1 /*
2 * PASN initiator processing
3 *
4 * Copyright (C) 2019, Intel Corporation
5 * Copyright (C) 2022, Qualcomm Innovation Center, Inc.
6 *
7 * This software may be distributed under the terms of the BSD license.
8 * See README for more details.
9 */
10
11 #include "utils/includes.h"
12
13 #include "utils/common.h"
14 #include "common/wpa_common.h"
15 #include "common/sae.h"
16 #include "common/ieee802_11_common.h"
17 #include "common/ieee802_11_defs.h"
18 #include "common/dragonfly.h"
19 #include "crypto/sha384.h"
20 #include "crypto/crypto.h"
21 #include "crypto/random.h"
22 #include "eap_common/eap_defs.h"
23 #include "eapol_supp/eapol_supp_sm.h"
24 #include "rsn_supp/wpa.h"
25 #include "rsn_supp/pmksa_cache.h"
26 #include "pasn_common.h"
27
28
pasn_initiator_pmksa_cache_init(void)29 struct rsn_pmksa_cache * pasn_initiator_pmksa_cache_init(void)
30 {
31 return pmksa_cache_init(NULL, NULL, NULL, NULL, NULL);
32 }
33
34
pasn_initiator_pmksa_cache_deinit(struct rsn_pmksa_cache * pmksa)35 void pasn_initiator_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa)
36 {
37 return pmksa_cache_deinit(pmksa);
38 }
39
40
pasn_initiator_pmksa_cache_add(struct rsn_pmksa_cache * pmksa,const u8 * own_addr,const u8 * bssid,const u8 * pmk,size_t pmk_len,const u8 * pmkid)41 int pasn_initiator_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
42 const u8 *own_addr, const u8 *bssid,
43 const u8 *pmk,
44 size_t pmk_len, const u8 *pmkid)
45 {
46 if (pmksa_cache_add(pmksa, pmk, pmk_len, pmkid, NULL, 0, bssid,
47 own_addr, NULL, WPA_KEY_MGMT_SAE, NULL))
48 return 0;
49 return -1;
50 }
51
52
pasn_initiator_pmksa_cache_remove(struct rsn_pmksa_cache * pmksa,const u8 * bssid)53 void pasn_initiator_pmksa_cache_remove(struct rsn_pmksa_cache *pmksa,
54 const u8 *bssid)
55 {
56 struct rsn_pmksa_cache_entry *entry;
57
58 entry = pmksa_cache_get(pmksa, bssid, NULL, NULL, NULL, 0);
59 if (!entry)
60 return;
61
62 pmksa_cache_remove(pmksa, entry);
63 }
64
65
pasn_initiator_pmksa_cache_get(struct rsn_pmksa_cache * pmksa,const u8 * bssid,u8 * pmkid,u8 * pmk,size_t * pmk_len)66 int pasn_initiator_pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
67 const u8 *bssid, u8 *pmkid, u8 *pmk,
68 size_t *pmk_len)
69 {
70 struct rsn_pmksa_cache_entry *entry;
71
72 entry = pmksa_cache_get(pmksa, bssid, NULL, NULL, NULL, 0);
73 if (entry) {
74 os_memcpy(pmkid, entry->pmkid, PMKID_LEN);
75 os_memcpy(pmk, entry->pmk, entry->pmk_len);
76 *pmk_len = entry->pmk_len;
77 return 0;
78 }
79 return -1;
80 }
81
82
pasn_initiator_pmksa_cache_flush(struct rsn_pmksa_cache * pmksa)83 void pasn_initiator_pmksa_cache_flush(struct rsn_pmksa_cache *pmksa)
84 {
85 return pmksa_cache_flush(pmksa, NULL, NULL, 0, false);
86 }
87
88
pasn_set_initiator_pmksa(struct pasn_data * pasn,struct rsn_pmksa_cache * pmksa)89 void pasn_set_initiator_pmksa(struct pasn_data *pasn,
90 struct rsn_pmksa_cache *pmksa)
91 {
92 if (pasn)
93 pasn->pmksa = pmksa;
94 }
95
96
97 #ifdef CONFIG_SAE
98
wpas_pasn_wd_sae_commit(struct pasn_data * pasn)99 static struct wpabuf * wpas_pasn_wd_sae_commit(struct pasn_data *pasn)
100 {
101 struct wpabuf *buf = NULL;
102 int ret;
103
104 ret = sae_set_group(&pasn->sae, pasn->group);
105 if (ret) {
106 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
107 return NULL;
108 }
109
110 ret = sae_prepare_commit_pt(&pasn->sae, pasn->pt,
111 pasn->own_addr, pasn->peer_addr,
112 NULL, NULL);
113 if (ret) {
114 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
115 return NULL;
116 }
117
118 /* Need to add the entire Authentication frame body */
119 buf = wpabuf_alloc(6 + SAE_COMMIT_MAX_LEN);
120 if (!buf) {
121 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
122 return NULL;
123 }
124
125 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
126 wpabuf_put_le16(buf, 1);
127 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
128
129 sae_write_commit(&pasn->sae, buf, NULL, NULL);
130 pasn->sae.state = SAE_COMMITTED;
131
132 return buf;
133 }
134
135
wpas_pasn_wd_sae_rx(struct pasn_data * pasn,struct wpabuf * wd)136 static int wpas_pasn_wd_sae_rx(struct pasn_data *pasn, struct wpabuf *wd)
137 {
138 const u8 *data;
139 size_t buf_len;
140 u16 len, res, alg, seq, status;
141 int groups[] = { pasn->group, 0 };
142 int ret;
143
144 if (!wd)
145 return -1;
146
147 data = wpabuf_head_u8(wd);
148 buf_len = wpabuf_len(wd);
149
150 /* first handle the commit message */
151 if (buf_len < 2) {
152 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (commit)");
153 return -1;
154 }
155
156 len = WPA_GET_LE16(data);
157 if (len < 6 || buf_len - 2 < len) {
158 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for commit");
159 return -1;
160 }
161
162 buf_len -= 2;
163 data += 2;
164
165 alg = WPA_GET_LE16(data);
166 seq = WPA_GET_LE16(data + 2);
167 status = WPA_GET_LE16(data + 4);
168
169 wpa_printf(MSG_DEBUG, "PASN: SAE: commit: alg=%u, seq=%u, status=%u",
170 alg, seq, status);
171
172 if (alg != WLAN_AUTH_SAE || seq != 1 ||
173 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
174 wpa_printf(MSG_DEBUG, "PASN: SAE: dropping peer commit");
175 return -1;
176 }
177
178 res = sae_parse_commit(&pasn->sae, data + 6, len - 6, NULL, NULL,
179 groups, 1, NULL);
180 if (res != WLAN_STATUS_SUCCESS) {
181 wpa_printf(MSG_DEBUG, "PASN: SAE failed parsing commit");
182 return -1;
183 }
184
185 /* Process the commit message and derive the PMK */
186 ret = sae_process_commit(&pasn->sae);
187 if (ret) {
188 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
189 return -1;
190 }
191
192 buf_len -= len;
193 data += len;
194
195 /* Handle the confirm message */
196 if (buf_len < 2) {
197 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (confirm)");
198 return -1;
199 }
200
201 len = WPA_GET_LE16(data);
202 if (len < 6 || buf_len - 2 < len) {
203 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for confirm");
204 return -1;
205 }
206
207 buf_len -= 2;
208 data += 2;
209
210 alg = WPA_GET_LE16(data);
211 seq = WPA_GET_LE16(data + 2);
212 status = WPA_GET_LE16(data + 4);
213
214 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
215 alg, seq, status);
216
217 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
218 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
219 return -1;
220 }
221
222 res = sae_check_confirm(&pasn->sae, data + 6, len - 6, NULL);
223 if (res != WLAN_STATUS_SUCCESS) {
224 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
225 return -1;
226 }
227
228 wpa_printf(MSG_DEBUG, "PASN: SAE completed successfully");
229 pasn->sae.state = SAE_ACCEPTED;
230
231 return 0;
232 }
233
234
wpas_pasn_wd_sae_confirm(struct pasn_data * pasn)235 static struct wpabuf * wpas_pasn_wd_sae_confirm(struct pasn_data *pasn)
236 {
237 struct wpabuf *buf = NULL;
238
239 /* Need to add the entire authentication frame body */
240 buf = wpabuf_alloc(6 + SAE_CONFIRM_MAX_LEN);
241 if (!buf) {
242 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
243 return NULL;
244 }
245
246 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
247 wpabuf_put_le16(buf, 2);
248 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
249
250 sae_write_confirm(&pasn->sae, buf);
251 pasn->sae.state = SAE_CONFIRMED;
252
253 return buf;
254 }
255
256 #endif /* CONFIG_SAE */
257
258
259 #ifdef CONFIG_FILS
260
wpas_pasn_fils_build_auth(struct pasn_data * pasn)261 static struct wpabuf * wpas_pasn_fils_build_auth(struct pasn_data *pasn)
262 {
263 struct wpabuf *buf = NULL;
264 struct wpabuf *erp_msg;
265 int ret;
266
267 erp_msg = eapol_sm_build_erp_reauth_start(pasn->eapol);
268 if (!erp_msg) {
269 wpa_printf(MSG_DEBUG,
270 "PASN: FILS: ERP EAP-Initiate/Re-auth unavailable");
271 return NULL;
272 }
273
274 if (random_get_bytes(pasn->fils.nonce, FILS_NONCE_LEN) < 0 ||
275 random_get_bytes(pasn->fils.session, FILS_SESSION_LEN) < 0)
276 goto fail;
277
278 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", pasn->fils.nonce,
279 FILS_NONCE_LEN);
280
281 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", pasn->fils.session,
282 FILS_SESSION_LEN);
283
284 buf = wpabuf_alloc(1500);
285 if (!buf)
286 goto fail;
287
288 /* Add the authentication algorithm */
289 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
290
291 /* Authentication Transaction seq# */
292 wpabuf_put_le16(buf, 1);
293
294 /* Status Code */
295 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
296
297 /* Own RSNE */
298 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
299
300 /* FILS Nonce */
301 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
302 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
303 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
304 wpabuf_put_data(buf, pasn->fils.nonce, FILS_NONCE_LEN);
305
306 /* FILS Session */
307 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
308 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
309 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
310 wpabuf_put_data(buf, pasn->fils.session, FILS_SESSION_LEN);
311
312 /* Wrapped Data (ERP) */
313 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
314 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg));
315 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
316 wpabuf_put_buf(buf, erp_msg);
317
318 /*
319 * Calculate pending PMKID here so that we do not need to maintain a
320 * copy of the EAP-Initiate/Reauth message.
321 */
322 ret = fils_pmkid_erp(pasn->akmp, wpabuf_head(erp_msg),
323 wpabuf_len(erp_msg),
324 pasn->fils.erp_pmkid);
325 if (ret) {
326 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ERP PMKID");
327 goto fail;
328 }
329
330 wpabuf_free(erp_msg);
331 erp_msg = NULL;
332
333 wpa_hexdump_buf(MSG_DEBUG, "PASN: FILS: Authentication frame", buf);
334 return buf;
335 fail:
336 wpabuf_free(erp_msg);
337 wpabuf_free(buf);
338 return NULL;
339 }
340
341
wpas_pasn_wd_fils_auth(struct pasn_data * pasn)342 static struct wpabuf * wpas_pasn_wd_fils_auth(struct pasn_data *pasn)
343 {
344 wpa_printf(MSG_DEBUG, "PASN: FILS: wrapped data - completed=%u",
345 pasn->fils.completed);
346
347 /* Nothing to add as we are done */
348 if (pasn->fils.completed)
349 return NULL;
350
351 if (!pasn->fils_eapol) {
352 wpa_printf(MSG_DEBUG,
353 "PASN: FILS: Missing Indication IE or PFS");
354 return NULL;
355 }
356
357 return wpas_pasn_fils_build_auth(pasn);
358 }
359
360
wpas_pasn_wd_fils_rx(struct pasn_data * pasn,struct wpabuf * wd)361 static int wpas_pasn_wd_fils_rx(struct pasn_data *pasn, struct wpabuf *wd)
362 {
363 struct ieee802_11_elems elems;
364 struct wpa_ie_data rsne_data;
365 u8 rmsk[ERP_MAX_KEY_LEN];
366 size_t rmsk_len;
367 u8 anonce[FILS_NONCE_LEN];
368 const u8 *data;
369 size_t buf_len;
370 struct wpabuf *fils_wd = NULL;
371 u16 alg, seq, status;
372 int ret;
373
374 if (!wd)
375 return -1;
376
377 data = wpabuf_head(wd);
378 buf_len = wpabuf_len(wd);
379
380 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Authentication frame len=%zu",
381 data, buf_len);
382
383 /* first handle the header */
384 if (buf_len < 6) {
385 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short");
386 return -1;
387 }
388
389 alg = WPA_GET_LE16(data);
390 seq = WPA_GET_LE16(data + 2);
391 status = WPA_GET_LE16(data + 4);
392
393 wpa_printf(MSG_DEBUG, "PASN: FILS: commit: alg=%u, seq=%u, status=%u",
394 alg, seq, status);
395
396 if (alg != WLAN_AUTH_FILS_SK || seq != 2 ||
397 status != WLAN_STATUS_SUCCESS) {
398 wpa_printf(MSG_DEBUG,
399 "PASN: FILS: Dropping peer authentication");
400 return -1;
401 }
402
403 data += 6;
404 buf_len -= 6;
405
406 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
407 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
408 return -1;
409 }
410
411 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
412 !elems.wrapped_data) {
413 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
414 return -1;
415 }
416
417 ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
418 &rsne_data);
419 if (ret) {
420 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RSNE");
421 return -1;
422 }
423
424 ret = wpa_pasn_validate_rsne(&rsne_data);
425 if (ret) {
426 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
427 return -1;
428 }
429
430 if (rsne_data.num_pmkid) {
431 wpa_printf(MSG_DEBUG,
432 "PASN: FILS: Not expecting PMKID in RSNE");
433 return -1;
434 }
435
436 wpa_hexdump(MSG_DEBUG, "PASN: FILS: ANonce", elems.fils_nonce,
437 FILS_NONCE_LEN);
438 os_memcpy(anonce, elems.fils_nonce, FILS_NONCE_LEN);
439
440 wpa_hexdump(MSG_DEBUG, "PASN: FILS: FILS Session", elems.fils_session,
441 FILS_SESSION_LEN);
442
443 if (os_memcmp(pasn->fils.session, elems.fils_session,
444 FILS_SESSION_LEN)) {
445 wpa_printf(MSG_DEBUG, "PASN: FILS: Session mismatch");
446 return -1;
447 }
448
449 fils_wd = ieee802_11_defrag(elems.wrapped_data, elems.wrapped_data_len,
450 true);
451
452 if (!fils_wd) {
453 wpa_printf(MSG_DEBUG,
454 "PASN: FILS: Failed getting wrapped data");
455 return -1;
456 }
457
458 eapol_sm_process_erp_finish(pasn->eapol, wpabuf_head(fils_wd),
459 wpabuf_len(fils_wd));
460
461 wpabuf_free(fils_wd);
462 fils_wd = NULL;
463
464 if (eapol_sm_failed(pasn->eapol)) {
465 wpa_printf(MSG_DEBUG, "PASN: FILS: ERP finish failed");
466 return -1;
467 }
468
469 rmsk_len = ERP_MAX_KEY_LEN;
470 ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len);
471
472 if (ret == PMK_LEN) {
473 rmsk_len = PMK_LEN;
474 ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len);
475 }
476
477 if (ret) {
478 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed getting RMSK");
479 return -1;
480 }
481
482 ret = fils_rmsk_to_pmk(pasn->akmp, rmsk, rmsk_len,
483 pasn->fils.nonce, anonce, NULL, 0,
484 pasn->pmk, &pasn->pmk_len);
485
486 forced_memzero(rmsk, sizeof(rmsk));
487
488 if (ret) {
489 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PMK");
490 return -1;
491 }
492
493 wpa_hexdump(MSG_DEBUG, "PASN: FILS: PMKID", pasn->fils.erp_pmkid,
494 PMKID_LEN);
495
496 wpa_printf(MSG_DEBUG, "PASN: FILS: ERP processing succeeded");
497
498 pasn->pmksa_entry = pmksa_cache_add(pasn->pmksa, pasn->pmk,
499 pasn->pmk_len, pasn->fils.erp_pmkid,
500 NULL, 0, pasn->peer_addr,
501 pasn->own_addr, NULL,
502 pasn->akmp, NULL);
503
504 pasn->fils.completed = true;
505 return 0;
506 }
507
508 #endif /* CONFIG_FILS */
509
510
wpas_pasn_get_wrapped_data(struct pasn_data * pasn)511 static struct wpabuf * wpas_pasn_get_wrapped_data(struct pasn_data *pasn)
512 {
513 if (pasn->using_pmksa)
514 return NULL;
515
516 switch (pasn->akmp) {
517 case WPA_KEY_MGMT_PASN:
518 /* no wrapped data */
519 return NULL;
520 case WPA_KEY_MGMT_SAE:
521 #ifdef CONFIG_SAE
522 if (pasn->trans_seq == 0)
523 return wpas_pasn_wd_sae_commit(pasn);
524 if (pasn->trans_seq == 2)
525 return wpas_pasn_wd_sae_confirm(pasn);
526 #endif /* CONFIG_SAE */
527 wpa_printf(MSG_ERROR,
528 "PASN: SAE: Cannot derive wrapped data");
529 return NULL;
530 case WPA_KEY_MGMT_FILS_SHA256:
531 case WPA_KEY_MGMT_FILS_SHA384:
532 #ifdef CONFIG_FILS
533 return wpas_pasn_wd_fils_auth(pasn);
534 #endif /* CONFIG_FILS */
535 case WPA_KEY_MGMT_FT_PSK:
536 case WPA_KEY_MGMT_FT_IEEE8021X:
537 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
538 /*
539 * Wrapped data with these AKMs is optional and is only needed
540 * for further validation of FT security parameters. For now do
541 * not use them.
542 */
543 return NULL;
544 default:
545 wpa_printf(MSG_ERROR,
546 "PASN: TODO: Wrapped data for akmp=0x%x",
547 pasn->akmp);
548 return NULL;
549 }
550 }
551
552
wpas_pasn_get_wrapped_data_format(struct pasn_data * pasn)553 static u8 wpas_pasn_get_wrapped_data_format(struct pasn_data *pasn)
554 {
555 if (pasn->using_pmksa)
556 return WPA_PASN_WRAPPED_DATA_NO;
557
558 /* Note: Valid AKMP is expected to already be validated */
559 switch (pasn->akmp) {
560 case WPA_KEY_MGMT_SAE:
561 return WPA_PASN_WRAPPED_DATA_SAE;
562 case WPA_KEY_MGMT_FILS_SHA256:
563 case WPA_KEY_MGMT_FILS_SHA384:
564 return WPA_PASN_WRAPPED_DATA_FILS_SK;
565 case WPA_KEY_MGMT_FT_PSK:
566 case WPA_KEY_MGMT_FT_IEEE8021X:
567 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
568 /*
569 * Wrapped data with these AKMs is optional and is only needed
570 * for further validation of FT security parameters. For now do
571 * not use them.
572 */
573 return WPA_PASN_WRAPPED_DATA_NO;
574 case WPA_KEY_MGMT_PASN:
575 default:
576 return WPA_PASN_WRAPPED_DATA_NO;
577 }
578 }
579
580
wpas_pasn_build_auth_1(struct pasn_data * pasn,const struct wpabuf * comeback,bool verify)581 static struct wpabuf * wpas_pasn_build_auth_1(struct pasn_data *pasn,
582 const struct wpabuf *comeback,
583 bool verify)
584 {
585 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
586 const u8 *pmkid;
587 u8 wrapped_data;
588 int ret;
589
590 wpa_printf(MSG_DEBUG, "PASN: Building frame 1");
591
592 if (pasn->trans_seq)
593 return NULL;
594
595 buf = wpabuf_alloc(1500);
596 if (!buf)
597 goto fail;
598
599 /* Get public key */
600 pubkey = crypto_ecdh_get_pubkey(pasn->ecdh, 0);
601 pubkey = wpabuf_zeropad(pubkey, crypto_ecdh_prime_len(pasn->ecdh));
602 if (!pubkey) {
603 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
604 goto fail;
605 }
606
607 wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
608
609 wpa_pasn_build_auth_header(buf, pasn->bssid,
610 pasn->own_addr, pasn->peer_addr,
611 pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
612
613 pmkid = NULL;
614 if (wpa_key_mgmt_ft(pasn->akmp)) {
615 #ifdef CONFIG_IEEE80211R
616 pmkid = pasn->pmk_r1_name;
617 #else /* CONFIG_IEEE80211R */
618 goto fail;
619 #endif /* CONFIG_IEEE80211R */
620 } else if (wrapped_data != WPA_PASN_WRAPPED_DATA_NO) {
621 struct rsn_pmksa_cache_entry *pmksa;
622
623 pmksa = pmksa_cache_get(pasn->pmksa, pasn->peer_addr,
624 pasn->own_addr, NULL, NULL, pasn->akmp);
625 if (pmksa && pasn->custom_pmkid_valid)
626 pmkid = pasn->custom_pmkid;
627 else if (pmksa)
628 pmkid = pmksa->pmkid;
629
630 /*
631 * Note: Even when PMKSA is available, also add wrapped data as
632 * it is possible that the PMKID is no longer valid at the AP.
633 */
634 if (!verify)
635 wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
636 }
637
638 if (wpa_pasn_add_rsne(buf, pmkid, pasn->akmp, pasn->cipher) < 0)
639 goto fail;
640
641 if (!wrapped_data_buf)
642 wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
643
644 wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
645 pubkey, true, comeback, -1);
646
647 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
648 goto fail;
649
650 if (pasn->rsnxe_ie)
651 wpabuf_put_data(buf, pasn->rsnxe_ie, 2 + pasn->rsnxe_ie[1]);
652 else
653 wpa_pasn_add_rsnxe(buf, pasn->rsnxe_capab);
654
655 wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len);
656
657 ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
658 wpabuf_head_u8(buf) + IEEE80211_HDRLEN,
659 wpabuf_len(buf) - IEEE80211_HDRLEN,
660 pasn->hash);
661 if (ret) {
662 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
663 goto fail;
664 }
665
666 pasn->trans_seq++;
667
668 wpabuf_free(wrapped_data_buf);
669 wpabuf_free(pubkey);
670
671 wpa_printf(MSG_DEBUG, "PASN: Frame 1: Success");
672 return buf;
673 fail:
674 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
675 wpabuf_free(wrapped_data_buf);
676 wpabuf_free(pubkey);
677 wpabuf_free(buf);
678 return NULL;
679 }
680
681
wpas_pasn_build_auth_3(struct pasn_data * pasn)682 static struct wpabuf * wpas_pasn_build_auth_3(struct pasn_data *pasn)
683 {
684 struct wpabuf *buf, *wrapped_data_buf = NULL;
685 u8 mic[WPA_PASN_MAX_MIC_LEN];
686 u8 mic_len;
687 size_t data_len;
688 const u8 *data;
689 u8 *ptr;
690 u8 wrapped_data;
691 int ret;
692
693 wpa_printf(MSG_DEBUG, "PASN: Building frame 3");
694
695 if (pasn->trans_seq != 2)
696 return NULL;
697
698 buf = wpabuf_alloc(1500);
699 if (!buf)
700 goto fail;
701
702 wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
703
704 wpa_pasn_build_auth_header(buf, pasn->bssid,
705 pasn->own_addr, pasn->peer_addr,
706 pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
707
708 wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
709
710 if (!wrapped_data_buf)
711 wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
712
713 wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
714 NULL, false, NULL, -1);
715
716 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
717 goto fail;
718 wpabuf_free(wrapped_data_buf);
719 wrapped_data_buf = NULL;
720
721 if (pasn->prepare_data_element && pasn->cb_ctx)
722 pasn->prepare_data_element(pasn->cb_ctx, pasn->peer_addr);
723
724 wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len);
725
726 /* Add the MIC */
727 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
728 wpabuf_put_u8(buf, WLAN_EID_MIC);
729 wpabuf_put_u8(buf, mic_len);
730 ptr = wpabuf_put(buf, mic_len);
731
732 os_memset(ptr, 0, mic_len);
733
734 data = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
735 data_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
736
737 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
738 pasn->own_addr, pasn->peer_addr,
739 pasn->hash, mic_len * 2, data, data_len, mic);
740 if (ret) {
741 wpa_printf(MSG_DEBUG, "PASN: frame 3: Failed MIC calculation");
742 goto fail;
743 }
744
745 #ifdef CONFIG_TESTING_OPTIONS
746 if (pasn->corrupt_mic) {
747 wpa_printf(MSG_DEBUG, "PASN: frame 3: Corrupt MIC");
748 mic[0] = ~mic[0];
749 }
750 #endif /* CONFIG_TESTING_OPTIONS */
751
752 os_memcpy(ptr, mic, mic_len);
753
754 pasn->trans_seq++;
755
756 wpa_printf(MSG_DEBUG, "PASN: frame 3: Success");
757 return buf;
758 fail:
759 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
760 wpabuf_free(wrapped_data_buf);
761 wpabuf_free(buf);
762 return NULL;
763 }
764
765
wpa_pasn_reset(struct pasn_data * pasn)766 void wpa_pasn_reset(struct pasn_data *pasn)
767 {
768 wpa_printf(MSG_DEBUG, "PASN: Reset");
769
770 crypto_ecdh_deinit(pasn->ecdh);
771 pasn->ecdh = NULL;
772
773
774 pasn->akmp = 0;
775 pasn->cipher = 0;
776 pasn->group = 0;
777 pasn->trans_seq = 0;
778 pasn->pmk_len = 0;
779 pasn->using_pmksa = false;
780
781 forced_memzero(pasn->pmk, sizeof(pasn->pmk));
782 forced_memzero(&pasn->ptk, sizeof(pasn->ptk));
783 forced_memzero(&pasn->hash, sizeof(pasn->hash));
784
785 wpabuf_free(pasn->beacon_rsne_rsnxe);
786 pasn->beacon_rsne_rsnxe = NULL;
787
788 wpabuf_free(pasn->comeback);
789 pasn->comeback = NULL;
790 pasn->comeback_after = 0;
791
792 #ifdef CONFIG_SAE
793 sae_clear_data(&pasn->sae);
794 if (pasn->pt) {
795 sae_deinit_pt(pasn->pt);
796 pasn->pt = NULL;
797 }
798 #endif /* CONFIG_SAE */
799
800 #ifdef CONFIG_FILS
801 pasn->fils_eapol = false;
802 os_memset(&pasn->fils, 0, sizeof(pasn->fils));
803 #endif /* CONFIG_FILS*/
804
805 #ifdef CONFIG_IEEE80211R
806 forced_memzero(pasn->pmk_r1, sizeof(pasn->pmk_r1));
807 pasn->pmk_r1_len = 0;
808 os_memset(pasn->pmk_r1_name, 0, sizeof(pasn->pmk_r1_name));
809 #endif /* CONFIG_IEEE80211R */
810 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
811 pasn->pmksa_entry = NULL;
812 #ifdef CONFIG_TESTING_OPTIONS
813 pasn->corrupt_mic = 0;
814 #endif /* CONFIG_TESTING_OPTIONS */
815 pasn->network_id = 0;
816 pasn->derive_kdk = false;
817 pasn->rsn_ie = NULL;
818 pasn->rsn_ie_len = 0;
819 os_free(pasn->rsnxe_ie);
820 pasn->rsnxe_ie = NULL;
821 pasn->custom_pmkid_valid = false;
822
823 if (pasn->extra_ies) {
824 os_free((u8 *) pasn->extra_ies);
825 pasn->extra_ies = NULL;
826 }
827
828 wpabuf_free(pasn->frame);
829 pasn->frame = NULL;
830 }
831
832
wpas_pasn_set_pmk(struct pasn_data * pasn,struct wpa_ie_data * rsn_data,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data)833 static int wpas_pasn_set_pmk(struct pasn_data *pasn,
834 struct wpa_ie_data *rsn_data,
835 struct wpa_pasn_params_data *pasn_data,
836 struct wpabuf *wrapped_data)
837 {
838 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
839
840 os_memset(pasn->pmk, 0, sizeof(pasn->pmk));
841 pasn->pmk_len = 0;
842
843 if (pasn->akmp == WPA_KEY_MGMT_PASN) {
844 wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
845
846 pasn->pmk_len = WPA_PASN_PMK_LEN;
847 os_memcpy(pasn->pmk, pasn_default_pmk,
848 sizeof(pasn_default_pmk));
849 return 0;
850 }
851
852 if (wpa_key_mgmt_ft(pasn->akmp)) {
853 #ifdef CONFIG_IEEE80211R
854 wpa_printf(MSG_DEBUG, "PASN: FT: Using PMK-R1");
855 pasn->pmk_len = pasn->pmk_r1_len;
856 os_memcpy(pasn->pmk, pasn->pmk_r1, pasn->pmk_r1_len);
857 pasn->using_pmksa = true;
858 return 0;
859 #else /* CONFIG_IEEE80211R */
860 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
861 return -1;
862 #endif /* CONFIG_IEEE80211R */
863 }
864
865 if (rsn_data->num_pmkid) {
866 int ret;
867 struct rsn_pmksa_cache_entry *pmksa;
868 const u8 *pmkid = NULL;
869
870 if (pasn->custom_pmkid_valid) {
871 ret = pasn->validate_custom_pmkid(pasn->cb_ctx,
872 pasn->peer_addr,
873 rsn_data->pmkid);
874 if (ret) {
875 wpa_printf(MSG_DEBUG,
876 "PASN: Failed custom PMKID validation");
877 return -1;
878 }
879 } else {
880 pmkid = rsn_data->pmkid;
881 }
882
883 pmksa = pmksa_cache_get(pasn->pmksa, pasn->peer_addr,
884 pasn->own_addr,
885 pmkid, NULL, pasn->akmp);
886 if (pmksa) {
887 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA");
888
889 pasn->pmk_len = pmksa->pmk_len;
890 os_memcpy(pasn->pmk, pmksa->pmk, pmksa->pmk_len);
891 pasn->using_pmksa = true;
892
893 return 0;
894 }
895 }
896
897 #ifdef CONFIG_SAE
898 if (pasn->akmp == WPA_KEY_MGMT_SAE) {
899 int ret;
900
901 ret = wpas_pasn_wd_sae_rx(pasn, wrapped_data);
902 if (ret) {
903 wpa_printf(MSG_DEBUG,
904 "PASN: Failed processing SAE wrapped data");
905 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
906 return -1;
907 }
908
909 wpa_printf(MSG_DEBUG, "PASN: Success deriving PMK with SAE");
910 pasn->pmk_len = PMK_LEN;
911 os_memcpy(pasn->pmk, pasn->sae.pmk, PMK_LEN);
912
913 pasn->pmksa_entry = pmksa_cache_add(pasn->pmksa, pasn->pmk,
914 pasn->pmk_len,
915 pasn->sae.pmkid,
916 NULL, 0, pasn->peer_addr,
917 pasn->own_addr, NULL,
918 pasn->akmp, NULL);
919 return 0;
920 }
921 #endif /* CONFIG_SAE */
922
923 #ifdef CONFIG_FILS
924 if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
925 pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
926 int ret;
927
928 ret = wpas_pasn_wd_fils_rx(pasn, wrapped_data);
929 if (ret) {
930 wpa_printf(MSG_DEBUG,
931 "PASN: Failed processing FILS wrapped data");
932 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
933 return -1;
934 }
935
936 return 0;
937 }
938 #endif /* CONFIG_FILS */
939
940 /* TODO: Derive PMK based on wrapped data */
941 wpa_printf(MSG_DEBUG, "PASN: Missing implementation to derive PMK");
942 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
943 return -1;
944 }
945
946
wpas_pasn_send_auth_1(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback,bool verify)947 static int wpas_pasn_send_auth_1(struct pasn_data *pasn, const u8 *own_addr,
948 const u8 *peer_addr, const u8 *bssid, int akmp,
949 int cipher, u16 group, int freq,
950 const u8 *beacon_rsne, u8 beacon_rsne_len,
951 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
952 const struct wpabuf *comeback, bool verify)
953 {
954 struct wpabuf *frame;
955 int ret;
956
957 pasn->ecdh = crypto_ecdh_init(group);
958 if (!pasn->ecdh) {
959 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
960 goto fail;
961 }
962
963 if (beacon_rsne && beacon_rsne_len) {
964 pasn->beacon_rsne_rsnxe = wpabuf_alloc(beacon_rsne_len +
965 beacon_rsnxe_len);
966 if (!pasn->beacon_rsne_rsnxe) {
967 wpa_printf(MSG_DEBUG,
968 "PASN: Failed storing beacon RSNE/RSNXE");
969 goto fail;
970 }
971
972 wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsne,
973 beacon_rsne_len);
974 if (beacon_rsnxe && beacon_rsnxe_len)
975 wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsnxe,
976 beacon_rsnxe_len);
977 }
978
979 pasn->akmp = akmp;
980 pasn->cipher = cipher;
981 pasn->group = group;
982 pasn->freq = freq;
983
984 os_memcpy(pasn->own_addr, own_addr, ETH_ALEN);
985 os_memcpy(pasn->peer_addr, peer_addr, ETH_ALEN);
986 os_memcpy(pasn->bssid, bssid, ETH_ALEN);
987
988 wpa_printf(MSG_DEBUG,
989 "PASN: Init%s: " MACSTR " akmp=0x%x, cipher=0x%x, group=%u",
990 verify ? " (verify)" : "",
991 MAC2STR(pasn->peer_addr), pasn->akmp, pasn->cipher,
992 pasn->group);
993
994 frame = wpas_pasn_build_auth_1(pasn, comeback, verify);
995 if (!frame) {
996 wpa_printf(MSG_DEBUG, "PASN: Failed building 1st auth frame");
997 goto fail;
998 }
999
1000 wpabuf_free(pasn->frame);
1001 pasn->frame = NULL;
1002
1003 ret = pasn->send_mgmt(pasn->cb_ctx,
1004 wpabuf_head(frame), wpabuf_len(frame), 0,
1005 pasn->freq, 1000);
1006
1007 if (ret) {
1008 wpa_printf(MSG_DEBUG, "PASN: Failed sending 1st auth frame");
1009 wpabuf_free(frame);
1010 goto fail;
1011 }
1012
1013 pasn->frame = frame;
1014 return 0;
1015
1016 fail:
1017 return -1;
1018 }
1019
1020
wpas_pasn_start(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback)1021 int wpas_pasn_start(struct pasn_data *pasn, const u8 *own_addr,
1022 const u8 *peer_addr, const u8 *bssid,
1023 int akmp, int cipher, u16 group,
1024 int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
1025 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
1026 const struct wpabuf *comeback)
1027 {
1028 /* TODO: Currently support only ECC groups */
1029 if (!dragonfly_suitable_group(group, 1)) {
1030 wpa_printf(MSG_DEBUG,
1031 "PASN: Reject unsuitable group %u", group);
1032 return -1;
1033 }
1034
1035 switch (akmp) {
1036 case WPA_KEY_MGMT_PASN:
1037 break;
1038 #ifdef CONFIG_SAE
1039 case WPA_KEY_MGMT_SAE:
1040
1041 if (beacon_rsnxe &&
1042 !ieee802_11_rsnx_capab(beacon_rsnxe,
1043 WLAN_RSNX_CAPAB_SAE_H2E)) {
1044 wpa_printf(MSG_DEBUG,
1045 "PASN: AP does not support SAE H2E");
1046 return -1;
1047 }
1048
1049 pasn->sae.state = SAE_NOTHING;
1050 pasn->sae.send_confirm = 0;
1051 break;
1052 #endif /* CONFIG_SAE */
1053 #ifdef CONFIG_FILS
1054 case WPA_KEY_MGMT_FILS_SHA256:
1055 case WPA_KEY_MGMT_FILS_SHA384:
1056 break;
1057 #endif /* CONFIG_FILS */
1058 #ifdef CONFIG_IEEE80211R
1059 case WPA_KEY_MGMT_FT_PSK:
1060 case WPA_KEY_MGMT_FT_IEEE8021X:
1061 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
1062 break;
1063 #endif /* CONFIG_IEEE80211R */
1064 default:
1065 wpa_printf(MSG_ERROR, "PASN: Unsupported AKMP=0x%x", akmp);
1066 return -1;
1067 }
1068
1069 return wpas_pasn_send_auth_1(pasn, own_addr, peer_addr, bssid, akmp,
1070 cipher, group,
1071 freq, beacon_rsne, beacon_rsne_len,
1072 beacon_rsnxe, beacon_rsnxe_len, comeback,
1073 false);
1074 }
1075
1076 /*
1077 * Wi-Fi Aware uses PASN handshake to authenticate peer devices.
1078 * Devices can simply verify each other for subsequent sessions using
1079 * pairing verification procedure.
1080 *
1081 * In pairing verification, Wi-Fi aware devices use PASN authentication
1082 * frames with a custom PMKID and Wi-Fi Aware R4 specific verification IEs.
1083 * It does not use wrapped data in the Authentication frames. This function
1084 * provides support to construct PASN Authentication frames for pairing
1085 * verification.
1086 */
wpa_pasn_verify(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback)1087 int wpa_pasn_verify(struct pasn_data *pasn, const u8 *own_addr,
1088 const u8 *peer_addr, const u8 *bssid,
1089 int akmp, int cipher, u16 group,
1090 int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
1091 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
1092 const struct wpabuf *comeback)
1093 {
1094 return wpas_pasn_send_auth_1(pasn, own_addr, peer_addr, bssid, akmp,
1095 cipher, group, freq, beacon_rsne,
1096 beacon_rsne_len, beacon_rsnxe,
1097 beacon_rsnxe_len, comeback, true);
1098 }
1099
1100
is_pasn_auth_frame(struct pasn_data * pasn,const struct ieee80211_mgmt * mgmt,size_t len,bool rx)1101 static bool is_pasn_auth_frame(struct pasn_data *pasn,
1102 const struct ieee80211_mgmt *mgmt,
1103 size_t len, bool rx)
1104 {
1105 u16 fc;
1106
1107 if (!mgmt || len < offsetof(struct ieee80211_mgmt, u.auth.variable))
1108 return false;
1109
1110 /* Not an Authentication frame; do nothing */
1111 fc = le_to_host16(mgmt->frame_control);
1112 if (WLAN_FC_GET_TYPE(fc) != WLAN_FC_TYPE_MGMT ||
1113 WLAN_FC_GET_STYPE(fc) != WLAN_FC_STYPE_AUTH)
1114 return false;
1115
1116 /* Not our frame; do nothing */
1117 if (!ether_addr_equal(mgmt->bssid, pasn->bssid))
1118 return false;
1119
1120 if (rx && (!ether_addr_equal(mgmt->da, pasn->own_addr) ||
1121 !ether_addr_equal(mgmt->sa, pasn->peer_addr)))
1122 return false;
1123
1124 if (!rx && (!ether_addr_equal(mgmt->sa, pasn->own_addr) ||
1125 !ether_addr_equal(mgmt->da, pasn->peer_addr)))
1126 return false;
1127
1128 /* Not PASN; do nothing */
1129 if (mgmt->u.auth.auth_alg != host_to_le16(WLAN_AUTH_PASN))
1130 return false;
1131
1132 return true;
1133 }
1134
1135
wpa_pasn_auth_rx(struct pasn_data * pasn,const u8 * data,size_t len,struct wpa_pasn_params_data * pasn_params)1136 int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
1137 struct wpa_pasn_params_data *pasn_params)
1138
1139 {
1140 struct ieee802_11_elems elems;
1141 struct wpa_ie_data rsn_data;
1142 const struct ieee80211_mgmt *mgmt =
1143 (const struct ieee80211_mgmt *) data;
1144 struct wpabuf *wrapped_data = NULL, *secret = NULL, *frame = NULL;
1145 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
1146 u8 mic_len;
1147 u16 status;
1148 int ret, inc_y;
1149 u8 *copy = NULL;
1150 size_t mic_offset, copy_len;
1151
1152 if (!is_pasn_auth_frame(pasn, mgmt, len, true))
1153 return -2;
1154
1155 if (mgmt->u.auth.auth_transaction !=
1156 host_to_le16(pasn->trans_seq + 1)) {
1157 wpa_printf(MSG_DEBUG,
1158 "PASN: RX: Invalid transaction sequence: (%u != %u)",
1159 le_to_host16(mgmt->u.auth.auth_transaction),
1160 pasn->trans_seq + 1);
1161 return -3;
1162 }
1163
1164 status = le_to_host16(mgmt->u.auth.status_code);
1165
1166 if (status != WLAN_STATUS_SUCCESS &&
1167 status != WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1168 wpa_printf(MSG_DEBUG,
1169 "PASN: Authentication rejected - status=%u", status);
1170 goto fail;
1171 }
1172
1173 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
1174 len - offsetof(struct ieee80211_mgmt,
1175 u.auth.variable),
1176 &elems, 0) == ParseFailed) {
1177 wpa_printf(MSG_DEBUG,
1178 "PASN: Failed parsing Authentication frame");
1179 goto fail;
1180 }
1181
1182 /* Check that the MIC IE exists. Save it and zero out the memory */
1183 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
1184 if (status == WLAN_STATUS_SUCCESS) {
1185 if (!elems.mic || elems.mic_len != mic_len) {
1186 wpa_printf(MSG_DEBUG,
1187 "PASN: Invalid MIC. Expecting len=%u",
1188 mic_len);
1189 goto fail;
1190 }
1191 os_memcpy(mic, elems.mic, mic_len);
1192 }
1193
1194 if (!elems.pasn_params || !elems.pasn_params_len) {
1195 wpa_printf(MSG_DEBUG,
1196 "PASN: Missing PASN Parameters IE");
1197 goto fail;
1198 }
1199
1200 if (!pasn_params) {
1201 wpa_printf(MSG_DEBUG, "PASN: pasn_params == NULL");
1202 goto fail;
1203 }
1204
1205 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
1206 elems.pasn_params_len + 3,
1207 true, pasn_params);
1208 if (ret) {
1209 wpa_printf(MSG_DEBUG,
1210 "PASN: Failed validation PASN of Parameters IE");
1211 goto fail;
1212 }
1213
1214 if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1215 wpa_printf(MSG_DEBUG,
1216 "PASN: Authentication temporarily rejected");
1217
1218 if (pasn_params->comeback && pasn_params->comeback_len) {
1219 wpa_printf(MSG_DEBUG,
1220 "PASN: Comeback token available. After=%u",
1221 pasn_params->after);
1222
1223 if (!pasn_params->after)
1224 return 1;
1225
1226 pasn->comeback = wpabuf_alloc_copy(
1227 pasn_params->comeback,
1228 pasn_params->comeback_len);
1229 if (pasn->comeback)
1230 pasn->comeback_after = pasn_params->after;
1231 }
1232
1233 pasn->status = status;
1234 goto fail;
1235 }
1236
1237 if (!elems.rsn_ie) {
1238 wpa_printf(MSG_DEBUG, "PASN: Missing RSNE");
1239 goto fail;
1240 }
1241
1242 ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1243 &rsn_data);
1244 if (ret) {
1245 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE");
1246 goto fail;
1247 }
1248
1249 ret = wpa_pasn_validate_rsne(&rsn_data);
1250 if (ret) {
1251 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
1252 goto fail;
1253 }
1254
1255 if (pasn->akmp != rsn_data.key_mgmt ||
1256 pasn->cipher != rsn_data.pairwise_cipher) {
1257 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
1258 goto fail;
1259 }
1260
1261 if (pasn->group != pasn_params->group) {
1262 wpa_printf(MSG_DEBUG, "PASN: Mismatch in group");
1263 goto fail;
1264 }
1265
1266 if (!pasn_params->pubkey || !pasn_params->pubkey_len) {
1267 wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
1268 goto fail;
1269 }
1270
1271 if (pasn_params->pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
1272 inc_y = 1;
1273 } else if (pasn_params->pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
1274 pasn_params->pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
1275 inc_y = 0;
1276 } else {
1277 wpa_printf(MSG_DEBUG,
1278 "PASN: Invalid first octet in pubkey=0x%x",
1279 pasn_params->pubkey[0]);
1280 goto fail;
1281 }
1282
1283 secret = crypto_ecdh_set_peerkey(pasn->ecdh, inc_y,
1284 pasn_params->pubkey + 1,
1285 pasn_params->pubkey_len - 1);
1286
1287 if (!secret) {
1288 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
1289 goto fail;
1290 }
1291
1292 if (pasn_params->wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
1293 wrapped_data = ieee802_11_defrag(elems.wrapped_data,
1294 elems.wrapped_data_len,
1295 true);
1296
1297 if (!wrapped_data) {
1298 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
1299 goto fail;
1300 }
1301 }
1302
1303 ret = wpas_pasn_set_pmk(pasn, &rsn_data, pasn_params, wrapped_data);
1304 if (ret) {
1305 wpa_printf(MSG_DEBUG, "PASN: Failed to set PMK");
1306 goto fail;
1307 }
1308
1309 ret = pasn_pmk_to_ptk(pasn->pmk, pasn->pmk_len,
1310 pasn->own_addr, pasn->peer_addr,
1311 wpabuf_head(secret), wpabuf_len(secret),
1312 &pasn->ptk, pasn->akmp, pasn->cipher,
1313 pasn->kdk_len, pasn->kek_len);
1314 if (ret) {
1315 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
1316 goto fail;
1317 }
1318
1319 if (pasn->secure_ltf) {
1320 ret = wpa_ltf_keyseed(&pasn->ptk, pasn->akmp, pasn->cipher);
1321 if (ret) {
1322 wpa_printf(MSG_DEBUG,
1323 "PASN: Failed to derive LTF keyseed");
1324 goto fail;
1325 }
1326 }
1327
1328 wpabuf_free(wrapped_data);
1329 wrapped_data = NULL;
1330 wpabuf_free(secret);
1331 secret = NULL;
1332
1333 /* Use a copy of the message since we need to clear the MIC field */
1334 if (!elems.mic)
1335 goto fail;
1336 mic_offset = elems.mic - (const u8 *) &mgmt->u.auth;
1337 copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
1338 if (mic_offset + mic_len > copy_len)
1339 goto fail;
1340 copy = os_memdup(&mgmt->u.auth, copy_len);
1341 if (!copy)
1342 goto fail;
1343 os_memset(copy + mic_offset, 0, mic_len);
1344
1345 if (pasn->beacon_rsne_rsnxe) {
1346 /* Verify the MIC */
1347 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1348 pasn->peer_addr, pasn->own_addr,
1349 wpabuf_head(pasn->beacon_rsne_rsnxe),
1350 wpabuf_len(pasn->beacon_rsne_rsnxe),
1351 copy, copy_len, out_mic);
1352 } else {
1353 u8 *rsne_rsnxe;
1354 size_t rsne_rsnxe_len = 0;
1355
1356 /*
1357 * Note: When Beacon rsne_rsnxe is not initialized, it is likely
1358 * that this is for Wi-Fi Aware using PASN handshake for which
1359 * Beacon RSNE/RSNXE are same as RSNE/RSNXE in the
1360 * Authentication frame
1361 */
1362 if (elems.rsn_ie && elems.rsn_ie_len)
1363 rsne_rsnxe_len += elems.rsn_ie_len + 2;
1364 if (elems.rsnxe && elems.rsnxe_len)
1365 rsne_rsnxe_len += elems.rsnxe_len + 2;
1366
1367 rsne_rsnxe = os_zalloc(rsne_rsnxe_len);
1368 if (!rsne_rsnxe)
1369 goto fail;
1370
1371 if (elems.rsn_ie && elems.rsn_ie_len)
1372 os_memcpy(rsne_rsnxe, elems.rsn_ie - 2,
1373 elems.rsn_ie_len + 2);
1374 if (elems.rsnxe && elems.rsnxe_len)
1375 os_memcpy(rsne_rsnxe + elems.rsn_ie_len + 2,
1376 elems.rsnxe - 2, elems.rsnxe_len + 2);
1377
1378 wpa_hexdump_key(MSG_DEBUG, "PASN: RSN + RSNXE buf",
1379 rsne_rsnxe, rsne_rsnxe_len);
1380
1381 /* Verify the MIC */
1382 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1383 pasn->peer_addr, pasn->own_addr,
1384 rsne_rsnxe,
1385 rsne_rsnxe_len,
1386 copy, copy_len, out_mic);
1387
1388 os_free(rsne_rsnxe);
1389 }
1390 os_free(copy);
1391 copy = NULL;
1392
1393 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
1394 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
1395 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
1396 goto fail;
1397 }
1398
1399 pasn->trans_seq++;
1400
1401 wpa_printf(MSG_DEBUG, "PASN: Success verifying Authentication frame");
1402
1403 if (pasn_parse_encrypted_data(pasn, data, len) < 0) {
1404 wpa_printf(MSG_DEBUG, "PASN: Encrypted data processing failed");
1405 goto fail;
1406 }
1407
1408 frame = wpas_pasn_build_auth_3(pasn);
1409 if (!frame) {
1410 wpa_printf(MSG_DEBUG, "PASN: Failed building 3rd auth frame");
1411 goto fail;
1412 }
1413
1414 wpabuf_free(pasn->frame);
1415 pasn->frame = NULL;
1416
1417 ret = pasn->send_mgmt(pasn->cb_ctx,
1418 wpabuf_head(frame), wpabuf_len(frame), 0,
1419 pasn->freq, 100);
1420 if (ret) {
1421 wpa_printf(MSG_DEBUG, "PASN: Failed sending 3st auth frame");
1422 wpabuf_free(frame);
1423 goto fail;
1424 }
1425
1426 pasn->frame = frame;
1427 wpa_printf(MSG_DEBUG, "PASN: Success sending last frame. Store PTK");
1428
1429 pasn->status = WLAN_STATUS_SUCCESS;
1430
1431 return 0;
1432 fail:
1433 wpa_printf(MSG_DEBUG, "PASN: Failed RX processing - terminating");
1434 wpabuf_free(wrapped_data);
1435 wpabuf_free(secret);
1436 os_free(copy);
1437
1438 /*
1439 * TODO: In case of an error the standard allows to silently drop
1440 * the frame and terminate the authentication exchange. However, better
1441 * reply to the AP with an error status.
1442 */
1443 if (status == WLAN_STATUS_SUCCESS)
1444 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1445 else
1446 pasn->status = status;
1447
1448 return -1;
1449 }
1450
1451
wpa_pasn_auth_tx_status(struct pasn_data * pasn,const u8 * data,size_t data_len,u8 acked)1452 int wpa_pasn_auth_tx_status(struct pasn_data *pasn,
1453 const u8 *data, size_t data_len, u8 acked)
1454
1455 {
1456 const struct ieee80211_mgmt *mgmt =
1457 (const struct ieee80211_mgmt *) data;
1458
1459 wpa_printf(MSG_DEBUG, "PASN: auth_tx_status: acked=%u", acked);
1460
1461 if (!is_pasn_auth_frame(pasn, mgmt, data_len, false))
1462 return -1;
1463
1464 if (mgmt->u.auth.auth_transaction != host_to_le16(pasn->trans_seq)) {
1465 wpa_printf(MSG_ERROR,
1466 "PASN: Invalid transaction sequence: (%u != %u)",
1467 pasn->trans_seq,
1468 le_to_host16(mgmt->u.auth.auth_transaction));
1469 return 0;
1470 }
1471
1472 wpa_printf(MSG_ERROR,
1473 "PASN: auth with trans_seq=%u, acked=%u", pasn->trans_seq,
1474 acked);
1475
1476 /*
1477 * Even if the frame was not acked, do not treat this is an error, and
1478 * try to complete the flow, relying on the PASN timeout callback to
1479 * clean up.
1480 */
1481 if (pasn->trans_seq == 3) {
1482 wpa_printf(MSG_DEBUG, "PASN: auth complete with: " MACSTR,
1483 MAC2STR(pasn->peer_addr));
1484 /*
1485 * Either frame was not ACKed or it was ACKed but the trans_seq
1486 * != 1, i.e., not expecting an RX frame, so we are done.
1487 */
1488 return 1;
1489 }
1490
1491 return 0;
1492 }
1493