1 /*
2 * WPA Supplicant - PeerKey for Direct Link Setup (DLS)
3 * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #ifdef CONFIG_PEERKEY
12
13 #include "common.h"
14 #include "eloop.h"
15 #include "crypto/sha1.h"
16 #include "crypto/sha256.h"
17 #include "crypto/random.h"
18 #include "common/ieee802_11_defs.h"
19 #include "wpa.h"
20 #include "wpa_i.h"
21 #include "wpa_ie.h"
22 #include "peerkey.h"
23
24
wpa_add_ie(u8 * pos,const u8 * ie,size_t ie_len)25 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
26 {
27 os_memcpy(pos, ie, ie_len);
28 return pos + ie_len;
29 }
30
31
wpa_add_kde(u8 * pos,u32 kde,const u8 * data,size_t data_len)32 static u8 * wpa_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
33 {
34 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
35 *pos++ = RSN_SELECTOR_LEN + data_len;
36 RSN_SELECTOR_PUT(pos, kde);
37 pos += RSN_SELECTOR_LEN;
38 os_memcpy(pos, data, data_len);
39 pos += data_len;
40 return pos;
41 }
42
43
wpa_supplicant_smk_timeout(void * eloop_ctx,void * timeout_ctx)44 static void wpa_supplicant_smk_timeout(void *eloop_ctx, void *timeout_ctx)
45 {
46 #if 0
47 struct wpa_sm *sm = eloop_ctx;
48 struct wpa_peerkey *peerkey = timeout_ctx;
49 #endif
50 /* TODO: time out SMK and any STK that was generated using this SMK */
51 }
52
53
wpa_supplicant_peerkey_free(struct wpa_sm * sm,struct wpa_peerkey * peerkey)54 static void wpa_supplicant_peerkey_free(struct wpa_sm *sm,
55 struct wpa_peerkey *peerkey)
56 {
57 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
58 os_free(peerkey);
59 }
60
61
wpa_supplicant_send_smk_error(struct wpa_sm * sm,const u8 * dst,const u8 * peer,u16 mui,u16 error_type,int ver)62 static int wpa_supplicant_send_smk_error(struct wpa_sm *sm, const u8 *dst,
63 const u8 *peer,
64 u16 mui, u16 error_type, int ver)
65 {
66 size_t rlen;
67 struct wpa_eapol_key *err;
68 struct rsn_error_kde error;
69 u8 *rbuf, *pos, *mic;
70 size_t kde_len, mic_len = 16;
71 u16 key_info;
72
73 kde_len = 2 + RSN_SELECTOR_LEN + sizeof(error);
74 if (peer)
75 kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
76
77 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
78 NULL, sizeof(*err) + mic_len + 2 + kde_len,
79 &rlen, (void *) &err);
80 if (rbuf == NULL)
81 return -1;
82 mic = (u8 *) (err + 1);
83
84 err->type = EAPOL_KEY_TYPE_RSN;
85 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
86 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_ERROR |
87 WPA_KEY_INFO_REQUEST;
88 WPA_PUT_BE16(err->key_info, key_info);
89 WPA_PUT_BE16(err->key_length, 0);
90 os_memcpy(err->replay_counter, sm->request_counter,
91 WPA_REPLAY_COUNTER_LEN);
92 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
93
94 WPA_PUT_BE16(mic + mic_len, (u16) kde_len);
95 pos = mic + mic_len + 2;
96
97 if (peer) {
98 /* Peer MAC Address KDE */
99 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
100 }
101
102 /* Error KDE */
103 error.mui = host_to_be16(mui);
104 error.error_type = host_to_be16(error_type);
105 wpa_add_kde(pos, RSN_KEY_DATA_ERROR, (u8 *) &error, sizeof(error));
106
107 if (peer) {
108 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error (peer "
109 MACSTR " mui %d error_type %d)",
110 MAC2STR(peer), mui, error_type);
111 } else {
112 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error "
113 "(mui %d error_type %d)", mui, error_type);
114 }
115
116 wpa_eapol_key_send(sm, &sm->ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen,
117 mic);
118
119 return 0;
120 }
121
122
wpa_supplicant_send_smk_m3(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,int ver,struct wpa_peerkey * peerkey)123 static int wpa_supplicant_send_smk_m3(struct wpa_sm *sm,
124 const unsigned char *src_addr,
125 const struct wpa_eapol_key *key,
126 int ver, struct wpa_peerkey *peerkey)
127 {
128 size_t rlen;
129 struct wpa_eapol_key *reply;
130 u8 *rbuf, *pos, *mic;
131 size_t kde_len, mic_len = 16;
132 u16 key_info;
133
134 /* KDEs: Peer RSN IE, Initiator MAC Address, Initiator Nonce */
135 kde_len = peerkey->rsnie_p_len +
136 2 + RSN_SELECTOR_LEN + ETH_ALEN +
137 2 + RSN_SELECTOR_LEN + WPA_NONCE_LEN;
138
139 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
140 NULL, sizeof(*reply) + mic_len + 2 + kde_len,
141 &rlen, (void *) &reply);
142 if (rbuf == NULL)
143 return -1;
144
145 reply->type = EAPOL_KEY_TYPE_RSN;
146 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
147 WPA_KEY_INFO_SECURE;
148 WPA_PUT_BE16(reply->key_info, key_info);
149 WPA_PUT_BE16(reply->key_length, 0);
150 os_memcpy(reply->replay_counter, key->replay_counter,
151 WPA_REPLAY_COUNTER_LEN);
152
153 os_memcpy(reply->key_nonce, peerkey->pnonce, WPA_NONCE_LEN);
154
155 mic = (u8 *) (reply + 1);
156 WPA_PUT_BE16(mic + mic_len, (u16) kde_len);
157 pos = mic + mic_len + 2;
158
159 /* Peer RSN IE */
160 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
161
162 /* Initiator MAC Address KDE */
163 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peerkey->addr, ETH_ALEN);
164
165 /* Initiator Nonce */
166 wpa_add_kde(pos, RSN_KEY_DATA_NONCE, peerkey->inonce, WPA_NONCE_LEN);
167
168 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK M3");
169 wpa_eapol_key_send(sm, &sm->ptk, ver, src_addr, ETH_P_EAPOL, rbuf, rlen,
170 mic);
171
172 return 0;
173 }
174
175
wpa_supplicant_process_smk_m2(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,int ver)176 static int wpa_supplicant_process_smk_m2(
177 struct wpa_sm *sm, const unsigned char *src_addr,
178 const struct wpa_eapol_key *key, const u8 *key_data,
179 size_t key_data_len, int ver)
180 {
181 struct wpa_peerkey *peerkey;
182 struct wpa_eapol_ie_parse kde;
183 struct wpa_ie_data ie;
184 int cipher;
185 struct rsn_ie_hdr *hdr;
186 u8 *pos;
187
188 wpa_printf(MSG_DEBUG, "RSN: Received SMK M2");
189
190 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
191 wpa_printf(MSG_INFO, "RSN: SMK handshake not allowed for "
192 "the current network");
193 return -1;
194 }
195
196 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0) {
197 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M2");
198 return -1;
199 }
200
201 if (kde.rsn_ie == NULL || kde.mac_addr == NULL ||
202 kde.mac_addr_len < ETH_ALEN) {
203 wpa_printf(MSG_INFO, "RSN: No RSN IE or MAC address KDE in "
204 "SMK M2");
205 return -1;
206 }
207
208 wpa_printf(MSG_DEBUG, "RSN: SMK M2 - SMK initiator " MACSTR,
209 MAC2STR(kde.mac_addr));
210
211 if (kde.rsn_ie_len > PEERKEY_MAX_IE_LEN) {
212 wpa_printf(MSG_INFO, "RSN: Too long Initiator RSN IE in SMK "
213 "M2");
214 return -1;
215 }
216
217 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
218 wpa_printf(MSG_INFO, "RSN: Failed to parse RSN IE in SMK M2");
219 return -1;
220 }
221
222 cipher = wpa_pick_pairwise_cipher(ie.pairwise_cipher &
223 sm->allowed_pairwise_cipher, 0);
224 if (cipher < 0) {
225 wpa_printf(MSG_INFO, "RSN: No acceptable cipher in SMK M2");
226 wpa_supplicant_send_smk_error(sm, src_addr, kde.mac_addr,
227 STK_MUI_SMK, STK_ERR_CPHR_NS,
228 ver);
229 return -1;
230 }
231 wpa_printf(MSG_DEBUG, "RSN: Using %s for PeerKey",
232 wpa_cipher_txt(cipher));
233
234 /* TODO: find existing entry and if found, use that instead of adding
235 * a new one; how to handle the case where both ends initiate at the
236 * same time? */
237 peerkey = os_zalloc(sizeof(*peerkey));
238 if (peerkey == NULL)
239 return -1;
240 os_memcpy(peerkey->addr, kde.mac_addr, ETH_ALEN);
241 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
242 os_memcpy(peerkey->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
243 peerkey->rsnie_i_len = kde.rsn_ie_len;
244 peerkey->cipher = cipher;
245 peerkey->akmp = ie.key_mgmt;
246
247 if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) {
248 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
249 "WPA: Failed to get random data for PNonce");
250 wpa_supplicant_peerkey_free(sm, peerkey);
251 return -1;
252 }
253
254 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_p;
255 hdr->elem_id = WLAN_EID_RSN;
256 WPA_PUT_LE16(hdr->version, RSN_VERSION);
257 pos = (u8 *) (hdr + 1);
258 /* Group Suite can be anything for SMK RSN IE; receiver will just
259 * ignore it. */
260 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
261 pos += RSN_SELECTOR_LEN;
262 /* Include only the selected cipher in pairwise cipher suite */
263 WPA_PUT_LE16(pos, 1);
264 pos += 2;
265 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, cipher));
266 pos += RSN_SELECTOR_LEN;
267
268 hdr->len = (pos - peerkey->rsnie_p) - 2;
269 peerkey->rsnie_p_len = pos - peerkey->rsnie_p;
270 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
271 peerkey->rsnie_p, peerkey->rsnie_p_len);
272
273 wpa_supplicant_send_smk_m3(sm, src_addr, key, ver, peerkey);
274
275 peerkey->next = sm->peerkey;
276 sm->peerkey = peerkey;
277
278 return 0;
279 }
280
281
282 /**
283 * rsn_smkid - Derive SMK identifier
284 * @smk: Station master key (32 bytes)
285 * @pnonce: Peer Nonce
286 * @mac_p: Peer MAC address
287 * @inonce: Initiator Nonce
288 * @mac_i: Initiator MAC address
289 * @akmp: Negotiated AKM
290 *
291 * 8.5.1.4 Station to station (STK) key hierarchy
292 * SMKID = HMAC-SHA1-128(SMK, "SMK Name" || PNonce || MAC_P || INonce || MAC_I)
293 */
rsn_smkid(const u8 * smk,const u8 * pnonce,const u8 * mac_p,const u8 * inonce,const u8 * mac_i,u8 * smkid,int akmp)294 static void rsn_smkid(const u8 *smk, const u8 *pnonce, const u8 *mac_p,
295 const u8 *inonce, const u8 *mac_i, u8 *smkid,
296 int akmp)
297 {
298 char *title = "SMK Name";
299 const u8 *addr[5];
300 const size_t len[5] = { 8, WPA_NONCE_LEN, ETH_ALEN, WPA_NONCE_LEN,
301 ETH_ALEN };
302 unsigned char hash[SHA256_MAC_LEN];
303
304 addr[0] = (u8 *) title;
305 addr[1] = pnonce;
306 addr[2] = mac_p;
307 addr[3] = inonce;
308 addr[4] = mac_i;
309
310 #ifdef CONFIG_IEEE80211W
311 if (wpa_key_mgmt_sha256(akmp))
312 hmac_sha256_vector(smk, PMK_LEN, 5, addr, len, hash);
313 else
314 #endif /* CONFIG_IEEE80211W */
315 hmac_sha1_vector(smk, PMK_LEN, 5, addr, len, hash);
316 os_memcpy(smkid, hash, PMKID_LEN);
317 }
318
319
wpa_supplicant_send_stk_1_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey)320 static void wpa_supplicant_send_stk_1_of_4(struct wpa_sm *sm,
321 struct wpa_peerkey *peerkey)
322 {
323 size_t mlen;
324 struct wpa_eapol_key *msg;
325 u8 *mbuf, *mic;
326 size_t kde_len, mic_len = 16;
327 u16 key_info, ver;
328
329 kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
330
331 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
332 sizeof(*msg) + mic_len + 2 + kde_len, &mlen,
333 (void *) &msg);
334 if (mbuf == NULL)
335 return;
336
337 mic = (u8 *) (msg + 1);
338 msg->type = EAPOL_KEY_TYPE_RSN;
339
340 if (peerkey->cipher != WPA_CIPHER_TKIP)
341 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
342 else
343 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
344
345 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK;
346 WPA_PUT_BE16(msg->key_info, key_info);
347
348 if (peerkey->cipher != WPA_CIPHER_TKIP)
349 WPA_PUT_BE16(msg->key_length, 16);
350 else
351 WPA_PUT_BE16(msg->key_length, 32);
352
353 os_memcpy(msg->replay_counter, peerkey->replay_counter,
354 WPA_REPLAY_COUNTER_LEN);
355 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
356
357 WPA_PUT_BE16(mic + mic_len, kde_len);
358 wpa_add_kde(mic + mic_len + 2, RSN_KEY_DATA_PMKID,
359 peerkey->smkid, PMKID_LEN);
360
361 if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) {
362 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
363 "RSN: Failed to get random data for INonce (STK)");
364 os_free(mbuf);
365 return;
366 }
367 wpa_hexdump(MSG_DEBUG, "RSN: INonce for STK 4-Way Handshake",
368 peerkey->inonce, WPA_NONCE_LEN);
369 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
370
371 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 1/4 to " MACSTR,
372 MAC2STR(peerkey->addr));
373 wpa_eapol_key_send(sm, NULL, ver, peerkey->addr, ETH_P_EAPOL,
374 mbuf, mlen, NULL);
375 }
376
377
wpa_supplicant_send_stk_3_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey)378 static void wpa_supplicant_send_stk_3_of_4(struct wpa_sm *sm,
379 struct wpa_peerkey *peerkey)
380 {
381 size_t mlen;
382 struct wpa_eapol_key *msg;
383 u8 *mbuf, *pos, *mic;
384 size_t kde_len, mic_len = 16;
385 u16 key_info, ver;
386 be32 lifetime;
387
388 kde_len = peerkey->rsnie_i_len +
389 2 + RSN_SELECTOR_LEN + sizeof(lifetime);
390
391 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
392 sizeof(*msg) + mic_len + 2 + kde_len, &mlen,
393 (void *) &msg);
394 if (mbuf == NULL)
395 return;
396
397 mic = (u8 *) (msg + 1);
398 msg->type = EAPOL_KEY_TYPE_RSN;
399
400 if (peerkey->cipher != WPA_CIPHER_TKIP)
401 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
402 else
403 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
404
405 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK |
406 WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE;
407 WPA_PUT_BE16(msg->key_info, key_info);
408
409 if (peerkey->cipher != WPA_CIPHER_TKIP)
410 WPA_PUT_BE16(msg->key_length, 16);
411 else
412 WPA_PUT_BE16(msg->key_length, 32);
413
414 os_memcpy(msg->replay_counter, peerkey->replay_counter,
415 WPA_REPLAY_COUNTER_LEN);
416 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
417
418 WPA_PUT_BE16(mic + mic_len, kde_len);
419 pos = mic + mic_len + 2;
420 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
421 lifetime = host_to_be32(peerkey->lifetime);
422 wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
423 (u8 *) &lifetime, sizeof(lifetime));
424
425 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
426
427 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 3/4 to " MACSTR,
428 MAC2STR(peerkey->addr));
429 wpa_eapol_key_send(sm, &peerkey->stk, ver, peerkey->addr, ETH_P_EAPOL,
430 mbuf, mlen, mic);
431 }
432
433
wpa_supplicant_process_smk_m4(struct wpa_peerkey * peerkey,struct wpa_eapol_ie_parse * kde)434 static int wpa_supplicant_process_smk_m4(struct wpa_peerkey *peerkey,
435 struct wpa_eapol_ie_parse *kde)
436 {
437 wpa_printf(MSG_DEBUG, "RSN: Received SMK M4 (Initiator " MACSTR ")",
438 MAC2STR(kde->mac_addr));
439
440 if (os_memcmp(kde->smk + PMK_LEN, peerkey->pnonce, WPA_NONCE_LEN) != 0)
441 {
442 wpa_printf(MSG_INFO, "RSN: PNonce in SMK KDE does not "
443 "match with the one used in SMK M3");
444 return -1;
445 }
446
447 if (os_memcmp(kde->nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) {
448 wpa_printf(MSG_INFO, "RSN: INonce in SMK M4 did not "
449 "match with the one received in SMK M2");
450 return -1;
451 }
452
453 return 0;
454 }
455
456
wpa_supplicant_process_smk_m5(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,int ver,struct wpa_peerkey * peerkey,struct wpa_eapol_ie_parse * kde)457 static int wpa_supplicant_process_smk_m5(struct wpa_sm *sm,
458 const unsigned char *src_addr,
459 const struct wpa_eapol_key *key,
460 int ver,
461 struct wpa_peerkey *peerkey,
462 struct wpa_eapol_ie_parse *kde)
463 {
464 int cipher;
465 struct wpa_ie_data ie;
466
467 wpa_printf(MSG_DEBUG, "RSN: Received SMK M5 (Peer " MACSTR ")",
468 MAC2STR(kde->mac_addr));
469 if (kde->rsn_ie == NULL || kde->rsn_ie_len > PEERKEY_MAX_IE_LEN ||
470 wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0) {
471 wpa_printf(MSG_INFO, "RSN: No RSN IE in SMK M5");
472 /* TODO: abort negotiation */
473 return -1;
474 }
475
476 if (os_memcmp(key->key_nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) {
477 wpa_printf(MSG_INFO, "RSN: Key Nonce in SMK M5 does "
478 "not match with INonce used in SMK M1");
479 return -1;
480 }
481
482 if (os_memcmp(kde->smk + PMK_LEN, peerkey->inonce, WPA_NONCE_LEN) != 0)
483 {
484 wpa_printf(MSG_INFO, "RSN: INonce in SMK KDE does not "
485 "match with the one used in SMK M1");
486 return -1;
487 }
488
489 os_memcpy(peerkey->rsnie_p, kde->rsn_ie, kde->rsn_ie_len);
490 peerkey->rsnie_p_len = kde->rsn_ie_len;
491 os_memcpy(peerkey->pnonce, kde->nonce, WPA_NONCE_LEN);
492
493 cipher = wpa_pick_pairwise_cipher(ie.pairwise_cipher &
494 sm->allowed_pairwise_cipher, 0);
495 if (cipher < 0) {
496 wpa_printf(MSG_INFO, "RSN: SMK Peer STA " MACSTR " selected "
497 "unacceptable cipher", MAC2STR(kde->mac_addr));
498 wpa_supplicant_send_smk_error(sm, src_addr, kde->mac_addr,
499 STK_MUI_SMK, STK_ERR_CPHR_NS,
500 ver);
501 /* TODO: abort negotiation */
502 return -1;
503 }
504 wpa_printf(MSG_DEBUG, "RSN: Using %s for PeerKey",
505 wpa_cipher_txt(cipher));
506 peerkey->cipher = cipher;
507
508 return 0;
509 }
510
511
wpa_supplicant_process_smk_m45(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,int ver)512 static int wpa_supplicant_process_smk_m45(
513 struct wpa_sm *sm, const unsigned char *src_addr,
514 const struct wpa_eapol_key *key, const u8 *key_data,
515 size_t key_data_len, int ver)
516 {
517 struct wpa_peerkey *peerkey;
518 struct wpa_eapol_ie_parse kde;
519 u32 lifetime;
520
521 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
522 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
523 "the current network");
524 return -1;
525 }
526
527 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0) {
528 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M4/M5");
529 return -1;
530 }
531
532 if (kde.mac_addr == NULL || kde.mac_addr_len < ETH_ALEN ||
533 kde.nonce == NULL || kde.nonce_len < WPA_NONCE_LEN ||
534 kde.smk == NULL || kde.smk_len < PMK_LEN + WPA_NONCE_LEN ||
535 kde.lifetime == NULL || kde.lifetime_len < 4) {
536 wpa_printf(MSG_INFO, "RSN: No MAC Address, Nonce, SMK, or "
537 "Lifetime KDE in SMK M4/M5");
538 return -1;
539 }
540
541 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
542 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) == 0 &&
543 os_memcmp(peerkey->initiator ? peerkey->inonce :
544 peerkey->pnonce,
545 key->key_nonce, WPA_NONCE_LEN) == 0)
546 break;
547 }
548 if (peerkey == NULL) {
549 wpa_printf(MSG_INFO, "RSN: No matching SMK handshake found "
550 "for SMK M4/M5: peer " MACSTR,
551 MAC2STR(kde.mac_addr));
552 return -1;
553 }
554
555 if (peerkey->initiator) {
556 if (wpa_supplicant_process_smk_m5(sm, src_addr, key, ver,
557 peerkey, &kde) < 0)
558 return -1;
559 } else {
560 if (wpa_supplicant_process_smk_m4(peerkey, &kde) < 0)
561 return -1;
562 }
563
564 os_memcpy(peerkey->smk, kde.smk, PMK_LEN);
565 peerkey->smk_complete = 1;
566 wpa_hexdump_key(MSG_DEBUG, "RSN: SMK", peerkey->smk, PMK_LEN);
567 lifetime = WPA_GET_BE32(kde.lifetime);
568 wpa_printf(MSG_DEBUG, "RSN: SMK lifetime %u seconds", lifetime);
569 if (lifetime > 1000000000)
570 lifetime = 1000000000; /* avoid overflowing eloop time */
571 peerkey->lifetime = lifetime;
572 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
573 sm, peerkey);
574
575 if (peerkey->initiator) {
576 rsn_smkid(peerkey->smk, peerkey->pnonce, peerkey->addr,
577 peerkey->inonce, sm->own_addr, peerkey->smkid,
578 peerkey->akmp);
579 wpa_supplicant_send_stk_1_of_4(sm, peerkey);
580 } else {
581 rsn_smkid(peerkey->smk, peerkey->pnonce, sm->own_addr,
582 peerkey->inonce, peerkey->addr, peerkey->smkid,
583 peerkey->akmp);
584 }
585 wpa_hexdump(MSG_DEBUG, "RSN: SMKID", peerkey->smkid, PMKID_LEN);
586
587 return 0;
588 }
589
590
wpa_supplicant_process_smk_error(struct wpa_sm * sm,const unsigned char * src_addr,const u8 * key_data,size_t key_data_len)591 static int wpa_supplicant_process_smk_error(
592 struct wpa_sm *sm, const unsigned char *src_addr,
593 const u8 *key_data, size_t key_data_len)
594 {
595 struct wpa_eapol_ie_parse kde;
596 struct rsn_error_kde error;
597 u8 peer[ETH_ALEN];
598 u16 error_type;
599
600 wpa_printf(MSG_DEBUG, "RSN: Received SMK Error");
601
602 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
603 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
604 "the current network");
605 return -1;
606 }
607
608 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0) {
609 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK Error");
610 return -1;
611 }
612
613 if (kde.error == NULL || kde.error_len < sizeof(error)) {
614 wpa_printf(MSG_INFO, "RSN: No Error KDE in SMK Error");
615 return -1;
616 }
617
618 if (kde.mac_addr && kde.mac_addr_len >= ETH_ALEN)
619 os_memcpy(peer, kde.mac_addr, ETH_ALEN);
620 else
621 os_memset(peer, 0, ETH_ALEN);
622 os_memcpy(&error, kde.error, sizeof(error));
623 error_type = be_to_host16(error.error_type);
624 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
625 "RSN: SMK Error KDE received: MUI %d error_type %d peer "
626 MACSTR,
627 be_to_host16(error.mui), error_type,
628 MAC2STR(peer));
629
630 if (kde.mac_addr &&
631 (error_type == STK_ERR_STA_NR || error_type == STK_ERR_STA_NRSN ||
632 error_type == STK_ERR_CPHR_NS)) {
633 struct wpa_peerkey *peerkey;
634
635 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
636 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) ==
637 0)
638 break;
639 }
640 if (peerkey == NULL) {
641 wpa_printf(MSG_DEBUG, "RSN: No matching SMK handshake "
642 "found for SMK Error");
643 return -1;
644 }
645 /* TODO: abort SMK/STK handshake and remove all related keys */
646 }
647
648 return 0;
649 }
650
651
wpa_supplicant_process_stk_1_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)652 static void wpa_supplicant_process_stk_1_of_4(struct wpa_sm *sm,
653 struct wpa_peerkey *peerkey,
654 const struct wpa_eapol_key *key,
655 u16 ver, const u8 *key_data,
656 size_t key_data_len)
657 {
658 struct wpa_eapol_ie_parse ie;
659 size_t kde_buf_len;
660 struct wpa_ptk *stk;
661 u8 buf[8], *kde_buf, *pos;
662 be32 lifetime;
663
664 wpa_printf(MSG_DEBUG, "RSN: RX message 1 of STK 4-Way Handshake from "
665 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
666
667 os_memset(&ie, 0, sizeof(ie));
668
669 /* RSN: msg 1/4 should contain SMKID for the selected SMK */
670 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", key_data, key_data_len);
671 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0 ||
672 ie.pmkid == NULL) {
673 wpa_printf(MSG_DEBUG, "RSN: No SMKID in STK 1/4");
674 return;
675 }
676 if (os_memcmp_const(ie.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
677 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 1/4",
678 ie.pmkid, PMKID_LEN);
679 return;
680 }
681
682 if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) {
683 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
684 "RSN: Failed to get random data for PNonce");
685 return;
686 }
687 wpa_hexdump(MSG_DEBUG, "WPA: Renewed PNonce",
688 peerkey->pnonce, WPA_NONCE_LEN);
689
690 /* Calculate STK which will be stored as a temporary STK until it has
691 * been verified when processing message 3/4. */
692 stk = &peerkey->tstk;
693 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
694 sm->own_addr, peerkey->addr,
695 peerkey->pnonce, key->key_nonce,
696 stk, peerkey->akmp, peerkey->cipher);
697 /* Supplicant: swap tx/rx Mic keys */
698 os_memcpy(buf, &stk->tk[16], 8);
699 os_memcpy(&stk->tk[16], &stk->tk[24], 8);
700 os_memcpy(&stk->tk[24], buf, 8);
701 peerkey->tstk_set = 1;
702
703 kde_buf_len = peerkey->rsnie_p_len +
704 2 + RSN_SELECTOR_LEN + sizeof(lifetime) +
705 2 + RSN_SELECTOR_LEN + PMKID_LEN;
706 kde_buf = os_malloc(kde_buf_len);
707 if (kde_buf == NULL)
708 return;
709 pos = kde_buf;
710 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
711 lifetime = host_to_be32(peerkey->lifetime);
712 pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
713 (u8 *) &lifetime, sizeof(lifetime));
714 wpa_add_kde(pos, RSN_KEY_DATA_PMKID, peerkey->smkid, PMKID_LEN);
715
716 if (wpa_supplicant_send_2_of_4(sm, peerkey->addr, key, ver,
717 peerkey->pnonce, kde_buf, kde_buf_len,
718 stk) < 0) {
719 wpa_printf(MSG_INFO, "RSN: Failed to send STK message 2/4");
720 os_free(kde_buf);
721 return;
722 }
723 os_free(kde_buf);
724
725 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
726 }
727
728
wpa_supplicant_update_smk_lifetime(struct wpa_sm * sm,struct wpa_peerkey * peerkey,struct wpa_eapol_ie_parse * kde)729 static void wpa_supplicant_update_smk_lifetime(struct wpa_sm *sm,
730 struct wpa_peerkey *peerkey,
731 struct wpa_eapol_ie_parse *kde)
732 {
733 u32 lifetime;
734
735 if (kde->lifetime == NULL || kde->lifetime_len < sizeof(lifetime))
736 return;
737
738 lifetime = WPA_GET_BE32(kde->lifetime);
739
740 if (lifetime >= peerkey->lifetime) {
741 wpa_printf(MSG_DEBUG, "RSN: Peer used SMK lifetime %u seconds "
742 "which is larger than or equal to own value %u "
743 "seconds - ignored", lifetime, peerkey->lifetime);
744 return;
745 }
746
747 wpa_printf(MSG_DEBUG, "RSN: Peer used shorter SMK lifetime %u seconds "
748 "(own was %u seconds) - updated",
749 lifetime, peerkey->lifetime);
750 peerkey->lifetime = lifetime;
751
752 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
753 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
754 sm, peerkey);
755 }
756
757
wpa_supplicant_process_stk_2_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)758 static void wpa_supplicant_process_stk_2_of_4(struct wpa_sm *sm,
759 struct wpa_peerkey *peerkey,
760 const struct wpa_eapol_key *key,
761 u16 ver, const u8 *key_data,
762 size_t key_data_len)
763 {
764 struct wpa_eapol_ie_parse kde;
765
766 wpa_printf(MSG_DEBUG, "RSN: RX message 2 of STK 4-Way Handshake from "
767 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
768
769 os_memset(&kde, 0, sizeof(kde));
770
771 /* RSN: msg 2/4 should contain SMKID for the selected SMK and RSN IE
772 * from the peer. It may also include Lifetime KDE. */
773 wpa_hexdump(MSG_DEBUG, "RSN: msg 2/4 key data", key_data, key_data_len);
774 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0 ||
775 kde.pmkid == NULL || kde.rsn_ie == NULL) {
776 wpa_printf(MSG_DEBUG, "RSN: No SMKID or RSN IE in STK 2/4");
777 return;
778 }
779
780 if (os_memcmp_const(kde.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
781 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 2/4",
782 kde.pmkid, PMKID_LEN);
783 return;
784 }
785
786 if (kde.rsn_ie_len != peerkey->rsnie_p_len ||
787 os_memcmp(kde.rsn_ie, peerkey->rsnie_p, kde.rsn_ie_len) != 0) {
788 wpa_printf(MSG_INFO, "RSN: Peer RSN IE in SMK and STK "
789 "handshakes did not match");
790 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in SMK handshake",
791 peerkey->rsnie_p, peerkey->rsnie_p_len);
792 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in STK handshake",
793 kde.rsn_ie, kde.rsn_ie_len);
794 return;
795 }
796
797 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
798
799 wpa_supplicant_send_stk_3_of_4(sm, peerkey);
800 os_memcpy(peerkey->pnonce, key->key_nonce, WPA_NONCE_LEN);
801 }
802
803
wpa_supplicant_process_stk_3_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey,const struct wpa_eapol_key * key,u16 ver,const u8 * key_data,size_t key_data_len)804 static void wpa_supplicant_process_stk_3_of_4(struct wpa_sm *sm,
805 struct wpa_peerkey *peerkey,
806 const struct wpa_eapol_key *key,
807 u16 ver, const u8 *key_data,
808 size_t key_data_len)
809 {
810 struct wpa_eapol_ie_parse kde;
811 size_t key_len;
812 const u8 *_key;
813 u8 key_buf[32], rsc[6];
814
815 wpa_printf(MSG_DEBUG, "RSN: RX message 3 of STK 4-Way Handshake from "
816 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
817
818 os_memset(&kde, 0, sizeof(kde));
819
820 /* RSN: msg 3/4 should contain Initiator RSN IE. It may also include
821 * Lifetime KDE. */
822 wpa_hexdump(MSG_DEBUG, "RSN: msg 3/4 key data", key_data, key_data_len);
823 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0) {
824 wpa_printf(MSG_DEBUG, "RSN: Failed to parse key data in "
825 "STK 3/4");
826 return;
827 }
828
829 if (kde.rsn_ie_len != peerkey->rsnie_i_len ||
830 os_memcmp(kde.rsn_ie, peerkey->rsnie_i, kde.rsn_ie_len) != 0) {
831 wpa_printf(MSG_INFO, "RSN: Initiator RSN IE in SMK and STK "
832 "handshakes did not match");
833 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in SMK "
834 "handshake",
835 peerkey->rsnie_i, peerkey->rsnie_i_len);
836 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in STK "
837 "handshake",
838 kde.rsn_ie, kde.rsn_ie_len);
839 return;
840 }
841
842 if (os_memcmp(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
843 wpa_printf(MSG_WARNING, "RSN: INonce from message 1 of STK "
844 "4-Way Handshake differs from 3 of STK 4-Way "
845 "Handshake - drop packet (src=" MACSTR ")",
846 MAC2STR(peerkey->addr));
847 wpa_hexdump(MSG_DEBUG, "RSN: INonce from message 1",
848 peerkey->inonce, WPA_NONCE_LEN);
849 wpa_hexdump(MSG_DEBUG, "RSN: INonce from message 3",
850 key->key_nonce, WPA_NONCE_LEN);
851 return;
852 }
853
854 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
855
856 if (wpa_supplicant_send_4_of_4(sm, peerkey->addr, key, ver,
857 WPA_GET_BE16(key->key_info),
858 &peerkey->stk) < 0) {
859 wpa_printf(MSG_INFO, "RSN: Failed to send STK message 4/4");
860 return;
861 }
862
863 _key = peerkey->stk.tk;
864 if (peerkey->cipher == WPA_CIPHER_TKIP) {
865 /* Swap Tx/Rx keys for Michael MIC */
866 os_memcpy(key_buf, _key, 16);
867 os_memcpy(key_buf + 16, _key + 24, 8);
868 os_memcpy(key_buf + 24, _key + 16, 8);
869 _key = key_buf;
870 key_len = 32;
871 } else
872 key_len = 16;
873
874 os_memset(rsc, 0, 6);
875 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
876 rsc, sizeof(rsc), _key, key_len) < 0) {
877 os_memset(key_buf, 0, sizeof(key_buf));
878 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
879 "driver.");
880 return;
881 }
882 os_memset(key_buf, 0, sizeof(key_buf));
883 }
884
885
wpa_supplicant_process_stk_4_of_4(struct wpa_sm * sm,struct wpa_peerkey * peerkey,const struct wpa_eapol_key * key,u16 ver)886 static void wpa_supplicant_process_stk_4_of_4(struct wpa_sm *sm,
887 struct wpa_peerkey *peerkey,
888 const struct wpa_eapol_key *key,
889 u16 ver)
890 {
891 u8 rsc[6];
892
893 wpa_printf(MSG_DEBUG, "RSN: RX message 4 of STK 4-Way Handshake from "
894 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
895
896 os_memset(rsc, 0, 6);
897 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
898 rsc, sizeof(rsc), peerkey->stk.tk,
899 peerkey->cipher == WPA_CIPHER_TKIP ? 32 : 16) < 0) {
900 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
901 "driver.");
902 return;
903 }
904 }
905
906
907 /**
908 * peerkey_verify_eapol_key_mic - Verify PeerKey MIC
909 * @sm: Pointer to WPA state machine data from wpa_sm_init()
910 * @peerkey: Pointer to the PeerKey data for the peer
911 * @key: Pointer to the EAPOL-Key frame header
912 * @ver: Version bits from EAPOL-Key Key Info
913 * @buf: Pointer to the beginning of EAPOL-Key frame
914 * @len: Length of the EAPOL-Key frame
915 * Returns: 0 on success, -1 on failure
916 */
peerkey_verify_eapol_key_mic(struct wpa_sm * sm,struct wpa_peerkey * peerkey,struct wpa_eapol_key * key,u16 ver,const u8 * buf,size_t len)917 int peerkey_verify_eapol_key_mic(struct wpa_sm *sm,
918 struct wpa_peerkey *peerkey,
919 struct wpa_eapol_key *key, u16 ver,
920 const u8 *buf, size_t len)
921 {
922 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos;
923 size_t mic_len = 16;
924 int ok = 0;
925
926 if (peerkey->initiator && !peerkey->stk_set) {
927 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
928 sm->own_addr, peerkey->addr,
929 peerkey->inonce, key->key_nonce,
930 &peerkey->stk, peerkey->akmp, peerkey->cipher);
931 peerkey->stk_set = 1;
932 }
933
934 mic_pos = (u8 *) (key + 1);
935 os_memcpy(mic, mic_pos, mic_len);
936 if (peerkey->tstk_set) {
937 os_memset(mic_pos, 0, mic_len);
938 wpa_eapol_key_mic(peerkey->tstk.kck, peerkey->tstk.kck_len,
939 sm->key_mgmt, ver, buf, len, mic_pos);
940 if (os_memcmp_const(mic, mic_pos, mic_len) != 0) {
941 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
942 "when using TSTK - ignoring TSTK");
943 } else {
944 ok = 1;
945 peerkey->tstk_set = 0;
946 peerkey->stk_set = 1;
947 os_memcpy(&peerkey->stk, &peerkey->tstk,
948 sizeof(peerkey->stk));
949 os_memset(&peerkey->tstk, 0, sizeof(peerkey->tstk));
950 }
951 }
952
953 if (!ok && peerkey->stk_set) {
954 os_memset(mic_pos, 0, mic_len);
955 wpa_eapol_key_mic(peerkey->stk.kck, peerkey->stk.kck_len,
956 sm->key_mgmt, ver, buf, len, mic_pos);
957 if (os_memcmp_const(mic, mic_pos, mic_len) != 0) {
958 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
959 "- dropping packet");
960 return -1;
961 }
962 ok = 1;
963 }
964
965 if (!ok) {
966 wpa_printf(MSG_WARNING, "RSN: Could not verify EAPOL-Key MIC "
967 "- dropping packet");
968 return -1;
969 }
970
971 os_memcpy(peerkey->replay_counter, key->replay_counter,
972 WPA_REPLAY_COUNTER_LEN);
973 peerkey->replay_counter_set = 1;
974 return 0;
975 }
976
977
978 /**
979 * wpa_sm_stkstart - Send EAPOL-Key Request for STK handshake (STK M1)
980 * @sm: Pointer to WPA state machine data from wpa_sm_init()
981 * @peer: MAC address of the peer STA
982 * Returns: 0 on success, or -1 on failure
983 *
984 * Send an EAPOL-Key Request to the current authenticator to start STK
985 * handshake with the peer.
986 */
wpa_sm_stkstart(struct wpa_sm * sm,const u8 * peer)987 int wpa_sm_stkstart(struct wpa_sm *sm, const u8 *peer)
988 {
989 size_t rlen, kde_len, mic_len;
990 struct wpa_eapol_key *req;
991 int key_info, ver;
992 u8 bssid[ETH_ALEN], *rbuf, *pos, *count_pos, *mic;
993 u16 count;
994 struct rsn_ie_hdr *hdr;
995 struct wpa_peerkey *peerkey;
996 struct wpa_ie_data ie;
997
998 if (sm->proto != WPA_PROTO_RSN || !sm->ptk_set || !sm->peerkey_enabled)
999 return -1;
1000
1001 if (sm->ap_rsn_ie &&
1002 wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &ie) == 0 &&
1003 !(ie.capabilities & WPA_CAPABILITY_PEERKEY_ENABLED)) {
1004 wpa_printf(MSG_DEBUG, "RSN: Current AP does not support STK");
1005 return -1;
1006 }
1007
1008 mic_len = wpa_mic_len(sm->key_mgmt);
1009 if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
1010 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1011 else
1012 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1013
1014 if (wpa_sm_get_bssid(sm, bssid) < 0) {
1015 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key "
1016 "SMK M1");
1017 return -1;
1018 }
1019
1020 /* TODO: find existing entry and if found, use that instead of adding
1021 * a new one */
1022 peerkey = os_zalloc(sizeof(*peerkey));
1023 if (peerkey == NULL)
1024 return -1;
1025 peerkey->initiator = 1;
1026 os_memcpy(peerkey->addr, peer, ETH_ALEN);
1027 peerkey->akmp = sm->key_mgmt;
1028
1029 /* SMK M1:
1030 * EAPOL-Key(S=1, M=1, A=0, I=0, K=0, SM=1, KeyRSC=0, Nonce=INonce,
1031 * MIC=MIC, DataKDs=(RSNIE_I, MAC_P KDE))
1032 */
1033
1034 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_i;
1035 hdr->elem_id = WLAN_EID_RSN;
1036 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1037 pos = (u8 *) (hdr + 1);
1038 /* Group Suite can be anything for SMK RSN IE; receiver will just
1039 * ignore it. */
1040 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1041 pos += RSN_SELECTOR_LEN;
1042 count_pos = pos;
1043 pos += 2;
1044
1045 count = rsn_cipher_put_suites(pos, sm->allowed_pairwise_cipher);
1046 pos += count * RSN_SELECTOR_LEN;
1047 WPA_PUT_LE16(count_pos, count);
1048
1049 hdr->len = (pos - peerkey->rsnie_i) - 2;
1050 peerkey->rsnie_i_len = pos - peerkey->rsnie_i;
1051 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
1052 peerkey->rsnie_i, peerkey->rsnie_i_len);
1053
1054 kde_len = peerkey->rsnie_i_len + 2 + RSN_SELECTOR_LEN + ETH_ALEN;
1055
1056 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1057 sizeof(*req) + mic_len + 2 + kde_len, &rlen,
1058 (void *) &req);
1059 if (rbuf == NULL) {
1060 wpa_supplicant_peerkey_free(sm, peerkey);
1061 return -1;
1062 }
1063
1064 req->type = EAPOL_KEY_TYPE_RSN;
1065 key_info = WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
1066 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_REQUEST | ver;
1067 WPA_PUT_BE16(req->key_info, key_info);
1068 WPA_PUT_BE16(req->key_length, 0);
1069 os_memcpy(req->replay_counter, sm->request_counter,
1070 WPA_REPLAY_COUNTER_LEN);
1071 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
1072
1073 if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) {
1074 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1075 "WPA: Failed to get random data for INonce");
1076 os_free(rbuf);
1077 wpa_supplicant_peerkey_free(sm, peerkey);
1078 return -1;
1079 }
1080 os_memcpy(req->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
1081 wpa_hexdump(MSG_DEBUG, "WPA: INonce for SMK handshake",
1082 req->key_nonce, WPA_NONCE_LEN);
1083
1084 mic = pos = (u8 *) (req + 1);
1085 pos += mic_len;
1086 WPA_PUT_BE16(pos, (u16) kde_len);
1087 pos += 2;
1088
1089 /* Initiator RSN IE */
1090 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
1091 /* Peer MAC address KDE */
1092 wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
1093
1094 wpa_printf(MSG_INFO, "RSN: Sending EAPOL-Key SMK M1 Request (peer "
1095 MACSTR ")", MAC2STR(peer));
1096 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen,
1097 mic);
1098
1099 peerkey->next = sm->peerkey;
1100 sm->peerkey = peerkey;
1101
1102 return 0;
1103 }
1104
1105
1106 /**
1107 * peerkey_deinit - Free PeerKey values
1108 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1109 */
peerkey_deinit(struct wpa_sm * sm)1110 void peerkey_deinit(struct wpa_sm *sm)
1111 {
1112 struct wpa_peerkey *prev, *peerkey = sm->peerkey;
1113 while (peerkey) {
1114 prev = peerkey;
1115 peerkey = peerkey->next;
1116 wpa_supplicant_peerkey_free(sm, prev);
1117 }
1118 sm->peerkey = NULL;
1119 }
1120
1121
peerkey_rx_eapol_4way(struct wpa_sm * sm,struct wpa_peerkey * peerkey,struct wpa_eapol_key * key,u16 key_info,u16 ver,const u8 * key_data,size_t key_data_len)1122 void peerkey_rx_eapol_4way(struct wpa_sm *sm, struct wpa_peerkey *peerkey,
1123 struct wpa_eapol_key *key, u16 key_info, u16 ver,
1124 const u8 *key_data, size_t key_data_len)
1125 {
1126 if ((key_info & (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) ==
1127 (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) {
1128 /* 3/4 STK 4-Way Handshake */
1129 wpa_supplicant_process_stk_3_of_4(sm, peerkey, key, ver,
1130 key_data, key_data_len);
1131 } else if (key_info & WPA_KEY_INFO_ACK) {
1132 /* 1/4 STK 4-Way Handshake */
1133 wpa_supplicant_process_stk_1_of_4(sm, peerkey, key, ver,
1134 key_data, key_data_len);
1135 } else if (key_info & WPA_KEY_INFO_SECURE) {
1136 /* 4/4 STK 4-Way Handshake */
1137 wpa_supplicant_process_stk_4_of_4(sm, peerkey, key, ver);
1138 } else {
1139 /* 2/4 STK 4-Way Handshake */
1140 wpa_supplicant_process_stk_2_of_4(sm, peerkey, key, ver,
1141 key_data, key_data_len);
1142 }
1143 }
1144
1145
peerkey_rx_eapol_smk(struct wpa_sm * sm,const u8 * src_addr,struct wpa_eapol_key * key,const u8 * key_data,size_t key_data_len,u16 key_info,u16 ver)1146 void peerkey_rx_eapol_smk(struct wpa_sm *sm, const u8 *src_addr,
1147 struct wpa_eapol_key *key, const u8 *key_data,
1148 size_t key_data_len,
1149 u16 key_info, u16 ver)
1150 {
1151 if (key_info & WPA_KEY_INFO_ERROR) {
1152 /* SMK Error */
1153 wpa_supplicant_process_smk_error(sm, src_addr, key_data,
1154 key_data_len);
1155 } else if (key_info & WPA_KEY_INFO_ACK) {
1156 /* SMK M2 */
1157 wpa_supplicant_process_smk_m2(sm, src_addr, key, key_data,
1158 key_data_len, ver);
1159 } else {
1160 /* SMK M4 or M5 */
1161 wpa_supplicant_process_smk_m45(sm, src_addr, key, key_data,
1162 key_data_len, ver);
1163 }
1164 }
1165
1166 #endif /* CONFIG_PEERKEY */
1167