1 /* 2 * WPA Supplicant - PeerKey for Direct Link Setup (DLS) 3 * Copyright (c) 2006-2008, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #ifdef CONFIG_PEERKEY 12 13 #include "common.h" 14 #include "eloop.h" 15 #include "crypto/sha1.h" 16 #include "crypto/sha256.h" 17 #include "crypto/random.h" 18 #include "common/ieee802_11_defs.h" 19 #include "wpa.h" 20 #include "wpa_i.h" 21 #include "wpa_ie.h" 22 #include "peerkey.h" 23 24 25 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 26 { 27 os_memcpy(pos, ie, ie_len); 28 return pos + ie_len; 29 } 30 31 32 static u8 * wpa_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len) 33 { 34 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 35 *pos++ = RSN_SELECTOR_LEN + data_len; 36 RSN_SELECTOR_PUT(pos, kde); 37 pos += RSN_SELECTOR_LEN; 38 os_memcpy(pos, data, data_len); 39 pos += data_len; 40 return pos; 41 } 42 43 44 static void wpa_supplicant_smk_timeout(void *eloop_ctx, void *timeout_ctx) 45 { 46 #if 0 47 struct wpa_sm *sm = eloop_ctx; 48 struct wpa_peerkey *peerkey = timeout_ctx; 49 #endif 50 /* TODO: time out SMK and any STK that was generated using this SMK */ 51 } 52 53 54 static void wpa_supplicant_peerkey_free(struct wpa_sm *sm, 55 struct wpa_peerkey *peerkey) 56 { 57 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey); 58 os_free(peerkey); 59 } 60 61 62 static int wpa_supplicant_send_smk_error(struct wpa_sm *sm, const u8 *dst, 63 const u8 *peer, 64 u16 mui, u16 error_type, int ver) 65 { 66 size_t rlen; 67 struct wpa_eapol_key *err; 68 struct rsn_error_kde error; 69 u8 *rbuf, *pos; 70 size_t kde_len; 71 u16 key_info; 72 73 kde_len = 2 + RSN_SELECTOR_LEN + sizeof(error); 74 if (peer) 75 kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN; 76 77 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, 78 NULL, sizeof(*err) + kde_len, &rlen, 79 (void *) &err); 80 if (rbuf == NULL) 81 return -1; 82 83 err->type = EAPOL_KEY_TYPE_RSN; 84 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC | 85 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_ERROR | 86 WPA_KEY_INFO_REQUEST; 87 WPA_PUT_BE16(err->key_info, key_info); 88 WPA_PUT_BE16(err->key_length, 0); 89 os_memcpy(err->replay_counter, sm->request_counter, 90 WPA_REPLAY_COUNTER_LEN); 91 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN); 92 93 WPA_PUT_BE16(err->key_data_length, (u16) kde_len); 94 pos = (u8 *) (err + 1); 95 96 if (peer) { 97 /* Peer MAC Address KDE */ 98 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN); 99 } 100 101 /* Error KDE */ 102 error.mui = host_to_be16(mui); 103 error.error_type = host_to_be16(error_type); 104 wpa_add_kde(pos, RSN_KEY_DATA_ERROR, (u8 *) &error, sizeof(error)); 105 106 if (peer) { 107 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error (peer " 108 MACSTR " mui %d error_type %d)", 109 MAC2STR(peer), mui, error_type); 110 } else { 111 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error " 112 "(mui %d error_type %d)", mui, error_type); 113 } 114 115 wpa_eapol_key_send(sm, sm->ptk.kck, ver, dst, ETH_P_EAPOL, 116 rbuf, rlen, err->key_mic); 117 118 return 0; 119 } 120 121 122 static int wpa_supplicant_send_smk_m3(struct wpa_sm *sm, 123 const unsigned char *src_addr, 124 const struct wpa_eapol_key *key, 125 int ver, struct wpa_peerkey *peerkey) 126 { 127 size_t rlen; 128 struct wpa_eapol_key *reply; 129 u8 *rbuf, *pos; 130 size_t kde_len; 131 u16 key_info; 132 133 /* KDEs: Peer RSN IE, Initiator MAC Address, Initiator Nonce */ 134 kde_len = peerkey->rsnie_p_len + 135 2 + RSN_SELECTOR_LEN + ETH_ALEN + 136 2 + RSN_SELECTOR_LEN + WPA_NONCE_LEN; 137 138 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, 139 NULL, sizeof(*reply) + kde_len, &rlen, 140 (void *) &reply); 141 if (rbuf == NULL) 142 return -1; 143 144 reply->type = EAPOL_KEY_TYPE_RSN; 145 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC | 146 WPA_KEY_INFO_SECURE; 147 WPA_PUT_BE16(reply->key_info, key_info); 148 WPA_PUT_BE16(reply->key_length, 0); 149 os_memcpy(reply->replay_counter, key->replay_counter, 150 WPA_REPLAY_COUNTER_LEN); 151 152 os_memcpy(reply->key_nonce, peerkey->pnonce, WPA_NONCE_LEN); 153 154 WPA_PUT_BE16(reply->key_data_length, (u16) kde_len); 155 pos = (u8 *) (reply + 1); 156 157 /* Peer RSN IE */ 158 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len); 159 160 /* Initiator MAC Address KDE */ 161 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peerkey->addr, ETH_ALEN); 162 163 /* Initiator Nonce */ 164 wpa_add_kde(pos, RSN_KEY_DATA_NONCE, peerkey->inonce, WPA_NONCE_LEN); 165 166 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK M3"); 167 wpa_eapol_key_send(sm, sm->ptk.kck, ver, src_addr, ETH_P_EAPOL, 168 rbuf, rlen, reply->key_mic); 169 170 return 0; 171 } 172 173 174 static int wpa_supplicant_process_smk_m2( 175 struct wpa_sm *sm, const unsigned char *src_addr, 176 const struct wpa_eapol_key *key, size_t extra_len, int ver) 177 { 178 struct wpa_peerkey *peerkey; 179 struct wpa_eapol_ie_parse kde; 180 struct wpa_ie_data ie; 181 int cipher; 182 struct rsn_ie_hdr *hdr; 183 u8 *pos; 184 185 wpa_printf(MSG_DEBUG, "RSN: Received SMK M2"); 186 187 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) { 188 wpa_printf(MSG_INFO, "RSN: SMK handshake not allowed for " 189 "the current network"); 190 return -1; 191 } 192 193 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) < 194 0) { 195 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M2"); 196 return -1; 197 } 198 199 if (kde.rsn_ie == NULL || kde.mac_addr == NULL || 200 kde.mac_addr_len < ETH_ALEN) { 201 wpa_printf(MSG_INFO, "RSN: No RSN IE or MAC address KDE in " 202 "SMK M2"); 203 return -1; 204 } 205 206 wpa_printf(MSG_DEBUG, "RSN: SMK M2 - SMK initiator " MACSTR, 207 MAC2STR(kde.mac_addr)); 208 209 if (kde.rsn_ie_len > PEERKEY_MAX_IE_LEN) { 210 wpa_printf(MSG_INFO, "RSN: Too long Initiator RSN IE in SMK " 211 "M2"); 212 return -1; 213 } 214 215 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 216 wpa_printf(MSG_INFO, "RSN: Failed to parse RSN IE in SMK M2"); 217 return -1; 218 } 219 220 cipher = ie.pairwise_cipher & sm->allowed_pairwise_cipher; 221 if (cipher & WPA_CIPHER_CCMP) { 222 wpa_printf(MSG_DEBUG, "RSN: Using CCMP for PeerKey"); 223 cipher = WPA_CIPHER_CCMP; 224 } else if (cipher & WPA_CIPHER_TKIP) { 225 wpa_printf(MSG_DEBUG, "RSN: Using TKIP for PeerKey"); 226 cipher = WPA_CIPHER_TKIP; 227 } else { 228 wpa_printf(MSG_INFO, "RSN: No acceptable cipher in SMK M2"); 229 wpa_supplicant_send_smk_error(sm, src_addr, kde.mac_addr, 230 STK_MUI_SMK, STK_ERR_CPHR_NS, 231 ver); 232 return -1; 233 } 234 235 /* TODO: find existing entry and if found, use that instead of adding 236 * a new one; how to handle the case where both ends initiate at the 237 * same time? */ 238 peerkey = os_zalloc(sizeof(*peerkey)); 239 if (peerkey == NULL) 240 return -1; 241 os_memcpy(peerkey->addr, kde.mac_addr, ETH_ALEN); 242 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN); 243 os_memcpy(peerkey->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 244 peerkey->rsnie_i_len = kde.rsn_ie_len; 245 peerkey->cipher = cipher; 246 #ifdef CONFIG_IEEE80211W 247 if (ie.key_mgmt & (WPA_KEY_MGMT_IEEE8021X_SHA256 | 248 WPA_KEY_MGMT_PSK_SHA256)) 249 peerkey->use_sha256 = 1; 250 #endif /* CONFIG_IEEE80211W */ 251 252 if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) { 253 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 254 "WPA: Failed to get random data for PNonce"); 255 wpa_supplicant_peerkey_free(sm, peerkey); 256 return -1; 257 } 258 259 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_p; 260 hdr->elem_id = WLAN_EID_RSN; 261 WPA_PUT_LE16(hdr->version, RSN_VERSION); 262 pos = (u8 *) (hdr + 1); 263 /* Group Suite can be anything for SMK RSN IE; receiver will just 264 * ignore it. */ 265 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 266 pos += RSN_SELECTOR_LEN; 267 /* Include only the selected cipher in pairwise cipher suite */ 268 WPA_PUT_LE16(pos, 1); 269 pos += 2; 270 if (cipher == WPA_CIPHER_CCMP) 271 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 272 else if (cipher == WPA_CIPHER_TKIP) 273 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP); 274 pos += RSN_SELECTOR_LEN; 275 276 hdr->len = (pos - peerkey->rsnie_p) - 2; 277 peerkey->rsnie_p_len = pos - peerkey->rsnie_p; 278 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake", 279 peerkey->rsnie_p, peerkey->rsnie_p_len); 280 281 wpa_supplicant_send_smk_m3(sm, src_addr, key, ver, peerkey); 282 283 peerkey->next = sm->peerkey; 284 sm->peerkey = peerkey; 285 286 return 0; 287 } 288 289 290 /** 291 * rsn_smkid - Derive SMK identifier 292 * @smk: Station master key (32 bytes) 293 * @pnonce: Peer Nonce 294 * @mac_p: Peer MAC address 295 * @inonce: Initiator Nonce 296 * @mac_i: Initiator MAC address 297 * @use_sha256: Whether to use SHA256-based KDF 298 * 299 * 8.5.1.4 Station to station (STK) key hierarchy 300 * SMKID = HMAC-SHA1-128(SMK, "SMK Name" || PNonce || MAC_P || INonce || MAC_I) 301 */ 302 static void rsn_smkid(const u8 *smk, const u8 *pnonce, const u8 *mac_p, 303 const u8 *inonce, const u8 *mac_i, u8 *smkid, 304 int use_sha256) 305 { 306 char *title = "SMK Name"; 307 const u8 *addr[5]; 308 const size_t len[5] = { 8, WPA_NONCE_LEN, ETH_ALEN, WPA_NONCE_LEN, 309 ETH_ALEN }; 310 unsigned char hash[SHA256_MAC_LEN]; 311 312 addr[0] = (u8 *) title; 313 addr[1] = pnonce; 314 addr[2] = mac_p; 315 addr[3] = inonce; 316 addr[4] = mac_i; 317 318 #ifdef CONFIG_IEEE80211W 319 if (use_sha256) 320 hmac_sha256_vector(smk, PMK_LEN, 5, addr, len, hash); 321 else 322 #endif /* CONFIG_IEEE80211W */ 323 hmac_sha1_vector(smk, PMK_LEN, 5, addr, len, hash); 324 os_memcpy(smkid, hash, PMKID_LEN); 325 } 326 327 328 static void wpa_supplicant_send_stk_1_of_4(struct wpa_sm *sm, 329 struct wpa_peerkey *peerkey) 330 { 331 size_t mlen; 332 struct wpa_eapol_key *msg; 333 u8 *mbuf; 334 size_t kde_len; 335 u16 key_info, ver; 336 337 kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 338 339 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 340 sizeof(*msg) + kde_len, &mlen, 341 (void *) &msg); 342 if (mbuf == NULL) 343 return; 344 345 msg->type = EAPOL_KEY_TYPE_RSN; 346 347 if (peerkey->cipher == WPA_CIPHER_CCMP) 348 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 349 else 350 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 351 352 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK; 353 WPA_PUT_BE16(msg->key_info, key_info); 354 355 if (peerkey->cipher == WPA_CIPHER_CCMP) 356 WPA_PUT_BE16(msg->key_length, 16); 357 else 358 WPA_PUT_BE16(msg->key_length, 32); 359 360 os_memcpy(msg->replay_counter, peerkey->replay_counter, 361 WPA_REPLAY_COUNTER_LEN); 362 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN); 363 364 WPA_PUT_BE16(msg->key_data_length, kde_len); 365 wpa_add_kde((u8 *) (msg + 1), RSN_KEY_DATA_PMKID, 366 peerkey->smkid, PMKID_LEN); 367 368 if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) { 369 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 370 "RSN: Failed to get random data for INonce (STK)"); 371 os_free(mbuf); 372 return; 373 } 374 wpa_hexdump(MSG_DEBUG, "RSN: INonce for STK 4-Way Handshake", 375 peerkey->inonce, WPA_NONCE_LEN); 376 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN); 377 378 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 1/4 to " MACSTR, 379 MAC2STR(peerkey->addr)); 380 wpa_eapol_key_send(sm, NULL, ver, peerkey->addr, ETH_P_EAPOL, 381 mbuf, mlen, NULL); 382 } 383 384 385 static void wpa_supplicant_send_stk_3_of_4(struct wpa_sm *sm, 386 struct wpa_peerkey *peerkey) 387 { 388 size_t mlen; 389 struct wpa_eapol_key *msg; 390 u8 *mbuf, *pos; 391 size_t kde_len; 392 u16 key_info, ver; 393 be32 lifetime; 394 395 kde_len = peerkey->rsnie_i_len + 396 2 + RSN_SELECTOR_LEN + sizeof(lifetime); 397 398 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 399 sizeof(*msg) + kde_len, &mlen, 400 (void *) &msg); 401 if (mbuf == NULL) 402 return; 403 404 msg->type = EAPOL_KEY_TYPE_RSN; 405 406 if (peerkey->cipher == WPA_CIPHER_CCMP) 407 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 408 else 409 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 410 411 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK | 412 WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE; 413 WPA_PUT_BE16(msg->key_info, key_info); 414 415 if (peerkey->cipher == WPA_CIPHER_CCMP) 416 WPA_PUT_BE16(msg->key_length, 16); 417 else 418 WPA_PUT_BE16(msg->key_length, 32); 419 420 os_memcpy(msg->replay_counter, peerkey->replay_counter, 421 WPA_REPLAY_COUNTER_LEN); 422 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN); 423 424 WPA_PUT_BE16(msg->key_data_length, kde_len); 425 pos = (u8 *) (msg + 1); 426 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len); 427 lifetime = host_to_be32(peerkey->lifetime); 428 wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME, 429 (u8 *) &lifetime, sizeof(lifetime)); 430 431 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN); 432 433 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 3/4 to " MACSTR, 434 MAC2STR(peerkey->addr)); 435 wpa_eapol_key_send(sm, peerkey->stk.kck, ver, peerkey->addr, 436 ETH_P_EAPOL, mbuf, mlen, msg->key_mic); 437 } 438 439 440 static int wpa_supplicant_process_smk_m4(struct wpa_peerkey *peerkey, 441 struct wpa_eapol_ie_parse *kde) 442 { 443 wpa_printf(MSG_DEBUG, "RSN: Received SMK M4 (Initiator " MACSTR ")", 444 MAC2STR(kde->mac_addr)); 445 446 if (os_memcmp(kde->smk + PMK_LEN, peerkey->pnonce, WPA_NONCE_LEN) != 0) 447 { 448 wpa_printf(MSG_INFO, "RSN: PNonce in SMK KDE does not " 449 "match with the one used in SMK M3"); 450 return -1; 451 } 452 453 if (os_memcmp(kde->nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) { 454 wpa_printf(MSG_INFO, "RSN: INonce in SMK M4 did not " 455 "match with the one received in SMK M2"); 456 return -1; 457 } 458 459 return 0; 460 } 461 462 463 static int wpa_supplicant_process_smk_m5(struct wpa_sm *sm, 464 const unsigned char *src_addr, 465 const struct wpa_eapol_key *key, 466 int ver, 467 struct wpa_peerkey *peerkey, 468 struct wpa_eapol_ie_parse *kde) 469 { 470 int cipher; 471 struct wpa_ie_data ie; 472 473 wpa_printf(MSG_DEBUG, "RSN: Received SMK M5 (Peer " MACSTR ")", 474 MAC2STR(kde->mac_addr)); 475 if (kde->rsn_ie == NULL || kde->rsn_ie_len > PEERKEY_MAX_IE_LEN || 476 wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0) { 477 wpa_printf(MSG_INFO, "RSN: No RSN IE in SMK M5"); 478 /* TODO: abort negotiation */ 479 return -1; 480 } 481 482 if (os_memcmp(key->key_nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) { 483 wpa_printf(MSG_INFO, "RSN: Key Nonce in SMK M5 does " 484 "not match with INonce used in SMK M1"); 485 return -1; 486 } 487 488 if (os_memcmp(kde->smk + PMK_LEN, peerkey->inonce, WPA_NONCE_LEN) != 0) 489 { 490 wpa_printf(MSG_INFO, "RSN: INonce in SMK KDE does not " 491 "match with the one used in SMK M1"); 492 return -1; 493 } 494 495 os_memcpy(peerkey->rsnie_p, kde->rsn_ie, kde->rsn_ie_len); 496 peerkey->rsnie_p_len = kde->rsn_ie_len; 497 os_memcpy(peerkey->pnonce, kde->nonce, WPA_NONCE_LEN); 498 499 cipher = ie.pairwise_cipher & sm->allowed_pairwise_cipher; 500 if (cipher & WPA_CIPHER_CCMP) { 501 wpa_printf(MSG_DEBUG, "RSN: Using CCMP for PeerKey"); 502 peerkey->cipher = WPA_CIPHER_CCMP; 503 } else if (cipher & WPA_CIPHER_TKIP) { 504 wpa_printf(MSG_DEBUG, "RSN: Using TKIP for PeerKey"); 505 peerkey->cipher = WPA_CIPHER_TKIP; 506 } else { 507 wpa_printf(MSG_INFO, "RSN: SMK Peer STA " MACSTR " selected " 508 "unacceptable cipher", MAC2STR(kde->mac_addr)); 509 wpa_supplicant_send_smk_error(sm, src_addr, kde->mac_addr, 510 STK_MUI_SMK, STK_ERR_CPHR_NS, 511 ver); 512 /* TODO: abort negotiation */ 513 return -1; 514 } 515 516 return 0; 517 } 518 519 520 static int wpa_supplicant_process_smk_m45( 521 struct wpa_sm *sm, const unsigned char *src_addr, 522 const struct wpa_eapol_key *key, size_t extra_len, int ver) 523 { 524 struct wpa_peerkey *peerkey; 525 struct wpa_eapol_ie_parse kde; 526 u32 lifetime; 527 struct os_time now; 528 529 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) { 530 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for " 531 "the current network"); 532 return -1; 533 } 534 535 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) < 536 0) { 537 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M4/M5"); 538 return -1; 539 } 540 541 if (kde.mac_addr == NULL || kde.mac_addr_len < ETH_ALEN || 542 kde.nonce == NULL || kde.nonce_len < WPA_NONCE_LEN || 543 kde.smk == NULL || kde.smk_len < PMK_LEN + WPA_NONCE_LEN || 544 kde.lifetime == NULL || kde.lifetime_len < 4) { 545 wpa_printf(MSG_INFO, "RSN: No MAC Address, Nonce, SMK, or " 546 "Lifetime KDE in SMK M4/M5"); 547 return -1; 548 } 549 550 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) { 551 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) == 0 && 552 os_memcmp(peerkey->initiator ? peerkey->inonce : 553 peerkey->pnonce, 554 key->key_nonce, WPA_NONCE_LEN) == 0) 555 break; 556 } 557 if (peerkey == NULL) { 558 wpa_printf(MSG_INFO, "RSN: No matching SMK handshake found " 559 "for SMK M4/M5: peer " MACSTR, 560 MAC2STR(kde.mac_addr)); 561 return -1; 562 } 563 564 if (peerkey->initiator) { 565 if (wpa_supplicant_process_smk_m5(sm, src_addr, key, ver, 566 peerkey, &kde) < 0) 567 return -1; 568 } else { 569 if (wpa_supplicant_process_smk_m4(peerkey, &kde) < 0) 570 return -1; 571 } 572 573 os_memcpy(peerkey->smk, kde.smk, PMK_LEN); 574 peerkey->smk_complete = 1; 575 wpa_hexdump_key(MSG_DEBUG, "RSN: SMK", peerkey->smk, PMK_LEN); 576 lifetime = WPA_GET_BE32(kde.lifetime); 577 wpa_printf(MSG_DEBUG, "RSN: SMK lifetime %u seconds", lifetime); 578 if (lifetime > 1000000000) 579 lifetime = 1000000000; /* avoid overflowing expiration time */ 580 peerkey->lifetime = lifetime; 581 os_get_time(&now); 582 peerkey->expiration = now.sec + lifetime; 583 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout, 584 sm, peerkey); 585 586 if (peerkey->initiator) { 587 rsn_smkid(peerkey->smk, peerkey->pnonce, peerkey->addr, 588 peerkey->inonce, sm->own_addr, peerkey->smkid, 589 peerkey->use_sha256); 590 wpa_supplicant_send_stk_1_of_4(sm, peerkey); 591 } else { 592 rsn_smkid(peerkey->smk, peerkey->pnonce, sm->own_addr, 593 peerkey->inonce, peerkey->addr, peerkey->smkid, 594 peerkey->use_sha256); 595 } 596 wpa_hexdump(MSG_DEBUG, "RSN: SMKID", peerkey->smkid, PMKID_LEN); 597 598 return 0; 599 } 600 601 602 static int wpa_supplicant_process_smk_error( 603 struct wpa_sm *sm, const unsigned char *src_addr, 604 const struct wpa_eapol_key *key, size_t extra_len) 605 { 606 struct wpa_eapol_ie_parse kde; 607 struct rsn_error_kde error; 608 u8 peer[ETH_ALEN]; 609 u16 error_type; 610 611 wpa_printf(MSG_DEBUG, "RSN: Received SMK Error"); 612 613 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) { 614 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for " 615 "the current network"); 616 return -1; 617 } 618 619 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) < 620 0) { 621 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK Error"); 622 return -1; 623 } 624 625 if (kde.error == NULL || kde.error_len < sizeof(error)) { 626 wpa_printf(MSG_INFO, "RSN: No Error KDE in SMK Error"); 627 return -1; 628 } 629 630 if (kde.mac_addr && kde.mac_addr_len >= ETH_ALEN) 631 os_memcpy(peer, kde.mac_addr, ETH_ALEN); 632 else 633 os_memset(peer, 0, ETH_ALEN); 634 os_memcpy(&error, kde.error, sizeof(error)); 635 error_type = be_to_host16(error.error_type); 636 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 637 "RSN: SMK Error KDE received: MUI %d error_type %d peer " 638 MACSTR, 639 be_to_host16(error.mui), error_type, 640 MAC2STR(peer)); 641 642 if (kde.mac_addr && 643 (error_type == STK_ERR_STA_NR || error_type == STK_ERR_STA_NRSN || 644 error_type == STK_ERR_CPHR_NS)) { 645 struct wpa_peerkey *peerkey; 646 647 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) { 648 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) == 649 0) 650 break; 651 } 652 if (peerkey == NULL) { 653 wpa_printf(MSG_DEBUG, "RSN: No matching SMK handshake " 654 "found for SMK Error"); 655 return -1; 656 } 657 /* TODO: abort SMK/STK handshake and remove all related keys */ 658 } 659 660 return 0; 661 } 662 663 664 static void wpa_supplicant_process_stk_1_of_4(struct wpa_sm *sm, 665 struct wpa_peerkey *peerkey, 666 const struct wpa_eapol_key *key, 667 u16 ver) 668 { 669 struct wpa_eapol_ie_parse ie; 670 const u8 *kde; 671 size_t len, kde_buf_len; 672 struct wpa_ptk *stk; 673 u8 buf[8], *kde_buf, *pos; 674 be32 lifetime; 675 676 wpa_printf(MSG_DEBUG, "RSN: RX message 1 of STK 4-Way Handshake from " 677 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver); 678 679 os_memset(&ie, 0, sizeof(ie)); 680 681 /* RSN: msg 1/4 should contain SMKID for the selected SMK */ 682 kde = (const u8 *) (key + 1); 683 len = WPA_GET_BE16(key->key_data_length); 684 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", kde, len); 685 if (wpa_supplicant_parse_ies(kde, len, &ie) < 0 || ie.pmkid == NULL) { 686 wpa_printf(MSG_DEBUG, "RSN: No SMKID in STK 1/4"); 687 return; 688 } 689 if (os_memcmp(ie.pmkid, peerkey->smkid, PMKID_LEN) != 0) { 690 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 1/4", 691 ie.pmkid, PMKID_LEN); 692 return; 693 } 694 695 if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) { 696 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 697 "RSN: Failed to get random data for PNonce"); 698 return; 699 } 700 wpa_hexdump(MSG_DEBUG, "WPA: Renewed PNonce", 701 peerkey->pnonce, WPA_NONCE_LEN); 702 703 /* Calculate STK which will be stored as a temporary STK until it has 704 * been verified when processing message 3/4. */ 705 stk = &peerkey->tstk; 706 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion", 707 sm->own_addr, peerkey->addr, 708 peerkey->pnonce, key->key_nonce, 709 (u8 *) stk, sizeof(*stk), 710 peerkey->use_sha256); 711 /* Supplicant: swap tx/rx Mic keys */ 712 os_memcpy(buf, stk->u.auth.tx_mic_key, 8); 713 os_memcpy(stk->u.auth.tx_mic_key, stk->u.auth.rx_mic_key, 8); 714 os_memcpy(stk->u.auth.rx_mic_key, buf, 8); 715 peerkey->tstk_set = 1; 716 717 kde_buf_len = peerkey->rsnie_p_len + 718 2 + RSN_SELECTOR_LEN + sizeof(lifetime) + 719 2 + RSN_SELECTOR_LEN + PMKID_LEN; 720 kde_buf = os_malloc(kde_buf_len); 721 if (kde_buf == NULL) 722 return; 723 pos = kde_buf; 724 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len); 725 lifetime = host_to_be32(peerkey->lifetime); 726 pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME, 727 (u8 *) &lifetime, sizeof(lifetime)); 728 wpa_add_kde(pos, RSN_KEY_DATA_PMKID, peerkey->smkid, PMKID_LEN); 729 730 if (wpa_supplicant_send_2_of_4(sm, peerkey->addr, key, ver, 731 peerkey->pnonce, kde_buf, kde_buf_len, 732 stk)) { 733 os_free(kde_buf); 734 return; 735 } 736 os_free(kde_buf); 737 738 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN); 739 } 740 741 742 static void wpa_supplicant_update_smk_lifetime(struct wpa_sm *sm, 743 struct wpa_peerkey *peerkey, 744 struct wpa_eapol_ie_parse *kde) 745 { 746 u32 lifetime; 747 struct os_time now; 748 749 if (kde->lifetime == NULL || kde->lifetime_len < sizeof(lifetime)) 750 return; 751 752 lifetime = WPA_GET_BE32(kde->lifetime); 753 754 if (lifetime >= peerkey->lifetime) { 755 wpa_printf(MSG_DEBUG, "RSN: Peer used SMK lifetime %u seconds " 756 "which is larger than or equal to own value %u " 757 "seconds - ignored", lifetime, peerkey->lifetime); 758 return; 759 } 760 761 wpa_printf(MSG_DEBUG, "RSN: Peer used shorter SMK lifetime %u seconds " 762 "(own was %u seconds) - updated", 763 lifetime, peerkey->lifetime); 764 peerkey->lifetime = lifetime; 765 766 os_get_time(&now); 767 peerkey->expiration = now.sec + lifetime; 768 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey); 769 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout, 770 sm, peerkey); 771 } 772 773 774 static void wpa_supplicant_process_stk_2_of_4(struct wpa_sm *sm, 775 struct wpa_peerkey *peerkey, 776 const struct wpa_eapol_key *key, 777 u16 ver) 778 { 779 struct wpa_eapol_ie_parse kde; 780 const u8 *keydata; 781 size_t len; 782 783 wpa_printf(MSG_DEBUG, "RSN: RX message 2 of STK 4-Way Handshake from " 784 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver); 785 786 os_memset(&kde, 0, sizeof(kde)); 787 788 /* RSN: msg 2/4 should contain SMKID for the selected SMK and RSN IE 789 * from the peer. It may also include Lifetime KDE. */ 790 keydata = (const u8 *) (key + 1); 791 len = WPA_GET_BE16(key->key_data_length); 792 wpa_hexdump(MSG_DEBUG, "RSN: msg 2/4 key data", keydata, len); 793 if (wpa_supplicant_parse_ies(keydata, len, &kde) < 0 || 794 kde.pmkid == NULL || kde.rsn_ie == NULL) { 795 wpa_printf(MSG_DEBUG, "RSN: No SMKID or RSN IE in STK 2/4"); 796 return; 797 } 798 799 if (os_memcmp(kde.pmkid, peerkey->smkid, PMKID_LEN) != 0) { 800 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 2/4", 801 kde.pmkid, PMKID_LEN); 802 return; 803 } 804 805 if (kde.rsn_ie_len != peerkey->rsnie_p_len || 806 os_memcmp(kde.rsn_ie, peerkey->rsnie_p, kde.rsn_ie_len) != 0) { 807 wpa_printf(MSG_INFO, "RSN: Peer RSN IE in SMK and STK " 808 "handshakes did not match"); 809 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in SMK handshake", 810 peerkey->rsnie_p, peerkey->rsnie_p_len); 811 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in STK handshake", 812 kde.rsn_ie, kde.rsn_ie_len); 813 return; 814 } 815 816 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde); 817 818 wpa_supplicant_send_stk_3_of_4(sm, peerkey); 819 os_memcpy(peerkey->pnonce, key->key_nonce, WPA_NONCE_LEN); 820 } 821 822 823 static void wpa_supplicant_process_stk_3_of_4(struct wpa_sm *sm, 824 struct wpa_peerkey *peerkey, 825 const struct wpa_eapol_key *key, 826 u16 ver) 827 { 828 struct wpa_eapol_ie_parse kde; 829 const u8 *keydata; 830 size_t len, key_len; 831 const u8 *_key; 832 u8 key_buf[32], rsc[6]; 833 834 wpa_printf(MSG_DEBUG, "RSN: RX message 3 of STK 4-Way Handshake from " 835 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver); 836 837 os_memset(&kde, 0, sizeof(kde)); 838 839 /* RSN: msg 3/4 should contain Initiator RSN IE. It may also include 840 * Lifetime KDE. */ 841 keydata = (const u8 *) (key + 1); 842 len = WPA_GET_BE16(key->key_data_length); 843 wpa_hexdump(MSG_DEBUG, "RSN: msg 3/4 key data", keydata, len); 844 if (wpa_supplicant_parse_ies(keydata, len, &kde) < 0) { 845 wpa_printf(MSG_DEBUG, "RSN: Failed to parse key data in " 846 "STK 3/4"); 847 return; 848 } 849 850 if (kde.rsn_ie_len != peerkey->rsnie_i_len || 851 os_memcmp(kde.rsn_ie, peerkey->rsnie_i, kde.rsn_ie_len) != 0) { 852 wpa_printf(MSG_INFO, "RSN: Initiator RSN IE in SMK and STK " 853 "handshakes did not match"); 854 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in SMK " 855 "handshake", 856 peerkey->rsnie_i, peerkey->rsnie_i_len); 857 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in STK " 858 "handshake", 859 kde.rsn_ie, kde.rsn_ie_len); 860 return; 861 } 862 863 if (os_memcmp(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 864 wpa_printf(MSG_WARNING, "RSN: INonce from message 1 of STK " 865 "4-Way Handshake differs from 3 of STK 4-Way " 866 "Handshake - drop packet (src=" MACSTR ")", 867 MAC2STR(peerkey->addr)); 868 return; 869 } 870 871 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde); 872 873 if (wpa_supplicant_send_4_of_4(sm, peerkey->addr, key, ver, 874 WPA_GET_BE16(key->key_info), 875 NULL, 0, &peerkey->stk)) 876 return; 877 878 _key = (u8 *) peerkey->stk.tk1; 879 if (peerkey->cipher == WPA_CIPHER_TKIP) { 880 /* Swap Tx/Rx keys for Michael MIC */ 881 os_memcpy(key_buf, _key, 16); 882 os_memcpy(key_buf + 16, peerkey->stk.u.auth.rx_mic_key, 8); 883 os_memcpy(key_buf + 24, peerkey->stk.u.auth.tx_mic_key, 8); 884 _key = key_buf; 885 key_len = 32; 886 } else 887 key_len = 16; 888 889 os_memset(rsc, 0, 6); 890 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1, 891 rsc, sizeof(rsc), _key, key_len) < 0) { 892 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the " 893 "driver."); 894 return; 895 } 896 } 897 898 899 static void wpa_supplicant_process_stk_4_of_4(struct wpa_sm *sm, 900 struct wpa_peerkey *peerkey, 901 const struct wpa_eapol_key *key, 902 u16 ver) 903 { 904 u8 rsc[6]; 905 906 wpa_printf(MSG_DEBUG, "RSN: RX message 4 of STK 4-Way Handshake from " 907 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver); 908 909 os_memset(rsc, 0, 6); 910 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1, 911 rsc, sizeof(rsc), (u8 *) peerkey->stk.tk1, 912 peerkey->cipher == WPA_CIPHER_TKIP ? 32 : 16) < 0) { 913 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the " 914 "driver."); 915 return; 916 } 917 } 918 919 920 /** 921 * peerkey_verify_eapol_key_mic - Verify PeerKey MIC 922 * @sm: Pointer to WPA state machine data from wpa_sm_init() 923 * @peerkey: Pointer to the PeerKey data for the peer 924 * @key: Pointer to the EAPOL-Key frame header 925 * @ver: Version bits from EAPOL-Key Key Info 926 * @buf: Pointer to the beginning of EAPOL-Key frame 927 * @len: Length of the EAPOL-Key frame 928 * Returns: 0 on success, -1 on failure 929 */ 930 int peerkey_verify_eapol_key_mic(struct wpa_sm *sm, 931 struct wpa_peerkey *peerkey, 932 struct wpa_eapol_key *key, u16 ver, 933 const u8 *buf, size_t len) 934 { 935 u8 mic[16]; 936 int ok = 0; 937 938 if (peerkey->initiator && !peerkey->stk_set) { 939 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion", 940 sm->own_addr, peerkey->addr, 941 peerkey->inonce, key->key_nonce, 942 (u8 *) &peerkey->stk, sizeof(peerkey->stk), 943 peerkey->use_sha256); 944 peerkey->stk_set = 1; 945 } 946 947 os_memcpy(mic, key->key_mic, 16); 948 if (peerkey->tstk_set) { 949 os_memset(key->key_mic, 0, 16); 950 wpa_eapol_key_mic(peerkey->tstk.kck, ver, buf, len, 951 key->key_mic); 952 if (os_memcmp(mic, key->key_mic, 16) != 0) { 953 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC " 954 "when using TSTK - ignoring TSTK"); 955 } else { 956 ok = 1; 957 peerkey->tstk_set = 0; 958 peerkey->stk_set = 1; 959 os_memcpy(&peerkey->stk, &peerkey->tstk, 960 sizeof(peerkey->stk)); 961 } 962 } 963 964 if (!ok && peerkey->stk_set) { 965 os_memset(key->key_mic, 0, 16); 966 wpa_eapol_key_mic(peerkey->stk.kck, ver, buf, len, 967 key->key_mic); 968 if (os_memcmp(mic, key->key_mic, 16) != 0) { 969 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC " 970 "- dropping packet"); 971 return -1; 972 } 973 ok = 1; 974 } 975 976 if (!ok) { 977 wpa_printf(MSG_WARNING, "RSN: Could not verify EAPOL-Key MIC " 978 "- dropping packet"); 979 return -1; 980 } 981 982 os_memcpy(peerkey->replay_counter, key->replay_counter, 983 WPA_REPLAY_COUNTER_LEN); 984 peerkey->replay_counter_set = 1; 985 return 0; 986 } 987 988 989 /** 990 * wpa_sm_stkstart - Send EAPOL-Key Request for STK handshake (STK M1) 991 * @sm: Pointer to WPA state machine data from wpa_sm_init() 992 * @peer: MAC address of the peer STA 993 * Returns: 0 on success, or -1 on failure 994 * 995 * Send an EAPOL-Key Request to the current authenticator to start STK 996 * handshake with the peer. 997 */ 998 int wpa_sm_stkstart(struct wpa_sm *sm, const u8 *peer) 999 { 1000 size_t rlen, kde_len; 1001 struct wpa_eapol_key *req; 1002 int key_info, ver; 1003 u8 bssid[ETH_ALEN], *rbuf, *pos, *count_pos; 1004 u16 count; 1005 struct rsn_ie_hdr *hdr; 1006 struct wpa_peerkey *peerkey; 1007 struct wpa_ie_data ie; 1008 1009 if (sm->proto != WPA_PROTO_RSN || !sm->ptk_set || !sm->peerkey_enabled) 1010 return -1; 1011 1012 if (sm->ap_rsn_ie && 1013 wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &ie) == 0 && 1014 !(ie.capabilities & WPA_CAPABILITY_PEERKEY_ENABLED)) { 1015 wpa_printf(MSG_DEBUG, "RSN: Current AP does not support STK"); 1016 return -1; 1017 } 1018 1019 if (sm->pairwise_cipher == WPA_CIPHER_CCMP) 1020 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1021 else 1022 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1023 1024 if (wpa_sm_get_bssid(sm, bssid) < 0) { 1025 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key " 1026 "SMK M1"); 1027 return -1; 1028 } 1029 1030 /* TODO: find existing entry and if found, use that instead of adding 1031 * a new one */ 1032 peerkey = os_zalloc(sizeof(*peerkey)); 1033 if (peerkey == NULL) 1034 return -1; 1035 peerkey->initiator = 1; 1036 os_memcpy(peerkey->addr, peer, ETH_ALEN); 1037 #ifdef CONFIG_IEEE80211W 1038 if (wpa_key_mgmt_sha256(sm->key_mgmt)) 1039 peerkey->use_sha256 = 1; 1040 #endif /* CONFIG_IEEE80211W */ 1041 1042 /* SMK M1: 1043 * EAPOL-Key(S=1, M=1, A=0, I=0, K=0, SM=1, KeyRSC=0, Nonce=INonce, 1044 * MIC=MIC, DataKDs=(RSNIE_I, MAC_P KDE)) 1045 */ 1046 1047 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_i; 1048 hdr->elem_id = WLAN_EID_RSN; 1049 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1050 pos = (u8 *) (hdr + 1); 1051 /* Group Suite can be anything for SMK RSN IE; receiver will just 1052 * ignore it. */ 1053 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1054 pos += RSN_SELECTOR_LEN; 1055 count_pos = pos; 1056 pos += 2; 1057 1058 count = 0; 1059 if (sm->allowed_pairwise_cipher & WPA_CIPHER_CCMP) { 1060 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1061 pos += RSN_SELECTOR_LEN; 1062 count++; 1063 } 1064 if (sm->allowed_pairwise_cipher & WPA_CIPHER_TKIP) { 1065 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP); 1066 pos += RSN_SELECTOR_LEN; 1067 count++; 1068 } 1069 WPA_PUT_LE16(count_pos, count); 1070 1071 hdr->len = (pos - peerkey->rsnie_i) - 2; 1072 peerkey->rsnie_i_len = pos - peerkey->rsnie_i; 1073 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake", 1074 peerkey->rsnie_i, peerkey->rsnie_i_len); 1075 1076 kde_len = peerkey->rsnie_i_len + 2 + RSN_SELECTOR_LEN + ETH_ALEN; 1077 1078 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 1079 sizeof(*req) + kde_len, &rlen, 1080 (void *) &req); 1081 if (rbuf == NULL) { 1082 wpa_supplicant_peerkey_free(sm, peerkey); 1083 return -1; 1084 } 1085 1086 req->type = EAPOL_KEY_TYPE_RSN; 1087 key_info = WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC | 1088 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_REQUEST | ver; 1089 WPA_PUT_BE16(req->key_info, key_info); 1090 WPA_PUT_BE16(req->key_length, 0); 1091 os_memcpy(req->replay_counter, sm->request_counter, 1092 WPA_REPLAY_COUNTER_LEN); 1093 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN); 1094 1095 if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) { 1096 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1097 "WPA: Failed to get random data for INonce"); 1098 os_free(rbuf); 1099 wpa_supplicant_peerkey_free(sm, peerkey); 1100 return -1; 1101 } 1102 os_memcpy(req->key_nonce, peerkey->inonce, WPA_NONCE_LEN); 1103 wpa_hexdump(MSG_DEBUG, "WPA: INonce for SMK handshake", 1104 req->key_nonce, WPA_NONCE_LEN); 1105 1106 WPA_PUT_BE16(req->key_data_length, (u16) kde_len); 1107 pos = (u8 *) (req + 1); 1108 1109 /* Initiator RSN IE */ 1110 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len); 1111 /* Peer MAC address KDE */ 1112 wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN); 1113 1114 wpa_printf(MSG_INFO, "RSN: Sending EAPOL-Key SMK M1 Request (peer " 1115 MACSTR ")", MAC2STR(peer)); 1116 wpa_eapol_key_send(sm, sm->ptk.kck, ver, bssid, ETH_P_EAPOL, 1117 rbuf, rlen, req->key_mic); 1118 1119 peerkey->next = sm->peerkey; 1120 sm->peerkey = peerkey; 1121 1122 return 0; 1123 } 1124 1125 1126 /** 1127 * peerkey_deinit - Free PeerKey values 1128 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1129 */ 1130 void peerkey_deinit(struct wpa_sm *sm) 1131 { 1132 struct wpa_peerkey *prev, *peerkey = sm->peerkey; 1133 while (peerkey) { 1134 prev = peerkey; 1135 peerkey = peerkey->next; 1136 os_free(prev); 1137 } 1138 sm->peerkey = NULL; 1139 } 1140 1141 1142 void peerkey_rx_eapol_4way(struct wpa_sm *sm, struct wpa_peerkey *peerkey, 1143 struct wpa_eapol_key *key, u16 key_info, u16 ver) 1144 { 1145 if ((key_info & (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) == 1146 (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) { 1147 /* 3/4 STK 4-Way Handshake */ 1148 wpa_supplicant_process_stk_3_of_4(sm, peerkey, key, ver); 1149 } else if (key_info & WPA_KEY_INFO_ACK) { 1150 /* 1/4 STK 4-Way Handshake */ 1151 wpa_supplicant_process_stk_1_of_4(sm, peerkey, key, ver); 1152 } else if (key_info & WPA_KEY_INFO_SECURE) { 1153 /* 4/4 STK 4-Way Handshake */ 1154 wpa_supplicant_process_stk_4_of_4(sm, peerkey, key, ver); 1155 } else { 1156 /* 2/4 STK 4-Way Handshake */ 1157 wpa_supplicant_process_stk_2_of_4(sm, peerkey, key, ver); 1158 } 1159 } 1160 1161 1162 void peerkey_rx_eapol_smk(struct wpa_sm *sm, const u8 *src_addr, 1163 struct wpa_eapol_key *key, size_t extra_len, 1164 u16 key_info, u16 ver) 1165 { 1166 if (key_info & WPA_KEY_INFO_ERROR) { 1167 /* SMK Error */ 1168 wpa_supplicant_process_smk_error(sm, src_addr, key, extra_len); 1169 } else if (key_info & WPA_KEY_INFO_ACK) { 1170 /* SMK M2 */ 1171 wpa_supplicant_process_smk_m2(sm, src_addr, key, extra_len, 1172 ver); 1173 } else { 1174 /* SMK M4 or M5 */ 1175 wpa_supplicant_process_smk_m45(sm, src_addr, key, extra_len, 1176 ver); 1177 } 1178 } 1179 1180 #endif /* CONFIG_PEERKEY */ 1181
