1 /*
2  * PASN responder processing
3  *
4  * Copyright (C) 2019, Intel Corporation
5  * Copyright (C) 2022, Qualcomm Innovation Center, Inc.
6  *
7  * This software may be distributed under the terms of the BSD license.
8  * See README for more details.
9  */
10 
11 #include "utils/includes.h"
12 
13 #include "utils/common.h"
14 #include "common/wpa_common.h"
15 #include "common/sae.h"
16 #include "common/ieee802_11_common.h"
17 #include "common/ieee802_11_defs.h"
18 #include "crypto/sha384.h"
19 #include "crypto/sha256.h"
20 #include "crypto/random.h"
21 #include "crypto/crypto.h"
22 #include "ap/hostapd.h"
23 #include "ap/comeback_token.h"
24 #include "ap/ieee802_1x.h"
25 #include "ap/pmksa_cache_auth.h"
26 #include "pasn_common.h"
27 
28 
pasn_responder_pmksa_cache_init(void)29 struct rsn_pmksa_cache * pasn_responder_pmksa_cache_init(void)
30 {
31 	return pmksa_cache_auth_init(NULL, NULL);
32 }
33 
34 
pasn_responder_pmksa_cache_deinit(struct rsn_pmksa_cache * pmksa)35 void pasn_responder_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa)
36 {
37 	return pmksa_cache_auth_deinit(pmksa);
38 }
39 
40 
pasn_responder_pmksa_cache_add(struct rsn_pmksa_cache * pmksa,const u8 * own_addr,const u8 * bssid,const u8 * pmk,size_t pmk_len,const u8 * pmkid)41 int pasn_responder_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
42 				   const u8 *own_addr, const u8 *bssid,
43 				   const u8 *pmk, size_t pmk_len,
44 				   const u8 *pmkid)
45 {
46 	if (pmksa_cache_auth_add(pmksa, pmk, pmk_len, pmkid, NULL, 0, own_addr,
47 				 bssid, 0, NULL, WPA_KEY_MGMT_SAE))
48 		return 0;
49 	return -1;
50 }
51 
52 
pasn_responder_pmksa_cache_get(struct rsn_pmksa_cache * pmksa,const u8 * bssid,u8 * pmkid,u8 * pmk,size_t * pmk_len)53 int pasn_responder_pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
54 				   const u8 *bssid, u8 *pmkid, u8 *pmk,
55 				   size_t *pmk_len)
56 {
57 	struct rsn_pmksa_cache_entry *entry;
58 
59 	entry = pmksa_cache_auth_get(pmksa, bssid, NULL);
60 	if (entry) {
61 		os_memcpy(pmkid, entry->pmkid, PMKID_LEN);
62 		os_memcpy(pmk, entry->pmk, entry->pmk_len);
63 		*pmk_len = entry->pmk_len;
64 		return 0;
65 	}
66 	return -1;
67 }
68 
69 
pasn_responder_pmksa_cache_remove(struct rsn_pmksa_cache * pmksa,const u8 * bssid)70 void pasn_responder_pmksa_cache_remove(struct rsn_pmksa_cache *pmksa,
71 				       const u8 *bssid)
72 {
73 	struct rsn_pmksa_cache_entry *entry;
74 
75 	entry = pmksa_cache_auth_get(pmksa, bssid, NULL);
76 	if (!entry)
77 		return;
78 
79 	pmksa_cache_free_entry(pmksa, entry);
80 }
81 
82 
pasn_responder_pmksa_cache_flush(struct rsn_pmksa_cache * pmksa)83 void pasn_responder_pmksa_cache_flush(struct rsn_pmksa_cache *pmksa)
84 {
85 	return pmksa_cache_auth_flush(pmksa);
86 }
87 
88 
pasn_set_responder_pmksa(struct pasn_data * pasn,struct rsn_pmksa_cache * pmksa)89 void pasn_set_responder_pmksa(struct pasn_data *pasn,
90 			      struct rsn_pmksa_cache *pmksa)
91 {
92 	if (pasn)
93 		pasn->pmksa = pmksa;
94 }
95 
96 
97 #ifdef CONFIG_PASN
98 #ifdef CONFIG_SAE
99 
pasn_wd_handle_sae_commit(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,struct wpabuf * wd)100 static int pasn_wd_handle_sae_commit(struct pasn_data *pasn,
101 				     const u8 *own_addr, const u8 *peer_addr,
102 				     struct wpabuf *wd)
103 {
104 	const u8 *data;
105 	size_t buf_len;
106 	u16 res, alg, seq, status;
107 	int groups[] = { pasn->group, 0 };
108 	int ret;
109 
110 	if (!wd)
111 		return -1;
112 
113 	data = wpabuf_head_u8(wd);
114 	buf_len = wpabuf_len(wd);
115 
116 	if (buf_len < 6) {
117 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
118 			   buf_len);
119 		return -1;
120 	}
121 
122 	alg = WPA_GET_LE16(data);
123 	seq = WPA_GET_LE16(data + 2);
124 	status = WPA_GET_LE16(data + 4);
125 
126 	wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u",
127 		   alg, seq, status);
128 
129 	if (alg != WLAN_AUTH_SAE || seq != 1 ||
130 	    status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
131 		wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit");
132 		return -1;
133 	}
134 
135 	sae_clear_data(&pasn->sae);
136 	pasn->sae.state = SAE_NOTHING;
137 
138 	ret = sae_set_group(&pasn->sae, pasn->group);
139 	if (ret) {
140 		wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
141 		return -1;
142 	}
143 
144 	if (!pasn->password || !pasn->pt) {
145 		wpa_printf(MSG_DEBUG, "PASN: No SAE PT found");
146 		return -1;
147 	}
148 
149 	ret = sae_prepare_commit_pt(&pasn->sae, pasn->pt, own_addr, peer_addr,
150 				    NULL, NULL);
151 	if (ret) {
152 		wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
153 		return -1;
154 	}
155 
156 	res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, NULL,
157 			       groups, 0, NULL);
158 	if (res != WLAN_STATUS_SUCCESS) {
159 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit");
160 		return -1;
161 	}
162 
163 	/* Process the commit message and derive the PMK */
164 	ret = sae_process_commit(&pasn->sae);
165 	if (ret) {
166 		wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
167 		return -1;
168 	}
169 
170 	pasn->sae.state = SAE_COMMITTED;
171 
172 	return 0;
173 }
174 
175 
pasn_wd_handle_sae_confirm(struct pasn_data * pasn,const u8 * peer_addr,struct wpabuf * wd)176 static int pasn_wd_handle_sae_confirm(struct pasn_data *pasn,
177 				      const u8 *peer_addr, struct wpabuf *wd)
178 {
179 	const u8 *data;
180 	size_t buf_len;
181 	u16 res, alg, seq, status;
182 
183 	if (!wd)
184 		return -1;
185 
186 	data = wpabuf_head_u8(wd);
187 	buf_len = wpabuf_len(wd);
188 
189 	if (buf_len < 6) {
190 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
191 			   buf_len);
192 		return -1;
193 	}
194 
195 	alg = WPA_GET_LE16(data);
196 	seq = WPA_GET_LE16(data + 2);
197 	status = WPA_GET_LE16(data + 4);
198 
199 	wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
200 		   alg, seq, status);
201 
202 	if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
203 		wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
204 		return -1;
205 	}
206 
207 	res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6, NULL);
208 	if (res != WLAN_STATUS_SUCCESS) {
209 		wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
210 		return -1;
211 	}
212 
213 	pasn->sae.state = SAE_ACCEPTED;
214 
215 	/*
216 	 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with
217 	 * PASN/SAE should only be allowed with future PASN only. For now do not
218 	 * restrict this only for PASN.
219 	 */
220 	if (pasn->disable_pmksa_caching)
221 		return 0;
222 
223 	wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE",
224 			pasn->sae.pmk, pasn->sae.pmk_len);
225 	if (!pasn->sae.akmp)
226 		pasn->sae.akmp = WPA_KEY_MGMT_SAE;
227 
228 	pmksa_cache_auth_add(pasn->pmksa, pasn->sae.pmk, pasn->sae.pmk_len,
229 			     pasn->sae.pmkid, NULL, 0, pasn->own_addr,
230 			     peer_addr, 0, NULL, pasn->sae.akmp);
231 	return 0;
232 }
233 
234 
pasn_get_sae_wd(struct pasn_data * pasn)235 static struct wpabuf * pasn_get_sae_wd(struct pasn_data *pasn)
236 {
237 	struct wpabuf *buf = NULL;
238 	u8 *len_ptr;
239 	size_t len;
240 
241 	/* Need to add the entire Authentication frame body */
242 	buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN);
243 	if (!buf) {
244 		wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
245 		return NULL;
246 	}
247 
248 	/* Need to add the entire authentication frame body for the commit */
249 	len_ptr = wpabuf_put(buf, 2);
250 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
251 	wpabuf_put_le16(buf, 1);
252 	wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
253 
254 	/* Write the actual commit and update the length accordingly */
255 	sae_write_commit(&pasn->sae, buf, NULL, NULL);
256 	len = wpabuf_len(buf);
257 	WPA_PUT_LE16(len_ptr, len - 2);
258 
259 	/* Need to add the entire Authentication frame body for the confirm */
260 	len_ptr = wpabuf_put(buf, 2);
261 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
262 	wpabuf_put_le16(buf, 2);
263 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
264 
265 	sae_write_confirm(&pasn->sae, buf);
266 	WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2);
267 
268 	pasn->sae.state = SAE_CONFIRMED;
269 
270 	return buf;
271 }
272 
273 #endif /* CONFIG_SAE */
274 
275 
276 #ifdef CONFIG_FILS
277 
pasn_get_fils_wd(struct pasn_data * pasn)278 static struct wpabuf * pasn_get_fils_wd(struct pasn_data *pasn)
279 {
280 	struct pasn_fils *fils = &pasn->fils;
281 	struct wpabuf *buf = NULL;
282 
283 	if (!fils->erp_resp) {
284 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp");
285 		return NULL;
286 	}
287 
288 	buf = wpabuf_alloc(1500);
289 	if (!buf)
290 		return NULL;
291 
292 	/* Add the authentication algorithm */
293 	wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
294 
295 	/* Authentication Transaction seq# */
296 	wpabuf_put_le16(buf, 2);
297 
298 	/* Status Code */
299 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
300 
301 	/* Own RSNE */
302 	wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
303 
304 	/* FILS Nonce */
305 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
306 	wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
307 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
308 	wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN);
309 
310 	/* FILS Session */
311 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
312 	wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
313 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
314 	wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN);
315 
316 	/* Wrapped Data */
317 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
318 	wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp));
319 	wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
320 	wpabuf_put_buf(buf, fils->erp_resp);
321 
322 	return buf;
323 }
324 
325 #endif /* CONFIG_FILS */
326 
pasn_get_wrapped_data(struct pasn_data * pasn)327 static struct wpabuf * pasn_get_wrapped_data(struct pasn_data *pasn)
328 {
329 	switch (pasn->akmp) {
330 	case WPA_KEY_MGMT_PASN:
331 		/* no wrapped data */
332 		return NULL;
333 	case WPA_KEY_MGMT_SAE:
334 #ifdef CONFIG_SAE
335 		return pasn_get_sae_wd(pasn);
336 #else /* CONFIG_SAE */
337 		wpa_printf(MSG_ERROR,
338 			   "PASN: SAE: Cannot derive wrapped data");
339 		return NULL;
340 #endif /* CONFIG_SAE */
341 	case WPA_KEY_MGMT_FILS_SHA256:
342 	case WPA_KEY_MGMT_FILS_SHA384:
343 #ifdef CONFIG_FILS
344 		return pasn_get_fils_wd(pasn);
345 #endif /* CONFIG_FILS */
346 		/* fall through */
347 	case WPA_KEY_MGMT_FT_PSK:
348 	case WPA_KEY_MGMT_FT_IEEE8021X:
349 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
350 	default:
351 		wpa_printf(MSG_ERROR,
352 			   "PASN: TODO: Wrapped data for akmp=0x%x",
353 			   pasn->akmp);
354 		return NULL;
355 	}
356 }
357 
358 
359 static int
pasn_derive_keys(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * cached_pmk,size_t cached_pmk_len,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data,struct wpabuf * secret)360 pasn_derive_keys(struct pasn_data *pasn,
361 		 const u8 *own_addr, const u8 *peer_addr,
362 		 const u8 *cached_pmk, size_t cached_pmk_len,
363 		 struct wpa_pasn_params_data *pasn_data,
364 		 struct wpabuf *wrapped_data,
365 		 struct wpabuf *secret)
366 {
367 	static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
368 	u8 pmk[PMK_LEN_MAX];
369 	u8 pmk_len;
370 	int ret;
371 
372 	os_memset(pmk, 0, sizeof(pmk));
373 	pmk_len = 0;
374 
375 	if (!cached_pmk || !cached_pmk_len)
376 		wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
377 
378 	if (pasn->akmp == WPA_KEY_MGMT_PASN) {
379 		wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
380 
381 		pmk_len = WPA_PASN_PMK_LEN;
382 		os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
383 	} else if (cached_pmk && cached_pmk_len) {
384 		wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
385 
386 		pmk_len = cached_pmk_len;
387 		os_memcpy(pmk, cached_pmk, cached_pmk_len);
388 	} else {
389 		switch (pasn->akmp) {
390 #ifdef CONFIG_SAE
391 		case WPA_KEY_MGMT_SAE:
392 			if (pasn->sae.state == SAE_COMMITTED) {
393 				pmk_len = PMK_LEN;
394 				os_memcpy(pmk, pasn->sae.pmk, PMK_LEN);
395 				break;
396 			}
397 #endif /* CONFIG_SAE */
398 			/* fall through */
399 		default:
400 			/* TODO: Derive PMK based on wrapped data */
401 			wpa_printf(MSG_DEBUG,
402 				   "PASN: Missing PMK derivation");
403 			return -1;
404 		}
405 	}
406 
407 	pasn->pmk_len = pmk_len;
408 	os_memcpy(pasn->pmk, pmk, pmk_len);
409 	ret = pasn_pmk_to_ptk(pmk, pmk_len, peer_addr, own_addr,
410 			      wpabuf_head(secret), wpabuf_len(secret),
411 			      &pasn->ptk, pasn->akmp,
412 			      pasn->cipher, pasn->kdk_len, pasn->kek_len);
413 	if (ret) {
414 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
415 		return -1;
416 	}
417 
418 	if (pasn->secure_ltf) {
419 		ret = wpa_ltf_keyseed(&pasn->ptk, pasn->akmp,
420 				      pasn->cipher);
421 		if (ret) {
422 			wpa_printf(MSG_DEBUG,
423 				   "PASN: Failed to derive LTF keyseed");
424 			return -1;
425 		}
426 	}
427 
428 	wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
429 	return 0;
430 }
431 
432 
handle_auth_pasn_comeback(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,u16 group)433 static void handle_auth_pasn_comeback(struct pasn_data *pasn,
434 				      const u8 *own_addr, const u8 *peer_addr,
435 				      u16 group)
436 {
437 	struct wpabuf *buf, *comeback;
438 	int ret;
439 
440 	wpa_printf(MSG_DEBUG,
441 		   "PASN: Building comeback frame 2. Comeback after=%u",
442 		   pasn->comeback_after);
443 
444 	buf = wpabuf_alloc(1500);
445 	if (!buf)
446 		return;
447 
448 	wpa_pasn_build_auth_header(buf, pasn->bssid, own_addr, peer_addr, 2,
449 				   WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY);
450 
451 	/*
452 	 * Do not include the group as a part of the token since it is not going
453 	 * to be used.
454 	 */
455 	comeback = auth_build_token_req(&pasn->last_comeback_key_update,
456 					pasn->comeback_key, pasn->comeback_idx,
457 					pasn->comeback_pending_idx,
458 					sizeof(u16) * COMEBACK_PENDING_IDX_SIZE,
459 					0, peer_addr, 0);
460 	if (!comeback) {
461 		wpa_printf(MSG_DEBUG,
462 			   "PASN: Failed sending auth with comeback");
463 		wpabuf_free(buf);
464 		return;
465 	}
466 
467 	wpa_pasn_add_parameter_ie(buf, group,
468 				  WPA_PASN_WRAPPED_DATA_NO,
469 				  NULL, 0, comeback,
470 				  pasn->comeback_after);
471 	wpabuf_free(comeback);
472 
473 	wpa_printf(MSG_DEBUG,
474 		   "PASN: comeback: STA=" MACSTR, MAC2STR(peer_addr));
475 
476 	ret = pasn->send_mgmt(pasn->cb_ctx, wpabuf_head_u8(buf),
477 			      wpabuf_len(buf), 0, pasn->freq, 0);
478 	if (ret)
479 		wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2");
480 
481 	wpabuf_free(buf);
482 }
483 
484 
handle_auth_pasn_resp(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,struct rsn_pmksa_cache_entry * pmksa,u16 status)485 int handle_auth_pasn_resp(struct pasn_data *pasn, const u8 *own_addr,
486 			  const u8 *peer_addr,
487 			  struct rsn_pmksa_cache_entry *pmksa, u16 status)
488 {
489 	struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
490 	struct wpabuf *rsn_buf = NULL;
491 	u8 mic[WPA_PASN_MAX_MIC_LEN];
492 	u8 mic_len;
493 	u8 *ptr;
494 	const u8 *frame, *data, *rsn_ie, *rsnxe_ie;
495 	u8 *data_buf = NULL;
496 	size_t frame_len, data_len;
497 	int ret;
498 	const u8 *pmkid = NULL;
499 
500 	wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status);
501 
502 	buf = wpabuf_alloc(1500);
503 	if (!buf)
504 		goto fail;
505 
506 	wpa_pasn_build_auth_header(buf, pasn->bssid, own_addr, peer_addr, 2,
507 				   status);
508 
509 	if (status != WLAN_STATUS_SUCCESS)
510 		goto done;
511 
512 	if (pmksa && pasn->custom_pmkid_valid)
513 		pmkid = pasn->custom_pmkid;
514 	else if (pmksa) {
515 		pmkid = pmksa->pmkid;
516 #ifdef CONFIG_SAE
517 	} else if (pasn->akmp == WPA_KEY_MGMT_SAE) {
518 		wpa_printf(MSG_DEBUG, "PASN: Use SAE PMKID");
519 		pmkid = pasn->sae.pmkid;
520 #endif /* CONFIG_SAE */
521 #ifdef CONFIG_FILS
522 	} else if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
523 		   pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
524 		wpa_printf(MSG_DEBUG, "PASN: Use FILS ERP PMKID");
525 		pmkid = pasn->fils.erp_pmkid;
526 #endif /* CONFIG_FILS */
527 	}
528 
529 	if (wpa_pasn_add_rsne(buf, pmkid,
530 			      pasn->akmp, pasn->cipher) < 0)
531 		goto fail;
532 
533 	/* No need to derive PMK if PMKSA is given */
534 	if (!pmksa)
535 		wrapped_data_buf = pasn_get_wrapped_data(pasn);
536 	else
537 		pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO;
538 
539 	/* Get public key */
540 	pubkey = crypto_ecdh_get_pubkey(pasn->ecdh, 0);
541 	pubkey = wpabuf_zeropad(pubkey,
542 				crypto_ecdh_prime_len(pasn->ecdh));
543 	if (!pubkey) {
544 		wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
545 		goto fail;
546 	}
547 
548 	wpa_pasn_add_parameter_ie(buf, pasn->group,
549 				  pasn->wrapped_data_format,
550 				  pubkey, true, NULL, 0);
551 
552 	if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
553 		goto fail;
554 
555 	wpabuf_free(wrapped_data_buf);
556 	wrapped_data_buf = NULL;
557 	wpabuf_free(pubkey);
558 	pubkey = NULL;
559 
560 	/* Add RSNXE if needed */
561 	rsnxe_ie = pasn->rsnxe_ie;
562 	if (rsnxe_ie)
563 		wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]);
564 
565 	if (pasn->prepare_data_element && pasn->cb_ctx)
566 		pasn->prepare_data_element(pasn->cb_ctx, peer_addr);
567 
568 	wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len);
569 
570 	/* Add the mic */
571 	mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
572 	wpabuf_put_u8(buf, WLAN_EID_MIC);
573 	wpabuf_put_u8(buf, mic_len);
574 	ptr = wpabuf_put(buf, mic_len);
575 
576 	os_memset(ptr, 0, mic_len);
577 
578 	frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
579 	frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
580 
581 	if (pasn->rsn_ie && pasn->rsn_ie_len) {
582 		rsn_ie = pasn->rsn_ie;
583 	} else {
584 		/*
585 		 * Note: when pasn->rsn_ie is NULL, it is likely that Beacon
586 		 * frame RSNE is not initialized. This is possible in case of
587 		 * PASN authentication used for Wi-Fi Aware for which Beacon
588 		 * frame RSNE and RSNXE are same as RSNE and RSNXE in the
589 		 * Authentication frame.
590 		 */
591 		rsn_buf = wpabuf_alloc(500);
592 		if (!rsn_buf)
593 			goto fail;
594 
595 		if (wpa_pasn_add_rsne(rsn_buf, pmkid,
596 				      pasn->akmp, pasn->cipher) < 0)
597 			goto fail;
598 
599 		rsn_ie = wpabuf_head_u8(rsn_buf);
600 	}
601 
602 	/*
603 	 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also
604 	 * MDE, etc. Thus, do not use the returned length but instead use the
605 	 * length specified in the IE header.
606 	 */
607 	data_len = rsn_ie[1] + 2;
608 	if (rsnxe_ie) {
609 		data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2);
610 		if (!data_buf)
611 			goto fail;
612 
613 		os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2);
614 		os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2);
615 		data_len += rsnxe_ie[1] + 2;
616 		data = data_buf;
617 	} else {
618 		data = rsn_ie;
619 	}
620 
621 	ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
622 		       own_addr, peer_addr, data, data_len,
623 		       frame, frame_len, mic);
624 	os_free(data_buf);
625 	if (ret) {
626 		wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation");
627 		goto fail;
628 	}
629 
630 #ifdef CONFIG_TESTING_OPTIONS
631 	if (pasn->corrupt_mic) {
632 		wpa_printf(MSG_DEBUG, "PASN: frame 2: Corrupt MIC");
633 		mic[0] = ~mic[0];
634 	}
635 #endif /* CONFIG_TESTING_OPTIONS */
636 
637 	os_memcpy(ptr, mic, mic_len);
638 
639 done:
640 	wpa_printf(MSG_DEBUG,
641 		   "PASN: Building frame 2: success; resp STA=" MACSTR,
642 		   MAC2STR(peer_addr));
643 	wpabuf_free(pasn->frame);
644 	pasn->frame = NULL;
645 
646 	ret = pasn->send_mgmt(pasn->cb_ctx, wpabuf_head_u8(buf),
647 			      wpabuf_len(buf), 0, pasn->freq, 0);
648 	if (ret)
649 		wpa_printf(MSG_INFO, "send_auth_reply: Send failed");
650 
651 	wpabuf_free(rsn_buf);
652 	pasn->frame = buf;
653 	return ret;
654 fail:
655 	wpabuf_free(wrapped_data_buf);
656 	wpabuf_free(pubkey);
657 	wpabuf_free(rsn_buf);
658 	wpabuf_free(buf);
659 	return -1;
660 }
661 
662 
handle_auth_pasn_1(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const struct ieee80211_mgmt * mgmt,size_t len,bool reject)663 int handle_auth_pasn_1(struct pasn_data *pasn,
664 		       const u8 *own_addr, const u8 *peer_addr,
665 		       const struct ieee80211_mgmt *mgmt, size_t len,
666 		       bool reject)
667 {
668 	struct ieee802_11_elems elems;
669 	struct wpa_ie_data rsn_data;
670 	struct wpa_pasn_params_data pasn_params;
671 	struct rsn_pmksa_cache_entry *pmksa = NULL;
672 	const u8 *cached_pmk = NULL;
673 	size_t cached_pmk_len = 0;
674 	struct wpabuf *wrapped_data = NULL, *secret = NULL;
675 	const int *groups = pasn->pasn_groups;
676 	static const int default_groups[] = { 19, 0 };
677 	u16 status = WLAN_STATUS_SUCCESS;
678 	int ret, inc_y;
679 	bool derive_keys;
680 	u32 i;
681 
682 	if (!groups)
683 		groups = default_groups;
684 
685 	if (reject) {
686 		wpa_printf(MSG_DEBUG, "PASN: Received Rejection");
687 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
688 		goto send_resp;
689 	}
690 
691 	if (ieee802_11_parse_elems(mgmt->u.auth.variable,
692 				   len - offsetof(struct ieee80211_mgmt,
693 						  u.auth.variable),
694 				   &elems, 0) == ParseFailed) {
695 		wpa_printf(MSG_DEBUG,
696 			   "PASN: Failed parsing Authentication frame");
697 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
698 		goto send_resp;
699 	}
700 
701 	if (!elems.rsn_ie) {
702 		wpa_printf(MSG_DEBUG, "PASN: No RSNE");
703 		status = WLAN_STATUS_INVALID_RSNIE;
704 		goto send_resp;
705 	}
706 
707 	ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
708 				   &rsn_data);
709 	if (ret) {
710 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE");
711 		status = WLAN_STATUS_INVALID_RSNIE;
712 		goto send_resp;
713 	}
714 
715 	ret = wpa_pasn_validate_rsne(&rsn_data);
716 	if (ret) {
717 		wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
718 		status = WLAN_STATUS_INVALID_RSNIE;
719 		goto send_resp;
720 	}
721 
722 	if (!(rsn_data.key_mgmt & pasn->wpa_key_mgmt) ||
723 	    !(rsn_data.pairwise_cipher & pasn->rsn_pairwise)) {
724 		wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
725 		status = WLAN_STATUS_INVALID_RSNIE;
726 		goto send_resp;
727 	}
728 
729 	pasn->akmp = rsn_data.key_mgmt;
730 	pasn->cipher = rsn_data.pairwise_cipher;
731 
732 	if (pasn->derive_kdk &&
733 	    ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
734 				      WLAN_RSNX_CAPAB_SECURE_LTF))
735 		pasn->secure_ltf = true;
736 
737 	if (pasn->derive_kdk)
738 		pasn->kdk_len = WPA_KDK_MAX_LEN;
739 	else
740 		pasn->kdk_len = 0;
741 
742 	wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", pasn->kdk_len);
743 
744 	if (!ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
745 				       WLAN_RSNX_CAPAB_KEK_IN_PASN)) {
746 		pasn->kek_len = 0;
747 		pasn->derive_kek = false;
748 	}
749 
750 	wpa_printf(MSG_DEBUG, "PASN: kek_len=%zu", pasn->kek_len);
751 
752 	if (!elems.pasn_params || !elems.pasn_params_len) {
753 		wpa_printf(MSG_DEBUG,
754 			   "PASN: No PASN Parameters element found");
755 		status = WLAN_STATUS_INVALID_PARAMETERS;
756 		goto send_resp;
757 	}
758 
759 	ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
760 					  elems.pasn_params_len + 3,
761 					  false, &pasn_params);
762 	if (ret) {
763 		wpa_printf(MSG_DEBUG,
764 			   "PASN: Failed validation of PASN Parameters IE");
765 		status = WLAN_STATUS_INVALID_PARAMETERS;
766 		goto send_resp;
767 	}
768 
769 	for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++)
770 		;
771 
772 	if (!pasn_params.group || groups[i] != pasn_params.group) {
773 		wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed",
774 			   pasn_params.group);
775 		status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
776 		goto send_resp;
777 	}
778 
779 	if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
780 		wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
781 		status = WLAN_STATUS_INVALID_PARAMETERS;
782 		goto send_resp;
783 	}
784 
785 	if (pasn_params.comeback) {
786 		wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token");
787 
788 		ret = check_comeback_token(pasn->comeback_key,
789 					   pasn->comeback_pending_idx,
790 					   peer_addr,
791 					   pasn_params.comeback,
792 					   pasn_params.comeback_len);
793 
794 		if (ret) {
795 			wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token");
796 			status = WLAN_STATUS_INVALID_PARAMETERS;
797 			goto send_resp;
798 		}
799 	} else if (pasn->use_anti_clogging) {
800 		wpa_printf(MSG_DEBUG, "PASN: Respond with comeback");
801 		handle_auth_pasn_comeback(pasn, own_addr, peer_addr,
802 					  pasn_params.group);
803 		return -1;
804 	}
805 
806 	pasn->ecdh = crypto_ecdh_init(pasn_params.group);
807 	if (!pasn->ecdh) {
808 		wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
809 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
810 		goto send_resp;
811 	}
812 
813 	pasn->group = pasn_params.group;
814 
815 	if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
816 		inc_y = 1;
817 	} else if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
818 		   pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
819 		inc_y = 0;
820 	} else {
821 		wpa_printf(MSG_DEBUG,
822 			   "PASN: Invalid first octet in pubkey=0x%x",
823 			   pasn_params.pubkey[0]);
824 		status = WLAN_STATUS_INVALID_PUBLIC_KEY;
825 		goto send_resp;
826 	}
827 
828 	secret = crypto_ecdh_set_peerkey(pasn->ecdh, inc_y,
829 					 pasn_params.pubkey + 1,
830 					 pasn_params.pubkey_len - 1);
831 	if (!secret) {
832 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
833 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
834 		goto send_resp;
835 	}
836 
837 	if (!pasn->noauth && pasn->akmp == WPA_KEY_MGMT_PASN) {
838 		wpa_printf(MSG_DEBUG, "PASN: Refuse PASN-UNAUTH");
839 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
840 		goto send_resp;
841 	}
842 
843 	derive_keys = true;
844 	if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
845 		wrapped_data = ieee802_11_defrag(elems.wrapped_data,
846 						 elems.wrapped_data_len, true);
847 		if (!wrapped_data) {
848 			wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
849 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
850 			goto send_resp;
851 		}
852 
853 #ifdef CONFIG_SAE
854 		if (pasn->akmp == WPA_KEY_MGMT_SAE) {
855 			ret = pasn_wd_handle_sae_commit(pasn, own_addr,
856 							peer_addr,
857 							wrapped_data);
858 			if (ret) {
859 				wpa_printf(MSG_DEBUG,
860 					   "PASN: Failed processing SAE commit");
861 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
862 				goto send_resp;
863 			}
864 		}
865 #endif /* CONFIG_SAE */
866 #ifdef CONFIG_FILS
867 		if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
868 		    pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
869 			if (!pasn->fils_wd_valid) {
870 				wpa_printf(MSG_DEBUG,
871 					   "PASN: Invalid FILS wrapped data");
872 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
873 				goto send_resp;
874 			}
875 
876 			wpa_printf(MSG_DEBUG,
877 				   "PASN: FILS: Pending AS response");
878 
879 			/*
880 			 * With PASN/FILS, keys can be derived only after a
881 			 * response from the AS is processed.
882 			 */
883 			derive_keys = false;
884 		}
885 #endif /* CONFIG_FILS */
886 	}
887 
888 	pasn->wrapped_data_format = pasn_params.wrapped_data_format;
889 
890 	ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
891 				   ((const u8 *) mgmt) + IEEE80211_HDRLEN,
892 				   len - IEEE80211_HDRLEN, pasn->hash);
893 	if (ret) {
894 		wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
895 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
896 		goto send_resp;
897 	}
898 
899 	if (!derive_keys) {
900 		wpa_printf(MSG_DEBUG, "PASN: Storing secret");
901 		pasn->secret = secret;
902 		wpabuf_free(wrapped_data);
903 		return 0;
904 	}
905 
906 	if (rsn_data.num_pmkid) {
907 		if (wpa_key_mgmt_ft(pasn->akmp)) {
908 #ifdef CONFIG_IEEE80211R_AP
909 			wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1");
910 
911 			if (!pasn->pmk_r1_len) {
912 				wpa_printf(MSG_DEBUG,
913 					   "PASN: FT: Failed getting PMK-R1");
914 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
915 				goto send_resp;
916 			}
917 			cached_pmk = pasn->pmk_r1;
918 			cached_pmk_len = pasn->pmk_r1_len;
919 #else /* CONFIG_IEEE80211R_AP */
920 			wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
921 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
922 			goto send_resp;
923 #endif /* CONFIG_IEEE80211R_AP */
924 		} else {
925 			wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry");
926 
927 			if (pasn->pmksa) {
928 				const u8 *pmkid = NULL;
929 
930 				if (pasn->custom_pmkid_valid) {
931 					ret = pasn->validate_custom_pmkid(
932 						pasn->cb_ctx, peer_addr,
933 						rsn_data.pmkid);
934 					if (ret) {
935 						wpa_printf(MSG_DEBUG,
936 							   "PASN: Failed custom PMKID validation");
937 						status = WLAN_STATUS_UNSPECIFIED_FAILURE;
938 						goto send_resp;
939 					}
940 				} else {
941 					pmkid = rsn_data.pmkid;
942 				}
943 
944 				pmksa = pmksa_cache_auth_get(pasn->pmksa,
945 							     peer_addr,
946 							     pmkid);
947 				if (pmksa) {
948 					cached_pmk = pmksa->pmk;
949 					cached_pmk_len = pmksa->pmk_len;
950 				}
951 			}
952 		}
953 	} else {
954 		wpa_printf(MSG_DEBUG, "PASN: No PMKID specified");
955 	}
956 
957 	ret = pasn_derive_keys(pasn, own_addr, peer_addr,
958 			       cached_pmk, cached_pmk_len,
959 			       &pasn_params, wrapped_data, secret);
960 	if (ret) {
961 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys");
962 		status = WLAN_STATUS_PASN_BASE_AKMP_FAILED;
963 		goto send_resp;
964 	}
965 
966 	ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
967 				   ((const u8 *) mgmt) + IEEE80211_HDRLEN,
968 				   len - IEEE80211_HDRLEN, pasn->hash);
969 	if (ret) {
970 		wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
971 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
972 	}
973 
974 send_resp:
975 	ret = handle_auth_pasn_resp(pasn, own_addr, peer_addr, pmksa, status);
976 	if (ret) {
977 		wpa_printf(MSG_DEBUG, "PASN: Failed to send response");
978 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
979 	} else {
980 		wpa_printf(MSG_DEBUG,
981 			   "PASN: Success handling transaction == 1");
982 	}
983 
984 	wpabuf_free(secret);
985 	wpabuf_free(wrapped_data);
986 
987 	if (status != WLAN_STATUS_SUCCESS)
988 		return -1;
989 
990 	return 0;
991 }
992 
993 
handle_auth_pasn_3(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const struct ieee80211_mgmt * mgmt,size_t len)994 int handle_auth_pasn_3(struct pasn_data *pasn, const u8 *own_addr,
995 		       const u8 *peer_addr,
996 		       const struct ieee80211_mgmt *mgmt, size_t len)
997 {
998 	struct ieee802_11_elems elems;
999 	struct wpa_pasn_params_data pasn_params;
1000 	struct wpabuf *wrapped_data = NULL;
1001 	u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
1002 	u8 mic_len;
1003 	int ret;
1004 	u8 *copy = NULL;
1005 	size_t copy_len, mic_offset;
1006 
1007 	if (ieee802_11_parse_elems(mgmt->u.auth.variable,
1008 				   len - offsetof(struct ieee80211_mgmt,
1009 						  u.auth.variable),
1010 				   &elems, 0) == ParseFailed) {
1011 		wpa_printf(MSG_DEBUG,
1012 			   "PASN: Failed parsing Authentication frame");
1013 		goto fail;
1014 	}
1015 
1016 	/* Check that the MIC IE exists. Save it and zero out the memory. */
1017 	mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
1018 	if (!elems.mic || elems.mic_len != mic_len) {
1019 		wpa_printf(MSG_DEBUG,
1020 			   "PASN: Invalid MIC. Expecting len=%u", mic_len);
1021 		goto fail;
1022 	}
1023 	os_memcpy(mic, elems.mic, mic_len);
1024 
1025 	if (!elems.pasn_params || !elems.pasn_params_len) {
1026 		wpa_printf(MSG_DEBUG,
1027 			   "PASN: No PASN Parameters element found");
1028 		goto fail;
1029 	}
1030 
1031 	ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
1032 					  elems.pasn_params_len + 3,
1033 					  false, &pasn_params);
1034 	if (ret) {
1035 		wpa_printf(MSG_DEBUG,
1036 			   "PASN: Failed validation of PASN Parameters IE");
1037 		goto fail;
1038 	}
1039 
1040 	if (pasn_params.pubkey || pasn_params.pubkey_len) {
1041 		wpa_printf(MSG_DEBUG,
1042 			   "PASN: Public key should not be included");
1043 		goto fail;
1044 	}
1045 
1046 	/* Verify the MIC */
1047 	copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
1048 	mic_offset = elems.mic - (const u8 *) &mgmt->u.auth;
1049 	copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
1050 	if (mic_offset + mic_len > copy_len)
1051 		goto fail;
1052 	copy = os_memdup(&mgmt->u.auth, copy_len);
1053 	if (!copy)
1054 		goto fail;
1055 	os_memset(copy + mic_offset, 0, mic_len);
1056 	ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1057 		       peer_addr, own_addr,
1058 		       pasn->hash, mic_len * 2,
1059 		       copy, copy_len, out_mic);
1060 	os_free(copy);
1061 	copy = NULL;
1062 
1063 	wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
1064 	if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
1065 		wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
1066 		goto fail;
1067 	}
1068 
1069 	if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
1070 		wrapped_data = ieee802_11_defrag(elems.wrapped_data,
1071 						 elems.wrapped_data_len,
1072 						 true);
1073 
1074 		if (!wrapped_data) {
1075 			wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
1076 			goto fail;
1077 		}
1078 
1079 #ifdef CONFIG_SAE
1080 		if (pasn->akmp == WPA_KEY_MGMT_SAE) {
1081 			ret = pasn_wd_handle_sae_confirm(pasn, peer_addr,
1082 							 wrapped_data);
1083 			if (ret) {
1084 				wpa_printf(MSG_DEBUG,
1085 					   "PASN: Failed processing SAE confirm");
1086 				wpabuf_free(wrapped_data);
1087 				goto fail;
1088 			}
1089 		}
1090 #endif /* CONFIG_SAE */
1091 #ifdef CONFIG_FILS
1092 		if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
1093 		    pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
1094 			if (wrapped_data) {
1095 				wpa_printf(MSG_DEBUG,
1096 					   "PASN: FILS: Ignore wrapped data");
1097 			}
1098 		}
1099 #endif /* CONFIG_FILS */
1100 		wpabuf_free(wrapped_data);
1101 	}
1102 
1103 	if (pasn_parse_encrypted_data(pasn, (const u8 *) mgmt, len) < 0) {
1104 		wpa_printf(MSG_DEBUG, "PASN: Encrypted data processing failed");
1105 		goto fail;
1106 	}
1107 
1108 	wpa_printf(MSG_INFO,
1109 		   "PASN: Success handling transaction == 3. Store PTK");
1110 	return 0;
1111 
1112 fail:
1113 	os_free(copy);
1114 	return -1;
1115 }
1116 
1117 #endif /* CONFIG_PASN */
1118