1 /*
2 * PASN responder processing
3 *
4 * Copyright (C) 2019, Intel Corporation
5 * Copyright (C) 2022, Qualcomm Innovation Center, Inc.
6 *
7 * This software may be distributed under the terms of the BSD license.
8 * See README for more details.
9 */
10
11 #include "utils/includes.h"
12
13 #include "utils/common.h"
14 #include "common/wpa_common.h"
15 #include "common/sae.h"
16 #include "common/ieee802_11_common.h"
17 #include "common/ieee802_11_defs.h"
18 #include "crypto/sha384.h"
19 #include "crypto/sha256.h"
20 #include "crypto/random.h"
21 #include "crypto/crypto.h"
22 #include "ap/hostapd.h"
23 #include "ap/comeback_token.h"
24 #include "ap/ieee802_1x.h"
25 #include "ap/pmksa_cache_auth.h"
26 #include "pasn_common.h"
27
28
pasn_responder_pmksa_cache_init(void)29 struct rsn_pmksa_cache * pasn_responder_pmksa_cache_init(void)
30 {
31 return pmksa_cache_auth_init(NULL, NULL);
32 }
33
34
pasn_responder_pmksa_cache_deinit(struct rsn_pmksa_cache * pmksa)35 void pasn_responder_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa)
36 {
37 return pmksa_cache_auth_deinit(pmksa);
38 }
39
40
pasn_responder_pmksa_cache_add(struct rsn_pmksa_cache * pmksa,const u8 * own_addr,const u8 * bssid,const u8 * pmk,size_t pmk_len,const u8 * pmkid)41 int pasn_responder_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
42 const u8 *own_addr, const u8 *bssid,
43 const u8 *pmk, size_t pmk_len,
44 const u8 *pmkid)
45 {
46 if (pmksa_cache_auth_add(pmksa, pmk, pmk_len, pmkid, NULL, 0, own_addr,
47 bssid, 0, NULL, WPA_KEY_MGMT_SAE))
48 return 0;
49 return -1;
50 }
51
52
pasn_responder_pmksa_cache_get(struct rsn_pmksa_cache * pmksa,const u8 * bssid,u8 * pmkid,u8 * pmk,size_t * pmk_len)53 int pasn_responder_pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
54 const u8 *bssid, u8 *pmkid, u8 *pmk,
55 size_t *pmk_len)
56 {
57 struct rsn_pmksa_cache_entry *entry;
58
59 entry = pmksa_cache_auth_get(pmksa, bssid, NULL);
60 if (entry) {
61 os_memcpy(pmkid, entry->pmkid, PMKID_LEN);
62 os_memcpy(pmk, entry->pmk, entry->pmk_len);
63 *pmk_len = entry->pmk_len;
64 return 0;
65 }
66 return -1;
67 }
68
69
pasn_responder_pmksa_cache_remove(struct rsn_pmksa_cache * pmksa,const u8 * bssid)70 void pasn_responder_pmksa_cache_remove(struct rsn_pmksa_cache *pmksa,
71 const u8 *bssid)
72 {
73 struct rsn_pmksa_cache_entry *entry;
74
75 entry = pmksa_cache_auth_get(pmksa, bssid, NULL);
76 if (!entry)
77 return;
78
79 pmksa_cache_free_entry(pmksa, entry);
80 }
81
82
pasn_responder_pmksa_cache_flush(struct rsn_pmksa_cache * pmksa)83 void pasn_responder_pmksa_cache_flush(struct rsn_pmksa_cache *pmksa)
84 {
85 return pmksa_cache_auth_flush(pmksa);
86 }
87
88
pasn_set_responder_pmksa(struct pasn_data * pasn,struct rsn_pmksa_cache * pmksa)89 void pasn_set_responder_pmksa(struct pasn_data *pasn,
90 struct rsn_pmksa_cache *pmksa)
91 {
92 if (pasn)
93 pasn->pmksa = pmksa;
94 }
95
96
97 #ifdef CONFIG_PASN
98 #ifdef CONFIG_SAE
99
pasn_wd_handle_sae_commit(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,struct wpabuf * wd)100 static int pasn_wd_handle_sae_commit(struct pasn_data *pasn,
101 const u8 *own_addr, const u8 *peer_addr,
102 struct wpabuf *wd)
103 {
104 const u8 *data;
105 size_t buf_len;
106 u16 res, alg, seq, status;
107 int groups[] = { pasn->group, 0 };
108 int ret;
109
110 if (!wd)
111 return -1;
112
113 data = wpabuf_head_u8(wd);
114 buf_len = wpabuf_len(wd);
115
116 if (buf_len < 6) {
117 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
118 buf_len);
119 return -1;
120 }
121
122 alg = WPA_GET_LE16(data);
123 seq = WPA_GET_LE16(data + 2);
124 status = WPA_GET_LE16(data + 4);
125
126 wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u",
127 alg, seq, status);
128
129 if (alg != WLAN_AUTH_SAE || seq != 1 ||
130 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
131 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit");
132 return -1;
133 }
134
135 sae_clear_data(&pasn->sae);
136 pasn->sae.state = SAE_NOTHING;
137
138 ret = sae_set_group(&pasn->sae, pasn->group);
139 if (ret) {
140 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
141 return -1;
142 }
143
144 if (!pasn->password || !pasn->pt) {
145 wpa_printf(MSG_DEBUG, "PASN: No SAE PT found");
146 return -1;
147 }
148
149 ret = sae_prepare_commit_pt(&pasn->sae, pasn->pt, own_addr, peer_addr,
150 NULL, NULL);
151 if (ret) {
152 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
153 return -1;
154 }
155
156 res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, NULL,
157 groups, 0, NULL);
158 if (res != WLAN_STATUS_SUCCESS) {
159 wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit");
160 return -1;
161 }
162
163 /* Process the commit message and derive the PMK */
164 ret = sae_process_commit(&pasn->sae);
165 if (ret) {
166 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
167 return -1;
168 }
169
170 pasn->sae.state = SAE_COMMITTED;
171
172 return 0;
173 }
174
175
pasn_wd_handle_sae_confirm(struct pasn_data * pasn,const u8 * peer_addr,struct wpabuf * wd)176 static int pasn_wd_handle_sae_confirm(struct pasn_data *pasn,
177 const u8 *peer_addr, struct wpabuf *wd)
178 {
179 const u8 *data;
180 size_t buf_len;
181 u16 res, alg, seq, status;
182
183 if (!wd)
184 return -1;
185
186 data = wpabuf_head_u8(wd);
187 buf_len = wpabuf_len(wd);
188
189 if (buf_len < 6) {
190 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
191 buf_len);
192 return -1;
193 }
194
195 alg = WPA_GET_LE16(data);
196 seq = WPA_GET_LE16(data + 2);
197 status = WPA_GET_LE16(data + 4);
198
199 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
200 alg, seq, status);
201
202 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
203 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
204 return -1;
205 }
206
207 res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6, NULL);
208 if (res != WLAN_STATUS_SUCCESS) {
209 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
210 return -1;
211 }
212
213 pasn->sae.state = SAE_ACCEPTED;
214
215 /*
216 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with
217 * PASN/SAE should only be allowed with future PASN only. For now do not
218 * restrict this only for PASN.
219 */
220 if (pasn->disable_pmksa_caching)
221 return 0;
222
223 wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE",
224 pasn->sae.pmk, pasn->sae.pmk_len);
225 if (!pasn->sae.akmp)
226 pasn->sae.akmp = WPA_KEY_MGMT_SAE;
227
228 pmksa_cache_auth_add(pasn->pmksa, pasn->sae.pmk, pasn->sae.pmk_len,
229 pasn->sae.pmkid, NULL, 0, pasn->own_addr,
230 peer_addr, 0, NULL, pasn->sae.akmp);
231 return 0;
232 }
233
234
pasn_get_sae_wd(struct pasn_data * pasn)235 static struct wpabuf * pasn_get_sae_wd(struct pasn_data *pasn)
236 {
237 struct wpabuf *buf = NULL;
238 u8 *len_ptr;
239 size_t len;
240
241 /* Need to add the entire Authentication frame body */
242 buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN);
243 if (!buf) {
244 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
245 return NULL;
246 }
247
248 /* Need to add the entire authentication frame body for the commit */
249 len_ptr = wpabuf_put(buf, 2);
250 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
251 wpabuf_put_le16(buf, 1);
252 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
253
254 /* Write the actual commit and update the length accordingly */
255 sae_write_commit(&pasn->sae, buf, NULL, NULL);
256 len = wpabuf_len(buf);
257 WPA_PUT_LE16(len_ptr, len - 2);
258
259 /* Need to add the entire Authentication frame body for the confirm */
260 len_ptr = wpabuf_put(buf, 2);
261 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
262 wpabuf_put_le16(buf, 2);
263 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
264
265 sae_write_confirm(&pasn->sae, buf);
266 WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2);
267
268 pasn->sae.state = SAE_CONFIRMED;
269
270 return buf;
271 }
272
273 #endif /* CONFIG_SAE */
274
275
276 #ifdef CONFIG_FILS
277
pasn_get_fils_wd(struct pasn_data * pasn)278 static struct wpabuf * pasn_get_fils_wd(struct pasn_data *pasn)
279 {
280 struct pasn_fils *fils = &pasn->fils;
281 struct wpabuf *buf = NULL;
282
283 if (!fils->erp_resp) {
284 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp");
285 return NULL;
286 }
287
288 buf = wpabuf_alloc(1500);
289 if (!buf)
290 return NULL;
291
292 /* Add the authentication algorithm */
293 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
294
295 /* Authentication Transaction seq# */
296 wpabuf_put_le16(buf, 2);
297
298 /* Status Code */
299 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
300
301 /* Own RSNE */
302 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
303
304 /* FILS Nonce */
305 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
306 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
307 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
308 wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN);
309
310 /* FILS Session */
311 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
312 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
313 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
314 wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN);
315
316 /* Wrapped Data */
317 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
318 wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp));
319 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
320 wpabuf_put_buf(buf, fils->erp_resp);
321
322 return buf;
323 }
324
325 #endif /* CONFIG_FILS */
326
pasn_get_wrapped_data(struct pasn_data * pasn)327 static struct wpabuf * pasn_get_wrapped_data(struct pasn_data *pasn)
328 {
329 switch (pasn->akmp) {
330 case WPA_KEY_MGMT_PASN:
331 /* no wrapped data */
332 return NULL;
333 case WPA_KEY_MGMT_SAE:
334 #ifdef CONFIG_SAE
335 return pasn_get_sae_wd(pasn);
336 #else /* CONFIG_SAE */
337 wpa_printf(MSG_ERROR,
338 "PASN: SAE: Cannot derive wrapped data");
339 return NULL;
340 #endif /* CONFIG_SAE */
341 case WPA_KEY_MGMT_FILS_SHA256:
342 case WPA_KEY_MGMT_FILS_SHA384:
343 #ifdef CONFIG_FILS
344 return pasn_get_fils_wd(pasn);
345 #endif /* CONFIG_FILS */
346 /* fall through */
347 case WPA_KEY_MGMT_FT_PSK:
348 case WPA_KEY_MGMT_FT_IEEE8021X:
349 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
350 default:
351 wpa_printf(MSG_ERROR,
352 "PASN: TODO: Wrapped data for akmp=0x%x",
353 pasn->akmp);
354 return NULL;
355 }
356 }
357
358
359 static int
pasn_derive_keys(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * cached_pmk,size_t cached_pmk_len,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data,struct wpabuf * secret)360 pasn_derive_keys(struct pasn_data *pasn,
361 const u8 *own_addr, const u8 *peer_addr,
362 const u8 *cached_pmk, size_t cached_pmk_len,
363 struct wpa_pasn_params_data *pasn_data,
364 struct wpabuf *wrapped_data,
365 struct wpabuf *secret)
366 {
367 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
368 u8 pmk[PMK_LEN_MAX];
369 u8 pmk_len;
370 int ret;
371
372 os_memset(pmk, 0, sizeof(pmk));
373 pmk_len = 0;
374
375 if (!cached_pmk || !cached_pmk_len)
376 wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
377
378 if (pasn->akmp == WPA_KEY_MGMT_PASN) {
379 wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
380
381 pmk_len = WPA_PASN_PMK_LEN;
382 os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
383 } else if (cached_pmk && cached_pmk_len) {
384 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
385
386 pmk_len = cached_pmk_len;
387 os_memcpy(pmk, cached_pmk, cached_pmk_len);
388 } else {
389 switch (pasn->akmp) {
390 #ifdef CONFIG_SAE
391 case WPA_KEY_MGMT_SAE:
392 if (pasn->sae.state == SAE_COMMITTED) {
393 pmk_len = PMK_LEN;
394 os_memcpy(pmk, pasn->sae.pmk, PMK_LEN);
395 break;
396 }
397 #endif /* CONFIG_SAE */
398 /* fall through */
399 default:
400 /* TODO: Derive PMK based on wrapped data */
401 wpa_printf(MSG_DEBUG,
402 "PASN: Missing PMK derivation");
403 return -1;
404 }
405 }
406
407 pasn->pmk_len = pmk_len;
408 os_memcpy(pasn->pmk, pmk, pmk_len);
409 ret = pasn_pmk_to_ptk(pmk, pmk_len, peer_addr, own_addr,
410 wpabuf_head(secret), wpabuf_len(secret),
411 &pasn->ptk, pasn->akmp,
412 pasn->cipher, pasn->kdk_len, pasn->kek_len);
413 if (ret) {
414 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
415 return -1;
416 }
417
418 if (pasn->secure_ltf) {
419 ret = wpa_ltf_keyseed(&pasn->ptk, pasn->akmp,
420 pasn->cipher);
421 if (ret) {
422 wpa_printf(MSG_DEBUG,
423 "PASN: Failed to derive LTF keyseed");
424 return -1;
425 }
426 }
427
428 wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
429 return 0;
430 }
431
432
handle_auth_pasn_comeback(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,u16 group)433 static void handle_auth_pasn_comeback(struct pasn_data *pasn,
434 const u8 *own_addr, const u8 *peer_addr,
435 u16 group)
436 {
437 struct wpabuf *buf, *comeback;
438 int ret;
439
440 wpa_printf(MSG_DEBUG,
441 "PASN: Building comeback frame 2. Comeback after=%u",
442 pasn->comeback_after);
443
444 buf = wpabuf_alloc(1500);
445 if (!buf)
446 return;
447
448 wpa_pasn_build_auth_header(buf, pasn->bssid, own_addr, peer_addr, 2,
449 WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY);
450
451 /*
452 * Do not include the group as a part of the token since it is not going
453 * to be used.
454 */
455 comeback = auth_build_token_req(&pasn->last_comeback_key_update,
456 pasn->comeback_key, pasn->comeback_idx,
457 pasn->comeback_pending_idx,
458 sizeof(u16) * COMEBACK_PENDING_IDX_SIZE,
459 0, peer_addr, 0);
460 if (!comeback) {
461 wpa_printf(MSG_DEBUG,
462 "PASN: Failed sending auth with comeback");
463 wpabuf_free(buf);
464 return;
465 }
466
467 wpa_pasn_add_parameter_ie(buf, group,
468 WPA_PASN_WRAPPED_DATA_NO,
469 NULL, 0, comeback,
470 pasn->comeback_after);
471 wpabuf_free(comeback);
472
473 wpa_printf(MSG_DEBUG,
474 "PASN: comeback: STA=" MACSTR, MAC2STR(peer_addr));
475
476 ret = pasn->send_mgmt(pasn->cb_ctx, wpabuf_head_u8(buf),
477 wpabuf_len(buf), 0, pasn->freq, 0);
478 if (ret)
479 wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2");
480
481 wpabuf_free(buf);
482 }
483
484
handle_auth_pasn_resp(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,struct rsn_pmksa_cache_entry * pmksa,u16 status)485 int handle_auth_pasn_resp(struct pasn_data *pasn, const u8 *own_addr,
486 const u8 *peer_addr,
487 struct rsn_pmksa_cache_entry *pmksa, u16 status)
488 {
489 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
490 struct wpabuf *rsn_buf = NULL;
491 u8 mic[WPA_PASN_MAX_MIC_LEN];
492 u8 mic_len;
493 u8 *ptr;
494 const u8 *frame, *data, *rsn_ie, *rsnxe_ie;
495 u8 *data_buf = NULL;
496 size_t frame_len, data_len;
497 int ret;
498 const u8 *pmkid = NULL;
499
500 wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status);
501
502 buf = wpabuf_alloc(1500);
503 if (!buf)
504 goto fail;
505
506 wpa_pasn_build_auth_header(buf, pasn->bssid, own_addr, peer_addr, 2,
507 status);
508
509 if (status != WLAN_STATUS_SUCCESS)
510 goto done;
511
512 if (pmksa && pasn->custom_pmkid_valid)
513 pmkid = pasn->custom_pmkid;
514 else if (pmksa) {
515 pmkid = pmksa->pmkid;
516 #ifdef CONFIG_SAE
517 } else if (pasn->akmp == WPA_KEY_MGMT_SAE) {
518 wpa_printf(MSG_DEBUG, "PASN: Use SAE PMKID");
519 pmkid = pasn->sae.pmkid;
520 #endif /* CONFIG_SAE */
521 #ifdef CONFIG_FILS
522 } else if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
523 pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
524 wpa_printf(MSG_DEBUG, "PASN: Use FILS ERP PMKID");
525 pmkid = pasn->fils.erp_pmkid;
526 #endif /* CONFIG_FILS */
527 }
528
529 if (wpa_pasn_add_rsne(buf, pmkid,
530 pasn->akmp, pasn->cipher) < 0)
531 goto fail;
532
533 /* No need to derive PMK if PMKSA is given */
534 if (!pmksa)
535 wrapped_data_buf = pasn_get_wrapped_data(pasn);
536 else
537 pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO;
538
539 /* Get public key */
540 pubkey = crypto_ecdh_get_pubkey(pasn->ecdh, 0);
541 pubkey = wpabuf_zeropad(pubkey,
542 crypto_ecdh_prime_len(pasn->ecdh));
543 if (!pubkey) {
544 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
545 goto fail;
546 }
547
548 wpa_pasn_add_parameter_ie(buf, pasn->group,
549 pasn->wrapped_data_format,
550 pubkey, true, NULL, 0);
551
552 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
553 goto fail;
554
555 wpabuf_free(wrapped_data_buf);
556 wrapped_data_buf = NULL;
557 wpabuf_free(pubkey);
558 pubkey = NULL;
559
560 /* Add RSNXE if needed */
561 rsnxe_ie = pasn->rsnxe_ie;
562 if (rsnxe_ie)
563 wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]);
564
565 if (pasn->prepare_data_element && pasn->cb_ctx)
566 pasn->prepare_data_element(pasn->cb_ctx, peer_addr);
567
568 wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len);
569
570 /* Add the mic */
571 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
572 wpabuf_put_u8(buf, WLAN_EID_MIC);
573 wpabuf_put_u8(buf, mic_len);
574 ptr = wpabuf_put(buf, mic_len);
575
576 os_memset(ptr, 0, mic_len);
577
578 frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
579 frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
580
581 if (pasn->rsn_ie && pasn->rsn_ie_len) {
582 rsn_ie = pasn->rsn_ie;
583 } else {
584 /*
585 * Note: when pasn->rsn_ie is NULL, it is likely that Beacon
586 * frame RSNE is not initialized. This is possible in case of
587 * PASN authentication used for Wi-Fi Aware for which Beacon
588 * frame RSNE and RSNXE are same as RSNE and RSNXE in the
589 * Authentication frame.
590 */
591 rsn_buf = wpabuf_alloc(500);
592 if (!rsn_buf)
593 goto fail;
594
595 if (wpa_pasn_add_rsne(rsn_buf, pmkid,
596 pasn->akmp, pasn->cipher) < 0)
597 goto fail;
598
599 rsn_ie = wpabuf_head_u8(rsn_buf);
600 }
601
602 /*
603 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also
604 * MDE, etc. Thus, do not use the returned length but instead use the
605 * length specified in the IE header.
606 */
607 data_len = rsn_ie[1] + 2;
608 if (rsnxe_ie) {
609 data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2);
610 if (!data_buf)
611 goto fail;
612
613 os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2);
614 os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2);
615 data_len += rsnxe_ie[1] + 2;
616 data = data_buf;
617 } else {
618 data = rsn_ie;
619 }
620
621 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
622 own_addr, peer_addr, data, data_len,
623 frame, frame_len, mic);
624 os_free(data_buf);
625 if (ret) {
626 wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation");
627 goto fail;
628 }
629
630 #ifdef CONFIG_TESTING_OPTIONS
631 if (pasn->corrupt_mic) {
632 wpa_printf(MSG_DEBUG, "PASN: frame 2: Corrupt MIC");
633 mic[0] = ~mic[0];
634 }
635 #endif /* CONFIG_TESTING_OPTIONS */
636
637 os_memcpy(ptr, mic, mic_len);
638
639 done:
640 wpa_printf(MSG_DEBUG,
641 "PASN: Building frame 2: success; resp STA=" MACSTR,
642 MAC2STR(peer_addr));
643 wpabuf_free(pasn->frame);
644 pasn->frame = NULL;
645
646 ret = pasn->send_mgmt(pasn->cb_ctx, wpabuf_head_u8(buf),
647 wpabuf_len(buf), 0, pasn->freq, 0);
648 if (ret)
649 wpa_printf(MSG_INFO, "send_auth_reply: Send failed");
650
651 wpabuf_free(rsn_buf);
652 pasn->frame = buf;
653 return ret;
654 fail:
655 wpabuf_free(wrapped_data_buf);
656 wpabuf_free(pubkey);
657 wpabuf_free(rsn_buf);
658 wpabuf_free(buf);
659 return -1;
660 }
661
662
handle_auth_pasn_1(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const struct ieee80211_mgmt * mgmt,size_t len,bool reject)663 int handle_auth_pasn_1(struct pasn_data *pasn,
664 const u8 *own_addr, const u8 *peer_addr,
665 const struct ieee80211_mgmt *mgmt, size_t len,
666 bool reject)
667 {
668 struct ieee802_11_elems elems;
669 struct wpa_ie_data rsn_data;
670 struct wpa_pasn_params_data pasn_params;
671 struct rsn_pmksa_cache_entry *pmksa = NULL;
672 const u8 *cached_pmk = NULL;
673 size_t cached_pmk_len = 0;
674 struct wpabuf *wrapped_data = NULL, *secret = NULL;
675 const int *groups = pasn->pasn_groups;
676 static const int default_groups[] = { 19, 0 };
677 u16 status = WLAN_STATUS_SUCCESS;
678 int ret, inc_y;
679 bool derive_keys;
680 u32 i;
681
682 if (!groups)
683 groups = default_groups;
684
685 if (reject) {
686 wpa_printf(MSG_DEBUG, "PASN: Received Rejection");
687 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
688 goto send_resp;
689 }
690
691 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
692 len - offsetof(struct ieee80211_mgmt,
693 u.auth.variable),
694 &elems, 0) == ParseFailed) {
695 wpa_printf(MSG_DEBUG,
696 "PASN: Failed parsing Authentication frame");
697 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
698 goto send_resp;
699 }
700
701 if (!elems.rsn_ie) {
702 wpa_printf(MSG_DEBUG, "PASN: No RSNE");
703 status = WLAN_STATUS_INVALID_RSNIE;
704 goto send_resp;
705 }
706
707 ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
708 &rsn_data);
709 if (ret) {
710 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE");
711 status = WLAN_STATUS_INVALID_RSNIE;
712 goto send_resp;
713 }
714
715 ret = wpa_pasn_validate_rsne(&rsn_data);
716 if (ret) {
717 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
718 status = WLAN_STATUS_INVALID_RSNIE;
719 goto send_resp;
720 }
721
722 if (!(rsn_data.key_mgmt & pasn->wpa_key_mgmt) ||
723 !(rsn_data.pairwise_cipher & pasn->rsn_pairwise)) {
724 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
725 status = WLAN_STATUS_INVALID_RSNIE;
726 goto send_resp;
727 }
728
729 pasn->akmp = rsn_data.key_mgmt;
730 pasn->cipher = rsn_data.pairwise_cipher;
731
732 if (pasn->derive_kdk &&
733 ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
734 WLAN_RSNX_CAPAB_SECURE_LTF))
735 pasn->secure_ltf = true;
736
737 if (pasn->derive_kdk)
738 pasn->kdk_len = WPA_KDK_MAX_LEN;
739 else
740 pasn->kdk_len = 0;
741
742 wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", pasn->kdk_len);
743
744 if (!ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
745 WLAN_RSNX_CAPAB_KEK_IN_PASN)) {
746 pasn->kek_len = 0;
747 pasn->derive_kek = false;
748 }
749
750 wpa_printf(MSG_DEBUG, "PASN: kek_len=%zu", pasn->kek_len);
751
752 if (!elems.pasn_params || !elems.pasn_params_len) {
753 wpa_printf(MSG_DEBUG,
754 "PASN: No PASN Parameters element found");
755 status = WLAN_STATUS_INVALID_PARAMETERS;
756 goto send_resp;
757 }
758
759 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
760 elems.pasn_params_len + 3,
761 false, &pasn_params);
762 if (ret) {
763 wpa_printf(MSG_DEBUG,
764 "PASN: Failed validation of PASN Parameters IE");
765 status = WLAN_STATUS_INVALID_PARAMETERS;
766 goto send_resp;
767 }
768
769 for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++)
770 ;
771
772 if (!pasn_params.group || groups[i] != pasn_params.group) {
773 wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed",
774 pasn_params.group);
775 status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
776 goto send_resp;
777 }
778
779 if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
780 wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
781 status = WLAN_STATUS_INVALID_PARAMETERS;
782 goto send_resp;
783 }
784
785 if (pasn_params.comeback) {
786 wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token");
787
788 ret = check_comeback_token(pasn->comeback_key,
789 pasn->comeback_pending_idx,
790 peer_addr,
791 pasn_params.comeback,
792 pasn_params.comeback_len);
793
794 if (ret) {
795 wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token");
796 status = WLAN_STATUS_INVALID_PARAMETERS;
797 goto send_resp;
798 }
799 } else if (pasn->use_anti_clogging) {
800 wpa_printf(MSG_DEBUG, "PASN: Respond with comeback");
801 handle_auth_pasn_comeback(pasn, own_addr, peer_addr,
802 pasn_params.group);
803 return -1;
804 }
805
806 pasn->ecdh = crypto_ecdh_init(pasn_params.group);
807 if (!pasn->ecdh) {
808 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
809 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
810 goto send_resp;
811 }
812
813 pasn->group = pasn_params.group;
814
815 if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
816 inc_y = 1;
817 } else if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
818 pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
819 inc_y = 0;
820 } else {
821 wpa_printf(MSG_DEBUG,
822 "PASN: Invalid first octet in pubkey=0x%x",
823 pasn_params.pubkey[0]);
824 status = WLAN_STATUS_INVALID_PUBLIC_KEY;
825 goto send_resp;
826 }
827
828 secret = crypto_ecdh_set_peerkey(pasn->ecdh, inc_y,
829 pasn_params.pubkey + 1,
830 pasn_params.pubkey_len - 1);
831 if (!secret) {
832 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
833 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
834 goto send_resp;
835 }
836
837 if (!pasn->noauth && pasn->akmp == WPA_KEY_MGMT_PASN) {
838 wpa_printf(MSG_DEBUG, "PASN: Refuse PASN-UNAUTH");
839 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
840 goto send_resp;
841 }
842
843 derive_keys = true;
844 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
845 wrapped_data = ieee802_11_defrag(elems.wrapped_data,
846 elems.wrapped_data_len, true);
847 if (!wrapped_data) {
848 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
849 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
850 goto send_resp;
851 }
852
853 #ifdef CONFIG_SAE
854 if (pasn->akmp == WPA_KEY_MGMT_SAE) {
855 ret = pasn_wd_handle_sae_commit(pasn, own_addr,
856 peer_addr,
857 wrapped_data);
858 if (ret) {
859 wpa_printf(MSG_DEBUG,
860 "PASN: Failed processing SAE commit");
861 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
862 goto send_resp;
863 }
864 }
865 #endif /* CONFIG_SAE */
866 #ifdef CONFIG_FILS
867 if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
868 pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
869 if (!pasn->fils_wd_valid) {
870 wpa_printf(MSG_DEBUG,
871 "PASN: Invalid FILS wrapped data");
872 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
873 goto send_resp;
874 }
875
876 wpa_printf(MSG_DEBUG,
877 "PASN: FILS: Pending AS response");
878
879 /*
880 * With PASN/FILS, keys can be derived only after a
881 * response from the AS is processed.
882 */
883 derive_keys = false;
884 }
885 #endif /* CONFIG_FILS */
886 }
887
888 pasn->wrapped_data_format = pasn_params.wrapped_data_format;
889
890 ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
891 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
892 len - IEEE80211_HDRLEN, pasn->hash);
893 if (ret) {
894 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
895 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
896 goto send_resp;
897 }
898
899 if (!derive_keys) {
900 wpa_printf(MSG_DEBUG, "PASN: Storing secret");
901 pasn->secret = secret;
902 wpabuf_free(wrapped_data);
903 return 0;
904 }
905
906 if (rsn_data.num_pmkid) {
907 if (wpa_key_mgmt_ft(pasn->akmp)) {
908 #ifdef CONFIG_IEEE80211R_AP
909 wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1");
910
911 if (!pasn->pmk_r1_len) {
912 wpa_printf(MSG_DEBUG,
913 "PASN: FT: Failed getting PMK-R1");
914 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
915 goto send_resp;
916 }
917 cached_pmk = pasn->pmk_r1;
918 cached_pmk_len = pasn->pmk_r1_len;
919 #else /* CONFIG_IEEE80211R_AP */
920 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
921 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
922 goto send_resp;
923 #endif /* CONFIG_IEEE80211R_AP */
924 } else {
925 wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry");
926
927 if (pasn->pmksa) {
928 const u8 *pmkid = NULL;
929
930 if (pasn->custom_pmkid_valid) {
931 ret = pasn->validate_custom_pmkid(
932 pasn->cb_ctx, peer_addr,
933 rsn_data.pmkid);
934 if (ret) {
935 wpa_printf(MSG_DEBUG,
936 "PASN: Failed custom PMKID validation");
937 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
938 goto send_resp;
939 }
940 } else {
941 pmkid = rsn_data.pmkid;
942 }
943
944 pmksa = pmksa_cache_auth_get(pasn->pmksa,
945 peer_addr,
946 pmkid);
947 if (pmksa) {
948 cached_pmk = pmksa->pmk;
949 cached_pmk_len = pmksa->pmk_len;
950 }
951 }
952 }
953 } else {
954 wpa_printf(MSG_DEBUG, "PASN: No PMKID specified");
955 }
956
957 ret = pasn_derive_keys(pasn, own_addr, peer_addr,
958 cached_pmk, cached_pmk_len,
959 &pasn_params, wrapped_data, secret);
960 if (ret) {
961 wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys");
962 status = WLAN_STATUS_PASN_BASE_AKMP_FAILED;
963 goto send_resp;
964 }
965
966 ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
967 ((const u8 *) mgmt) + IEEE80211_HDRLEN,
968 len - IEEE80211_HDRLEN, pasn->hash);
969 if (ret) {
970 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
971 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
972 }
973
974 send_resp:
975 ret = handle_auth_pasn_resp(pasn, own_addr, peer_addr, pmksa, status);
976 if (ret) {
977 wpa_printf(MSG_DEBUG, "PASN: Failed to send response");
978 status = WLAN_STATUS_UNSPECIFIED_FAILURE;
979 } else {
980 wpa_printf(MSG_DEBUG,
981 "PASN: Success handling transaction == 1");
982 }
983
984 wpabuf_free(secret);
985 wpabuf_free(wrapped_data);
986
987 if (status != WLAN_STATUS_SUCCESS)
988 return -1;
989
990 return 0;
991 }
992
993
handle_auth_pasn_3(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const struct ieee80211_mgmt * mgmt,size_t len)994 int handle_auth_pasn_3(struct pasn_data *pasn, const u8 *own_addr,
995 const u8 *peer_addr,
996 const struct ieee80211_mgmt *mgmt, size_t len)
997 {
998 struct ieee802_11_elems elems;
999 struct wpa_pasn_params_data pasn_params;
1000 struct wpabuf *wrapped_data = NULL;
1001 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
1002 u8 mic_len;
1003 int ret;
1004 u8 *copy = NULL;
1005 size_t copy_len, mic_offset;
1006
1007 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
1008 len - offsetof(struct ieee80211_mgmt,
1009 u.auth.variable),
1010 &elems, 0) == ParseFailed) {
1011 wpa_printf(MSG_DEBUG,
1012 "PASN: Failed parsing Authentication frame");
1013 goto fail;
1014 }
1015
1016 /* Check that the MIC IE exists. Save it and zero out the memory. */
1017 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
1018 if (!elems.mic || elems.mic_len != mic_len) {
1019 wpa_printf(MSG_DEBUG,
1020 "PASN: Invalid MIC. Expecting len=%u", mic_len);
1021 goto fail;
1022 }
1023 os_memcpy(mic, elems.mic, mic_len);
1024
1025 if (!elems.pasn_params || !elems.pasn_params_len) {
1026 wpa_printf(MSG_DEBUG,
1027 "PASN: No PASN Parameters element found");
1028 goto fail;
1029 }
1030
1031 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
1032 elems.pasn_params_len + 3,
1033 false, &pasn_params);
1034 if (ret) {
1035 wpa_printf(MSG_DEBUG,
1036 "PASN: Failed validation of PASN Parameters IE");
1037 goto fail;
1038 }
1039
1040 if (pasn_params.pubkey || pasn_params.pubkey_len) {
1041 wpa_printf(MSG_DEBUG,
1042 "PASN: Public key should not be included");
1043 goto fail;
1044 }
1045
1046 /* Verify the MIC */
1047 copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
1048 mic_offset = elems.mic - (const u8 *) &mgmt->u.auth;
1049 copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
1050 if (mic_offset + mic_len > copy_len)
1051 goto fail;
1052 copy = os_memdup(&mgmt->u.auth, copy_len);
1053 if (!copy)
1054 goto fail;
1055 os_memset(copy + mic_offset, 0, mic_len);
1056 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1057 peer_addr, own_addr,
1058 pasn->hash, mic_len * 2,
1059 copy, copy_len, out_mic);
1060 os_free(copy);
1061 copy = NULL;
1062
1063 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
1064 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
1065 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
1066 goto fail;
1067 }
1068
1069 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
1070 wrapped_data = ieee802_11_defrag(elems.wrapped_data,
1071 elems.wrapped_data_len,
1072 true);
1073
1074 if (!wrapped_data) {
1075 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
1076 goto fail;
1077 }
1078
1079 #ifdef CONFIG_SAE
1080 if (pasn->akmp == WPA_KEY_MGMT_SAE) {
1081 ret = pasn_wd_handle_sae_confirm(pasn, peer_addr,
1082 wrapped_data);
1083 if (ret) {
1084 wpa_printf(MSG_DEBUG,
1085 "PASN: Failed processing SAE confirm");
1086 wpabuf_free(wrapped_data);
1087 goto fail;
1088 }
1089 }
1090 #endif /* CONFIG_SAE */
1091 #ifdef CONFIG_FILS
1092 if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
1093 pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
1094 if (wrapped_data) {
1095 wpa_printf(MSG_DEBUG,
1096 "PASN: FILS: Ignore wrapped data");
1097 }
1098 }
1099 #endif /* CONFIG_FILS */
1100 wpabuf_free(wrapped_data);
1101 }
1102
1103 if (pasn_parse_encrypted_data(pasn, (const u8 *) mgmt, len) < 0) {
1104 wpa_printf(MSG_DEBUG, "PASN: Encrypted data processing failed");
1105 goto fail;
1106 }
1107
1108 wpa_printf(MSG_INFO,
1109 "PASN: Success handling transaction == 3. Store PTK");
1110 return 0;
1111
1112 fail:
1113 os_free(copy);
1114 return -1;
1115 }
1116
1117 #endif /* CONFIG_PASN */
1118