2 * WPA Supplicant - PeerKey for Direct Link Setup (DLS)
3 * Copyright (c) 2006-2008, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
15 #include "crypto/sha1.h"
16 #include "crypto/sha256.h"
17 #include "crypto/random.h"
18 #include "common/ieee802_11_defs.h"
25 static u8 * wpa_add_ie(u8 *pos, const u8 *ie, size_t ie_len)
27 os_memcpy(pos, ie, ie_len);
32 static u8 * wpa_add_kde(u8 *pos, u32 kde, const u8 *data, size_t data_len)
34 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
35 *pos++ = RSN_SELECTOR_LEN + data_len;
36 RSN_SELECTOR_PUT(pos, kde);
37 pos += RSN_SELECTOR_LEN;
38 os_memcpy(pos, data, data_len);
44 static void wpa_supplicant_smk_timeout(void *eloop_ctx, void *timeout_ctx)
47 struct wpa_sm *sm = eloop_ctx;
48 struct wpa_peerkey *peerkey = timeout_ctx;
50 /* TODO: time out SMK and any STK that was generated using this SMK */
54 static void wpa_supplicant_peerkey_free(struct wpa_sm *sm,
55 struct wpa_peerkey *peerkey)
57 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
62 static int wpa_supplicant_send_smk_error(struct wpa_sm *sm, const u8 *dst,
64 u16 mui, u16 error_type, int ver)
67 struct wpa_eapol_key *err;
68 struct rsn_error_kde error;
73 kde_len = 2 + RSN_SELECTOR_LEN + sizeof(error);
75 kde_len += 2 + RSN_SELECTOR_LEN + ETH_ALEN;
77 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
78 NULL, sizeof(*err) + kde_len, &rlen,
83 err->type = EAPOL_KEY_TYPE_RSN;
84 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
85 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_ERROR |
87 WPA_PUT_BE16(err->key_info, key_info);
88 WPA_PUT_BE16(err->key_length, 0);
89 os_memcpy(err->replay_counter, sm->request_counter,
90 WPA_REPLAY_COUNTER_LEN);
91 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
93 WPA_PUT_BE16(err->key_data_length, (u16) kde_len);
94 pos = (u8 *) (err + 1);
97 /* Peer MAC Address KDE */
98 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
102 error.mui = host_to_be16(mui);
103 error.error_type = host_to_be16(error_type);
104 wpa_add_kde(pos, RSN_KEY_DATA_ERROR, (u8 *) &error, sizeof(error));
107 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error (peer "
108 MACSTR " mui %d error_type %d)",
109 MAC2STR(peer), mui, error_type);
111 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK Error "
112 "(mui %d error_type %d)", mui, error_type);
115 wpa_eapol_key_send(sm, sm->ptk.kck, ver, dst, ETH_P_EAPOL,
116 rbuf, rlen, err->key_mic);
122 static int wpa_supplicant_send_smk_m3(struct wpa_sm *sm,
123 const unsigned char *src_addr,
124 const struct wpa_eapol_key *key,
125 int ver, struct wpa_peerkey *peerkey)
128 struct wpa_eapol_key *reply;
133 /* KDEs: Peer RSN IE, Initiator MAC Address, Initiator Nonce */
134 kde_len = peerkey->rsnie_p_len +
135 2 + RSN_SELECTOR_LEN + ETH_ALEN +
136 2 + RSN_SELECTOR_LEN + WPA_NONCE_LEN;
138 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY,
139 NULL, sizeof(*reply) + kde_len, &rlen,
144 reply->type = EAPOL_KEY_TYPE_RSN;
145 key_info = ver | WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
147 WPA_PUT_BE16(reply->key_info, key_info);
148 WPA_PUT_BE16(reply->key_length, 0);
149 os_memcpy(reply->replay_counter, key->replay_counter,
150 WPA_REPLAY_COUNTER_LEN);
152 os_memcpy(reply->key_nonce, peerkey->pnonce, WPA_NONCE_LEN);
154 WPA_PUT_BE16(reply->key_data_length, (u16) kde_len);
155 pos = (u8 *) (reply + 1);
158 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
160 /* Initiator MAC Address KDE */
161 pos = wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peerkey->addr, ETH_ALEN);
163 /* Initiator Nonce */
164 wpa_add_kde(pos, RSN_KEY_DATA_NONCE, peerkey->inonce, WPA_NONCE_LEN);
166 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key SMK M3");
167 wpa_eapol_key_send(sm, sm->ptk.kck, ver, src_addr, ETH_P_EAPOL,
168 rbuf, rlen, reply->key_mic);
174 static int wpa_supplicant_process_smk_m2(
175 struct wpa_sm *sm, const unsigned char *src_addr,
176 const struct wpa_eapol_key *key, size_t extra_len, int ver)
178 struct wpa_peerkey *peerkey;
179 struct wpa_eapol_ie_parse kde;
180 struct wpa_ie_data ie;
182 struct rsn_ie_hdr *hdr;
185 wpa_printf(MSG_DEBUG, "RSN: Received SMK M2");
187 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
188 wpa_printf(MSG_INFO, "RSN: SMK handshake not allowed for "
189 "the current network");
193 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
195 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M2");
199 if (kde.rsn_ie == NULL || kde.mac_addr == NULL ||
200 kde.mac_addr_len < ETH_ALEN) {
201 wpa_printf(MSG_INFO, "RSN: No RSN IE or MAC address KDE in "
206 wpa_printf(MSG_DEBUG, "RSN: SMK M2 - SMK initiator " MACSTR,
207 MAC2STR(kde.mac_addr));
209 if (kde.rsn_ie_len > PEERKEY_MAX_IE_LEN) {
210 wpa_printf(MSG_INFO, "RSN: Too long Initiator RSN IE in SMK "
215 if (wpa_parse_wpa_ie_rsn(kde.rsn_ie, kde.rsn_ie_len, &ie) < 0) {
216 wpa_printf(MSG_INFO, "RSN: Failed to parse RSN IE in SMK M2");
220 cipher = ie.pairwise_cipher & sm->allowed_pairwise_cipher;
221 if (cipher & WPA_CIPHER_CCMP) {
222 wpa_printf(MSG_DEBUG, "RSN: Using CCMP for PeerKey");
223 cipher = WPA_CIPHER_CCMP;
224 } else if (cipher & WPA_CIPHER_GCMP) {
225 wpa_printf(MSG_DEBUG, "RSN: Using GCMP for PeerKey");
226 cipher = WPA_CIPHER_GCMP;
227 } else if (cipher & WPA_CIPHER_TKIP) {
228 wpa_printf(MSG_DEBUG, "RSN: Using TKIP for PeerKey");
229 cipher = WPA_CIPHER_TKIP;
231 wpa_printf(MSG_INFO, "RSN: No acceptable cipher in SMK M2");
232 wpa_supplicant_send_smk_error(sm, src_addr, kde.mac_addr,
233 STK_MUI_SMK, STK_ERR_CPHR_NS,
238 /* TODO: find existing entry and if found, use that instead of adding
239 * a new one; how to handle the case where both ends initiate at the
241 peerkey = os_zalloc(sizeof(*peerkey));
244 os_memcpy(peerkey->addr, kde.mac_addr, ETH_ALEN);
245 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
246 os_memcpy(peerkey->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
247 peerkey->rsnie_i_len = kde.rsn_ie_len;
248 peerkey->cipher = cipher;
249 #ifdef CONFIG_IEEE80211W
250 if (ie.key_mgmt & (WPA_KEY_MGMT_IEEE8021X_SHA256 |
251 WPA_KEY_MGMT_PSK_SHA256))
252 peerkey->use_sha256 = 1;
253 #endif /* CONFIG_IEEE80211W */
255 if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) {
256 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
257 "WPA: Failed to get random data for PNonce");
258 wpa_supplicant_peerkey_free(sm, peerkey);
262 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_p;
263 hdr->elem_id = WLAN_EID_RSN;
264 WPA_PUT_LE16(hdr->version, RSN_VERSION);
265 pos = (u8 *) (hdr + 1);
266 /* Group Suite can be anything for SMK RSN IE; receiver will just
268 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
269 pos += RSN_SELECTOR_LEN;
270 /* Include only the selected cipher in pairwise cipher suite */
271 WPA_PUT_LE16(pos, 1);
273 if (cipher == WPA_CIPHER_CCMP)
274 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
275 else if (cipher == WPA_CIPHER_GCMP)
276 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
277 else if (cipher == WPA_CIPHER_TKIP)
278 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
279 pos += RSN_SELECTOR_LEN;
281 hdr->len = (pos - peerkey->rsnie_p) - 2;
282 peerkey->rsnie_p_len = pos - peerkey->rsnie_p;
283 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
284 peerkey->rsnie_p, peerkey->rsnie_p_len);
286 wpa_supplicant_send_smk_m3(sm, src_addr, key, ver, peerkey);
288 peerkey->next = sm->peerkey;
289 sm->peerkey = peerkey;
296 * rsn_smkid - Derive SMK identifier
297 * @smk: Station master key (32 bytes)
298 * @pnonce: Peer Nonce
299 * @mac_p: Peer MAC address
300 * @inonce: Initiator Nonce
301 * @mac_i: Initiator MAC address
302 * @use_sha256: Whether to use SHA256-based KDF
304 * 8.5.1.4 Station to station (STK) key hierarchy
305 * SMKID = HMAC-SHA1-128(SMK, "SMK Name" || PNonce || MAC_P || INonce || MAC_I)
307 static void rsn_smkid(const u8 *smk, const u8 *pnonce, const u8 *mac_p,
308 const u8 *inonce, const u8 *mac_i, u8 *smkid,
311 char *title = "SMK Name";
313 const size_t len[5] = { 8, WPA_NONCE_LEN, ETH_ALEN, WPA_NONCE_LEN,
315 unsigned char hash[SHA256_MAC_LEN];
317 addr[0] = (u8 *) title;
323 #ifdef CONFIG_IEEE80211W
325 hmac_sha256_vector(smk, PMK_LEN, 5, addr, len, hash);
327 #endif /* CONFIG_IEEE80211W */
328 hmac_sha1_vector(smk, PMK_LEN, 5, addr, len, hash);
329 os_memcpy(smkid, hash, PMKID_LEN);
333 static void wpa_supplicant_send_stk_1_of_4(struct wpa_sm *sm,
334 struct wpa_peerkey *peerkey)
337 struct wpa_eapol_key *msg;
342 kde_len = 2 + RSN_SELECTOR_LEN + PMKID_LEN;
344 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
345 sizeof(*msg) + kde_len, &mlen,
350 msg->type = EAPOL_KEY_TYPE_RSN;
352 if (peerkey->cipher != WPA_CIPHER_TKIP)
353 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
355 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
357 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK;
358 WPA_PUT_BE16(msg->key_info, key_info);
360 if (peerkey->cipher != WPA_CIPHER_TKIP)
361 WPA_PUT_BE16(msg->key_length, 16);
363 WPA_PUT_BE16(msg->key_length, 32);
365 os_memcpy(msg->replay_counter, peerkey->replay_counter,
366 WPA_REPLAY_COUNTER_LEN);
367 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
369 WPA_PUT_BE16(msg->key_data_length, kde_len);
370 wpa_add_kde((u8 *) (msg + 1), RSN_KEY_DATA_PMKID,
371 peerkey->smkid, PMKID_LEN);
373 if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) {
374 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
375 "RSN: Failed to get random data for INonce (STK)");
379 wpa_hexdump(MSG_DEBUG, "RSN: INonce for STK 4-Way Handshake",
380 peerkey->inonce, WPA_NONCE_LEN);
381 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
383 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 1/4 to " MACSTR,
384 MAC2STR(peerkey->addr));
385 wpa_eapol_key_send(sm, NULL, ver, peerkey->addr, ETH_P_EAPOL,
390 static void wpa_supplicant_send_stk_3_of_4(struct wpa_sm *sm,
391 struct wpa_peerkey *peerkey)
394 struct wpa_eapol_key *msg;
400 kde_len = peerkey->rsnie_i_len +
401 2 + RSN_SELECTOR_LEN + sizeof(lifetime);
403 mbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
404 sizeof(*msg) + kde_len, &mlen,
409 msg->type = EAPOL_KEY_TYPE_RSN;
411 if (peerkey->cipher != WPA_CIPHER_TKIP)
412 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
414 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
416 key_info = ver | WPA_KEY_INFO_KEY_TYPE | WPA_KEY_INFO_ACK |
417 WPA_KEY_INFO_MIC | WPA_KEY_INFO_SECURE;
418 WPA_PUT_BE16(msg->key_info, key_info);
420 if (peerkey->cipher != WPA_CIPHER_TKIP)
421 WPA_PUT_BE16(msg->key_length, 16);
423 WPA_PUT_BE16(msg->key_length, 32);
425 os_memcpy(msg->replay_counter, peerkey->replay_counter,
426 WPA_REPLAY_COUNTER_LEN);
427 inc_byte_array(peerkey->replay_counter, WPA_REPLAY_COUNTER_LEN);
429 WPA_PUT_BE16(msg->key_data_length, kde_len);
430 pos = (u8 *) (msg + 1);
431 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
432 lifetime = host_to_be32(peerkey->lifetime);
433 wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
434 (u8 *) &lifetime, sizeof(lifetime));
436 os_memcpy(msg->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
438 wpa_printf(MSG_DEBUG, "RSN: Sending EAPOL-Key STK 3/4 to " MACSTR,
439 MAC2STR(peerkey->addr));
440 wpa_eapol_key_send(sm, peerkey->stk.kck, ver, peerkey->addr,
441 ETH_P_EAPOL, mbuf, mlen, msg->key_mic);
445 static int wpa_supplicant_process_smk_m4(struct wpa_peerkey *peerkey,
446 struct wpa_eapol_ie_parse *kde)
448 wpa_printf(MSG_DEBUG, "RSN: Received SMK M4 (Initiator " MACSTR ")",
449 MAC2STR(kde->mac_addr));
451 if (os_memcmp(kde->smk + PMK_LEN, peerkey->pnonce, WPA_NONCE_LEN) != 0)
453 wpa_printf(MSG_INFO, "RSN: PNonce in SMK KDE does not "
454 "match with the one used in SMK M3");
458 if (os_memcmp(kde->nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) {
459 wpa_printf(MSG_INFO, "RSN: INonce in SMK M4 did not "
460 "match with the one received in SMK M2");
468 static int wpa_supplicant_process_smk_m5(struct wpa_sm *sm,
469 const unsigned char *src_addr,
470 const struct wpa_eapol_key *key,
472 struct wpa_peerkey *peerkey,
473 struct wpa_eapol_ie_parse *kde)
476 struct wpa_ie_data ie;
478 wpa_printf(MSG_DEBUG, "RSN: Received SMK M5 (Peer " MACSTR ")",
479 MAC2STR(kde->mac_addr));
480 if (kde->rsn_ie == NULL || kde->rsn_ie_len > PEERKEY_MAX_IE_LEN ||
481 wpa_parse_wpa_ie_rsn(kde->rsn_ie, kde->rsn_ie_len, &ie) < 0) {
482 wpa_printf(MSG_INFO, "RSN: No RSN IE in SMK M5");
483 /* TODO: abort negotiation */
487 if (os_memcmp(key->key_nonce, peerkey->inonce, WPA_NONCE_LEN) != 0) {
488 wpa_printf(MSG_INFO, "RSN: Key Nonce in SMK M5 does "
489 "not match with INonce used in SMK M1");
493 if (os_memcmp(kde->smk + PMK_LEN, peerkey->inonce, WPA_NONCE_LEN) != 0)
495 wpa_printf(MSG_INFO, "RSN: INonce in SMK KDE does not "
496 "match with the one used in SMK M1");
500 os_memcpy(peerkey->rsnie_p, kde->rsn_ie, kde->rsn_ie_len);
501 peerkey->rsnie_p_len = kde->rsn_ie_len;
502 os_memcpy(peerkey->pnonce, kde->nonce, WPA_NONCE_LEN);
504 cipher = ie.pairwise_cipher & sm->allowed_pairwise_cipher;
505 if (cipher & WPA_CIPHER_CCMP) {
506 wpa_printf(MSG_DEBUG, "RSN: Using CCMP for PeerKey");
507 peerkey->cipher = WPA_CIPHER_CCMP;
508 } else if (cipher & WPA_CIPHER_GCMP) {
509 wpa_printf(MSG_DEBUG, "RSN: Using GCMP for PeerKey");
510 peerkey->cipher = WPA_CIPHER_GCMP;
511 } else if (cipher & WPA_CIPHER_TKIP) {
512 wpa_printf(MSG_DEBUG, "RSN: Using TKIP for PeerKey");
513 peerkey->cipher = WPA_CIPHER_TKIP;
515 wpa_printf(MSG_INFO, "RSN: SMK Peer STA " MACSTR " selected "
516 "unacceptable cipher", MAC2STR(kde->mac_addr));
517 wpa_supplicant_send_smk_error(sm, src_addr, kde->mac_addr,
518 STK_MUI_SMK, STK_ERR_CPHR_NS,
520 /* TODO: abort negotiation */
528 static int wpa_supplicant_process_smk_m45(
529 struct wpa_sm *sm, const unsigned char *src_addr,
530 const struct wpa_eapol_key *key, size_t extra_len, int ver)
532 struct wpa_peerkey *peerkey;
533 struct wpa_eapol_ie_parse kde;
537 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
538 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
539 "the current network");
543 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
545 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK M4/M5");
549 if (kde.mac_addr == NULL || kde.mac_addr_len < ETH_ALEN ||
550 kde.nonce == NULL || kde.nonce_len < WPA_NONCE_LEN ||
551 kde.smk == NULL || kde.smk_len < PMK_LEN + WPA_NONCE_LEN ||
552 kde.lifetime == NULL || kde.lifetime_len < 4) {
553 wpa_printf(MSG_INFO, "RSN: No MAC Address, Nonce, SMK, or "
554 "Lifetime KDE in SMK M4/M5");
558 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
559 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) == 0 &&
560 os_memcmp(peerkey->initiator ? peerkey->inonce :
562 key->key_nonce, WPA_NONCE_LEN) == 0)
565 if (peerkey == NULL) {
566 wpa_printf(MSG_INFO, "RSN: No matching SMK handshake found "
567 "for SMK M4/M5: peer " MACSTR,
568 MAC2STR(kde.mac_addr));
572 if (peerkey->initiator) {
573 if (wpa_supplicant_process_smk_m5(sm, src_addr, key, ver,
577 if (wpa_supplicant_process_smk_m4(peerkey, &kde) < 0)
581 os_memcpy(peerkey->smk, kde.smk, PMK_LEN);
582 peerkey->smk_complete = 1;
583 wpa_hexdump_key(MSG_DEBUG, "RSN: SMK", peerkey->smk, PMK_LEN);
584 lifetime = WPA_GET_BE32(kde.lifetime);
585 wpa_printf(MSG_DEBUG, "RSN: SMK lifetime %u seconds", lifetime);
586 if (lifetime > 1000000000)
587 lifetime = 1000000000; /* avoid overflowing expiration time */
588 peerkey->lifetime = lifetime;
590 peerkey->expiration = now.sec + lifetime;
591 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
594 if (peerkey->initiator) {
595 rsn_smkid(peerkey->smk, peerkey->pnonce, peerkey->addr,
596 peerkey->inonce, sm->own_addr, peerkey->smkid,
597 peerkey->use_sha256);
598 wpa_supplicant_send_stk_1_of_4(sm, peerkey);
600 rsn_smkid(peerkey->smk, peerkey->pnonce, sm->own_addr,
601 peerkey->inonce, peerkey->addr, peerkey->smkid,
602 peerkey->use_sha256);
604 wpa_hexdump(MSG_DEBUG, "RSN: SMKID", peerkey->smkid, PMKID_LEN);
610 static int wpa_supplicant_process_smk_error(
611 struct wpa_sm *sm, const unsigned char *src_addr,
612 const struct wpa_eapol_key *key, size_t extra_len)
614 struct wpa_eapol_ie_parse kde;
615 struct rsn_error_kde error;
619 wpa_printf(MSG_DEBUG, "RSN: Received SMK Error");
621 if (!sm->peerkey_enabled || sm->proto != WPA_PROTO_RSN) {
622 wpa_printf(MSG_DEBUG, "RSN: SMK handshake not allowed for "
623 "the current network");
627 if (wpa_supplicant_parse_ies((const u8 *) (key + 1), extra_len, &kde) <
629 wpa_printf(MSG_INFO, "RSN: Failed to parse KDEs in SMK Error");
633 if (kde.error == NULL || kde.error_len < sizeof(error)) {
634 wpa_printf(MSG_INFO, "RSN: No Error KDE in SMK Error");
638 if (kde.mac_addr && kde.mac_addr_len >= ETH_ALEN)
639 os_memcpy(peer, kde.mac_addr, ETH_ALEN);
641 os_memset(peer, 0, ETH_ALEN);
642 os_memcpy(&error, kde.error, sizeof(error));
643 error_type = be_to_host16(error.error_type);
644 wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
645 "RSN: SMK Error KDE received: MUI %d error_type %d peer "
647 be_to_host16(error.mui), error_type,
651 (error_type == STK_ERR_STA_NR || error_type == STK_ERR_STA_NRSN ||
652 error_type == STK_ERR_CPHR_NS)) {
653 struct wpa_peerkey *peerkey;
655 for (peerkey = sm->peerkey; peerkey; peerkey = peerkey->next) {
656 if (os_memcmp(peerkey->addr, kde.mac_addr, ETH_ALEN) ==
660 if (peerkey == NULL) {
661 wpa_printf(MSG_DEBUG, "RSN: No matching SMK handshake "
662 "found for SMK Error");
665 /* TODO: abort SMK/STK handshake and remove all related keys */
672 static void wpa_supplicant_process_stk_1_of_4(struct wpa_sm *sm,
673 struct wpa_peerkey *peerkey,
674 const struct wpa_eapol_key *key,
677 struct wpa_eapol_ie_parse ie;
679 size_t len, kde_buf_len;
681 u8 buf[8], *kde_buf, *pos;
684 wpa_printf(MSG_DEBUG, "RSN: RX message 1 of STK 4-Way Handshake from "
685 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
687 os_memset(&ie, 0, sizeof(ie));
689 /* RSN: msg 1/4 should contain SMKID for the selected SMK */
690 kde = (const u8 *) (key + 1);
691 len = WPA_GET_BE16(key->key_data_length);
692 wpa_hexdump(MSG_DEBUG, "RSN: msg 1/4 key data", kde, len);
693 if (wpa_supplicant_parse_ies(kde, len, &ie) < 0 || ie.pmkid == NULL) {
694 wpa_printf(MSG_DEBUG, "RSN: No SMKID in STK 1/4");
697 if (os_memcmp(ie.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
698 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 1/4",
699 ie.pmkid, PMKID_LEN);
703 if (random_get_bytes(peerkey->pnonce, WPA_NONCE_LEN)) {
704 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
705 "RSN: Failed to get random data for PNonce");
708 wpa_hexdump(MSG_DEBUG, "WPA: Renewed PNonce",
709 peerkey->pnonce, WPA_NONCE_LEN);
711 /* Calculate STK which will be stored as a temporary STK until it has
712 * been verified when processing message 3/4. */
713 stk = &peerkey->tstk;
714 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
715 sm->own_addr, peerkey->addr,
716 peerkey->pnonce, key->key_nonce,
717 (u8 *) stk, sizeof(*stk),
718 peerkey->use_sha256);
719 /* Supplicant: swap tx/rx Mic keys */
720 os_memcpy(buf, stk->u.auth.tx_mic_key, 8);
721 os_memcpy(stk->u.auth.tx_mic_key, stk->u.auth.rx_mic_key, 8);
722 os_memcpy(stk->u.auth.rx_mic_key, buf, 8);
723 peerkey->tstk_set = 1;
725 kde_buf_len = peerkey->rsnie_p_len +
726 2 + RSN_SELECTOR_LEN + sizeof(lifetime) +
727 2 + RSN_SELECTOR_LEN + PMKID_LEN;
728 kde_buf = os_malloc(kde_buf_len);
732 pos = wpa_add_ie(pos, peerkey->rsnie_p, peerkey->rsnie_p_len);
733 lifetime = host_to_be32(peerkey->lifetime);
734 pos = wpa_add_kde(pos, RSN_KEY_DATA_LIFETIME,
735 (u8 *) &lifetime, sizeof(lifetime));
736 wpa_add_kde(pos, RSN_KEY_DATA_PMKID, peerkey->smkid, PMKID_LEN);
738 if (wpa_supplicant_send_2_of_4(sm, peerkey->addr, key, ver,
739 peerkey->pnonce, kde_buf, kde_buf_len,
746 os_memcpy(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN);
750 static void wpa_supplicant_update_smk_lifetime(struct wpa_sm *sm,
751 struct wpa_peerkey *peerkey,
752 struct wpa_eapol_ie_parse *kde)
757 if (kde->lifetime == NULL || kde->lifetime_len < sizeof(lifetime))
760 lifetime = WPA_GET_BE32(kde->lifetime);
762 if (lifetime >= peerkey->lifetime) {
763 wpa_printf(MSG_DEBUG, "RSN: Peer used SMK lifetime %u seconds "
764 "which is larger than or equal to own value %u "
765 "seconds - ignored", lifetime, peerkey->lifetime);
769 wpa_printf(MSG_DEBUG, "RSN: Peer used shorter SMK lifetime %u seconds "
770 "(own was %u seconds) - updated",
771 lifetime, peerkey->lifetime);
772 peerkey->lifetime = lifetime;
775 peerkey->expiration = now.sec + lifetime;
776 eloop_cancel_timeout(wpa_supplicant_smk_timeout, sm, peerkey);
777 eloop_register_timeout(lifetime, 0, wpa_supplicant_smk_timeout,
782 static void wpa_supplicant_process_stk_2_of_4(struct wpa_sm *sm,
783 struct wpa_peerkey *peerkey,
784 const struct wpa_eapol_key *key,
787 struct wpa_eapol_ie_parse kde;
791 wpa_printf(MSG_DEBUG, "RSN: RX message 2 of STK 4-Way Handshake from "
792 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
794 os_memset(&kde, 0, sizeof(kde));
796 /* RSN: msg 2/4 should contain SMKID for the selected SMK and RSN IE
797 * from the peer. It may also include Lifetime KDE. */
798 keydata = (const u8 *) (key + 1);
799 len = WPA_GET_BE16(key->key_data_length);
800 wpa_hexdump(MSG_DEBUG, "RSN: msg 2/4 key data", keydata, len);
801 if (wpa_supplicant_parse_ies(keydata, len, &kde) < 0 ||
802 kde.pmkid == NULL || kde.rsn_ie == NULL) {
803 wpa_printf(MSG_DEBUG, "RSN: No SMKID or RSN IE in STK 2/4");
807 if (os_memcmp(kde.pmkid, peerkey->smkid, PMKID_LEN) != 0) {
808 wpa_hexdump(MSG_DEBUG, "RSN: Unknown SMKID in STK 2/4",
809 kde.pmkid, PMKID_LEN);
813 if (kde.rsn_ie_len != peerkey->rsnie_p_len ||
814 os_memcmp(kde.rsn_ie, peerkey->rsnie_p, kde.rsn_ie_len) != 0) {
815 wpa_printf(MSG_INFO, "RSN: Peer RSN IE in SMK and STK "
816 "handshakes did not match");
817 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in SMK handshake",
818 peerkey->rsnie_p, peerkey->rsnie_p_len);
819 wpa_hexdump(MSG_DEBUG, "RSN: Peer RSN IE in STK handshake",
820 kde.rsn_ie, kde.rsn_ie_len);
824 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
826 wpa_supplicant_send_stk_3_of_4(sm, peerkey);
827 os_memcpy(peerkey->pnonce, key->key_nonce, WPA_NONCE_LEN);
831 static void wpa_supplicant_process_stk_3_of_4(struct wpa_sm *sm,
832 struct wpa_peerkey *peerkey,
833 const struct wpa_eapol_key *key,
836 struct wpa_eapol_ie_parse kde;
840 u8 key_buf[32], rsc[6];
842 wpa_printf(MSG_DEBUG, "RSN: RX message 3 of STK 4-Way Handshake from "
843 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
845 os_memset(&kde, 0, sizeof(kde));
847 /* RSN: msg 3/4 should contain Initiator RSN IE. It may also include
849 keydata = (const u8 *) (key + 1);
850 len = WPA_GET_BE16(key->key_data_length);
851 wpa_hexdump(MSG_DEBUG, "RSN: msg 3/4 key data", keydata, len);
852 if (wpa_supplicant_parse_ies(keydata, len, &kde) < 0) {
853 wpa_printf(MSG_DEBUG, "RSN: Failed to parse key data in "
858 if (kde.rsn_ie_len != peerkey->rsnie_i_len ||
859 os_memcmp(kde.rsn_ie, peerkey->rsnie_i, kde.rsn_ie_len) != 0) {
860 wpa_printf(MSG_INFO, "RSN: Initiator RSN IE in SMK and STK "
861 "handshakes did not match");
862 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in SMK "
864 peerkey->rsnie_i, peerkey->rsnie_i_len);
865 wpa_hexdump(MSG_DEBUG, "RSN: Initiator RSN IE in STK "
867 kde.rsn_ie, kde.rsn_ie_len);
871 if (os_memcmp(peerkey->inonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
872 wpa_printf(MSG_WARNING, "RSN: INonce from message 1 of STK "
873 "4-Way Handshake differs from 3 of STK 4-Way "
874 "Handshake - drop packet (src=" MACSTR ")",
875 MAC2STR(peerkey->addr));
879 wpa_supplicant_update_smk_lifetime(sm, peerkey, &kde);
881 if (wpa_supplicant_send_4_of_4(sm, peerkey->addr, key, ver,
882 WPA_GET_BE16(key->key_info),
883 NULL, 0, &peerkey->stk))
886 _key = (u8 *) peerkey->stk.tk1;
887 if (peerkey->cipher == WPA_CIPHER_TKIP) {
888 /* Swap Tx/Rx keys for Michael MIC */
889 os_memcpy(key_buf, _key, 16);
890 os_memcpy(key_buf + 16, peerkey->stk.u.auth.rx_mic_key, 8);
891 os_memcpy(key_buf + 24, peerkey->stk.u.auth.tx_mic_key, 8);
897 os_memset(rsc, 0, 6);
898 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
899 rsc, sizeof(rsc), _key, key_len) < 0) {
900 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
907 static void wpa_supplicant_process_stk_4_of_4(struct wpa_sm *sm,
908 struct wpa_peerkey *peerkey,
909 const struct wpa_eapol_key *key,
914 wpa_printf(MSG_DEBUG, "RSN: RX message 4 of STK 4-Way Handshake from "
915 MACSTR " (ver=%d)", MAC2STR(peerkey->addr), ver);
917 os_memset(rsc, 0, 6);
918 if (wpa_sm_set_key(sm, peerkey->cipher, peerkey->addr, 0, 1,
919 rsc, sizeof(rsc), (u8 *) peerkey->stk.tk1,
920 peerkey->cipher == WPA_CIPHER_TKIP ? 32 : 16) < 0) {
921 wpa_printf(MSG_WARNING, "RSN: Failed to set STK to the "
929 * peerkey_verify_eapol_key_mic - Verify PeerKey MIC
930 * @sm: Pointer to WPA state machine data from wpa_sm_init()
931 * @peerkey: Pointer to the PeerKey data for the peer
932 * @key: Pointer to the EAPOL-Key frame header
933 * @ver: Version bits from EAPOL-Key Key Info
934 * @buf: Pointer to the beginning of EAPOL-Key frame
935 * @len: Length of the EAPOL-Key frame
936 * Returns: 0 on success, -1 on failure
938 int peerkey_verify_eapol_key_mic(struct wpa_sm *sm,
939 struct wpa_peerkey *peerkey,
940 struct wpa_eapol_key *key, u16 ver,
941 const u8 *buf, size_t len)
946 if (peerkey->initiator && !peerkey->stk_set) {
947 wpa_pmk_to_ptk(peerkey->smk, PMK_LEN, "Peer key expansion",
948 sm->own_addr, peerkey->addr,
949 peerkey->inonce, key->key_nonce,
950 (u8 *) &peerkey->stk, sizeof(peerkey->stk),
951 peerkey->use_sha256);
952 peerkey->stk_set = 1;
955 os_memcpy(mic, key->key_mic, 16);
956 if (peerkey->tstk_set) {
957 os_memset(key->key_mic, 0, 16);
958 wpa_eapol_key_mic(peerkey->tstk.kck, ver, buf, len,
960 if (os_memcmp(mic, key->key_mic, 16) != 0) {
961 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
962 "when using TSTK - ignoring TSTK");
965 peerkey->tstk_set = 0;
966 peerkey->stk_set = 1;
967 os_memcpy(&peerkey->stk, &peerkey->tstk,
968 sizeof(peerkey->stk));
972 if (!ok && peerkey->stk_set) {
973 os_memset(key->key_mic, 0, 16);
974 wpa_eapol_key_mic(peerkey->stk.kck, ver, buf, len,
976 if (os_memcmp(mic, key->key_mic, 16) != 0) {
977 wpa_printf(MSG_WARNING, "RSN: Invalid EAPOL-Key MIC "
978 "- dropping packet");
985 wpa_printf(MSG_WARNING, "RSN: Could not verify EAPOL-Key MIC "
986 "- dropping packet");
990 os_memcpy(peerkey->replay_counter, key->replay_counter,
991 WPA_REPLAY_COUNTER_LEN);
992 peerkey->replay_counter_set = 1;
998 * wpa_sm_stkstart - Send EAPOL-Key Request for STK handshake (STK M1)
999 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1000 * @peer: MAC address of the peer STA
1001 * Returns: 0 on success, or -1 on failure
1003 * Send an EAPOL-Key Request to the current authenticator to start STK
1004 * handshake with the peer.
1006 int wpa_sm_stkstart(struct wpa_sm *sm, const u8 *peer)
1008 size_t rlen, kde_len;
1009 struct wpa_eapol_key *req;
1011 u8 bssid[ETH_ALEN], *rbuf, *pos, *count_pos;
1013 struct rsn_ie_hdr *hdr;
1014 struct wpa_peerkey *peerkey;
1015 struct wpa_ie_data ie;
1017 if (sm->proto != WPA_PROTO_RSN || !sm->ptk_set || !sm->peerkey_enabled)
1020 if (sm->ap_rsn_ie &&
1021 wpa_parse_wpa_ie_rsn(sm->ap_rsn_ie, sm->ap_rsn_ie_len, &ie) == 0 &&
1022 !(ie.capabilities & WPA_CAPABILITY_PEERKEY_ENABLED)) {
1023 wpa_printf(MSG_DEBUG, "RSN: Current AP does not support STK");
1027 if (sm->pairwise_cipher != WPA_CIPHER_TKIP)
1028 ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
1030 ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
1032 if (wpa_sm_get_bssid(sm, bssid) < 0) {
1033 wpa_printf(MSG_WARNING, "Failed to read BSSID for EAPOL-Key "
1038 /* TODO: find existing entry and if found, use that instead of adding
1040 peerkey = os_zalloc(sizeof(*peerkey));
1041 if (peerkey == NULL)
1043 peerkey->initiator = 1;
1044 os_memcpy(peerkey->addr, peer, ETH_ALEN);
1045 #ifdef CONFIG_IEEE80211W
1046 if (wpa_key_mgmt_sha256(sm->key_mgmt))
1047 peerkey->use_sha256 = 1;
1048 #endif /* CONFIG_IEEE80211W */
1051 * EAPOL-Key(S=1, M=1, A=0, I=0, K=0, SM=1, KeyRSC=0, Nonce=INonce,
1052 * MIC=MIC, DataKDs=(RSNIE_I, MAC_P KDE))
1055 hdr = (struct rsn_ie_hdr *) peerkey->rsnie_i;
1056 hdr->elem_id = WLAN_EID_RSN;
1057 WPA_PUT_LE16(hdr->version, RSN_VERSION);
1058 pos = (u8 *) (hdr + 1);
1059 /* Group Suite can be anything for SMK RSN IE; receiver will just
1061 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1062 pos += RSN_SELECTOR_LEN;
1067 if (sm->allowed_pairwise_cipher & WPA_CIPHER_CCMP) {
1068 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1069 pos += RSN_SELECTOR_LEN;
1072 if (sm->allowed_pairwise_cipher & WPA_CIPHER_GCMP) {
1073 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
1074 pos += RSN_SELECTOR_LEN;
1077 if (sm->allowed_pairwise_cipher & WPA_CIPHER_TKIP) {
1078 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
1079 pos += RSN_SELECTOR_LEN;
1082 WPA_PUT_LE16(count_pos, count);
1084 hdr->len = (pos - peerkey->rsnie_i) - 2;
1085 peerkey->rsnie_i_len = pos - peerkey->rsnie_i;
1086 wpa_hexdump(MSG_DEBUG, "WPA: RSN IE for SMK handshake",
1087 peerkey->rsnie_i, peerkey->rsnie_i_len);
1089 kde_len = peerkey->rsnie_i_len + 2 + RSN_SELECTOR_LEN + ETH_ALEN;
1091 rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
1092 sizeof(*req) + kde_len, &rlen,
1095 wpa_supplicant_peerkey_free(sm, peerkey);
1099 req->type = EAPOL_KEY_TYPE_RSN;
1100 key_info = WPA_KEY_INFO_SMK_MESSAGE | WPA_KEY_INFO_MIC |
1101 WPA_KEY_INFO_SECURE | WPA_KEY_INFO_REQUEST | ver;
1102 WPA_PUT_BE16(req->key_info, key_info);
1103 WPA_PUT_BE16(req->key_length, 0);
1104 os_memcpy(req->replay_counter, sm->request_counter,
1105 WPA_REPLAY_COUNTER_LEN);
1106 inc_byte_array(sm->request_counter, WPA_REPLAY_COUNTER_LEN);
1108 if (random_get_bytes(peerkey->inonce, WPA_NONCE_LEN)) {
1109 wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
1110 "WPA: Failed to get random data for INonce");
1112 wpa_supplicant_peerkey_free(sm, peerkey);
1115 os_memcpy(req->key_nonce, peerkey->inonce, WPA_NONCE_LEN);
1116 wpa_hexdump(MSG_DEBUG, "WPA: INonce for SMK handshake",
1117 req->key_nonce, WPA_NONCE_LEN);
1119 WPA_PUT_BE16(req->key_data_length, (u16) kde_len);
1120 pos = (u8 *) (req + 1);
1122 /* Initiator RSN IE */
1123 pos = wpa_add_ie(pos, peerkey->rsnie_i, peerkey->rsnie_i_len);
1124 /* Peer MAC address KDE */
1125 wpa_add_kde(pos, RSN_KEY_DATA_MAC_ADDR, peer, ETH_ALEN);
1127 wpa_printf(MSG_INFO, "RSN: Sending EAPOL-Key SMK M1 Request (peer "
1128 MACSTR ")", MAC2STR(peer));
1129 wpa_eapol_key_send(sm, sm->ptk.kck, ver, bssid, ETH_P_EAPOL,
1130 rbuf, rlen, req->key_mic);
1132 peerkey->next = sm->peerkey;
1133 sm->peerkey = peerkey;
1140 * peerkey_deinit - Free PeerKey values
1141 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1143 void peerkey_deinit(struct wpa_sm *sm)
1145 struct wpa_peerkey *prev, *peerkey = sm->peerkey;
1148 peerkey = peerkey->next;
1155 void peerkey_rx_eapol_4way(struct wpa_sm *sm, struct wpa_peerkey *peerkey,
1156 struct wpa_eapol_key *key, u16 key_info, u16 ver)
1158 if ((key_info & (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) ==
1159 (WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK)) {
1160 /* 3/4 STK 4-Way Handshake */
1161 wpa_supplicant_process_stk_3_of_4(sm, peerkey, key, ver);
1162 } else if (key_info & WPA_KEY_INFO_ACK) {
1163 /* 1/4 STK 4-Way Handshake */
1164 wpa_supplicant_process_stk_1_of_4(sm, peerkey, key, ver);
1165 } else if (key_info & WPA_KEY_INFO_SECURE) {
1166 /* 4/4 STK 4-Way Handshake */
1167 wpa_supplicant_process_stk_4_of_4(sm, peerkey, key, ver);
1169 /* 2/4 STK 4-Way Handshake */
1170 wpa_supplicant_process_stk_2_of_4(sm, peerkey, key, ver);
1175 void peerkey_rx_eapol_smk(struct wpa_sm *sm, const u8 *src_addr,
1176 struct wpa_eapol_key *key, size_t extra_len,
1177 u16 key_info, u16 ver)
1179 if (key_info & WPA_KEY_INFO_ERROR) {
1181 wpa_supplicant_process_smk_error(sm, src_addr, key, extra_len);
1182 } else if (key_info & WPA_KEY_INFO_ACK) {
1184 wpa_supplicant_process_smk_m2(sm, src_addr, key, extra_len,
1188 wpa_supplicant_process_smk_m45(sm, src_addr, key, extra_len,
1193 #endif /* CONFIG_PEERKEY */