contrib/hostapd/src/rsn_supp/peerkey.c

   1 /*
   2  * WPA Supplicant - PeerKey for Direct Link Setup (DLS)
   3  * Copyright (c) 2006-2008, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #ifdef CONFIG_PEERKEY
  12
  13 #include "common.h"
  14 #include "eloop.h"
  15 #include "crypto/sha1.h"
  16 #include "crypto/sha256.h"
  17 #include "crypto/random.h"
  18 #include "common/ieee802_11_defs.h"
  19 #include "wpa.h"
  20 #include "wpa_i.h"
  21 #include "wpa_ie.h"
  22 #include "peerkey.h"
  23
  24
  25 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
  26 {
  27         os_memcpy(pos, ie, ie_len);
  28         return pos + ie_len;
  29 }
  30
  31
  32 static u8 * wpa_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
  33 {
  34         *pos++ = WLAN_EID_VENDOR_SPECIFIC;
  35         *pos++ = RSN_SELECTOR_LEN + data_len;
  36         RSN_SELECTOR_PUT(pos, kde);
  37         pos += RSN_SELECTOR_LEN;
  38         os_memcpy(pos, data, data_len);
  39         pos += data_len;
  40         return pos;
  41 }
  42
  43
  44 static void wpa_supplicant_smk_timeout(void *eloop_ctx, void *timeout_ctx)
  45 {
  46 #if 0
  47         struct wpa_sm *sm = eloop_ctx;
  48         struct wpa_peerkey *peerkey = timeout_ctx;
  49 #endif
  50         /* TODO: time out SMK and any STK that was generated using this SMK */
  51 }
  52
  53
  54 static void wpa_supplicant_peerkey_free(struct wpa_sm *sm,
  55                                         struct wpa_peerkey *peerkey)
  56 {
  57         eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
  58         os_free(peerkey);
  59 }
  60
  61
  62 static int wpa_supplicant_send_smk_error(struct wpa_sm *sm, const u8 *dst,
  63                                          const u8 *peer,
  64                                          u16 mui, u16 error_type, int ver)
  65 {
  66         size_t rlen;
  67         struct wpa_eapol_key *err;
  68         struct rsn_error_kde error;
  69         u8 *rbuf, *pos;
  70         size_t kde_len;
  71         u16 key_info;
  72
  73         kde_len = 2 + RSN_SELECTOR_LEN + sizeof(error);
  74         if (peer)
  75                 kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
  76
  77         rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
  78                                   NULL, sizeof(*err) + kde_len, &rlen,
  79                                   (void *) &err);
  80         if (rbuf == NULL)
  81                 return -1;
  82
  83         err->type = EAPOL_KEY_TYPE_RSN;
  84         key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
  85                 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_ERROR |
  86                 WPA_KEY_INFO_REQUEST;
  87         WPA_PUT_BE16(err->key_info, key_info);
  88         WPA_PUT_BE16(err->key_length, 0);
  89         os_memcpy(err->replay_counter, sm->request_counter,
  90                   WPA_REPLAY_COUNTER_LEN);
  91         inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
  92
  93         WPA_PUT_BE16(err->key_data_length, (u16) kde_len);
  94         pos = (u8 *) (err + 1);
  95
  96         if (peer) {
  97                 /* Peer MAC Address KDE */
  98                 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
  99         }
 100
 101         /* Error KDE */
 102         error.mui = host_to_be16(mui);
 103         error.error_type = host_to_be16(error_type);
 104         wpa_add_kde(pos, RSN_KEY_DATA_ERROR, (u8 *) &error, sizeof(error));
 105
 106         if (peer) {
 107                 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error (peer "
 108                            MACSTR " mui %d error_type %d)",
 109                            MAC2STR(peer), mui, error_type);
 110         } else {
 111                 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error "
 112                            "(mui %d error_type %d)", mui, error_type);
 113         }
 114
 115         wpa_eapol_key_send(sm, sm->ptk.kck, ver, dst, ETH_P_EAPOL,
 116                            rbuf, rlen, err->key_mic);
 117
 118         return 0;
 119 }
 120
 121
 122 static int wpa_supplicant_send_smk_m3(struct wpa_sm *sm,
 123                                       const unsigned char *src_addr,
 124                                       const struct wpa_eapol_key *key,
 125                                       int ver, struct wpa_peerkey *peerkey)
 126 {
 127         size_t rlen;
 128         struct wpa_eapol_key *reply;
 129         u8 *rbuf, *pos;
 130         size_t kde_len;
 131         u16 key_info;
 132
 133         /* KDEs: Peer RSN IE, Initiator MAC Address, Initiator Nonce */
 134         kde_len = peerkey->rsnie_p_len +
 135                 2 + RSN_SELECTOR_LEN + ETH_ALEN +
 136                 2 + RSN_SELECTOR_LEN + WPA_NONCE_LEN;
 137
 138         rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
 139                                   NULL, sizeof(*reply) + kde_len, &rlen,
 140                                   (void *) &reply);
 141         if (rbuf == NULL)
 142                 return -1;
 143
 144         reply->type = EAPOL_KEY_TYPE_RSN;
 145         key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
 146                 WPA_KEY_INFO_SECURE;
 147         WPA_PUT_BE16(reply->key_info, key_info);
 148         WPA_PUT_BE16(reply->key_length, 0);
 149         os_memcpy(reply->replay_counter, key->replay_counter,
 150                   WPA_REPLAY_COUNTER_LEN);
 151
 152         os_memcpy(reply->key_nonce, peerkey->pnonce, WPA_NONCE_LEN);
 153
 154         WPA_PUT_BE16(reply->key_data_length, (u16) kde_len);
 155         pos = (u8 *) (reply + 1);
 156
 157         /* Peer RSN IE */
 158         pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
 159
 160         /* Initiator MAC Address KDE */
 161         pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peerkey->addr, ETH_ALEN);
 162
 163         /* Initiator Nonce */
 164         wpa_add_kde(pos, RSN_KEY_DATA_NONCE, peerkey->inonce, WPA_NONCE_LEN);
 165
 166         wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK M3");
 167         wpa_eapol_key_send(sm, sm->ptk.kck, ver, src_addr, ETH_P_EAPOL,
 168                            rbuf, rlen, reply->key_mic);
 169
 170         return 0;
 171 }
 172
 173
 174 static int wpa_supplicant_process_smk_m2(
 175         struct wpa_sm *sm, const unsigned char *src_addr,
 176         const struct wpa_eapol_key *key, size_t extra_len, int ver)
 177 {
 178         struct wpa_peerkey *peerkey;
 179         struct wpa_eapol_ie_parse kde;
 180         struct wpa_ie_data ie;
 181         int cipher;
 182         struct rsn_ie_hdr *hdr;
 183         u8 *pos;
 184
 185         wpa_printf(MSG_DEBUG, "RSN: Received SMK M2");
 186
 187         if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
 188                 wpa_printf(MSG_INFO, "RSN: SMK handshake not allowed for "
 189                            "the current network");
 190                 return -1;
 191         }
 192
 193         if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
 194             0) {
 195                 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M2");
 196                 return -1;
 197         }
 198
 199         if (kde.rsn_ie == NULL || kde.mac_addr == NULL ||
 200             kde.mac_addr_len < ETH_ALEN) {
 201                 wpa_printf(MSG_INFO, "RSN: No RSN IE or MAC address KDE in "
 202                            "SMK M2");
 203                 return -1;
 204         }
 205
 206         wpa_printf(MSG_DEBUG, "RSN: SMK M2 - SMK initiator " MACSTR,
 207                    MAC2STR(kde.mac_addr));
 208
 209         if (kde.rsn_ie_len > PEERKEY_MAX_IE_LEN) {
 210                 wpa_printf(MSG_INFO, "RSN: Too long Initiator RSN IE in SMK "
 211                            "M2");
 212                 return -1;
 213         }
 214
 215         if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
 216                 wpa_printf(MSG_INFO, "RSN: Failed to parse RSN IE in SMK M2");
 217                 return -1;
 218         }
 219
 220         cipher = wpa_pick_pairwise_cipher(ie.pairwise_cipher &
 221                                           sm->allowed_pairwise_cipher, 0);
 222         if (cipher < 0) {
 223                 wpa_printf(MSG_INFO, "RSN: No acceptable cipher in SMK M2");
 224                 wpa_supplicant_send_smk_error(sm, src_addr, kde.mac_addr,
 225                                               STK_MUI_SMK, STK_ERR_CPHR_NS,
 226                                               ver);
 227                 return -1;
 228         }
 229         wpa_printf(MSG_DEBUG, "RSN: Using %s for PeerKey",
 230                    wpa_cipher_txt(cipher));
 231
 232         /* TODO: find existing entry and if found, use that instead of adding
 233          * a new one; how to handle the case where both ends initiate at the
 234          * same time? */
 235         peerkey = os_zalloc(sizeof(*peerkey));
 236         if (peerkey == NULL)
 237                 return -1;
 238         os_memcpy(peerkey->addr, kde.mac_addr, ETH_ALEN);
 239         os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
 240         os_memcpy(peerkey->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
 241         peerkey->rsnie_i_len = kde.rsn_ie_len;
 242         peerkey->cipher = cipher;
 243 #ifdef CONFIG_IEEE80211W
 244         if (ie.key_mgmt & (WPA_KEY_MGMT_IEEE8021X_SHA256 |
 245                            WPA_KEY_MGMT_PSK_SHA256))
 246                 peerkey->use_sha256 = 1;
 247 #endif /* CONFIG_IEEE80211W */
 248
 249         if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) {
 250                 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
 251                         "WPA: Failed to get random data for PNonce");
 252                 wpa_supplicant_peerkey_free(sm, peerkey);
 253                 return -1;
 254         }
 255
 256         hdr = (struct rsn_ie_hdr *) peerkey->rsnie_p;
 257         hdr->elem_id = WLAN_EID_RSN;
 258         WPA_PUT_LE16(hdr->version, RSN_VERSION);
 259         pos = (u8 *) (hdr + 1);
 260         /* Group Suite can be anything for SMK RSN IE; receiver will just
 261          * ignore it. */
 262         RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
 263         pos += RSN_SELECTOR_LEN;
 264         /* Include only the selected cipher in pairwise cipher suite */
 265         WPA_PUT_LE16(pos, 1);
 266         pos += 2;
 267         RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, cipher));
 268         pos += RSN_SELECTOR_LEN;
 269
 270         hdr->len = (pos - peerkey->rsnie_p) - 2;
 271         peerkey->rsnie_p_len = pos - peerkey->rsnie_p;
 272         wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
 273                     peerkey->rsnie_p, peerkey->rsnie_p_len);
 274
 275         wpa_supplicant_send_smk_m3(sm, src_addr, key, ver, peerkey);
 276
 277         peerkey->next = sm->peerkey;
 278         sm->peerkey = peerkey;
 279
 280         return 0;
 281 }
 282
 283
 284 /**
 285  * rsn_smkid - Derive SMK identifier
 286  * @smk: Station master key (32 bytes)
 287  * @pnonce: Peer Nonce
 288  * @mac_p: Peer MAC address
 289  * @inonce: Initiator Nonce
 290  * @mac_i: Initiator MAC address
 291  * @use_sha256: Whether to use SHA256-based KDF
 292  *
 293  * 8.5.1.4 Station to station (STK) key hierarchy
 294  * SMKID = HMAC-SHA1-128(SMK, "SMK Name" || PNonce || MAC_P || INonce || MAC_I)
 295  */
 296 static void rsn_smkid(const u8 *smk, const u8 *pnonce, const u8 *mac_p,
 297                       const u8 *inonce, const u8 *mac_i, u8 *smkid,
 298                       int use_sha256)
 299 {
 300         char *title = "SMK Name";
 301         const u8 *addr[5];
 302         const size_t len[5] = { 8, WPA_NONCE_LEN, ETH_ALEN, WPA_NONCE_LEN,
 303                                 ETH_ALEN };
 304         unsigned char hash[SHA256_MAC_LEN];
 305
 306         addr[0] = (u8 *) title;
 307         addr[1] = pnonce;
 308         addr[2] = mac_p;
 309         addr[3] = inonce;
 310         addr[4] = mac_i;
 311
 312 #ifdef CONFIG_IEEE80211W
 313         if (use_sha256)
 314                 hmac_sha256_vector(smk, PMK_LEN, 5, addr, len, hash);
 315         else
 316 #endif /* CONFIG_IEEE80211W */
 317                 hmac_sha1_vector(smk, PMK_LEN, 5, addr, len, hash);
 318         os_memcpy(smkid, hash, PMKID_LEN);
 319 }
 320
 321
 322 static void wpa_supplicant_send_stk_1_of_4(struct wpa_sm *sm,
 323                                            struct wpa_peerkey *peerkey)
 324 {
 325         size_t mlen;
 326         struct wpa_eapol_key *msg;
 327         u8 *mbuf;
 328         size_t kde_len;
 329         u16 key_info, ver;
 330
 331         kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
 332
 333         mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
 334                                   sizeof(*msg) + kde_len, &mlen,
 335                                   (void *) &msg);
 336         if (mbuf == NULL)
 337                 return;
 338
 339         msg->type = EAPOL_KEY_TYPE_RSN;
 340
 341         if (peerkey->cipher != WPA_CIPHER_TKIP)
 342                 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
 343         else
 344                 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
 345
 346         key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK;
 347         WPA_PUT_BE16(msg->key_info, key_info);
 348
 349         if (peerkey->cipher != WPA_CIPHER_TKIP)
 350                 WPA_PUT_BE16(msg->key_length, 16);
 351         else
 352                 WPA_PUT_BE16(msg->key_length, 32);
 353
 354         os_memcpy(msg->replay_counter, peerkey->replay_counter,
 355                   WPA_REPLAY_COUNTER_LEN);
 356         inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
 357
 358         WPA_PUT_BE16(msg->key_data_length, kde_len);
 359         wpa_add_kde((u8 *) (msg + 1), RSN_KEY_DATA_PMKID,
 360                     peerkey->smkid, PMKID_LEN);
 361
 362         if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) {
 363                 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
 364                         "RSN: Failed to get random data for INonce (STK)");
 365                 os_free(mbuf);
 366                 return;
 367         }
 368         wpa_hexdump(MSG_DEBUG, "RSN: INonce for STK 4-Way Handshake",
 369                     peerkey->inonce, WPA_NONCE_LEN);
 370         os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
 371
 372         wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 1/4 to " MACSTR,
 373                    MAC2STR(peerkey->addr));
 374         wpa_eapol_key_send(sm, NULL, ver, peerkey->addr, ETH_P_EAPOL,
 375                            mbuf, mlen, NULL);
 376 }
 377
 378
 379 static void wpa_supplicant_send_stk_3_of_4(struct wpa_sm *sm,
 380                                            struct wpa_peerkey *peerkey)
 381 {
 382         size_t mlen;
 383         struct wpa_eapol_key *msg;
 384         u8 *mbuf, *pos;
 385         size_t kde_len;
 386         u16 key_info, ver;
 387         be32 lifetime;
 388
 389         kde_len = peerkey->rsnie_i_len +
 390                 2 + RSN_SELECTOR_LEN + sizeof(lifetime);
 391
 392         mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
 393                                   sizeof(*msg) + kde_len, &mlen,
 394                                   (void *) &msg);
 395         if (mbuf == NULL)
 396                 return;
 397
 398         msg->type = EAPOL_KEY_TYPE_RSN;
 399
 400         if (peerkey->cipher != WPA_CIPHER_TKIP)
 401                 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
 402         else
 403                 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
 404
 405         key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK |
 406                 WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE;
 407         WPA_PUT_BE16(msg->key_info, key_info);
 408
 409         if (peerkey->cipher != WPA_CIPHER_TKIP)
 410                 WPA_PUT_BE16(msg->key_length, 16);
 411         else
 412                 WPA_PUT_BE16(msg->key_length, 32);
 413
 414         os_memcpy(msg->replay_counter, peerkey->replay_counter,
 415                   WPA_REPLAY_COUNTER_LEN);
 416         inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
 417
 418         WPA_PUT_BE16(msg->key_data_length, kde_len);
 419         pos = (u8 *) (msg + 1);
 420         pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
 421         lifetime = host_to_be32(peerkey->lifetime);
 422         wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
 423                     (u8 *) &lifetime, sizeof(lifetime));
 424
 425         os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
 426
 427         wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 3/4 to " MACSTR,
 428                    MAC2STR(peerkey->addr));
 429         wpa_eapol_key_send(sm, peerkey->stk.kck, ver, peerkey->addr,
 430                            ETH_P_EAPOL, mbuf, mlen, msg->key_mic);
 431 }
 432
 433
 434 static int wpa_supplicant_process_smk_m4(struct wpa_peerkey *peerkey,
 435                                          struct wpa_eapol_ie_parse *kde)
 436 {
 437         wpa_printf(MSG_DEBUG, "RSN: Received SMK M4 (Initiator " MACSTR ")",
 438                    MAC2STR(kde->mac_addr));
 439
 440         if (os_memcmp(kde->smk + PMK_LEN, peerkey->pnonce, WPA_NONCE_LEN) != 0)
 441         {
 442                 wpa_printf(MSG_INFO, "RSN: PNonce in SMK KDE does not "
 443                            "match with the one used in SMK M3");
 444                 return -1;
 445         }
 446
 447         if (os_memcmp(kde->nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) {
 448                 wpa_printf(MSG_INFO, "RSN: INonce in SMK M4 did not "
 449                            "match with the one received in SMK M2");
 450                 return -1;
 451         }
 452
 453         return 0;
 454 }
 455
 456
 457 static int wpa_supplicant_process_smk_m5(struct wpa_sm *sm,
 458                                          const unsigned char *src_addr,
 459                                          const struct wpa_eapol_key *key,
 460                                          int ver,
 461                                          struct wpa_peerkey *peerkey,
 462                                          struct wpa_eapol_ie_parse *kde)
 463 {
 464         int cipher;
 465         struct wpa_ie_data ie;
 466
 467         wpa_printf(MSG_DEBUG, "RSN: Received SMK M5 (Peer " MACSTR ")",
 468                    MAC2STR(kde->mac_addr));
 469         if (kde->rsn_ie == NULL || kde->rsn_ie_len > PEERKEY_MAX_IE_LEN ||
 470             wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0) {
 471                 wpa_printf(MSG_INFO, "RSN: No RSN IE in SMK M5");
 472                 /* TODO: abort negotiation */
 473                 return -1;
 474         }
 475
 476         if (os_memcmp(key->key_nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) {
 477                 wpa_printf(MSG_INFO, "RSN: Key Nonce in SMK M5 does "
 478                            "not match with INonce used in SMK M1");
 479                 return -1;
 480         }
 481
 482         if (os_memcmp(kde->smk + PMK_LEN, peerkey->inonce, WPA_NONCE_LEN) != 0)
 483         {
 484                 wpa_printf(MSG_INFO, "RSN: INonce in SMK KDE does not "
 485                            "match with the one used in SMK M1");
 486                 return -1;
 487         }
 488
 489         os_memcpy(peerkey->rsnie_p, kde->rsn_ie, kde->rsn_ie_len);
 490         peerkey->rsnie_p_len = kde->rsn_ie_len;
 491         os_memcpy(peerkey->pnonce, kde->nonce, WPA_NONCE_LEN);
 492
 493         cipher = wpa_pick_pairwise_cipher(ie.pairwise_cipher &
 494                                           sm->allowed_pairwise_cipher, 0);
 495         if (cipher < 0) {
 496                 wpa_printf(MSG_INFO, "RSN: SMK Peer STA " MACSTR " selected "
 497                            "unacceptable cipher", MAC2STR(kde->mac_addr));
 498                 wpa_supplicant_send_smk_error(sm, src_addr, kde->mac_addr,
 499                                               STK_MUI_SMK, STK_ERR_CPHR_NS,
 500                                               ver);
 501                 /* TODO: abort negotiation */
 502                 return -1;
 503         }
 504         wpa_printf(MSG_DEBUG, "RSN: Using %s for PeerKey",
 505                    wpa_cipher_txt(cipher));
 506         peerkey->cipher = cipher;
 507
 508         return 0;
 509 }
 510
 511
 512 static int wpa_supplicant_process_smk_m45(
 513         struct wpa_sm *sm, const unsigned char *src_addr,
 514         const struct wpa_eapol_key *key, size_t extra_len, int ver)
 515 {
 516         struct wpa_peerkey *peerkey;
 517         struct wpa_eapol_ie_parse kde;
 518         u32 lifetime;
 519
 520         if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
 521                 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
 522                            "the current network");
 523                 return -1;
 524         }
 525
 526         if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
 527             0) {
 528                 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M4/M5");
 529                 return -1;
 530         }
 531
 532         if (kde.mac_addr == NULL || kde.mac_addr_len < ETH_ALEN ||
 533             kde.nonce == NULL || kde.nonce_len < WPA_NONCE_LEN ||
 534             kde.smk == NULL || kde.smk_len < PMK_LEN + WPA_NONCE_LEN ||
 535             kde.lifetime == NULL || kde.lifetime_len < 4) {
 536                 wpa_printf(MSG_INFO, "RSN: No MAC Address, Nonce, SMK, or "
 537                            "Lifetime KDE in SMK M4/M5");
 538                 return -1;
 539         }
 540
 541         for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
 542                 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) == 0 &&
 543                     os_memcmp(peerkey->initiator ? peerkey->inonce :
 544                            peerkey->pnonce,
 545                            key->key_nonce, WPA_NONCE_LEN) == 0)
 546                         break;
 547         }
 548         if (peerkey == NULL) {
 549                 wpa_printf(MSG_INFO, "RSN: No matching SMK handshake found "
 550                            "for SMK M4/M5: peer " MACSTR,
 551                            MAC2STR(kde.mac_addr));
 552                 return -1;
 553         }
 554
 555         if (peerkey->initiator) {
 556                 if (wpa_supplicant_process_smk_m5(sm, src_addr, key, ver,
 557                                                   peerkey, &kde) < 0)
 558                         return -1;
 559         } else {
 560                 if (wpa_supplicant_process_smk_m4(peerkey, &kde) < 0)
 561                         return -1;
 562         }
 563
 564         os_memcpy(peerkey->smk, kde.smk, PMK_LEN);
 565         peerkey->smk_complete = 1;
 566         wpa_hexdump_key(MSG_DEBUG, "RSN: SMK", peerkey->smk, PMK_LEN);
 567         lifetime = WPA_GET_BE32(kde.lifetime);
 568         wpa_printf(MSG_DEBUG, "RSN: SMK lifetime %u seconds", lifetime);
 569         if (lifetime > 1000000000)
 570                 lifetime = 1000000000; /* avoid overflowing eloop time */
 571         peerkey->lifetime = lifetime;
 572         eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
 573                                sm, peerkey);
 574
 575         if (peerkey->initiator) {
 576                 rsn_smkid(peerkey->smk, peerkey->pnonce, peerkey->addr,
 577                           peerkey->inonce, sm->own_addr, peerkey->smkid,
 578                           peerkey->use_sha256);
 579                 wpa_supplicant_send_stk_1_of_4(sm, peerkey);
 580         } else {
 581                 rsn_smkid(peerkey->smk, peerkey->pnonce, sm->own_addr,
 582                           peerkey->inonce, peerkey->addr, peerkey->smkid,
 583                           peerkey->use_sha256);
 584         }
 585         wpa_hexdump(MSG_DEBUG, "RSN: SMKID", peerkey->smkid, PMKID_LEN);
 586
 587         return 0;
 588 }
 589
 590
 591 static int wpa_supplicant_process_smk_error(
 592         struct wpa_sm *sm, const unsigned char *src_addr,
 593         const struct wpa_eapol_key *key, size_t extra_len)
 594 {
 595         struct wpa_eapol_ie_parse kde;
 596         struct rsn_error_kde error;
 597         u8 peer[ETH_ALEN];
 598         u16 error_type;
 599
 600         wpa_printf(MSG_DEBUG, "RSN: Received SMK Error");
 601
 602         if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
 603                 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
 604                            "the current network");
 605                 return -1;
 606         }
 607
 608         if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
 609             0) {
 610                 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK Error");
 611                 return -1;
 612         }
 613
 614         if (kde.error == NULL || kde.error_len < sizeof(error)) {
 615                 wpa_printf(MSG_INFO, "RSN: No Error KDE in SMK Error");
 616                 return -1;
 617         }
 618
 619         if (kde.mac_addr && kde.mac_addr_len >= ETH_ALEN)
 620                 os_memcpy(peer, kde.mac_addr, ETH_ALEN);
 621         else
 622                 os_memset(peer, 0, ETH_ALEN);
 623         os_memcpy(&error, kde.error, sizeof(error));
 624         error_type = be_to_host16(error.error_type);
 625         wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
 626                 "RSN: SMK Error KDE received: MUI %d error_type %d peer "
 627                 MACSTR,
 628                 be_to_host16(error.mui), error_type,
 629                 MAC2STR(peer));
 630
 631         if (kde.mac_addr &&
 632             (error_type == STK_ERR_STA_NR || error_type == STK_ERR_STA_NRSN ||
 633              error_type == STK_ERR_CPHR_NS)) {
 634                 struct wpa_peerkey *peerkey;
 635
 636                 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
 637                         if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) ==
 638                             0)
 639                                 break;
 640                 }
 641                 if (peerkey == NULL) {
 642                         wpa_printf(MSG_DEBUG, "RSN: No matching SMK handshake "
 643                                    "found for SMK Error");
 644                         return -1;
 645                 }
 646                 /* TODO: abort SMK/STK handshake and remove all related keys */
 647         }
 648
 649         return 0;
 650 }
 651
 652
 653 static void wpa_supplicant_process_stk_1_of_4(struct wpa_sm *sm,
 654                                               struct wpa_peerkey *peerkey,
 655                                               const struct wpa_eapol_key *key,
 656                                               u16 ver)
 657 {
 658         struct wpa_eapol_ie_parse ie;
 659         const u8 *kde;
 660         size_t len, kde_buf_len;
 661         struct wpa_ptk *stk;
 662         u8 buf[8], *kde_buf, *pos;
 663         be32 lifetime;
 664
 665         wpa_printf(MSG_DEBUG, "RSN: RX message 1 of STK 4-Way Handshake from "
 666                    MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
 667
 668         os_memset(&ie, 0, sizeof(ie));
 669
 670         /* RSN: msg 1/4 should contain SMKID for the selected SMK */
 671         kde = (const u8 *) (key + 1);
 672         len = WPA_GET_BE16(key->key_data_length);
 673         wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", kde, len);
 674         if (wpa_supplicant_parse_ies(kde, len, &ie) < 0 || ie.pmkid == NULL) {
 675                 wpa_printf(MSG_DEBUG, "RSN: No SMKID in STK 1/4");
 676                 return;
 677         }
 678         if (os_memcmp(ie.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
 679                 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 1/4",
 680                             ie.pmkid, PMKID_LEN);
 681                 return;
 682         }
 683
 684         if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) {
 685                 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
 686                         "RSN: Failed to get random data for PNonce");
 687                 return;
 688         }
 689         wpa_hexdump(MSG_DEBUG, "WPA: Renewed PNonce",
 690                     peerkey->pnonce, WPA_NONCE_LEN);
 691
 692         /* Calculate STK which will be stored as a temporary STK until it has
 693          * been verified when processing message 3/4. */
 694         stk = &peerkey->tstk;
 695         wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
 696                        sm->own_addr, peerkey->addr,
 697                        peerkey->pnonce, key->key_nonce,
 698                        (u8 *) stk, sizeof(*stk),
 699                        peerkey->use_sha256);
 700         /* Supplicant: swap tx/rx Mic keys */
 701         os_memcpy(buf, stk->u.auth.tx_mic_key, 8);
 702         os_memcpy(stk->u.auth.tx_mic_key, stk->u.auth.rx_mic_key, 8);
 703         os_memcpy(stk->u.auth.rx_mic_key, buf, 8);
 704         peerkey->tstk_set = 1;
 705
 706         kde_buf_len = peerkey->rsnie_p_len +
 707                 2 + RSN_SELECTOR_LEN + sizeof(lifetime) +
 708                 2 + RSN_SELECTOR_LEN + PMKID_LEN;
 709         kde_buf = os_malloc(kde_buf_len);
 710         if (kde_buf == NULL)
 711                 return;
 712         pos = kde_buf;
 713         pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
 714         lifetime = host_to_be32(peerkey->lifetime);
 715         pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
 716                           (u8 *) &lifetime, sizeof(lifetime));
 717         wpa_add_kde(pos, RSN_KEY_DATA_PMKID, peerkey->smkid, PMKID_LEN);
 718
 719         if (wpa_supplicant_send_2_of_4(sm, peerkey->addr, key, ver,
 720                                        peerkey->pnonce, kde_buf, kde_buf_len,
 721                                        stk)) {
 722                 os_free(kde_buf);
 723                 return;
 724         }
 725         os_free(kde_buf);
 726
 727         os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
 728 }
 729
 730
 731 static void wpa_supplicant_update_smk_lifetime(struct wpa_sm *sm,
 732                                                struct wpa_peerkey *peerkey,
 733                                                struct wpa_eapol_ie_parse *kde)
 734 {
 735         u32 lifetime;
 736
 737         if (kde->lifetime == NULL || kde->lifetime_len < sizeof(lifetime))
 738                 return;
 739
 740         lifetime = WPA_GET_BE32(kde->lifetime);
 741
 742         if (lifetime >= peerkey->lifetime) {
 743                 wpa_printf(MSG_DEBUG, "RSN: Peer used SMK lifetime %u seconds "
 744                            "which is larger than or equal to own value %u "
 745                            "seconds - ignored", lifetime, peerkey->lifetime);
 746                 return;
 747         }
 748
 749         wpa_printf(MSG_DEBUG, "RSN: Peer used shorter SMK lifetime %u seconds "
 750                    "(own was %u seconds) - updated",
 751                    lifetime, peerkey->lifetime);
 752         peerkey->lifetime = lifetime;
 753
 754         eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
 755         eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
 756                                sm, peerkey);
 757 }
 758
 759
 760 static void wpa_supplicant_process_stk_2_of_4(struct wpa_sm *sm,
 761                                               struct wpa_peerkey *peerkey,
 762                                               const struct wpa_eapol_key *key,
 763                                               u16 ver)
 764 {
 765         struct wpa_eapol_ie_parse kde;
 766         const u8 *keydata;
 767         size_t len;
 768
 769         wpa_printf(MSG_DEBUG, "RSN: RX message 2 of STK 4-Way Handshake from "
 770                    MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
 771
 772         os_memset(&kde, 0, sizeof(kde));
 773
 774         /* RSN: msg 2/4 should contain SMKID for the selected SMK and RSN IE
 775          * from the peer. It may also include Lifetime KDE. */
 776         keydata = (const u8 *) (key + 1);
 777         len = WPA_GET_BE16(key->key_data_length);
 778         wpa_hexdump(MSG_DEBUG, "RSN: msg 2/4 key data", keydata, len);
 779         if (wpa_supplicant_parse_ies(keydata, len, &kde) < 0 ||
 780             kde.pmkid == NULL || kde.rsn_ie == NULL) {
 781                 wpa_printf(MSG_DEBUG, "RSN: No SMKID or RSN IE in STK 2/4");
 782                 return;
 783         }
 784
 785         if (os_memcmp(kde.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
 786                 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 2/4",
 787                             kde.pmkid, PMKID_LEN);
 788                 return;
 789         }
 790
 791         if (kde.rsn_ie_len != peerkey->rsnie_p_len ||
 792             os_memcmp(kde.rsn_ie, peerkey->rsnie_p, kde.rsn_ie_len) != 0) {
 793                 wpa_printf(MSG_INFO, "RSN: Peer RSN IE in SMK and STK "
 794                            "handshakes did not match");
 795                 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in SMK handshake",
 796                             peerkey->rsnie_p, peerkey->rsnie_p_len);
 797                 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in STK handshake",
 798                             kde.rsn_ie, kde.rsn_ie_len);
 799                 return;
 800         }
 801
 802         wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
 803
 804         wpa_supplicant_send_stk_3_of_4(sm, peerkey);
 805         os_memcpy(peerkey->pnonce, key->key_nonce, WPA_NONCE_LEN);
 806 }
 807
 808
 809 static void wpa_supplicant_process_stk_3_of_4(struct wpa_sm *sm,
 810                                               struct wpa_peerkey *peerkey,
 811                                               const struct wpa_eapol_key *key,
 812                                               u16 ver)
 813 {
 814         struct wpa_eapol_ie_parse kde;
 815         const u8 *keydata;
 816         size_t len, key_len;
 817         const u8 *_key;
 818         u8 key_buf[32], rsc[6];
 819
 820         wpa_printf(MSG_DEBUG, "RSN: RX message 3 of STK 4-Way Handshake from "
 821                    MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
 822
 823         os_memset(&kde, 0, sizeof(kde));
 824
 825         /* RSN: msg 3/4 should contain Initiator RSN IE. It may also include
 826          * Lifetime KDE. */
 827         keydata = (const u8 *) (key + 1);
 828         len = WPA_GET_BE16(key->key_data_length);
 829         wpa_hexdump(MSG_DEBUG, "RSN: msg 3/4 key data", keydata, len);
 830         if (wpa_supplicant_parse_ies(keydata, len, &kde) < 0) {
 831                 wpa_printf(MSG_DEBUG, "RSN: Failed to parse key data in "
 832                            "STK 3/4");
 833                 return;
 834         }
 835
 836         if (kde.rsn_ie_len != peerkey->rsnie_i_len ||
 837             os_memcmp(kde.rsn_ie, peerkey->rsnie_i, kde.rsn_ie_len) != 0) {
 838                 wpa_printf(MSG_INFO, "RSN: Initiator RSN IE in SMK and STK "
 839                            "handshakes did not match");
 840                 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in SMK "
 841                             "handshake",
 842                             peerkey->rsnie_i, peerkey->rsnie_i_len);
 843                 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in STK "
 844                             "handshake",
 845                             kde.rsn_ie, kde.rsn_ie_len);
 846                 return;
 847         }
 848
 849         if (os_memcmp(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
 850                 wpa_printf(MSG_WARNING, "RSN: INonce from message 1 of STK "
 851                            "4-Way Handshake differs from 3 of STK 4-Way "
 852                            "Handshake - drop packet (src=" MACSTR ")",
 853                            MAC2STR(peerkey->addr));
 854                 return;
 855         }
 856
 857         wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
 858
 859         if (wpa_supplicant_send_4_of_4(sm, peerkey->addr, key, ver,
 860                                        WPA_GET_BE16(key->key_info),
 861                                        NULL, 0, &peerkey->stk))
 862                 return;
 863
 864         _key = (u8 *) peerkey->stk.tk1;
 865         if (peerkey->cipher == WPA_CIPHER_TKIP) {
 866                 /* Swap Tx/Rx keys for Michael MIC */
 867                 os_memcpy(key_buf, _key, 16);
 868                 os_memcpy(key_buf + 16, peerkey->stk.u.auth.rx_mic_key, 8);
 869                 os_memcpy(key_buf + 24, peerkey->stk.u.auth.tx_mic_key, 8);
 870                 _key = key_buf;
 871                 key_len = 32;
 872         } else
 873                 key_len = 16;
 874
 875         os_memset(rsc, 0, 6);
 876         if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
 877                            rsc, sizeof(rsc), _key, key_len) < 0) {
 878                 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
 879                            "driver.");
 880                 return;
 881         }
 882 }
 883
 884
 885 static void wpa_supplicant_process_stk_4_of_4(struct wpa_sm *sm,
 886                                               struct wpa_peerkey *peerkey,
 887                                               const struct wpa_eapol_key *key,
 888                                               u16 ver)
 889 {
 890         u8 rsc[6];
 891
 892         wpa_printf(MSG_DEBUG, "RSN: RX message 4 of STK 4-Way Handshake from "
 893                    MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
 894
 895         os_memset(rsc, 0, 6);
 896         if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
 897                            rsc, sizeof(rsc), (u8 *) peerkey->stk.tk1,
 898                            peerkey->cipher == WPA_CIPHER_TKIP ? 32 : 16) < 0) {
 899                 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
 900                            "driver.");
 901                 return;
 902         }
 903 }
 904
 905
 906 /**
 907  * peerkey_verify_eapol_key_mic - Verify PeerKey MIC
 908  * @sm: Pointer to WPA state machine data from wpa_sm_init()
 909  * @peerkey: Pointer to the PeerKey data for the peer
 910  * @key: Pointer to the EAPOL-Key frame header
 911  * @ver: Version bits from EAPOL-Key Key Info
 912  * @buf: Pointer to the beginning of EAPOL-Key frame
 913  * @len: Length of the EAPOL-Key frame
 914  * Returns: 0 on success, -1 on failure
 915  */
 916 int peerkey_verify_eapol_key_mic(struct wpa_sm *sm,
 917                                  struct wpa_peerkey *peerkey,
 918                                  struct wpa_eapol_key *key, u16 ver,
 919                                  const u8 *buf, size_t len)
 920 {
 921         u8 mic[16];
 922         int ok = 0;
 923
 924         if (peerkey->initiator && !peerkey->stk_set) {
 925                 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
 926                                sm->own_addr, peerkey->addr,
 927                                peerkey->inonce, key->key_nonce,
 928                                (u8 *) &peerkey->stk, sizeof(peerkey->stk),
 929                                peerkey->use_sha256);
 930                 peerkey->stk_set = 1;
 931         }
 932
 933         os_memcpy(mic, key->key_mic, 16);
 934         if (peerkey->tstk_set) {
 935                 os_memset(key->key_mic, 0, 16);
 936                 wpa_eapol_key_mic(peerkey->tstk.kck, ver, buf, len,
 937                                   key->key_mic);
 938                 if (os_memcmp(mic, key->key_mic, 16) != 0) {
 939                         wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
 940                                    "when using TSTK - ignoring TSTK");
 941                 } else {
 942                         ok = 1;
 943                         peerkey->tstk_set = 0;
 944                         peerkey->stk_set = 1;
 945                         os_memcpy(&peerkey->stk, &peerkey->tstk,
 946                                   sizeof(peerkey->stk));
 947                 }
 948         }
 949
 950         if (!ok && peerkey->stk_set) {
 951                 os_memset(key->key_mic, 0, 16);
 952                 wpa_eapol_key_mic(peerkey->stk.kck, ver, buf, len,
 953                                   key->key_mic);
 954                 if (os_memcmp(mic, key->key_mic, 16) != 0) {
 955                         wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
 956                                    "- dropping packet");
 957                         return -1;
 958                 }
 959                 ok = 1;
 960         }
 961
 962         if (!ok) {
 963                 wpa_printf(MSG_WARNING, "RSN: Could not verify EAPOL-Key MIC "
 964                            "- dropping packet");
 965                 return -1;
 966         }
 967
 968         os_memcpy(peerkey->replay_counter, key->replay_counter,
 969                   WPA_REPLAY_COUNTER_LEN);
 970         peerkey->replay_counter_set = 1;
 971         return 0;
 972 }
 973
 974
 975 /**
 976  * wpa_sm_stkstart - Send EAPOL-Key Request for STK handshake (STK M1)
 977  * @sm: Pointer to WPA state machine data from wpa_sm_init()
 978  * @peer: MAC address of the peer STA
 979  * Returns: 0 on success, or -1 on failure
 980  *
 981  * Send an EAPOL-Key Request to the current authenticator to start STK
 982  * handshake with the peer.
 983  */
 984 int wpa_sm_stkstart(struct wpa_sm *sm, const u8 *peer)
 985 {
 986         size_t rlen, kde_len;
 987         struct wpa_eapol_key *req;
 988         int key_info, ver;
 989         u8 bssid[ETH_ALEN], *rbuf, *pos, *count_pos;
 990         u16 count;
 991         struct rsn_ie_hdr *hdr;
 992         struct wpa_peerkey *peerkey;
 993         struct wpa_ie_data ie;
 994
 995         if (sm->proto != WPA_PROTO_RSN || !sm->ptk_set || !sm->peerkey_enabled)
 996                 return -1;
 997
 998         if (sm->ap_rsn_ie &&
 999             wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &ie) == 0 &&
1000             !(ie.capabilities & WPA_CAPABILITY_PEERKEY_ENABLED)) {
1001                 wpa_printf(MSG_DEBUG, "RSN: Current AP does not support STK");
1002                 return -1;
1003         }
1004
1005         if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
1006                 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1007         else
1008                 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1009
1010         if (wpa_sm_get_bssid(sm, bssid) < 0) {
1011                 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key "
1012                            "SMK M1");
1013                 return -1;
1014         }
1015
1016         /* TODO: find existing entry and if found, use that instead of adding
1017          * a new one */
1018         peerkey = os_zalloc(sizeof(*peerkey));
1019         if (peerkey == NULL)
1020                 return -1;
1021         peerkey->initiator = 1;
1022         os_memcpy(peerkey->addr, peer, ETH_ALEN);
1023 #ifdef CONFIG_IEEE80211W
1024         if (wpa_key_mgmt_sha256(sm->key_mgmt))
1025                 peerkey->use_sha256 = 1;
1026 #endif /* CONFIG_IEEE80211W */
1027
1028         /* SMK M1:
1029          * EAPOL-Key(S=1, M=1, A=0, I=0, K=0, SM=1, KeyRSC=0, Nonce=INonce,
1030          *           MIC=MIC, DataKDs=(RSNIE_I, MAC_P KDE))
1031          */
1032
1033         hdr = (struct rsn_ie_hdr *) peerkey->rsnie_i;
1034         hdr->elem_id = WLAN_EID_RSN;
1035         WPA_PUT_LE16(hdr->version, RSN_VERSION);
1036         pos = (u8 *) (hdr + 1);
1037         /* Group Suite can be anything for SMK RSN IE; receiver will just
1038          * ignore it. */
1039         RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1040         pos += RSN_SELECTOR_LEN;
1041         count_pos = pos;
1042         pos += 2;
1043
1044         count = rsn_cipher_put_suites(pos, sm->allowed_pairwise_cipher);
1045         pos += count * RSN_SELECTOR_LEN;
1046         WPA_PUT_LE16(count_pos, count);
1047
1048         hdr->len = (pos - peerkey->rsnie_i) - 2;
1049         peerkey->rsnie_i_len = pos - peerkey->rsnie_i;
1050         wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
1051                     peerkey->rsnie_i, peerkey->rsnie_i_len);
1052
1053         kde_len = peerkey->rsnie_i_len + 2 + RSN_SELECTOR_LEN + ETH_ALEN;
1054
1055         rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1056                                   sizeof(*req) + kde_len, &rlen,
1057                                   (void *) &req);
1058         if (rbuf == NULL) {
1059                 wpa_supplicant_peerkey_free(sm, peerkey);
1060                 return -1;
1061         }
1062
1063         req->type = EAPOL_KEY_TYPE_RSN;
1064         key_info = WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
1065                 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_REQUEST | ver;
1066         WPA_PUT_BE16(req->key_info, key_info);
1067         WPA_PUT_BE16(req->key_length, 0);
1068         os_memcpy(req->replay_counter, sm->request_counter,
1069                   WPA_REPLAY_COUNTER_LEN);
1070         inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
1071
1072         if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) {
1073                 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1074                         "WPA: Failed to get random data for INonce");
1075                 os_free(rbuf);
1076                 wpa_supplicant_peerkey_free(sm, peerkey);
1077                 return -1;
1078         }
1079         os_memcpy(req->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
1080         wpa_hexdump(MSG_DEBUG, "WPA: INonce for SMK handshake",
1081                     req->key_nonce, WPA_NONCE_LEN);
1082
1083         WPA_PUT_BE16(req->key_data_length, (u16) kde_len);
1084         pos = (u8 *) (req + 1);
1085
1086         /* Initiator RSN IE */
1087         pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
1088         /* Peer MAC address KDE */
1089         wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
1090
1091         wpa_printf(MSG_INFO, "RSN: Sending EAPOL-Key SMK M1 Request (peer "
1092                    MACSTR ")", MAC2STR(peer));
1093         wpa_eapol_key_send(sm, sm->ptk.kck, ver, bssid, ETH_P_EAPOL,
1094                            rbuf, rlen, req->key_mic);
1095
1096         peerkey->next = sm->peerkey;
1097         sm->peerkey = peerkey;
1098
1099         return 0;
1100 }
1101
1102
1103 /**
1104  * peerkey_deinit - Free PeerKey values
1105  * @sm: Pointer to WPA state machine data from wpa_sm_init()
1106  */
1107 void peerkey_deinit(struct wpa_sm *sm)
1108 {
1109         struct wpa_peerkey *prev, *peerkey = sm->peerkey;
1110         while (peerkey) {
1111                 prev = peerkey;
1112                 peerkey = peerkey->next;
1113                 wpa_supplicant_peerkey_free(sm, prev);
1114         }
1115         sm->peerkey = NULL;
1116 }
1117
1118
1119 void peerkey_rx_eapol_4way(struct wpa_sm *sm, struct wpa_peerkey *peerkey,
1120                            struct wpa_eapol_key *key, u16 key_info, u16 ver)
1121 {
1122         if ((key_info & (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) ==
1123             (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) {
1124                 /* 3/4 STK 4-Way Handshake */
1125                 wpa_supplicant_process_stk_3_of_4(sm, peerkey, key, ver);
1126         } else if (key_info & WPA_KEY_INFO_ACK) {
1127                 /* 1/4 STK 4-Way Handshake */
1128                 wpa_supplicant_process_stk_1_of_4(sm, peerkey, key, ver);
1129         } else if (key_info & WPA_KEY_INFO_SECURE) {
1130                 /* 4/4 STK 4-Way Handshake */
1131                 wpa_supplicant_process_stk_4_of_4(sm, peerkey, key, ver);
1132         } else {
1133                 /* 2/4 STK 4-Way Handshake */
1134                 wpa_supplicant_process_stk_2_of_4(sm, peerkey, key, ver);
1135         }
1136 }
1137
1138
1139 void peerkey_rx_eapol_smk(struct wpa_sm *sm, const u8 *src_addr,
1140                           struct wpa_eapol_key *key, size_t extra_len,
1141                           u16 key_info, u16 ver)
1142 {
1143         if (key_info & WPA_KEY_INFO_ERROR) {
1144                 /* SMK Error */
1145                 wpa_supplicant_process_smk_error(sm, src_addr, key, extra_len);
1146         } else if (key_info & WPA_KEY_INFO_ACK) {
1147                 /* SMK M2 */
1148                 wpa_supplicant_process_smk_m2(sm, src_addr, key, extra_len,
1149                                               ver);
1150         } else {
1151                 /* SMK M4 or M5 */
1152                 wpa_supplicant_process_smk_m45(sm, src_addr, key, extra_len,
1153                                                ver);
1154         }
1155 }
1156
1157 #endif /* CONFIG_PEERKEY */