1 /*
2 * WPA Supplicant - PeerKey for Direct Link Setup (DLS)
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #ifdef CONFIG_PEERKEY
12
13 #include "common.h"
14 #include "eloop.h"
15 #include "crypto/sha1.h"
16 #include "crypto/sha256.h"
17 #include "crypto/random.h"
18 #include "common/ieee802_11_defs.h"
19 #include "wpa.h"
20 #include "wpa_i.h"
21 #include "wpa_ie.h"
22 #include "peerkey.h"
23
24
wpa_add_ie(u8 * pos,const u8 * ie,size_t ie_len)25 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
26 {
27 os_memcpy(pos, ie, ie_len);
28 return pos + ie_len;
29 }
30
31
wpa_add_kde(u8 * pos,u32 kde,const u8 * data,size_t data_len)32 static u8 * wpa_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
33 {
34 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
35 *pos++ = RSN_SELECTOR_LEN + data_len;
36 RSN_SELECTOR_PUT(pos, kde);
37 pos += RSN_SELECTOR_LEN;
38 os_memcpy(pos, data, data_len);
39 pos += data_len;
40 return pos;
41 }
42
43
wpa_supplicant_smk_timeout(void * eloop_ctx,void * timeout_ctx)44 static void wpa_supplicant_smk_timeout(void *eloop_ctx, void *timeout_ctx)
45 {
46 #if 0
47 struct wpa_sm *sm = eloop_ctx;
48 struct wpa_peerkey *peerkey = timeout_ctx;
49 #endif
50 /* TODO: time out SMK and any STK that was generated using this SMK */
51 }
52
53
wpa_supplicant_peerkey_free(struct wpa_sm * sm,struct wpa_peerkey * peerkey)54 static void wpa_supplicant_peerkey_free(struct wpa_sm *sm,
55 struct wpa_peerkey *peerkey)
56 {
57 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
58 os_free(peerkey);
59 }
60
61
wpa_supplicant_send_smk_error(struct wpa_sm * sm,const u8 * dst,const u8 * peer,u16 mui,u16 error_type,int ver)62 static int wpa_supplicant_send_smk_error(struct wpa_sm *sm, const u8 *dst,
63 const u8 *peer,
64 u16 mui, u16 error_type, int ver)
65 {
66 size_t rlen;
67 struct wpa_eapol_key *err;
68 struct wpa_eapol_key_192 *err192;
69 struct rsn_error_kde error;
70 u8 *rbuf, *pos;
71 size_t kde_len;
72 u16 key_info;
73
74 kde_len = 2 + RSN_SELECTOR_LEN + sizeof(error);
75 if (peer)
76 kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
77
78 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
79 NULL, sizeof(*err) + kde_len, &rlen,
80 (void *) &err);
81 if (rbuf == NULL)
82 return -1;
83 err192 = (struct wpa_eapol_key_192 *) err;
84
85 err->type = EAPOL_KEY_TYPE_RSN;
86 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
87 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_ERROR |
88 WPA_KEY_INFO_REQUEST;
89 WPA_PUT_BE16(err->key_info, key_info);
90 WPA_PUT_BE16(err->key_length, 0);
91 os_memcpy(err->replay_counter, sm->request_counter,
92 WPA_REPLAY_COUNTER_LEN);
93 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
94
95 WPA_PUT_BE16(err->key_data_length, (u16) kde_len);
96 pos = (u8 *) (err + 1);
97
98 if (peer) {
99 /* Peer MAC Address KDE */
100 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
101 }
102
103 /* Error KDE */
104 error.mui = host_to_be16(mui);
105 error.error_type = host_to_be16(error_type);
106 wpa_add_kde(pos, RSN_KEY_DATA_ERROR, (u8 *) &error, sizeof(error));
107
108 if (peer) {
109 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error (peer "
110 MACSTR " mui %d error_type %d)",
111 MAC2STR(peer), mui, error_type);
112 } else {
113 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error "
114 "(mui %d error_type %d)", mui, error_type);
115 }
116
117 wpa_eapol_key_send(sm, sm->ptk.kck, sm->ptk.kck_len, ver, dst,
118 ETH_P_EAPOL, rbuf, rlen, err192->key_mic);
119
120 return 0;
121 }
122
123
wpa_supplicant_send_smk_m3(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,int ver,struct wpa_peerkey * peerkey)124 static int wpa_supplicant_send_smk_m3(struct wpa_sm *sm,
125 const unsigned char *src_addr,
126 const struct wpa_eapol_key *key,
127 int ver, struct wpa_peerkey *peerkey)
128 {
129 size_t rlen;
130 struct wpa_eapol_key *reply;
131 struct wpa_eapol_key_192 *reply192;
132 u8 *rbuf, *pos;
133 size_t kde_len;
134 u16 key_info;
135
136 /* KDEs: Peer RSN IE, Initiator MAC Address, Initiator Nonce */
137 kde_len = peerkey->rsnie_p_len +
138 2 + RSN_SELECTOR_LEN + ETH_ALEN +
139 2 + RSN_SELECTOR_LEN + WPA_NONCE_LEN;
140
141 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
142 NULL, sizeof(*reply) + kde_len, &rlen,
143 (void *) &reply);
144 if (rbuf == NULL)
145 return -1;
146 reply192 = (struct wpa_eapol_key_192 *) reply;
147
148 reply->type = EAPOL_KEY_TYPE_RSN;
149 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
150 WPA_KEY_INFO_SECURE;
151 WPA_PUT_BE16(reply->key_info, key_info);
152 WPA_PUT_BE16(reply->key_length, 0);
153 os_memcpy(reply->replay_counter, key->replay_counter,
154 WPA_REPLAY_COUNTER_LEN);
155
156 os_memcpy(reply->key_nonce, peerkey->pnonce, WPA_NONCE_LEN);
157
158 WPA_PUT_BE16(reply->key_data_length, (u16) kde_len);
159 pos = (u8 *) (reply + 1);
160
161 /* Peer RSN IE */
162 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
163
164 /* Initiator MAC Address KDE */
165 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peerkey->addr, ETH_ALEN);
166
167 /* Initiator Nonce */
168 wpa_add_kde(pos, RSN_KEY_DATA_NONCE, peerkey->inonce, WPA_NONCE_LEN);
169
170 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK M3");
171 wpa_eapol_key_send(sm, sm->ptk.kck, sm->ptk.kck_len, ver, src_addr,
172 ETH_P_EAPOL, rbuf, rlen, reply192->key_mic);
173
174 return 0;
175 }
176
177
wpa_supplicant_process_smk_m2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,size_t extra_len,int ver)178 static int wpa_supplicant_process_smk_m2(
179 struct wpa_sm *sm, const unsigned char *src_addr,
180 const struct wpa_eapol_key *key, size_t extra_len, int ver)
181 {
182 struct wpa_peerkey *peerkey;
183 struct wpa_eapol_ie_parse kde;
184 struct wpa_ie_data ie;
185 int cipher;
186 struct rsn_ie_hdr *hdr;
187 u8 *pos;
188
189 wpa_printf(MSG_DEBUG, "RSN: Received SMK M2");
190
191 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
192 wpa_printf(MSG_INFO, "RSN: SMK handshake not allowed for "
193 "the current network");
194 return -1;
195 }
196
197 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
198 0) {
199 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M2");
200 return -1;
201 }
202
203 if (kde.rsn_ie == NULL || kde.mac_addr == NULL ||
204 kde.mac_addr_len < ETH_ALEN) {
205 wpa_printf(MSG_INFO, "RSN: No RSN IE or MAC address KDE in "
206 "SMK M2");
207 return -1;
208 }
209
210 wpa_printf(MSG_DEBUG, "RSN: SMK M2 - SMK initiator " MACSTR,
211 MAC2STR(kde.mac_addr));
212
213 if (kde.rsn_ie_len > PEERKEY_MAX_IE_LEN) {
214 wpa_printf(MSG_INFO, "RSN: Too long Initiator RSN IE in SMK "
215 "M2");
216 return -1;
217 }
218
219 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
220 wpa_printf(MSG_INFO, "RSN: Failed to parse RSN IE in SMK M2");
221 return -1;
222 }
223
224 cipher = wpa_pick_pairwise_cipher(ie.pairwise_cipher &
225 sm->allowed_pairwise_cipher, 0);
226 if (cipher < 0) {
227 wpa_printf(MSG_INFO, "RSN: No acceptable cipher in SMK M2");
228 wpa_supplicant_send_smk_error(sm, src_addr, kde.mac_addr,
229 STK_MUI_SMK, STK_ERR_CPHR_NS,
230 ver);
231 return -1;
232 }
233 wpa_printf(MSG_DEBUG, "RSN: Using %s for PeerKey",
234 wpa_cipher_txt(cipher));
235
236 /* TODO: find existing entry and if found, use that instead of adding
237 * a new one; how to handle the case where both ends initiate at the
238 * same time? */
239 peerkey = os_zalloc(sizeof(*peerkey));
240 if (peerkey == NULL)
241 return -1;
242 os_memcpy(peerkey->addr, kde.mac_addr, ETH_ALEN);
243 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
244 os_memcpy(peerkey->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
245 peerkey->rsnie_i_len = kde.rsn_ie_len;
246 peerkey->cipher = cipher;
247 peerkey->akmp = ie.key_mgmt;
248
249 if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) {
250 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
251 "WPA: Failed to get random data for PNonce");
252 wpa_supplicant_peerkey_free(sm, peerkey);
253 return -1;
254 }
255
256 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_p;
257 hdr->elem_id = WLAN_EID_RSN;
258 WPA_PUT_LE16(hdr->version, RSN_VERSION);
259 pos = (u8 *) (hdr + 1);
260 /* Group Suite can be anything for SMK RSN IE; receiver will just
261 * ignore it. */
262 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
263 pos += RSN_SELECTOR_LEN;
264 /* Include only the selected cipher in pairwise cipher suite */
265 WPA_PUT_LE16(pos, 1);
266 pos += 2;
267 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, cipher));
268 pos += RSN_SELECTOR_LEN;
269
270 hdr->len = (pos - peerkey->rsnie_p) - 2;
271 peerkey->rsnie_p_len = pos - peerkey->rsnie_p;
272 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
273 peerkey->rsnie_p, peerkey->rsnie_p_len);
274
275 wpa_supplicant_send_smk_m3(sm, src_addr, key, ver, peerkey);
276
277 peerkey->next = sm->peerkey;
278 sm->peerkey = peerkey;
279
280 return 0;
281 }
282
283
284 /**
285 * rsn_smkid - Derive SMK identifier
286 * @smk: Station master key (32 bytes)
287 * @pnonce: Peer Nonce
288 * @mac_p: Peer MAC address
289 * @inonce: Initiator Nonce
290 * @mac_i: Initiator MAC address
291 * @akmp: Negotiated AKM
292 *
293 * 8.5.1.4 Station to station (STK) key hierarchy
294 * SMKID = HMAC-SHA1-128(SMK, "SMK Name" || PNonce || MAC_P || INonce || MAC_I)
295 */
rsn_smkid(const u8 * smk,const u8 * pnonce,const u8 * mac_p,const u8 * inonce,const u8 * mac_i,u8 * smkid,int akmp)296 static void rsn_smkid(const u8 *smk, const u8 *pnonce, const u8 *mac_p,
297 const u8 *inonce, const u8 *mac_i, u8 *smkid,
298 int akmp)
299 {
300 char *title = "SMK Name";
301 const u8 *addr[5];
302 const size_t len[5] = { 8, WPA_NONCE_LEN, ETH_ALEN, WPA_NONCE_LEN,
303 ETH_ALEN };
304 unsigned char hash[SHA256_MAC_LEN];
305
306 addr[0] = (u8 *) title;
307 addr[1] = pnonce;
308 addr[2] = mac_p;
309 addr[3] = inonce;
310 addr[4] = mac_i;
311
312 #ifdef CONFIG_IEEE80211W
313 if (wpa_key_mgmt_sha256(akmp))
314 hmac_sha256_vector(smk, PMK_LEN, 5, addr, len, hash);
315 else
316 #endif /* CONFIG_IEEE80211W */
317 hmac_sha1_vector(smk, PMK_LEN, 5, addr, len, hash);
318 os_memcpy(smkid, hash, PMKID_LEN);
319 }
320
321
wpa_supplicant_send_stk_1_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey)322 static void wpa_supplicant_send_stk_1_of_4(struct wpa_sm *sm,
323 struct wpa_peerkey *peerkey)
324 {
325 size_t mlen;
326 struct wpa_eapol_key *msg;
327 u8 *mbuf;
328 size_t kde_len;
329 u16 key_info, ver;
330
331 kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
332
333 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
334 sizeof(*msg) + kde_len, &mlen,
335 (void *) &msg);
336 if (mbuf == NULL)
337 return;
338
339 msg->type = EAPOL_KEY_TYPE_RSN;
340
341 if (peerkey->cipher != WPA_CIPHER_TKIP)
342 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
343 else
344 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
345
346 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK;
347 WPA_PUT_BE16(msg->key_info, key_info);
348
349 if (peerkey->cipher != WPA_CIPHER_TKIP)
350 WPA_PUT_BE16(msg->key_length, 16);
351 else
352 WPA_PUT_BE16(msg->key_length, 32);
353
354 os_memcpy(msg->replay_counter, peerkey->replay_counter,
355 WPA_REPLAY_COUNTER_LEN);
356 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
357
358 WPA_PUT_BE16(msg->key_data_length, kde_len);
359 wpa_add_kde((u8 *) (msg + 1), RSN_KEY_DATA_PMKID,
360 peerkey->smkid, PMKID_LEN);
361
362 if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) {
363 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
364 "RSN: Failed to get random data for INonce (STK)");
365 os_free(mbuf);
366 return;
367 }
368 wpa_hexdump(MSG_DEBUG, "RSN: INonce for STK 4-Way Handshake",
369 peerkey->inonce, WPA_NONCE_LEN);
370 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
371
372 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 1/4 to " MACSTR,
373 MAC2STR(peerkey->addr));
374 wpa_eapol_key_send(sm, NULL, 0, ver, peerkey->addr, ETH_P_EAPOL,
375 mbuf, mlen, NULL);
376 }
377
378
wpa_supplicant_send_stk_3_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey)379 static void wpa_supplicant_send_stk_3_of_4(struct wpa_sm *sm,
380 struct wpa_peerkey *peerkey)
381 {
382 size_t mlen;
383 struct wpa_eapol_key *msg;
384 u8 *mbuf, *pos;
385 size_t kde_len;
386 u16 key_info, ver;
387 be32 lifetime;
388
389 kde_len = peerkey->rsnie_i_len +
390 2 + RSN_SELECTOR_LEN + sizeof(lifetime);
391
392 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
393 sizeof(*msg) + kde_len, &mlen,
394 (void *) &msg);
395 if (mbuf == NULL)
396 return;
397
398 msg->type = EAPOL_KEY_TYPE_RSN;
399
400 if (peerkey->cipher != WPA_CIPHER_TKIP)
401 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
402 else
403 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
404
405 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK |
406 WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE;
407 WPA_PUT_BE16(msg->key_info, key_info);
408
409 if (peerkey->cipher != WPA_CIPHER_TKIP)
410 WPA_PUT_BE16(msg->key_length, 16);
411 else
412 WPA_PUT_BE16(msg->key_length, 32);
413
414 os_memcpy(msg->replay_counter, peerkey->replay_counter,
415 WPA_REPLAY_COUNTER_LEN);
416 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
417
418 WPA_PUT_BE16(msg->key_data_length, kde_len);
419 pos = (u8 *) (msg + 1);
420 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
421 lifetime = host_to_be32(peerkey->lifetime);
422 wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
423 (u8 *) &lifetime, sizeof(lifetime));
424
425 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
426
427 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 3/4 to " MACSTR,
428 MAC2STR(peerkey->addr));
429 wpa_eapol_key_send(sm, peerkey->stk.kck, peerkey->stk.kck_len, ver,
430 peerkey->addr, ETH_P_EAPOL, mbuf, mlen,
431 msg->key_mic);
432 }
433
434
wpa_supplicant_process_smk_m4(struct wpa_peerkey * peerkey,struct wpa_eapol_ie_parse * kde)435 static int wpa_supplicant_process_smk_m4(struct wpa_peerkey *peerkey,
436 struct wpa_eapol_ie_parse *kde)
437 {
438 wpa_printf(MSG_DEBUG, "RSN: Received SMK M4 (Initiator " MACSTR ")",
439 MAC2STR(kde->mac_addr));
440
441 if (os_memcmp(kde->smk + PMK_LEN, peerkey->pnonce, WPA_NONCE_LEN) != 0)
442 {
443 wpa_printf(MSG_INFO, "RSN: PNonce in SMK KDE does not "
444 "match with the one used in SMK M3");
445 return -1;
446 }
447
448 if (os_memcmp(kde->nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) {
449 wpa_printf(MSG_INFO, "RSN: INonce in SMK M4 did not "
450 "match with the one received in SMK M2");
451 return -1;
452 }
453
454 return 0;
455 }
456
457
wpa_supplicant_process_smk_m5(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,int ver,struct wpa_peerkey * peerkey,struct wpa_eapol_ie_parse * kde)458 static int wpa_supplicant_process_smk_m5(struct wpa_sm *sm,
459 const unsigned char *src_addr,
460 const struct wpa_eapol_key *key,
461 int ver,
462 struct wpa_peerkey *peerkey,
463 struct wpa_eapol_ie_parse *kde)
464 {
465 int cipher;
466 struct wpa_ie_data ie;
467
468 wpa_printf(MSG_DEBUG, "RSN: Received SMK M5 (Peer " MACSTR ")",
469 MAC2STR(kde->mac_addr));
470 if (kde->rsn_ie == NULL || kde->rsn_ie_len > PEERKEY_MAX_IE_LEN ||
471 wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0) {
472 wpa_printf(MSG_INFO, "RSN: No RSN IE in SMK M5");
473 /* TODO: abort negotiation */
474 return -1;
475 }
476
477 if (os_memcmp(key->key_nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) {
478 wpa_printf(MSG_INFO, "RSN: Key Nonce in SMK M5 does "
479 "not match with INonce used in SMK M1");
480 return -1;
481 }
482
483 if (os_memcmp(kde->smk + PMK_LEN, peerkey->inonce, WPA_NONCE_LEN) != 0)
484 {
485 wpa_printf(MSG_INFO, "RSN: INonce in SMK KDE does not "
486 "match with the one used in SMK M1");
487 return -1;
488 }
489
490 os_memcpy(peerkey->rsnie_p, kde->rsn_ie, kde->rsn_ie_len);
491 peerkey->rsnie_p_len = kde->rsn_ie_len;
492 os_memcpy(peerkey->pnonce, kde->nonce, WPA_NONCE_LEN);
493
494 cipher = wpa_pick_pairwise_cipher(ie.pairwise_cipher &
495 sm->allowed_pairwise_cipher, 0);
496 if (cipher < 0) {
497 wpa_printf(MSG_INFO, "RSN: SMK Peer STA " MACSTR " selected "
498 "unacceptable cipher", MAC2STR(kde->mac_addr));
499 wpa_supplicant_send_smk_error(sm, src_addr, kde->mac_addr,
500 STK_MUI_SMK, STK_ERR_CPHR_NS,
501 ver);
502 /* TODO: abort negotiation */
503 return -1;
504 }
505 wpa_printf(MSG_DEBUG, "RSN: Using %s for PeerKey",
506 wpa_cipher_txt(cipher));
507 peerkey->cipher = cipher;
508
509 return 0;
510 }
511
512
wpa_supplicant_process_smk_m45(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,size_t extra_len,int ver)513 static int wpa_supplicant_process_smk_m45(
514 struct wpa_sm *sm, const unsigned char *src_addr,
515 const struct wpa_eapol_key *key, size_t extra_len, int ver)
516 {
517 struct wpa_peerkey *peerkey;
518 struct wpa_eapol_ie_parse kde;
519 u32 lifetime;
520
521 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
522 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
523 "the current network");
524 return -1;
525 }
526
527 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
528 0) {
529 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M4/M5");
530 return -1;
531 }
532
533 if (kde.mac_addr == NULL || kde.mac_addr_len < ETH_ALEN ||
534 kde.nonce == NULL || kde.nonce_len < WPA_NONCE_LEN ||
535 kde.smk == NULL || kde.smk_len < PMK_LEN + WPA_NONCE_LEN ||
536 kde.lifetime == NULL || kde.lifetime_len < 4) {
537 wpa_printf(MSG_INFO, "RSN: No MAC Address, Nonce, SMK, or "
538 "Lifetime KDE in SMK M4/M5");
539 return -1;
540 }
541
542 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
543 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) == 0 &&
544 os_memcmp(peerkey->initiator ? peerkey->inonce :
545 peerkey->pnonce,
546 key->key_nonce, WPA_NONCE_LEN) == 0)
547 break;
548 }
549 if (peerkey == NULL) {
550 wpa_printf(MSG_INFO, "RSN: No matching SMK handshake found "
551 "for SMK M4/M5: peer " MACSTR,
552 MAC2STR(kde.mac_addr));
553 return -1;
554 }
555
556 if (peerkey->initiator) {
557 if (wpa_supplicant_process_smk_m5(sm, src_addr, key, ver,
558 peerkey, &kde) < 0)
559 return -1;
560 } else {
561 if (wpa_supplicant_process_smk_m4(peerkey, &kde) < 0)
562 return -1;
563 }
564
565 os_memcpy(peerkey->smk, kde.smk, PMK_LEN);
566 peerkey->smk_complete = 1;
567 wpa_hexdump_key(MSG_DEBUG, "RSN: SMK", peerkey->smk, PMK_LEN);
568 lifetime = WPA_GET_BE32(kde.lifetime);
569 wpa_printf(MSG_DEBUG, "RSN: SMK lifetime %u seconds", lifetime);
570 if (lifetime > 1000000000)
571 lifetime = 1000000000; /* avoid overflowing eloop time */
572 peerkey->lifetime = lifetime;
573 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
574 sm, peerkey);
575
576 if (peerkey->initiator) {
577 rsn_smkid(peerkey->smk, peerkey->pnonce, peerkey->addr,
578 peerkey->inonce, sm->own_addr, peerkey->smkid,
579 peerkey->akmp);
580 wpa_supplicant_send_stk_1_of_4(sm, peerkey);
581 } else {
582 rsn_smkid(peerkey->smk, peerkey->pnonce, sm->own_addr,
583 peerkey->inonce, peerkey->addr, peerkey->smkid,
584 peerkey->akmp);
585 }
586 wpa_hexdump(MSG_DEBUG, "RSN: SMKID", peerkey->smkid, PMKID_LEN);
587
588 return 0;
589 }
590
591
wpa_supplicant_process_smk_error(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,size_t extra_len)592 static int wpa_supplicant_process_smk_error(
593 struct wpa_sm *sm, const unsigned char *src_addr,
594 const struct wpa_eapol_key *key, size_t extra_len)
595 {
596 struct wpa_eapol_ie_parse kde;
597 struct rsn_error_kde error;
598 u8 peer[ETH_ALEN];
599 u16 error_type;
600
601 wpa_printf(MSG_DEBUG, "RSN: Received SMK Error");
602
603 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
604 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
605 "the current network");
606 return -1;
607 }
608
609 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
610 0) {
611 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK Error");
612 return -1;
613 }
614
615 if (kde.error == NULL || kde.error_len < sizeof(error)) {
616 wpa_printf(MSG_INFO, "RSN: No Error KDE in SMK Error");
617 return -1;
618 }
619
620 if (kde.mac_addr && kde.mac_addr_len >= ETH_ALEN)
621 os_memcpy(peer, kde.mac_addr, ETH_ALEN);
622 else
623 os_memset(peer, 0, ETH_ALEN);
624 os_memcpy(&error, kde.error, sizeof(error));
625 error_type = be_to_host16(error.error_type);
626 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
627 "RSN: SMK Error KDE received: MUI %d error_type %d peer "
628 MACSTR,
629 be_to_host16(error.mui), error_type,
630 MAC2STR(peer));
631
632 if (kde.mac_addr &&
633 (error_type == STK_ERR_STA_NR || error_type == STK_ERR_STA_NRSN ||
634 error_type == STK_ERR_CPHR_NS)) {
635 struct wpa_peerkey *peerkey;
636
637 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
638 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) ==
639 0)
640 break;
641 }
642 if (peerkey == NULL) {
643 wpa_printf(MSG_DEBUG, "RSN: No matching SMK handshake "
644 "found for SMK Error");
645 return -1;
646 }
647 /* TODO: abort SMK/STK handshake and remove all related keys */
648 }
649
650 return 0;
651 }
652
653
wpa_supplicant_process_stk_1_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)654 static void wpa_supplicant_process_stk_1_of_4(struct wpa_sm *sm,
655 struct wpa_peerkey *peerkey,
656 const struct wpa_eapol_key *key,
657 u16 ver, const u8 *key_data,
658 size_t key_data_len)
659 {
660 struct wpa_eapol_ie_parse ie;
661 size_t kde_buf_len;
662 struct wpa_ptk *stk;
663 u8 buf[8], *kde_buf, *pos;
664 be32 lifetime;
665
666 wpa_printf(MSG_DEBUG, "RSN: RX message 1 of STK 4-Way Handshake from "
667 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
668
669 os_memset(&ie, 0, sizeof(ie));
670
671 /* RSN: msg 1/4 should contain SMKID for the selected SMK */
672 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", key_data, key_data_len);
673 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0 ||
674 ie.pmkid == NULL) {
675 wpa_printf(MSG_DEBUG, "RSN: No SMKID in STK 1/4");
676 return;
677 }
678 if (os_memcmp_const(ie.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
679 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 1/4",
680 ie.pmkid, PMKID_LEN);
681 return;
682 }
683
684 if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) {
685 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
686 "RSN: Failed to get random data for PNonce");
687 return;
688 }
689 wpa_hexdump(MSG_DEBUG, "WPA: Renewed PNonce",
690 peerkey->pnonce, WPA_NONCE_LEN);
691
692 /* Calculate STK which will be stored as a temporary STK until it has
693 * been verified when processing message 3/4. */
694 stk = &peerkey->tstk;
695 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
696 sm->own_addr, peerkey->addr,
697 peerkey->pnonce, key->key_nonce,
698 stk, peerkey->akmp, peerkey->cipher);
699 /* Supplicant: swap tx/rx Mic keys */
700 os_memcpy(buf, &stk->tk[16], 8);
701 os_memcpy(&stk->tk[16], &stk->tk[24], 8);
702 os_memcpy(&stk->tk[24], buf, 8);
703 peerkey->tstk_set = 1;
704
705 kde_buf_len = peerkey->rsnie_p_len +
706 2 + RSN_SELECTOR_LEN + sizeof(lifetime) +
707 2 + RSN_SELECTOR_LEN + PMKID_LEN;
708 kde_buf = os_malloc(kde_buf_len);
709 if (kde_buf == NULL)
710 return;
711 pos = kde_buf;
712 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
713 lifetime = host_to_be32(peerkey->lifetime);
714 pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
715 (u8 *) &lifetime, sizeof(lifetime));
716 wpa_add_kde(pos, RSN_KEY_DATA_PMKID, peerkey->smkid, PMKID_LEN);
717
718 if (wpa_supplicant_send_2_of_4(sm, peerkey->addr, key, ver,
719 peerkey->pnonce, kde_buf, kde_buf_len,
720 stk)) {
721 os_free(kde_buf);
722 return;
723 }
724 os_free(kde_buf);
725
726 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
727 }
728
729
wpa_supplicant_update_smk_lifetime(struct wpa_sm * sm,struct wpa_peerkey * peerkey,struct wpa_eapol_ie_parse * kde)730 static void wpa_supplicant_update_smk_lifetime(struct wpa_sm *sm,
731 struct wpa_peerkey *peerkey,
732 struct wpa_eapol_ie_parse *kde)
733 {
734 u32 lifetime;
735
736 if (kde->lifetime == NULL || kde->lifetime_len < sizeof(lifetime))
737 return;
738
739 lifetime = WPA_GET_BE32(kde->lifetime);
740
741 if (lifetime >= peerkey->lifetime) {
742 wpa_printf(MSG_DEBUG, "RSN: Peer used SMK lifetime %u seconds "
743 "which is larger than or equal to own value %u "
744 "seconds - ignored", lifetime, peerkey->lifetime);
745 return;
746 }
747
748 wpa_printf(MSG_DEBUG, "RSN: Peer used shorter SMK lifetime %u seconds "
749 "(own was %u seconds) - updated",
750 lifetime, peerkey->lifetime);
751 peerkey->lifetime = lifetime;
752
753 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
754 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
755 sm, peerkey);
756 }
757
758
wpa_supplicant_process_stk_2_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)759 static void wpa_supplicant_process_stk_2_of_4(struct wpa_sm *sm,
760 struct wpa_peerkey *peerkey,
761 const struct wpa_eapol_key *key,
762 u16 ver, const u8 *key_data,
763 size_t key_data_len)
764 {
765 struct wpa_eapol_ie_parse kde;
766
767 wpa_printf(MSG_DEBUG, "RSN: RX message 2 of STK 4-Way Handshake from "
768 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
769
770 os_memset(&kde, 0, sizeof(kde));
771
772 /* RSN: msg 2/4 should contain SMKID for the selected SMK and RSN IE
773 * from the peer. It may also include Lifetime KDE. */
774 wpa_hexdump(MSG_DEBUG, "RSN: msg 2/4 key data", key_data, key_data_len);
775 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0 ||
776 kde.pmkid == NULL || kde.rsn_ie == NULL) {
777 wpa_printf(MSG_DEBUG, "RSN: No SMKID or RSN IE in STK 2/4");
778 return;
779 }
780
781 if (os_memcmp_const(kde.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
782 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 2/4",
783 kde.pmkid, PMKID_LEN);
784 return;
785 }
786
787 if (kde.rsn_ie_len != peerkey->rsnie_p_len ||
788 os_memcmp(kde.rsn_ie, peerkey->rsnie_p, kde.rsn_ie_len) != 0) {
789 wpa_printf(MSG_INFO, "RSN: Peer RSN IE in SMK and STK "
790 "handshakes did not match");
791 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in SMK handshake",
792 peerkey->rsnie_p, peerkey->rsnie_p_len);
793 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in STK handshake",
794 kde.rsn_ie, kde.rsn_ie_len);
795 return;
796 }
797
798 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
799
800 wpa_supplicant_send_stk_3_of_4(sm, peerkey);
801 os_memcpy(peerkey->pnonce, key->key_nonce, WPA_NONCE_LEN);
802 }
803
804
wpa_supplicant_process_stk_3_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)805 static void wpa_supplicant_process_stk_3_of_4(struct wpa_sm *sm,
806 struct wpa_peerkey *peerkey,
807 const struct wpa_eapol_key *key,
808 u16 ver, const u8 *key_data,
809 size_t key_data_len)
810 {
811 struct wpa_eapol_ie_parse kde;
812 size_t key_len;
813 const u8 *_key;
814 u8 key_buf[32], rsc[6];
815
816 wpa_printf(MSG_DEBUG, "RSN: RX message 3 of STK 4-Way Handshake from "
817 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
818
819 os_memset(&kde, 0, sizeof(kde));
820
821 /* RSN: msg 3/4 should contain Initiator RSN IE. It may also include
822 * Lifetime KDE. */
823 wpa_hexdump(MSG_DEBUG, "RSN: msg 3/4 key data", key_data, key_data_len);
824 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0) {
825 wpa_printf(MSG_DEBUG, "RSN: Failed to parse key data in "
826 "STK 3/4");
827 return;
828 }
829
830 if (kde.rsn_ie_len != peerkey->rsnie_i_len ||
831 os_memcmp(kde.rsn_ie, peerkey->rsnie_i, kde.rsn_ie_len) != 0) {
832 wpa_printf(MSG_INFO, "RSN: Initiator RSN IE in SMK and STK "
833 "handshakes did not match");
834 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in SMK "
835 "handshake",
836 peerkey->rsnie_i, peerkey->rsnie_i_len);
837 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in STK "
838 "handshake",
839 kde.rsn_ie, kde.rsn_ie_len);
840 return;
841 }
842
843 if (os_memcmp(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
844 wpa_printf(MSG_WARNING, "RSN: INonce from message 1 of STK "
845 "4-Way Handshake differs from 3 of STK 4-Way "
846 "Handshake - drop packet (src=" MACSTR ")",
847 MAC2STR(peerkey->addr));
848 return;
849 }
850
851 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
852
853 if (wpa_supplicant_send_4_of_4(sm, peerkey->addr, key, ver,
854 WPA_GET_BE16(key->key_info),
855 &peerkey->stk))
856 return;
857
858 _key = peerkey->stk.tk;
859 if (peerkey->cipher == WPA_CIPHER_TKIP) {
860 /* Swap Tx/Rx keys for Michael MIC */
861 os_memcpy(key_buf, _key, 16);
862 os_memcpy(key_buf + 16, _key + 24, 8);
863 os_memcpy(key_buf + 24, _key + 16, 8);
864 _key = key_buf;
865 key_len = 32;
866 } else
867 key_len = 16;
868
869 os_memset(rsc, 0, 6);
870 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
871 rsc, sizeof(rsc), _key, key_len) < 0) {
872 os_memset(key_buf, 0, sizeof(key_buf));
873 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
874 "driver.");
875 return;
876 }
877 os_memset(key_buf, 0, sizeof(key_buf));
878 }
879
880
wpa_supplicant_process_stk_4_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey,const struct wpa_eapol_key * key,u16 ver)881 static void wpa_supplicant_process_stk_4_of_4(struct wpa_sm *sm,
882 struct wpa_peerkey *peerkey,
883 const struct wpa_eapol_key *key,
884 u16 ver)
885 {
886 u8 rsc[6];
887
888 wpa_printf(MSG_DEBUG, "RSN: RX message 4 of STK 4-Way Handshake from "
889 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
890
891 os_memset(rsc, 0, 6);
892 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
893 rsc, sizeof(rsc), peerkey->stk.tk,
894 peerkey->cipher == WPA_CIPHER_TKIP ? 32 : 16) < 0) {
895 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
896 "driver.");
897 return;
898 }
899 }
900
901
902 /**
903 * peerkey_verify_eapol_key_mic - Verify PeerKey MIC
904 * @sm: Pointer to WPA state machine data from wpa_sm_init()
905 * @peerkey: Pointer to the PeerKey data for the peer
906 * @key: Pointer to the EAPOL-Key frame header
907 * @ver: Version bits from EAPOL-Key Key Info
908 * @buf: Pointer to the beginning of EAPOL-Key frame
909 * @len: Length of the EAPOL-Key frame
910 * Returns: 0 on success, -1 on failure
911 */
peerkey_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_peerkey * peerkey,struct wpa_eapol_key_192 * key,u16 ver,const u8 * buf,size_t len)912 int peerkey_verify_eapol_key_mic(struct wpa_sm *sm,
913 struct wpa_peerkey *peerkey,
914 struct wpa_eapol_key_192 *key, u16 ver,
915 const u8 *buf, size_t len)
916 {
917 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
918 size_t mic_len = 16;
919 int ok = 0;
920
921 if (peerkey->initiator && !peerkey->stk_set) {
922 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
923 sm->own_addr, peerkey->addr,
924 peerkey->inonce, key->key_nonce,
925 &peerkey->stk, peerkey->akmp, peerkey->cipher);
926 peerkey->stk_set = 1;
927 }
928
929 os_memcpy(mic, key->key_mic, mic_len);
930 if (peerkey->tstk_set) {
931 os_memset(key->key_mic, 0, mic_len);
932 wpa_eapol_key_mic(peerkey->tstk.kck, peerkey->tstk.kck_len,
933 sm->key_mgmt, ver, buf, len, key->key_mic);
934 if (os_memcmp_const(mic, key->key_mic, mic_len) != 0) {
935 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
936 "when using TSTK - ignoring TSTK");
937 } else {
938 ok = 1;
939 peerkey->tstk_set = 0;
940 peerkey->stk_set = 1;
941 os_memcpy(&peerkey->stk, &peerkey->tstk,
942 sizeof(peerkey->stk));
943 os_memset(&peerkey->tstk, 0, sizeof(peerkey->tstk));
944 }
945 }
946
947 if (!ok && peerkey->stk_set) {
948 os_memset(key->key_mic, 0, mic_len);
949 wpa_eapol_key_mic(peerkey->stk.kck, peerkey->stk.kck_len,
950 sm->key_mgmt, ver, buf, len, key->key_mic);
951 if (os_memcmp_const(mic, key->key_mic, mic_len) != 0) {
952 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
953 "- dropping packet");
954 return -1;
955 }
956 ok = 1;
957 }
958
959 if (!ok) {
960 wpa_printf(MSG_WARNING, "RSN: Could not verify EAPOL-Key MIC "
961 "- dropping packet");
962 return -1;
963 }
964
965 os_memcpy(peerkey->replay_counter, key->replay_counter,
966 WPA_REPLAY_COUNTER_LEN);
967 peerkey->replay_counter_set = 1;
968 return 0;
969 }
970
971
972 /**
973 * wpa_sm_stkstart - Send EAPOL-Key Request for STK handshake (STK M1)
974 * @sm: Pointer to WPA state machine data from wpa_sm_init()
975 * @peer: MAC address of the peer STA
976 * Returns: 0 on success, or -1 on failure
977 *
978 * Send an EAPOL-Key Request to the current authenticator to start STK
979 * handshake with the peer.
980 */
wpa_sm_stkstart(struct wpa_sm * sm,const u8 * peer)981 int wpa_sm_stkstart(struct wpa_sm *sm, const u8 *peer)
982 {
983 size_t rlen, kde_len;
984 struct wpa_eapol_key *req;
985 int key_info, ver;
986 u8 bssid[ETH_ALEN], *rbuf, *pos, *count_pos;
987 u16 count;
988 struct rsn_ie_hdr *hdr;
989 struct wpa_peerkey *peerkey;
990 struct wpa_ie_data ie;
991
992 if (sm->proto != WPA_PROTO_RSN || !sm->ptk_set || !sm->peerkey_enabled)
993 return -1;
994
995 if (sm->ap_rsn_ie &&
996 wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &ie) == 0 &&
997 !(ie.capabilities & WPA_CAPABILITY_PEERKEY_ENABLED)) {
998 wpa_printf(MSG_DEBUG, "RSN: Current AP does not support STK");
999 return -1;
1000 }
1001
1002 if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
1003 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1004 else
1005 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1006
1007 if (wpa_sm_get_bssid(sm, bssid) < 0) {
1008 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key "
1009 "SMK M1");
1010 return -1;
1011 }
1012
1013 /* TODO: find existing entry and if found, use that instead of adding
1014 * a new one */
1015 peerkey = os_zalloc(sizeof(*peerkey));
1016 if (peerkey == NULL)
1017 return -1;
1018 peerkey->initiator = 1;
1019 os_memcpy(peerkey->addr, peer, ETH_ALEN);
1020 peerkey->akmp = sm->key_mgmt;
1021
1022 /* SMK M1:
1023 * EAPOL-Key(S=1, M=1, A=0, I=0, K=0, SM=1, KeyRSC=0, Nonce=INonce,
1024 * MIC=MIC, DataKDs=(RSNIE_I, MAC_P KDE))
1025 */
1026
1027 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_i;
1028 hdr->elem_id = WLAN_EID_RSN;
1029 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1030 pos = (u8 *) (hdr + 1);
1031 /* Group Suite can be anything for SMK RSN IE; receiver will just
1032 * ignore it. */
1033 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1034 pos += RSN_SELECTOR_LEN;
1035 count_pos = pos;
1036 pos += 2;
1037
1038 count = rsn_cipher_put_suites(pos, sm->allowed_pairwise_cipher);
1039 pos += count * RSN_SELECTOR_LEN;
1040 WPA_PUT_LE16(count_pos, count);
1041
1042 hdr->len = (pos - peerkey->rsnie_i) - 2;
1043 peerkey->rsnie_i_len = pos - peerkey->rsnie_i;
1044 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
1045 peerkey->rsnie_i, peerkey->rsnie_i_len);
1046
1047 kde_len = peerkey->rsnie_i_len + 2 + RSN_SELECTOR_LEN + ETH_ALEN;
1048
1049 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1050 sizeof(*req) + kde_len, &rlen,
1051 (void *) &req);
1052 if (rbuf == NULL) {
1053 wpa_supplicant_peerkey_free(sm, peerkey);
1054 return -1;
1055 }
1056
1057 req->type = EAPOL_KEY_TYPE_RSN;
1058 key_info = WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
1059 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_REQUEST | ver;
1060 WPA_PUT_BE16(req->key_info, key_info);
1061 WPA_PUT_BE16(req->key_length, 0);
1062 os_memcpy(req->replay_counter, sm->request_counter,
1063 WPA_REPLAY_COUNTER_LEN);
1064 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
1065
1066 if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) {
1067 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1068 "WPA: Failed to get random data for INonce");
1069 os_free(rbuf);
1070 wpa_supplicant_peerkey_free(sm, peerkey);
1071 return -1;
1072 }
1073 os_memcpy(req->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
1074 wpa_hexdump(MSG_DEBUG, "WPA: INonce for SMK handshake",
1075 req->key_nonce, WPA_NONCE_LEN);
1076
1077 WPA_PUT_BE16(req->key_data_length, (u16) kde_len);
1078 pos = (u8 *) (req + 1);
1079
1080 /* Initiator RSN IE */
1081 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
1082 /* Peer MAC address KDE */
1083 wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
1084
1085 wpa_printf(MSG_INFO, "RSN: Sending EAPOL-Key SMK M1 Request (peer "
1086 MACSTR ")", MAC2STR(peer));
1087 wpa_eapol_key_send(sm, sm->ptk.kck, sm->ptk.kck_len, ver, bssid,
1088 ETH_P_EAPOL, rbuf, rlen, req->key_mic);
1089
1090 peerkey->next = sm->peerkey;
1091 sm->peerkey = peerkey;
1092
1093 return 0;
1094 }
1095
1096
1097 /**
1098 * peerkey_deinit - Free PeerKey values
1099 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1100 */
peerkey_deinit(struct wpa_sm * sm)1101 void peerkey_deinit(struct wpa_sm *sm)
1102 {
1103 struct wpa_peerkey *prev, *peerkey = sm->peerkey;
1104 while (peerkey) {
1105 prev = peerkey;
1106 peerkey = peerkey->next;
1107 wpa_supplicant_peerkey_free(sm, prev);
1108 }
1109 sm->peerkey = NULL;
1110 }
1111
1112
peerkey_rx_eapol_4way(struct wpa_sm * sm,struct wpa_peerkey * peerkey,struct wpa_eapol_key * key,u16 key_info,u16 ver,const u8 * key_data,size_t key_data_len)1113 void peerkey_rx_eapol_4way(struct wpa_sm *sm, struct wpa_peerkey *peerkey,
1114 struct wpa_eapol_key *key, u16 key_info, u16 ver,
1115 const u8 *key_data, size_t key_data_len)
1116 {
1117 if ((key_info & (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) ==
1118 (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) {
1119 /* 3/4 STK 4-Way Handshake */
1120 wpa_supplicant_process_stk_3_of_4(sm, peerkey, key, ver,
1121 key_data, key_data_len);
1122 } else if (key_info & WPA_KEY_INFO_ACK) {
1123 /* 1/4 STK 4-Way Handshake */
1124 wpa_supplicant_process_stk_1_of_4(sm, peerkey, key, ver,
1125 key_data, key_data_len);
1126 } else if (key_info & WPA_KEY_INFO_SECURE) {
1127 /* 4/4 STK 4-Way Handshake */
1128 wpa_supplicant_process_stk_4_of_4(sm, peerkey, key, ver);
1129 } else {
1130 /* 2/4 STK 4-Way Handshake */
1131 wpa_supplicant_process_stk_2_of_4(sm, peerkey, key, ver,
1132 key_data, key_data_len);
1133 }
1134 }
1135
1136
peerkey_rx_eapol_smk(struct wpa_sm * sm,const u8 * src_addr,struct wpa_eapol_key * key,size_t extra_len,u16 key_info,u16 ver)1137 void peerkey_rx_eapol_smk(struct wpa_sm *sm, const u8 *src_addr,
1138 struct wpa_eapol_key *key, size_t extra_len,
1139 u16 key_info, u16 ver)
1140 {
1141 if (key_info & WPA_KEY_INFO_ERROR) {
1142 /* SMK Error */
1143 wpa_supplicant_process_smk_error(sm, src_addr, key, extra_len);
1144 } else if (key_info & WPA_KEY_INFO_ACK) {
1145 /* SMK M2 */
1146 wpa_supplicant_process_smk_m2(sm, src_addr, key, extra_len,
1147 ver);
1148 } else {
1149 /* SMK M4 or M5 */
1150 wpa_supplicant_process_smk_m45(sm, src_addr, key, extra_len,
1151 ver);
1152 }
1153 }
1154
1155 #endif /* CONFIG_PEERKEY */
1156