
498 	group->GInit = TRUE;
499 	wpa_group_sm_step(wpa_auth, group);
500 	group->GInit = FALSE;
501 	wpa_group_sm_step(wpa_auth, group);
502 
503 	return 0;
504 }
505 
506 
507 struct wpa_state_machine *
wpa_auth_sta_init(struct wpa_authenticator * wpa_auth,const u8 * addr)508 wpa_auth_sta_init(struct wpa_authenticator *wpa_auth, const u8 *addr)
509 {
510 	struct wpa_state_machine *sm;
511 
512 	sm = os_zalloc(sizeof(struct wpa_state_machine));
513 	if (sm == NULL)
514 		return NULL;
515 	os_memcpy(sm->addr, addr, ETH_ALEN);
516 
517 	sm->wpa_auth = wpa_auth;
518 	sm->group = wpa_auth->group;
519 
520 	return sm;
521 }
522 
523 
wpa_auth_sta_associated(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm)524 int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
525 			    struct wpa_state_machine *sm)
526 {
527 	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
528 		return -1;
529 
530 #ifdef CONFIG_IEEE80211R
531 	if (sm->ft_completed) {
532 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
533 				"FT authentication already completed - do not "
534 				"start 4-way handshake");
535 		return 0;
536 	}
537 #endif /* CONFIG_IEEE80211R */
538 
539 	if (sm->started) {
540 		os_memset(&sm->key_replay, 0, sizeof(sm->key_replay));
541 		sm->ReAuthenticationRequest = TRUE;
542 		return wpa_sm_step(sm);
543 	}
544 
545 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
546 			"start authentication");
547 	sm->started = 1;
548 
549 	sm->Init = TRUE;
550 	if (wpa_sm_step(sm) == 1)
551 		return 1; /* should not really happen */
552 	sm->Init = FALSE;
553 	sm->AuthenticationRequest = TRUE;
554 	return wpa_sm_step(sm);
555 }
556 
557 
wpa_auth_sta_no_wpa(struct wpa_state_machine * sm)558 void wpa_auth_sta_no_wpa(struct wpa_state_machine *sm)
559 {
560 	/* WPA/RSN was not used - clear WPA state. This is needed if the STA
561 	 * reassociates back to the same AP while the previous entry for the
562 	 * STA has not yet been removed. */
563 	if (sm == NULL)
564 		return;
565 
566 	sm->wpa_key_mgmt = 0;
567 }
568 
569 
wpa_free_sta_sm(struct wpa_state_machine * sm)570 static void wpa_free_sta_sm(struct wpa_state_machine *sm)
571 {
572 	if (sm->GUpdateStationKeys) {
573 		sm->group->GKeyDoneStations--;
574 		sm->GUpdateStationKeys = FALSE;
575 	}
576 #ifdef CONFIG_IEEE80211R
577 	os_free(sm->assoc_resp_ftie);
578 #endif /* CONFIG_IEEE80211R */
579 	os_free(sm->last_rx_eapol_key);
580 	os_free(sm->wpa_ie);
581 	os_free(sm);
582 }
583 
584 
wpa_auth_sta_deinit(struct wpa_state_machine * sm)585 void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
586 {
587 	if (sm == NULL)
588 		return;
589 
590 	if (sm->wpa_auth->conf.wpa_strict_rekey && sm->has_GTK) {
591 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
592 				"strict rekeying - force GTK rekey since STA "
593 				"is leaving");
594 		eloop_cancel_timeout(wpa_rekey_gtk, sm->wpa_auth, NULL);
595 		eloop_register_timeout(0, 500000, wpa_rekey_gtk, sm->wpa_auth,
596 				       NULL);
597 	}
598 
599 	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
600 	sm->pending_1_of_4_timeout = 0;
601 	eloop_cancel_timeout(wpa_sm_call_step, sm, NULL);
602 	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
603 	if (sm->in_step_loop) {
604 		/* Must not free state machine while wpa_sm_step() is running.
605 		 * Freeing will be completed in the end of wpa_sm_step(). */
606 		wpa_printf(MSG_DEBUG, "WPA: Registering pending STA state "
607 			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
608 		sm->pending_deinit = 1;
609 	} else
610 		wpa_free_sta_sm(sm);
611 }
612 
613 
wpa_request_new_ptk(struct wpa_state_machine * sm)614 static void wpa_request_new_ptk(struct wpa_state_machine *sm)
615 {
616 	if (sm == NULL)
617 		return;
618 
619 	sm->PTKRequest = TRUE;
620 	sm->PTK_valid = 0;
621 }
622 
623 
wpa_replay_counter_valid(struct wpa_key_replay_counter * ctr,const u8 * replay_counter)624 static int wpa_replay_counter_valid(struct wpa_key_replay_counter *ctr,
625 				    const u8 *replay_counter)
626 {
627 	int i;
628 	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
629 		if (!ctr[i].valid)
630 			break;
631 		if (os_memcmp(replay_counter, ctr[i].counter,
632 			      WPA_REPLAY_COUNTER_LEN) == 0)
633 			return 1;
634 	}
635 	return 0;
636 }
637 
638 
wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter * ctr,const u8 * replay_counter)639 static void wpa_replay_counter_mark_invalid(struct wpa_key_replay_counter *ctr,
640 					    const u8 *replay_counter)
641 {
642 	int i;
643 	for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
644 		if (ctr[i].valid &&
645 		    (replay_counter == NULL ||
646 		     os_memcmp(replay_counter, ctr[i].counter,
647 			       WPA_REPLAY_COUNTER_LEN) == 0))
648 			ctr[i].valid = FALSE;
649 	}
650 }
651 
652 
653 #ifdef CONFIG_IEEE80211R
ft_check_msg_2_of_4(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,struct wpa_eapol_ie_parse * kde)654 static int ft_check_msg_2_of_4(struct wpa_authenticator *wpa_auth,
655 			       struct wpa_state_machine *sm,
656 			       struct wpa_eapol_ie_parse *kde)
657 {
658 	struct wpa_ie_data ie;
659 	struct rsn_mdie *mdie;
660 
661 	if (wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0 ||
662 	    ie.num_pmkid != 1 || ie.pmkid == NULL) {
663 		wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
664 			   "FT 4-way handshake message 2/4");
665 		return -1;
666 	}
667 
668 	os_memcpy(sm->sup_pmk_r1_name, ie.pmkid, PMKID_LEN);
669 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Supplicant",
670 		    sm->sup_pmk_r1_name, PMKID_LEN);
671 
672 	if (!kde->mdie || !kde->ftie) {
673 		wpa_printf(MSG_DEBUG, "FT: No %s in FT 4-way handshake "
674 			   "message 2/4", kde->mdie ? "FTIE" : "MDIE");
675 		return -1;
676 	}
677 
678 	mdie = (struct rsn_mdie *) (kde->mdie + 2);
679 	if (kde->mdie[1] < sizeof(struct rsn_mdie) ||
680 	    os_memcmp(wpa_auth->conf.mobility_domain, mdie->mobility_domain,
681 		      MOBILITY_DOMAIN_ID_LEN) != 0) {
682 		wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
683 		return -1;
684 	}
685 
686 	if (sm->assoc_resp_ftie &&
687 	    (kde->ftie[1] != sm->assoc_resp_ftie[1] ||
688 	     os_memcmp(kde->ftie, sm->assoc_resp_ftie,
689 		       2 + sm->assoc_resp_ftie[1]) != 0)) {
690 		wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
691 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 2/4",
692 			    kde->ftie, kde->ftie_len);
693 		wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)AssocResp",
694 			    sm->assoc_resp_ftie, 2 + sm->assoc_resp_ftie[1]);
695 		return -1;
696 	}
697 
698 	return 0;
699 }
700 #endif /* CONFIG_IEEE80211R */
701 
702 
wpa_receive_error_report(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int group)703 static void wpa_receive_error_report(struct wpa_authenticator *wpa_auth,
704 				     struct wpa_state_machine *sm, int group)
705 {
706 	/* Supplicant reported a Michael MIC error */
707 	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
708 			 "received EAPOL-Key Error Request "
709 			 "(STA detected Michael MIC failure (group=%d))",
710 			 group);
711 
712 	if (group && wpa_auth->conf.wpa_group != WPA_CIPHER_TKIP) {
713 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
714 				"ignore Michael MIC failure report since "
715 				"group cipher is not TKIP");
716 	} else if (!group && sm->pairwise != WPA_CIPHER_TKIP) {
717 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
718 				"ignore Michael MIC failure report since "
719 				"pairwise cipher is not TKIP");
720 	} else {
721 		wpa_auth_mic_failure_report(wpa_auth, sm->addr);
722 		sm->dot11RSNAStatsTKIPRemoteMICFailures++;
723 		wpa_auth->dot11RSNAStatsTKIPRemoteMICFailures++;
724 	}
725 
726 	/*
727 	 * Error report is not a request for a new key handshake, but since
728 	 * Authenticator may do it, let's change the keys now anyway.
729 	 */
730 	wpa_request_new_ptk(sm);
731 }
732 
733 
wpa_receive(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,u8 * data,size_t data_len)734 void wpa_receive(struct wpa_authenticator *wpa_auth,
735 		 struct wpa_state_machine *sm,
736 		 u8 *data, size_t data_len)
737 {
738 	struct ieee802_1x_hdr *hdr;
739 	struct wpa_eapol_key *key;
740 	u16 key_info, key_data_length;
741 	enum { PAIRWISE_2, PAIRWISE_4, GROUP_2, REQUEST,
742 	       SMK_M1, SMK_M3, SMK_ERROR } msg;
743 	char *msgtxt;
744 	struct wpa_eapol_ie_parse kde;
745 	int ft;
746 	const u8 *eapol_key_ie;
747 	size_t eapol_key_ie_len;
748 
749 	if (wpa_auth == NULL || !wpa_auth->conf.wpa || sm == NULL)
750 		return;
751 
752 	if (data_len < sizeof(*hdr) + sizeof(*key))
753 		return;
754 
755 	hdr = (struct ieee802_1x_hdr *) data;
756 	key = (struct wpa_eapol_key *) (hdr + 1);
757 	key_info = WPA_GET_BE16(key->key_info);
758 	key_data_length = WPA_GET_BE16(key->key_data_length);
759 	wpa_printf(MSG_DEBUG, "WPA: Received EAPOL-Key from " MACSTR
760 		   " key_info=0x%x type=%u key_data_length=%u",
761 		   MAC2STR(sm->addr), key_info, key->type, key_data_length);
762 	if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) {
763 		wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - "
764 			   "key_data overflow (%d > %lu)",
765 			   key_data_length,
766 			   (unsigned long) (data_len - sizeof(*hdr) -
767 					    sizeof(*key)));
768 		return;
769 	}
770 
771 	if (sm->wpa == WPA_VERSION_WPA2) {
772 		if (key->type == EAPOL_KEY_TYPE_WPA) {
773 			/*
774 			 * Some deployed station implementations seem to send
775 			 * msg 4/4 with incorrect type value in WPA2 mode.
776 			 */
777 			wpa_printf(MSG_DEBUG, "Workaround: Allow EAPOL-Key "
778 				   "with unexpected WPA type in RSN mode");
779 		} else if (key->type != EAPOL_KEY_TYPE_RSN) {
780 			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
781 				   "unexpected type %d in RSN mode",
782 				   key->type);
783 			return;
784 		}
785 	} else {
786 		if (key->type != EAPOL_KEY_TYPE_WPA) {
787 			wpa_printf(MSG_DEBUG, "Ignore EAPOL-Key with "
788 				   "unexpected type %d in WPA mode",
789 				   key->type);
790 			return;
791 		}
792 	}
793 
794 	wpa_hexdump(MSG_DEBUG, "WPA: Received Key Nonce", key->key_nonce,
795 		    WPA_NONCE_LEN);
796 	wpa_hexdump(MSG_DEBUG, "WPA: Received Replay Counter",
797 		    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
798 
799 	/* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys
800 	 * are set */
801 
802 	if ((key_info & (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) ==
803 	    (WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_REQUEST)) {
804 		if (key_info & WPA_KEY_INFO_ERROR) {
805 			msg = SMK_ERROR;
806 			msgtxt = "SMK Error";
807 		} else {
808 			msg = SMK_M1;
809 			msgtxt = "SMK M1";
810 		}
811 	} else if (key_info & WPA_KEY_INFO_SMK_MESSAGE) {
812 		msg = SMK_M3;
813 		msgtxt = "SMK M3";
814 	} else if (key_info & WPA_KEY_INFO_REQUEST) {
815 		msg = REQUEST;
816 		msgtxt = "Request";
817 	} else if (!(key_info & WPA_KEY_INFO_KEY_TYPE)) {
818 		msg = GROUP_2;
819 		msgtxt = "2/2 Group";
820 	} else if (key_data_length == 0) {
821 		msg = PAIRWISE_4;
822 		msgtxt = "4/4 Pairwise";
823 	} else {
824 		msg = PAIRWISE_2;
825 		msgtxt = "2/4 Pairwise";
826 	}
827 
828 	/* TODO: key_info type validation for PeerKey */
829 	if (msg == REQUEST || msg == PAIRWISE_2 || msg == PAIRWISE_4 ||
830 	    msg == GROUP_2) {
831 		u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
832 		if (sm->pairwise == WPA_CIPHER_CCMP ||
833 		    sm->pairwise == WPA_CIPHER_GCMP) {
834 			if (wpa_use_aes_cmac(sm) &&
835 			    ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
836 				wpa_auth_logger(wpa_auth, sm->addr,
837 						LOGGER_WARNING,
838 						"advertised support for "
839 						"AES-128-CMAC, but did not "
840 						"use it");
841 				return;
842 			}
843 
844 			if (!wpa_use_aes_cmac(sm) &&
845 			    ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
846 				wpa_auth_logger(wpa_auth, sm->addr,
847 						LOGGER_WARNING,
848 						"did not use HMAC-SHA1-AES "
849 						"with CCMP/GCMP");
850 				return;
851 			}
852 		}
853 	}
854 
855 	if (key_info & WPA_KEY_INFO_REQUEST) {
856 		if (sm->req_replay_counter_used &&
857 		    os_memcmp(key->replay_counter, sm->req_replay_counter,
858 			      WPA_REPLAY_COUNTER_LEN) <= 0) {
859 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
860 					"received EAPOL-Key request with "
861 					"replayed counter");
862 			return;
863 		}
864 	}
865 
866 	if (!(key_info & WPA_KEY_INFO_REQUEST) &&
867 	    !wpa_replay_counter_valid(sm->key_replay, key->replay_counter)) {
868 		int i;
869 
870 		if (msg == PAIRWISE_2 &&
871 		    wpa_replay_counter_valid(sm->prev_key_replay,
872 					     key->replay_counter) &&
873 		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING &&
874 		    os_memcmp(sm->SNonce, key->key_nonce, WPA_NONCE_LEN) != 0)
875 		{
876 			/*
877 			 * Some supplicant implementations (e.g., Windows XP
878 			 * WZC) update SNonce for each EAPOL-Key 2/4. This
879 			 * breaks the workaround on accepting any of the
880 			 * pending requests, so allow the SNonce to be updated
881 			 * even if we have already sent out EAPOL-Key 3/4.
882 			 */
883 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
884 					 "Process SNonce update from STA "
885 					 "based on retransmitted EAPOL-Key "
886 					 "1/4");
887 			sm->update_snonce = 1;
888 			wpa_replay_counter_mark_invalid(sm->prev_key_replay,
889 							key->replay_counter);
890 			goto continue_processing;
891 		}
892 
893 		if (msg == PAIRWISE_2 &&
894 		    wpa_replay_counter_valid(sm->prev_key_replay,
895 					     key->replay_counter) &&
896 		    sm->wpa_ptk_state == WPA_PTK_PTKINITNEGOTIATING) {
897 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
898 					 "ignore retransmitted EAPOL-Key %s - "
899 					 "SNonce did not change", msgtxt);
900 		} else {
901 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
902 					 "received EAPOL-Key %s with "
903 					 "unexpected replay counter", msgtxt);
904 		}
905 		for (i = 0; i < RSNA_MAX_EAPOL_RETRIES; i++) {
906 			if (!sm->key_replay[i].valid)
907 				break;
908 			wpa_hexdump(MSG_DEBUG, "pending replay counter",
909 				    sm->key_replay[i].counter,
910 				    WPA_REPLAY_COUNTER_LEN);
911 		}
912 		wpa_hexdump(MSG_DEBUG, "received replay counter",
913 			    key->replay_counter, WPA_REPLAY_COUNTER_LEN);
914 		return;
915 	}
916 
917 continue_processing:
918 	switch (msg) {
919 	case PAIRWISE_2:
920 		if (sm->wpa_ptk_state != WPA_PTK_PTKSTART &&
921 		    sm->wpa_ptk_state != WPA_PTK_PTKCALCNEGOTIATING &&
922 		    (!sm->update_snonce ||
923 		     sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING)) {
924 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
925 					 "received EAPOL-Key msg 2/4 in "
926 					 "invalid state (%d) - dropped",
927 					 sm->wpa_ptk_state);
928 			return;
929 		}
930 		random_add_randomness(key->key_nonce, WPA_NONCE_LEN);
931 		if (sm->group->reject_4way_hs_for_entropy) {
932 			/*
933 			 * The system did not have enough entropy to generate
934 			 * strong random numbers. Reject the first 4-way
935 			 * handshake(s) and collect some entropy based on the
936 			 * information from it. Once enough entropy is
937 			 * available, the next atempt will trigger GMK/Key
938 			 * Counter update and the station will be allowed to
939 			 * continue.
940 			 */
941 			wpa_printf(MSG_DEBUG, "WPA: Reject 4-way handshake to "
942 				   "collect more entropy for random number "
943 				   "generation");
944 			random_mark_pool_ready();
945 			wpa_sta_disconnect(wpa_auth, sm->addr);
946 			return;
947 		}
948 		if (wpa_parse_kde_ies((u8 *) (key + 1), key_data_length,
949 				      &kde) < 0) {
950 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
951 					 "received EAPOL-Key msg 2/4 with "
952 					 "invalid Key Data contents");
953 			return;
954 		}
955 		if (kde.rsn_ie) {
956 			eapol_key_ie = kde.rsn_ie;
957 			eapol_key_ie_len = kde.rsn_ie_len;
958 		} else {
959 			eapol_key_ie = kde.wpa_ie;
960 			eapol_key_ie_len = kde.wpa_ie_len;
961 		}
962 		ft = sm->wpa == WPA_VERSION_WPA2 &&
963 			wpa_key_mgmt_ft(sm->wpa_key_mgmt);
964 		if (sm->wpa_ie == NULL ||
965 		    wpa_compare_rsn_ie(ft,
966 				       sm->wpa_ie, sm->wpa_ie_len,
967 				       eapol_key_ie, eapol_key_ie_len)) {
968 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
969 					"WPA IE from (Re)AssocReq did not "
970 					"match with msg 2/4");
971 			if (sm->wpa_ie) {
972 				wpa_hexdump(MSG_DEBUG, "WPA IE in AssocReq",
973 					    sm->wpa_ie, sm->wpa_ie_len);
974 			}
975 			wpa_hexdump(MSG_DEBUG, "WPA IE in msg 2/4",
976 				    eapol_key_ie, eapol_key_ie_len);
977 			/* MLME-DEAUTHENTICATE.request */
978 			wpa_sta_disconnect(wpa_auth, sm->addr);
979 			return;
980 		}
981 #ifdef CONFIG_IEEE80211R
982 		if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
983 			wpa_sta_disconnect(wpa_auth, sm->addr);
984 			return;
985 		}
986 #endif /* CONFIG_IEEE80211R */
987 		break;
988 	case PAIRWISE_4:
989 		if (sm->wpa_ptk_state != WPA_PTK_PTKINITNEGOTIATING ||
990 		    !sm->PTK_valid) {
991 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
992 					 "received EAPOL-Key msg 4/4 in "
993 					 "invalid state (%d) - dropped",
994 					 sm->wpa_ptk_state);
995 			return;
996 		}
997 		break;
998 	case GROUP_2:
999 		if (sm->wpa_ptk_group_state != WPA_PTK_GROUP_REKEYNEGOTIATING
1000 		    || !sm->PTK_valid) {
1001 			wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
1002 					 "received EAPOL-Key msg 2/2 in "
1003 					 "invalid state (%d) - dropped",
1004 					 sm->wpa_ptk_group_state);
1005 			return;
1006 		}
1007 		break;
1008 #ifdef CONFIG_PEERKEY
1009 	case SMK_M1:
1010 	case SMK_M3:
1011 	case SMK_ERROR:
1012 		if (!wpa_auth->conf.peerkey) {
1013 			wpa_printf(MSG_DEBUG, "RSN: SMK M1/M3/Error, but "
1014 				   "PeerKey use disabled - ignoring message");
1015 			return;
1016 		}
1017 		if (!sm->PTK_valid) {
1018 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1019 					"received EAPOL-Key msg SMK in "
1020 					"invalid state - dropped");
1021 			return;
1022 		}
1023 		break;
1024 #else /* CONFIG_PEERKEY */
1025 	case SMK_M1:
1026 	case SMK_M3:
1027 	case SMK_ERROR:
1028 		return; /* STSL disabled - ignore SMK messages */
1029 #endif /* CONFIG_PEERKEY */
1030 	case REQUEST:
1031 		break;
1032 	}
1033 
1034 	wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
1035 			 "received EAPOL-Key frame (%s)", msgtxt);
1036 
1037 	if (key_info & WPA_KEY_INFO_ACK) {
1038 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1039 				"received invalid EAPOL-Key: Key Ack set");
1040 		return;
1041 	}
1042 
1043 	if (!(key_info & WPA_KEY_INFO_MIC)) {
1044 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1045 				"received invalid EAPOL-Key: Key MIC not set");
1046 		return;
1047 	}
1048 
1049 	sm->MICVerified = FALSE;
1050 	if (sm->PTK_valid && !sm->update_snonce) {
1051 		if (wpa_verify_key_mic(&sm->PTK, data, data_len)) {
1052 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1053 					"received EAPOL-Key with invalid MIC");
1054 			return;
1055 		}
1056 		sm->MICVerified = TRUE;
1057 		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
1058 		sm->pending_1_of_4_timeout = 0;
1059 	}
1060 
1061 	if (key_info & WPA_KEY_INFO_REQUEST) {
1062 		if (sm->MICVerified) {
1063 			sm->req_replay_counter_used = 1;
1064 			os_memcpy(sm->req_replay_counter, key->replay_counter,
1065 				  WPA_REPLAY_COUNTER_LEN);
1066 		} else {
1067 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1068 					"received EAPOL-Key request with "
1069 					"invalid MIC");
1070 			return;
1071 		}
1072 
1073 		/*
1074 		 * TODO: should decrypt key data field if encryption was used;
1075 		 * even though MAC address KDE is not normally encrypted,
1076 		 * supplicant is allowed to encrypt it.
1077 		 */
1078 		if (msg == SMK_ERROR) {
1079 #ifdef CONFIG_PEERKEY
1080 			wpa_smk_error(wpa_auth, sm, key);
1081 #endif /* CONFIG_PEERKEY */
1082 			return;
1083 		} else if (key_info & WPA_KEY_INFO_ERROR) {
1084 			wpa_receive_error_report(
1085 				wpa_auth, sm,
1086 				!(key_info & WPA_KEY_INFO_KEY_TYPE));
1087 		} else if (key_info & WPA_KEY_INFO_KEY_TYPE) {
1088 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1089 					"received EAPOL-Key Request for new "
1090 					"4-Way Handshake");
1091 			wpa_request_new_ptk(sm);
1092 #ifdef CONFIG_PEERKEY
1093 		} else if (msg == SMK_M1) {
1094 			wpa_smk_m1(wpa_auth, sm, key);
1095 #endif /* CONFIG_PEERKEY */
1096 		} else if (key_data_length > 0 &&
1097 			   wpa_parse_kde_ies((const u8 *) (key + 1),
1098 					     key_data_length, &kde) == 0 &&
1099 			   kde.mac_addr) {
1100 		} else {
1101 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
1102 					"received EAPOL-Key Request for GTK "
1103 					"rekeying");
1104 			eloop_cancel_timeout(wpa_rekey_gtk, wpa_auth, NULL);
1105 			wpa_rekey_gtk(wpa_auth, NULL);
1106 		}
1107 	} else {
1108 		/* Do not allow the same key replay counter to be reused. */
1109 		wpa_replay_counter_mark_invalid(sm->key_replay,
1110 						key->replay_counter);
1111 
1112 		if (msg == PAIRWISE_2) {
1113 			/*
1114 			 * Maintain a copy of the pending EAPOL-Key frames in
1115 			 * case the EAPOL-Key frame was retransmitted. This is
1116 			 * needed to allow EAPOL-Key msg 2/4 reply to another
1117 			 * pending msg 1/4 to update the SNonce to work around
1118 			 * unexpected supplicant behavior.
1119 			 */
1120 			os_memcpy(sm->prev_key_replay, sm->key_replay,
1121 				  sizeof(sm->key_replay));
1122 		} else {
1123 			os_memset(sm->prev_key_replay, 0,
1124 				  sizeof(sm->prev_key_replay));
1125 		}
1126 
1127 		/*
1128 		 * Make sure old valid counters are not accepted anymore and
1129 		 * do not get copied again.
1130 		 */
1131 		wpa_replay_counter_mark_invalid(sm->key_replay, NULL);
1132 	}
1133 
1134 #ifdef CONFIG_PEERKEY
1135 	if (msg == SMK_M3) {
1136 		wpa_smk_m3(wpa_auth, sm, key);
1137 		return;
1138 	}
1139 #endif /* CONFIG_PEERKEY */
1140 
1141 	os_free(sm->last_rx_eapol_key);
1142 	sm->last_rx_eapol_key = os_malloc(data_len);
1143 	if (sm->last_rx_eapol_key == NULL)
1144 		return;
1145 	os_memcpy(sm->last_rx_eapol_key, data, data_len);
1146 	sm->last_rx_eapol_key_len = data_len;
1147 
1148 	sm->rx_eapol_key_secure = !!(key_info & WPA_KEY_INFO_SECURE);
1149 	sm->EAPOLKeyReceived = TRUE;
1150 	sm->EAPOLKeyPairwise = !!(key_info & WPA_KEY_INFO_KEY_TYPE);
1151 	sm->EAPOLKeyRequest = !!(key_info & WPA_KEY_INFO_REQUEST);
1152 	os_memcpy(sm->SNonce, key->key_nonce, WPA_NONCE_LEN);
1153 	wpa_sm_step(sm);
1154 }
1155 
1156 
wpa_gmk_to_gtk(const u8 * gmk,const char * label,const u8 * addr,const u8 * gnonce,u8 * gtk,size_t gtk_len)1157 static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
1158 			  const u8 *gnonce, u8 *gtk, size_t gtk_len)
1159 {
1160 	u8 data[ETH_ALEN + WPA_NONCE_LEN + 8 + 16];
1161 	u8 *pos;
1162 	int ret = 0;
1163 
1164 	/* GTK = PRF-X(GMK, "Group key expansion",
1165 	 *	AA || GNonce || Time || random data)
1166 	 * The example described in the IEEE 802.11 standard uses only AA and
1167 	 * GNonce as inputs here. Add some more entropy since this derivation
1168 	 * is done only at the Authenticator and as such, does not need to be
1169 	 * exactly same.
1170 	 */
1171 	os_memcpy(data, addr, ETH_ALEN);
1172 	os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
1173 	pos = data + ETH_ALEN + WPA_NONCE_LEN;
1174 	wpa_get_ntp_timestamp(pos);
1175 	pos += 8;
1176 	if (random_get_bytes(pos, 16) < 0)
1177 		ret = -1;
1178 
1179 #ifdef CONFIG_IEEE80211W
1180 	sha256_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len);
1181 #else /* CONFIG_IEEE80211W */
1182 	if (sha1_prf(gmk, WPA_GMK_LEN, label, data, sizeof(data), gtk, gtk_len)
1183 	    < 0)
1184 		ret = -1;
1185 #endif /* CONFIG_IEEE80211W */
1186 
1187 	return ret;
1188 }
1189 
1190 
wpa_send_eapol_timeout(void * eloop_ctx,void * timeout_ctx)1191 static void wpa_send_eapol_timeout(void *eloop_ctx, void *timeout_ctx)
1192 {
1193 	struct wpa_authenticator *wpa_auth = eloop_ctx;
1194 	struct wpa_state_machine *sm = timeout_ctx;
1195 
1196 	sm->pending_1_of_4_timeout = 0;
1197 	wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "EAPOL-Key timeout");
1198 	sm->TimeoutEvt = TRUE;
1199 	wpa_sm_step(sm);
1200 }
1201 
1202 
__wpa_send_eapol(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int key_info,const u8 * key_rsc,const u8 * nonce,const u8 * kde,size_t kde_len,int keyidx,int encr,int force_version)1203 void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1204 		      struct wpa_state_machine *sm, int key_info,
1205 		      const u8 *key_rsc, const u8 *nonce,
1206 		      const u8 *kde, size_t kde_len,
1207 		      int keyidx, int encr, int force_version)
1208 {
1209 	struct ieee802_1x_hdr *hdr;
1210 	struct wpa_eapol_key *key;
1211 	size_t len;
1212 	int alg;
1213 	int key_data_len, pad_len = 0;
1214 	u8 *buf, *pos;
1215 	int version, pairwise;
1216 	int i;
1217 
1218 	len = sizeof(struct ieee802_1x_hdr) + sizeof(struct wpa_eapol_key);
1219 
1220 	if (force_version)
1221 		version = force_version;
1222 	else if (wpa_use_aes_cmac(sm))
1223 		version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
1224 	else if (sm->pairwise != WPA_CIPHER_TKIP)
1225 		version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1226 	else
1227 		version = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1228 
1229 	pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1230 
1231 	wpa_printf(MSG_DEBUG, "WPA: Send EAPOL(version=%d secure=%d mic=%d "
1232 		   "ack=%d install=%d pairwise=%d kde_len=%lu keyidx=%d "
1233 		   "encr=%d)",
1234 		   version,
1235 		   (key_info & WPA_KEY_INFO_SECURE) ? 1 : 0,
1236 		   (key_info & WPA_KEY_INFO_MIC) ? 1 : 0,
1237 		   (key_info & WPA_KEY_INFO_ACK) ? 1 : 0,
1238 		   (key_info & WPA_KEY_INFO_INSTALL) ? 1 : 0,
1239 		   pairwise, (unsigned long) kde_len, keyidx, encr);
1240 
1241 	key_data_len = kde_len;
1242 
1243 	if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1244 	     version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
1245 		pad_len = key_data_len % 8;
1246 		if (pad_len)
1247 			pad_len = 8 - pad_len;
1248 		key_data_len += pad_len + 8;
1249 	}
1250 
1251 	len += key_data_len;
1252 
1253 	hdr = os_zalloc(len);
1254 	if (hdr == NULL)
1255 		return;
1256 	hdr->version = wpa_auth->conf.eapol_version;
1257 	hdr->type = IEEE802_1X_TYPE_EAPOL_KEY;
1258 	hdr->length = host_to_be16(len  - sizeof(*hdr));
1259 	key = (struct wpa_eapol_key *) (hdr + 1);
1260 
1261 	key->type = sm->wpa == WPA_VERSION_WPA2 ?
1262 		EAPOL_KEY_TYPE_RSN : EAPOL_KEY_TYPE_WPA;
1263 	key_info |= version;
1264 	if (encr && sm->wpa == WPA_VERSION_WPA2)
1265 		key_info |= WPA_KEY_INFO_ENCR_KEY_DATA;
1266 	if (sm->wpa != WPA_VERSION_WPA2)
1267 		key_info |= keyidx << WPA_KEY_INFO_KEY_INDEX_SHIFT;
1268 	WPA_PUT_BE16(key->key_info, key_info);
1269 
1270 	alg = pairwise ? sm->pairwise : wpa_auth->conf.wpa_group;
1271 	WPA_PUT_BE16(key->key_length, wpa_cipher_key_len(alg));
1272 	if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
1273 		WPA_PUT_BE16(key->key_length, 0);
1274 
1275 	/* FIX: STSL: what to use as key_replay_counter? */
1276 	for (i = RSNA_MAX_EAPOL_RETRIES - 1; i > 0; i--) {
1277 		sm->key_replay[i].valid = sm->key_replay[i - 1].valid;
1278 		os_memcpy(sm->key_replay[i].counter,
1279 			  sm->key_replay[i - 1].counter,
1280 			  WPA_REPLAY_COUNTER_LEN);
1281 	}
1282 	inc_byte_array(sm->key_replay[0].counter, WPA_REPLAY_COUNTER_LEN);
1283 	os_memcpy(key->replay_counter, sm->key_replay[0].counter,
1284 		  WPA_REPLAY_COUNTER_LEN);
1285 	sm->key_replay[0].valid = TRUE;
1286 
1287 	if (nonce)
1288 		os_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);
1289 
1290 	if (key_rsc)
1291 		os_memcpy(key->key_rsc, key_rsc, WPA_KEY_RSC_LEN);
1292 
1293 	if (kde && !encr) {
1294 		os_memcpy(key + 1, kde, kde_len);
1295 		WPA_PUT_BE16(key->key_data_length, kde_len);
1296 	} else if (encr && kde) {
1297 		buf = os_zalloc(key_data_len);
1298 		if (buf == NULL) {
1299 			os_free(hdr);
1300 			return;
1301 		}
1302 		pos = buf;
1303 		os_memcpy(pos, kde, kde_len);
1304 		pos += kde_len;
1305 
1306 		if (pad_len)
1307 			*pos++ = 0xdd;
1308 
1309 		wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
1310 				buf, key_data_len);
1311 		if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
1312 		    version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
1313 			if (aes_wrap(sm->PTK.kek, (key_data_len - 8) / 8, buf,
1314 				     (u8 *) (key + 1))) {
1315 				os_free(hdr);
1316 				os_free(buf);
1317 				return;
1318 			}
1319 			WPA_PUT_BE16(key->key_data_length, key_data_len);
1320 		} else {
1321 			u8 ek[32];
1322 			os_memcpy(key->key_iv,
1323 				  sm->group->Counter + WPA_NONCE_LEN - 16, 16);
1324 			inc_byte_array(sm->group->Counter, WPA_NONCE_LEN);
1325 			os_memcpy(ek, key->key_iv, 16);
1326 			os_memcpy(ek + 16, sm->PTK.kek, 16);
1327 			os_memcpy(key + 1, buf, key_data_len);
1328 			rc4_skip(ek, 32, 256, (u8 *) (key + 1), key_data_len);
1329 			WPA_PUT_BE16(key->key_data_length, key_data_len);
1330 		}
1331 		os_free(buf);
1332 	}
1333 
1334 	if (key_info & WPA_KEY_INFO_MIC) {
1335 		if (!sm->PTK_valid) {
1336 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
1337 					"PTK not valid when sending EAPOL-Key "
1338 					"frame");
1339 			os_free(hdr);
1340 			return;
1341 		}
1342 		wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len,
1343 				  key->key_mic);
1344 	}
1345 
1346 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx,
1347 			   1);
1348 	wpa_auth_send_eapol(wpa_auth, sm->addr, (u8 *) hdr, len,
1349 			    sm->pairwise_set);
1350 	os_free(hdr);
1351 }
1352 
1353 
wpa_send_eapol(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int key_info,const u8 * key_rsc,const u8 * nonce,const u8 * kde,size_t kde_len,int keyidx,int encr)1354 static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
1355 			   struct wpa_state_machine *sm, int key_info,
1356 			   const u8 *key_rsc, const u8 *nonce,
1357 			   const u8 *kde, size_t kde_len,
1358 			   int keyidx, int encr)
1359 {
1360 	int timeout_ms;
1361 	int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
1362 	int ctr;
1363 
1364 	if (sm == NULL)
1365 		return;
1366 
1367 	__wpa_send_eapol(wpa_auth, sm, key_info, key_rsc, nonce, kde, kde_len,
1368 			 keyidx, encr, 0);
1369 
1370 	ctr = pairwise ? sm->TimeoutCtr : sm->GTimeoutCtr;
1371 	if (ctr == 1 && wpa_auth->conf.tx_status)
1372 		timeout_ms = pairwise ? eapol_key_timeout_first :
1373 			eapol_key_timeout_first_group;
1374 	else
1375 		timeout_ms = eapol_key_timeout_subseq;
1376 	if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
1377 		sm->pending_1_of_4_timeout = 1;
1378 	wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
1379 		   "counter %d)", timeout_ms, ctr);
1380 	eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
1381 			       wpa_send_eapol_timeout, wpa_auth, sm);
1382 }
1383 
1384 
wpa_verify_key_mic(struct wpa_ptk * PTK,u8 * data,size_t data_len)1385 static int wpa_verify_key_mic(struct wpa_ptk *PTK, u8 *data, size_t data_len)
1386 {
1387 	struct ieee802_1x_hdr *hdr;
1388 	struct wpa_eapol_key *key;
1389 	u16 key_info;
1390 	int ret = 0;
1391 	u8 mic[16];
1392 
1393 	if (data_len < sizeof(*hdr) + sizeof(*key))
1394 		return -1;
1395 
1396 	hdr = (struct ieee802_1x_hdr *) data;
1397 	key = (struct wpa_eapol_key *) (hdr + 1);
1398 	key_info = WPA_GET_BE16(key->key_info);
1399 	os_memcpy(mic, key->key_mic, 16);
1400 	os_memset(key->key_mic, 0, 16);
1401 	if (wpa_eapol_key_mic(PTK->kck, key_info & WPA_KEY_INFO_TYPE_MASK,
1402 			      data, data_len, key->key_mic) ||
1403 	    os_memcmp(mic, key->key_mic, 16) != 0)
1404 		ret = -1;
1405 	os_memcpy(key->key_mic, mic, 16);
1406 	return ret;
1407 }
1408 
1409 
wpa_remove_ptk(struct wpa_state_machine * sm)1410 void wpa_remove_ptk(struct wpa_state_machine *sm)
1411 {
1412 	sm->PTK_valid = FALSE;
1413 	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1414 	wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0);
1415 	sm->pairwise_set = FALSE;
1416 	eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
1417 }
1418 
1419 
wpa_auth_sm_event(struct wpa_state_machine * sm,wpa_event event)1420 int wpa_auth_sm_event(struct wpa_state_machine *sm, wpa_event event)
1421 {
1422 	int remove_ptk = 1;
1423 
1424 	if (sm == NULL)
1425 		return -1;
1426 
1427 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1428 			 "event %d notification", event);
1429 
1430 	switch (event) {
1431 	case WPA_AUTH:
1432 	case WPA_ASSOC:
1433 		break;
1434 	case WPA_DEAUTH:
1435 	case WPA_DISASSOC:
1436 		sm->DeauthenticationRequest = TRUE;
1437 		break;
1438 	case WPA_REAUTH:
1439 	case WPA_REAUTH_EAPOL:
1440 		if (!sm->started) {
1441 			/*
1442 			 * When using WPS, we may end up here if the STA
1443 			 * manages to re-associate without the previous STA
1444 			 * entry getting removed. Consequently, we need to make
1445 			 * sure that the WPA state machines gets initialized
1446 			 * properly at this point.
1447 			 */
1448 			wpa_printf(MSG_DEBUG, "WPA state machine had not been "
1449 				   "started - initialize now");
1450 			sm->started = 1;
1451 			sm->Init = TRUE;
1452 			if (wpa_sm_step(sm) == 1)
1453 				return 1; /* should not really happen */
1454 			sm->Init = FALSE;
1455 			sm->AuthenticationRequest = TRUE;
1456 			break;
1457 		}
1458 		if (sm->GUpdateStationKeys) {
1459 			/*
1460 			 * Reauthentication cancels the pending group key
1461 			 * update for this STA.
1462 			 */
1463 			sm->group->GKeyDoneStations--;
1464 			sm->GUpdateStationKeys = FALSE;
1465 			sm->PtkGroupInit = TRUE;
1466 		}
1467 		sm->ReAuthenticationRequest = TRUE;
1468 		break;
1469 	case WPA_ASSOC_FT:
1470 #ifdef CONFIG_IEEE80211R
1471 		wpa_printf(MSG_DEBUG, "FT: Retry PTK configuration "
1472 			   "after association");
1473 		wpa_ft_install_ptk(sm);
1474 
1475 		/* Using FT protocol, not WPA auth state machine */
1476 		sm->ft_completed = 1;
1477 		return 0;
1478 #else /* CONFIG_IEEE80211R */
1479 		break;
1480 #endif /* CONFIG_IEEE80211R */
1481 	}
1482 
1483 #ifdef CONFIG_IEEE80211R
1484 	sm->ft_completed = 0;
1485 #endif /* CONFIG_IEEE80211R */
1486 
1487 #ifdef CONFIG_IEEE80211W
1488 	if (sm->mgmt_frame_prot && event == WPA_AUTH)
1489 		remove_ptk = 0;
1490 #endif /* CONFIG_IEEE80211W */
1491 
1492 	if (remove_ptk) {
1493 		sm->PTK_valid = FALSE;
1494 		os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1495 
1496 		if (event != WPA_REAUTH_EAPOL)
1497 			wpa_remove_ptk(sm);
1498 	}
1499 
1500 	return wpa_sm_step(sm);
1501 }
1502 
1503 
SM_STATE(WPA_PTK,INITIALIZE)1504 SM_STATE(WPA_PTK, INITIALIZE)
1505 {
1506 	SM_ENTRY_MA(WPA_PTK, INITIALIZE, wpa_ptk);
1507 	if (sm->Init) {
1508 		/* Init flag is not cleared here, so avoid busy
1509 		 * loop by claiming nothing changed. */
1510 		sm->changed = FALSE;
1511 	}
1512 
1513 	sm->keycount = 0;
1514 	if (sm->GUpdateStationKeys)
1515 		sm->group->GKeyDoneStations--;
1516 	sm->GUpdateStationKeys = FALSE;
1517 	if (sm->wpa == WPA_VERSION_WPA)
1518 		sm->PInitAKeys = FALSE;
1519 	if (1 /* Unicast cipher supported AND (ESS OR ((IBSS or WDS) and
1520 	       * Local AA > Remote AA)) */) {
1521 		sm->Pair = TRUE;
1522 	}
1523 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 0);
1524 	wpa_remove_ptk(sm);
1525 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid, 0);
1526 	sm->TimeoutCtr = 0;
1527 	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1528 		wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
1529 				   WPA_EAPOL_authorized, 0);
1530 	}
1531 }
1532 
1533 
SM_STATE(WPA_PTK,DISCONNECT)1534 SM_STATE(WPA_PTK, DISCONNECT)
1535 {
1536 	SM_ENTRY_MA(WPA_PTK, DISCONNECT, wpa_ptk);
1537 	sm->Disconnect = FALSE;
1538 	wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1539 }
1540 
1541 
SM_STATE(WPA_PTK,DISCONNECTED)1542 SM_STATE(WPA_PTK, DISCONNECTED)
1543 {
1544 	SM_ENTRY_MA(WPA_PTK, DISCONNECTED, wpa_ptk);
1545 	sm->DeauthenticationRequest = FALSE;
1546 }
1547 
1548 
SM_STATE(WPA_PTK,AUTHENTICATION)1549 SM_STATE(WPA_PTK, AUTHENTICATION)
1550 {
1551 	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION, wpa_ptk);
1552 	os_memset(&sm->PTK, 0, sizeof(sm->PTK));
1553 	sm->PTK_valid = FALSE;
1554 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portControl_Auto,
1555 			   1);
1556 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portEnabled, 1);
1557 	sm->AuthenticationRequest = FALSE;
1558 }
1559 
1560 
wpa_group_ensure_init(struct wpa_authenticator * wpa_auth,struct wpa_group * group)1561 static void wpa_group_ensure_init(struct wpa_authenticator *wpa_auth,
1562 				  struct wpa_group *group)
1563 {
1564 	if (group->first_sta_seen)
1565 		return;
1566 	/*
1567 	 * System has run bit further than at the time hostapd was started
1568 	 * potentially very early during boot up. This provides better chances
1569 	 * of collecting more randomness on embedded systems. Re-initialize the
1570 	 * GMK and Counter here to improve their strength if there was not
1571 	 * enough entropy available immediately after system startup.
1572 	 */
1573 	wpa_printf(MSG_DEBUG, "WPA: Re-initialize GMK/Counter on first "
1574 		   "station");
1575 	if (random_pool_ready() != 1) {
1576 		wpa_printf(MSG_INFO, "WPA: Not enough entropy in random pool "
1577 			   "to proceed - reject first 4-way handshake");
1578 		group->reject_4way_hs_for_entropy = TRUE;
1579 	} else {
1580 		group->first_sta_seen = TRUE;
1581 		group->reject_4way_hs_for_entropy = FALSE;
1582 	}
1583 
1584 	wpa_group_init_gmk_and_counter(wpa_auth, group);
1585 	wpa_gtk_update(wpa_auth, group);
1586 	wpa_group_config_group_keys(wpa_auth, group);
1587 }
1588 
1589 
SM_STATE(WPA_PTK,AUTHENTICATION2)1590 SM_STATE(WPA_PTK, AUTHENTICATION2)
1591 {
1592 	SM_ENTRY_MA(WPA_PTK, AUTHENTICATION2, wpa_ptk);
1593 
1594 	wpa_group_ensure_init(sm->wpa_auth, sm->group);
1595 
1596 	/*
1597 	 * Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
1598 	 * ambiguous. The Authenticator state machine uses a counter that is
1599 	 * incremented by one for each 4-way handshake. However, the security
1600 	 * analysis of 4-way handshake points out that unpredictable nonces
1601 	 * help in preventing precomputation attacks. Instead of the state
1602 	 * machine definition, use an unpredictable nonce value here to provide
1603 	 * stronger protection against potential precomputation attacks.
1604 	 */
1605 	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
1606 		wpa_printf(MSG_ERROR, "WPA: Failed to get random data for "
1607 			   "ANonce.");
1608 		wpa_sta_disconnect(sm->wpa_auth, sm->addr);
1609 		return;
1610 	}
1611 	wpa_hexdump(MSG_DEBUG, "WPA: Assign ANonce", sm->ANonce,
1612 		    WPA_NONCE_LEN);
1613 	sm->ReAuthenticationRequest = FALSE;
1614 	/* IEEE 802.11i does not clear TimeoutCtr here, but this is more
1615 	 * logical place than INITIALIZE since AUTHENTICATION2 can be
1616 	 * re-entered on ReAuthenticationRequest without going through
1617 	 * INITIALIZE. */
1618 	sm->TimeoutCtr = 0;
1619 }
1620 
1621 
SM_STATE(WPA_PTK,INITPMK)1622 SM_STATE(WPA_PTK, INITPMK)
1623 {
1624 	u8 msk[2 * PMK_LEN];
1625 	size_t len = 2 * PMK_LEN;
1626 
1627 	SM_ENTRY_MA(WPA_PTK, INITPMK, wpa_ptk);
1628 #ifdef CONFIG_IEEE80211R
1629 	sm->xxkey_len = 0;
1630 #endif /* CONFIG_IEEE80211R */
1631 	if (sm->pmksa) {
1632 		wpa_printf(MSG_DEBUG, "WPA: PMK from PMKSA cache");
1633 		os_memcpy(sm->PMK, sm->pmksa->pmk, PMK_LEN);
1634 	} else if (wpa_auth_get_msk(sm->wpa_auth, sm->addr, msk, &len) == 0) {
1635 		wpa_printf(MSG_DEBUG, "WPA: PMK from EAPOL state machine "
1636 			   "(len=%lu)", (unsigned long) len);
1637 		os_memcpy(sm->PMK, msk, PMK_LEN);
1638 #ifdef CONFIG_IEEE80211R
1639 		if (len >= 2 * PMK_LEN) {
1640 			os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
1641 			sm->xxkey_len = PMK_LEN;
1642 		}
1643 #endif /* CONFIG_IEEE80211R */
1644 	} else {
1645 		wpa_printf(MSG_DEBUG, "WPA: Could not get PMK");
1646 	}
1647 
1648 	sm->req_replay_counter_used = 0;
1649 	/* IEEE 802.11i does not set keyRun to FALSE, but not doing this
1650 	 * will break reauthentication since EAPOL state machines may not be
1651 	 * get into AUTHENTICATING state that clears keyRun before WPA state
1652 	 * machine enters AUTHENTICATION2 state and goes immediately to INITPMK
1653 	 * state and takes PMK from the previously used AAA Key. This will
1654 	 * eventually fail in 4-Way Handshake because Supplicant uses PMK
1655 	 * derived from the new AAA Key. Setting keyRun = FALSE here seems to
1656 	 * be good workaround for this issue. */
1657 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyRun, 0);
1658 }
1659 
1660 
SM_STATE(WPA_PTK,INITPSK)1661 SM_STATE(WPA_PTK, INITPSK)
1662 {
1663 	const u8 *psk;
1664 	SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
1665 	psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL);
1666 	if (psk) {
1667 		os_memcpy(sm->PMK, psk, PMK_LEN);
1668 #ifdef CONFIG_IEEE80211R
1669 		os_memcpy(sm->xxkey, psk, PMK_LEN);
1670 		sm->xxkey_len = PMK_LEN;
1671 #endif /* CONFIG_IEEE80211R */
1672 	}
1673 	sm->req_replay_counter_used = 0;
1674 }
1675 
1676 
SM_STATE(WPA_PTK,PTKSTART)1677 SM_STATE(WPA_PTK, PTKSTART)
1678 {
1679 	u8 buf[2 + RSN_SELECTOR_LEN + PMKID_LEN], *pmkid = NULL;
1680 	size_t pmkid_len = 0;
1681 
1682 	SM_ENTRY_MA(WPA_PTK, PTKSTART, wpa_ptk);
1683 	sm->PTKRequest = FALSE;
1684 	sm->TimeoutEvt = FALSE;
1685 
1686 	sm->TimeoutCtr++;
1687 	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1688 		/* No point in sending the EAPOL-Key - we will disconnect
1689 		 * immediately following this. */
1690 		return;
1691 	}
1692 
1693 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1694 			"sending 1/4 msg of 4-Way Handshake");
1695 	/*
1696 	 * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
1697 	 * one possible PSK for this STA.
1698 	 */
1699 	if (sm->wpa == WPA_VERSION_WPA2 &&
1700 	    wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt)) {
1701 		pmkid = buf;
1702 		pmkid_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
1703 		pmkid[0] = WLAN_EID_VENDOR_SPECIFIC;
1704 		pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
1705 		RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
1706 		if (sm->pmksa)
1707 			os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
1708 				  sm->pmksa->pmkid, PMKID_LEN);
1709 		else {
1710 			/*
1711 			 * Calculate PMKID since no PMKSA cache entry was
1712 			 * available with pre-calculated PMKID.
1713 			 */
1714 			rsn_pmkid(sm->PMK, PMK_LEN, sm->wpa_auth->addr,
1715 				  sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
1716 				  wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
1717 		}
1718 	}
1719 	wpa_send_eapol(sm->wpa_auth, sm,
1720 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_KEY_TYPE, NULL,
1721 		       sm->ANonce, pmkid, pmkid_len, 0, 0);
1722 }
1723 
1724 
wpa_derive_ptk(struct wpa_state_machine * sm,const u8 * pmk,struct wpa_ptk * ptk)1725 static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *pmk,
1726 			  struct wpa_ptk *ptk)
1727 {
1728 	size_t ptk_len = sm->pairwise != WPA_CIPHER_TKIP ? 48 : 64;
1729 #ifdef CONFIG_IEEE80211R
1730 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
1731 		return wpa_auth_derive_ptk_ft(sm, pmk, ptk, ptk_len);
1732 #endif /* CONFIG_IEEE80211R */
1733 
1734 	wpa_pmk_to_ptk(pmk, PMK_LEN, "Pairwise key expansion",
1735 		       sm->wpa_auth->addr, sm->addr, sm->ANonce, sm->SNonce,
1736 		       (u8 *) ptk, ptk_len,
1737 		       wpa_key_mgmt_sha256(sm->wpa_key_mgmt));
1738 
1739 	return 0;
1740 }
1741 
1742 
SM_STATE(WPA_PTK,PTKCALCNEGOTIATING)1743 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
1744 {
1745 	struct wpa_ptk PTK;
1746 	int ok = 0;
1747 	const u8 *pmk = NULL;
1748 
1749 	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
1750 	sm->EAPOLKeyReceived = FALSE;
1751 	sm->update_snonce = FALSE;
1752 
1753 	/* WPA with IEEE 802.1X: use the derived PMK from EAP
1754 	 * WPA-PSK: iterate through possible PSKs and select the one matching
1755 	 * the packet */
1756 	for (;;) {
1757 		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1758 			pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, pmk);
1759 			if (pmk == NULL)
1760 				break;
1761 		} else
1762 			pmk = sm->PMK;
1763 
1764 		wpa_derive_ptk(sm, pmk, &PTK);
1765 
1766 		if (wpa_verify_key_mic(&PTK, sm->last_rx_eapol_key,
1767 				       sm->last_rx_eapol_key_len) == 0) {
1768 			ok = 1;
1769 			break;
1770 		}
1771 
1772 		if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
1773 			break;
1774 	}
1775 
1776 	if (!ok) {
1777 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1778 				"invalid MIC in msg 2/4 of 4-Way Handshake");
1779 		return;
1780 	}
1781 
1782 #ifdef CONFIG_IEEE80211R
1783 	if (sm->wpa == WPA_VERSION_WPA2 && wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1784 		/*
1785 		 * Verify that PMKR1Name from EAPOL-Key message 2/4 matches
1786 		 * with the value we derived.
1787 		 */
1788 		if (os_memcmp(sm->sup_pmk_r1_name, sm->pmk_r1_name,
1789 			      WPA_PMK_NAME_LEN) != 0) {
1790 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1791 					"PMKR1Name mismatch in FT 4-way "
1792 					"handshake");
1793 			wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
1794 				    "Supplicant",
1795 				    sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
1796 			wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
1797 				    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
1798 			return;
1799 		}
1800 	}
1801 #endif /* CONFIG_IEEE80211R */
1802 
1803 	sm->pending_1_of_4_timeout = 0;
1804 	eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
1805 
1806 	if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
1807 		/* PSK may have changed from the previous choice, so update
1808 		 * state machine data based on whatever PSK was selected here.
1809 		 */
1810 		os_memcpy(sm->PMK, pmk, PMK_LEN);
1811 	}
1812 
1813 	sm->MICVerified = TRUE;
1814 
1815 	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
1816 	sm->PTK_valid = TRUE;
1817 }
1818 
1819 
SM_STATE(WPA_PTK,PTKCALCNEGOTIATING2)1820 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING2)
1821 {
1822 	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING2, wpa_ptk);
1823 	sm->TimeoutCtr = 0;
1824 }
1825 
1826 
1827 #ifdef CONFIG_IEEE80211W
1828 
ieee80211w_kde_len(struct wpa_state_machine * sm)1829 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
1830 {
1831 	if (sm->mgmt_frame_prot) {
1832 		return 2 + RSN_SELECTOR_LEN + sizeof(struct wpa_igtk_kde);
1833 	}
1834 
1835 	return 0;
1836 }
1837 
1838 
ieee80211w_kde_add(struct wpa_state_machine * sm,u8 * pos)1839 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
1840 {
1841 	struct wpa_igtk_kde igtk;
1842 	struct wpa_group *gsm = sm->group;
1843 
1844 	if (!sm->mgmt_frame_prot)
1845 		return pos;
1846 
1847 	igtk.keyid[0] = gsm->GN_igtk;
1848 	igtk.keyid[1] = 0;
1849 	if (gsm->wpa_group_state != WPA_GROUP_SETKEYSDONE ||
1850 	    wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, igtk.pn) < 0)
1851 		os_memset(igtk.pn, 0, sizeof(igtk.pn));
1852 	os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
1853 	if (sm->wpa_auth->conf.disable_gtk) {
1854 		/*
1855 		 * Provide unique random IGTK to each STA to prevent use of
1856 		 * IGTK in the BSS.
1857 		 */
1858 		if (random_get_bytes(igtk.igtk, WPA_IGTK_LEN) < 0)
1859 			return pos;
1860 	}
1861 	pos = wpa_add_kde(pos, RSN_KEY_DATA_IGTK,
1862 			  (const u8 *) &igtk, sizeof(igtk), NULL, 0);
1863 
1864 	return pos;
1865 }
1866 
1867 #else /* CONFIG_IEEE80211W */
1868 
ieee80211w_kde_len(struct wpa_state_machine * sm)1869 static int ieee80211w_kde_len(struct wpa_state_machine *sm)
1870 {
1871 	return 0;
1872 }
1873 
1874 
ieee80211w_kde_add(struct wpa_state_machine * sm,u8 * pos)1875 static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
1876 {
1877 	return pos;
1878 }
1879 
1880 #endif /* CONFIG_IEEE80211W */
1881 
1882 
SM_STATE(WPA_PTK,PTKINITNEGOTIATING)1883 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
1884 {
1885 	u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
1886 	size_t gtk_len, kde_len;
1887 	struct wpa_group *gsm = sm->group;
1888 	u8 *wpa_ie;
1889 	int wpa_ie_len, secure, keyidx, encr = 0;
1890 
1891 	SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
1892 	sm->TimeoutEvt = FALSE;
1893 
1894 	sm->TimeoutCtr++;
1895 	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
1896 		/* No point in sending the EAPOL-Key - we will disconnect
1897 		 * immediately following this. */
1898 		return;
1899 	}
1900 
1901 	/* Send EAPOL(1, 1, 1, Pair, P, RSC, ANonce, MIC(PTK), RSNIE, [MDIE],
1902 	   GTK[GN], IGTK, [FTIE], [TIE * 2])
1903 	 */
1904 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
1905 	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
1906 	/* If FT is used, wpa_auth->wpa_ie includes both RSNIE and MDIE */
1907 	wpa_ie = sm->wpa_auth->wpa_ie;
1908 	wpa_ie_len = sm->wpa_auth->wpa_ie_len;
1909 	if (sm->wpa == WPA_VERSION_WPA &&
1910 	    (sm->wpa_auth->conf.wpa & WPA_PROTO_RSN) &&
1911 	    wpa_ie_len > wpa_ie[1] + 2 && wpa_ie[0] == WLAN_EID_RSN) {
1912 		/* WPA-only STA, remove RSN IE */
1913 		wpa_ie = wpa_ie + wpa_ie[1] + 2;
1914 		wpa_ie_len = wpa_ie[1] + 2;
1915 	}
1916 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1917 			"sending 3/4 msg of 4-Way Handshake");
1918 	if (sm->wpa == WPA_VERSION_WPA2) {
1919 		/* WPA2 send GTK in the 4-way handshake */
1920 		secure = 1;
1921 		gtk = gsm->GTK[gsm->GN - 1];
1922 		gtk_len = gsm->GTK_len;
1923 		if (sm->wpa_auth->conf.disable_gtk) {
1924 			/*
1925 			 * Provide unique random GTK to each STA to prevent use
1926 			 * of GTK in the BSS.
1927 			 */
1928 			if (random_get_bytes(dummy_gtk, gtk_len) < 0)
1929 				return;
1930 			gtk = dummy_gtk;
1931 		}
1932 		keyidx = gsm->GN;
1933 		_rsc = rsc;
1934 		encr = 1;
1935 	} else {
1936 		/* WPA does not include GTK in msg 3/4 */
1937 		secure = 0;
1938 		gtk = NULL;
1939 		gtk_len = 0;
1940 		keyidx = 0;
1941 		_rsc = NULL;
1942 		if (sm->rx_eapol_key_secure) {
1943 			/*
1944 			 * It looks like Windows 7 supplicant tries to use
1945 			 * Secure bit in msg 2/4 after having reported Michael
1946 			 * MIC failure and it then rejects the 4-way handshake
1947 			 * if msg 3/4 does not set Secure bit. Work around this
1948 			 * by setting the Secure bit here even in the case of
1949 			 * WPA if the supplicant used it first.
1950 			 */
1951 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
1952 					"STA used Secure bit in WPA msg 2/4 - "
1953 					"set Secure for 3/4 as workaround");
1954 			secure = 1;
1955 		}
1956 	}
1957 
1958 	kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
1959 	if (gtk)
1960 		kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
1961 #ifdef CONFIG_IEEE80211R
1962 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1963 		kde_len += 2 + PMKID_LEN; /* PMKR1Name into RSN IE */
1964 		kde_len += 300; /* FTIE + 2 * TIE */
1965 	}
1966 #endif /* CONFIG_IEEE80211R */
1967 	kde = os_malloc(kde_len);
1968 	if (kde == NULL)
1969 		return;
1970 
1971 	pos = kde;
1972 	os_memcpy(pos, wpa_ie, wpa_ie_len);
1973 	pos += wpa_ie_len;
1974 #ifdef CONFIG_IEEE80211R
1975 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1976 		int res = wpa_insert_pmkid(kde, pos - kde, sm->pmk_r1_name);
1977 		if (res < 0) {
1978 			wpa_printf(MSG_ERROR, "FT: Failed to insert "
1979 				   "PMKR1Name into RSN IE in EAPOL-Key data");
1980 			os_free(kde);
1981 			return;
1982 		}
1983 		pos += res;
1984 	}
1985 #endif /* CONFIG_IEEE80211R */
1986 	if (gtk) {
1987 		u8 hdr[2];
1988 		hdr[0] = keyidx & 0x03;
1989 		hdr[1] = 0;
1990 		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
1991 				  gtk, gtk_len);
1992 	}
1993 	pos = ieee80211w_kde_add(sm, pos);
1994 
1995 #ifdef CONFIG_IEEE80211R
1996 	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
1997 		int res;
1998 		struct wpa_auth_config *conf;
1999 
2000 		conf = &sm->wpa_auth->conf;
2001 		res = wpa_write_ftie(conf, conf->r0_key_holder,
2002 				     conf->r0_key_holder_len,
2003 				     NULL, NULL, pos, kde + kde_len - pos,
2004 				     NULL, 0);
2005 		if (res < 0) {
2006 			wpa_printf(MSG_ERROR, "FT: Failed to insert FTIE "
2007 				   "into EAPOL-Key Key Data");
2008 			os_free(kde);
2009 			return;
2010 		}
2011 		pos += res;
2012 
2013 		/* TIE[ReassociationDeadline] (TU) */
2014 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2015 		*pos++ = 5;
2016 		*pos++ = WLAN_TIMEOUT_REASSOC_DEADLINE;
2017 		WPA_PUT_LE32(pos, conf->reassociation_deadline);
2018 		pos += 4;
2019 
2020 		/* TIE[KeyLifetime] (seconds) */
2021 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
2022 		*pos++ = 5;
2023 		*pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
2024 		WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
2025 		pos += 4;
2026 	}
2027 #endif /* CONFIG_IEEE80211R */
2028 
2029 	wpa_send_eapol(sm->wpa_auth, sm,
2030 		       (secure ? WPA_KEY_INFO_SECURE : 0) | WPA_KEY_INFO_MIC |
2031 		       WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL |
2032 		       WPA_KEY_INFO_KEY_TYPE,
2033 		       _rsc, sm->ANonce, kde, pos - kde, keyidx, encr);
2034 	os_free(kde);
2035 }
2036 
2037 
SM_STATE(WPA_PTK,PTKINITDONE)2038 SM_STATE(WPA_PTK, PTKINITDONE)
2039 {
2040 	SM_ENTRY_MA(WPA_PTK, PTKINITDONE, wpa_ptk);
2041 	sm->EAPOLKeyReceived = FALSE;
2042 	if (sm->Pair) {
2043 		enum wpa_alg alg = wpa_cipher_to_alg(sm->pairwise);
2044 		int klen = wpa_cipher_key_len(sm->pairwise);
2045 		if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
2046 				     sm->PTK.tk1, klen)) {
2047 			wpa_sta_disconnect(sm->wpa_auth, sm->addr);
2048 			return;
2049 		}
2050 		/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
2051 		sm->pairwise_set = TRUE;
2052 
2053 		if (sm->wpa_auth->conf.wpa_ptk_rekey) {
2054 			eloop_cancel_timeout(wpa_rekey_ptk, sm->wpa_auth, sm);
2055 			eloop_register_timeout(sm->wpa_auth->conf.
2056 					       wpa_ptk_rekey, 0, wpa_rekey_ptk,
2057 					       sm->wpa_auth, sm);
2058 		}
2059 
2060 		if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)) {
2061 			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2062 					   WPA_EAPOL_authorized, 1);
2063 		}
2064 	}
2065 
2066 	if (0 /* IBSS == TRUE */) {
2067 		sm->keycount++;
2068 		if (sm->keycount == 2) {
2069 			wpa_auth_set_eapol(sm->wpa_auth, sm->addr,
2070 					   WPA_EAPOL_portValid, 1);
2071 		}
2072 	} else {
2073 		wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_portValid,
2074 				   1);
2075 	}
2076 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyAvailable, 0);
2077 	wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_keyDone, 1);
2078 	if (sm->wpa == WPA_VERSION_WPA)
2079 		sm->PInitAKeys = TRUE;
2080 	else
2081 		sm->has_GTK = TRUE;
2082 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2083 			 "pairwise key handshake completed (%s)",
2084 			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2085 
2086 #ifdef CONFIG_IEEE80211R
2087 	wpa_ft_push_pmk_r1(sm->wpa_auth, sm->addr);
2088 #endif /* CONFIG_IEEE80211R */
2089 }
2090 
2091 
SM_STEP(WPA_PTK)2092 SM_STEP(WPA_PTK)
2093 {
2094 	struct wpa_authenticator *wpa_auth = sm->wpa_auth;
2095 
2096 	if (sm->Init)
2097 		SM_ENTER(WPA_PTK, INITIALIZE);
2098 	else if (sm->Disconnect
2099 		 /* || FIX: dot11RSNAConfigSALifetime timeout */) {
2100 		wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG,
2101 				"WPA_PTK: sm->Disconnect");
2102 		SM_ENTER(WPA_PTK, DISCONNECT);
2103 	}
2104 	else if (sm->DeauthenticationRequest)
2105 		SM_ENTER(WPA_PTK, DISCONNECTED);
2106 	else if (sm->AuthenticationRequest)
2107 		SM_ENTER(WPA_PTK, AUTHENTICATION);
2108 	else if (sm->ReAuthenticationRequest)
2109 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
2110 	else if (sm->PTKRequest)
2111 		SM_ENTER(WPA_PTK, PTKSTART);
2112 	else switch (sm->wpa_ptk_state) {
2113 	case WPA_PTK_INITIALIZE:
2114 		break;
2115 	case WPA_PTK_DISCONNECT:
2116 		SM_ENTER(WPA_PTK, DISCONNECTED);
2117 		break;
2118 	case WPA_PTK_DISCONNECTED:
2119 		SM_ENTER(WPA_PTK, INITIALIZE);
2120 		break;
2121 	case WPA_PTK_AUTHENTICATION:
2122 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
2123 		break;
2124 	case WPA_PTK_AUTHENTICATION2:
2125 		if (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) &&
2126 		    wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2127 				       WPA_EAPOL_keyRun) > 0)
2128 			SM_ENTER(WPA_PTK, INITPMK);
2129 		else if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt)
2130 			 /* FIX: && 802.1X::keyRun */)
2131 			SM_ENTER(WPA_PTK, INITPSK);
2132 		break;
2133 	case WPA_PTK_INITPMK:
2134 		if (wpa_auth_get_eapol(sm->wpa_auth, sm->addr,
2135 				       WPA_EAPOL_keyAvailable) > 0)
2136 			SM_ENTER(WPA_PTK, PTKSTART);
2137 		else {
2138 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2139 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2140 					"INITPMK - keyAvailable = false");
2141 			SM_ENTER(WPA_PTK, DISCONNECT);
2142 		}
2143 		break;
2144 	case WPA_PTK_INITPSK:
2145 		if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, NULL))
2146 			SM_ENTER(WPA_PTK, PTKSTART);
2147 		else {
2148 			wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2149 					"no PSK configured for the STA");
2150 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2151 			SM_ENTER(WPA_PTK, DISCONNECT);
2152 		}
2153 		break;
2154 	case WPA_PTK_PTKSTART:
2155 		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2156 		    sm->EAPOLKeyPairwise)
2157 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2158 		else if (sm->TimeoutCtr >
2159 			 (int) dot11RSNAConfigPairwiseUpdateCount) {
2160 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2161 			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2162 					 "PTKSTART: Retry limit %d reached",
2163 					 dot11RSNAConfigPairwiseUpdateCount);
2164 			SM_ENTER(WPA_PTK, DISCONNECT);
2165 		} else if (sm->TimeoutEvt)
2166 			SM_ENTER(WPA_PTK, PTKSTART);
2167 		break;
2168 	case WPA_PTK_PTKCALCNEGOTIATING:
2169 		if (sm->MICVerified)
2170 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING2);
2171 		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2172 			 sm->EAPOLKeyPairwise)
2173 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2174 		else if (sm->TimeoutEvt)
2175 			SM_ENTER(WPA_PTK, PTKSTART);
2176 		break;
2177 	case WPA_PTK_PTKCALCNEGOTIATING2:
2178 		SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2179 		break;
2180 	case WPA_PTK_PTKINITNEGOTIATING:
2181 		if (sm->update_snonce)
2182 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
2183 		else if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2184 			 sm->EAPOLKeyPairwise && sm->MICVerified)
2185 			SM_ENTER(WPA_PTK, PTKINITDONE);
2186 		else if (sm->TimeoutCtr >
2187 			 (int) dot11RSNAConfigPairwiseUpdateCount) {
2188 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
2189 			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2190 					 "PTKINITNEGOTIATING: Retry limit %d "
2191 					 "reached",
2192 					 dot11RSNAConfigPairwiseUpdateCount);
2193 			SM_ENTER(WPA_PTK, DISCONNECT);
2194 		} else if (sm->TimeoutEvt)
2195 			SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
2196 		break;
2197 	case WPA_PTK_PTKINITDONE:
2198 		break;
2199 	}
2200 }
2201 
2202 
SM_STATE(WPA_PTK_GROUP,IDLE)2203 SM_STATE(WPA_PTK_GROUP, IDLE)
2204 {
2205 	SM_ENTRY_MA(WPA_PTK_GROUP, IDLE, wpa_ptk_group);
2206 	if (sm->Init) {
2207 		/* Init flag is not cleared here, so avoid busy
2208 		 * loop by claiming nothing changed. */
2209 		sm->changed = FALSE;
2210 	}
2211 	sm->GTimeoutCtr = 0;
2212 }
2213 
2214 
SM_STATE(WPA_PTK_GROUP,REKEYNEGOTIATING)2215 SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
2216 {
2217 	u8 rsc[WPA_KEY_RSC_LEN];
2218 	struct wpa_group *gsm = sm->group;
2219 	u8 *kde, *pos, hdr[2];
2220 	size_t kde_len;
2221 	u8 *gtk, dummy_gtk[32];
2222 
2223 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
2224 
2225 	sm->GTimeoutCtr++;
2226 	if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
2227 		/* No point in sending the EAPOL-Key - we will disconnect
2228 		 * immediately following this. */
2229 		return;
2230 	}
2231 
2232 	if (sm->wpa == WPA_VERSION_WPA)
2233 		sm->PInitAKeys = FALSE;
2234 	sm->TimeoutEvt = FALSE;
2235 	/* Send EAPOL(1, 1, 1, !Pair, G, RSC, GNonce, MIC(PTK), GTK[GN]) */
2236 	os_memset(rsc, 0, WPA_KEY_RSC_LEN);
2237 	if (gsm->wpa_group_state == WPA_GROUP_SETKEYSDONE)
2238 		wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, rsc);
2239 	wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2240 			"sending 1/2 msg of Group Key Handshake");
2241 
2242 	gtk = gsm->GTK[gsm->GN - 1];
2243 	if (sm->wpa_auth->conf.disable_gtk) {
2244 		/*
2245 		 * Provide unique random GTK to each STA to prevent use
2246 		 * of GTK in the BSS.
2247 		 */
2248 		if (random_get_bytes(dummy_gtk, gsm->GTK_len) < 0)
2249 			return;
2250 		gtk = dummy_gtk;
2251 	}
2252 	if (sm->wpa == WPA_VERSION_WPA2) {
2253 		kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
2254 			ieee80211w_kde_len(sm);
2255 		kde = os_malloc(kde_len);
2256 		if (kde == NULL)
2257 			return;
2258 
2259 		pos = kde;
2260 		hdr[0] = gsm->GN & 0x03;
2261 		hdr[1] = 0;
2262 		pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
2263 				  gtk, gsm->GTK_len);
2264 		pos = ieee80211w_kde_add(sm, pos);
2265 	} else {
2266 		kde = gtk;
2267 		pos = kde + gsm->GTK_len;
2268 	}
2269 
2270 	wpa_send_eapol(sm->wpa_auth, sm,
2271 		       WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
2272 		       WPA_KEY_INFO_ACK |
2273 		       (!sm->Pair ? WPA_KEY_INFO_INSTALL : 0),
2274 		       rsc, gsm->GNonce, kde, pos - kde, gsm->GN, 1);
2275 	if (sm->wpa == WPA_VERSION_WPA2)
2276 		os_free(kde);
2277 }
2278 
2279 
SM_STATE(WPA_PTK_GROUP,REKEYESTABLISHED)2280 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
2281 {
2282 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
2283 	sm->EAPOLKeyReceived = FALSE;
2284 	if (sm->GUpdateStationKeys)
2285 		sm->group->GKeyDoneStations--;
2286 	sm->GUpdateStationKeys = FALSE;
2287 	sm->GTimeoutCtr = 0;
2288 	/* FIX: MLME.SetProtection.Request(TA, Tx_Rx) */
2289 	wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_INFO,
2290 			 "group key handshake completed (%s)",
2291 			 sm->wpa == WPA_VERSION_WPA ? "WPA" : "RSN");
2292 	sm->has_GTK = TRUE;
2293 }
2294 
2295 
SM_STATE(WPA_PTK_GROUP,KEYERROR)2296 SM_STATE(WPA_PTK_GROUP, KEYERROR)
2297 {
2298 	SM_ENTRY_MA(WPA_PTK_GROUP, KEYERROR, wpa_ptk_group);
2299 	if (sm->GUpdateStationKeys)
2300 		sm->group->GKeyDoneStations--;
2301 	sm->GUpdateStationKeys = FALSE;
2302 	sm->Disconnect = TRUE;
2303 }
2304 
2305 
SM_STEP(WPA_PTK_GROUP)2306 SM_STEP(WPA_PTK_GROUP)
2307 {
2308 	if (sm->Init || sm->PtkGroupInit) {
2309 		SM_ENTER(WPA_PTK_GROUP, IDLE);
2310 		sm->PtkGroupInit = FALSE;
2311 	} else switch (sm->wpa_ptk_group_state) {
2312 	case WPA_PTK_GROUP_IDLE:
2313 		if (sm->GUpdateStationKeys ||
2314 		    (sm->wpa == WPA_VERSION_WPA && sm->PInitAKeys))
2315 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2316 		break;
2317 	case WPA_PTK_GROUP_REKEYNEGOTIATING:
2318 		if (sm->EAPOLKeyReceived && !sm->EAPOLKeyRequest &&
2319 		    !sm->EAPOLKeyPairwise && sm->MICVerified)
2320 			SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
2321 		else if (sm->GTimeoutCtr >
2322 			 (int) dot11RSNAConfigGroupUpdateCount)
2323 			SM_ENTER(WPA_PTK_GROUP, KEYERROR);
2324 		else if (sm->TimeoutEvt)
2325 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
2326 		break;
2327 	case WPA_PTK_GROUP_KEYERROR:
2328 		SM_ENTER(WPA_PTK_GROUP, IDLE);
2329 		break;
2330 	case WPA_PTK_GROUP_REKEYESTABLISHED:
2331 		SM_ENTER(WPA_PTK_GROUP, IDLE);
2332 		break;
2333 	}
2334 }
2335 
2336 
wpa_gtk_update(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2337 static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
2338 			  struct wpa_group *group)
2339 {
2340 	int ret = 0;
2341 
2342 	os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2343 	inc_byte_array(group->Counter, WPA_NONCE_LEN);
2344 	if (wpa_gmk_to_gtk(group->GMK, "Group key expansion",
2345 			   wpa_auth->addr, group->GNonce,
2346 			   group->GTK[group->GN - 1], group->GTK_len) < 0)
2347 		ret = -1;
2348 	wpa_hexdump_key(MSG_DEBUG, "GTK",
2349 			group->GTK[group->GN - 1], group->GTK_len);
2350 
2351 #ifdef CONFIG_IEEE80211W
2352 	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
2353 		os_memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
2354 		inc_byte_array(group->Counter, WPA_NONCE_LEN);
2355 		if (wpa_gmk_to_gtk(group->GMK, "IGTK key expansion",
2356 				   wpa_auth->addr, group->GNonce,
2357 				   group->IGTK[group->GN_igtk - 4],
2358 				   WPA_IGTK_LEN) < 0)
2359 			ret = -1;
2360 		wpa_hexdump_key(MSG_DEBUG, "IGTK",
2361 				group->IGTK[group->GN_igtk - 4], WPA_IGTK_LEN);
2362 	}
2363 #endif /* CONFIG_IEEE80211W */
2364 
2365 	return ret;
2366 }
2367 
2368 
wpa_group_gtk_init(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2369 static void wpa_group_gtk_init(struct wpa_authenticator *wpa_auth,
2370 			       struct wpa_group *group)
2371 {
2372 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2373 		   "GTK_INIT (VLAN-ID %d)", group->vlan_id);
2374 	group->changed = FALSE; /* GInit is not cleared here; avoid loop */
2375 	group->wpa_group_state = WPA_GROUP_GTK_INIT;
2376 
2377 	/* GTK[0..N] = 0 */
2378 	os_memset(group->GTK, 0, sizeof(group->GTK));
2379 	group->GN = 1;
2380 	group->GM = 2;
2381 #ifdef CONFIG_IEEE80211W
2382 	group->GN_igtk = 4;
2383 	group->GM_igtk = 5;
2384 #endif /* CONFIG_IEEE80211W */
2385 	/* GTK[GN] = CalcGTK() */
2386 	wpa_gtk_update(wpa_auth, group);
2387 }
2388 
2389 
wpa_group_update_sta(struct wpa_state_machine * sm,void * ctx)2390 static int wpa_group_update_sta(struct wpa_state_machine *sm, void *ctx)
2391 {
2392 	if (ctx != NULL && ctx != sm->group)
2393 		return 0;
2394 
2395 	if (sm->wpa_ptk_state != WPA_PTK_PTKINITDONE) {
2396 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2397 				"Not in PTKINITDONE; skip Group Key update");
2398 		sm->GUpdateStationKeys = FALSE;
2399 		return 0;
2400 	}
2401 	if (sm->GUpdateStationKeys) {
2402 		/*
2403 		 * This should not really happen, so add a debug log entry.
2404 		 * Since we clear the GKeyDoneStations before the loop, the
2405 		 * station needs to be counted here anyway.
2406 		 */
2407 		wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
2408 				"GUpdateStationKeys was already set when "
2409 				"marking station for GTK rekeying");
2410 	}
2411 
2412 #ifdef CONFIG_IEEE80211V
2413 	/* Do not rekey GTK/IGTK when STA is in wnmsleep */
2414 	if (sm->is_wnmsleep)
2415 		return 0;
2416 #endif /* CONFIG_IEEE80211V */
2417 
2418 	sm->group->GKeyDoneStations++;
2419 	sm->GUpdateStationKeys = TRUE;
2420 
2421 	wpa_sm_step(sm);
2422 	return 0;
2423 }
2424 
2425 
2426 #ifdef CONFIG_IEEE80211V
2427 /* update GTK when exiting wnmsleep mode */
wpa_wnmsleep_rekey_gtk(struct wpa_state_machine * sm)2428 void wpa_wnmsleep_rekey_gtk(struct wpa_state_machine *sm)
2429 {
2430 	if (sm->is_wnmsleep)
2431 		return;
2432 
2433 	wpa_group_update_sta(sm, NULL);
2434 }
2435 
2436 
wpa_set_wnmsleep(struct wpa_state_machine * sm,int flag)2437 void wpa_set_wnmsleep(struct wpa_state_machine *sm, int flag)
2438 {
2439 	sm->is_wnmsleep = !!flag;
2440 }
2441 
2442 
wpa_wnmsleep_gtk_subelem(struct wpa_state_machine * sm,u8 * pos)2443 int wpa_wnmsleep_gtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2444 {
2445 	u8 *subelem;
2446 	struct wpa_group *gsm = sm->group;
2447 	size_t subelem_len, pad_len;
2448 	const u8 *key;
2449 	size_t key_len;
2450 	u8 keybuf[32];
2451 
2452 	/* GTK subslement */
2453 	key_len = gsm->GTK_len;
2454 	if (key_len > sizeof(keybuf))
2455 		return 0;
2456 
2457 	/*
2458 	 * Pad key for AES Key Wrap if it is not multiple of 8 bytes or is less
2459 	 * than 16 bytes.
2460 	 */
2461 	pad_len = key_len % 8;
2462 	if (pad_len)
2463 		pad_len = 8 - pad_len;
2464 	if (key_len + pad_len < 16)
2465 		pad_len += 8;
2466 	if (pad_len) {
2467 		os_memcpy(keybuf, gsm->GTK[gsm->GN - 1], key_len);
2468 		os_memset(keybuf + key_len, 0, pad_len);
2469 		keybuf[key_len] = 0xdd;
2470 		key_len += pad_len;
2471 		key = keybuf;
2472 	} else
2473 		key = gsm->GTK[gsm->GN - 1];
2474 
2475 	/*
2476 	 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
2477 	 * Key[5..32] | 8 padding.
2478 	 */
2479 	subelem_len = 13 + key_len + 8;
2480 	subelem = os_zalloc(subelem_len);
2481 	if (subelem == NULL)
2482 		return 0;
2483 
2484 	subelem[0] = WNM_SLEEP_SUBELEM_GTK;
2485 	subelem[1] = 11 + key_len + 8;
2486 	/* Key ID in B0-B1 of Key Info */
2487 	WPA_PUT_LE16(&subelem[2], gsm->GN & 0x03);
2488 	subelem[4] = gsm->GTK_len;
2489 	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, subelem + 5) != 0)
2490 	{
2491 		os_free(subelem);
2492 		return 0;
2493 	}
2494 	if (aes_wrap(sm->PTK.kek, key_len / 8, key, subelem + 13)) {
2495 		os_free(subelem);
2496 		return 0;
2497 	}
2498 
2499 	os_memcpy(pos, subelem, subelem_len);
2500 
2501 	wpa_hexdump_key(MSG_DEBUG, "Plaintext GTK",
2502 			gsm->GTK[gsm->GN - 1], gsm->GTK_len);
2503 	os_free(subelem);
2504 
2505 	return subelem_len;
2506 }
2507 
2508 
2509 #ifdef CONFIG_IEEE80211W
wpa_wnmsleep_igtk_subelem(struct wpa_state_machine * sm,u8 * pos)2510 int wpa_wnmsleep_igtk_subelem(struct wpa_state_machine *sm, u8 *pos)
2511 {
2512 	u8 *subelem, *ptr;
2513 	struct wpa_group *gsm = sm->group;
2514 	size_t subelem_len;
2515 
2516 	/* IGTK subelement
2517 	 * Sub-elem ID[1] | Length[1] | KeyID[2] | PN[6] |
2518 	 * Key[16] | 8 padding */
2519 	subelem_len = 1 + 1 + 2 + 6 + WPA_IGTK_LEN + 8;
2520 	subelem = os_zalloc(subelem_len);
2521 	if (subelem == NULL)
2522 		return 0;
2523 
2524 	ptr = subelem;
2525 	*ptr++ = WNM_SLEEP_SUBELEM_IGTK;
2526 	*ptr++ = subelem_len - 2;
2527 	WPA_PUT_LE16(ptr, gsm->GN_igtk);
2528 	ptr += 2;
2529 	if (wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, ptr) != 0) {
2530 		os_free(subelem);
2531 		return 0;
2532 	}
2533 	ptr += 6;
2534 	if (aes_wrap(sm->PTK.kek, WPA_IGTK_LEN / 8,
2535 		     gsm->IGTK[gsm->GN_igtk - 4], ptr)) {
2536 		os_free(subelem);
2537 		return -1;
2538 	}
2539 
2540 	os_memcpy(pos, subelem, subelem_len);
2541 
2542 	wpa_hexdump_key(MSG_DEBUG, "Plaintext IGTK",
2543 			gsm->IGTK[gsm->GN_igtk - 4], WPA_IGTK_LEN);
2544 	os_free(subelem);
2545 
2546 	return subelem_len;
2547 }
2548 #endif /* CONFIG_IEEE80211W */
2549 #endif /* CONFIG_IEEE80211V */
2550 
2551 
wpa_group_setkeys(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2552 static void wpa_group_setkeys(struct wpa_authenticator *wpa_auth,
2553 			      struct wpa_group *group)
2554 {
2555 	int tmp;
2556 
2557 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2558 		   "SETKEYS (VLAN-ID %d)", group->vlan_id);
2559 	group->changed = TRUE;
2560 	group->wpa_group_state = WPA_GROUP_SETKEYS;
2561 	group->GTKReKey = FALSE;
2562 	tmp = group->GM;
2563 	group->GM = group->GN;
2564 	group->GN = tmp;
2565 #ifdef CONFIG_IEEE80211W
2566 	tmp = group->GM_igtk;
2567 	group->GM_igtk = group->GN_igtk;
2568 	group->GN_igtk = tmp;
2569 #endif /* CONFIG_IEEE80211W */
2570 	/* "GKeyDoneStations = GNoStations" is done in more robust way by
2571 	 * counting the STAs that are marked with GUpdateStationKeys instead of
2572 	 * including all STAs that could be in not-yet-completed state. */
2573 	wpa_gtk_update(wpa_auth, group);
2574 
2575 	if (group->GKeyDoneStations) {
2576 		wpa_printf(MSG_DEBUG, "wpa_group_setkeys: Unexpected "
2577 			   "GKeyDoneStations=%d when starting new GTK rekey",
2578 			   group->GKeyDoneStations);
2579 		group->GKeyDoneStations = 0;
2580 	}
2581 	wpa_auth_for_each_sta(wpa_auth, wpa_group_update_sta, group);
2582 	wpa_printf(MSG_DEBUG, "wpa_group_setkeys: GKeyDoneStations=%d",
2583 		   group->GKeyDoneStations);
2584 }
2585 
2586 
wpa_group_config_group_keys(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2587 static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
2588 				       struct wpa_group *group)
2589 {
2590 	int ret = 0;
2591 
2592 	if (wpa_auth_set_key(wpa_auth, group->vlan_id,
2593 			     wpa_cipher_to_alg(wpa_auth->conf.wpa_group),
2594 			     broadcast_ether_addr, group->GN,
2595 			     group->GTK[group->GN - 1], group->GTK_len) < 0)
2596 		ret = -1;
2597 
2598 #ifdef CONFIG_IEEE80211W
2599 	if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION &&
2600 	    wpa_auth_set_key(wpa_auth, group->vlan_id, WPA_ALG_IGTK,
2601 			     broadcast_ether_addr, group->GN_igtk,
2602 			     group->IGTK[group->GN_igtk - 4],
2603 			     WPA_IGTK_LEN) < 0)
2604 		ret = -1;
2605 #endif /* CONFIG_IEEE80211W */
2606 
2607 	return ret;
2608 }
2609 
2610 
wpa_group_setkeysdone(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2611 static int wpa_group_setkeysdone(struct wpa_authenticator *wpa_auth,
2612 				 struct wpa_group *group)
2613 {
2614 	wpa_printf(MSG_DEBUG, "WPA: group state machine entering state "
2615 		   "SETKEYSDONE (VLAN-ID %d)", group->vlan_id);
2616 	group->changed = TRUE;
2617 	group->wpa_group_state = WPA_GROUP_SETKEYSDONE;
2618 
2619 	if (wpa_group_config_group_keys(wpa_auth, group) < 0)
2620 		return -1;
2621 
2622 	return 0;
2623 }
2624 
2625 
wpa_group_sm_step(struct wpa_authenticator * wpa_auth,struct wpa_group * group)2626 static void wpa_group_sm_step(struct wpa_authenticator *wpa_auth,
2627 			      struct wpa_group *group)
2628 {
2629 	if (group->GInit) {
2630 		wpa_group_gtk_init(wpa_auth, group);
2631 	} else if (group->wpa_group_state == WPA_GROUP_GTK_INIT &&
2632 		   group->GTKAuthenticator) {
2633 		wpa_group_setkeysdone(wpa_auth, group);
2634 	} else if (group->wpa_group_state == WPA_GROUP_SETKEYSDONE &&
2635 		   group->GTKReKey) {
2636 		wpa_group_setkeys(wpa_auth, group);
2637 	} else if (group->wpa_group_state == WPA_GROUP_SETKEYS) {
2638 		if (group->GKeyDoneStations == 0)
2639 			wpa_group_setkeysdone(wpa_auth, group);
2640 		else if (group->GTKReKey)
2641 			wpa_group_setkeys(wpa_auth, group);
2642 	}
2643 }
2644 
2645 
wpa_sm_step(struct wpa_state_machine * sm)2646 static int wpa_sm_step(struct wpa_state_machine *sm)
2647 {
2648 	if (sm == NULL)
2649 		return 0;
2650 
2651 	if (sm->in_step_loop) {
2652 		/* This should not happen, but if it does, make sure we do not
2653 		 * end up freeing the state machine too early by exiting the
2654 		 * recursive call. */
2655 		wpa_printf(MSG_ERROR, "WPA: wpa_sm_step() called recursively");
2656 		return 0;
2657 	}
2658 
2659 	sm->in_step_loop = 1;
2660 	do {
2661 		if (sm->pending_deinit)
2662 			break;
2663 
2664 		sm->changed = FALSE;
2665 		sm->wpa_auth->group->changed = FALSE;
2666 
2667 		SM_STEP_RUN(WPA_PTK);
2668 		if (sm->pending_deinit)
2669 			break;
2670 		SM_STEP_RUN(WPA_PTK_GROUP);
2671 		if (sm->pending_deinit)
2672 			break;
2673 		wpa_group_sm_step(sm->wpa_auth, sm->group);
2674 	} while (sm->changed || sm->wpa_auth->group->changed);
2675 	sm->in_step_loop = 0;
2676 
2677 	if (sm->pending_deinit) {
2678 		wpa_printf(MSG_DEBUG, "WPA: Completing pending STA state "
2679 			   "machine deinit for " MACSTR, MAC2STR(sm->addr));
2680 		wpa_free_sta_sm(sm);
2681 		return 1;
2682 	}
2683 	return 0;
2684 }
2685 
2686 
wpa_sm_call_step(void * eloop_ctx,void * timeout_ctx)2687 static void wpa_sm_call_step(void *eloop_ctx, void *timeout_ctx)
2688 {
2689 	struct wpa_state_machine *sm = eloop_ctx;
2690 	wpa_sm_step(sm);
2691 }
2692 
2693 
wpa_auth_sm_notify(struct wpa_state_machine * sm)2694 void wpa_auth_sm_notify(struct wpa_state_machine *sm)
2695 {
2696 	if (sm == NULL)
2697 		return;
2698 	eloop_register_timeout(0, 0, wpa_sm_call_step, sm, NULL);
2699 }
2700 
2701 
wpa_gtk_rekey(struct wpa_authenticator * wpa_auth)2702 void wpa_gtk_rekey(struct wpa_authenticator *wpa_auth)
2703 {
2704 	int tmp, i;
2705 	struct wpa_group *group;
2706 
2707 	if (wpa_auth == NULL)
2708 		return;
2709 
2710 	group = wpa_auth->group;
2711 
2712 	for (i = 0; i < 2; i++) {
2713 		tmp = group->GM;
2714 		group->GM = group->GN;
2715 		group->GN = tmp;
2716 #ifdef CONFIG_IEEE80211W
2717 		tmp = group->GM_igtk;
2718 		group->GM_igtk = group->GN_igtk;
2719 		group->GN_igtk = tmp;
2720 #endif /* CONFIG_IEEE80211W */
2721 		wpa_gtk_update(wpa_auth, group);
2722 		wpa_group_config_group_keys(wpa_auth, group);
2723 	}
2724 }
2725 
2726 
wpa_bool_txt(int bool)2727 static const char * wpa_bool_txt(int bool)
2728 {
2729 	return bool ? "TRUE" : "FALSE";
2730 }
2731 
2732 
2733 #define RSN_SUITE "%02x-%02x-%02x-%d"
2734 #define RSN_SUITE_ARG(s) \
2735 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
2736 
wpa_get_mib(struct wpa_authenticator * wpa_auth,char * buf,size_t buflen)2737 int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
2738 {
2739 	int len = 0, ret;
2740 	char pmkid_txt[PMKID_LEN * 2 + 1];
2741 #ifdef CONFIG_RSN_PREAUTH
2742 	const int preauth = 1;
2743 #else /* CONFIG_RSN_PREAUTH */
2744 	const int preauth = 0;
2745 #endif /* CONFIG_RSN_PREAUTH */
2746 
2747 	if (wpa_auth == NULL)
2748 		return len;
2749 
2750 	ret = os_snprintf(buf + len, buflen - len,
2751 			  "dot11RSNAOptionImplemented=TRUE\n"
2752 			  "dot11RSNAPreauthenticationImplemented=%s\n"
2753 			  "dot11RSNAEnabled=%s\n"
2754 			  "dot11RSNAPreauthenticationEnabled=%s\n",
2755 			  wpa_bool_txt(preauth),
2756 			  wpa_bool_txt(wpa_auth->conf.wpa & WPA_PROTO_RSN),
2757 			  wpa_bool_txt(wpa_auth->conf.rsn_preauth));
2758 	if (ret < 0 || (size_t) ret >= buflen - len)
2759 		return len;
2760 	len += ret;
2761 
2762 	wpa_snprintf_hex(pmkid_txt, sizeof(pmkid_txt),
2763 			 wpa_auth->dot11RSNAPMKIDUsed, PMKID_LEN);
2764 
2765 	ret = os_snprintf(
2766 		buf + len, buflen - len,
2767 		"dot11RSNAConfigVersion=%u\n"
2768 		"dot11RSNAConfigPairwiseKeysSupported=9999\n"
2769 		/* FIX: dot11RSNAConfigGroupCipher */
2770 		/* FIX: dot11RSNAConfigGroupRekeyMethod */
2771 		/* FIX: dot11RSNAConfigGroupRekeyTime */
2772 		/* FIX: dot11RSNAConfigGroupRekeyPackets */
2773 		"dot11RSNAConfigGroupRekeyStrict=%u\n"
2774 		"dot11RSNAConfigGroupUpdateCount=%u\n"
2775 		"dot11RSNAConfigPairwiseUpdateCount=%u\n"
2776 		"dot11RSNAConfigGroupCipherSize=%u\n"
2777 		"dot11RSNAConfigPMKLifetime=%u\n"
2778 		"dot11RSNAConfigPMKReauthThreshold=%u\n"
2779 		"dot11RSNAConfigNumberOfPTKSAReplayCounters=0\n"
2780 		"dot11RSNAConfigSATimeout=%u\n"
2781 		"dot11RSNAAuthenticationSuiteSelected=" RSN_SUITE "\n"
2782 		"dot11RSNAPairwiseCipherSelected=" RSN_SUITE "\n"
2783 		"dot11RSNAGroupCipherSelected=" RSN_SUITE "\n"
2784 		"dot11RSNAPMKIDUsed=%s\n"
2785 		"dot11RSNAAuthenticationSuiteRequested=" RSN_SUITE "\n"
2786 		"dot11RSNAPairwiseCipherRequested=" RSN_SUITE "\n"
2787 		"dot11RSNAGroupCipherRequested=" RSN_SUITE "\n"
2788 		"dot11RSNATKIPCounterMeasuresInvoked=%u\n"
2789 		"dot11RSNA4WayHandshakeFailures=%u\n"
2790 		"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
2791 		RSN_VERSION,
2792 		!!wpa_auth->conf.wpa_strict_rekey,
2793 		dot11RSNAConfigGroupUpdateCount,
2794 		dot11RSNAConfigPairwiseUpdateCount,
2795 		wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
2796 		dot11RSNAConfigPMKLifetime,
2797 		dot11RSNAConfigPMKReauthThreshold,
2798 		dot11RSNAConfigSATimeout,
2799 		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteSelected),
2800 		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherSelected),
2801 		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherSelected),
2802 		pmkid_txt,
2803 		RSN_SUITE_ARG(wpa_auth->dot11RSNAAuthenticationSuiteRequested),
2804 		RSN_SUITE_ARG(wpa_auth->dot11RSNAPairwiseCipherRequested),
2805 		RSN_SUITE_ARG(wpa_auth->dot11RSNAGroupCipherRequested),
2806 		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked,
2807 		wpa_auth->dot11RSNA4WayHandshakeFailures);
2808 	if (ret < 0 || (size_t) ret >= buflen - len)
2809 		return len;
2810 	len += ret;
2811 
2812 	/* TODO: dot11RSNAConfigPairwiseCiphersTable */
2813 	/* TODO: dot11RSNAConfigAuthenticationSuitesTable */
2814 
2815 	/* Private MIB */
2816 	ret = os_snprintf(buf + len, buflen - len, "hostapdWPAGroupState=%d\n",
2817 			  wpa_auth->group->wpa_group_state);
2818 	if (ret < 0 || (size_t) ret >= buflen - len)
2819 		return len;
2820 	len += ret;
2821 
2822 	return len;
2823 }
2824 
2825 
wpa_get_mib_sta(struct wpa_state_machine * sm,char * buf,size_t buflen)2826 int wpa_get_mib_sta(struct wpa_state_machine *sm, char *buf, size_t buflen)
2827 {
2828 	int len = 0, ret;
2829 	u32 pairwise = 0;
2830 
2831 	if (sm == NULL)
2832 		return 0;
2833 
2834 	/* TODO: FF-FF-FF-FF-FF-FF entry for broadcast/multicast stats */
2835 
2836 	/* dot11RSNAStatsEntry */
2837 
2838 	pairwise = wpa_cipher_to_suite(sm->wpa == WPA_VERSION_WPA2 ?
2839 				       WPA_PROTO_RSN : WPA_PROTO_WPA,
2840 				       sm->pairwise);
2841 	if (pairwise == 0)
2842 		return 0;
2843 
2844 	ret = os_snprintf(
2845 		buf + len, buflen - len,
2846 		/* TODO: dot11RSNAStatsIndex */
2847 		"dot11RSNAStatsSTAAddress=" MACSTR "\n"
2848 		"dot11RSNAStatsVersion=1\n"
2849 		"dot11RSNAStatsSelectedPairwiseCipher=" RSN_SUITE "\n"
2850 		/* TODO: dot11RSNAStatsTKIPICVErrors */
2851 		"dot11RSNAStatsTKIPLocalMICFailures=%u\n"
2852 		"dot11RSNAStatsTKIPRemoteMICFailures=%u\n"
2853 		/* TODO: dot11RSNAStatsCCMPReplays */
2854 		/* TODO: dot11RSNAStatsCCMPDecryptErrors */
2855 		/* TODO: dot11RSNAStatsTKIPReplays */,
2856 		MAC2STR(sm->addr),
2857 		RSN_SUITE_ARG(pairwise),
2858 		sm->dot11RSNAStatsTKIPLocalMICFailures,
2859 		sm->dot11RSNAStatsTKIPRemoteMICFailures);
2860 	if (ret < 0 || (size_t) ret >= buflen - len)
2861 		return len;
2862 	len += ret;
2863 
2864 	/* Private MIB */
2865 	ret = os_snprintf(buf + len, buflen - len,
2866 			  "hostapdWPAPTKState=%d\n"
2867 			  "hostapdWPAPTKGroupState=%d\n",
2868 			  sm->wpa_ptk_state,
2869 			  sm->wpa_ptk_group_state);
2870 	if (ret < 0 || (size_t) ret >= buflen - len)
2871 		return len;
2872 	len += ret;
2873 
2874 	return len;
2875 }
2876 
2877 
wpa_auth_countermeasures_start(struct wpa_authenticator * wpa_auth)2878 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
2879 {
2880 	if (wpa_auth)
2881 		wpa_auth->dot11RSNATKIPCounterMeasuresInvoked++;
2882 }
2883 
2884 
wpa_auth_pairwise_set(struct wpa_state_machine * sm)2885 int wpa_auth_pairwise_set(struct wpa_state_machine *sm)
2886 {
2887 	return sm && sm->pairwise_set;
2888 }
2889 
2890 
wpa_auth_get_pairwise(struct wpa_state_machine * sm)2891 int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
2892 {
2893 	return sm->pairwise;
2894 }
2895 
2896 
wpa_auth_sta_key_mgmt(struct wpa_state_machine * sm)2897 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
2898 {
2899 	if (sm == NULL)
2900 		return -1;
2901 	return sm->wpa_key_mgmt;
2902 }
2903 
2904 
wpa_auth_sta_wpa_version(struct wpa_state_machine * sm)2905 int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
2906 {
2907 	if (sm == NULL)
2908 		return 0;
2909 	return sm->wpa;
2910 }
2911 
2912 
wpa_auth_sta_clear_pmksa(struct wpa_state_machine * sm,struct rsn_pmksa_cache_entry * entry)2913 int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
2914 			     struct rsn_pmksa_cache_entry *entry)
2915 {
2916 	if (sm == NULL || sm->pmksa != entry)
2917 		return -1;
2918 	sm->pmksa = NULL;
2919 	return 0;
2920 }
2921 
2922 
2923 struct rsn_pmksa_cache_entry *
wpa_auth_sta_get_pmksa(struct wpa_state_machine * sm)2924 wpa_auth_sta_get_pmksa(struct wpa_state_machine *sm)
2925 {
2926 	return sm ? sm->pmksa : NULL;
2927 }
2928 
2929 
wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine * sm)2930 void wpa_auth_sta_local_mic_failure_report(struct wpa_state_machine *sm)
2931 {
2932 	if (sm)
2933 		sm->dot11RSNAStatsTKIPLocalMICFailures++;
2934 }
2935 
2936 
wpa_auth_get_wpa_ie(struct wpa_authenticator * wpa_auth,size_t * len)2937 const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
2938 {
2939 	if (wpa_auth == NULL)
2940 		return NULL;
2941 	*len = wpa_auth->wpa_ie_len;
2942 	return wpa_auth->wpa_ie;
2943 }
2944 
2945 
wpa_auth_pmksa_add(struct wpa_state_machine * sm,const u8 * pmk,int session_timeout,struct eapol_state_machine * eapol)2946 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
2947 		       int session_timeout, struct eapol_state_machine *eapol)
2948 {
2949 	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
2950 	    sm->wpa_auth->conf.disable_pmksa_caching)
2951 		return -1;
2952 
2953 	if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
2954 				 sm->wpa_auth->addr, sm->addr, session_timeout,
2955 				 eapol, sm->wpa_key_mgmt))
2956 		return 0;
2957 
2958 	return -1;
2959 }
2960 
2961 
wpa_auth_pmksa_add_preauth(struct wpa_authenticator * wpa_auth,const u8 * pmk,size_t len,const u8 * sta_addr,int session_timeout,struct eapol_state_machine * eapol)2962 int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
2963 			       const u8 *pmk, size_t len, const u8 *sta_addr,
2964 			       int session_timeout,
2965 			       struct eapol_state_machine *eapol)
2966 {
2967 	if (wpa_auth == NULL)
2968 		return -1;
2969 
2970 	if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, len, wpa_auth->addr,
2971 				 sta_addr, session_timeout, eapol,
2972 				 WPA_KEY_MGMT_IEEE8021X))
2973 		return 0;
2974 
2975 	return -1;
2976 }
2977 
2978 
2979 static struct wpa_group *
wpa_auth_add_group(struct wpa_authenticator * wpa_auth,int vlan_id)2980 wpa_auth_add_group(struct wpa_authenticator *wpa_auth, int vlan_id)
2981 {
2982 	struct wpa_group *group;
2983 
2984 	if (wpa_auth == NULL || wpa_auth->group == NULL)
2985 		return NULL;
2986 
2987 	wpa_printf(MSG_DEBUG, "WPA: Add group state machine for VLAN-ID %d",
2988 		   vlan_id);
2989 	group = wpa_group_init(wpa_auth, vlan_id, 0);
2990 	if (group == NULL)
2991 		return NULL;
2992 
2993 	group->next = wpa_auth->group->next;
2994 	wpa_auth->group->next = group;
2995 
2996 	return group;
2997 }
2998 
2999 
wpa_auth_sta_set_vlan(struct wpa_state_machine * sm,int vlan_id)3000 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id)
3001 {
3002 	struct wpa_group *group;
3003 
3004 	if (sm == NULL || sm->wpa_auth == NULL)
3005 		return 0;
3006 
3007 	group = sm->wpa_auth->group;
3008 	while (group) {
3009 		if (group->vlan_id == vlan_id)
3010 			break;
3011 		group = group->next;
3012 	}
3013 
3014 	if (group == NULL) {
3015 		group = wpa_auth_add_group(sm->wpa_auth, vlan_id);
3016 		if (group == NULL)
3017 			return -1;
3018 	}
3019 
3020 	if (sm->group == group)
3021 		return 0;
3022 
3023 	wpa_printf(MSG_DEBUG, "WPA: Moving STA " MACSTR " to use group state "
3024 		   "machine for VLAN ID %d", MAC2STR(sm->addr), vlan_id);
3025 
3026 	sm->group = group;
3027 	return 0;
3028 }
3029 
3030 
wpa_auth_eapol_key_tx_status(struct wpa_authenticator * wpa_auth,struct wpa_state_machine * sm,int ack)3031 void wpa_auth_eapol_key_tx_status(struct wpa_authenticator *wpa_auth,
3032 				  struct wpa_state_machine *sm, int ack)
3033 {
3034 	if (wpa_auth == NULL || sm == NULL)
3035 		return;
3036 	wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key TX status for STA " MACSTR
3037 		   " ack=%d", MAC2STR(sm->addr), ack);
3038 	if (sm->pending_1_of_4_timeout && ack) {
3039 		/*
3040 		 * Some deployed supplicant implementations update their SNonce
3041 		 * for each EAPOL-Key 2/4 message even within the same 4-way
3042 		 * handshake and then fail to use the first SNonce when
3043 		 * deriving the PTK. This results in unsuccessful 4-way
3044 		 * handshake whenever the relatively short initial timeout is
3045 		 * reached and EAPOL-Key 1/4 is retransmitted. Try to work
3046 		 * around this by increasing the timeout now that we know that
3047 		 * the station has received the frame.
3048 		 */
3049 		int timeout_ms = eapol_key_timeout_subseq;
3050 		wpa_printf(MSG_DEBUG, "WPA: Increase initial EAPOL-Key 1/4 "
3051 			   "timeout by %u ms because of acknowledged frame",
3052 			   timeout_ms);
3053 		eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
3054 		eloop_register_timeout(timeout_ms / 1000,
3055 				       (timeout_ms % 1000) * 1000,
3056 				       wpa_send_eapol_timeout, wpa_auth, sm);
3057 	}
3058 }
3059