1 /*
2  * PASN info for initiator and responder
3  *
4  * Copyright (C) 2019, Intel Corporation
5  * Copyright (c) 2022, Jouni Malinen <j@w1.fi>
6  * Copyright (C) 2022, Qualcomm Innovation Center, Inc.
7  *
8  * This software may be distributed under the terms of the BSD license.
9  * See README for more details.
10  */
11 
12 #ifndef PASN_COMMON_H
13 #define PASN_COMMON_H
14 
15 #ifdef __cplusplus
16 extern "C" {
17 #endif
18 
19 enum pasn_fils_state {
20 	PASN_FILS_STATE_NONE = 0,
21 	PASN_FILS_STATE_PENDING_AS,
22 	PASN_FILS_STATE_COMPLETE
23 };
24 
25 struct pasn_fils {
26 	u8 state;
27 	u8 nonce[FILS_NONCE_LEN];
28 	u8 anonce[FILS_NONCE_LEN];
29 	u8 session[FILS_SESSION_LEN];
30 	u8 erp_pmkid[PMKID_LEN];
31 	bool completed;
32 	struct wpabuf *erp_resp;
33 };
34 
35 struct pasn_data {
36 	/* External modules access below variables using setter and getter
37 	 * functions */
38 	int akmp;
39 	int cipher;
40 	u8 own_addr[ETH_ALEN];
41 	u8 peer_addr[ETH_ALEN];
42 	u8 bssid[ETH_ALEN];
43 	struct rsn_pmksa_cache *pmksa;
44 	bool derive_kdk;
45 	size_t kdk_len;
46 	void *cb_ctx;
47 
48 #ifdef CONFIG_SAE
49 	struct sae_pt *pt;
50 #endif /* CONFIG_SAE */
51 
52 	/* Responder */
53 	const char *password;
54 	int wpa_key_mgmt;
55 	int rsn_pairwise;
56 	u16 rsnxe_capab;
57 	u8 *rsnxe_ie;
58 	bool custom_pmkid_valid;
59 	u8 custom_pmkid[PMKID_LEN];
60 
61 	/*
62 	 * Extra elements to add into Authentication frames. These can be used,
63 	 * e.g., for Wi-Fi Aware use cases.
64 	 */
65 	const u8 *extra_ies;
66 	size_t extra_ies_len;
67 
68 	/* External modules do not access below variables */
69 	bool derive_kek;
70 	size_t kek_len;
71 	u16 group;
72 	bool secure_ltf;
73 	int freq;
74 
75 	u8 trans_seq;
76 	u8 status;
77 
78 	size_t pmk_len;
79 	u8 pmk[PMK_LEN_MAX];
80 	bool using_pmksa;
81 
82 	u8 hash[SHA384_MAC_LEN];
83 
84 	struct wpabuf *beacon_rsne_rsnxe;
85 	struct wpa_ptk ptk;
86 	struct crypto_ecdh *ecdh;
87 
88 	struct wpabuf *comeback;
89 	u16 comeback_after;
90 
91 #ifdef CONFIG_SAE
92 	struct sae_data sae;
93 #endif /* CONFIG_SAE */
94 
95 #ifdef CONFIG_FILS
96 	bool fils_eapol;
97 	bool fils_wd_valid;
98 	struct pasn_fils fils;
99 #endif /* CONFIG_FILS */
100 
101 #ifdef CONFIG_IEEE80211R
102 	u8 pmk_r1[PMK_LEN_MAX];
103 	size_t pmk_r1_len;
104 	u8 pmk_r1_name[WPA_PMK_NAME_LEN];
105 #endif /* CONFIG_IEEE80211R */
106 	/* Note that this pointers to RSN PMKSA cache are actually defined
107 	 * differently for the PASN initiator (using RSN Supplicant
108 	 * implementation) and PASN responser (using RSN Authenticator
109 	 * implementation). Functions cannot be mixed between those cases. */
110 	struct rsn_pmksa_cache_entry *pmksa_entry;
111 	struct eapol_sm *eapol;
112 	int fast_reauth;
113 #ifdef CONFIG_TESTING_OPTIONS
114 	int corrupt_mic;
115 #endif /* CONFIG_TESTING_OPTIONS */
116 	int network_id;
117 
118 	u8 wrapped_data_format;
119 	struct wpabuf *secret;
120 
121 	/* Responder */
122 	bool noauth; /* Whether PASN without mutual authentication is enabled */
123 	int disable_pmksa_caching;
124 	int *pasn_groups;
125 	struct wpabuf *wrapped_data;
126 	int use_anti_clogging;
127 	const u8 *rsn_ie;
128 	size_t rsn_ie_len;
129 
130 	u8 *comeback_key;
131 	struct os_reltime last_comeback_key_update;
132 	u16 comeback_idx;
133 	u16 *comeback_pending_idx;
134 	struct wpabuf *frame;
135 
136 	/**
137 	 * send_mgmt - Function handler to transmit a Management frame
138 	 * @ctx: Callback context from cb_ctx
139 	 * @frame_buf : Frame to transmit
140 	 * @frame_len: Length of frame to transmit
141 	 * @freq: Frequency in MHz for the channel on which to transmit
142 	 * @wait_dur: How many milliseconds to wait for a response frame
143 	 * Returns: 0 on success, -1 on failure
144 	 */
145 	int (*send_mgmt)(void *ctx, const u8 *data, size_t data_len, int noack,
146 			 unsigned int freq, unsigned int wait);
147 	/**
148 	 * validate_custom_pmkid - Handler to validate vendor specific PMKID
149 	 * @ctx: Callback context from cb_ctx
150 	 * @addr : MAC address of the peer
151 	 * @pmkid: Custom PMKID
152 	 * Returns: 0 on success (valid PMKID), -1 on failure
153 	 */
154 	int (*validate_custom_pmkid)(void *ctx, const u8 *addr,
155 				     const u8 *pmkid);
156 
157 	int (*prepare_data_element)(void *ctx, const u8 *peer_addr);
158 
159 	int (*parse_data_element)(void *ctx, const u8 *data, size_t len);
160 };
161 
162 /* Initiator */
163 void wpa_pasn_reset(struct pasn_data *pasn);
164 int wpas_pasn_start(struct pasn_data *pasn, const u8 *own_addr,
165 		    const u8 *peer_addr, const u8 *bssid,
166 		    int akmp, int cipher, u16 group,
167 		    int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
168 		    const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
169 		    const struct wpabuf *comeback);
170 int wpa_pasn_verify(struct pasn_data *pasn, const u8 *own_addr,
171 		    const u8 *peer_addr, const u8 *bssid,
172 		    int akmp, int cipher, u16 group,
173 		    int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
174 		    const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
175 		    const struct wpabuf *comeback);
176 int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
177 		     struct wpa_pasn_params_data *pasn_params);
178 int wpa_pasn_auth_tx_status(struct pasn_data *pasn,
179 			    const u8 *data, size_t data_len, u8 acked);
180 
181 /* Responder */
182 int handle_auth_pasn_1(struct pasn_data *pasn,
183 		       const u8 *own_addr, const u8 *peer_addr,
184 		       const struct ieee80211_mgmt *mgmt, size_t len,
185 		       bool reject);
186 int handle_auth_pasn_3(struct pasn_data *pasn, const u8 *own_addr,
187 		       const u8 *peer_addr,
188 		       const struct ieee80211_mgmt *mgmt, size_t len);
189 int handle_auth_pasn_resp(struct pasn_data *pasn, const u8 *own_addr,
190 			  const u8 *peer_addr,
191 			  struct rsn_pmksa_cache_entry *pmksa, u16 status);
192 
193 struct pasn_data * pasn_data_init(void);
194 void pasn_data_deinit(struct pasn_data *pasn);
195 void pasn_register_callbacks(struct pasn_data *pasn, void *cb_ctx,
196 			     int (*send_mgmt)(void *ctx, const u8 *data,
197 					      size_t data_len, int noack,
198 					      unsigned int freq,
199 					      unsigned int wait),
200 			     int (*validate_custom_pmkid)(void *ctx,
201 							  const u8 *addr,
202 							  const u8 *pmkid));
203 void pasn_enable_kdk_derivation(struct pasn_data *pasn);
204 void pasn_disable_kdk_derivation(struct pasn_data *pasn);
205 
206 void pasn_set_akmp(struct pasn_data *pasn, int akmp);
207 void pasn_set_cipher(struct pasn_data *pasn, int cipher);
208 void pasn_set_own_addr(struct pasn_data *pasn, const u8 *addr);
209 void pasn_set_peer_addr(struct pasn_data *pasn, const u8 *addr);
210 void pasn_set_bssid(struct pasn_data *pasn, const u8 *addr);
211 void pasn_set_initiator_pmksa(struct pasn_data *pasn,
212 			      struct rsn_pmksa_cache *pmksa);
213 void pasn_set_responder_pmksa(struct pasn_data *pasn,
214 			      struct rsn_pmksa_cache *pmksa);
215 int pasn_set_pt(struct pasn_data *pasn, struct sae_pt *pt);
216 struct rsn_pmksa_cache * pasn_initiator_pmksa_cache_init(void);
217 void pasn_initiator_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa);
218 int pasn_initiator_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
219 				   const u8 *own_addr, const u8 *bssid,
220 				   const u8 *pmk, size_t pmk_len,
221 				   const u8 *pmkid);
222 int pasn_initiator_pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
223 				   const u8 *bssid, u8 *pmkid, u8 *pmk,
224 				   size_t *pmk_len);
225 void pasn_initiator_pmksa_cache_remove(struct rsn_pmksa_cache *pmksa,
226 				       const u8 *bssid);
227 void pasn_initiator_pmksa_cache_flush(struct rsn_pmksa_cache *pmksa);
228 
229 /* Responder */
230 void pasn_set_noauth(struct pasn_data *pasn, bool noauth);
231 void pasn_set_password(struct pasn_data *pasn, const char *password);
232 void pasn_set_wpa_key_mgmt(struct pasn_data *pasn, int key_mgmt);
233 void pasn_set_rsn_pairwise(struct pasn_data *pasn, int rsn_pairwise);
234 void pasn_set_rsnxe_caps(struct pasn_data *pasn, u16 rsnxe_capab);
235 void pasn_set_rsnxe_ie(struct pasn_data *pasn, const u8 *rsnxe_ie);
236 void pasn_set_custom_pmkid(struct pasn_data *pasn, const u8 *pmkid);
237 int pasn_set_extra_ies(struct pasn_data *pasn, const u8 *extra_ies,
238 		       size_t extra_ies_len);
239 struct rsn_pmksa_cache * pasn_responder_pmksa_cache_init(void);
240 void pasn_responder_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa);
241 int pasn_responder_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
242 				   const u8 *own_addr, const u8 *bssid,
243 				   const u8 *pmk, size_t pmk_len,
244 				   const u8 *pmkid);
245 int pasn_responder_pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
246 				   const u8 *bssid, u8 *pmkid, u8 *pmk,
247 				   size_t *pmk_len);
248 void pasn_responder_pmksa_cache_remove(struct rsn_pmksa_cache *pmksa,
249 				       const u8 *bssid);
250 void pasn_responder_pmksa_cache_flush(struct rsn_pmksa_cache *pmksa);
251 
252 int pasn_get_akmp(struct pasn_data *pasn);
253 int pasn_get_cipher(struct pasn_data *pasn);
254 size_t pasn_get_pmk_len(struct pasn_data *pasn);
255 u8 * pasn_get_pmk(struct pasn_data *pasn);
256 struct wpa_ptk * pasn_get_ptk(struct pasn_data *pasn);
257 int pasn_add_encrypted_data(struct pasn_data *pasn, struct wpabuf *buf,
258 			    const u8 *data, size_t data_len);
259 int pasn_parse_encrypted_data(struct pasn_data *pasn, const u8 *data,
260 			      size_t len);
261 
262 #ifdef __cplusplus
263 }
264 #endif
265 #endif /* PASN_COMMON_H */
266