1 /*
2 * PASN initiator processing
3 *
4 * Copyright (C) 2019, Intel Corporation
5 * Copyright (C) 2022, Qualcomm Innovation Center, Inc.
6 *
7 * This software may be distributed under the terms of the BSD license.
8 * See README for more details.
9 */
10
11 #include "utils/includes.h"
12
13 #include "utils/common.h"
14 #include "common/wpa_common.h"
15 #include "common/sae.h"
16 #include "common/ieee802_11_common.h"
17 #include "common/ieee802_11_defs.h"
18 #include "common/dragonfly.h"
19 #include "crypto/sha384.h"
20 #include "crypto/crypto.h"
21 #include "crypto/random.h"
22 #include "eap_common/eap_defs.h"
23 #include "eapol_supp/eapol_supp_sm.h"
24 #include "rsn_supp/wpa.h"
25 #include "rsn_supp/pmksa_cache.h"
26 #include "pasn_common.h"
27
28
pasn_initiator_pmksa_cache_init(void)29 struct rsn_pmksa_cache * pasn_initiator_pmksa_cache_init(void)
30 {
31 return pmksa_cache_init(NULL, NULL, NULL, NULL, NULL);
32 }
33
34
pasn_initiator_pmksa_cache_deinit(struct rsn_pmksa_cache * pmksa)35 void pasn_initiator_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa)
36 {
37 return pmksa_cache_deinit(pmksa);
38 }
39
40
pasn_initiator_pmksa_cache_add(struct rsn_pmksa_cache * pmksa,const u8 * own_addr,const u8 * bssid,u8 * pmk,size_t pmk_len,u8 * pmkid)41 int pasn_initiator_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
42 const u8 *own_addr, const u8 *bssid, u8 *pmk,
43 size_t pmk_len, u8 *pmkid)
44 {
45 if (pmksa_cache_add(pmksa, pmk, pmk_len, pmkid, NULL, 0, bssid,
46 own_addr, NULL, WPA_KEY_MGMT_SAE, 0))
47 return 0;
48 return -1;
49 }
50
51
pasn_initiator_pmksa_cache_remove(struct rsn_pmksa_cache * pmksa,const u8 * bssid)52 void pasn_initiator_pmksa_cache_remove(struct rsn_pmksa_cache *pmksa,
53 const u8 *bssid)
54 {
55 struct rsn_pmksa_cache_entry *entry;
56
57 entry = pmksa_cache_get(pmksa, bssid, NULL, NULL, NULL, 0);
58 if (!entry)
59 return;
60
61 pmksa_cache_remove(pmksa, entry);
62 }
63
64
pasn_initiator_pmksa_cache_get(struct rsn_pmksa_cache * pmksa,const u8 * bssid,u8 * pmkid,u8 * pmk,size_t * pmk_len)65 int pasn_initiator_pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
66 const u8 *bssid, u8 *pmkid, u8 *pmk,
67 size_t *pmk_len)
68 {
69 struct rsn_pmksa_cache_entry *entry;
70
71 entry = pmksa_cache_get(pmksa, bssid, NULL, NULL, NULL, 0);
72 if (entry) {
73 os_memcpy(pmkid, entry->pmkid, PMKID_LEN);
74 os_memcpy(pmk, entry->pmk, entry->pmk_len);
75 *pmk_len = entry->pmk_len;
76 return 0;
77 }
78 return -1;
79 }
80
81
pasn_initiator_pmksa_cache_flush(struct rsn_pmksa_cache * pmksa)82 void pasn_initiator_pmksa_cache_flush(struct rsn_pmksa_cache *pmksa)
83 {
84 return pmksa_cache_flush(pmksa, NULL, NULL, 0, false);
85 }
86
87
pasn_set_initiator_pmksa(struct pasn_data * pasn,struct rsn_pmksa_cache * pmksa)88 void pasn_set_initiator_pmksa(struct pasn_data *pasn,
89 struct rsn_pmksa_cache *pmksa)
90 {
91 if (pasn)
92 pasn->pmksa = pmksa;
93 }
94
95
96 #ifdef CONFIG_SAE
97
wpas_pasn_wd_sae_commit(struct pasn_data * pasn)98 static struct wpabuf * wpas_pasn_wd_sae_commit(struct pasn_data *pasn)
99 {
100 struct wpabuf *buf = NULL;
101 int ret;
102
103 ret = sae_set_group(&pasn->sae, pasn->group);
104 if (ret) {
105 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
106 return NULL;
107 }
108
109 ret = sae_prepare_commit_pt(&pasn->sae, pasn->pt,
110 pasn->own_addr, pasn->peer_addr,
111 NULL, NULL);
112 if (ret) {
113 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
114 return NULL;
115 }
116
117 /* Need to add the entire Authentication frame body */
118 buf = wpabuf_alloc(6 + SAE_COMMIT_MAX_LEN);
119 if (!buf) {
120 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
121 return NULL;
122 }
123
124 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
125 wpabuf_put_le16(buf, 1);
126 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
127
128 sae_write_commit(&pasn->sae, buf, NULL, 0);
129 pasn->sae.state = SAE_COMMITTED;
130
131 return buf;
132 }
133
134
wpas_pasn_wd_sae_rx(struct pasn_data * pasn,struct wpabuf * wd)135 static int wpas_pasn_wd_sae_rx(struct pasn_data *pasn, struct wpabuf *wd)
136 {
137 const u8 *data;
138 size_t buf_len;
139 u16 len, res, alg, seq, status;
140 int groups[] = { pasn->group, 0 };
141 int ret;
142
143 if (!wd)
144 return -1;
145
146 data = wpabuf_head_u8(wd);
147 buf_len = wpabuf_len(wd);
148
149 /* first handle the commit message */
150 if (buf_len < 2) {
151 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (commit)");
152 return -1;
153 }
154
155 len = WPA_GET_LE16(data);
156 if (len < 6 || buf_len - 2 < len) {
157 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for commit");
158 return -1;
159 }
160
161 buf_len -= 2;
162 data += 2;
163
164 alg = WPA_GET_LE16(data);
165 seq = WPA_GET_LE16(data + 2);
166 status = WPA_GET_LE16(data + 4);
167
168 wpa_printf(MSG_DEBUG, "PASN: SAE: commit: alg=%u, seq=%u, status=%u",
169 alg, seq, status);
170
171 if (alg != WLAN_AUTH_SAE || seq != 1 ||
172 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
173 wpa_printf(MSG_DEBUG, "PASN: SAE: dropping peer commit");
174 return -1;
175 }
176
177 res = sae_parse_commit(&pasn->sae, data + 6, len - 6, NULL, 0, groups,
178 1, NULL);
179 if (res != WLAN_STATUS_SUCCESS) {
180 wpa_printf(MSG_DEBUG, "PASN: SAE failed parsing commit");
181 return -1;
182 }
183
184 /* Process the commit message and derive the PMK */
185 ret = sae_process_commit(&pasn->sae);
186 if (ret) {
187 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
188 return -1;
189 }
190
191 buf_len -= len;
192 data += len;
193
194 /* Handle the confirm message */
195 if (buf_len < 2) {
196 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (confirm)");
197 return -1;
198 }
199
200 len = WPA_GET_LE16(data);
201 if (len < 6 || buf_len - 2 < len) {
202 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for confirm");
203 return -1;
204 }
205
206 buf_len -= 2;
207 data += 2;
208
209 alg = WPA_GET_LE16(data);
210 seq = WPA_GET_LE16(data + 2);
211 status = WPA_GET_LE16(data + 4);
212
213 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
214 alg, seq, status);
215
216 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
217 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
218 return -1;
219 }
220
221 res = sae_check_confirm(&pasn->sae, data + 6, len - 6, NULL);
222 if (res != WLAN_STATUS_SUCCESS) {
223 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
224 return -1;
225 }
226
227 wpa_printf(MSG_DEBUG, "PASN: SAE completed successfully");
228 pasn->sae.state = SAE_ACCEPTED;
229
230 return 0;
231 }
232
233
wpas_pasn_wd_sae_confirm(struct pasn_data * pasn)234 static struct wpabuf * wpas_pasn_wd_sae_confirm(struct pasn_data *pasn)
235 {
236 struct wpabuf *buf = NULL;
237
238 /* Need to add the entire authentication frame body */
239 buf = wpabuf_alloc(6 + SAE_CONFIRM_MAX_LEN);
240 if (!buf) {
241 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
242 return NULL;
243 }
244
245 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
246 wpabuf_put_le16(buf, 2);
247 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
248
249 sae_write_confirm(&pasn->sae, buf);
250 pasn->sae.state = SAE_CONFIRMED;
251
252 return buf;
253 }
254
255 #endif /* CONFIG_SAE */
256
257
258 #ifdef CONFIG_FILS
259
wpas_pasn_fils_build_auth(struct pasn_data * pasn)260 static struct wpabuf * wpas_pasn_fils_build_auth(struct pasn_data *pasn)
261 {
262 struct wpabuf *buf = NULL;
263 struct wpabuf *erp_msg;
264 int ret;
265
266 erp_msg = eapol_sm_build_erp_reauth_start(pasn->eapol);
267 if (!erp_msg) {
268 wpa_printf(MSG_DEBUG,
269 "PASN: FILS: ERP EAP-Initiate/Re-auth unavailable");
270 return NULL;
271 }
272
273 if (random_get_bytes(pasn->fils.nonce, FILS_NONCE_LEN) < 0 ||
274 random_get_bytes(pasn->fils.session, FILS_SESSION_LEN) < 0)
275 goto fail;
276
277 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", pasn->fils.nonce,
278 FILS_NONCE_LEN);
279
280 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", pasn->fils.session,
281 FILS_SESSION_LEN);
282
283 buf = wpabuf_alloc(1500);
284 if (!buf)
285 goto fail;
286
287 /* Add the authentication algorithm */
288 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
289
290 /* Authentication Transaction seq# */
291 wpabuf_put_le16(buf, 1);
292
293 /* Status Code */
294 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
295
296 /* Own RSNE */
297 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
298
299 /* FILS Nonce */
300 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
301 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
302 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
303 wpabuf_put_data(buf, pasn->fils.nonce, FILS_NONCE_LEN);
304
305 /* FILS Session */
306 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
307 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
308 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
309 wpabuf_put_data(buf, pasn->fils.session, FILS_SESSION_LEN);
310
311 /* Wrapped Data (ERP) */
312 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
313 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg));
314 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
315 wpabuf_put_buf(buf, erp_msg);
316
317 /*
318 * Calculate pending PMKID here so that we do not need to maintain a
319 * copy of the EAP-Initiate/Reauth message.
320 */
321 ret = fils_pmkid_erp(pasn->akmp, wpabuf_head(erp_msg),
322 wpabuf_len(erp_msg),
323 pasn->fils.erp_pmkid);
324 if (ret) {
325 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ERP PMKID");
326 goto fail;
327 }
328
329 wpabuf_free(erp_msg);
330 erp_msg = NULL;
331
332 wpa_hexdump_buf(MSG_DEBUG, "PASN: FILS: Authentication frame", buf);
333 return buf;
334 fail:
335 wpabuf_free(erp_msg);
336 wpabuf_free(buf);
337 return NULL;
338 }
339
340
wpas_pasn_wd_fils_auth(struct pasn_data * pasn)341 static struct wpabuf * wpas_pasn_wd_fils_auth(struct pasn_data *pasn)
342 {
343 wpa_printf(MSG_DEBUG, "PASN: FILS: wrapped data - completed=%u",
344 pasn->fils.completed);
345
346 /* Nothing to add as we are done */
347 if (pasn->fils.completed)
348 return NULL;
349
350 if (!pasn->fils_eapol) {
351 wpa_printf(MSG_DEBUG,
352 "PASN: FILS: Missing Indication IE or PFS");
353 return NULL;
354 }
355
356 return wpas_pasn_fils_build_auth(pasn);
357 }
358
359
wpas_pasn_wd_fils_rx(struct pasn_data * pasn,struct wpabuf * wd)360 static int wpas_pasn_wd_fils_rx(struct pasn_data *pasn, struct wpabuf *wd)
361 {
362 struct ieee802_11_elems elems;
363 struct wpa_ie_data rsne_data;
364 u8 rmsk[ERP_MAX_KEY_LEN];
365 size_t rmsk_len;
366 u8 anonce[FILS_NONCE_LEN];
367 const u8 *data;
368 size_t buf_len;
369 struct wpabuf *fils_wd = NULL;
370 u16 alg, seq, status;
371 int ret;
372
373 if (!wd)
374 return -1;
375
376 data = wpabuf_head(wd);
377 buf_len = wpabuf_len(wd);
378
379 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Authentication frame len=%zu",
380 data, buf_len);
381
382 /* first handle the header */
383 if (buf_len < 6) {
384 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short");
385 return -1;
386 }
387
388 alg = WPA_GET_LE16(data);
389 seq = WPA_GET_LE16(data + 2);
390 status = WPA_GET_LE16(data + 4);
391
392 wpa_printf(MSG_DEBUG, "PASN: FILS: commit: alg=%u, seq=%u, status=%u",
393 alg, seq, status);
394
395 if (alg != WLAN_AUTH_FILS_SK || seq != 2 ||
396 status != WLAN_STATUS_SUCCESS) {
397 wpa_printf(MSG_DEBUG,
398 "PASN: FILS: Dropping peer authentication");
399 return -1;
400 }
401
402 data += 6;
403 buf_len -= 6;
404
405 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
406 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
407 return -1;
408 }
409
410 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
411 !elems.wrapped_data) {
412 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
413 return -1;
414 }
415
416 ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
417 &rsne_data);
418 if (ret) {
419 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RSNE");
420 return -1;
421 }
422
423 ret = wpa_pasn_validate_rsne(&rsne_data);
424 if (ret) {
425 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
426 return -1;
427 }
428
429 if (rsne_data.num_pmkid) {
430 wpa_printf(MSG_DEBUG,
431 "PASN: FILS: Not expecting PMKID in RSNE");
432 return -1;
433 }
434
435 wpa_hexdump(MSG_DEBUG, "PASN: FILS: ANonce", elems.fils_nonce,
436 FILS_NONCE_LEN);
437 os_memcpy(anonce, elems.fils_nonce, FILS_NONCE_LEN);
438
439 wpa_hexdump(MSG_DEBUG, "PASN: FILS: FILS Session", elems.fils_session,
440 FILS_SESSION_LEN);
441
442 if (os_memcmp(pasn->fils.session, elems.fils_session,
443 FILS_SESSION_LEN)) {
444 wpa_printf(MSG_DEBUG, "PASN: FILS: Session mismatch");
445 return -1;
446 }
447
448 fils_wd = ieee802_11_defrag(elems.wrapped_data, elems.wrapped_data_len,
449 true);
450
451 if (!fils_wd) {
452 wpa_printf(MSG_DEBUG,
453 "PASN: FILS: Failed getting wrapped data");
454 return -1;
455 }
456
457 eapol_sm_process_erp_finish(pasn->eapol, wpabuf_head(fils_wd),
458 wpabuf_len(fils_wd));
459
460 wpabuf_free(fils_wd);
461 fils_wd = NULL;
462
463 if (eapol_sm_failed(pasn->eapol)) {
464 wpa_printf(MSG_DEBUG, "PASN: FILS: ERP finish failed");
465 return -1;
466 }
467
468 rmsk_len = ERP_MAX_KEY_LEN;
469 ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len);
470
471 if (ret == PMK_LEN) {
472 rmsk_len = PMK_LEN;
473 ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len);
474 }
475
476 if (ret) {
477 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed getting RMSK");
478 return -1;
479 }
480
481 ret = fils_rmsk_to_pmk(pasn->akmp, rmsk, rmsk_len,
482 pasn->fils.nonce, anonce, NULL, 0,
483 pasn->pmk, &pasn->pmk_len);
484
485 forced_memzero(rmsk, sizeof(rmsk));
486
487 if (ret) {
488 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PMK");
489 return -1;
490 }
491
492 wpa_hexdump(MSG_DEBUG, "PASN: FILS: PMKID", pasn->fils.erp_pmkid,
493 PMKID_LEN);
494
495 wpa_printf(MSG_DEBUG, "PASN: FILS: ERP processing succeeded");
496
497 pasn->pmksa_entry = pmksa_cache_add(pasn->pmksa, pasn->pmk,
498 pasn->pmk_len, pasn->fils.erp_pmkid,
499 NULL, 0, pasn->peer_addr,
500 pasn->own_addr, NULL,
501 pasn->akmp, 0);
502
503 pasn->fils.completed = true;
504 return 0;
505 }
506
507 #endif /* CONFIG_FILS */
508
509
wpas_pasn_get_wrapped_data(struct pasn_data * pasn)510 static struct wpabuf * wpas_pasn_get_wrapped_data(struct pasn_data *pasn)
511 {
512 if (pasn->using_pmksa)
513 return NULL;
514
515 switch (pasn->akmp) {
516 case WPA_KEY_MGMT_PASN:
517 /* no wrapped data */
518 return NULL;
519 case WPA_KEY_MGMT_SAE:
520 #ifdef CONFIG_SAE
521 if (pasn->trans_seq == 0)
522 return wpas_pasn_wd_sae_commit(pasn);
523 if (pasn->trans_seq == 2)
524 return wpas_pasn_wd_sae_confirm(pasn);
525 #endif /* CONFIG_SAE */
526 wpa_printf(MSG_ERROR,
527 "PASN: SAE: Cannot derive wrapped data");
528 return NULL;
529 case WPA_KEY_MGMT_FILS_SHA256:
530 case WPA_KEY_MGMT_FILS_SHA384:
531 #ifdef CONFIG_FILS
532 return wpas_pasn_wd_fils_auth(pasn);
533 #endif /* CONFIG_FILS */
534 case WPA_KEY_MGMT_FT_PSK:
535 case WPA_KEY_MGMT_FT_IEEE8021X:
536 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
537 /*
538 * Wrapped data with these AKMs is optional and is only needed
539 * for further validation of FT security parameters. For now do
540 * not use them.
541 */
542 return NULL;
543 default:
544 wpa_printf(MSG_ERROR,
545 "PASN: TODO: Wrapped data for akmp=0x%x",
546 pasn->akmp);
547 return NULL;
548 }
549 }
550
551
wpas_pasn_get_wrapped_data_format(struct pasn_data * pasn)552 static u8 wpas_pasn_get_wrapped_data_format(struct pasn_data *pasn)
553 {
554 if (pasn->using_pmksa)
555 return WPA_PASN_WRAPPED_DATA_NO;
556
557 /* Note: Valid AKMP is expected to already be validated */
558 switch (pasn->akmp) {
559 case WPA_KEY_MGMT_SAE:
560 return WPA_PASN_WRAPPED_DATA_SAE;
561 case WPA_KEY_MGMT_FILS_SHA256:
562 case WPA_KEY_MGMT_FILS_SHA384:
563 return WPA_PASN_WRAPPED_DATA_FILS_SK;
564 case WPA_KEY_MGMT_FT_PSK:
565 case WPA_KEY_MGMT_FT_IEEE8021X:
566 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
567 /*
568 * Wrapped data with these AKMs is optional and is only needed
569 * for further validation of FT security parameters. For now do
570 * not use them.
571 */
572 return WPA_PASN_WRAPPED_DATA_NO;
573 case WPA_KEY_MGMT_PASN:
574 default:
575 return WPA_PASN_WRAPPED_DATA_NO;
576 }
577 }
578
579
wpas_pasn_build_auth_1(struct pasn_data * pasn,const struct wpabuf * comeback,bool verify)580 static struct wpabuf * wpas_pasn_build_auth_1(struct pasn_data *pasn,
581 const struct wpabuf *comeback,
582 bool verify)
583 {
584 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
585 const u8 *pmkid;
586 u8 wrapped_data;
587 int ret;
588
589 wpa_printf(MSG_DEBUG, "PASN: Building frame 1");
590
591 if (pasn->trans_seq)
592 return NULL;
593
594 buf = wpabuf_alloc(1500);
595 if (!buf)
596 goto fail;
597
598 /* Get public key */
599 pubkey = crypto_ecdh_get_pubkey(pasn->ecdh, 0);
600 pubkey = wpabuf_zeropad(pubkey, crypto_ecdh_prime_len(pasn->ecdh));
601 if (!pubkey) {
602 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
603 goto fail;
604 }
605
606 wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
607
608 wpa_pasn_build_auth_header(buf, pasn->bssid,
609 pasn->own_addr, pasn->peer_addr,
610 pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
611
612 pmkid = NULL;
613 if (wpa_key_mgmt_ft(pasn->akmp)) {
614 #ifdef CONFIG_IEEE80211R
615 pmkid = pasn->pmk_r1_name;
616 #else /* CONFIG_IEEE80211R */
617 goto fail;
618 #endif /* CONFIG_IEEE80211R */
619 } else if (wrapped_data != WPA_PASN_WRAPPED_DATA_NO) {
620 struct rsn_pmksa_cache_entry *pmksa;
621
622 pmksa = pmksa_cache_get(pasn->pmksa, pasn->peer_addr,
623 pasn->own_addr, NULL, NULL, pasn->akmp);
624 if (pmksa && pasn->custom_pmkid_valid)
625 pmkid = pasn->custom_pmkid;
626 else if (pmksa)
627 pmkid = pmksa->pmkid;
628
629 /*
630 * Note: Even when PMKSA is available, also add wrapped data as
631 * it is possible that the PMKID is no longer valid at the AP.
632 */
633 if (!verify)
634 wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
635 }
636
637 if (wpa_pasn_add_rsne(buf, pmkid, pasn->akmp, pasn->cipher) < 0)
638 goto fail;
639
640 if (!wrapped_data_buf)
641 wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
642
643 wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
644 pubkey, true, comeback, -1);
645
646 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
647 goto fail;
648
649 if (pasn->rsnxe_ie)
650 wpabuf_put_data(buf, pasn->rsnxe_ie, 2 + pasn->rsnxe_ie[1]);
651 else
652 wpa_pasn_add_rsnxe(buf, pasn->rsnxe_capab);
653
654 wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len);
655
656 ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
657 wpabuf_head_u8(buf) + IEEE80211_HDRLEN,
658 wpabuf_len(buf) - IEEE80211_HDRLEN,
659 pasn->hash);
660 if (ret) {
661 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
662 goto fail;
663 }
664
665 pasn->trans_seq++;
666
667 wpabuf_free(wrapped_data_buf);
668 wpabuf_free(pubkey);
669
670 wpa_printf(MSG_DEBUG, "PASN: Frame 1: Success");
671 return buf;
672 fail:
673 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
674 wpabuf_free(wrapped_data_buf);
675 wpabuf_free(pubkey);
676 wpabuf_free(buf);
677 return NULL;
678 }
679
680
wpas_pasn_build_auth_3(struct pasn_data * pasn)681 static struct wpabuf * wpas_pasn_build_auth_3(struct pasn_data *pasn)
682 {
683 struct wpabuf *buf, *wrapped_data_buf = NULL;
684 u8 mic[WPA_PASN_MAX_MIC_LEN];
685 u8 mic_len, data_len;
686 const u8 *data;
687 u8 *ptr;
688 u8 wrapped_data;
689 int ret;
690
691 wpa_printf(MSG_DEBUG, "PASN: Building frame 3");
692
693 if (pasn->trans_seq != 2)
694 return NULL;
695
696 buf = wpabuf_alloc(1500);
697 if (!buf)
698 goto fail;
699
700 wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
701
702 wpa_pasn_build_auth_header(buf, pasn->bssid,
703 pasn->own_addr, pasn->peer_addr,
704 pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
705
706 wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
707
708 if (!wrapped_data_buf)
709 wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
710
711 wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
712 NULL, false, NULL, -1);
713
714 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
715 goto fail;
716 wpabuf_free(wrapped_data_buf);
717 wrapped_data_buf = NULL;
718
719 /* Add the MIC */
720 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
721 wpabuf_put_u8(buf, WLAN_EID_MIC);
722 wpabuf_put_u8(buf, mic_len);
723 ptr = wpabuf_put(buf, mic_len);
724
725 os_memset(ptr, 0, mic_len);
726
727 data = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
728 data_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
729
730 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
731 pasn->own_addr, pasn->peer_addr,
732 pasn->hash, mic_len * 2, data, data_len, mic);
733 if (ret) {
734 wpa_printf(MSG_DEBUG, "PASN: frame 3: Failed MIC calculation");
735 goto fail;
736 }
737
738 #ifdef CONFIG_TESTING_OPTIONS
739 if (pasn->corrupt_mic) {
740 wpa_printf(MSG_DEBUG, "PASN: frame 3: Corrupt MIC");
741 mic[0] = ~mic[0];
742 }
743 #endif /* CONFIG_TESTING_OPTIONS */
744
745 os_memcpy(ptr, mic, mic_len);
746
747 pasn->trans_seq++;
748
749 wpa_printf(MSG_DEBUG, "PASN: frame 3: Success");
750 return buf;
751 fail:
752 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
753 wpabuf_free(wrapped_data_buf);
754 wpabuf_free(buf);
755 return NULL;
756 }
757
758
wpa_pasn_reset(struct pasn_data * pasn)759 void wpa_pasn_reset(struct pasn_data *pasn)
760 {
761 wpa_printf(MSG_DEBUG, "PASN: Reset");
762
763 crypto_ecdh_deinit(pasn->ecdh);
764 pasn->ecdh = NULL;
765
766
767 pasn->akmp = 0;
768 pasn->cipher = 0;
769 pasn->group = 0;
770 pasn->trans_seq = 0;
771 pasn->pmk_len = 0;
772 pasn->using_pmksa = false;
773
774 forced_memzero(pasn->pmk, sizeof(pasn->pmk));
775 forced_memzero(&pasn->ptk, sizeof(pasn->ptk));
776 forced_memzero(&pasn->hash, sizeof(pasn->hash));
777
778 wpabuf_free(pasn->beacon_rsne_rsnxe);
779 pasn->beacon_rsne_rsnxe = NULL;
780
781 wpabuf_free(pasn->comeback);
782 pasn->comeback = NULL;
783 pasn->comeback_after = 0;
784
785 #ifdef CONFIG_SAE
786 sae_clear_data(&pasn->sae);
787 if (pasn->pt) {
788 sae_deinit_pt(pasn->pt);
789 pasn->pt = NULL;
790 }
791 #endif /* CONFIG_SAE */
792
793 #ifdef CONFIG_FILS
794 pasn->fils_eapol = false;
795 os_memset(&pasn->fils, 0, sizeof(pasn->fils));
796 #endif /* CONFIG_FILS*/
797
798 #ifdef CONFIG_IEEE80211R
799 forced_memzero(pasn->pmk_r1, sizeof(pasn->pmk_r1));
800 pasn->pmk_r1_len = 0;
801 os_memset(pasn->pmk_r1_name, 0, sizeof(pasn->pmk_r1_name));
802 #endif /* CONFIG_IEEE80211R */
803 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
804 pasn->pmksa_entry = NULL;
805 #ifdef CONFIG_TESTING_OPTIONS
806 pasn->corrupt_mic = 0;
807 #endif /* CONFIG_TESTING_OPTIONS */
808 pasn->network_id = 0;
809 pasn->derive_kdk = false;
810 pasn->rsn_ie = NULL;
811 pasn->rsn_ie_len = 0;
812 os_free(pasn->rsnxe_ie);
813 pasn->rsnxe_ie = NULL;
814 pasn->custom_pmkid_valid = false;
815
816 if (pasn->extra_ies) {
817 os_free((u8 *) pasn->extra_ies);
818 pasn->extra_ies = NULL;
819 }
820 }
821
822
wpas_pasn_set_pmk(struct pasn_data * pasn,struct wpa_ie_data * rsn_data,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data)823 static int wpas_pasn_set_pmk(struct pasn_data *pasn,
824 struct wpa_ie_data *rsn_data,
825 struct wpa_pasn_params_data *pasn_data,
826 struct wpabuf *wrapped_data)
827 {
828 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
829
830 os_memset(pasn->pmk, 0, sizeof(pasn->pmk));
831 pasn->pmk_len = 0;
832
833 if (pasn->akmp == WPA_KEY_MGMT_PASN) {
834 wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
835
836 pasn->pmk_len = WPA_PASN_PMK_LEN;
837 os_memcpy(pasn->pmk, pasn_default_pmk,
838 sizeof(pasn_default_pmk));
839 return 0;
840 }
841
842 if (wpa_key_mgmt_ft(pasn->akmp)) {
843 #ifdef CONFIG_IEEE80211R
844 wpa_printf(MSG_DEBUG, "PASN: FT: Using PMK-R1");
845 pasn->pmk_len = pasn->pmk_r1_len;
846 os_memcpy(pasn->pmk, pasn->pmk_r1, pasn->pmk_r1_len);
847 pasn->using_pmksa = true;
848 return 0;
849 #else /* CONFIG_IEEE80211R */
850 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
851 return -1;
852 #endif /* CONFIG_IEEE80211R */
853 }
854
855 if (rsn_data->num_pmkid) {
856 int ret;
857 struct rsn_pmksa_cache_entry *pmksa;
858 const u8 *pmkid = NULL;
859
860 if (pasn->custom_pmkid_valid) {
861 ret = pasn->validate_custom_pmkid(pasn->cb_ctx,
862 pasn->peer_addr,
863 rsn_data->pmkid);
864 if (ret) {
865 wpa_printf(MSG_DEBUG,
866 "PASN: Failed custom PMKID validation");
867 return -1;
868 }
869 } else {
870 pmkid = rsn_data->pmkid;
871 }
872
873 pmksa = pmksa_cache_get(pasn->pmksa, pasn->peer_addr,
874 pasn->own_addr,
875 pmkid, NULL, pasn->akmp);
876 if (pmksa) {
877 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA");
878
879 pasn->pmk_len = pmksa->pmk_len;
880 os_memcpy(pasn->pmk, pmksa->pmk, pmksa->pmk_len);
881 pasn->using_pmksa = true;
882
883 return 0;
884 }
885 }
886
887 #ifdef CONFIG_SAE
888 if (pasn->akmp == WPA_KEY_MGMT_SAE) {
889 int ret;
890
891 ret = wpas_pasn_wd_sae_rx(pasn, wrapped_data);
892 if (ret) {
893 wpa_printf(MSG_DEBUG,
894 "PASN: Failed processing SAE wrapped data");
895 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
896 return -1;
897 }
898
899 wpa_printf(MSG_DEBUG, "PASN: Success deriving PMK with SAE");
900 pasn->pmk_len = PMK_LEN;
901 os_memcpy(pasn->pmk, pasn->sae.pmk, PMK_LEN);
902
903 pasn->pmksa_entry = pmksa_cache_add(pasn->pmksa, pasn->pmk,
904 pasn->pmk_len,
905 pasn->sae.pmkid,
906 NULL, 0, pasn->peer_addr,
907 pasn->own_addr, NULL,
908 pasn->akmp, 0);
909 return 0;
910 }
911 #endif /* CONFIG_SAE */
912
913 #ifdef CONFIG_FILS
914 if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
915 pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
916 int ret;
917
918 ret = wpas_pasn_wd_fils_rx(pasn, wrapped_data);
919 if (ret) {
920 wpa_printf(MSG_DEBUG,
921 "PASN: Failed processing FILS wrapped data");
922 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
923 return -1;
924 }
925
926 return 0;
927 }
928 #endif /* CONFIG_FILS */
929
930 /* TODO: Derive PMK based on wrapped data */
931 wpa_printf(MSG_DEBUG, "PASN: Missing implementation to derive PMK");
932 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
933 return -1;
934 }
935
936
wpas_pasn_send_auth_1(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback,bool verify)937 static int wpas_pasn_send_auth_1(struct pasn_data *pasn, const u8 *own_addr,
938 const u8 *peer_addr, const u8 *bssid, int akmp,
939 int cipher, u16 group, int freq,
940 const u8 *beacon_rsne, u8 beacon_rsne_len,
941 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
942 const struct wpabuf *comeback, bool verify)
943 {
944 struct wpabuf *frame;
945 int ret;
946
947 pasn->ecdh = crypto_ecdh_init(group);
948 if (!pasn->ecdh) {
949 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
950 goto fail;
951 }
952
953 if (beacon_rsne && beacon_rsne_len) {
954 pasn->beacon_rsne_rsnxe = wpabuf_alloc(beacon_rsne_len +
955 beacon_rsnxe_len);
956 if (!pasn->beacon_rsne_rsnxe) {
957 wpa_printf(MSG_DEBUG,
958 "PASN: Failed storing beacon RSNE/RSNXE");
959 goto fail;
960 }
961
962 wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsne,
963 beacon_rsne_len);
964 if (beacon_rsnxe && beacon_rsnxe_len)
965 wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsnxe,
966 beacon_rsnxe_len);
967 }
968
969 pasn->akmp = akmp;
970 pasn->cipher = cipher;
971 pasn->group = group;
972 pasn->freq = freq;
973
974 os_memcpy(pasn->own_addr, own_addr, ETH_ALEN);
975 os_memcpy(pasn->peer_addr, peer_addr, ETH_ALEN);
976 os_memcpy(pasn->bssid, bssid, ETH_ALEN);
977
978 wpa_printf(MSG_DEBUG,
979 "PASN: Init%s: " MACSTR " akmp=0x%x, cipher=0x%x, group=%u",
980 verify ? " (verify)" : "",
981 MAC2STR(pasn->peer_addr), pasn->akmp, pasn->cipher,
982 pasn->group);
983
984 frame = wpas_pasn_build_auth_1(pasn, comeback, verify);
985 if (!frame) {
986 wpa_printf(MSG_DEBUG, "PASN: Failed building 1st auth frame");
987 goto fail;
988 }
989
990 ret = pasn->send_mgmt(pasn->cb_ctx,
991 wpabuf_head(frame), wpabuf_len(frame), 0,
992 pasn->freq, 1000);
993
994 wpabuf_free(frame);
995 if (ret) {
996 wpa_printf(MSG_DEBUG, "PASN: Failed sending 1st auth frame");
997 goto fail;
998 }
999
1000 return 0;
1001
1002 fail:
1003 return -1;
1004 }
1005
1006
wpas_pasn_start(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback)1007 int wpas_pasn_start(struct pasn_data *pasn, const u8 *own_addr,
1008 const u8 *peer_addr, const u8 *bssid,
1009 int akmp, int cipher, u16 group,
1010 int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
1011 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
1012 const struct wpabuf *comeback)
1013 {
1014 /* TODO: Currently support only ECC groups */
1015 if (!dragonfly_suitable_group(group, 1)) {
1016 wpa_printf(MSG_DEBUG,
1017 "PASN: Reject unsuitable group %u", group);
1018 return -1;
1019 }
1020
1021 switch (akmp) {
1022 case WPA_KEY_MGMT_PASN:
1023 break;
1024 #ifdef CONFIG_SAE
1025 case WPA_KEY_MGMT_SAE:
1026
1027 if (beacon_rsnxe &&
1028 !ieee802_11_rsnx_capab(beacon_rsnxe,
1029 WLAN_RSNX_CAPAB_SAE_H2E)) {
1030 wpa_printf(MSG_DEBUG,
1031 "PASN: AP does not support SAE H2E");
1032 return -1;
1033 }
1034
1035 pasn->sae.state = SAE_NOTHING;
1036 pasn->sae.send_confirm = 0;
1037 break;
1038 #endif /* CONFIG_SAE */
1039 #ifdef CONFIG_FILS
1040 case WPA_KEY_MGMT_FILS_SHA256:
1041 case WPA_KEY_MGMT_FILS_SHA384:
1042 break;
1043 #endif /* CONFIG_FILS */
1044 #ifdef CONFIG_IEEE80211R
1045 case WPA_KEY_MGMT_FT_PSK:
1046 case WPA_KEY_MGMT_FT_IEEE8021X:
1047 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
1048 break;
1049 #endif /* CONFIG_IEEE80211R */
1050 default:
1051 wpa_printf(MSG_ERROR, "PASN: Unsupported AKMP=0x%x", akmp);
1052 return -1;
1053 }
1054
1055 return wpas_pasn_send_auth_1(pasn, own_addr, peer_addr, bssid, akmp,
1056 cipher, group,
1057 freq, beacon_rsne, beacon_rsne_len,
1058 beacon_rsnxe, beacon_rsnxe_len, comeback,
1059 false);
1060 }
1061
1062 /*
1063 * Wi-Fi Aware uses PASN handshake to authenticate peer devices.
1064 * Devices can simply verify each other for subsequent sessions using
1065 * pairing verification procedure.
1066 *
1067 * In pairing verification, Wi-Fi aware devices use PASN authentication
1068 * frames with a custom PMKID and Wi-Fi Aware R4 specific verification IEs.
1069 * It does not use wrapped data in the Authentication frames. This function
1070 * provides support to construct PASN Authentication frames for pairing
1071 * verification.
1072 */
wpa_pasn_verify(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback)1073 int wpa_pasn_verify(struct pasn_data *pasn, const u8 *own_addr,
1074 const u8 *peer_addr, const u8 *bssid,
1075 int akmp, int cipher, u16 group,
1076 int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
1077 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
1078 const struct wpabuf *comeback)
1079 {
1080 return wpas_pasn_send_auth_1(pasn, own_addr, peer_addr, bssid, akmp,
1081 cipher, group, freq, beacon_rsne,
1082 beacon_rsne_len, beacon_rsnxe,
1083 beacon_rsnxe_len, comeback, true);
1084 }
1085
1086
is_pasn_auth_frame(struct pasn_data * pasn,const struct ieee80211_mgmt * mgmt,size_t len,bool rx)1087 static bool is_pasn_auth_frame(struct pasn_data *pasn,
1088 const struct ieee80211_mgmt *mgmt,
1089 size_t len, bool rx)
1090 {
1091 u16 fc;
1092
1093 if (!mgmt || len < offsetof(struct ieee80211_mgmt, u.auth.variable))
1094 return false;
1095
1096 /* Not an Authentication frame; do nothing */
1097 fc = le_to_host16(mgmt->frame_control);
1098 if (WLAN_FC_GET_TYPE(fc) != WLAN_FC_TYPE_MGMT ||
1099 WLAN_FC_GET_STYPE(fc) != WLAN_FC_STYPE_AUTH)
1100 return false;
1101
1102 /* Not our frame; do nothing */
1103 if (!ether_addr_equal(mgmt->bssid, pasn->bssid))
1104 return false;
1105
1106 if (rx && (!ether_addr_equal(mgmt->da, pasn->own_addr) ||
1107 !ether_addr_equal(mgmt->sa, pasn->peer_addr)))
1108 return false;
1109
1110 if (!rx && (!ether_addr_equal(mgmt->sa, pasn->own_addr) ||
1111 !ether_addr_equal(mgmt->da, pasn->peer_addr)))
1112 return false;
1113
1114 /* Not PASN; do nothing */
1115 if (mgmt->u.auth.auth_alg != host_to_le16(WLAN_AUTH_PASN))
1116 return false;
1117
1118 return true;
1119 }
1120
1121
wpa_pasn_auth_rx(struct pasn_data * pasn,const u8 * data,size_t len,struct wpa_pasn_params_data * pasn_params)1122 int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
1123 struct wpa_pasn_params_data *pasn_params)
1124
1125 {
1126 struct ieee802_11_elems elems;
1127 struct wpa_ie_data rsn_data;
1128 const struct ieee80211_mgmt *mgmt =
1129 (const struct ieee80211_mgmt *) data;
1130 struct wpabuf *wrapped_data = NULL, *secret = NULL, *frame = NULL;
1131 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
1132 u8 mic_len;
1133 u16 status;
1134 int ret, inc_y;
1135 u8 *copy = NULL;
1136 size_t mic_offset, copy_len;
1137
1138 if (!is_pasn_auth_frame(pasn, mgmt, len, true))
1139 return -2;
1140
1141 if (mgmt->u.auth.auth_transaction !=
1142 host_to_le16(pasn->trans_seq + 1)) {
1143 wpa_printf(MSG_DEBUG,
1144 "PASN: RX: Invalid transaction sequence: (%u != %u)",
1145 le_to_host16(mgmt->u.auth.auth_transaction),
1146 pasn->trans_seq + 1);
1147 return -3;
1148 }
1149
1150 status = le_to_host16(mgmt->u.auth.status_code);
1151
1152 if (status != WLAN_STATUS_SUCCESS &&
1153 status != WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1154 wpa_printf(MSG_DEBUG,
1155 "PASN: Authentication rejected - status=%u", status);
1156 goto fail;
1157 }
1158
1159 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
1160 len - offsetof(struct ieee80211_mgmt,
1161 u.auth.variable),
1162 &elems, 0) == ParseFailed) {
1163 wpa_printf(MSG_DEBUG,
1164 "PASN: Failed parsing Authentication frame");
1165 goto fail;
1166 }
1167
1168 /* Check that the MIC IE exists. Save it and zero out the memory */
1169 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
1170 if (status == WLAN_STATUS_SUCCESS) {
1171 if (!elems.mic || elems.mic_len != mic_len) {
1172 wpa_printf(MSG_DEBUG,
1173 "PASN: Invalid MIC. Expecting len=%u",
1174 mic_len);
1175 goto fail;
1176 }
1177 os_memcpy(mic, elems.mic, mic_len);
1178 }
1179
1180 if (!elems.pasn_params || !elems.pasn_params_len) {
1181 wpa_printf(MSG_DEBUG,
1182 "PASN: Missing PASN Parameters IE");
1183 goto fail;
1184 }
1185
1186 if (!pasn_params) {
1187 wpa_printf(MSG_DEBUG, "PASN: pasn_params == NULL");
1188 goto fail;
1189 }
1190
1191 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
1192 elems.pasn_params_len + 3,
1193 true, pasn_params);
1194 if (ret) {
1195 wpa_printf(MSG_DEBUG,
1196 "PASN: Failed validation PASN of Parameters IE");
1197 goto fail;
1198 }
1199
1200 if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1201 wpa_printf(MSG_DEBUG,
1202 "PASN: Authentication temporarily rejected");
1203
1204 if (pasn_params->comeback && pasn_params->comeback_len) {
1205 wpa_printf(MSG_DEBUG,
1206 "PASN: Comeback token available. After=%u",
1207 pasn_params->after);
1208
1209 if (!pasn_params->after)
1210 return 1;
1211
1212 pasn->comeback = wpabuf_alloc_copy(
1213 pasn_params->comeback,
1214 pasn_params->comeback_len);
1215 if (pasn->comeback)
1216 pasn->comeback_after = pasn_params->after;
1217 }
1218
1219 pasn->status = status;
1220 goto fail;
1221 }
1222
1223 if (!elems.rsn_ie) {
1224 wpa_printf(MSG_DEBUG, "PASN: Missing RSNE");
1225 goto fail;
1226 }
1227
1228 ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1229 &rsn_data);
1230 if (ret) {
1231 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE");
1232 goto fail;
1233 }
1234
1235 ret = wpa_pasn_validate_rsne(&rsn_data);
1236 if (ret) {
1237 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
1238 goto fail;
1239 }
1240
1241 if (pasn->akmp != rsn_data.key_mgmt ||
1242 pasn->cipher != rsn_data.pairwise_cipher) {
1243 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
1244 goto fail;
1245 }
1246
1247 if (pasn->group != pasn_params->group) {
1248 wpa_printf(MSG_DEBUG, "PASN: Mismatch in group");
1249 goto fail;
1250 }
1251
1252 if (!pasn_params->pubkey || !pasn_params->pubkey_len) {
1253 wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
1254 goto fail;
1255 }
1256
1257 if (pasn_params->pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
1258 inc_y = 1;
1259 } else if (pasn_params->pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
1260 pasn_params->pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
1261 inc_y = 0;
1262 } else {
1263 wpa_printf(MSG_DEBUG,
1264 "PASN: Invalid first octet in pubkey=0x%x",
1265 pasn_params->pubkey[0]);
1266 goto fail;
1267 }
1268
1269 secret = crypto_ecdh_set_peerkey(pasn->ecdh, inc_y,
1270 pasn_params->pubkey + 1,
1271 pasn_params->pubkey_len - 1);
1272
1273 if (!secret) {
1274 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
1275 goto fail;
1276 }
1277
1278 if (pasn_params->wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
1279 wrapped_data = ieee802_11_defrag(elems.wrapped_data,
1280 elems.wrapped_data_len,
1281 true);
1282
1283 if (!wrapped_data) {
1284 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
1285 goto fail;
1286 }
1287 }
1288
1289 ret = wpas_pasn_set_pmk(pasn, &rsn_data, pasn_params, wrapped_data);
1290 if (ret) {
1291 wpa_printf(MSG_DEBUG, "PASN: Failed to set PMK");
1292 goto fail;
1293 }
1294
1295 ret = pasn_pmk_to_ptk(pasn->pmk, pasn->pmk_len,
1296 pasn->own_addr, pasn->peer_addr,
1297 wpabuf_head(secret), wpabuf_len(secret),
1298 &pasn->ptk, pasn->akmp, pasn->cipher,
1299 pasn->kdk_len, pasn->kek_len);
1300 if (ret) {
1301 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
1302 goto fail;
1303 }
1304
1305 if (pasn->secure_ltf) {
1306 ret = wpa_ltf_keyseed(&pasn->ptk, pasn->akmp, pasn->cipher);
1307 if (ret) {
1308 wpa_printf(MSG_DEBUG,
1309 "PASN: Failed to derive LTF keyseed");
1310 goto fail;
1311 }
1312 }
1313
1314 wpabuf_free(wrapped_data);
1315 wrapped_data = NULL;
1316 wpabuf_free(secret);
1317 secret = NULL;
1318
1319 /* Use a copy of the message since we need to clear the MIC field */
1320 if (!elems.mic)
1321 goto fail;
1322 mic_offset = elems.mic - (const u8 *) &mgmt->u.auth;
1323 copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
1324 if (mic_offset + mic_len > copy_len)
1325 goto fail;
1326 copy = os_memdup(&mgmt->u.auth, copy_len);
1327 if (!copy)
1328 goto fail;
1329 os_memset(copy + mic_offset, 0, mic_len);
1330
1331 if (pasn->beacon_rsne_rsnxe) {
1332 /* Verify the MIC */
1333 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1334 pasn->peer_addr, pasn->own_addr,
1335 wpabuf_head(pasn->beacon_rsne_rsnxe),
1336 wpabuf_len(pasn->beacon_rsne_rsnxe),
1337 copy, copy_len, out_mic);
1338 } else {
1339 u8 *rsne_rsnxe;
1340 size_t rsne_rsnxe_len = 0;
1341
1342 /*
1343 * Note: When Beacon rsne_rsnxe is not initialized, it is likely
1344 * that this is for Wi-Fi Aware using PASN handshake for which
1345 * Beacon RSNE/RSNXE are same as RSNE/RSNXE in the
1346 * Authentication frame
1347 */
1348 if (elems.rsn_ie && elems.rsn_ie_len)
1349 rsne_rsnxe_len += elems.rsn_ie_len + 2;
1350 if (elems.rsnxe && elems.rsnxe_len)
1351 rsne_rsnxe_len += elems.rsnxe_len + 2;
1352
1353 rsne_rsnxe = os_zalloc(rsne_rsnxe_len);
1354 if (!rsne_rsnxe)
1355 goto fail;
1356
1357 if (elems.rsn_ie && elems.rsn_ie_len)
1358 os_memcpy(rsne_rsnxe, elems.rsn_ie - 2,
1359 elems.rsn_ie_len + 2);
1360 if (elems.rsnxe && elems.rsnxe_len)
1361 os_memcpy(rsne_rsnxe + elems.rsn_ie_len + 2,
1362 elems.rsnxe - 2, elems.rsnxe_len + 2);
1363
1364 wpa_hexdump_key(MSG_DEBUG, "PASN: RSN + RSNXE buf",
1365 rsne_rsnxe, rsne_rsnxe_len);
1366
1367 /* Verify the MIC */
1368 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1369 pasn->peer_addr, pasn->own_addr,
1370 rsne_rsnxe,
1371 rsne_rsnxe_len,
1372 copy, copy_len, out_mic);
1373
1374 os_free(rsne_rsnxe);
1375 }
1376 os_free(copy);
1377 copy = NULL;
1378
1379 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
1380 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
1381 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
1382 goto fail;
1383 }
1384
1385 pasn->trans_seq++;
1386
1387 wpa_printf(MSG_DEBUG, "PASN: Success verifying Authentication frame");
1388
1389 frame = wpas_pasn_build_auth_3(pasn);
1390 if (!frame) {
1391 wpa_printf(MSG_DEBUG, "PASN: Failed building 3rd auth frame");
1392 goto fail;
1393 }
1394
1395 ret = pasn->send_mgmt(pasn->cb_ctx,
1396 wpabuf_head(frame), wpabuf_len(frame), 0,
1397 pasn->freq, 100);
1398 wpabuf_free(frame);
1399 if (ret) {
1400 wpa_printf(MSG_DEBUG, "PASN: Failed sending 3st auth frame");
1401 goto fail;
1402 }
1403
1404 wpa_printf(MSG_DEBUG, "PASN: Success sending last frame. Store PTK");
1405
1406 pasn->status = WLAN_STATUS_SUCCESS;
1407
1408 return 0;
1409 fail:
1410 wpa_printf(MSG_DEBUG, "PASN: Failed RX processing - terminating");
1411 wpabuf_free(wrapped_data);
1412 wpabuf_free(secret);
1413 os_free(copy);
1414
1415 /*
1416 * TODO: In case of an error the standard allows to silently drop
1417 * the frame and terminate the authentication exchange. However, better
1418 * reply to the AP with an error status.
1419 */
1420 if (status == WLAN_STATUS_SUCCESS)
1421 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1422 else
1423 pasn->status = status;
1424
1425 return -1;
1426 }
1427
1428
wpa_pasn_auth_tx_status(struct pasn_data * pasn,const u8 * data,size_t data_len,u8 acked)1429 int wpa_pasn_auth_tx_status(struct pasn_data *pasn,
1430 const u8 *data, size_t data_len, u8 acked)
1431
1432 {
1433 const struct ieee80211_mgmt *mgmt =
1434 (const struct ieee80211_mgmt *) data;
1435
1436 wpa_printf(MSG_DEBUG, "PASN: auth_tx_status: acked=%u", acked);
1437
1438 if (!is_pasn_auth_frame(pasn, mgmt, data_len, false))
1439 return -1;
1440
1441 if (mgmt->u.auth.auth_transaction != host_to_le16(pasn->trans_seq)) {
1442 wpa_printf(MSG_ERROR,
1443 "PASN: Invalid transaction sequence: (%u != %u)",
1444 pasn->trans_seq,
1445 le_to_host16(mgmt->u.auth.auth_transaction));
1446 return 0;
1447 }
1448
1449 wpa_printf(MSG_ERROR,
1450 "PASN: auth with trans_seq=%u, acked=%u", pasn->trans_seq,
1451 acked);
1452
1453 /*
1454 * Even if the frame was not acked, do not treat this is an error, and
1455 * try to complete the flow, relying on the PASN timeout callback to
1456 * clean up.
1457 */
1458 if (pasn->trans_seq == 3) {
1459 wpa_printf(MSG_DEBUG, "PASN: auth complete with: " MACSTR,
1460 MAC2STR(pasn->peer_addr));
1461 /*
1462 * Either frame was not ACKed or it was ACKed but the trans_seq
1463 * != 1, i.e., not expecting an RX frame, so we are done.
1464 */
1465 return 1;
1466 }
1467
1468 return 0;
1469 }
1470