1 /* 2 * PASN responder processing 3 * 4 * Copyright (C) 2019, Intel Corporation 5 * Copyright (C) 2022, Qualcomm Innovation Center, Inc. 6 * 7 * This software may be distributed under the terms of the BSD license. 8 * See README for more details. 9 */ 10 11 #include "utils/includes.h" 12 13 #include "utils/common.h" 14 #include "common/wpa_common.h" 15 #include "common/sae.h" 16 #include "common/ieee802_11_common.h" 17 #include "common/ieee802_11_defs.h" 18 #include "crypto/sha384.h" 19 #include "crypto/sha256.h" 20 #include "crypto/random.h" 21 #include "crypto/crypto.h" 22 #include "ap/hostapd.h" 23 #include "ap/comeback_token.h" 24 #include "ap/ieee802_1x.h" 25 #include "ap/pmksa_cache_auth.h" 26 #include "pasn_common.h" 27 28 pasn_responder_pmksa_cache_init(void)29 struct rsn_pmksa_cache * pasn_responder_pmksa_cache_init(void) 30 { 31 return pmksa_cache_auth_init(NULL, NULL); 32 } 33 34 pasn_responder_pmksa_cache_deinit(struct rsn_pmksa_cache * pmksa)35 void pasn_responder_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa) 36 { 37 return pmksa_cache_auth_deinit(pmksa); 38 } 39 40 pasn_responder_pmksa_cache_add(struct rsn_pmksa_cache * pmksa,const u8 * own_addr,const u8 * bssid,const u8 * pmk,size_t pmk_len,const u8 * pmkid)41 int pasn_responder_pmksa_cache_add(struct rsn_pmksa_cache *pmksa, 42 const u8 *own_addr, const u8 *bssid, 43 const u8 *pmk, size_t pmk_len, 44 const u8 *pmkid) 45 { 46 if (pmksa_cache_auth_add(pmksa, pmk, pmk_len, pmkid, NULL, 0, own_addr, 47 bssid, 0, NULL, WPA_KEY_MGMT_SAE)) 48 return 0; 49 return -1; 50 } 51 52 pasn_responder_pmksa_cache_get(struct rsn_pmksa_cache * pmksa,const u8 * bssid,u8 * pmkid,u8 * pmk,size_t * pmk_len)53 int pasn_responder_pmksa_cache_get(struct rsn_pmksa_cache *pmksa, 54 const u8 *bssid, u8 *pmkid, u8 *pmk, 55 size_t *pmk_len) 56 { 57 struct rsn_pmksa_cache_entry *entry; 58 59 entry = pmksa_cache_auth_get(pmksa, bssid, NULL); 60 if (entry) { 61 os_memcpy(pmkid, entry->pmkid, PMKID_LEN); 62 os_memcpy(pmk, entry->pmk, entry->pmk_len); 63 *pmk_len = entry->pmk_len; 64 return 0; 65 } 66 return -1; 67 } 68 69 pasn_responder_pmksa_cache_remove(struct rsn_pmksa_cache * pmksa,const u8 * bssid)70 void pasn_responder_pmksa_cache_remove(struct rsn_pmksa_cache *pmksa, 71 const u8 *bssid) 72 { 73 struct rsn_pmksa_cache_entry *entry; 74 75 entry = pmksa_cache_auth_get(pmksa, bssid, NULL); 76 if (!entry) 77 return; 78 79 pmksa_cache_free_entry(pmksa, entry); 80 } 81 82 pasn_responder_pmksa_cache_flush(struct rsn_pmksa_cache * pmksa)83 void pasn_responder_pmksa_cache_flush(struct rsn_pmksa_cache *pmksa) 84 { 85 return pmksa_cache_auth_flush(pmksa); 86 } 87 88 pasn_set_responder_pmksa(struct pasn_data * pasn,struct rsn_pmksa_cache * pmksa)89 void pasn_set_responder_pmksa(struct pasn_data *pasn, 90 struct rsn_pmksa_cache *pmksa) 91 { 92 if (pasn) 93 pasn->pmksa = pmksa; 94 } 95 96 97 #ifdef CONFIG_PASN 98 #ifdef CONFIG_SAE 99 pasn_wd_handle_sae_commit(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,struct wpabuf * wd)100 static int pasn_wd_handle_sae_commit(struct pasn_data *pasn, 101 const u8 *own_addr, const u8 *peer_addr, 102 struct wpabuf *wd) 103 { 104 const u8 *data; 105 size_t buf_len; 106 u16 res, alg, seq, status; 107 int groups[] = { pasn->group, 0 }; 108 int ret; 109 110 if (!wd) 111 return -1; 112 113 data = wpabuf_head_u8(wd); 114 buf_len = wpabuf_len(wd); 115 116 if (buf_len < 6) { 117 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu", 118 buf_len); 119 return -1; 120 } 121 122 alg = WPA_GET_LE16(data); 123 seq = WPA_GET_LE16(data + 2); 124 status = WPA_GET_LE16(data + 4); 125 126 wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u", 127 alg, seq, status); 128 129 if (alg != WLAN_AUTH_SAE || seq != 1 || 130 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) { 131 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit"); 132 return -1; 133 } 134 135 sae_clear_data(&pasn->sae); 136 pasn->sae.state = SAE_NOTHING; 137 138 ret = sae_set_group(&pasn->sae, pasn->group); 139 if (ret) { 140 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group"); 141 return -1; 142 } 143 144 if (!pasn->password || !pasn->pt) { 145 wpa_printf(MSG_DEBUG, "PASN: No SAE PT found"); 146 return -1; 147 } 148 149 ret = sae_prepare_commit_pt(&pasn->sae, pasn->pt, own_addr, peer_addr, 150 NULL, NULL); 151 if (ret) { 152 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit"); 153 return -1; 154 } 155 156 res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, NULL, 157 groups, 0, NULL); 158 if (res != WLAN_STATUS_SUCCESS) { 159 wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit"); 160 return -1; 161 } 162 163 /* Process the commit message and derive the PMK */ 164 ret = sae_process_commit(&pasn->sae); 165 if (ret) { 166 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit"); 167 return -1; 168 } 169 170 pasn->sae.state = SAE_COMMITTED; 171 172 return 0; 173 } 174 175 pasn_wd_handle_sae_confirm(struct pasn_data * pasn,const u8 * peer_addr,struct wpabuf * wd)176 static int pasn_wd_handle_sae_confirm(struct pasn_data *pasn, 177 const u8 *peer_addr, struct wpabuf *wd) 178 { 179 const u8 *data; 180 size_t buf_len; 181 u16 res, alg, seq, status; 182 183 if (!wd) 184 return -1; 185 186 data = wpabuf_head_u8(wd); 187 buf_len = wpabuf_len(wd); 188 189 if (buf_len < 6) { 190 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu", 191 buf_len); 192 return -1; 193 } 194 195 alg = WPA_GET_LE16(data); 196 seq = WPA_GET_LE16(data + 2); 197 status = WPA_GET_LE16(data + 4); 198 199 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u", 200 alg, seq, status); 201 202 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) { 203 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm"); 204 return -1; 205 } 206 207 res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6, NULL); 208 if (res != WLAN_STATUS_SUCCESS) { 209 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm"); 210 return -1; 211 } 212 213 pasn->sae.state = SAE_ACCEPTED; 214 215 /* 216 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with 217 * PASN/SAE should only be allowed with future PASN only. For now do not 218 * restrict this only for PASN. 219 */ 220 if (pasn->disable_pmksa_caching) 221 return 0; 222 223 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", 224 pasn->sae.pmk, pasn->sae.pmk_len); 225 if (!pasn->sae.akmp) 226 pasn->sae.akmp = WPA_KEY_MGMT_SAE; 227 228 pmksa_cache_auth_add(pasn->pmksa, pasn->sae.pmk, pasn->sae.pmk_len, 229 pasn->sae.pmkid, NULL, 0, pasn->own_addr, 230 peer_addr, 0, NULL, pasn->sae.akmp); 231 return 0; 232 } 233 234 pasn_get_sae_wd(struct pasn_data * pasn)235 static struct wpabuf * pasn_get_sae_wd(struct pasn_data *pasn) 236 { 237 struct wpabuf *buf = NULL; 238 u8 *len_ptr; 239 size_t len; 240 241 /* Need to add the entire Authentication frame body */ 242 buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN); 243 if (!buf) { 244 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer"); 245 return NULL; 246 } 247 248 /* Need to add the entire authentication frame body for the commit */ 249 len_ptr = wpabuf_put(buf, 2); 250 wpabuf_put_le16(buf, WLAN_AUTH_SAE); 251 wpabuf_put_le16(buf, 1); 252 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT); 253 254 /* Write the actual commit and update the length accordingly */ 255 sae_write_commit(&pasn->sae, buf, NULL, NULL); 256 len = wpabuf_len(buf); 257 WPA_PUT_LE16(len_ptr, len - 2); 258 259 /* Need to add the entire Authentication frame body for the confirm */ 260 len_ptr = wpabuf_put(buf, 2); 261 wpabuf_put_le16(buf, WLAN_AUTH_SAE); 262 wpabuf_put_le16(buf, 2); 263 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 264 265 sae_write_confirm(&pasn->sae, buf); 266 WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2); 267 268 pasn->sae.state = SAE_CONFIRMED; 269 270 return buf; 271 } 272 273 #endif /* CONFIG_SAE */ 274 275 276 #ifdef CONFIG_FILS 277 pasn_get_fils_wd(struct pasn_data * pasn)278 static struct wpabuf * pasn_get_fils_wd(struct pasn_data *pasn) 279 { 280 struct pasn_fils *fils = &pasn->fils; 281 struct wpabuf *buf = NULL; 282 283 if (!fils->erp_resp) { 284 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp"); 285 return NULL; 286 } 287 288 buf = wpabuf_alloc(1500); 289 if (!buf) 290 return NULL; 291 292 /* Add the authentication algorithm */ 293 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK); 294 295 /* Authentication Transaction seq# */ 296 wpabuf_put_le16(buf, 2); 297 298 /* Status Code */ 299 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS); 300 301 /* Own RSNE */ 302 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher); 303 304 /* FILS Nonce */ 305 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); 306 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN); 307 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE); 308 wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN); 309 310 /* FILS Session */ 311 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); 312 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN); 313 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION); 314 wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN); 315 316 /* Wrapped Data */ 317 wpabuf_put_u8(buf, WLAN_EID_EXTENSION); 318 wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp)); 319 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA); 320 wpabuf_put_buf(buf, fils->erp_resp); 321 322 return buf; 323 } 324 325 #endif /* CONFIG_FILS */ 326 pasn_get_wrapped_data(struct pasn_data * pasn)327 static struct wpabuf * pasn_get_wrapped_data(struct pasn_data *pasn) 328 { 329 switch (pasn->akmp) { 330 case WPA_KEY_MGMT_PASN: 331 /* no wrapped data */ 332 return NULL; 333 case WPA_KEY_MGMT_SAE: 334 #ifdef CONFIG_SAE 335 return pasn_get_sae_wd(pasn); 336 #else /* CONFIG_SAE */ 337 wpa_printf(MSG_ERROR, 338 "PASN: SAE: Cannot derive wrapped data"); 339 return NULL; 340 #endif /* CONFIG_SAE */ 341 case WPA_KEY_MGMT_FILS_SHA256: 342 case WPA_KEY_MGMT_FILS_SHA384: 343 #ifdef CONFIG_FILS 344 return pasn_get_fils_wd(pasn); 345 #endif /* CONFIG_FILS */ 346 /* fall through */ 347 case WPA_KEY_MGMT_FT_PSK: 348 case WPA_KEY_MGMT_FT_IEEE8021X: 349 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384: 350 default: 351 wpa_printf(MSG_ERROR, 352 "PASN: TODO: Wrapped data for akmp=0x%x", 353 pasn->akmp); 354 return NULL; 355 } 356 } 357 358 359 static int pasn_derive_keys(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * cached_pmk,size_t cached_pmk_len,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data,struct wpabuf * secret)360 pasn_derive_keys(struct pasn_data *pasn, 361 const u8 *own_addr, const u8 *peer_addr, 362 const u8 *cached_pmk, size_t cached_pmk_len, 363 struct wpa_pasn_params_data *pasn_data, 364 struct wpabuf *wrapped_data, 365 struct wpabuf *secret) 366 { 367 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'}; 368 u8 pmk[PMK_LEN_MAX]; 369 u8 pmk_len; 370 int ret; 371 372 os_memset(pmk, 0, sizeof(pmk)); 373 pmk_len = 0; 374 375 if (!cached_pmk || !cached_pmk_len) 376 wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry"); 377 378 if (pasn->akmp == WPA_KEY_MGMT_PASN) { 379 wpa_printf(MSG_DEBUG, "PASN: Using default PMK"); 380 381 pmk_len = WPA_PASN_PMK_LEN; 382 os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk)); 383 } else if (cached_pmk && cached_pmk_len) { 384 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry"); 385 386 pmk_len = cached_pmk_len; 387 os_memcpy(pmk, cached_pmk, cached_pmk_len); 388 } else { 389 switch (pasn->akmp) { 390 #ifdef CONFIG_SAE 391 case WPA_KEY_MGMT_SAE: 392 if (pasn->sae.state == SAE_COMMITTED) { 393 pmk_len = PMK_LEN; 394 os_memcpy(pmk, pasn->sae.pmk, PMK_LEN); 395 break; 396 } 397 #endif /* CONFIG_SAE */ 398 /* fall through */ 399 default: 400 /* TODO: Derive PMK based on wrapped data */ 401 wpa_printf(MSG_DEBUG, 402 "PASN: Missing PMK derivation"); 403 return -1; 404 } 405 } 406 407 pasn->pmk_len = pmk_len; 408 os_memcpy(pasn->pmk, pmk, pmk_len); 409 ret = pasn_pmk_to_ptk(pmk, pmk_len, peer_addr, own_addr, 410 wpabuf_head(secret), wpabuf_len(secret), 411 &pasn->ptk, pasn->akmp, 412 pasn->cipher, pasn->kdk_len, pasn->kek_len); 413 if (ret) { 414 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK"); 415 return -1; 416 } 417 418 if (pasn->secure_ltf) { 419 ret = wpa_ltf_keyseed(&pasn->ptk, pasn->akmp, 420 pasn->cipher); 421 if (ret) { 422 wpa_printf(MSG_DEBUG, 423 "PASN: Failed to derive LTF keyseed"); 424 return -1; 425 } 426 } 427 428 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived"); 429 return 0; 430 } 431 432 handle_auth_pasn_comeback(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,u16 group)433 static void handle_auth_pasn_comeback(struct pasn_data *pasn, 434 const u8 *own_addr, const u8 *peer_addr, 435 u16 group) 436 { 437 struct wpabuf *buf, *comeback; 438 int ret; 439 440 wpa_printf(MSG_DEBUG, 441 "PASN: Building comeback frame 2. Comeback after=%u", 442 pasn->comeback_after); 443 444 buf = wpabuf_alloc(1500); 445 if (!buf) 446 return; 447 448 wpa_pasn_build_auth_header(buf, pasn->bssid, own_addr, peer_addr, 2, 449 WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY); 450 451 /* 452 * Do not include the group as a part of the token since it is not going 453 * to be used. 454 */ 455 comeback = auth_build_token_req(&pasn->last_comeback_key_update, 456 pasn->comeback_key, pasn->comeback_idx, 457 pasn->comeback_pending_idx, 458 sizeof(u16) * COMEBACK_PENDING_IDX_SIZE, 459 0, peer_addr, 0); 460 if (!comeback) { 461 wpa_printf(MSG_DEBUG, 462 "PASN: Failed sending auth with comeback"); 463 wpabuf_free(buf); 464 return; 465 } 466 467 wpa_pasn_add_parameter_ie(buf, group, 468 WPA_PASN_WRAPPED_DATA_NO, 469 NULL, 0, comeback, 470 pasn->comeback_after); 471 wpabuf_free(comeback); 472 473 wpa_printf(MSG_DEBUG, 474 "PASN: comeback: STA=" MACSTR, MAC2STR(peer_addr)); 475 476 ret = pasn->send_mgmt(pasn->cb_ctx, wpabuf_head_u8(buf), 477 wpabuf_len(buf), 0, pasn->freq, 0); 478 if (ret) 479 wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2"); 480 481 wpabuf_free(buf); 482 } 483 484 handle_auth_pasn_resp(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,struct rsn_pmksa_cache_entry * pmksa,u16 status)485 int handle_auth_pasn_resp(struct pasn_data *pasn, const u8 *own_addr, 486 const u8 *peer_addr, 487 struct rsn_pmksa_cache_entry *pmksa, u16 status) 488 { 489 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL; 490 struct wpabuf *rsn_buf = NULL; 491 u8 mic[WPA_PASN_MAX_MIC_LEN]; 492 u8 mic_len; 493 u8 *ptr; 494 const u8 *frame, *data, *rsn_ie, *rsnxe_ie; 495 u8 *data_buf = NULL; 496 size_t frame_len, data_len; 497 int ret; 498 const u8 *pmkid = NULL; 499 500 wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status); 501 502 buf = wpabuf_alloc(1500); 503 if (!buf) 504 goto fail; 505 506 wpa_pasn_build_auth_header(buf, pasn->bssid, own_addr, peer_addr, 2, 507 status); 508 509 if (status != WLAN_STATUS_SUCCESS) 510 goto done; 511 512 if (pmksa && pasn->custom_pmkid_valid) 513 pmkid = pasn->custom_pmkid; 514 else if (pmksa) { 515 pmkid = pmksa->pmkid; 516 #ifdef CONFIG_SAE 517 } else if (pasn->akmp == WPA_KEY_MGMT_SAE) { 518 wpa_printf(MSG_DEBUG, "PASN: Use SAE PMKID"); 519 pmkid = pasn->sae.pmkid; 520 #endif /* CONFIG_SAE */ 521 #ifdef CONFIG_FILS 522 } else if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 || 523 pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) { 524 wpa_printf(MSG_DEBUG, "PASN: Use FILS ERP PMKID"); 525 pmkid = pasn->fils.erp_pmkid; 526 #endif /* CONFIG_FILS */ 527 } 528 529 if (wpa_pasn_add_rsne(buf, pmkid, 530 pasn->akmp, pasn->cipher) < 0) 531 goto fail; 532 533 /* No need to derive PMK if PMKSA is given */ 534 if (!pmksa) 535 wrapped_data_buf = pasn_get_wrapped_data(pasn); 536 else 537 pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO; 538 539 /* Get public key */ 540 pubkey = crypto_ecdh_get_pubkey(pasn->ecdh, 0); 541 pubkey = wpabuf_zeropad(pubkey, 542 crypto_ecdh_prime_len(pasn->ecdh)); 543 if (!pubkey) { 544 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey"); 545 goto fail; 546 } 547 548 wpa_pasn_add_parameter_ie(buf, pasn->group, 549 pasn->wrapped_data_format, 550 pubkey, true, NULL, 0); 551 552 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0) 553 goto fail; 554 555 wpabuf_free(wrapped_data_buf); 556 wrapped_data_buf = NULL; 557 wpabuf_free(pubkey); 558 pubkey = NULL; 559 560 /* Add RSNXE if needed */ 561 rsnxe_ie = pasn->rsnxe_ie; 562 if (rsnxe_ie) 563 wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]); 564 565 if (pasn->prepare_data_element && pasn->cb_ctx) 566 pasn->prepare_data_element(pasn->cb_ctx, peer_addr); 567 568 wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len); 569 570 /* Add the mic */ 571 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher); 572 wpabuf_put_u8(buf, WLAN_EID_MIC); 573 wpabuf_put_u8(buf, mic_len); 574 ptr = wpabuf_put(buf, mic_len); 575 576 os_memset(ptr, 0, mic_len); 577 578 frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN; 579 frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN; 580 581 if (pasn->rsn_ie && pasn->rsn_ie_len) { 582 rsn_ie = pasn->rsn_ie; 583 } else { 584 /* 585 * Note: when pasn->rsn_ie is NULL, it is likely that Beacon 586 * frame RSNE is not initialized. This is possible in case of 587 * PASN authentication used for Wi-Fi Aware for which Beacon 588 * frame RSNE and RSNXE are same as RSNE and RSNXE in the 589 * Authentication frame. 590 */ 591 rsn_buf = wpabuf_alloc(500); 592 if (!rsn_buf) 593 goto fail; 594 595 if (wpa_pasn_add_rsne(rsn_buf, pmkid, 596 pasn->akmp, pasn->cipher) < 0) 597 goto fail; 598 599 rsn_ie = wpabuf_head_u8(rsn_buf); 600 } 601 602 /* 603 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also 604 * MDE, etc. Thus, do not use the returned length but instead use the 605 * length specified in the IE header. 606 */ 607 data_len = rsn_ie[1] + 2; 608 if (rsnxe_ie) { 609 data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2); 610 if (!data_buf) 611 goto fail; 612 613 os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2); 614 os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2); 615 data_len += rsnxe_ie[1] + 2; 616 data = data_buf; 617 } else { 618 data = rsn_ie; 619 } 620 621 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher, 622 own_addr, peer_addr, data, data_len, 623 frame, frame_len, mic); 624 os_free(data_buf); 625 if (ret) { 626 wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation"); 627 goto fail; 628 } 629 630 #ifdef CONFIG_TESTING_OPTIONS 631 if (pasn->corrupt_mic) { 632 wpa_printf(MSG_DEBUG, "PASN: frame 2: Corrupt MIC"); 633 mic[0] = ~mic[0]; 634 } 635 #endif /* CONFIG_TESTING_OPTIONS */ 636 637 os_memcpy(ptr, mic, mic_len); 638 639 done: 640 wpa_printf(MSG_DEBUG, 641 "PASN: Building frame 2: success; resp STA=" MACSTR, 642 MAC2STR(peer_addr)); 643 wpabuf_free(pasn->frame); 644 pasn->frame = NULL; 645 646 ret = pasn->send_mgmt(pasn->cb_ctx, wpabuf_head_u8(buf), 647 wpabuf_len(buf), 0, pasn->freq, 0); 648 if (ret) 649 wpa_printf(MSG_INFO, "send_auth_reply: Send failed"); 650 651 wpabuf_free(rsn_buf); 652 pasn->frame = buf; 653 return ret; 654 fail: 655 wpabuf_free(wrapped_data_buf); 656 wpabuf_free(pubkey); 657 wpabuf_free(rsn_buf); 658 wpabuf_free(buf); 659 return -1; 660 } 661 662 handle_auth_pasn_1(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const struct ieee80211_mgmt * mgmt,size_t len,bool reject)663 int handle_auth_pasn_1(struct pasn_data *pasn, 664 const u8 *own_addr, const u8 *peer_addr, 665 const struct ieee80211_mgmt *mgmt, size_t len, 666 bool reject) 667 { 668 struct ieee802_11_elems elems; 669 struct wpa_ie_data rsn_data; 670 struct wpa_pasn_params_data pasn_params; 671 struct rsn_pmksa_cache_entry *pmksa = NULL; 672 const u8 *cached_pmk = NULL; 673 size_t cached_pmk_len = 0; 674 struct wpabuf *wrapped_data = NULL, *secret = NULL; 675 const int *groups = pasn->pasn_groups; 676 static const int default_groups[] = { 19, 0 }; 677 u16 status = WLAN_STATUS_SUCCESS; 678 int ret, inc_y; 679 bool derive_keys; 680 u32 i; 681 682 if (!groups) 683 groups = default_groups; 684 685 if (reject) { 686 wpa_printf(MSG_DEBUG, "PASN: Received Rejection"); 687 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 688 goto send_resp; 689 } 690 691 if (ieee802_11_parse_elems(mgmt->u.auth.variable, 692 len - offsetof(struct ieee80211_mgmt, 693 u.auth.variable), 694 &elems, 0) == ParseFailed) { 695 wpa_printf(MSG_DEBUG, 696 "PASN: Failed parsing Authentication frame"); 697 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 698 goto send_resp; 699 } 700 701 if (!elems.rsn_ie) { 702 wpa_printf(MSG_DEBUG, "PASN: No RSNE"); 703 status = WLAN_STATUS_INVALID_RSNIE; 704 goto send_resp; 705 } 706 707 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2, 708 &rsn_data); 709 if (ret) { 710 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE"); 711 status = WLAN_STATUS_INVALID_RSNIE; 712 goto send_resp; 713 } 714 715 ret = wpa_pasn_validate_rsne(&rsn_data); 716 if (ret) { 717 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE"); 718 status = WLAN_STATUS_INVALID_RSNIE; 719 goto send_resp; 720 } 721 722 if (!(rsn_data.key_mgmt & pasn->wpa_key_mgmt) || 723 !(rsn_data.pairwise_cipher & pasn->rsn_pairwise)) { 724 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher"); 725 status = WLAN_STATUS_INVALID_RSNIE; 726 goto send_resp; 727 } 728 729 pasn->akmp = rsn_data.key_mgmt; 730 pasn->cipher = rsn_data.pairwise_cipher; 731 732 if (pasn->derive_kdk && 733 ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len, 734 WLAN_RSNX_CAPAB_SECURE_LTF)) 735 pasn->secure_ltf = true; 736 737 if (pasn->derive_kdk) 738 pasn->kdk_len = WPA_KDK_MAX_LEN; 739 else 740 pasn->kdk_len = 0; 741 742 wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", pasn->kdk_len); 743 744 if (!ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len, 745 WLAN_RSNX_CAPAB_KEK_IN_PASN)) { 746 pasn->kek_len = 0; 747 pasn->derive_kek = false; 748 } 749 750 wpa_printf(MSG_DEBUG, "PASN: kek_len=%zu", pasn->kek_len); 751 752 if (!elems.pasn_params || !elems.pasn_params_len) { 753 wpa_printf(MSG_DEBUG, 754 "PASN: No PASN Parameters element found"); 755 status = WLAN_STATUS_INVALID_PARAMETERS; 756 goto send_resp; 757 } 758 759 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3, 760 elems.pasn_params_len + 3, 761 false, &pasn_params); 762 if (ret) { 763 wpa_printf(MSG_DEBUG, 764 "PASN: Failed validation of PASN Parameters IE"); 765 status = WLAN_STATUS_INVALID_PARAMETERS; 766 goto send_resp; 767 } 768 769 for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++) 770 ; 771 772 if (!pasn_params.group || groups[i] != pasn_params.group) { 773 wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed", 774 pasn_params.group); 775 status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED; 776 goto send_resp; 777 } 778 779 if (!pasn_params.pubkey || !pasn_params.pubkey_len) { 780 wpa_printf(MSG_DEBUG, "PASN: Invalid public key"); 781 status = WLAN_STATUS_INVALID_PARAMETERS; 782 goto send_resp; 783 } 784 785 if (pasn_params.comeback) { 786 wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token"); 787 788 ret = check_comeback_token(pasn->comeback_key, 789 pasn->comeback_pending_idx, 790 peer_addr, 791 pasn_params.comeback, 792 pasn_params.comeback_len); 793 794 if (ret) { 795 wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token"); 796 status = WLAN_STATUS_INVALID_PARAMETERS; 797 goto send_resp; 798 } 799 } else if (pasn->use_anti_clogging) { 800 wpa_printf(MSG_DEBUG, "PASN: Respond with comeback"); 801 handle_auth_pasn_comeback(pasn, own_addr, peer_addr, 802 pasn_params.group); 803 return -1; 804 } 805 806 pasn->ecdh = crypto_ecdh_init(pasn_params.group); 807 if (!pasn->ecdh) { 808 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH"); 809 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 810 goto send_resp; 811 } 812 813 pasn->group = pasn_params.group; 814 815 if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) { 816 inc_y = 1; 817 } else if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 || 818 pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) { 819 inc_y = 0; 820 } else { 821 wpa_printf(MSG_DEBUG, 822 "PASN: Invalid first octet in pubkey=0x%x", 823 pasn_params.pubkey[0]); 824 status = WLAN_STATUS_INVALID_PUBLIC_KEY; 825 goto send_resp; 826 } 827 828 secret = crypto_ecdh_set_peerkey(pasn->ecdh, inc_y, 829 pasn_params.pubkey + 1, 830 pasn_params.pubkey_len - 1); 831 if (!secret) { 832 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret"); 833 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 834 goto send_resp; 835 } 836 837 if (!pasn->noauth && pasn->akmp == WPA_KEY_MGMT_PASN) { 838 wpa_printf(MSG_DEBUG, "PASN: Refuse PASN-UNAUTH"); 839 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 840 goto send_resp; 841 } 842 843 derive_keys = true; 844 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) { 845 wrapped_data = ieee802_11_defrag(elems.wrapped_data, 846 elems.wrapped_data_len, true); 847 if (!wrapped_data) { 848 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data"); 849 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 850 goto send_resp; 851 } 852 853 #ifdef CONFIG_SAE 854 if (pasn->akmp == WPA_KEY_MGMT_SAE) { 855 ret = pasn_wd_handle_sae_commit(pasn, own_addr, 856 peer_addr, 857 wrapped_data); 858 if (ret) { 859 wpa_printf(MSG_DEBUG, 860 "PASN: Failed processing SAE commit"); 861 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 862 goto send_resp; 863 } 864 } 865 #endif /* CONFIG_SAE */ 866 #ifdef CONFIG_FILS 867 if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 || 868 pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) { 869 if (!pasn->fils_wd_valid) { 870 wpa_printf(MSG_DEBUG, 871 "PASN: Invalid FILS wrapped data"); 872 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 873 goto send_resp; 874 } 875 876 wpa_printf(MSG_DEBUG, 877 "PASN: FILS: Pending AS response"); 878 879 /* 880 * With PASN/FILS, keys can be derived only after a 881 * response from the AS is processed. 882 */ 883 derive_keys = false; 884 } 885 #endif /* CONFIG_FILS */ 886 } 887 888 pasn->wrapped_data_format = pasn_params.wrapped_data_format; 889 890 ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher, 891 ((const u8 *) mgmt) + IEEE80211_HDRLEN, 892 len - IEEE80211_HDRLEN, pasn->hash); 893 if (ret) { 894 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash"); 895 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 896 goto send_resp; 897 } 898 899 if (!derive_keys) { 900 wpa_printf(MSG_DEBUG, "PASN: Storing secret"); 901 pasn->secret = secret; 902 wpabuf_free(wrapped_data); 903 return 0; 904 } 905 906 if (rsn_data.num_pmkid) { 907 if (wpa_key_mgmt_ft(pasn->akmp)) { 908 #ifdef CONFIG_IEEE80211R_AP 909 wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1"); 910 911 if (!pasn->pmk_r1_len) { 912 wpa_printf(MSG_DEBUG, 913 "PASN: FT: Failed getting PMK-R1"); 914 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 915 goto send_resp; 916 } 917 cached_pmk = pasn->pmk_r1; 918 cached_pmk_len = pasn->pmk_r1_len; 919 #else /* CONFIG_IEEE80211R_AP */ 920 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported"); 921 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 922 goto send_resp; 923 #endif /* CONFIG_IEEE80211R_AP */ 924 } else { 925 wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry"); 926 927 if (pasn->pmksa) { 928 const u8 *pmkid = NULL; 929 930 if (pasn->custom_pmkid_valid) { 931 ret = pasn->validate_custom_pmkid( 932 pasn->cb_ctx, peer_addr, 933 rsn_data.pmkid); 934 if (ret) { 935 wpa_printf(MSG_DEBUG, 936 "PASN: Failed custom PMKID validation"); 937 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 938 goto send_resp; 939 } 940 } else { 941 pmkid = rsn_data.pmkid; 942 } 943 944 pmksa = pmksa_cache_auth_get(pasn->pmksa, 945 peer_addr, 946 pmkid); 947 if (pmksa) { 948 cached_pmk = pmksa->pmk; 949 cached_pmk_len = pmksa->pmk_len; 950 } 951 } 952 } 953 } else { 954 wpa_printf(MSG_DEBUG, "PASN: No PMKID specified"); 955 } 956 957 ret = pasn_derive_keys(pasn, own_addr, peer_addr, 958 cached_pmk, cached_pmk_len, 959 &pasn_params, wrapped_data, secret); 960 if (ret) { 961 wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys"); 962 status = WLAN_STATUS_PASN_BASE_AKMP_FAILED; 963 goto send_resp; 964 } 965 966 ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher, 967 ((const u8 *) mgmt) + IEEE80211_HDRLEN, 968 len - IEEE80211_HDRLEN, pasn->hash); 969 if (ret) { 970 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash"); 971 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 972 } 973 974 send_resp: 975 ret = handle_auth_pasn_resp(pasn, own_addr, peer_addr, pmksa, status); 976 if (ret) { 977 wpa_printf(MSG_DEBUG, "PASN: Failed to send response"); 978 status = WLAN_STATUS_UNSPECIFIED_FAILURE; 979 } else { 980 wpa_printf(MSG_DEBUG, 981 "PASN: Success handling transaction == 1"); 982 } 983 984 wpabuf_free(secret); 985 wpabuf_free(wrapped_data); 986 987 if (status != WLAN_STATUS_SUCCESS) 988 return -1; 989 990 return 0; 991 } 992 993 handle_auth_pasn_3(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const struct ieee80211_mgmt * mgmt,size_t len)994 int handle_auth_pasn_3(struct pasn_data *pasn, const u8 *own_addr, 995 const u8 *peer_addr, 996 const struct ieee80211_mgmt *mgmt, size_t len) 997 { 998 struct ieee802_11_elems elems; 999 struct wpa_pasn_params_data pasn_params; 1000 struct wpabuf *wrapped_data = NULL; 1001 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN]; 1002 u8 mic_len; 1003 int ret; 1004 u8 *copy = NULL; 1005 size_t copy_len, mic_offset; 1006 1007 if (ieee802_11_parse_elems(mgmt->u.auth.variable, 1008 len - offsetof(struct ieee80211_mgmt, 1009 u.auth.variable), 1010 &elems, 0) == ParseFailed) { 1011 wpa_printf(MSG_DEBUG, 1012 "PASN: Failed parsing Authentication frame"); 1013 goto fail; 1014 } 1015 1016 /* Check that the MIC IE exists. Save it and zero out the memory. */ 1017 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher); 1018 if (!elems.mic || elems.mic_len != mic_len) { 1019 wpa_printf(MSG_DEBUG, 1020 "PASN: Invalid MIC. Expecting len=%u", mic_len); 1021 goto fail; 1022 } 1023 os_memcpy(mic, elems.mic, mic_len); 1024 1025 if (!elems.pasn_params || !elems.pasn_params_len) { 1026 wpa_printf(MSG_DEBUG, 1027 "PASN: No PASN Parameters element found"); 1028 goto fail; 1029 } 1030 1031 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3, 1032 elems.pasn_params_len + 3, 1033 false, &pasn_params); 1034 if (ret) { 1035 wpa_printf(MSG_DEBUG, 1036 "PASN: Failed validation of PASN Parameters IE"); 1037 goto fail; 1038 } 1039 1040 if (pasn_params.pubkey || pasn_params.pubkey_len) { 1041 wpa_printf(MSG_DEBUG, 1042 "PASN: Public key should not be included"); 1043 goto fail; 1044 } 1045 1046 /* Verify the MIC */ 1047 copy_len = len - offsetof(struct ieee80211_mgmt, u.auth); 1048 mic_offset = elems.mic - (const u8 *) &mgmt->u.auth; 1049 copy_len = len - offsetof(struct ieee80211_mgmt, u.auth); 1050 if (mic_offset + mic_len > copy_len) 1051 goto fail; 1052 copy = os_memdup(&mgmt->u.auth, copy_len); 1053 if (!copy) 1054 goto fail; 1055 os_memset(copy + mic_offset, 0, mic_len); 1056 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher, 1057 peer_addr, own_addr, 1058 pasn->hash, mic_len * 2, 1059 copy, copy_len, out_mic); 1060 os_free(copy); 1061 copy = NULL; 1062 1063 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len); 1064 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) { 1065 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification"); 1066 goto fail; 1067 } 1068 1069 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) { 1070 wrapped_data = ieee802_11_defrag(elems.wrapped_data, 1071 elems.wrapped_data_len, 1072 true); 1073 1074 if (!wrapped_data) { 1075 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data"); 1076 goto fail; 1077 } 1078 1079 #ifdef CONFIG_SAE 1080 if (pasn->akmp == WPA_KEY_MGMT_SAE) { 1081 ret = pasn_wd_handle_sae_confirm(pasn, peer_addr, 1082 wrapped_data); 1083 if (ret) { 1084 wpa_printf(MSG_DEBUG, 1085 "PASN: Failed processing SAE confirm"); 1086 wpabuf_free(wrapped_data); 1087 goto fail; 1088 } 1089 } 1090 #endif /* CONFIG_SAE */ 1091 #ifdef CONFIG_FILS 1092 if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 || 1093 pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) { 1094 if (wrapped_data) { 1095 wpa_printf(MSG_DEBUG, 1096 "PASN: FILS: Ignore wrapped data"); 1097 } 1098 } 1099 #endif /* CONFIG_FILS */ 1100 wpabuf_free(wrapped_data); 1101 } 1102 1103 if (pasn_parse_encrypted_data(pasn, (const u8 *) mgmt, len) < 0) { 1104 wpa_printf(MSG_DEBUG, "PASN: Encrypted data processing failed"); 1105 goto fail; 1106 } 1107 1108 wpa_printf(MSG_INFO, 1109 "PASN: Success handling transaction == 3. Store PTK"); 1110 return 0; 1111 1112 fail: 1113 os_free(copy); 1114 return -1; 1115 } 1116 1117 #endif /* CONFIG_PASN */ 1118