1 /*
2  * PASN initiator processing
3  *
4  * Copyright (C) 2019, Intel Corporation
5  * Copyright (C) 2022, Qualcomm Innovation Center, Inc.
6  *
7  * This software may be distributed under the terms of the BSD license.
8  * See README for more details.
9  */
10 
11 #include "utils/includes.h"
12 
13 #include "utils/common.h"
14 #include "common/wpa_common.h"
15 #include "common/sae.h"
16 #include "common/ieee802_11_common.h"
17 #include "common/ieee802_11_defs.h"
18 #include "common/dragonfly.h"
19 #include "crypto/sha384.h"
20 #include "crypto/crypto.h"
21 #include "crypto/random.h"
22 #include "eap_common/eap_defs.h"
23 #include "eapol_supp/eapol_supp_sm.h"
24 #include "rsn_supp/wpa.h"
25 #include "rsn_supp/pmksa_cache.h"
26 #include "pasn_common.h"
27 
28 
pasn_initiator_pmksa_cache_init(void)29 struct rsn_pmksa_cache * pasn_initiator_pmksa_cache_init(void)
30 {
31 	return pmksa_cache_init(NULL, NULL, NULL, NULL, NULL);
32 }
33 
34 
pasn_initiator_pmksa_cache_deinit(struct rsn_pmksa_cache * pmksa)35 void pasn_initiator_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa)
36 {
37 	return pmksa_cache_deinit(pmksa);
38 }
39 
40 
pasn_initiator_pmksa_cache_add(struct rsn_pmksa_cache * pmksa,const u8 * own_addr,const u8 * bssid,const u8 * pmk,size_t pmk_len,const u8 * pmkid)41 int pasn_initiator_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
42 				   const u8 *own_addr, const u8 *bssid,
43 				   const u8 *pmk,
44 				   size_t pmk_len, const u8 *pmkid)
45 {
46 	if (pmksa_cache_add(pmksa, pmk, pmk_len, pmkid, NULL, 0, bssid,
47 			    own_addr, NULL, WPA_KEY_MGMT_SAE, NULL))
48 		return 0;
49 	return -1;
50 }
51 
52 
pasn_initiator_pmksa_cache_remove(struct rsn_pmksa_cache * pmksa,const u8 * bssid)53 void pasn_initiator_pmksa_cache_remove(struct rsn_pmksa_cache *pmksa,
54 				       const u8 *bssid)
55 {
56 	struct rsn_pmksa_cache_entry *entry;
57 
58 	entry = pmksa_cache_get(pmksa, bssid, NULL, NULL, NULL, 0);
59 	if (!entry)
60 		return;
61 
62 	pmksa_cache_remove(pmksa, entry);
63 }
64 
65 
pasn_initiator_pmksa_cache_get(struct rsn_pmksa_cache * pmksa,const u8 * bssid,u8 * pmkid,u8 * pmk,size_t * pmk_len)66 int pasn_initiator_pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
67 				   const u8 *bssid, u8 *pmkid, u8 *pmk,
68 				   size_t *pmk_len)
69 {
70 	struct rsn_pmksa_cache_entry *entry;
71 
72 	entry = pmksa_cache_get(pmksa, bssid, NULL, NULL, NULL, 0);
73 	if (entry) {
74 		os_memcpy(pmkid, entry->pmkid, PMKID_LEN);
75 		os_memcpy(pmk, entry->pmk, entry->pmk_len);
76 		*pmk_len = entry->pmk_len;
77 		return 0;
78 	}
79 	return -1;
80 }
81 
82 
pasn_initiator_pmksa_cache_flush(struct rsn_pmksa_cache * pmksa)83 void pasn_initiator_pmksa_cache_flush(struct rsn_pmksa_cache *pmksa)
84 {
85 	return pmksa_cache_flush(pmksa, NULL, NULL, 0, false);
86 }
87 
88 
pasn_set_initiator_pmksa(struct pasn_data * pasn,struct rsn_pmksa_cache * pmksa)89 void pasn_set_initiator_pmksa(struct pasn_data *pasn,
90 			      struct rsn_pmksa_cache *pmksa)
91 {
92 	if (pasn)
93 		pasn->pmksa = pmksa;
94 }
95 
96 
97 #ifdef CONFIG_SAE
98 
wpas_pasn_wd_sae_commit(struct pasn_data * pasn)99 static struct wpabuf * wpas_pasn_wd_sae_commit(struct pasn_data *pasn)
100 {
101 	struct wpabuf *buf = NULL;
102 	int ret;
103 
104 	ret = sae_set_group(&pasn->sae, pasn->group);
105 	if (ret) {
106 		wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
107 		return NULL;
108 	}
109 
110 	ret = sae_prepare_commit_pt(&pasn->sae, pasn->pt,
111 				    pasn->own_addr, pasn->peer_addr,
112 				    NULL, NULL);
113 	if (ret) {
114 		wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
115 		return NULL;
116 	}
117 
118 	/* Need to add the entire Authentication frame body */
119 	buf = wpabuf_alloc(6 + SAE_COMMIT_MAX_LEN);
120 	if (!buf) {
121 		wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
122 		return NULL;
123 	}
124 
125 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
126 	wpabuf_put_le16(buf, 1);
127 	wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
128 
129 	sae_write_commit(&pasn->sae, buf, NULL, NULL);
130 	pasn->sae.state = SAE_COMMITTED;
131 
132 	return buf;
133 }
134 
135 
wpas_pasn_wd_sae_rx(struct pasn_data * pasn,struct wpabuf * wd)136 static int wpas_pasn_wd_sae_rx(struct pasn_data *pasn, struct wpabuf *wd)
137 {
138 	const u8 *data;
139 	size_t buf_len;
140 	u16 len, res, alg, seq, status;
141 	int groups[] = { pasn->group, 0 };
142 	int ret;
143 
144 	if (!wd)
145 		return -1;
146 
147 	data = wpabuf_head_u8(wd);
148 	buf_len = wpabuf_len(wd);
149 
150 	/* first handle the commit message */
151 	if (buf_len < 2) {
152 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (commit)");
153 		return -1;
154 	}
155 
156 	len = WPA_GET_LE16(data);
157 	if (len < 6 || buf_len - 2 < len) {
158 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for commit");
159 		return -1;
160 	}
161 
162 	buf_len -= 2;
163 	data += 2;
164 
165 	alg = WPA_GET_LE16(data);
166 	seq = WPA_GET_LE16(data + 2);
167 	status = WPA_GET_LE16(data + 4);
168 
169 	wpa_printf(MSG_DEBUG, "PASN: SAE: commit: alg=%u, seq=%u, status=%u",
170 		   alg, seq, status);
171 
172 	if (alg != WLAN_AUTH_SAE || seq != 1 ||
173 	    status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
174 		wpa_printf(MSG_DEBUG, "PASN: SAE: dropping peer commit");
175 		return -1;
176 	}
177 
178 	res = sae_parse_commit(&pasn->sae, data + 6, len - 6, NULL, NULL,
179 			       groups, 1, NULL);
180 	if (res != WLAN_STATUS_SUCCESS) {
181 		wpa_printf(MSG_DEBUG, "PASN: SAE failed parsing commit");
182 		return -1;
183 	}
184 
185 	/* Process the commit message and derive the PMK */
186 	ret = sae_process_commit(&pasn->sae);
187 	if (ret) {
188 		wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
189 		return -1;
190 	}
191 
192 	buf_len -= len;
193 	data += len;
194 
195 	/* Handle the confirm message */
196 	if (buf_len < 2) {
197 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (confirm)");
198 		return -1;
199 	}
200 
201 	len = WPA_GET_LE16(data);
202 	if (len < 6 || buf_len - 2 < len) {
203 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for confirm");
204 		return -1;
205 	}
206 
207 	buf_len -= 2;
208 	data += 2;
209 
210 	alg = WPA_GET_LE16(data);
211 	seq = WPA_GET_LE16(data + 2);
212 	status = WPA_GET_LE16(data + 4);
213 
214 	wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
215 		   alg, seq, status);
216 
217 	if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
218 		wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
219 		return -1;
220 	}
221 
222 	res = sae_check_confirm(&pasn->sae, data + 6, len - 6, NULL);
223 	if (res != WLAN_STATUS_SUCCESS) {
224 		wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
225 		return -1;
226 	}
227 
228 	wpa_printf(MSG_DEBUG, "PASN: SAE completed successfully");
229 	pasn->sae.state = SAE_ACCEPTED;
230 
231 	return 0;
232 }
233 
234 
wpas_pasn_wd_sae_confirm(struct pasn_data * pasn)235 static struct wpabuf * wpas_pasn_wd_sae_confirm(struct pasn_data *pasn)
236 {
237 	struct wpabuf *buf = NULL;
238 
239 	/* Need to add the entire authentication frame body */
240 	buf = wpabuf_alloc(6 + SAE_CONFIRM_MAX_LEN);
241 	if (!buf) {
242 		wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
243 		return NULL;
244 	}
245 
246 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
247 	wpabuf_put_le16(buf, 2);
248 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
249 
250 	sae_write_confirm(&pasn->sae, buf);
251 	pasn->sae.state = SAE_CONFIRMED;
252 
253 	return buf;
254 }
255 
256 #endif /* CONFIG_SAE */
257 
258 
259 #ifdef CONFIG_FILS
260 
wpas_pasn_fils_build_auth(struct pasn_data * pasn)261 static struct wpabuf * wpas_pasn_fils_build_auth(struct pasn_data *pasn)
262 {
263 	struct wpabuf *buf = NULL;
264 	struct wpabuf *erp_msg;
265 	int ret;
266 
267 	erp_msg = eapol_sm_build_erp_reauth_start(pasn->eapol);
268 	if (!erp_msg) {
269 		wpa_printf(MSG_DEBUG,
270 			   "PASN: FILS: ERP EAP-Initiate/Re-auth unavailable");
271 		return NULL;
272 	}
273 
274 	if (random_get_bytes(pasn->fils.nonce, FILS_NONCE_LEN) < 0 ||
275 	    random_get_bytes(pasn->fils.session, FILS_SESSION_LEN) < 0)
276 		goto fail;
277 
278 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", pasn->fils.nonce,
279 		    FILS_NONCE_LEN);
280 
281 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", pasn->fils.session,
282 		    FILS_SESSION_LEN);
283 
284 	buf = wpabuf_alloc(1500);
285 	if (!buf)
286 		goto fail;
287 
288 	/* Add the authentication algorithm */
289 	wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
290 
291 	/* Authentication Transaction seq# */
292 	wpabuf_put_le16(buf, 1);
293 
294 	/* Status Code */
295 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
296 
297 	/* Own RSNE */
298 	wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
299 
300 	/* FILS Nonce */
301 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
302 	wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
303 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
304 	wpabuf_put_data(buf, pasn->fils.nonce, FILS_NONCE_LEN);
305 
306 	/* FILS Session */
307 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
308 	wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
309 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
310 	wpabuf_put_data(buf, pasn->fils.session, FILS_SESSION_LEN);
311 
312 	/* Wrapped Data (ERP) */
313 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
314 	wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg));
315 	wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
316 	wpabuf_put_buf(buf, erp_msg);
317 
318 	/*
319 	 * Calculate pending PMKID here so that we do not need to maintain a
320 	 * copy of the EAP-Initiate/Reauth message.
321 	 */
322 	ret = fils_pmkid_erp(pasn->akmp, wpabuf_head(erp_msg),
323 			     wpabuf_len(erp_msg),
324 			     pasn->fils.erp_pmkid);
325 	if (ret) {
326 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ERP PMKID");
327 		goto fail;
328 	}
329 
330 	wpabuf_free(erp_msg);
331 	erp_msg = NULL;
332 
333 	wpa_hexdump_buf(MSG_DEBUG, "PASN: FILS: Authentication frame", buf);
334 	return buf;
335 fail:
336 	wpabuf_free(erp_msg);
337 	wpabuf_free(buf);
338 	return NULL;
339 }
340 
341 
wpas_pasn_wd_fils_auth(struct pasn_data * pasn)342 static struct wpabuf * wpas_pasn_wd_fils_auth(struct pasn_data *pasn)
343 {
344 	wpa_printf(MSG_DEBUG, "PASN: FILS: wrapped data - completed=%u",
345 		   pasn->fils.completed);
346 
347 	/* Nothing to add as we are done */
348 	if (pasn->fils.completed)
349 		return NULL;
350 
351 	if (!pasn->fils_eapol) {
352 		wpa_printf(MSG_DEBUG,
353 			   "PASN: FILS: Missing Indication IE or PFS");
354 		return NULL;
355 	}
356 
357 	return wpas_pasn_fils_build_auth(pasn);
358 }
359 
360 
wpas_pasn_wd_fils_rx(struct pasn_data * pasn,struct wpabuf * wd)361 static int wpas_pasn_wd_fils_rx(struct pasn_data *pasn, struct wpabuf *wd)
362 {
363 	struct ieee802_11_elems elems;
364 	struct wpa_ie_data rsne_data;
365 	u8 rmsk[ERP_MAX_KEY_LEN];
366 	size_t rmsk_len;
367 	u8 anonce[FILS_NONCE_LEN];
368 	const u8 *data;
369 	size_t buf_len;
370 	struct wpabuf *fils_wd = NULL;
371 	u16 alg, seq, status;
372 	int ret;
373 
374 	if (!wd)
375 		return -1;
376 
377 	data = wpabuf_head(wd);
378 	buf_len = wpabuf_len(wd);
379 
380 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: Authentication frame len=%zu",
381 		    data, buf_len);
382 
383 	/* first handle the header */
384 	if (buf_len < 6) {
385 		wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short");
386 		return -1;
387 	}
388 
389 	alg = WPA_GET_LE16(data);
390 	seq = WPA_GET_LE16(data + 2);
391 	status = WPA_GET_LE16(data + 4);
392 
393 	wpa_printf(MSG_DEBUG, "PASN: FILS: commit: alg=%u, seq=%u, status=%u",
394 		   alg, seq, status);
395 
396 	if (alg != WLAN_AUTH_FILS_SK || seq != 2 ||
397 	    status != WLAN_STATUS_SUCCESS) {
398 		wpa_printf(MSG_DEBUG,
399 			   "PASN: FILS: Dropping peer authentication");
400 		return -1;
401 	}
402 
403 	data += 6;
404 	buf_len -= 6;
405 
406 	if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
407 		wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
408 		return -1;
409 	}
410 
411 	if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
412 	    !elems.wrapped_data) {
413 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
414 		return -1;
415 	}
416 
417 	ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
418 			       &rsne_data);
419 	if (ret) {
420 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RSNE");
421 		return -1;
422 	}
423 
424 	ret = wpa_pasn_validate_rsne(&rsne_data);
425 	if (ret) {
426 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
427 		return -1;
428 	}
429 
430 	if (rsne_data.num_pmkid) {
431 		wpa_printf(MSG_DEBUG,
432 			   "PASN: FILS: Not expecting PMKID in RSNE");
433 		return -1;
434 	}
435 
436 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: ANonce", elems.fils_nonce,
437 		    FILS_NONCE_LEN);
438 	os_memcpy(anonce, elems.fils_nonce, FILS_NONCE_LEN);
439 
440 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: FILS Session", elems.fils_session,
441 		    FILS_SESSION_LEN);
442 
443 	if (os_memcmp(pasn->fils.session, elems.fils_session,
444 		      FILS_SESSION_LEN)) {
445 		wpa_printf(MSG_DEBUG, "PASN: FILS: Session mismatch");
446 		return -1;
447 	}
448 
449 	fils_wd = ieee802_11_defrag(elems.wrapped_data, elems.wrapped_data_len,
450 				    true);
451 
452 	if (!fils_wd) {
453 		wpa_printf(MSG_DEBUG,
454 			   "PASN: FILS: Failed getting wrapped data");
455 		return -1;
456 	}
457 
458 	eapol_sm_process_erp_finish(pasn->eapol, wpabuf_head(fils_wd),
459 				    wpabuf_len(fils_wd));
460 
461 	wpabuf_free(fils_wd);
462 	fils_wd = NULL;
463 
464 	if (eapol_sm_failed(pasn->eapol)) {
465 		wpa_printf(MSG_DEBUG, "PASN: FILS: ERP finish failed");
466 		return -1;
467 	}
468 
469 	rmsk_len = ERP_MAX_KEY_LEN;
470 	ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len);
471 
472 	if (ret == PMK_LEN) {
473 		rmsk_len = PMK_LEN;
474 		ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len);
475 	}
476 
477 	if (ret) {
478 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed getting RMSK");
479 		return -1;
480 	}
481 
482 	ret = fils_rmsk_to_pmk(pasn->akmp, rmsk, rmsk_len,
483 			       pasn->fils.nonce, anonce, NULL, 0,
484 			       pasn->pmk, &pasn->pmk_len);
485 
486 	forced_memzero(rmsk, sizeof(rmsk));
487 
488 	if (ret) {
489 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PMK");
490 		return -1;
491 	}
492 
493 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: PMKID", pasn->fils.erp_pmkid,
494 		    PMKID_LEN);
495 
496 	wpa_printf(MSG_DEBUG, "PASN: FILS: ERP processing succeeded");
497 
498 	pasn->pmksa_entry = pmksa_cache_add(pasn->pmksa, pasn->pmk,
499 					    pasn->pmk_len, pasn->fils.erp_pmkid,
500 					    NULL, 0, pasn->peer_addr,
501 					    pasn->own_addr, NULL,
502 					    pasn->akmp, NULL);
503 
504 	pasn->fils.completed = true;
505 	return 0;
506 }
507 
508 #endif /* CONFIG_FILS */
509 
510 
wpas_pasn_get_wrapped_data(struct pasn_data * pasn)511 static struct wpabuf * wpas_pasn_get_wrapped_data(struct pasn_data *pasn)
512 {
513 	if (pasn->using_pmksa)
514 		return NULL;
515 
516 	switch (pasn->akmp) {
517 	case WPA_KEY_MGMT_PASN:
518 		/* no wrapped data */
519 		return NULL;
520 	case WPA_KEY_MGMT_SAE:
521 #ifdef CONFIG_SAE
522 		if (pasn->trans_seq == 0)
523 			return wpas_pasn_wd_sae_commit(pasn);
524 		if (pasn->trans_seq == 2)
525 			return wpas_pasn_wd_sae_confirm(pasn);
526 #endif /* CONFIG_SAE */
527 		wpa_printf(MSG_ERROR,
528 			   "PASN: SAE: Cannot derive wrapped data");
529 		return NULL;
530 	case WPA_KEY_MGMT_FILS_SHA256:
531 	case WPA_KEY_MGMT_FILS_SHA384:
532 #ifdef CONFIG_FILS
533 		return wpas_pasn_wd_fils_auth(pasn);
534 #endif /* CONFIG_FILS */
535 	case WPA_KEY_MGMT_FT_PSK:
536 	case WPA_KEY_MGMT_FT_IEEE8021X:
537 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
538 		/*
539 		 * Wrapped data with these AKMs is optional and is only needed
540 		 * for further validation of FT security parameters. For now do
541 		 * not use them.
542 		 */
543 		return NULL;
544 	default:
545 		wpa_printf(MSG_ERROR,
546 			   "PASN: TODO: Wrapped data for akmp=0x%x",
547 			   pasn->akmp);
548 		return NULL;
549 	}
550 }
551 
552 
wpas_pasn_get_wrapped_data_format(struct pasn_data * pasn)553 static u8 wpas_pasn_get_wrapped_data_format(struct pasn_data *pasn)
554 {
555 	if (pasn->using_pmksa)
556 		return WPA_PASN_WRAPPED_DATA_NO;
557 
558 	/* Note: Valid AKMP is expected to already be validated */
559 	switch (pasn->akmp) {
560 	case WPA_KEY_MGMT_SAE:
561 		return WPA_PASN_WRAPPED_DATA_SAE;
562 	case WPA_KEY_MGMT_FILS_SHA256:
563 	case WPA_KEY_MGMT_FILS_SHA384:
564 		return WPA_PASN_WRAPPED_DATA_FILS_SK;
565 	case WPA_KEY_MGMT_FT_PSK:
566 	case WPA_KEY_MGMT_FT_IEEE8021X:
567 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
568 		/*
569 		 * Wrapped data with these AKMs is optional and is only needed
570 		 * for further validation of FT security parameters. For now do
571 		 * not use them.
572 		 */
573 		return WPA_PASN_WRAPPED_DATA_NO;
574 	case WPA_KEY_MGMT_PASN:
575 	default:
576 		return WPA_PASN_WRAPPED_DATA_NO;
577 	}
578 }
579 
580 
wpas_pasn_build_auth_1(struct pasn_data * pasn,const struct wpabuf * comeback,bool verify)581 static struct wpabuf * wpas_pasn_build_auth_1(struct pasn_data *pasn,
582 					      const struct wpabuf *comeback,
583 					      bool verify)
584 {
585 	struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
586 	const u8 *pmkid;
587 	u8 wrapped_data;
588 	int ret;
589 
590 	wpa_printf(MSG_DEBUG, "PASN: Building frame 1");
591 
592 	if (pasn->trans_seq)
593 		return NULL;
594 
595 	buf = wpabuf_alloc(1500);
596 	if (!buf)
597 		goto fail;
598 
599 	/* Get public key */
600 	pubkey = crypto_ecdh_get_pubkey(pasn->ecdh, 0);
601 	pubkey = wpabuf_zeropad(pubkey, crypto_ecdh_prime_len(pasn->ecdh));
602 	if (!pubkey) {
603 		wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
604 		goto fail;
605 	}
606 
607 	wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
608 
609 	wpa_pasn_build_auth_header(buf, pasn->bssid,
610 				   pasn->own_addr, pasn->peer_addr,
611 				   pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
612 
613 	pmkid = NULL;
614 	if (wpa_key_mgmt_ft(pasn->akmp)) {
615 #ifdef CONFIG_IEEE80211R
616 		pmkid = pasn->pmk_r1_name;
617 #else /* CONFIG_IEEE80211R */
618 		goto fail;
619 #endif /* CONFIG_IEEE80211R */
620 	} else if (wrapped_data != WPA_PASN_WRAPPED_DATA_NO) {
621 		struct rsn_pmksa_cache_entry *pmksa;
622 
623 		pmksa = pmksa_cache_get(pasn->pmksa, pasn->peer_addr,
624 					pasn->own_addr, NULL, NULL, pasn->akmp);
625 		if (pmksa && pasn->custom_pmkid_valid)
626 			pmkid = pasn->custom_pmkid;
627 		else if (pmksa)
628 			pmkid = pmksa->pmkid;
629 
630 		/*
631 		 * Note: Even when PMKSA is available, also add wrapped data as
632 		 * it is possible that the PMKID is no longer valid at the AP.
633 		 */
634 		if (!verify)
635 			wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
636 	}
637 
638 	if (wpa_pasn_add_rsne(buf, pmkid, pasn->akmp, pasn->cipher) < 0)
639 		goto fail;
640 
641 	if (!wrapped_data_buf)
642 		wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
643 
644 	wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
645 				  pubkey, true, comeback, -1);
646 
647 	if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
648 		goto fail;
649 
650 	if (pasn->rsnxe_ie)
651 		wpabuf_put_data(buf, pasn->rsnxe_ie, 2 + pasn->rsnxe_ie[1]);
652 	else
653 		wpa_pasn_add_rsnxe(buf, pasn->rsnxe_capab);
654 
655 	wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len);
656 
657 	ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
658 				   wpabuf_head_u8(buf) + IEEE80211_HDRLEN,
659 				   wpabuf_len(buf) - IEEE80211_HDRLEN,
660 				   pasn->hash);
661 	if (ret) {
662 		wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
663 		goto fail;
664 	}
665 
666 	pasn->trans_seq++;
667 
668 	wpabuf_free(wrapped_data_buf);
669 	wpabuf_free(pubkey);
670 
671 	wpa_printf(MSG_DEBUG, "PASN: Frame 1: Success");
672 	return buf;
673 fail:
674 	pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
675 	wpabuf_free(wrapped_data_buf);
676 	wpabuf_free(pubkey);
677 	wpabuf_free(buf);
678 	return NULL;
679 }
680 
681 
wpas_pasn_build_auth_3(struct pasn_data * pasn)682 static struct wpabuf * wpas_pasn_build_auth_3(struct pasn_data *pasn)
683 {
684 	struct wpabuf *buf, *wrapped_data_buf = NULL;
685 	u8 mic[WPA_PASN_MAX_MIC_LEN];
686 	u8 mic_len;
687 	size_t data_len;
688 	const u8 *data;
689 	u8 *ptr;
690 	u8 wrapped_data;
691 	int ret;
692 
693 	wpa_printf(MSG_DEBUG, "PASN: Building frame 3");
694 
695 	if (pasn->trans_seq != 2)
696 		return NULL;
697 
698 	buf = wpabuf_alloc(1500);
699 	if (!buf)
700 		goto fail;
701 
702 	wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
703 
704 	wpa_pasn_build_auth_header(buf, pasn->bssid,
705 				   pasn->own_addr, pasn->peer_addr,
706 				   pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
707 
708 	wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
709 
710 	if (!wrapped_data_buf)
711 		wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
712 
713 	wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
714 				  NULL, false, NULL, -1);
715 
716 	if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
717 		goto fail;
718 	wpabuf_free(wrapped_data_buf);
719 	wrapped_data_buf = NULL;
720 
721 	if (pasn->prepare_data_element && pasn->cb_ctx)
722 		pasn->prepare_data_element(pasn->cb_ctx, pasn->peer_addr);
723 
724 	wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len);
725 
726 	/* Add the MIC */
727 	mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
728 	wpabuf_put_u8(buf, WLAN_EID_MIC);
729 	wpabuf_put_u8(buf, mic_len);
730 	ptr = wpabuf_put(buf, mic_len);
731 
732 	os_memset(ptr, 0, mic_len);
733 
734 	data = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
735 	data_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
736 
737 	ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
738 		       pasn->own_addr, pasn->peer_addr,
739 		       pasn->hash, mic_len * 2, data, data_len, mic);
740 	if (ret) {
741 		wpa_printf(MSG_DEBUG, "PASN: frame 3: Failed MIC calculation");
742 		goto fail;
743 	}
744 
745 #ifdef CONFIG_TESTING_OPTIONS
746 	if (pasn->corrupt_mic) {
747 		wpa_printf(MSG_DEBUG, "PASN: frame 3: Corrupt MIC");
748 		mic[0] = ~mic[0];
749 	}
750 #endif /* CONFIG_TESTING_OPTIONS */
751 
752 	os_memcpy(ptr, mic, mic_len);
753 
754 	pasn->trans_seq++;
755 
756 	wpa_printf(MSG_DEBUG, "PASN: frame 3: Success");
757 	return buf;
758 fail:
759 	pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
760 	wpabuf_free(wrapped_data_buf);
761 	wpabuf_free(buf);
762 	return NULL;
763 }
764 
765 
wpa_pasn_reset(struct pasn_data * pasn)766 void wpa_pasn_reset(struct pasn_data *pasn)
767 {
768 	wpa_printf(MSG_DEBUG, "PASN: Reset");
769 
770 	crypto_ecdh_deinit(pasn->ecdh);
771 	pasn->ecdh = NULL;
772 
773 
774 	pasn->akmp = 0;
775 	pasn->cipher = 0;
776 	pasn->group = 0;
777 	pasn->trans_seq = 0;
778 	pasn->pmk_len = 0;
779 	pasn->using_pmksa = false;
780 
781 	forced_memzero(pasn->pmk, sizeof(pasn->pmk));
782 	forced_memzero(&pasn->ptk, sizeof(pasn->ptk));
783 	forced_memzero(&pasn->hash, sizeof(pasn->hash));
784 
785 	wpabuf_free(pasn->beacon_rsne_rsnxe);
786 	pasn->beacon_rsne_rsnxe = NULL;
787 
788 	wpabuf_free(pasn->comeback);
789 	pasn->comeback = NULL;
790 	pasn->comeback_after = 0;
791 
792 #ifdef CONFIG_SAE
793 	sae_clear_data(&pasn->sae);
794 	if (pasn->pt) {
795 		sae_deinit_pt(pasn->pt);
796 		pasn->pt = NULL;
797 	}
798 #endif /* CONFIG_SAE */
799 
800 #ifdef CONFIG_FILS
801 	pasn->fils_eapol = false;
802 	os_memset(&pasn->fils, 0, sizeof(pasn->fils));
803 #endif /* CONFIG_FILS*/
804 
805 #ifdef CONFIG_IEEE80211R
806 	forced_memzero(pasn->pmk_r1, sizeof(pasn->pmk_r1));
807 	pasn->pmk_r1_len = 0;
808 	os_memset(pasn->pmk_r1_name, 0, sizeof(pasn->pmk_r1_name));
809 #endif /* CONFIG_IEEE80211R */
810 	pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
811 	pasn->pmksa_entry = NULL;
812 #ifdef CONFIG_TESTING_OPTIONS
813 	pasn->corrupt_mic = 0;
814 #endif /* CONFIG_TESTING_OPTIONS */
815 	pasn->network_id = 0;
816 	pasn->derive_kdk = false;
817 	pasn->rsn_ie = NULL;
818 	pasn->rsn_ie_len = 0;
819 	os_free(pasn->rsnxe_ie);
820 	pasn->rsnxe_ie = NULL;
821 	pasn->custom_pmkid_valid = false;
822 
823 	if (pasn->extra_ies) {
824 		os_free((u8 *) pasn->extra_ies);
825 		pasn->extra_ies = NULL;
826 	}
827 
828 	wpabuf_free(pasn->frame);
829 	pasn->frame = NULL;
830 }
831 
832 
wpas_pasn_set_pmk(struct pasn_data * pasn,struct wpa_ie_data * rsn_data,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data)833 static int wpas_pasn_set_pmk(struct pasn_data *pasn,
834 			     struct wpa_ie_data *rsn_data,
835 			     struct wpa_pasn_params_data *pasn_data,
836 			     struct wpabuf *wrapped_data)
837 {
838 	static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
839 
840 	os_memset(pasn->pmk, 0, sizeof(pasn->pmk));
841 	pasn->pmk_len = 0;
842 
843 	if (pasn->akmp == WPA_KEY_MGMT_PASN) {
844 		wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
845 
846 		pasn->pmk_len = WPA_PASN_PMK_LEN;
847 		os_memcpy(pasn->pmk, pasn_default_pmk,
848 			  sizeof(pasn_default_pmk));
849 		return 0;
850 	}
851 
852 	if (wpa_key_mgmt_ft(pasn->akmp)) {
853 #ifdef CONFIG_IEEE80211R
854 		wpa_printf(MSG_DEBUG, "PASN: FT: Using PMK-R1");
855 		pasn->pmk_len = pasn->pmk_r1_len;
856 		os_memcpy(pasn->pmk, pasn->pmk_r1, pasn->pmk_r1_len);
857 		pasn->using_pmksa = true;
858 		return 0;
859 #else /* CONFIG_IEEE80211R */
860 		wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
861 		return -1;
862 #endif /* CONFIG_IEEE80211R */
863 	}
864 
865 	if (rsn_data->num_pmkid) {
866 		int ret;
867 		struct rsn_pmksa_cache_entry *pmksa;
868 		const u8 *pmkid = NULL;
869 
870 		if (pasn->custom_pmkid_valid) {
871 			ret = pasn->validate_custom_pmkid(pasn->cb_ctx,
872 							  pasn->peer_addr,
873 							  rsn_data->pmkid);
874 			if (ret) {
875 				wpa_printf(MSG_DEBUG,
876 					   "PASN: Failed custom PMKID validation");
877 				return -1;
878 			}
879 		} else {
880 			pmkid = rsn_data->pmkid;
881 		}
882 
883 		pmksa = pmksa_cache_get(pasn->pmksa, pasn->peer_addr,
884 					pasn->own_addr,
885 					pmkid, NULL, pasn->akmp);
886 		if (pmksa) {
887 			wpa_printf(MSG_DEBUG, "PASN: Using PMKSA");
888 
889 			pasn->pmk_len = pmksa->pmk_len;
890 			os_memcpy(pasn->pmk, pmksa->pmk, pmksa->pmk_len);
891 			pasn->using_pmksa = true;
892 
893 			return 0;
894 		}
895 	}
896 
897 #ifdef CONFIG_SAE
898 	if (pasn->akmp == WPA_KEY_MGMT_SAE) {
899 		int ret;
900 
901 		ret = wpas_pasn_wd_sae_rx(pasn, wrapped_data);
902 		if (ret) {
903 			wpa_printf(MSG_DEBUG,
904 				   "PASN: Failed processing SAE wrapped data");
905 			pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
906 			return -1;
907 		}
908 
909 		wpa_printf(MSG_DEBUG, "PASN: Success deriving PMK with SAE");
910 		pasn->pmk_len = PMK_LEN;
911 		os_memcpy(pasn->pmk, pasn->sae.pmk, PMK_LEN);
912 
913 		pasn->pmksa_entry = pmksa_cache_add(pasn->pmksa, pasn->pmk,
914 						    pasn->pmk_len,
915 						    pasn->sae.pmkid,
916 						    NULL, 0, pasn->peer_addr,
917 						    pasn->own_addr, NULL,
918 						    pasn->akmp, NULL);
919 		return 0;
920 	}
921 #endif /* CONFIG_SAE */
922 
923 #ifdef CONFIG_FILS
924 	if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
925 	    pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
926 		int ret;
927 
928 		ret = wpas_pasn_wd_fils_rx(pasn, wrapped_data);
929 		if (ret) {
930 			wpa_printf(MSG_DEBUG,
931 				   "PASN: Failed processing FILS wrapped data");
932 			pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
933 			return -1;
934 		}
935 
936 		return 0;
937 	}
938 #endif	/* CONFIG_FILS */
939 
940 	/* TODO: Derive PMK based on wrapped data */
941 	wpa_printf(MSG_DEBUG, "PASN: Missing implementation to derive PMK");
942 	pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
943 	return -1;
944 }
945 
946 
wpas_pasn_send_auth_1(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback,bool verify)947 static int wpas_pasn_send_auth_1(struct pasn_data *pasn, const u8 *own_addr,
948 				 const u8 *peer_addr, const u8 *bssid, int akmp,
949 				 int cipher, u16 group, int freq,
950 				 const u8 *beacon_rsne, u8 beacon_rsne_len,
951 				 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
952 				 const struct wpabuf *comeback, bool verify)
953 {
954 	struct wpabuf *frame;
955 	int ret;
956 
957 	pasn->ecdh = crypto_ecdh_init(group);
958 	if (!pasn->ecdh) {
959 		wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
960 		goto fail;
961 	}
962 
963 	if (beacon_rsne && beacon_rsne_len) {
964 		pasn->beacon_rsne_rsnxe = wpabuf_alloc(beacon_rsne_len +
965 						       beacon_rsnxe_len);
966 		if (!pasn->beacon_rsne_rsnxe) {
967 			wpa_printf(MSG_DEBUG,
968 				   "PASN: Failed storing beacon RSNE/RSNXE");
969 			goto fail;
970 		}
971 
972 		wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsne,
973 				beacon_rsne_len);
974 		if (beacon_rsnxe && beacon_rsnxe_len)
975 			wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsnxe,
976 					beacon_rsnxe_len);
977 	}
978 
979 	pasn->akmp = akmp;
980 	pasn->cipher = cipher;
981 	pasn->group = group;
982 	pasn->freq = freq;
983 
984 	os_memcpy(pasn->own_addr, own_addr, ETH_ALEN);
985 	os_memcpy(pasn->peer_addr, peer_addr, ETH_ALEN);
986 	os_memcpy(pasn->bssid, bssid, ETH_ALEN);
987 
988 	wpa_printf(MSG_DEBUG,
989 		   "PASN: Init%s: " MACSTR " akmp=0x%x, cipher=0x%x, group=%u",
990 		   verify ? " (verify)" : "",
991 		   MAC2STR(pasn->peer_addr), pasn->akmp, pasn->cipher,
992 		   pasn->group);
993 
994 	frame = wpas_pasn_build_auth_1(pasn, comeback, verify);
995 	if (!frame) {
996 		wpa_printf(MSG_DEBUG, "PASN: Failed building 1st auth frame");
997 		goto fail;
998 	}
999 
1000 	wpabuf_free(pasn->frame);
1001 	pasn->frame = NULL;
1002 
1003 	ret = pasn->send_mgmt(pasn->cb_ctx,
1004 			      wpabuf_head(frame), wpabuf_len(frame), 0,
1005 			      pasn->freq, 1000);
1006 
1007 	if (ret) {
1008 		wpa_printf(MSG_DEBUG, "PASN: Failed sending 1st auth frame");
1009 		wpabuf_free(frame);
1010 		goto fail;
1011 	}
1012 
1013 	pasn->frame = frame;
1014 	return 0;
1015 
1016 fail:
1017 	return -1;
1018 }
1019 
1020 
wpas_pasn_start(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback)1021 int wpas_pasn_start(struct pasn_data *pasn, const u8 *own_addr,
1022 		    const u8 *peer_addr, const u8 *bssid,
1023 		    int akmp, int cipher, u16 group,
1024 		    int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
1025 		    const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
1026 		    const struct wpabuf *comeback)
1027 {
1028 	/* TODO: Currently support only ECC groups */
1029 	if (!dragonfly_suitable_group(group, 1)) {
1030 		wpa_printf(MSG_DEBUG,
1031 			   "PASN: Reject unsuitable group %u", group);
1032 		return -1;
1033 	}
1034 
1035 	switch (akmp) {
1036 	case WPA_KEY_MGMT_PASN:
1037 		break;
1038 #ifdef CONFIG_SAE
1039 	case WPA_KEY_MGMT_SAE:
1040 
1041 		if (beacon_rsnxe &&
1042 		    !ieee802_11_rsnx_capab(beacon_rsnxe,
1043 					   WLAN_RSNX_CAPAB_SAE_H2E)) {
1044 			wpa_printf(MSG_DEBUG,
1045 				   "PASN: AP does not support SAE H2E");
1046 			return -1;
1047 		}
1048 
1049 		pasn->sae.state = SAE_NOTHING;
1050 		pasn->sae.send_confirm = 0;
1051 		break;
1052 #endif /* CONFIG_SAE */
1053 #ifdef CONFIG_FILS
1054 	case WPA_KEY_MGMT_FILS_SHA256:
1055 	case WPA_KEY_MGMT_FILS_SHA384:
1056 		break;
1057 #endif /* CONFIG_FILS */
1058 #ifdef CONFIG_IEEE80211R
1059 	case WPA_KEY_MGMT_FT_PSK:
1060 	case WPA_KEY_MGMT_FT_IEEE8021X:
1061 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
1062 		break;
1063 #endif /* CONFIG_IEEE80211R */
1064 	default:
1065 		wpa_printf(MSG_ERROR, "PASN: Unsupported AKMP=0x%x", akmp);
1066 		return -1;
1067 	}
1068 
1069 	return wpas_pasn_send_auth_1(pasn, own_addr, peer_addr, bssid, akmp,
1070 				     cipher, group,
1071 				     freq, beacon_rsne, beacon_rsne_len,
1072 				     beacon_rsnxe, beacon_rsnxe_len, comeback,
1073 				     false);
1074 }
1075 
1076 /*
1077  * Wi-Fi Aware uses PASN handshake to authenticate peer devices.
1078  * Devices can simply verify each other for subsequent sessions using
1079  * pairing verification procedure.
1080  *
1081  * In pairing verification, Wi-Fi aware devices use PASN authentication
1082  * frames with a custom PMKID and Wi-Fi Aware R4 specific verification IEs.
1083  * It does not use wrapped data in the Authentication frames. This function
1084  * provides support to construct PASN Authentication frames for pairing
1085  * verification.
1086  */
wpa_pasn_verify(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback)1087 int wpa_pasn_verify(struct pasn_data *pasn, const u8 *own_addr,
1088 		    const u8 *peer_addr, const u8 *bssid,
1089 		    int akmp, int cipher, u16 group,
1090 		    int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
1091 		    const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
1092 		    const struct wpabuf *comeback)
1093 {
1094 	return wpas_pasn_send_auth_1(pasn, own_addr, peer_addr, bssid, akmp,
1095 				     cipher, group, freq, beacon_rsne,
1096 				     beacon_rsne_len, beacon_rsnxe,
1097 				     beacon_rsnxe_len, comeback, true);
1098 }
1099 
1100 
is_pasn_auth_frame(struct pasn_data * pasn,const struct ieee80211_mgmt * mgmt,size_t len,bool rx)1101 static bool is_pasn_auth_frame(struct pasn_data *pasn,
1102 			       const struct ieee80211_mgmt *mgmt,
1103 			       size_t len, bool rx)
1104 {
1105 	u16 fc;
1106 
1107 	if (!mgmt || len < offsetof(struct ieee80211_mgmt, u.auth.variable))
1108 		return false;
1109 
1110 	/* Not an Authentication frame; do nothing */
1111 	fc = le_to_host16(mgmt->frame_control);
1112 	if (WLAN_FC_GET_TYPE(fc) != WLAN_FC_TYPE_MGMT ||
1113 	    WLAN_FC_GET_STYPE(fc) != WLAN_FC_STYPE_AUTH)
1114 		return false;
1115 
1116 	/* Not our frame; do nothing */
1117 	if (!ether_addr_equal(mgmt->bssid, pasn->bssid))
1118 		return false;
1119 
1120 	if (rx && (!ether_addr_equal(mgmt->da, pasn->own_addr) ||
1121 		   !ether_addr_equal(mgmt->sa, pasn->peer_addr)))
1122 		return false;
1123 
1124 	if (!rx && (!ether_addr_equal(mgmt->sa, pasn->own_addr) ||
1125 		    !ether_addr_equal(mgmt->da, pasn->peer_addr)))
1126 		return false;
1127 
1128 	/* Not PASN; do nothing */
1129 	if (mgmt->u.auth.auth_alg != host_to_le16(WLAN_AUTH_PASN))
1130 		return false;
1131 
1132 	return true;
1133 }
1134 
1135 
wpa_pasn_auth_rx(struct pasn_data * pasn,const u8 * data,size_t len,struct wpa_pasn_params_data * pasn_params)1136 int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
1137 		     struct wpa_pasn_params_data *pasn_params)
1138 
1139 {
1140 	struct ieee802_11_elems elems;
1141 	struct wpa_ie_data rsn_data;
1142 	const struct ieee80211_mgmt *mgmt =
1143 		(const struct ieee80211_mgmt *) data;
1144 	struct wpabuf *wrapped_data = NULL, *secret = NULL, *frame = NULL;
1145 	u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
1146 	u8 mic_len;
1147 	u16 status;
1148 	int ret, inc_y;
1149 	u8 *copy = NULL;
1150 	size_t mic_offset, copy_len;
1151 
1152 	if (!is_pasn_auth_frame(pasn, mgmt, len, true))
1153 		return -2;
1154 
1155 	if (mgmt->u.auth.auth_transaction !=
1156 	    host_to_le16(pasn->trans_seq + 1)) {
1157 		wpa_printf(MSG_DEBUG,
1158 			   "PASN: RX: Invalid transaction sequence: (%u != %u)",
1159 			   le_to_host16(mgmt->u.auth.auth_transaction),
1160 			   pasn->trans_seq + 1);
1161 		return -3;
1162 	}
1163 
1164 	status = le_to_host16(mgmt->u.auth.status_code);
1165 
1166 	if (status != WLAN_STATUS_SUCCESS &&
1167 	    status != WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1168 		wpa_printf(MSG_DEBUG,
1169 			   "PASN: Authentication rejected - status=%u", status);
1170 		goto fail;
1171 	}
1172 
1173 	if (ieee802_11_parse_elems(mgmt->u.auth.variable,
1174 				   len - offsetof(struct ieee80211_mgmt,
1175 						  u.auth.variable),
1176 				   &elems, 0) == ParseFailed) {
1177 		wpa_printf(MSG_DEBUG,
1178 			   "PASN: Failed parsing Authentication frame");
1179 		goto fail;
1180 	}
1181 
1182 	/* Check that the MIC IE exists. Save it and zero out the memory */
1183 	mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
1184 	if (status == WLAN_STATUS_SUCCESS) {
1185 		if (!elems.mic || elems.mic_len != mic_len) {
1186 			wpa_printf(MSG_DEBUG,
1187 				   "PASN: Invalid MIC. Expecting len=%u",
1188 				   mic_len);
1189 			goto fail;
1190 		}
1191 		os_memcpy(mic, elems.mic, mic_len);
1192 	}
1193 
1194 	if (!elems.pasn_params || !elems.pasn_params_len) {
1195 		wpa_printf(MSG_DEBUG,
1196 			   "PASN: Missing PASN Parameters IE");
1197 		goto fail;
1198 	}
1199 
1200 	if (!pasn_params) {
1201 		wpa_printf(MSG_DEBUG, "PASN: pasn_params == NULL");
1202 		goto fail;
1203 	}
1204 
1205 	ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
1206 					  elems.pasn_params_len + 3,
1207 					  true, pasn_params);
1208 	if (ret) {
1209 		wpa_printf(MSG_DEBUG,
1210 			   "PASN: Failed validation PASN of Parameters IE");
1211 		goto fail;
1212 	}
1213 
1214 	if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1215 		wpa_printf(MSG_DEBUG,
1216 			   "PASN: Authentication temporarily rejected");
1217 
1218 		if (pasn_params->comeback && pasn_params->comeback_len) {
1219 			wpa_printf(MSG_DEBUG,
1220 				   "PASN: Comeback token available. After=%u",
1221 				   pasn_params->after);
1222 
1223 			if (!pasn_params->after)
1224 				return 1;
1225 
1226 			pasn->comeback = wpabuf_alloc_copy(
1227 				pasn_params->comeback,
1228 				pasn_params->comeback_len);
1229 			if (pasn->comeback)
1230 				pasn->comeback_after = pasn_params->after;
1231 		}
1232 
1233 		pasn->status = status;
1234 		goto fail;
1235 	}
1236 
1237 	if (!elems.rsn_ie) {
1238 		wpa_printf(MSG_DEBUG, "PASN: Missing RSNE");
1239 		goto fail;
1240 	}
1241 
1242 	ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1243 			       &rsn_data);
1244 	if (ret) {
1245 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE");
1246 		goto fail;
1247 	}
1248 
1249 	ret = wpa_pasn_validate_rsne(&rsn_data);
1250 	if (ret) {
1251 		wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
1252 		goto fail;
1253 	}
1254 
1255 	if (pasn->akmp != rsn_data.key_mgmt ||
1256 	    pasn->cipher != rsn_data.pairwise_cipher) {
1257 		wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
1258 		goto fail;
1259 	}
1260 
1261 	if (pasn->group != pasn_params->group) {
1262 		wpa_printf(MSG_DEBUG, "PASN: Mismatch in group");
1263 		goto fail;
1264 	}
1265 
1266 	if (!pasn_params->pubkey || !pasn_params->pubkey_len) {
1267 		wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
1268 		goto fail;
1269 	}
1270 
1271 	if (pasn_params->pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
1272 		inc_y = 1;
1273 	} else if (pasn_params->pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
1274 		   pasn_params->pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
1275 		inc_y = 0;
1276 	} else {
1277 		wpa_printf(MSG_DEBUG,
1278 			   "PASN: Invalid first octet in pubkey=0x%x",
1279 			   pasn_params->pubkey[0]);
1280 		goto fail;
1281 	}
1282 
1283 	secret = crypto_ecdh_set_peerkey(pasn->ecdh, inc_y,
1284 					 pasn_params->pubkey + 1,
1285 					 pasn_params->pubkey_len - 1);
1286 
1287 	if (!secret) {
1288 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
1289 		goto fail;
1290 	}
1291 
1292 	if (pasn_params->wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
1293 		wrapped_data = ieee802_11_defrag(elems.wrapped_data,
1294 						 elems.wrapped_data_len,
1295 						 true);
1296 
1297 		if (!wrapped_data) {
1298 			wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
1299 			goto fail;
1300 		}
1301 	}
1302 
1303 	ret = wpas_pasn_set_pmk(pasn, &rsn_data, pasn_params, wrapped_data);
1304 	if (ret) {
1305 		wpa_printf(MSG_DEBUG, "PASN: Failed to set PMK");
1306 		goto fail;
1307 	}
1308 
1309 	ret = pasn_pmk_to_ptk(pasn->pmk, pasn->pmk_len,
1310 			      pasn->own_addr, pasn->peer_addr,
1311 			      wpabuf_head(secret), wpabuf_len(secret),
1312 			      &pasn->ptk, pasn->akmp, pasn->cipher,
1313 			      pasn->kdk_len, pasn->kek_len);
1314 	if (ret) {
1315 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
1316 		goto fail;
1317 	}
1318 
1319 	if (pasn->secure_ltf) {
1320 		ret = wpa_ltf_keyseed(&pasn->ptk, pasn->akmp, pasn->cipher);
1321 		if (ret) {
1322 			wpa_printf(MSG_DEBUG,
1323 				   "PASN: Failed to derive LTF keyseed");
1324 			goto fail;
1325 		}
1326 	}
1327 
1328 	wpabuf_free(wrapped_data);
1329 	wrapped_data = NULL;
1330 	wpabuf_free(secret);
1331 	secret = NULL;
1332 
1333 	/* Use a copy of the message since we need to clear the MIC field */
1334 	if (!elems.mic)
1335 		goto fail;
1336 	mic_offset = elems.mic - (const u8 *) &mgmt->u.auth;
1337 	copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
1338 	if (mic_offset + mic_len > copy_len)
1339 		goto fail;
1340 	copy = os_memdup(&mgmt->u.auth, copy_len);
1341 	if (!copy)
1342 		goto fail;
1343 	os_memset(copy + mic_offset, 0, mic_len);
1344 
1345 	if (pasn->beacon_rsne_rsnxe) {
1346 		/* Verify the MIC */
1347 		ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1348 			       pasn->peer_addr, pasn->own_addr,
1349 			       wpabuf_head(pasn->beacon_rsne_rsnxe),
1350 			       wpabuf_len(pasn->beacon_rsne_rsnxe),
1351 			       copy, copy_len, out_mic);
1352 	} else {
1353 		u8 *rsne_rsnxe;
1354 		size_t rsne_rsnxe_len = 0;
1355 
1356 		/*
1357 		 * Note: When Beacon rsne_rsnxe is not initialized, it is likely
1358 		 * that this is for Wi-Fi Aware using PASN handshake for which
1359 		 * Beacon RSNE/RSNXE are same as RSNE/RSNXE in the
1360 		 * Authentication frame
1361 		 */
1362 		if (elems.rsn_ie && elems.rsn_ie_len)
1363 			rsne_rsnxe_len += elems.rsn_ie_len + 2;
1364 		if (elems.rsnxe && elems.rsnxe_len)
1365 			rsne_rsnxe_len += elems.rsnxe_len + 2;
1366 
1367 		rsne_rsnxe = os_zalloc(rsne_rsnxe_len);
1368 		if (!rsne_rsnxe)
1369 			goto fail;
1370 
1371 		if (elems.rsn_ie && elems.rsn_ie_len)
1372 			os_memcpy(rsne_rsnxe, elems.rsn_ie - 2,
1373 				  elems.rsn_ie_len + 2);
1374 		if (elems.rsnxe && elems.rsnxe_len)
1375 			os_memcpy(rsne_rsnxe + elems.rsn_ie_len + 2,
1376 				  elems.rsnxe - 2, elems.rsnxe_len + 2);
1377 
1378 		wpa_hexdump_key(MSG_DEBUG, "PASN: RSN + RSNXE buf",
1379 				rsne_rsnxe, rsne_rsnxe_len);
1380 
1381 		/* Verify the MIC */
1382 		ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1383 			       pasn->peer_addr, pasn->own_addr,
1384 			       rsne_rsnxe,
1385 			       rsne_rsnxe_len,
1386 			       copy, copy_len, out_mic);
1387 
1388 		os_free(rsne_rsnxe);
1389 	}
1390 	os_free(copy);
1391 	copy = NULL;
1392 
1393 	wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
1394 	if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
1395 		wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
1396 		goto fail;
1397 	}
1398 
1399 	pasn->trans_seq++;
1400 
1401 	wpa_printf(MSG_DEBUG, "PASN: Success verifying Authentication frame");
1402 
1403 	if (pasn_parse_encrypted_data(pasn, data, len) < 0) {
1404 		wpa_printf(MSG_DEBUG, "PASN: Encrypted data processing failed");
1405 		goto fail;
1406 	}
1407 
1408 	frame = wpas_pasn_build_auth_3(pasn);
1409 	if (!frame) {
1410 		wpa_printf(MSG_DEBUG, "PASN: Failed building 3rd auth frame");
1411 		goto fail;
1412 	}
1413 
1414 	wpabuf_free(pasn->frame);
1415 	pasn->frame = NULL;
1416 
1417 	ret = pasn->send_mgmt(pasn->cb_ctx,
1418 			      wpabuf_head(frame), wpabuf_len(frame), 0,
1419 			      pasn->freq, 100);
1420 	if (ret) {
1421 		wpa_printf(MSG_DEBUG, "PASN: Failed sending 3st auth frame");
1422 		wpabuf_free(frame);
1423 		goto fail;
1424 	}
1425 
1426 	pasn->frame = frame;
1427 	wpa_printf(MSG_DEBUG, "PASN: Success sending last frame. Store PTK");
1428 
1429 	pasn->status = WLAN_STATUS_SUCCESS;
1430 
1431 	return 0;
1432 fail:
1433 	wpa_printf(MSG_DEBUG, "PASN: Failed RX processing - terminating");
1434 	wpabuf_free(wrapped_data);
1435 	wpabuf_free(secret);
1436 	os_free(copy);
1437 
1438 	/*
1439 	 * TODO: In case of an error the standard allows to silently drop
1440 	 * the frame and terminate the authentication exchange. However, better
1441 	 * reply to the AP with an error status.
1442 	 */
1443 	if (status == WLAN_STATUS_SUCCESS)
1444 		pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1445 	else
1446 		pasn->status = status;
1447 
1448 	return -1;
1449 }
1450 
1451 
wpa_pasn_auth_tx_status(struct pasn_data * pasn,const u8 * data,size_t data_len,u8 acked)1452 int wpa_pasn_auth_tx_status(struct pasn_data *pasn,
1453 			    const u8 *data, size_t data_len, u8 acked)
1454 
1455 {
1456 	const struct ieee80211_mgmt *mgmt =
1457 		(const struct ieee80211_mgmt *) data;
1458 
1459 	wpa_printf(MSG_DEBUG, "PASN: auth_tx_status: acked=%u", acked);
1460 
1461 	if (!is_pasn_auth_frame(pasn, mgmt, data_len, false))
1462 		return -1;
1463 
1464 	if (mgmt->u.auth.auth_transaction != host_to_le16(pasn->trans_seq)) {
1465 		wpa_printf(MSG_ERROR,
1466 			   "PASN: Invalid transaction sequence: (%u != %u)",
1467 			   pasn->trans_seq,
1468 			   le_to_host16(mgmt->u.auth.auth_transaction));
1469 		return 0;
1470 	}
1471 
1472 	wpa_printf(MSG_ERROR,
1473 		   "PASN: auth with trans_seq=%u, acked=%u", pasn->trans_seq,
1474 		   acked);
1475 
1476 	/*
1477 	 * Even if the frame was not acked, do not treat this is an error, and
1478 	 * try to complete the flow, relying on the PASN timeout callback to
1479 	 * clean up.
1480 	 */
1481 	if (pasn->trans_seq == 3) {
1482 		wpa_printf(MSG_DEBUG, "PASN: auth complete with: " MACSTR,
1483 			   MAC2STR(pasn->peer_addr));
1484 		/*
1485 		 * Either frame was not ACKed or it was ACKed but the trans_seq
1486 		 * != 1, i.e., not expecting an RX frame, so we are done.
1487 		 */
1488 		return 1;
1489 	}
1490 
1491 	return 0;
1492 }
1493