1 /* 2 * WPA Supplicant - PeerKey for Direct Link Setup (DLS) 3 * Copyright (c) 2006-2015, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #ifdef CONFIG_PEERKEY 12 13 #include "common.h" 14 #include "eloop.h" 15 #include "crypto/sha1.h" 16 #include "crypto/sha256.h" 17 #include "crypto/random.h" 18 #include "common/ieee802_11_defs.h" 19 #include "wpa.h" 20 #include "wpa_i.h" 21 #include "wpa_ie.h" 22 #include "peerkey.h" 23 24 25 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len) 26 { 27 os_memcpy(pos, ie, ie_len); 28 return pos + ie_len; 29 } 30 31 32 static u8 * wpa_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len) 33 { 34 *pos++ = WLAN_EID_VENDOR_SPECIFIC; 35 *pos++ = RSN_SELECTOR_LEN + data_len; 36 RSN_SELECTOR_PUT(pos, kde); 37 pos += RSN_SELECTOR_LEN; 38 os_memcpy(pos, data, data_len); 39 pos += data_len; 40 return pos; 41 } 42 43 44 static void wpa_supplicant_smk_timeout(void *eloop_ctx, void *timeout_ctx) 45 { 46 #if 0 47 struct wpa_sm *sm = eloop_ctx; 48 struct wpa_peerkey *peerkey = timeout_ctx; 49 #endif 50 /* TODO: time out SMK and any STK that was generated using this SMK */ 51 } 52 53 54 static void wpa_supplicant_peerkey_free(struct wpa_sm *sm, 55 struct wpa_peerkey *peerkey) 56 { 57 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey); 58 os_free(peerkey); 59 } 60 61 62 static int wpa_supplicant_send_smk_error(struct wpa_sm *sm, const u8 *dst, 63 const u8 *peer, 64 u16 mui, u16 error_type, int ver) 65 { 66 size_t rlen; 67 struct wpa_eapol_key *err; 68 struct rsn_error_kde error; 69 u8 *rbuf, *pos, *mic; 70 size_t kde_len, mic_len = 16; 71 u16 key_info; 72 73 kde_len = 2 + RSN_SELECTOR_LEN + sizeof(error); 74 if (peer) 75 kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN; 76 77 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, 78 NULL, sizeof(*err) + mic_len + 2 + kde_len, 79 &rlen, (void *) &err); 80 if (rbuf == NULL) 81 return -1; 82 mic = (u8 *) (err + 1); 83 84 err->type = EAPOL_KEY_TYPE_RSN; 85 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC | 86 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_ERROR | 87 WPA_KEY_INFO_REQUEST; 88 WPA_PUT_BE16(err->key_info, key_info); 89 WPA_PUT_BE16(err->key_length, 0); 90 os_memcpy(err->replay_counter, sm->request_counter, 91 WPA_REPLAY_COUNTER_LEN); 92 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN); 93 94 WPA_PUT_BE16(mic + mic_len, (u16) kde_len); 95 pos = mic + mic_len + 2; 96 97 if (peer) { 98 /* Peer MAC Address KDE */ 99 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN); 100 } 101 102 /* Error KDE */ 103 error.mui = host_to_be16(mui); 104 error.error_type = host_to_be16(error_type); 105 wpa_add_kde(pos, RSN_KEY_DATA_ERROR, (u8 *) &error, sizeof(error)); 106 107 if (peer) { 108 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error (peer " 109 MACSTR " mui %d error_type %d)", 110 MAC2STR(peer), mui, error_type); 111 } else { 112 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error " 113 "(mui %d error_type %d)", mui, error_type); 114 } 115 116 wpa_eapol_key_send(sm, &sm->ptk, ver, dst, ETH_P_EAPOL, rbuf, rlen, 117 mic); 118 119 return 0; 120 } 121 122 123 static int wpa_supplicant_send_smk_m3(struct wpa_sm *sm, 124 const unsigned char *src_addr, 125 const struct wpa_eapol_key *key, 126 int ver, struct wpa_peerkey *peerkey) 127 { 128 size_t rlen; 129 struct wpa_eapol_key *reply; 130 u8 *rbuf, *pos, *mic; 131 size_t kde_len, mic_len = 16; 132 u16 key_info; 133 134 /* KDEs: Peer RSN IE, Initiator MAC Address, Initiator Nonce */ 135 kde_len = peerkey->rsnie_p_len + 136 2 + RSN_SELECTOR_LEN + ETH_ALEN + 137 2 + RSN_SELECTOR_LEN + WPA_NONCE_LEN; 138 139 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, 140 NULL, sizeof(*reply) + mic_len + 2 + kde_len, 141 &rlen, (void *) &reply); 142 if (rbuf == NULL) 143 return -1; 144 145 reply->type = EAPOL_KEY_TYPE_RSN; 146 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC | 147 WPA_KEY_INFO_SECURE; 148 WPA_PUT_BE16(reply->key_info, key_info); 149 WPA_PUT_BE16(reply->key_length, 0); 150 os_memcpy(reply->replay_counter, key->replay_counter, 151 WPA_REPLAY_COUNTER_LEN); 152 153 os_memcpy(reply->key_nonce, peerkey->pnonce, WPA_NONCE_LEN); 154 155 mic = (u8 *) (reply + 1); 156 WPA_PUT_BE16(mic + mic_len, (u16) kde_len); 157 pos = mic + mic_len + 2; 158 159 /* Peer RSN IE */ 160 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len); 161 162 /* Initiator MAC Address KDE */ 163 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peerkey->addr, ETH_ALEN); 164 165 /* Initiator Nonce */ 166 wpa_add_kde(pos, RSN_KEY_DATA_NONCE, peerkey->inonce, WPA_NONCE_LEN); 167 168 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK M3"); 169 wpa_eapol_key_send(sm, &sm->ptk, ver, src_addr, ETH_P_EAPOL, rbuf, rlen, 170 mic); 171 172 return 0; 173 } 174 175 176 static int wpa_supplicant_process_smk_m2( 177 struct wpa_sm *sm, const unsigned char *src_addr, 178 const struct wpa_eapol_key *key, const u8 *key_data, 179 size_t key_data_len, int ver) 180 { 181 struct wpa_peerkey *peerkey; 182 struct wpa_eapol_ie_parse kde; 183 struct wpa_ie_data ie; 184 int cipher; 185 struct rsn_ie_hdr *hdr; 186 u8 *pos; 187 188 wpa_printf(MSG_DEBUG, "RSN: Received SMK M2"); 189 190 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) { 191 wpa_printf(MSG_INFO, "RSN: SMK handshake not allowed for " 192 "the current network"); 193 return -1; 194 } 195 196 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0) { 197 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M2"); 198 return -1; 199 } 200 201 if (kde.rsn_ie == NULL || kde.mac_addr == NULL || 202 kde.mac_addr_len < ETH_ALEN) { 203 wpa_printf(MSG_INFO, "RSN: No RSN IE or MAC address KDE in " 204 "SMK M2"); 205 return -1; 206 } 207 208 wpa_printf(MSG_DEBUG, "RSN: SMK M2 - SMK initiator " MACSTR, 209 MAC2STR(kde.mac_addr)); 210 211 if (kde.rsn_ie_len > PEERKEY_MAX_IE_LEN) { 212 wpa_printf(MSG_INFO, "RSN: Too long Initiator RSN IE in SMK " 213 "M2"); 214 return -1; 215 } 216 217 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) { 218 wpa_printf(MSG_INFO, "RSN: Failed to parse RSN IE in SMK M2"); 219 return -1; 220 } 221 222 cipher = wpa_pick_pairwise_cipher(ie.pairwise_cipher & 223 sm->allowed_pairwise_cipher, 0); 224 if (cipher < 0) { 225 wpa_printf(MSG_INFO, "RSN: No acceptable cipher in SMK M2"); 226 wpa_supplicant_send_smk_error(sm, src_addr, kde.mac_addr, 227 STK_MUI_SMK, STK_ERR_CPHR_NS, 228 ver); 229 return -1; 230 } 231 wpa_printf(MSG_DEBUG, "RSN: Using %s for PeerKey", 232 wpa_cipher_txt(cipher)); 233 234 /* TODO: find existing entry and if found, use that instead of adding 235 * a new one; how to handle the case where both ends initiate at the 236 * same time? */ 237 peerkey = os_zalloc(sizeof(*peerkey)); 238 if (peerkey == NULL) 239 return -1; 240 os_memcpy(peerkey->addr, kde.mac_addr, ETH_ALEN); 241 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN); 242 os_memcpy(peerkey->rsnie_i, kde.rsn_ie, kde.rsn_ie_len); 243 peerkey->rsnie_i_len = kde.rsn_ie_len; 244 peerkey->cipher = cipher; 245 peerkey->akmp = ie.key_mgmt; 246 247 if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) { 248 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 249 "WPA: Failed to get random data for PNonce"); 250 wpa_supplicant_peerkey_free(sm, peerkey); 251 return -1; 252 } 253 254 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_p; 255 hdr->elem_id = WLAN_EID_RSN; 256 WPA_PUT_LE16(hdr->version, RSN_VERSION); 257 pos = (u8 *) (hdr + 1); 258 /* Group Suite can be anything for SMK RSN IE; receiver will just 259 * ignore it. */ 260 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 261 pos += RSN_SELECTOR_LEN; 262 /* Include only the selected cipher in pairwise cipher suite */ 263 WPA_PUT_LE16(pos, 1); 264 pos += 2; 265 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, cipher)); 266 pos += RSN_SELECTOR_LEN; 267 268 hdr->len = (pos - peerkey->rsnie_p) - 2; 269 peerkey->rsnie_p_len = pos - peerkey->rsnie_p; 270 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake", 271 peerkey->rsnie_p, peerkey->rsnie_p_len); 272 273 wpa_supplicant_send_smk_m3(sm, src_addr, key, ver, peerkey); 274 275 peerkey->next = sm->peerkey; 276 sm->peerkey = peerkey; 277 278 return 0; 279 } 280 281 282 /** 283 * rsn_smkid - Derive SMK identifier 284 * @smk: Station master key (32 bytes) 285 * @pnonce: Peer Nonce 286 * @mac_p: Peer MAC address 287 * @inonce: Initiator Nonce 288 * @mac_i: Initiator MAC address 289 * @akmp: Negotiated AKM 290 * 291 * 8.5.1.4 Station to station (STK) key hierarchy 292 * SMKID = HMAC-SHA1-128(SMK, "SMK Name" || PNonce || MAC_P || INonce || MAC_I) 293 */ 294 static void rsn_smkid(const u8 *smk, const u8 *pnonce, const u8 *mac_p, 295 const u8 *inonce, const u8 *mac_i, u8 *smkid, 296 int akmp) 297 { 298 char *title = "SMK Name"; 299 const u8 *addr[5]; 300 const size_t len[5] = { 8, WPA_NONCE_LEN, ETH_ALEN, WPA_NONCE_LEN, 301 ETH_ALEN }; 302 unsigned char hash[SHA256_MAC_LEN]; 303 304 addr[0] = (u8 *) title; 305 addr[1] = pnonce; 306 addr[2] = mac_p; 307 addr[3] = inonce; 308 addr[4] = mac_i; 309 310 #ifdef CONFIG_IEEE80211W 311 if (wpa_key_mgmt_sha256(akmp)) 312 hmac_sha256_vector(smk, PMK_LEN, 5, addr, len, hash); 313 else 314 #endif /* CONFIG_IEEE80211W */ 315 hmac_sha1_vector(smk, PMK_LEN, 5, addr, len, hash); 316 os_memcpy(smkid, hash, PMKID_LEN); 317 } 318 319 320 static void wpa_supplicant_send_stk_1_of_4(struct wpa_sm *sm, 321 struct wpa_peerkey *peerkey) 322 { 323 size_t mlen; 324 struct wpa_eapol_key *msg; 325 u8 *mbuf, *mic; 326 size_t kde_len, mic_len = 16; 327 u16 key_info, ver; 328 329 kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN; 330 331 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 332 sizeof(*msg) + mic_len + 2 + kde_len, &mlen, 333 (void *) &msg); 334 if (mbuf == NULL) 335 return; 336 337 mic = (u8 *) (msg + 1); 338 msg->type = EAPOL_KEY_TYPE_RSN; 339 340 if (peerkey->cipher != WPA_CIPHER_TKIP) 341 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 342 else 343 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 344 345 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK; 346 WPA_PUT_BE16(msg->key_info, key_info); 347 348 if (peerkey->cipher != WPA_CIPHER_TKIP) 349 WPA_PUT_BE16(msg->key_length, 16); 350 else 351 WPA_PUT_BE16(msg->key_length, 32); 352 353 os_memcpy(msg->replay_counter, peerkey->replay_counter, 354 WPA_REPLAY_COUNTER_LEN); 355 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN); 356 357 WPA_PUT_BE16(mic + mic_len, kde_len); 358 wpa_add_kde(mic + mic_len + 2, RSN_KEY_DATA_PMKID, 359 peerkey->smkid, PMKID_LEN); 360 361 if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) { 362 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 363 "RSN: Failed to get random data for INonce (STK)"); 364 os_free(mbuf); 365 return; 366 } 367 wpa_hexdump(MSG_DEBUG, "RSN: INonce for STK 4-Way Handshake", 368 peerkey->inonce, WPA_NONCE_LEN); 369 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN); 370 371 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 1/4 to " MACSTR, 372 MAC2STR(peerkey->addr)); 373 wpa_eapol_key_send(sm, NULL, ver, peerkey->addr, ETH_P_EAPOL, 374 mbuf, mlen, NULL); 375 } 376 377 378 static void wpa_supplicant_send_stk_3_of_4(struct wpa_sm *sm, 379 struct wpa_peerkey *peerkey) 380 { 381 size_t mlen; 382 struct wpa_eapol_key *msg; 383 u8 *mbuf, *pos, *mic; 384 size_t kde_len, mic_len = 16; 385 u16 key_info, ver; 386 be32 lifetime; 387 388 kde_len = peerkey->rsnie_i_len + 389 2 + RSN_SELECTOR_LEN + sizeof(lifetime); 390 391 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 392 sizeof(*msg) + mic_len + 2 + kde_len, &mlen, 393 (void *) &msg); 394 if (mbuf == NULL) 395 return; 396 397 mic = (u8 *) (msg + 1); 398 msg->type = EAPOL_KEY_TYPE_RSN; 399 400 if (peerkey->cipher != WPA_CIPHER_TKIP) 401 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 402 else 403 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 404 405 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK | 406 WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE; 407 WPA_PUT_BE16(msg->key_info, key_info); 408 409 if (peerkey->cipher != WPA_CIPHER_TKIP) 410 WPA_PUT_BE16(msg->key_length, 16); 411 else 412 WPA_PUT_BE16(msg->key_length, 32); 413 414 os_memcpy(msg->replay_counter, peerkey->replay_counter, 415 WPA_REPLAY_COUNTER_LEN); 416 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN); 417 418 WPA_PUT_BE16(mic + mic_len, kde_len); 419 pos = mic + mic_len + 2; 420 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len); 421 lifetime = host_to_be32(peerkey->lifetime); 422 wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME, 423 (u8 *) &lifetime, sizeof(lifetime)); 424 425 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN); 426 427 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 3/4 to " MACSTR, 428 MAC2STR(peerkey->addr)); 429 wpa_eapol_key_send(sm, &peerkey->stk, ver, peerkey->addr, ETH_P_EAPOL, 430 mbuf, mlen, mic); 431 } 432 433 434 static int wpa_supplicant_process_smk_m4(struct wpa_peerkey *peerkey, 435 struct wpa_eapol_ie_parse *kde) 436 { 437 wpa_printf(MSG_DEBUG, "RSN: Received SMK M4 (Initiator " MACSTR ")", 438 MAC2STR(kde->mac_addr)); 439 440 if (os_memcmp(kde->smk + PMK_LEN, peerkey->pnonce, WPA_NONCE_LEN) != 0) 441 { 442 wpa_printf(MSG_INFO, "RSN: PNonce in SMK KDE does not " 443 "match with the one used in SMK M3"); 444 return -1; 445 } 446 447 if (os_memcmp(kde->nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) { 448 wpa_printf(MSG_INFO, "RSN: INonce in SMK M4 did not " 449 "match with the one received in SMK M2"); 450 return -1; 451 } 452 453 return 0; 454 } 455 456 457 static int wpa_supplicant_process_smk_m5(struct wpa_sm *sm, 458 const unsigned char *src_addr, 459 const struct wpa_eapol_key *key, 460 int ver, 461 struct wpa_peerkey *peerkey, 462 struct wpa_eapol_ie_parse *kde) 463 { 464 int cipher; 465 struct wpa_ie_data ie; 466 467 wpa_printf(MSG_DEBUG, "RSN: Received SMK M5 (Peer " MACSTR ")", 468 MAC2STR(kde->mac_addr)); 469 if (kde->rsn_ie == NULL || kde->rsn_ie_len > PEERKEY_MAX_IE_LEN || 470 wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0) { 471 wpa_printf(MSG_INFO, "RSN: No RSN IE in SMK M5"); 472 /* TODO: abort negotiation */ 473 return -1; 474 } 475 476 if (os_memcmp(key->key_nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) { 477 wpa_printf(MSG_INFO, "RSN: Key Nonce in SMK M5 does " 478 "not match with INonce used in SMK M1"); 479 return -1; 480 } 481 482 if (os_memcmp(kde->smk + PMK_LEN, peerkey->inonce, WPA_NONCE_LEN) != 0) 483 { 484 wpa_printf(MSG_INFO, "RSN: INonce in SMK KDE does not " 485 "match with the one used in SMK M1"); 486 return -1; 487 } 488 489 os_memcpy(peerkey->rsnie_p, kde->rsn_ie, kde->rsn_ie_len); 490 peerkey->rsnie_p_len = kde->rsn_ie_len; 491 os_memcpy(peerkey->pnonce, kde->nonce, WPA_NONCE_LEN); 492 493 cipher = wpa_pick_pairwise_cipher(ie.pairwise_cipher & 494 sm->allowed_pairwise_cipher, 0); 495 if (cipher < 0) { 496 wpa_printf(MSG_INFO, "RSN: SMK Peer STA " MACSTR " selected " 497 "unacceptable cipher", MAC2STR(kde->mac_addr)); 498 wpa_supplicant_send_smk_error(sm, src_addr, kde->mac_addr, 499 STK_MUI_SMK, STK_ERR_CPHR_NS, 500 ver); 501 /* TODO: abort negotiation */ 502 return -1; 503 } 504 wpa_printf(MSG_DEBUG, "RSN: Using %s for PeerKey", 505 wpa_cipher_txt(cipher)); 506 peerkey->cipher = cipher; 507 508 return 0; 509 } 510 511 512 static int wpa_supplicant_process_smk_m45( 513 struct wpa_sm *sm, const unsigned char *src_addr, 514 const struct wpa_eapol_key *key, const u8 *key_data, 515 size_t key_data_len, int ver) 516 { 517 struct wpa_peerkey *peerkey; 518 struct wpa_eapol_ie_parse kde; 519 u32 lifetime; 520 521 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) { 522 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for " 523 "the current network"); 524 return -1; 525 } 526 527 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0) { 528 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M4/M5"); 529 return -1; 530 } 531 532 if (kde.mac_addr == NULL || kde.mac_addr_len < ETH_ALEN || 533 kde.nonce == NULL || kde.nonce_len < WPA_NONCE_LEN || 534 kde.smk == NULL || kde.smk_len < PMK_LEN + WPA_NONCE_LEN || 535 kde.lifetime == NULL || kde.lifetime_len < 4) { 536 wpa_printf(MSG_INFO, "RSN: No MAC Address, Nonce, SMK, or " 537 "Lifetime KDE in SMK M4/M5"); 538 return -1; 539 } 540 541 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) { 542 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) == 0 && 543 os_memcmp(peerkey->initiator ? peerkey->inonce : 544 peerkey->pnonce, 545 key->key_nonce, WPA_NONCE_LEN) == 0) 546 break; 547 } 548 if (peerkey == NULL) { 549 wpa_printf(MSG_INFO, "RSN: No matching SMK handshake found " 550 "for SMK M4/M5: peer " MACSTR, 551 MAC2STR(kde.mac_addr)); 552 return -1; 553 } 554 555 if (peerkey->initiator) { 556 if (wpa_supplicant_process_smk_m5(sm, src_addr, key, ver, 557 peerkey, &kde) < 0) 558 return -1; 559 } else { 560 if (wpa_supplicant_process_smk_m4(peerkey, &kde) < 0) 561 return -1; 562 } 563 564 os_memcpy(peerkey->smk, kde.smk, PMK_LEN); 565 peerkey->smk_complete = 1; 566 wpa_hexdump_key(MSG_DEBUG, "RSN: SMK", peerkey->smk, PMK_LEN); 567 lifetime = WPA_GET_BE32(kde.lifetime); 568 wpa_printf(MSG_DEBUG, "RSN: SMK lifetime %u seconds", lifetime); 569 if (lifetime > 1000000000) 570 lifetime = 1000000000; /* avoid overflowing eloop time */ 571 peerkey->lifetime = lifetime; 572 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout, 573 sm, peerkey); 574 575 if (peerkey->initiator) { 576 rsn_smkid(peerkey->smk, peerkey->pnonce, peerkey->addr, 577 peerkey->inonce, sm->own_addr, peerkey->smkid, 578 peerkey->akmp); 579 wpa_supplicant_send_stk_1_of_4(sm, peerkey); 580 } else { 581 rsn_smkid(peerkey->smk, peerkey->pnonce, sm->own_addr, 582 peerkey->inonce, peerkey->addr, peerkey->smkid, 583 peerkey->akmp); 584 } 585 wpa_hexdump(MSG_DEBUG, "RSN: SMKID", peerkey->smkid, PMKID_LEN); 586 587 return 0; 588 } 589 590 591 static int wpa_supplicant_process_smk_error( 592 struct wpa_sm *sm, const unsigned char *src_addr, 593 const u8 *key_data, size_t key_data_len) 594 { 595 struct wpa_eapol_ie_parse kde; 596 struct rsn_error_kde error; 597 u8 peer[ETH_ALEN]; 598 u16 error_type; 599 600 wpa_printf(MSG_DEBUG, "RSN: Received SMK Error"); 601 602 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) { 603 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for " 604 "the current network"); 605 return -1; 606 } 607 608 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0) { 609 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK Error"); 610 return -1; 611 } 612 613 if (kde.error == NULL || kde.error_len < sizeof(error)) { 614 wpa_printf(MSG_INFO, "RSN: No Error KDE in SMK Error"); 615 return -1; 616 } 617 618 if (kde.mac_addr && kde.mac_addr_len >= ETH_ALEN) 619 os_memcpy(peer, kde.mac_addr, ETH_ALEN); 620 else 621 os_memset(peer, 0, ETH_ALEN); 622 os_memcpy(&error, kde.error, sizeof(error)); 623 error_type = be_to_host16(error.error_type); 624 wpa_msg(sm->ctx->msg_ctx, MSG_INFO, 625 "RSN: SMK Error KDE received: MUI %d error_type %d peer " 626 MACSTR, 627 be_to_host16(error.mui), error_type, 628 MAC2STR(peer)); 629 630 if (kde.mac_addr && 631 (error_type == STK_ERR_STA_NR || error_type == STK_ERR_STA_NRSN || 632 error_type == STK_ERR_CPHR_NS)) { 633 struct wpa_peerkey *peerkey; 634 635 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) { 636 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) == 637 0) 638 break; 639 } 640 if (peerkey == NULL) { 641 wpa_printf(MSG_DEBUG, "RSN: No matching SMK handshake " 642 "found for SMK Error"); 643 return -1; 644 } 645 /* TODO: abort SMK/STK handshake and remove all related keys */ 646 } 647 648 return 0; 649 } 650 651 652 static void wpa_supplicant_process_stk_1_of_4(struct wpa_sm *sm, 653 struct wpa_peerkey *peerkey, 654 const struct wpa_eapol_key *key, 655 u16 ver, const u8 *key_data, 656 size_t key_data_len) 657 { 658 struct wpa_eapol_ie_parse ie; 659 size_t kde_buf_len; 660 struct wpa_ptk *stk; 661 u8 buf[8], *kde_buf, *pos; 662 be32 lifetime; 663 664 wpa_printf(MSG_DEBUG, "RSN: RX message 1 of STK 4-Way Handshake from " 665 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver); 666 667 os_memset(&ie, 0, sizeof(ie)); 668 669 /* RSN: msg 1/4 should contain SMKID for the selected SMK */ 670 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", key_data, key_data_len); 671 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0 || 672 ie.pmkid == NULL) { 673 wpa_printf(MSG_DEBUG, "RSN: No SMKID in STK 1/4"); 674 return; 675 } 676 if (os_memcmp_const(ie.pmkid, peerkey->smkid, PMKID_LEN) != 0) { 677 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 1/4", 678 ie.pmkid, PMKID_LEN); 679 return; 680 } 681 682 if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) { 683 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 684 "RSN: Failed to get random data for PNonce"); 685 return; 686 } 687 wpa_hexdump(MSG_DEBUG, "WPA: Renewed PNonce", 688 peerkey->pnonce, WPA_NONCE_LEN); 689 690 /* Calculate STK which will be stored as a temporary STK until it has 691 * been verified when processing message 3/4. */ 692 stk = &peerkey->tstk; 693 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion", 694 sm->own_addr, peerkey->addr, 695 peerkey->pnonce, key->key_nonce, 696 stk, peerkey->akmp, peerkey->cipher); 697 /* Supplicant: swap tx/rx Mic keys */ 698 os_memcpy(buf, &stk->tk[16], 8); 699 os_memcpy(&stk->tk[16], &stk->tk[24], 8); 700 os_memcpy(&stk->tk[24], buf, 8); 701 peerkey->tstk_set = 1; 702 703 kde_buf_len = peerkey->rsnie_p_len + 704 2 + RSN_SELECTOR_LEN + sizeof(lifetime) + 705 2 + RSN_SELECTOR_LEN + PMKID_LEN; 706 kde_buf = os_malloc(kde_buf_len); 707 if (kde_buf == NULL) 708 return; 709 pos = kde_buf; 710 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len); 711 lifetime = host_to_be32(peerkey->lifetime); 712 pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME, 713 (u8 *) &lifetime, sizeof(lifetime)); 714 wpa_add_kde(pos, RSN_KEY_DATA_PMKID, peerkey->smkid, PMKID_LEN); 715 716 if (wpa_supplicant_send_2_of_4(sm, peerkey->addr, key, ver, 717 peerkey->pnonce, kde_buf, kde_buf_len, 718 stk) < 0) { 719 wpa_printf(MSG_INFO, "RSN: Failed to send STK message 2/4"); 720 os_free(kde_buf); 721 return; 722 } 723 os_free(kde_buf); 724 725 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN); 726 } 727 728 729 static void wpa_supplicant_update_smk_lifetime(struct wpa_sm *sm, 730 struct wpa_peerkey *peerkey, 731 struct wpa_eapol_ie_parse *kde) 732 { 733 u32 lifetime; 734 735 if (kde->lifetime == NULL || kde->lifetime_len < sizeof(lifetime)) 736 return; 737 738 lifetime = WPA_GET_BE32(kde->lifetime); 739 740 if (lifetime >= peerkey->lifetime) { 741 wpa_printf(MSG_DEBUG, "RSN: Peer used SMK lifetime %u seconds " 742 "which is larger than or equal to own value %u " 743 "seconds - ignored", lifetime, peerkey->lifetime); 744 return; 745 } 746 747 wpa_printf(MSG_DEBUG, "RSN: Peer used shorter SMK lifetime %u seconds " 748 "(own was %u seconds) - updated", 749 lifetime, peerkey->lifetime); 750 peerkey->lifetime = lifetime; 751 752 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey); 753 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout, 754 sm, peerkey); 755 } 756 757 758 static void wpa_supplicant_process_stk_2_of_4(struct wpa_sm *sm, 759 struct wpa_peerkey *peerkey, 760 const struct wpa_eapol_key *key, 761 u16 ver, const u8 *key_data, 762 size_t key_data_len) 763 { 764 struct wpa_eapol_ie_parse kde; 765 766 wpa_printf(MSG_DEBUG, "RSN: RX message 2 of STK 4-Way Handshake from " 767 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver); 768 769 os_memset(&kde, 0, sizeof(kde)); 770 771 /* RSN: msg 2/4 should contain SMKID for the selected SMK and RSN IE 772 * from the peer. It may also include Lifetime KDE. */ 773 wpa_hexdump(MSG_DEBUG, "RSN: msg 2/4 key data", key_data, key_data_len); 774 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0 || 775 kde.pmkid == NULL || kde.rsn_ie == NULL) { 776 wpa_printf(MSG_DEBUG, "RSN: No SMKID or RSN IE in STK 2/4"); 777 return; 778 } 779 780 if (os_memcmp_const(kde.pmkid, peerkey->smkid, PMKID_LEN) != 0) { 781 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 2/4", 782 kde.pmkid, PMKID_LEN); 783 return; 784 } 785 786 if (kde.rsn_ie_len != peerkey->rsnie_p_len || 787 os_memcmp(kde.rsn_ie, peerkey->rsnie_p, kde.rsn_ie_len) != 0) { 788 wpa_printf(MSG_INFO, "RSN: Peer RSN IE in SMK and STK " 789 "handshakes did not match"); 790 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in SMK handshake", 791 peerkey->rsnie_p, peerkey->rsnie_p_len); 792 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in STK handshake", 793 kde.rsn_ie, kde.rsn_ie_len); 794 return; 795 } 796 797 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde); 798 799 wpa_supplicant_send_stk_3_of_4(sm, peerkey); 800 os_memcpy(peerkey->pnonce, key->key_nonce, WPA_NONCE_LEN); 801 } 802 803 804 static void wpa_supplicant_process_stk_3_of_4(struct wpa_sm *sm, 805 struct wpa_peerkey *peerkey, 806 const struct wpa_eapol_key *key, 807 u16 ver, const u8 *key_data, 808 size_t key_data_len) 809 { 810 struct wpa_eapol_ie_parse kde; 811 size_t key_len; 812 const u8 *_key; 813 u8 key_buf[32], rsc[6]; 814 815 wpa_printf(MSG_DEBUG, "RSN: RX message 3 of STK 4-Way Handshake from " 816 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver); 817 818 os_memset(&kde, 0, sizeof(kde)); 819 820 /* RSN: msg 3/4 should contain Initiator RSN IE. It may also include 821 * Lifetime KDE. */ 822 wpa_hexdump(MSG_DEBUG, "RSN: msg 3/4 key data", key_data, key_data_len); 823 if (wpa_supplicant_parse_ies(key_data, key_data_len, &kde) < 0) { 824 wpa_printf(MSG_DEBUG, "RSN: Failed to parse key data in " 825 "STK 3/4"); 826 return; 827 } 828 829 if (kde.rsn_ie_len != peerkey->rsnie_i_len || 830 os_memcmp(kde.rsn_ie, peerkey->rsnie_i, kde.rsn_ie_len) != 0) { 831 wpa_printf(MSG_INFO, "RSN: Initiator RSN IE in SMK and STK " 832 "handshakes did not match"); 833 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in SMK " 834 "handshake", 835 peerkey->rsnie_i, peerkey->rsnie_i_len); 836 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in STK " 837 "handshake", 838 kde.rsn_ie, kde.rsn_ie_len); 839 return; 840 } 841 842 if (os_memcmp(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN) != 0) { 843 wpa_printf(MSG_WARNING, "RSN: INonce from message 1 of STK " 844 "4-Way Handshake differs from 3 of STK 4-Way " 845 "Handshake - drop packet (src=" MACSTR ")", 846 MAC2STR(peerkey->addr)); 847 wpa_hexdump(MSG_DEBUG, "RSN: INonce from message 1", 848 peerkey->inonce, WPA_NONCE_LEN); 849 wpa_hexdump(MSG_DEBUG, "RSN: INonce from message 3", 850 key->key_nonce, WPA_NONCE_LEN); 851 return; 852 } 853 854 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde); 855 856 if (wpa_supplicant_send_4_of_4(sm, peerkey->addr, key, ver, 857 WPA_GET_BE16(key->key_info), 858 &peerkey->stk) < 0) { 859 wpa_printf(MSG_INFO, "RSN: Failed to send STK message 4/4"); 860 return; 861 } 862 863 _key = peerkey->stk.tk; 864 if (peerkey->cipher == WPA_CIPHER_TKIP) { 865 /* Swap Tx/Rx keys for Michael MIC */ 866 os_memcpy(key_buf, _key, 16); 867 os_memcpy(key_buf + 16, _key + 24, 8); 868 os_memcpy(key_buf + 24, _key + 16, 8); 869 _key = key_buf; 870 key_len = 32; 871 } else 872 key_len = 16; 873 874 os_memset(rsc, 0, 6); 875 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1, 876 rsc, sizeof(rsc), _key, key_len) < 0) { 877 os_memset(key_buf, 0, sizeof(key_buf)); 878 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the " 879 "driver."); 880 return; 881 } 882 os_memset(key_buf, 0, sizeof(key_buf)); 883 } 884 885 886 static void wpa_supplicant_process_stk_4_of_4(struct wpa_sm *sm, 887 struct wpa_peerkey *peerkey, 888 const struct wpa_eapol_key *key, 889 u16 ver) 890 { 891 u8 rsc[6]; 892 893 wpa_printf(MSG_DEBUG, "RSN: RX message 4 of STK 4-Way Handshake from " 894 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver); 895 896 os_memset(rsc, 0, 6); 897 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1, 898 rsc, sizeof(rsc), peerkey->stk.tk, 899 peerkey->cipher == WPA_CIPHER_TKIP ? 32 : 16) < 0) { 900 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the " 901 "driver."); 902 return; 903 } 904 } 905 906 907 /** 908 * peerkey_verify_eapol_key_mic - Verify PeerKey MIC 909 * @sm: Pointer to WPA state machine data from wpa_sm_init() 910 * @peerkey: Pointer to the PeerKey data for the peer 911 * @key: Pointer to the EAPOL-Key frame header 912 * @ver: Version bits from EAPOL-Key Key Info 913 * @buf: Pointer to the beginning of EAPOL-Key frame 914 * @len: Length of the EAPOL-Key frame 915 * Returns: 0 on success, -1 on failure 916 */ 917 int peerkey_verify_eapol_key_mic(struct wpa_sm *sm, 918 struct wpa_peerkey *peerkey, 919 struct wpa_eapol_key *key, u16 ver, 920 const u8 *buf, size_t len) 921 { 922 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN], *mic_pos; 923 size_t mic_len = 16; 924 int ok = 0; 925 926 if (peerkey->initiator && !peerkey->stk_set) { 927 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion", 928 sm->own_addr, peerkey->addr, 929 peerkey->inonce, key->key_nonce, 930 &peerkey->stk, peerkey->akmp, peerkey->cipher); 931 peerkey->stk_set = 1; 932 } 933 934 mic_pos = (u8 *) (key + 1); 935 os_memcpy(mic, mic_pos, mic_len); 936 if (peerkey->tstk_set) { 937 os_memset(mic_pos, 0, mic_len); 938 wpa_eapol_key_mic(peerkey->tstk.kck, peerkey->tstk.kck_len, 939 sm->key_mgmt, ver, buf, len, mic_pos); 940 if (os_memcmp_const(mic, mic_pos, mic_len) != 0) { 941 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC " 942 "when using TSTK - ignoring TSTK"); 943 } else { 944 ok = 1; 945 peerkey->tstk_set = 0; 946 peerkey->stk_set = 1; 947 os_memcpy(&peerkey->stk, &peerkey->tstk, 948 sizeof(peerkey->stk)); 949 os_memset(&peerkey->tstk, 0, sizeof(peerkey->tstk)); 950 } 951 } 952 953 if (!ok && peerkey->stk_set) { 954 os_memset(mic_pos, 0, mic_len); 955 wpa_eapol_key_mic(peerkey->stk.kck, peerkey->stk.kck_len, 956 sm->key_mgmt, ver, buf, len, mic_pos); 957 if (os_memcmp_const(mic, mic_pos, mic_len) != 0) { 958 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC " 959 "- dropping packet"); 960 return -1; 961 } 962 ok = 1; 963 } 964 965 if (!ok) { 966 wpa_printf(MSG_WARNING, "RSN: Could not verify EAPOL-Key MIC " 967 "- dropping packet"); 968 return -1; 969 } 970 971 os_memcpy(peerkey->replay_counter, key->replay_counter, 972 WPA_REPLAY_COUNTER_LEN); 973 peerkey->replay_counter_set = 1; 974 return 0; 975 } 976 977 978 /** 979 * wpa_sm_stkstart - Send EAPOL-Key Request for STK handshake (STK M1) 980 * @sm: Pointer to WPA state machine data from wpa_sm_init() 981 * @peer: MAC address of the peer STA 982 * Returns: 0 on success, or -1 on failure 983 * 984 * Send an EAPOL-Key Request to the current authenticator to start STK 985 * handshake with the peer. 986 */ 987 int wpa_sm_stkstart(struct wpa_sm *sm, const u8 *peer) 988 { 989 size_t rlen, kde_len, mic_len; 990 struct wpa_eapol_key *req; 991 int key_info, ver; 992 u8 bssid[ETH_ALEN], *rbuf, *pos, *count_pos, *mic; 993 u16 count; 994 struct rsn_ie_hdr *hdr; 995 struct wpa_peerkey *peerkey; 996 struct wpa_ie_data ie; 997 998 if (sm->proto != WPA_PROTO_RSN || !sm->ptk_set || !sm->peerkey_enabled) 999 return -1; 1000 1001 if (sm->ap_rsn_ie && 1002 wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &ie) == 0 && 1003 !(ie.capabilities & WPA_CAPABILITY_PEERKEY_ENABLED)) { 1004 wpa_printf(MSG_DEBUG, "RSN: Current AP does not support STK"); 1005 return -1; 1006 } 1007 1008 mic_len = wpa_mic_len(sm->key_mgmt); 1009 if (sm->pairwise_cipher != WPA_CIPHER_TKIP) 1010 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES; 1011 else 1012 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4; 1013 1014 if (wpa_sm_get_bssid(sm, bssid) < 0) { 1015 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key " 1016 "SMK M1"); 1017 return -1; 1018 } 1019 1020 /* TODO: find existing entry and if found, use that instead of adding 1021 * a new one */ 1022 peerkey = os_zalloc(sizeof(*peerkey)); 1023 if (peerkey == NULL) 1024 return -1; 1025 peerkey->initiator = 1; 1026 os_memcpy(peerkey->addr, peer, ETH_ALEN); 1027 peerkey->akmp = sm->key_mgmt; 1028 1029 /* SMK M1: 1030 * EAPOL-Key(S=1, M=1, A=0, I=0, K=0, SM=1, KeyRSC=0, Nonce=INonce, 1031 * MIC=MIC, DataKDs=(RSNIE_I, MAC_P KDE)) 1032 */ 1033 1034 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_i; 1035 hdr->elem_id = WLAN_EID_RSN; 1036 WPA_PUT_LE16(hdr->version, RSN_VERSION); 1037 pos = (u8 *) (hdr + 1); 1038 /* Group Suite can be anything for SMK RSN IE; receiver will just 1039 * ignore it. */ 1040 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP); 1041 pos += RSN_SELECTOR_LEN; 1042 count_pos = pos; 1043 pos += 2; 1044 1045 count = rsn_cipher_put_suites(pos, sm->allowed_pairwise_cipher); 1046 pos += count * RSN_SELECTOR_LEN; 1047 WPA_PUT_LE16(count_pos, count); 1048 1049 hdr->len = (pos - peerkey->rsnie_i) - 2; 1050 peerkey->rsnie_i_len = pos - peerkey->rsnie_i; 1051 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake", 1052 peerkey->rsnie_i, peerkey->rsnie_i_len); 1053 1054 kde_len = peerkey->rsnie_i_len + 2 + RSN_SELECTOR_LEN + ETH_ALEN; 1055 1056 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL, 1057 sizeof(*req) + mic_len + 2 + kde_len, &rlen, 1058 (void *) &req); 1059 if (rbuf == NULL) { 1060 wpa_supplicant_peerkey_free(sm, peerkey); 1061 return -1; 1062 } 1063 1064 req->type = EAPOL_KEY_TYPE_RSN; 1065 key_info = WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC | 1066 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_REQUEST | ver; 1067 WPA_PUT_BE16(req->key_info, key_info); 1068 WPA_PUT_BE16(req->key_length, 0); 1069 os_memcpy(req->replay_counter, sm->request_counter, 1070 WPA_REPLAY_COUNTER_LEN); 1071 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN); 1072 1073 if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) { 1074 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, 1075 "WPA: Failed to get random data for INonce"); 1076 os_free(rbuf); 1077 wpa_supplicant_peerkey_free(sm, peerkey); 1078 return -1; 1079 } 1080 os_memcpy(req->key_nonce, peerkey->inonce, WPA_NONCE_LEN); 1081 wpa_hexdump(MSG_DEBUG, "WPA: INonce for SMK handshake", 1082 req->key_nonce, WPA_NONCE_LEN); 1083 1084 mic = pos = (u8 *) (req + 1); 1085 pos += mic_len; 1086 WPA_PUT_BE16(pos, (u16) kde_len); 1087 pos += 2; 1088 1089 /* Initiator RSN IE */ 1090 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len); 1091 /* Peer MAC address KDE */ 1092 wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN); 1093 1094 wpa_printf(MSG_INFO, "RSN: Sending EAPOL-Key SMK M1 Request (peer " 1095 MACSTR ")", MAC2STR(peer)); 1096 wpa_eapol_key_send(sm, &sm->ptk, ver, bssid, ETH_P_EAPOL, rbuf, rlen, 1097 mic); 1098 1099 peerkey->next = sm->peerkey; 1100 sm->peerkey = peerkey; 1101 1102 return 0; 1103 } 1104 1105 1106 /** 1107 * peerkey_deinit - Free PeerKey values 1108 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1109 */ 1110 void peerkey_deinit(struct wpa_sm *sm) 1111 { 1112 struct wpa_peerkey *prev, *peerkey = sm->peerkey; 1113 while (peerkey) { 1114 prev = peerkey; 1115 peerkey = peerkey->next; 1116 wpa_supplicant_peerkey_free(sm, prev); 1117 } 1118 sm->peerkey = NULL; 1119 } 1120 1121 1122 void peerkey_rx_eapol_4way(struct wpa_sm *sm, struct wpa_peerkey *peerkey, 1123 struct wpa_eapol_key *key, u16 key_info, u16 ver, 1124 const u8 *key_data, size_t key_data_len) 1125 { 1126 if ((key_info & (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) == 1127 (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) { 1128 /* 3/4 STK 4-Way Handshake */ 1129 wpa_supplicant_process_stk_3_of_4(sm, peerkey, key, ver, 1130 key_data, key_data_len); 1131 } else if (key_info & WPA_KEY_INFO_ACK) { 1132 /* 1/4 STK 4-Way Handshake */ 1133 wpa_supplicant_process_stk_1_of_4(sm, peerkey, key, ver, 1134 key_data, key_data_len); 1135 } else if (key_info & WPA_KEY_INFO_SECURE) { 1136 /* 4/4 STK 4-Way Handshake */ 1137 wpa_supplicant_process_stk_4_of_4(sm, peerkey, key, ver); 1138 } else { 1139 /* 2/4 STK 4-Way Handshake */ 1140 wpa_supplicant_process_stk_2_of_4(sm, peerkey, key, ver, 1141 key_data, key_data_len); 1142 } 1143 } 1144 1145 1146 void peerkey_rx_eapol_smk(struct wpa_sm *sm, const u8 *src_addr, 1147 struct wpa_eapol_key *key, const u8 *key_data, 1148 size_t key_data_len, 1149 u16 key_info, u16 ver) 1150 { 1151 if (key_info & WPA_KEY_INFO_ERROR) { 1152 /* SMK Error */ 1153 wpa_supplicant_process_smk_error(sm, src_addr, key_data, 1154 key_data_len); 1155 } else if (key_info & WPA_KEY_INFO_ACK) { 1156 /* SMK M2 */ 1157 wpa_supplicant_process_smk_m2(sm, src_addr, key, key_data, 1158 key_data_len, ver); 1159 } else { 1160 /* SMK M4 or M5 */ 1161 wpa_supplicant_process_smk_m45(sm, src_addr, key, key_data, 1162 key_data_len, ver); 1163 } 1164 } 1165 1166 #endif /* CONFIG_PEERKEY */ 1167
