Line data Source code
1 : /*
2 : * WPA Supplicant - PeerKey for Direct Link Setup (DLS)
3 : * Copyright (c) 2006-2008, Jouni Malinen <j@w1.fi>
4 : *
5 : * This software may be distributed under the terms of the BSD license.
6 : * See README for more details.
7 : */
8 :
9 : #include "includes.h"
10 :
11 : #ifdef CONFIG_PEERKEY
12 :
13 : #include "common.h"
14 : #include "eloop.h"
15 : #include "crypto/sha1.h"
16 : #include "crypto/sha256.h"
17 : #include "crypto/random.h"
18 : #include "common/ieee802_11_defs.h"
19 : #include "wpa.h"
20 : #include "wpa_i.h"
21 : #include "wpa_ie.h"
22 : #include "peerkey.h"
23 :
24 :
25 7 : static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
26 : {
27 7 : os_memcpy(pos, ie, ie_len);
28 7 : return pos + ie_len;
29 : }
30 :
31 :
32 14 : static u8 * wpa_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
33 : {
34 14 : *pos++ = WLAN_EID_VENDOR_SPECIFIC;
35 14 : *pos++ = RSN_SELECTOR_LEN + data_len;
36 14 : RSN_SELECTOR_PUT(pos, kde);
37 14 : pos += RSN_SELECTOR_LEN;
38 14 : os_memcpy(pos, data, data_len);
39 14 : pos += data_len;
40 14 : return pos;
41 : }
42 :
43 :
44 0 : static void wpa_supplicant_smk_timeout(void *eloop_ctx, void *timeout_ctx)
45 : {
46 : #if 0
47 : struct wpa_sm *sm = eloop_ctx;
48 : struct wpa_peerkey *peerkey = timeout_ctx;
49 : #endif
50 : /* TODO: time out SMK and any STK that was generated using this SMK */
51 0 : }
52 :
53 :
54 5 : static void wpa_supplicant_peerkey_free(struct wpa_sm *sm,
55 : struct wpa_peerkey *peerkey)
56 : {
57 5 : eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
58 5 : os_free(peerkey);
59 5 : }
60 :
61 :
62 2 : static int wpa_supplicant_send_smk_error(struct wpa_sm *sm, const u8 *dst,
63 : const u8 *peer,
64 : u16 mui, u16 error_type, int ver)
65 : {
66 : size_t rlen;
67 : struct wpa_eapol_key *err;
68 : struct rsn_error_kde error;
69 : u8 *rbuf, *pos;
70 : size_t kde_len;
71 : u16 key_info;
72 :
73 2 : kde_len = 2 + RSN_SELECTOR_LEN + sizeof(error);
74 2 : if (peer)
75 2 : kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
76 :
77 2 : rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
78 : NULL, sizeof(*err) + kde_len, &rlen,
79 : (void *) &err);
80 2 : if (rbuf == NULL)
81 0 : return -1;
82 :
83 2 : err->type = EAPOL_KEY_TYPE_RSN;
84 2 : key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
85 : WPA_KEY_INFO_SECURE | WPA_KEY_INFO_ERROR |
86 : WPA_KEY_INFO_REQUEST;
87 2 : WPA_PUT_BE16(err->key_info, key_info);
88 2 : WPA_PUT_BE16(err->key_length, 0);
89 2 : os_memcpy(err->replay_counter, sm->request_counter,
90 : WPA_REPLAY_COUNTER_LEN);
91 2 : inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
92 :
93 2 : WPA_PUT_BE16(err->key_data_length, (u16) kde_len);
94 2 : pos = (u8 *) (err + 1);
95 :
96 2 : if (peer) {
97 : /* Peer MAC Address KDE */
98 2 : pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
99 : }
100 :
101 : /* Error KDE */
102 2 : error.mui = host_to_be16(mui);
103 2 : error.error_type = host_to_be16(error_type);
104 2 : wpa_add_kde(pos, RSN_KEY_DATA_ERROR, (u8 *) &error, sizeof(error));
105 :
106 2 : if (peer) {
107 14 : wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error (peer "
108 : MACSTR " mui %d error_type %d)",
109 12 : MAC2STR(peer), mui, error_type);
110 : } else {
111 0 : wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error "
112 : "(mui %d error_type %d)", mui, error_type);
113 : }
114 :
115 2 : wpa_eapol_key_send(sm, sm->ptk.kck, ver, dst, ETH_P_EAPOL,
116 2 : rbuf, rlen, err->key_mic);
117 :
118 2 : return 0;
119 : }
120 :
121 :
122 1 : static int wpa_supplicant_send_smk_m3(struct wpa_sm *sm,
123 : const unsigned char *src_addr,
124 : const struct wpa_eapol_key *key,
125 : int ver, struct wpa_peerkey *peerkey)
126 : {
127 : size_t rlen;
128 : struct wpa_eapol_key *reply;
129 : u8 *rbuf, *pos;
130 : size_t kde_len;
131 : u16 key_info;
132 :
133 : /* KDEs: Peer RSN IE, Initiator MAC Address, Initiator Nonce */
134 1 : kde_len = peerkey->rsnie_p_len +
135 : 2 + RSN_SELECTOR_LEN + ETH_ALEN +
136 : 2 + RSN_SELECTOR_LEN + WPA_NONCE_LEN;
137 :
138 1 : rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
139 : NULL, sizeof(*reply) + kde_len, &rlen,
140 : (void *) &reply);
141 1 : if (rbuf == NULL)
142 0 : return -1;
143 :
144 1 : reply->type = EAPOL_KEY_TYPE_RSN;
145 1 : key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
146 : WPA_KEY_INFO_SECURE;
147 1 : WPA_PUT_BE16(reply->key_info, key_info);
148 1 : WPA_PUT_BE16(reply->key_length, 0);
149 1 : os_memcpy(reply->replay_counter, key->replay_counter,
150 : WPA_REPLAY_COUNTER_LEN);
151 :
152 1 : os_memcpy(reply->key_nonce, peerkey->pnonce, WPA_NONCE_LEN);
153 :
154 1 : WPA_PUT_BE16(reply->key_data_length, (u16) kde_len);
155 1 : pos = (u8 *) (reply + 1);
156 :
157 : /* Peer RSN IE */
158 1 : pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
159 :
160 : /* Initiator MAC Address KDE */
161 1 : pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peerkey->addr, ETH_ALEN);
162 :
163 : /* Initiator Nonce */
164 1 : wpa_add_kde(pos, RSN_KEY_DATA_NONCE, peerkey->inonce, WPA_NONCE_LEN);
165 :
166 1 : wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK M3");
167 1 : wpa_eapol_key_send(sm, sm->ptk.kck, ver, src_addr, ETH_P_EAPOL,
168 1 : rbuf, rlen, reply->key_mic);
169 :
170 1 : return 0;
171 : }
172 :
173 :
174 3 : static int wpa_supplicant_process_smk_m2(
175 : struct wpa_sm *sm, const unsigned char *src_addr,
176 : const struct wpa_eapol_key *key, size_t extra_len, int ver)
177 : {
178 : struct wpa_peerkey *peerkey;
179 : struct wpa_eapol_ie_parse kde;
180 : struct wpa_ie_data ie;
181 : int cipher;
182 : struct rsn_ie_hdr *hdr;
183 : u8 *pos;
184 :
185 3 : wpa_printf(MSG_DEBUG, "RSN: Received SMK M2");
186 :
187 3 : if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
188 0 : wpa_printf(MSG_INFO, "RSN: SMK handshake not allowed for "
189 : "the current network");
190 0 : return -1;
191 : }
192 :
193 3 : if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
194 : 0) {
195 0 : wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M2");
196 0 : return -1;
197 : }
198 :
199 6 : if (kde.rsn_ie == NULL || kde.mac_addr == NULL ||
200 3 : kde.mac_addr_len < ETH_ALEN) {
201 0 : wpa_printf(MSG_INFO, "RSN: No RSN IE or MAC address KDE in "
202 : "SMK M2");
203 0 : return -1;
204 : }
205 :
206 18 : wpa_printf(MSG_DEBUG, "RSN: SMK M2 - SMK initiator " MACSTR,
207 18 : MAC2STR(kde.mac_addr));
208 :
209 3 : if (kde.rsn_ie_len > PEERKEY_MAX_IE_LEN) {
210 0 : wpa_printf(MSG_INFO, "RSN: Too long Initiator RSN IE in SMK "
211 : "M2");
212 0 : return -1;
213 : }
214 :
215 3 : if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
216 0 : wpa_printf(MSG_INFO, "RSN: Failed to parse RSN IE in SMK M2");
217 0 : return -1;
218 : }
219 :
220 6 : cipher = wpa_pick_pairwise_cipher(ie.pairwise_cipher &
221 3 : sm->allowed_pairwise_cipher, 0);
222 3 : if (cipher < 0) {
223 2 : wpa_printf(MSG_INFO, "RSN: No acceptable cipher in SMK M2");
224 2 : wpa_supplicant_send_smk_error(sm, src_addr, kde.mac_addr,
225 : STK_MUI_SMK, STK_ERR_CPHR_NS,
226 : ver);
227 2 : return -1;
228 : }
229 1 : wpa_printf(MSG_DEBUG, "RSN: Using %s for PeerKey",
230 : wpa_cipher_txt(cipher));
231 :
232 : /* TODO: find existing entry and if found, use that instead of adding
233 : * a new one; how to handle the case where both ends initiate at the
234 : * same time? */
235 1 : peerkey = os_zalloc(sizeof(*peerkey));
236 1 : if (peerkey == NULL)
237 0 : return -1;
238 1 : os_memcpy(peerkey->addr, kde.mac_addr, ETH_ALEN);
239 1 : os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
240 1 : os_memcpy(peerkey->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
241 1 : peerkey->rsnie_i_len = kde.rsn_ie_len;
242 1 : peerkey->cipher = cipher;
243 : #ifdef CONFIG_IEEE80211W
244 1 : if (ie.key_mgmt & (WPA_KEY_MGMT_IEEE8021X_SHA256 |
245 : WPA_KEY_MGMT_PSK_SHA256))
246 0 : peerkey->use_sha256 = 1;
247 : #endif /* CONFIG_IEEE80211W */
248 :
249 1 : if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) {
250 0 : wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
251 : "WPA: Failed to get random data for PNonce");
252 0 : wpa_supplicant_peerkey_free(sm, peerkey);
253 0 : return -1;
254 : }
255 :
256 1 : hdr = (struct rsn_ie_hdr *) peerkey->rsnie_p;
257 1 : hdr->elem_id = WLAN_EID_RSN;
258 1 : WPA_PUT_LE16(hdr->version, RSN_VERSION);
259 1 : pos = (u8 *) (hdr + 1);
260 : /* Group Suite can be anything for SMK RSN IE; receiver will just
261 : * ignore it. */
262 1 : RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
263 1 : pos += RSN_SELECTOR_LEN;
264 : /* Include only the selected cipher in pairwise cipher suite */
265 1 : WPA_PUT_LE16(pos, 1);
266 1 : pos += 2;
267 1 : RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, cipher));
268 1 : pos += RSN_SELECTOR_LEN;
269 :
270 1 : hdr->len = (pos - peerkey->rsnie_p) - 2;
271 1 : peerkey->rsnie_p_len = pos - peerkey->rsnie_p;
272 2 : wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
273 1 : peerkey->rsnie_p, peerkey->rsnie_p_len);
274 :
275 1 : wpa_supplicant_send_smk_m3(sm, src_addr, key, ver, peerkey);
276 :
277 1 : peerkey->next = sm->peerkey;
278 1 : sm->peerkey = peerkey;
279 :
280 1 : return 0;
281 : }
282 :
283 :
284 : /**
285 : * rsn_smkid - Derive SMK identifier
286 : * @smk: Station master key (32 bytes)
287 : * @pnonce: Peer Nonce
288 : * @mac_p: Peer MAC address
289 : * @inonce: Initiator Nonce
290 : * @mac_i: Initiator MAC address
291 : * @use_sha256: Whether to use SHA256-based KDF
292 : *
293 : * 8.5.1.4 Station to station (STK) key hierarchy
294 : * SMKID = HMAC-SHA1-128(SMK, "SMK Name" || PNonce || MAC_P || INonce || MAC_I)
295 : */
296 2 : static void rsn_smkid(const u8 *smk, const u8 *pnonce, const u8 *mac_p,
297 : const u8 *inonce, const u8 *mac_i, u8 *smkid,
298 : int use_sha256)
299 : {
300 2 : char *title = "SMK Name";
301 : const u8 *addr[5];
302 2 : const size_t len[5] = { 8, WPA_NONCE_LEN, ETH_ALEN, WPA_NONCE_LEN,
303 : ETH_ALEN };
304 : unsigned char hash[SHA256_MAC_LEN];
305 :
306 2 : addr[0] = (u8 *) title;
307 2 : addr[1] = pnonce;
308 2 : addr[2] = mac_p;
309 2 : addr[3] = inonce;
310 2 : addr[4] = mac_i;
311 :
312 : #ifdef CONFIG_IEEE80211W
313 2 : if (use_sha256)
314 0 : hmac_sha256_vector(smk, PMK_LEN, 5, addr, len, hash);
315 : else
316 : #endif /* CONFIG_IEEE80211W */
317 2 : hmac_sha1_vector(smk, PMK_LEN, 5, addr, len, hash);
318 2 : os_memcpy(smkid, hash, PMKID_LEN);
319 2 : }
320 :
321 :
322 1 : static void wpa_supplicant_send_stk_1_of_4(struct wpa_sm *sm,
323 : struct wpa_peerkey *peerkey)
324 : {
325 : size_t mlen;
326 : struct wpa_eapol_key *msg;
327 : u8 *mbuf;
328 : size_t kde_len;
329 : u16 key_info, ver;
330 :
331 1 : kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
332 :
333 1 : mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
334 : sizeof(*msg) + kde_len, &mlen,
335 : (void *) &msg);
336 1 : if (mbuf == NULL)
337 0 : return;
338 :
339 1 : msg->type = EAPOL_KEY_TYPE_RSN;
340 :
341 1 : if (peerkey->cipher != WPA_CIPHER_TKIP)
342 1 : ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
343 : else
344 0 : ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
345 :
346 1 : key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK;
347 1 : WPA_PUT_BE16(msg->key_info, key_info);
348 :
349 1 : if (peerkey->cipher != WPA_CIPHER_TKIP)
350 1 : WPA_PUT_BE16(msg->key_length, 16);
351 : else
352 0 : WPA_PUT_BE16(msg->key_length, 32);
353 :
354 1 : os_memcpy(msg->replay_counter, peerkey->replay_counter,
355 : WPA_REPLAY_COUNTER_LEN);
356 1 : inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
357 :
358 1 : WPA_PUT_BE16(msg->key_data_length, kde_len);
359 1 : wpa_add_kde((u8 *) (msg + 1), RSN_KEY_DATA_PMKID,
360 1 : peerkey->smkid, PMKID_LEN);
361 :
362 1 : if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) {
363 0 : wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
364 : "RSN: Failed to get random data for INonce (STK)");
365 0 : os_free(mbuf);
366 0 : return;
367 : }
368 1 : wpa_hexdump(MSG_DEBUG, "RSN: INonce for STK 4-Way Handshake",
369 1 : peerkey->inonce, WPA_NONCE_LEN);
370 1 : os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
371 :
372 6 : wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 1/4 to " MACSTR,
373 6 : MAC2STR(peerkey->addr));
374 1 : wpa_eapol_key_send(sm, NULL, ver, peerkey->addr, ETH_P_EAPOL,
375 : mbuf, mlen, NULL);
376 : }
377 :
378 :
379 1 : static void wpa_supplicant_send_stk_3_of_4(struct wpa_sm *sm,
380 : struct wpa_peerkey *peerkey)
381 : {
382 : size_t mlen;
383 : struct wpa_eapol_key *msg;
384 : u8 *mbuf, *pos;
385 : size_t kde_len;
386 : u16 key_info, ver;
387 : be32 lifetime;
388 :
389 1 : kde_len = peerkey->rsnie_i_len +
390 : 2 + RSN_SELECTOR_LEN + sizeof(lifetime);
391 :
392 1 : mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
393 : sizeof(*msg) + kde_len, &mlen,
394 : (void *) &msg);
395 1 : if (mbuf == NULL)
396 1 : return;
397 :
398 1 : msg->type = EAPOL_KEY_TYPE_RSN;
399 :
400 1 : if (peerkey->cipher != WPA_CIPHER_TKIP)
401 1 : ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
402 : else
403 0 : ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
404 :
405 1 : key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK |
406 : WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE;
407 1 : WPA_PUT_BE16(msg->key_info, key_info);
408 :
409 1 : if (peerkey->cipher != WPA_CIPHER_TKIP)
410 1 : WPA_PUT_BE16(msg->key_length, 16);
411 : else
412 0 : WPA_PUT_BE16(msg->key_length, 32);
413 :
414 1 : os_memcpy(msg->replay_counter, peerkey->replay_counter,
415 : WPA_REPLAY_COUNTER_LEN);
416 1 : inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
417 :
418 1 : WPA_PUT_BE16(msg->key_data_length, kde_len);
419 1 : pos = (u8 *) (msg + 1);
420 1 : pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
421 1 : lifetime = host_to_be32(peerkey->lifetime);
422 1 : wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
423 : (u8 *) &lifetime, sizeof(lifetime));
424 :
425 1 : os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
426 :
427 6 : wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 3/4 to " MACSTR,
428 6 : MAC2STR(peerkey->addr));
429 1 : wpa_eapol_key_send(sm, peerkey->stk.kck, ver, peerkey->addr,
430 1 : ETH_P_EAPOL, mbuf, mlen, msg->key_mic);
431 : }
432 :
433 :
434 1 : static int wpa_supplicant_process_smk_m4(struct wpa_peerkey *peerkey,
435 : struct wpa_eapol_ie_parse *kde)
436 : {
437 6 : wpa_printf(MSG_DEBUG, "RSN: Received SMK M4 (Initiator " MACSTR ")",
438 6 : MAC2STR(kde->mac_addr));
439 :
440 1 : if (os_memcmp(kde->smk + PMK_LEN, peerkey->pnonce, WPA_NONCE_LEN) != 0)
441 : {
442 0 : wpa_printf(MSG_INFO, "RSN: PNonce in SMK KDE does not "
443 : "match with the one used in SMK M3");
444 0 : return -1;
445 : }
446 :
447 1 : if (os_memcmp(kde->nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) {
448 0 : wpa_printf(MSG_INFO, "RSN: INonce in SMK M4 did not "
449 : "match with the one received in SMK M2");
450 0 : return -1;
451 : }
452 :
453 1 : return 0;
454 : }
455 :
456 :
457 1 : static int wpa_supplicant_process_smk_m5(struct wpa_sm *sm,
458 : const unsigned char *src_addr,
459 : const struct wpa_eapol_key *key,
460 : int ver,
461 : struct wpa_peerkey *peerkey,
462 : struct wpa_eapol_ie_parse *kde)
463 : {
464 : int cipher;
465 : struct wpa_ie_data ie;
466 :
467 6 : wpa_printf(MSG_DEBUG, "RSN: Received SMK M5 (Peer " MACSTR ")",
468 6 : MAC2STR(kde->mac_addr));
469 2 : if (kde->rsn_ie == NULL || kde->rsn_ie_len > PEERKEY_MAX_IE_LEN ||
470 1 : wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0) {
471 0 : wpa_printf(MSG_INFO, "RSN: No RSN IE in SMK M5");
472 : /* TODO: abort negotiation */
473 0 : return -1;
474 : }
475 :
476 1 : if (os_memcmp(key->key_nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) {
477 0 : wpa_printf(MSG_INFO, "RSN: Key Nonce in SMK M5 does "
478 : "not match with INonce used in SMK M1");
479 0 : return -1;
480 : }
481 :
482 1 : if (os_memcmp(kde->smk + PMK_LEN, peerkey->inonce, WPA_NONCE_LEN) != 0)
483 : {
484 0 : wpa_printf(MSG_INFO, "RSN: INonce in SMK KDE does not "
485 : "match with the one used in SMK M1");
486 0 : return -1;
487 : }
488 :
489 1 : os_memcpy(peerkey->rsnie_p, kde->rsn_ie, kde->rsn_ie_len);
490 1 : peerkey->rsnie_p_len = kde->rsn_ie_len;
491 1 : os_memcpy(peerkey->pnonce, kde->nonce, WPA_NONCE_LEN);
492 :
493 2 : cipher = wpa_pick_pairwise_cipher(ie.pairwise_cipher &
494 1 : sm->allowed_pairwise_cipher, 0);
495 1 : if (cipher < 0) {
496 0 : wpa_printf(MSG_INFO, "RSN: SMK Peer STA " MACSTR " selected "
497 0 : "unacceptable cipher", MAC2STR(kde->mac_addr));
498 0 : wpa_supplicant_send_smk_error(sm, src_addr, kde->mac_addr,
499 : STK_MUI_SMK, STK_ERR_CPHR_NS,
500 : ver);
501 : /* TODO: abort negotiation */
502 0 : return -1;
503 : }
504 1 : wpa_printf(MSG_DEBUG, "RSN: Using %s for PeerKey",
505 : wpa_cipher_txt(cipher));
506 1 : peerkey->cipher = cipher;
507 :
508 1 : return 0;
509 : }
510 :
511 :
512 2 : static int wpa_supplicant_process_smk_m45(
513 : struct wpa_sm *sm, const unsigned char *src_addr,
514 : const struct wpa_eapol_key *key, size_t extra_len, int ver)
515 : {
516 : struct wpa_peerkey *peerkey;
517 : struct wpa_eapol_ie_parse kde;
518 : u32 lifetime;
519 :
520 2 : if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
521 0 : wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
522 : "the current network");
523 0 : return -1;
524 : }
525 :
526 2 : if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
527 : 0) {
528 0 : wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M4/M5");
529 0 : return -1;
530 : }
531 :
532 4 : if (kde.mac_addr == NULL || kde.mac_addr_len < ETH_ALEN ||
533 6 : kde.nonce == NULL || kde.nonce_len < WPA_NONCE_LEN ||
534 6 : kde.smk == NULL || kde.smk_len < PMK_LEN + WPA_NONCE_LEN ||
535 4 : kde.lifetime == NULL || kde.lifetime_len < 4) {
536 0 : wpa_printf(MSG_INFO, "RSN: No MAC Address, Nonce, SMK, or "
537 : "Lifetime KDE in SMK M4/M5");
538 0 : return -1;
539 : }
540 :
541 2 : for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
542 4 : if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) == 0 &&
543 2 : os_memcmp(peerkey->initiator ? peerkey->inonce :
544 : peerkey->pnonce,
545 : key->key_nonce, WPA_NONCE_LEN) == 0)
546 2 : break;
547 : }
548 2 : if (peerkey == NULL) {
549 0 : wpa_printf(MSG_INFO, "RSN: No matching SMK handshake found "
550 : "for SMK M4/M5: peer " MACSTR,
551 0 : MAC2STR(kde.mac_addr));
552 0 : return -1;
553 : }
554 :
555 2 : if (peerkey->initiator) {
556 1 : if (wpa_supplicant_process_smk_m5(sm, src_addr, key, ver,
557 : peerkey, &kde) < 0)
558 0 : return -1;
559 : } else {
560 1 : if (wpa_supplicant_process_smk_m4(peerkey, &kde) < 0)
561 0 : return -1;
562 : }
563 :
564 2 : os_memcpy(peerkey->smk, kde.smk, PMK_LEN);
565 2 : peerkey->smk_complete = 1;
566 2 : wpa_hexdump_key(MSG_DEBUG, "RSN: SMK", peerkey->smk, PMK_LEN);
567 2 : lifetime = WPA_GET_BE32(kde.lifetime);
568 2 : wpa_printf(MSG_DEBUG, "RSN: SMK lifetime %u seconds", lifetime);
569 2 : if (lifetime > 1000000000)
570 0 : lifetime = 1000000000; /* avoid overflowing eloop time */
571 2 : peerkey->lifetime = lifetime;
572 2 : eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
573 : sm, peerkey);
574 :
575 2 : if (peerkey->initiator) {
576 2 : rsn_smkid(peerkey->smk, peerkey->pnonce, peerkey->addr,
577 1 : peerkey->inonce, sm->own_addr, peerkey->smkid,
578 : peerkey->use_sha256);
579 1 : wpa_supplicant_send_stk_1_of_4(sm, peerkey);
580 : } else {
581 2 : rsn_smkid(peerkey->smk, peerkey->pnonce, sm->own_addr,
582 1 : peerkey->inonce, peerkey->addr, peerkey->smkid,
583 : peerkey->use_sha256);
584 : }
585 2 : wpa_hexdump(MSG_DEBUG, "RSN: SMKID", peerkey->smkid, PMKID_LEN);
586 :
587 2 : return 0;
588 : }
589 :
590 :
591 3 : static int wpa_supplicant_process_smk_error(
592 : struct wpa_sm *sm, const unsigned char *src_addr,
593 : const struct wpa_eapol_key *key, size_t extra_len)
594 : {
595 : struct wpa_eapol_ie_parse kde;
596 : struct rsn_error_kde error;
597 : u8 peer[ETH_ALEN];
598 : u16 error_type;
599 :
600 3 : wpa_printf(MSG_DEBUG, "RSN: Received SMK Error");
601 :
602 3 : if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
603 0 : wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
604 : "the current network");
605 0 : return -1;
606 : }
607 :
608 3 : if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
609 : 0) {
610 0 : wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK Error");
611 0 : return -1;
612 : }
613 :
614 3 : if (kde.error == NULL || kde.error_len < sizeof(error)) {
615 0 : wpa_printf(MSG_INFO, "RSN: No Error KDE in SMK Error");
616 0 : return -1;
617 : }
618 :
619 3 : if (kde.mac_addr && kde.mac_addr_len >= ETH_ALEN)
620 3 : os_memcpy(peer, kde.mac_addr, ETH_ALEN);
621 : else
622 0 : os_memset(peer, 0, ETH_ALEN);
623 3 : os_memcpy(&error, kde.error, sizeof(error));
624 3 : error_type = be_to_host16(error.error_type);
625 21 : wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
626 : "RSN: SMK Error KDE received: MUI %d error_type %d peer "
627 : MACSTR,
628 3 : be_to_host16(error.mui), error_type,
629 18 : MAC2STR(peer));
630 :
631 3 : if (kde.mac_addr &&
632 2 : (error_type == STK_ERR_STA_NR || error_type == STK_ERR_STA_NRSN ||
633 : error_type == STK_ERR_CPHR_NS)) {
634 : struct wpa_peerkey *peerkey;
635 :
636 3 : for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
637 3 : if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) ==
638 : 0)
639 3 : break;
640 : }
641 3 : if (peerkey == NULL) {
642 0 : wpa_printf(MSG_DEBUG, "RSN: No matching SMK handshake "
643 : "found for SMK Error");
644 0 : return -1;
645 : }
646 : /* TODO: abort SMK/STK handshake and remove all related keys */
647 : }
648 :
649 3 : return 0;
650 : }
651 :
652 :
653 1 : static void wpa_supplicant_process_stk_1_of_4(struct wpa_sm *sm,
654 : struct wpa_peerkey *peerkey,
655 : const struct wpa_eapol_key *key,
656 : u16 ver)
657 : {
658 : struct wpa_eapol_ie_parse ie;
659 : const u8 *kde;
660 : size_t len, kde_buf_len;
661 : struct wpa_ptk *stk;
662 : u8 buf[8], *kde_buf, *pos;
663 : be32 lifetime;
664 :
665 7 : wpa_printf(MSG_DEBUG, "RSN: RX message 1 of STK 4-Way Handshake from "
666 6 : MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
667 :
668 1 : os_memset(&ie, 0, sizeof(ie));
669 :
670 : /* RSN: msg 1/4 should contain SMKID for the selected SMK */
671 1 : kde = (const u8 *) (key + 1);
672 1 : len = WPA_GET_BE16(key->key_data_length);
673 1 : wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", kde, len);
674 1 : if (wpa_supplicant_parse_ies(kde, len, &ie) < 0 || ie.pmkid == NULL) {
675 0 : wpa_printf(MSG_DEBUG, "RSN: No SMKID in STK 1/4");
676 0 : return;
677 : }
678 1 : if (os_memcmp(ie.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
679 0 : wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 1/4",
680 0 : ie.pmkid, PMKID_LEN);
681 0 : return;
682 : }
683 :
684 1 : if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) {
685 0 : wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
686 : "RSN: Failed to get random data for PNonce");
687 0 : return;
688 : }
689 1 : wpa_hexdump(MSG_DEBUG, "WPA: Renewed PNonce",
690 1 : peerkey->pnonce, WPA_NONCE_LEN);
691 :
692 : /* Calculate STK which will be stored as a temporary STK until it has
693 : * been verified when processing message 3/4. */
694 1 : stk = &peerkey->tstk;
695 2 : wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
696 1 : sm->own_addr, peerkey->addr,
697 1 : peerkey->pnonce, key->key_nonce,
698 : (u8 *) stk, sizeof(*stk),
699 : peerkey->use_sha256);
700 : /* Supplicant: swap tx/rx Mic keys */
701 1 : os_memcpy(buf, stk->u.auth.tx_mic_key, 8);
702 1 : os_memcpy(stk->u.auth.tx_mic_key, stk->u.auth.rx_mic_key, 8);
703 1 : os_memcpy(stk->u.auth.rx_mic_key, buf, 8);
704 1 : peerkey->tstk_set = 1;
705 :
706 1 : kde_buf_len = peerkey->rsnie_p_len +
707 : 2 + RSN_SELECTOR_LEN + sizeof(lifetime) +
708 : 2 + RSN_SELECTOR_LEN + PMKID_LEN;
709 1 : kde_buf = os_malloc(kde_buf_len);
710 1 : if (kde_buf == NULL)
711 0 : return;
712 1 : pos = kde_buf;
713 1 : pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
714 1 : lifetime = host_to_be32(peerkey->lifetime);
715 1 : pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
716 : (u8 *) &lifetime, sizeof(lifetime));
717 1 : wpa_add_kde(pos, RSN_KEY_DATA_PMKID, peerkey->smkid, PMKID_LEN);
718 :
719 1 : if (wpa_supplicant_send_2_of_4(sm, peerkey->addr, key, ver,
720 1 : peerkey->pnonce, kde_buf, kde_buf_len,
721 : stk)) {
722 0 : os_free(kde_buf);
723 0 : return;
724 : }
725 1 : os_free(kde_buf);
726 :
727 1 : os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
728 : }
729 :
730 :
731 2 : static void wpa_supplicant_update_smk_lifetime(struct wpa_sm *sm,
732 : struct wpa_peerkey *peerkey,
733 : struct wpa_eapol_ie_parse *kde)
734 : {
735 : u32 lifetime;
736 :
737 2 : if (kde->lifetime == NULL || kde->lifetime_len < sizeof(lifetime))
738 0 : return;
739 :
740 2 : lifetime = WPA_GET_BE32(kde->lifetime);
741 :
742 2 : if (lifetime >= peerkey->lifetime) {
743 2 : wpa_printf(MSG_DEBUG, "RSN: Peer used SMK lifetime %u seconds "
744 : "which is larger than or equal to own value %u "
745 : "seconds - ignored", lifetime, peerkey->lifetime);
746 2 : return;
747 : }
748 :
749 0 : wpa_printf(MSG_DEBUG, "RSN: Peer used shorter SMK lifetime %u seconds "
750 : "(own was %u seconds) - updated",
751 : lifetime, peerkey->lifetime);
752 0 : peerkey->lifetime = lifetime;
753 :
754 0 : eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
755 0 : eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
756 : sm, peerkey);
757 : }
758 :
759 :
760 1 : static void wpa_supplicant_process_stk_2_of_4(struct wpa_sm *sm,
761 : struct wpa_peerkey *peerkey,
762 : const struct wpa_eapol_key *key,
763 : u16 ver)
764 : {
765 : struct wpa_eapol_ie_parse kde;
766 : const u8 *keydata;
767 : size_t len;
768 :
769 7 : wpa_printf(MSG_DEBUG, "RSN: RX message 2 of STK 4-Way Handshake from "
770 6 : MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
771 :
772 1 : os_memset(&kde, 0, sizeof(kde));
773 :
774 : /* RSN: msg 2/4 should contain SMKID for the selected SMK and RSN IE
775 : * from the peer. It may also include Lifetime KDE. */
776 1 : keydata = (const u8 *) (key + 1);
777 1 : len = WPA_GET_BE16(key->key_data_length);
778 1 : wpa_hexdump(MSG_DEBUG, "RSN: msg 2/4 key data", keydata, len);
779 2 : if (wpa_supplicant_parse_ies(keydata, len, &kde) < 0 ||
780 2 : kde.pmkid == NULL || kde.rsn_ie == NULL) {
781 0 : wpa_printf(MSG_DEBUG, "RSN: No SMKID or RSN IE in STK 2/4");
782 0 : return;
783 : }
784 :
785 1 : if (os_memcmp(kde.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
786 0 : wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 2/4",
787 0 : kde.pmkid, PMKID_LEN);
788 0 : return;
789 : }
790 :
791 2 : if (kde.rsn_ie_len != peerkey->rsnie_p_len ||
792 1 : os_memcmp(kde.rsn_ie, peerkey->rsnie_p, kde.rsn_ie_len) != 0) {
793 0 : wpa_printf(MSG_INFO, "RSN: Peer RSN IE in SMK and STK "
794 : "handshakes did not match");
795 0 : wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in SMK handshake",
796 0 : peerkey->rsnie_p, peerkey->rsnie_p_len);
797 0 : wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in STK handshake",
798 0 : kde.rsn_ie, kde.rsn_ie_len);
799 0 : return;
800 : }
801 :
802 1 : wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
803 :
804 1 : wpa_supplicant_send_stk_3_of_4(sm, peerkey);
805 1 : os_memcpy(peerkey->pnonce, key->key_nonce, WPA_NONCE_LEN);
806 : }
807 :
808 :
809 1 : static void wpa_supplicant_process_stk_3_of_4(struct wpa_sm *sm,
810 : struct wpa_peerkey *peerkey,
811 : const struct wpa_eapol_key *key,
812 : u16 ver)
813 : {
814 : struct wpa_eapol_ie_parse kde;
815 : const u8 *keydata;
816 : size_t len, key_len;
817 : const u8 *_key;
818 : u8 key_buf[32], rsc[6];
819 :
820 7 : wpa_printf(MSG_DEBUG, "RSN: RX message 3 of STK 4-Way Handshake from "
821 6 : MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
822 :
823 1 : os_memset(&kde, 0, sizeof(kde));
824 :
825 : /* RSN: msg 3/4 should contain Initiator RSN IE. It may also include
826 : * Lifetime KDE. */
827 1 : keydata = (const u8 *) (key + 1);
828 1 : len = WPA_GET_BE16(key->key_data_length);
829 1 : wpa_hexdump(MSG_DEBUG, "RSN: msg 3/4 key data", keydata, len);
830 1 : if (wpa_supplicant_parse_ies(keydata, len, &kde) < 0) {
831 0 : wpa_printf(MSG_DEBUG, "RSN: Failed to parse key data in "
832 : "STK 3/4");
833 0 : return;
834 : }
835 :
836 2 : if (kde.rsn_ie_len != peerkey->rsnie_i_len ||
837 1 : os_memcmp(kde.rsn_ie, peerkey->rsnie_i, kde.rsn_ie_len) != 0) {
838 0 : wpa_printf(MSG_INFO, "RSN: Initiator RSN IE in SMK and STK "
839 : "handshakes did not match");
840 0 : wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in SMK "
841 : "handshake",
842 0 : peerkey->rsnie_i, peerkey->rsnie_i_len);
843 0 : wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in STK "
844 : "handshake",
845 0 : kde.rsn_ie, kde.rsn_ie_len);
846 0 : return;
847 : }
848 :
849 1 : if (os_memcmp(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
850 0 : wpa_printf(MSG_WARNING, "RSN: INonce from message 1 of STK "
851 : "4-Way Handshake differs from 3 of STK 4-Way "
852 : "Handshake - drop packet (src=" MACSTR ")",
853 0 : MAC2STR(peerkey->addr));
854 0 : return;
855 : }
856 :
857 1 : wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
858 :
859 2 : if (wpa_supplicant_send_4_of_4(sm, peerkey->addr, key, ver,
860 1 : WPA_GET_BE16(key->key_info),
861 : &peerkey->stk))
862 0 : return;
863 :
864 1 : _key = (u8 *) peerkey->stk.tk1;
865 1 : if (peerkey->cipher == WPA_CIPHER_TKIP) {
866 : /* Swap Tx/Rx keys for Michael MIC */
867 0 : os_memcpy(key_buf, _key, 16);
868 0 : os_memcpy(key_buf + 16, peerkey->stk.u.auth.rx_mic_key, 8);
869 0 : os_memcpy(key_buf + 24, peerkey->stk.u.auth.tx_mic_key, 8);
870 0 : _key = key_buf;
871 0 : key_len = 32;
872 : } else
873 1 : key_len = 16;
874 :
875 1 : os_memset(rsc, 0, 6);
876 1 : if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
877 : rsc, sizeof(rsc), _key, key_len) < 0) {
878 1 : wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
879 : "driver.");
880 1 : return;
881 : }
882 : }
883 :
884 :
885 1 : static void wpa_supplicant_process_stk_4_of_4(struct wpa_sm *sm,
886 : struct wpa_peerkey *peerkey,
887 : const struct wpa_eapol_key *key,
888 : u16 ver)
889 : {
890 : u8 rsc[6];
891 :
892 7 : wpa_printf(MSG_DEBUG, "RSN: RX message 4 of STK 4-Way Handshake from "
893 6 : MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
894 :
895 1 : os_memset(rsc, 0, 6);
896 2 : if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
897 1 : rsc, sizeof(rsc), (u8 *) peerkey->stk.tk1,
898 1 : peerkey->cipher == WPA_CIPHER_TKIP ? 32 : 16) < 0) {
899 1 : wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
900 : "driver.");
901 1 : return;
902 : }
903 : }
904 :
905 :
906 : /**
907 : * peerkey_verify_eapol_key_mic - Verify PeerKey MIC
908 : * @sm: Pointer to WPA state machine data from wpa_sm_init()
909 : * @peerkey: Pointer to the PeerKey data for the peer
910 : * @key: Pointer to the EAPOL-Key frame header
911 : * @ver: Version bits from EAPOL-Key Key Info
912 : * @buf: Pointer to the beginning of EAPOL-Key frame
913 : * @len: Length of the EAPOL-Key frame
914 : * Returns: 0 on success, -1 on failure
915 : */
916 3 : int peerkey_verify_eapol_key_mic(struct wpa_sm *sm,
917 : struct wpa_peerkey *peerkey,
918 : struct wpa_eapol_key *key, u16 ver,
919 : const u8 *buf, size_t len)
920 : {
921 : u8 mic[16];
922 3 : int ok = 0;
923 :
924 3 : if (peerkey->initiator && !peerkey->stk_set) {
925 2 : wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
926 1 : sm->own_addr, peerkey->addr,
927 1 : peerkey->inonce, key->key_nonce,
928 1 : (u8 *) &peerkey->stk, sizeof(peerkey->stk),
929 : peerkey->use_sha256);
930 1 : peerkey->stk_set = 1;
931 : }
932 :
933 3 : os_memcpy(mic, key->key_mic, 16);
934 3 : if (peerkey->tstk_set) {
935 1 : os_memset(key->key_mic, 0, 16);
936 1 : wpa_eapol_key_mic(peerkey->tstk.kck, ver, buf, len,
937 1 : key->key_mic);
938 1 : if (os_memcmp(mic, key->key_mic, 16) != 0) {
939 0 : wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
940 : "when using TSTK - ignoring TSTK");
941 : } else {
942 1 : ok = 1;
943 1 : peerkey->tstk_set = 0;
944 1 : peerkey->stk_set = 1;
945 1 : os_memcpy(&peerkey->stk, &peerkey->tstk,
946 : sizeof(peerkey->stk));
947 : }
948 : }
949 :
950 3 : if (!ok && peerkey->stk_set) {
951 2 : os_memset(key->key_mic, 0, 16);
952 2 : wpa_eapol_key_mic(peerkey->stk.kck, ver, buf, len,
953 2 : key->key_mic);
954 2 : if (os_memcmp(mic, key->key_mic, 16) != 0) {
955 0 : wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
956 : "- dropping packet");
957 0 : return -1;
958 : }
959 2 : ok = 1;
960 : }
961 :
962 3 : if (!ok) {
963 0 : wpa_printf(MSG_WARNING, "RSN: Could not verify EAPOL-Key MIC "
964 : "- dropping packet");
965 0 : return -1;
966 : }
967 :
968 3 : os_memcpy(peerkey->replay_counter, key->replay_counter,
969 : WPA_REPLAY_COUNTER_LEN);
970 3 : peerkey->replay_counter_set = 1;
971 3 : return 0;
972 : }
973 :
974 :
975 : /**
976 : * wpa_sm_stkstart - Send EAPOL-Key Request for STK handshake (STK M1)
977 : * @sm: Pointer to WPA state machine data from wpa_sm_init()
978 : * @peer: MAC address of the peer STA
979 : * Returns: 0 on success, or -1 on failure
980 : *
981 : * Send an EAPOL-Key Request to the current authenticator to start STK
982 : * handshake with the peer.
983 : */
984 5 : int wpa_sm_stkstart(struct wpa_sm *sm, const u8 *peer)
985 : {
986 : size_t rlen, kde_len;
987 : struct wpa_eapol_key *req;
988 : int key_info, ver;
989 : u8 bssid[ETH_ALEN], *rbuf, *pos, *count_pos;
990 : u16 count;
991 : struct rsn_ie_hdr *hdr;
992 : struct wpa_peerkey *peerkey;
993 : struct wpa_ie_data ie;
994 :
995 5 : if (sm->proto != WPA_PROTO_RSN || !sm->ptk_set || !sm->peerkey_enabled)
996 1 : return -1;
997 :
998 8 : if (sm->ap_rsn_ie &&
999 8 : wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &ie) == 0 &&
1000 4 : !(ie.capabilities & WPA_CAPABILITY_PEERKEY_ENABLED)) {
1001 0 : wpa_printf(MSG_DEBUG, "RSN: Current AP does not support STK");
1002 0 : return -1;
1003 : }
1004 :
1005 4 : if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
1006 3 : ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1007 : else
1008 1 : ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1009 :
1010 4 : if (wpa_sm_get_bssid(sm, bssid) < 0) {
1011 0 : wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key "
1012 : "SMK M1");
1013 0 : return -1;
1014 : }
1015 :
1016 : /* TODO: find existing entry and if found, use that instead of adding
1017 : * a new one */
1018 4 : peerkey = os_zalloc(sizeof(*peerkey));
1019 4 : if (peerkey == NULL)
1020 0 : return -1;
1021 4 : peerkey->initiator = 1;
1022 4 : os_memcpy(peerkey->addr, peer, ETH_ALEN);
1023 : #ifdef CONFIG_IEEE80211W
1024 4 : if (wpa_key_mgmt_sha256(sm->key_mgmt))
1025 0 : peerkey->use_sha256 = 1;
1026 : #endif /* CONFIG_IEEE80211W */
1027 :
1028 : /* SMK M1:
1029 : * EAPOL-Key(S=1, M=1, A=0, I=0, K=0, SM=1, KeyRSC=0, Nonce=INonce,
1030 : * MIC=MIC, DataKDs=(RSNIE_I, MAC_P KDE))
1031 : */
1032 :
1033 4 : hdr = (struct rsn_ie_hdr *) peerkey->rsnie_i;
1034 4 : hdr->elem_id = WLAN_EID_RSN;
1035 4 : WPA_PUT_LE16(hdr->version, RSN_VERSION);
1036 4 : pos = (u8 *) (hdr + 1);
1037 : /* Group Suite can be anything for SMK RSN IE; receiver will just
1038 : * ignore it. */
1039 4 : RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1040 4 : pos += RSN_SELECTOR_LEN;
1041 4 : count_pos = pos;
1042 4 : pos += 2;
1043 :
1044 4 : count = rsn_cipher_put_suites(pos, sm->allowed_pairwise_cipher);
1045 4 : pos += count * RSN_SELECTOR_LEN;
1046 4 : WPA_PUT_LE16(count_pos, count);
1047 :
1048 4 : hdr->len = (pos - peerkey->rsnie_i) - 2;
1049 4 : peerkey->rsnie_i_len = pos - peerkey->rsnie_i;
1050 8 : wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
1051 4 : peerkey->rsnie_i, peerkey->rsnie_i_len);
1052 :
1053 4 : kde_len = peerkey->rsnie_i_len + 2 + RSN_SELECTOR_LEN + ETH_ALEN;
1054 :
1055 4 : rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1056 : sizeof(*req) + kde_len, &rlen,
1057 : (void *) &req);
1058 4 : if (rbuf == NULL) {
1059 0 : wpa_supplicant_peerkey_free(sm, peerkey);
1060 0 : return -1;
1061 : }
1062 :
1063 4 : req->type = EAPOL_KEY_TYPE_RSN;
1064 4 : key_info = WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
1065 : WPA_KEY_INFO_SECURE | WPA_KEY_INFO_REQUEST | ver;
1066 4 : WPA_PUT_BE16(req->key_info, key_info);
1067 4 : WPA_PUT_BE16(req->key_length, 0);
1068 4 : os_memcpy(req->replay_counter, sm->request_counter,
1069 : WPA_REPLAY_COUNTER_LEN);
1070 4 : inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
1071 :
1072 4 : if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) {
1073 0 : wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1074 : "WPA: Failed to get random data for INonce");
1075 0 : os_free(rbuf);
1076 0 : wpa_supplicant_peerkey_free(sm, peerkey);
1077 0 : return -1;
1078 : }
1079 4 : os_memcpy(req->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
1080 4 : wpa_hexdump(MSG_DEBUG, "WPA: INonce for SMK handshake",
1081 4 : req->key_nonce, WPA_NONCE_LEN);
1082 :
1083 4 : WPA_PUT_BE16(req->key_data_length, (u16) kde_len);
1084 4 : pos = (u8 *) (req + 1);
1085 :
1086 : /* Initiator RSN IE */
1087 4 : pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
1088 : /* Peer MAC address KDE */
1089 4 : wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
1090 :
1091 24 : wpa_printf(MSG_INFO, "RSN: Sending EAPOL-Key SMK M1 Request (peer "
1092 24 : MACSTR ")", MAC2STR(peer));
1093 4 : wpa_eapol_key_send(sm, sm->ptk.kck, ver, bssid, ETH_P_EAPOL,
1094 4 : rbuf, rlen, req->key_mic);
1095 :
1096 4 : peerkey->next = sm->peerkey;
1097 4 : sm->peerkey = peerkey;
1098 :
1099 4 : return 0;
1100 : }
1101 :
1102 :
1103 : /**
1104 : * peerkey_deinit - Free PeerKey values
1105 : * @sm: Pointer to WPA state machine data from wpa_sm_init()
1106 : */
1107 1163 : void peerkey_deinit(struct wpa_sm *sm)
1108 : {
1109 1163 : struct wpa_peerkey *prev, *peerkey = sm->peerkey;
1110 2331 : while (peerkey) {
1111 5 : prev = peerkey;
1112 5 : peerkey = peerkey->next;
1113 5 : wpa_supplicant_peerkey_free(sm, prev);
1114 : }
1115 1163 : sm->peerkey = NULL;
1116 1163 : }
1117 :
1118 :
1119 4 : void peerkey_rx_eapol_4way(struct wpa_sm *sm, struct wpa_peerkey *peerkey,
1120 : struct wpa_eapol_key *key, u16 key_info, u16 ver)
1121 : {
1122 4 : if ((key_info & (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) ==
1123 : (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) {
1124 : /* 3/4 STK 4-Way Handshake */
1125 1 : wpa_supplicant_process_stk_3_of_4(sm, peerkey, key, ver);
1126 3 : } else if (key_info & WPA_KEY_INFO_ACK) {
1127 : /* 1/4 STK 4-Way Handshake */
1128 1 : wpa_supplicant_process_stk_1_of_4(sm, peerkey, key, ver);
1129 2 : } else if (key_info & WPA_KEY_INFO_SECURE) {
1130 : /* 4/4 STK 4-Way Handshake */
1131 1 : wpa_supplicant_process_stk_4_of_4(sm, peerkey, key, ver);
1132 : } else {
1133 : /* 2/4 STK 4-Way Handshake */
1134 1 : wpa_supplicant_process_stk_2_of_4(sm, peerkey, key, ver);
1135 : }
1136 4 : }
1137 :
1138 :
1139 8 : void peerkey_rx_eapol_smk(struct wpa_sm *sm, const u8 *src_addr,
1140 : struct wpa_eapol_key *key, size_t extra_len,
1141 : u16 key_info, u16 ver)
1142 : {
1143 8 : if (key_info & WPA_KEY_INFO_ERROR) {
1144 : /* SMK Error */
1145 3 : wpa_supplicant_process_smk_error(sm, src_addr, key, extra_len);
1146 5 : } else if (key_info & WPA_KEY_INFO_ACK) {
1147 : /* SMK M2 */
1148 3 : wpa_supplicant_process_smk_m2(sm, src_addr, key, extra_len,
1149 : ver);
1150 : } else {
1151 : /* SMK M4 or M5 */
1152 2 : wpa_supplicant_process_smk_m45(sm, src_addr, key, extra_len,
1153 : ver);
1154 : }
1155 8 : }
1156 :
1157 : #endif /* CONFIG_PEERKEY */
|
