1 /*
2 * PASN initiator processing
3 *
4 * Copyright (C) 2019, Intel Corporation
5 * Copyright (C) 2022, Qualcomm Innovation Center, Inc.
6 *
7 * This software may be distributed under the terms of the BSD license.
8 * See README for more details.
9 */
10
11 #include "utils/includes.h"
12
13 #include "utils/common.h"
14 #include "common/wpa_common.h"
15 #include "common/sae.h"
16 #include "common/ieee802_11_common.h"
17 #include "common/ieee802_11_defs.h"
18 #include "common/dragonfly.h"
19 #include "crypto/sha384.h"
20 #include "crypto/crypto.h"
21 #include "crypto/random.h"
22 #include "eap_common/eap_defs.h"
23 #include "eapol_supp/eapol_supp_sm.h"
24 #include "rsn_supp/wpa.h"
25 #include "rsn_supp/pmksa_cache.h"
26 #include "pasn_common.h"
27
28
29 #ifdef CONFIG_SAE
30
wpas_pasn_wd_sae_commit(struct pasn_data * pasn)31 static struct wpabuf * wpas_pasn_wd_sae_commit(struct pasn_data *pasn)
32 {
33 struct wpabuf *buf = NULL;
34 int ret;
35
36 ret = sae_set_group(&pasn->sae, pasn->group);
37 if (ret) {
38 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
39 return NULL;
40 }
41
42 ret = sae_prepare_commit_pt(&pasn->sae, pasn->pt,
43 pasn->own_addr, pasn->peer_addr,
44 NULL, NULL);
45 if (ret) {
46 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
47 return NULL;
48 }
49
50 /* Need to add the entire Authentication frame body */
51 buf = wpabuf_alloc(6 + SAE_COMMIT_MAX_LEN);
52 if (!buf) {
53 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
54 return NULL;
55 }
56
57 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
58 wpabuf_put_le16(buf, 1);
59 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
60
61 sae_write_commit(&pasn->sae, buf, NULL, 0);
62 pasn->sae.state = SAE_COMMITTED;
63
64 return buf;
65 }
66
67
wpas_pasn_wd_sae_rx(struct pasn_data * pasn,struct wpabuf * wd)68 static int wpas_pasn_wd_sae_rx(struct pasn_data *pasn, struct wpabuf *wd)
69 {
70 const u8 *data;
71 size_t buf_len;
72 u16 len, res, alg, seq, status;
73 int groups[] = { pasn->group, 0 };
74 int ret;
75
76 if (!wd)
77 return -1;
78
79 data = wpabuf_head_u8(wd);
80 buf_len = wpabuf_len(wd);
81
82 /* first handle the commit message */
83 if (buf_len < 2) {
84 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (commit)");
85 return -1;
86 }
87
88 len = WPA_GET_LE16(data);
89 if (len < 6 || buf_len - 2 < len) {
90 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for commit");
91 return -1;
92 }
93
94 buf_len -= 2;
95 data += 2;
96
97 alg = WPA_GET_LE16(data);
98 seq = WPA_GET_LE16(data + 2);
99 status = WPA_GET_LE16(data + 4);
100
101 wpa_printf(MSG_DEBUG, "PASN: SAE: commit: alg=%u, seq=%u, status=%u",
102 alg, seq, status);
103
104 if (alg != WLAN_AUTH_SAE || seq != 1 ||
105 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
106 wpa_printf(MSG_DEBUG, "PASN: SAE: dropping peer commit");
107 return -1;
108 }
109
110 res = sae_parse_commit(&pasn->sae, data + 6, len - 6, NULL, 0, groups,
111 1, NULL);
112 if (res != WLAN_STATUS_SUCCESS) {
113 wpa_printf(MSG_DEBUG, "PASN: SAE failed parsing commit");
114 return -1;
115 }
116
117 /* Process the commit message and derive the PMK */
118 ret = sae_process_commit(&pasn->sae);
119 if (ret) {
120 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
121 return -1;
122 }
123
124 buf_len -= len;
125 data += len;
126
127 /* Handle the confirm message */
128 if (buf_len < 2) {
129 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (confirm)");
130 return -1;
131 }
132
133 len = WPA_GET_LE16(data);
134 if (len < 6 || buf_len - 2 < len) {
135 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for confirm");
136 return -1;
137 }
138
139 buf_len -= 2;
140 data += 2;
141
142 alg = WPA_GET_LE16(data);
143 seq = WPA_GET_LE16(data + 2);
144 status = WPA_GET_LE16(data + 4);
145
146 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
147 alg, seq, status);
148
149 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
150 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
151 return -1;
152 }
153
154 res = sae_check_confirm(&pasn->sae, data + 6, len - 6, NULL);
155 if (res != WLAN_STATUS_SUCCESS) {
156 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
157 return -1;
158 }
159
160 wpa_printf(MSG_DEBUG, "PASN: SAE completed successfully");
161 pasn->sae.state = SAE_ACCEPTED;
162
163 return 0;
164 }
165
166
wpas_pasn_wd_sae_confirm(struct pasn_data * pasn)167 static struct wpabuf * wpas_pasn_wd_sae_confirm(struct pasn_data *pasn)
168 {
169 struct wpabuf *buf = NULL;
170
171 /* Need to add the entire authentication frame body */
172 buf = wpabuf_alloc(6 + SAE_CONFIRM_MAX_LEN);
173 if (!buf) {
174 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
175 return NULL;
176 }
177
178 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
179 wpabuf_put_le16(buf, 2);
180 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
181
182 sae_write_confirm(&pasn->sae, buf);
183 pasn->sae.state = SAE_CONFIRMED;
184
185 return buf;
186 }
187
188 #endif /* CONFIG_SAE */
189
190
191 #ifdef CONFIG_FILS
192
wpas_pasn_fils_build_auth(struct pasn_data * pasn)193 static struct wpabuf * wpas_pasn_fils_build_auth(struct pasn_data *pasn)
194 {
195 struct wpabuf *buf = NULL;
196 struct wpabuf *erp_msg;
197 int ret;
198
199 erp_msg = eapol_sm_build_erp_reauth_start(pasn->eapol);
200 if (!erp_msg) {
201 wpa_printf(MSG_DEBUG,
202 "PASN: FILS: ERP EAP-Initiate/Re-auth unavailable");
203 return NULL;
204 }
205
206 if (random_get_bytes(pasn->fils.nonce, FILS_NONCE_LEN) < 0 ||
207 random_get_bytes(pasn->fils.session, FILS_SESSION_LEN) < 0)
208 goto fail;
209
210 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", pasn->fils.nonce,
211 FILS_NONCE_LEN);
212
213 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", pasn->fils.session,
214 FILS_SESSION_LEN);
215
216 buf = wpabuf_alloc(1500);
217 if (!buf)
218 goto fail;
219
220 /* Add the authentication algorithm */
221 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
222
223 /* Authentication Transaction seq# */
224 wpabuf_put_le16(buf, 1);
225
226 /* Status Code */
227 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
228
229 /* Own RSNE */
230 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
231
232 /* FILS Nonce */
233 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
234 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
235 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
236 wpabuf_put_data(buf, pasn->fils.nonce, FILS_NONCE_LEN);
237
238 /* FILS Session */
239 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
240 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
241 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
242 wpabuf_put_data(buf, pasn->fils.session, FILS_SESSION_LEN);
243
244 /* Wrapped Data (ERP) */
245 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
246 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg));
247 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
248 wpabuf_put_buf(buf, erp_msg);
249
250 /*
251 * Calculate pending PMKID here so that we do not need to maintain a
252 * copy of the EAP-Initiate/Reauth message.
253 */
254 ret = fils_pmkid_erp(pasn->akmp, wpabuf_head(erp_msg),
255 wpabuf_len(erp_msg),
256 pasn->fils.erp_pmkid);
257 if (ret) {
258 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ERP PMKID");
259 goto fail;
260 }
261
262 wpabuf_free(erp_msg);
263 erp_msg = NULL;
264
265 wpa_hexdump_buf(MSG_DEBUG, "PASN: FILS: Authentication frame", buf);
266 return buf;
267 fail:
268 wpabuf_free(erp_msg);
269 wpabuf_free(buf);
270 return NULL;
271 }
272
273
wpas_pasn_wd_fils_auth(struct pasn_data * pasn)274 static struct wpabuf * wpas_pasn_wd_fils_auth(struct pasn_data *pasn)
275 {
276 wpa_printf(MSG_DEBUG, "PASN: FILS: wrapped data - completed=%u",
277 pasn->fils.completed);
278
279 /* Nothing to add as we are done */
280 if (pasn->fils.completed)
281 return NULL;
282
283 if (!pasn->fils_eapol) {
284 wpa_printf(MSG_DEBUG,
285 "PASN: FILS: Missing Indication IE or PFS");
286 return NULL;
287 }
288
289 return wpas_pasn_fils_build_auth(pasn);
290 }
291
292
wpas_pasn_wd_fils_rx(struct pasn_data * pasn,struct wpabuf * wd)293 static int wpas_pasn_wd_fils_rx(struct pasn_data *pasn, struct wpabuf *wd)
294 {
295 struct ieee802_11_elems elems;
296 struct wpa_ie_data rsne_data;
297 u8 rmsk[ERP_MAX_KEY_LEN];
298 size_t rmsk_len;
299 u8 anonce[FILS_NONCE_LEN];
300 const u8 *data;
301 size_t buf_len;
302 struct wpabuf *fils_wd = NULL;
303 u16 alg, seq, status;
304 int ret;
305
306 if (!wd)
307 return -1;
308
309 data = wpabuf_head(wd);
310 buf_len = wpabuf_len(wd);
311
312 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Authentication frame len=%zu",
313 data, buf_len);
314
315 /* first handle the header */
316 if (buf_len < 6) {
317 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short");
318 return -1;
319 }
320
321 alg = WPA_GET_LE16(data);
322 seq = WPA_GET_LE16(data + 2);
323 status = WPA_GET_LE16(data + 4);
324
325 wpa_printf(MSG_DEBUG, "PASN: FILS: commit: alg=%u, seq=%u, status=%u",
326 alg, seq, status);
327
328 if (alg != WLAN_AUTH_FILS_SK || seq != 2 ||
329 status != WLAN_STATUS_SUCCESS) {
330 wpa_printf(MSG_DEBUG,
331 "PASN: FILS: Dropping peer authentication");
332 return -1;
333 }
334
335 data += 6;
336 buf_len -= 6;
337
338 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
339 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
340 return -1;
341 }
342
343 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
344 !elems.wrapped_data) {
345 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
346 return -1;
347 }
348
349 ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
350 &rsne_data);
351 if (ret) {
352 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RSNE");
353 return -1;
354 }
355
356 ret = wpa_pasn_validate_rsne(&rsne_data);
357 if (ret) {
358 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
359 return -1;
360 }
361
362 if (rsne_data.num_pmkid) {
363 wpa_printf(MSG_DEBUG,
364 "PASN: FILS: Not expecting PMKID in RSNE");
365 return -1;
366 }
367
368 wpa_hexdump(MSG_DEBUG, "PASN: FILS: ANonce", elems.fils_nonce,
369 FILS_NONCE_LEN);
370 os_memcpy(anonce, elems.fils_nonce, FILS_NONCE_LEN);
371
372 wpa_hexdump(MSG_DEBUG, "PASN: FILS: FILS Session", elems.fils_session,
373 FILS_SESSION_LEN);
374
375 if (os_memcmp(pasn->fils.session, elems.fils_session,
376 FILS_SESSION_LEN)) {
377 wpa_printf(MSG_DEBUG, "PASN: FILS: Session mismatch");
378 return -1;
379 }
380
381 fils_wd = ieee802_11_defrag(&elems, WLAN_EID_EXTENSION,
382 WLAN_EID_EXT_WRAPPED_DATA);
383
384 if (!fils_wd) {
385 wpa_printf(MSG_DEBUG,
386 "PASN: FILS: Failed getting wrapped data");
387 return -1;
388 }
389
390 eapol_sm_process_erp_finish(pasn->eapol, wpabuf_head(fils_wd),
391 wpabuf_len(fils_wd));
392
393 wpabuf_free(fils_wd);
394 fils_wd = NULL;
395
396 if (eapol_sm_failed(pasn->eapol)) {
397 wpa_printf(MSG_DEBUG, "PASN: FILS: ERP finish failed");
398 return -1;
399 }
400
401 rmsk_len = ERP_MAX_KEY_LEN;
402 ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len);
403
404 if (ret == PMK_LEN) {
405 rmsk_len = PMK_LEN;
406 ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len);
407 }
408
409 if (ret) {
410 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed getting RMSK");
411 return -1;
412 }
413
414 ret = fils_rmsk_to_pmk(pasn->akmp, rmsk, rmsk_len,
415 pasn->fils.nonce, anonce, NULL, 0,
416 pasn->pmk, &pasn->pmk_len);
417
418 forced_memzero(rmsk, sizeof(rmsk));
419
420 if (ret) {
421 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PMK");
422 return -1;
423 }
424
425 wpa_hexdump(MSG_DEBUG, "PASN: FILS: PMKID", pasn->fils.erp_pmkid,
426 PMKID_LEN);
427
428 wpa_printf(MSG_DEBUG, "PASN: FILS: ERP processing succeeded");
429
430 pasn->pmksa_entry = pmksa_cache_add(pasn->pmksa, pasn->pmk,
431 pasn->pmk_len, pasn->fils.erp_pmkid,
432 NULL, 0, pasn->peer_addr,
433 pasn->own_addr, NULL,
434 pasn->akmp, 0);
435
436 pasn->fils.completed = true;
437 return 0;
438 }
439
440 #endif /* CONFIG_FILS */
441
442
wpas_pasn_get_wrapped_data(struct pasn_data * pasn)443 static struct wpabuf * wpas_pasn_get_wrapped_data(struct pasn_data *pasn)
444 {
445 if (pasn->using_pmksa)
446 return NULL;
447
448 switch (pasn->akmp) {
449 case WPA_KEY_MGMT_PASN:
450 /* no wrapped data */
451 return NULL;
452 case WPA_KEY_MGMT_SAE:
453 #ifdef CONFIG_SAE
454 if (pasn->trans_seq == 0)
455 return wpas_pasn_wd_sae_commit(pasn);
456 if (pasn->trans_seq == 2)
457 return wpas_pasn_wd_sae_confirm(pasn);
458 #endif /* CONFIG_SAE */
459 wpa_printf(MSG_ERROR,
460 "PASN: SAE: Cannot derive wrapped data");
461 return NULL;
462 case WPA_KEY_MGMT_FILS_SHA256:
463 case WPA_KEY_MGMT_FILS_SHA384:
464 #ifdef CONFIG_FILS
465 return wpas_pasn_wd_fils_auth(pasn);
466 #endif /* CONFIG_FILS */
467 case WPA_KEY_MGMT_FT_PSK:
468 case WPA_KEY_MGMT_FT_IEEE8021X:
469 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
470 /*
471 * Wrapped data with these AKMs is optional and is only needed
472 * for further validation of FT security parameters. For now do
473 * not use them.
474 */
475 return NULL;
476 default:
477 wpa_printf(MSG_ERROR,
478 "PASN: TODO: Wrapped data for akmp=0x%x",
479 pasn->akmp);
480 return NULL;
481 }
482 }
483
484
wpas_pasn_get_wrapped_data_format(struct pasn_data * pasn)485 static u8 wpas_pasn_get_wrapped_data_format(struct pasn_data *pasn)
486 {
487 if (pasn->using_pmksa)
488 return WPA_PASN_WRAPPED_DATA_NO;
489
490 /* Note: Valid AKMP is expected to already be validated */
491 switch (pasn->akmp) {
492 case WPA_KEY_MGMT_SAE:
493 return WPA_PASN_WRAPPED_DATA_SAE;
494 case WPA_KEY_MGMT_FILS_SHA256:
495 case WPA_KEY_MGMT_FILS_SHA384:
496 return WPA_PASN_WRAPPED_DATA_FILS_SK;
497 case WPA_KEY_MGMT_FT_PSK:
498 case WPA_KEY_MGMT_FT_IEEE8021X:
499 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
500 /*
501 * Wrapped data with these AKMs is optional and is only needed
502 * for further validation of FT security parameters. For now do
503 * not use them.
504 */
505 return WPA_PASN_WRAPPED_DATA_NO;
506 case WPA_KEY_MGMT_PASN:
507 default:
508 return WPA_PASN_WRAPPED_DATA_NO;
509 }
510 }
511
512
wpas_pasn_build_auth_1(struct pasn_data * pasn,const struct wpabuf * comeback,bool verify)513 static struct wpabuf * wpas_pasn_build_auth_1(struct pasn_data *pasn,
514 const struct wpabuf *comeback,
515 bool verify)
516 {
517 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
518 const u8 *pmkid;
519 u8 wrapped_data;
520 int ret;
521
522 wpa_printf(MSG_DEBUG, "PASN: Building frame 1");
523
524 if (pasn->trans_seq)
525 return NULL;
526
527 buf = wpabuf_alloc(1500);
528 if (!buf)
529 goto fail;
530
531 /* Get public key */
532 pubkey = crypto_ecdh_get_pubkey(pasn->ecdh, 0);
533 pubkey = wpabuf_zeropad(pubkey, crypto_ecdh_prime_len(pasn->ecdh));
534 if (!pubkey) {
535 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
536 goto fail;
537 }
538
539 wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
540
541 wpa_pasn_build_auth_header(buf, pasn->bssid,
542 pasn->own_addr, pasn->peer_addr,
543 pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
544
545 pmkid = NULL;
546 if (wpa_key_mgmt_ft(pasn->akmp)) {
547 #ifdef CONFIG_IEEE80211R
548 pmkid = pasn->pmk_r1_name;
549 #else /* CONFIG_IEEE80211R */
550 goto fail;
551 #endif /* CONFIG_IEEE80211R */
552 } else if (wrapped_data != WPA_PASN_WRAPPED_DATA_NO) {
553 struct rsn_pmksa_cache_entry *pmksa;
554
555 pmksa = pmksa_cache_get(pasn->pmksa, pasn->peer_addr,
556 pasn->own_addr, NULL, NULL, pasn->akmp);
557 if (pmksa && pasn->custom_pmkid_valid)
558 pmkid = pasn->custom_pmkid;
559 else if (pmksa)
560 pmkid = pmksa->pmkid;
561
562 /*
563 * Note: Even when PMKSA is available, also add wrapped data as
564 * it is possible that the PMKID is no longer valid at the AP.
565 */
566 if (!verify)
567 wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
568 }
569
570 if (wpa_pasn_add_rsne(buf, pmkid, pasn->akmp, pasn->cipher) < 0)
571 goto fail;
572
573 if (!wrapped_data_buf)
574 wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
575
576 wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
577 pubkey, true, comeback, -1);
578
579 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
580 goto fail;
581
582 wpa_pasn_add_rsnxe(buf, pasn->rsnxe_capab);
583
584 wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len);
585
586 ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
587 wpabuf_head_u8(buf) + IEEE80211_HDRLEN,
588 wpabuf_len(buf) - IEEE80211_HDRLEN,
589 pasn->hash);
590 if (ret) {
591 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
592 goto fail;
593 }
594
595 pasn->trans_seq++;
596
597 wpabuf_free(wrapped_data_buf);
598 wpabuf_free(pubkey);
599
600 wpa_printf(MSG_DEBUG, "PASN: Frame 1: Success");
601 return buf;
602 fail:
603 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
604 wpabuf_free(wrapped_data_buf);
605 wpabuf_free(pubkey);
606 wpabuf_free(buf);
607 return NULL;
608 }
609
610
wpas_pasn_build_auth_3(struct pasn_data * pasn)611 static struct wpabuf * wpas_pasn_build_auth_3(struct pasn_data *pasn)
612 {
613 struct wpabuf *buf, *wrapped_data_buf = NULL;
614 u8 mic[WPA_PASN_MAX_MIC_LEN];
615 u8 mic_len, data_len;
616 const u8 *data;
617 u8 *ptr;
618 u8 wrapped_data;
619 int ret;
620
621 wpa_printf(MSG_DEBUG, "PASN: Building frame 3");
622
623 if (pasn->trans_seq != 2)
624 return NULL;
625
626 buf = wpabuf_alloc(1500);
627 if (!buf)
628 goto fail;
629
630 wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
631
632 wpa_pasn_build_auth_header(buf, pasn->bssid,
633 pasn->own_addr, pasn->peer_addr,
634 pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
635
636 wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
637
638 if (!wrapped_data_buf)
639 wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
640
641 wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
642 NULL, false, NULL, -1);
643
644 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
645 goto fail;
646 wpabuf_free(wrapped_data_buf);
647 wrapped_data_buf = NULL;
648
649 /* Add the MIC */
650 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
651 wpabuf_put_u8(buf, WLAN_EID_MIC);
652 wpabuf_put_u8(buf, mic_len);
653 ptr = wpabuf_put(buf, mic_len);
654
655 os_memset(ptr, 0, mic_len);
656
657 data = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
658 data_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
659
660 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
661 pasn->own_addr, pasn->peer_addr,
662 pasn->hash, mic_len * 2, data, data_len, mic);
663 if (ret) {
664 wpa_printf(MSG_DEBUG, "PASN: frame 3: Failed MIC calculation");
665 goto fail;
666 }
667
668 #ifdef CONFIG_TESTING_OPTIONS
669 if (pasn->corrupt_mic) {
670 wpa_printf(MSG_DEBUG, "PASN: frame 3: Corrupt MIC");
671 mic[0] = ~mic[0];
672 }
673 #endif /* CONFIG_TESTING_OPTIONS */
674
675 os_memcpy(ptr, mic, mic_len);
676
677 pasn->trans_seq++;
678
679 wpa_printf(MSG_DEBUG, "PASN: frame 3: Success");
680 return buf;
681 fail:
682 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
683 wpabuf_free(wrapped_data_buf);
684 wpabuf_free(buf);
685 return NULL;
686 }
687
688
wpa_pasn_reset(struct pasn_data * pasn)689 void wpa_pasn_reset(struct pasn_data *pasn)
690 {
691 wpa_printf(MSG_DEBUG, "PASN: Reset");
692
693 crypto_ecdh_deinit(pasn->ecdh);
694 pasn->ecdh = NULL;
695
696
697 pasn->akmp = 0;
698 pasn->cipher = 0;
699 pasn->group = 0;
700 pasn->trans_seq = 0;
701 pasn->pmk_len = 0;
702 pasn->using_pmksa = false;
703
704 forced_memzero(pasn->pmk, sizeof(pasn->pmk));
705 forced_memzero(&pasn->ptk, sizeof(pasn->ptk));
706 forced_memzero(&pasn->hash, sizeof(pasn->hash));
707
708 wpabuf_free(pasn->beacon_rsne_rsnxe);
709 pasn->beacon_rsne_rsnxe = NULL;
710
711 wpabuf_free(pasn->comeback);
712 pasn->comeback = NULL;
713 pasn->comeback_after = 0;
714
715 #ifdef CONFIG_SAE
716 sae_clear_data(&pasn->sae);
717 if (pasn->pt) {
718 sae_deinit_pt(pasn->pt);
719 pasn->pt = NULL;
720 }
721 #endif /* CONFIG_SAE */
722
723 #ifdef CONFIG_FILS
724 pasn->fils_eapol = false;
725 os_memset(&pasn->fils, 0, sizeof(pasn->fils));
726 #endif /* CONFIG_FILS*/
727
728 #ifdef CONFIG_IEEE80211R
729 forced_memzero(pasn->pmk_r1, sizeof(pasn->pmk_r1));
730 pasn->pmk_r1_len = 0;
731 os_memset(pasn->pmk_r1_name, 0, sizeof(pasn->pmk_r1_name));
732 #endif /* CONFIG_IEEE80211R */
733 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
734 pasn->pmksa_entry = NULL;
735 #ifdef CONFIG_TESTING_OPTIONS
736 pasn->corrupt_mic = 0;
737 #endif /* CONFIG_TESTING_OPTIONS */
738 pasn->network_id = 0;
739 pasn->derive_kdk = false;
740 pasn->rsn_ie = NULL;
741 pasn->rsn_ie_len = 0;
742 pasn->rsnxe_ie = NULL;
743 pasn->custom_pmkid_valid = false;
744 }
745
746
wpas_pasn_set_pmk(struct pasn_data * pasn,struct wpa_ie_data * rsn_data,struct wpa_pasn_params_data * pasn_data,struct wpabuf * wrapped_data)747 static int wpas_pasn_set_pmk(struct pasn_data *pasn,
748 struct wpa_ie_data *rsn_data,
749 struct wpa_pasn_params_data *pasn_data,
750 struct wpabuf *wrapped_data)
751 {
752 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
753
754 os_memset(pasn->pmk, 0, sizeof(pasn->pmk));
755 pasn->pmk_len = 0;
756
757 if (pasn->akmp == WPA_KEY_MGMT_PASN) {
758 wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
759
760 pasn->pmk_len = WPA_PASN_PMK_LEN;
761 os_memcpy(pasn->pmk, pasn_default_pmk,
762 sizeof(pasn_default_pmk));
763 return 0;
764 }
765
766 if (wpa_key_mgmt_ft(pasn->akmp)) {
767 #ifdef CONFIG_IEEE80211R
768 wpa_printf(MSG_DEBUG, "PASN: FT: Using PMK-R1");
769 pasn->pmk_len = pasn->pmk_r1_len;
770 os_memcpy(pasn->pmk, pasn->pmk_r1, pasn->pmk_r1_len);
771 pasn->using_pmksa = true;
772 return 0;
773 #else /* CONFIG_IEEE80211R */
774 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
775 return -1;
776 #endif /* CONFIG_IEEE80211R */
777 }
778
779 if (rsn_data->num_pmkid) {
780 int ret;
781 struct rsn_pmksa_cache_entry *pmksa;
782 const u8 *pmkid = NULL;
783
784 if (pasn->custom_pmkid_valid) {
785 ret = pasn->validate_custom_pmkid(pasn->cb_ctx,
786 pasn->peer_addr,
787 rsn_data->pmkid);
788 if (ret) {
789 wpa_printf(MSG_DEBUG,
790 "PASN: Failed custom PMKID validation");
791 return -1;
792 }
793 } else {
794 pmkid = rsn_data->pmkid;
795 }
796
797 pmksa = pmksa_cache_get(pasn->pmksa, pasn->peer_addr,
798 pasn->own_addr,
799 pmkid, NULL, pasn->akmp);
800 if (pmksa) {
801 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA");
802
803 pasn->pmk_len = pmksa->pmk_len;
804 os_memcpy(pasn->pmk, pmksa->pmk, pmksa->pmk_len);
805 pasn->using_pmksa = true;
806
807 return 0;
808 }
809 }
810
811 #ifdef CONFIG_SAE
812 if (pasn->akmp == WPA_KEY_MGMT_SAE) {
813 int ret;
814
815 ret = wpas_pasn_wd_sae_rx(pasn, wrapped_data);
816 if (ret) {
817 wpa_printf(MSG_DEBUG,
818 "PASN: Failed processing SAE wrapped data");
819 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
820 return -1;
821 }
822
823 wpa_printf(MSG_DEBUG, "PASN: Success deriving PMK with SAE");
824 pasn->pmk_len = PMK_LEN;
825 os_memcpy(pasn->pmk, pasn->sae.pmk, PMK_LEN);
826
827 pasn->pmksa_entry = pmksa_cache_add(pasn->pmksa, pasn->pmk,
828 pasn->pmk_len,
829 pasn->sae.pmkid,
830 NULL, 0, pasn->peer_addr,
831 pasn->own_addr, NULL,
832 pasn->akmp, 0);
833 return 0;
834 }
835 #endif /* CONFIG_SAE */
836
837 #ifdef CONFIG_FILS
838 if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
839 pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
840 int ret;
841
842 ret = wpas_pasn_wd_fils_rx(pasn, wrapped_data);
843 if (ret) {
844 wpa_printf(MSG_DEBUG,
845 "PASN: Failed processing FILS wrapped data");
846 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
847 return -1;
848 }
849
850 return 0;
851 }
852 #endif /* CONFIG_FILS */
853
854 /* TODO: Derive PMK based on wrapped data */
855 wpa_printf(MSG_DEBUG, "PASN: Missing implementation to derive PMK");
856 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
857 return -1;
858 }
859
860
wpas_pasn_send_auth_1(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback,bool verify)861 static int wpas_pasn_send_auth_1(struct pasn_data *pasn, const u8 *own_addr,
862 const u8 *peer_addr, const u8 *bssid, int akmp,
863 int cipher, u16 group, int freq,
864 const u8 *beacon_rsne, u8 beacon_rsne_len,
865 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
866 const struct wpabuf *comeback, bool verify)
867 {
868 struct wpabuf *frame;
869 int ret;
870
871 pasn->ecdh = crypto_ecdh_init(group);
872 if (!pasn->ecdh) {
873 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
874 goto fail;
875 }
876
877 if (beacon_rsne && beacon_rsne_len) {
878 pasn->beacon_rsne_rsnxe = wpabuf_alloc(beacon_rsne_len +
879 beacon_rsnxe_len);
880 if (!pasn->beacon_rsne_rsnxe) {
881 wpa_printf(MSG_DEBUG,
882 "PASN: Failed storing beacon RSNE/RSNXE");
883 goto fail;
884 }
885
886 wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsne,
887 beacon_rsne_len);
888 if (beacon_rsnxe && beacon_rsnxe_len)
889 wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsnxe,
890 beacon_rsnxe_len);
891 }
892
893 pasn->akmp = akmp;
894 pasn->cipher = cipher;
895 pasn->group = group;
896 pasn->freq = freq;
897
898 os_memcpy(pasn->own_addr, own_addr, ETH_ALEN);
899 os_memcpy(pasn->peer_addr, peer_addr, ETH_ALEN);
900 os_memcpy(pasn->bssid, bssid, ETH_ALEN);
901
902 wpa_printf(MSG_DEBUG,
903 "PASN: Init%s: " MACSTR " akmp=0x%x, cipher=0x%x, group=%u",
904 verify ? " (verify)" : "",
905 MAC2STR(pasn->peer_addr), pasn->akmp, pasn->cipher,
906 pasn->group);
907
908 frame = wpas_pasn_build_auth_1(pasn, comeback, verify);
909 if (!frame) {
910 wpa_printf(MSG_DEBUG, "PASN: Failed building 1st auth frame");
911 goto fail;
912 }
913
914 ret = pasn->send_mgmt(pasn->cb_ctx,
915 wpabuf_head(frame), wpabuf_len(frame), 0,
916 pasn->freq, 1000);
917
918 wpabuf_free(frame);
919 if (ret) {
920 wpa_printf(MSG_DEBUG, "PASN: Failed sending 1st auth frame");
921 goto fail;
922 }
923
924 return 0;
925
926 fail:
927 return -1;
928 }
929
930
wpas_pasn_start(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback)931 int wpas_pasn_start(struct pasn_data *pasn, const u8 *own_addr,
932 const u8 *peer_addr, const u8 *bssid,
933 int akmp, int cipher, u16 group,
934 int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
935 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
936 const struct wpabuf *comeback)
937 {
938 /* TODO: Currently support only ECC groups */
939 if (!dragonfly_suitable_group(group, 1)) {
940 wpa_printf(MSG_DEBUG,
941 "PASN: Reject unsuitable group %u", group);
942 return -1;
943 }
944
945 switch (akmp) {
946 case WPA_KEY_MGMT_PASN:
947 break;
948 #ifdef CONFIG_SAE
949 case WPA_KEY_MGMT_SAE:
950
951 if (beacon_rsnxe &&
952 !ieee802_11_rsnx_capab(beacon_rsnxe,
953 WLAN_RSNX_CAPAB_SAE_H2E)) {
954 wpa_printf(MSG_DEBUG,
955 "PASN: AP does not support SAE H2E");
956 return -1;
957 }
958
959 pasn->sae.state = SAE_NOTHING;
960 pasn->sae.send_confirm = 0;
961 break;
962 #endif /* CONFIG_SAE */
963 #ifdef CONFIG_FILS
964 case WPA_KEY_MGMT_FILS_SHA256:
965 case WPA_KEY_MGMT_FILS_SHA384:
966 break;
967 #endif /* CONFIG_FILS */
968 #ifdef CONFIG_IEEE80211R
969 case WPA_KEY_MGMT_FT_PSK:
970 case WPA_KEY_MGMT_FT_IEEE8021X:
971 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
972 break;
973 #endif /* CONFIG_IEEE80211R */
974 default:
975 wpa_printf(MSG_ERROR, "PASN: Unsupported AKMP=0x%x", akmp);
976 return -1;
977 }
978
979 return wpas_pasn_send_auth_1(pasn, own_addr, peer_addr, bssid, akmp,
980 cipher, group,
981 freq, beacon_rsne, beacon_rsne_len,
982 beacon_rsnxe, beacon_rsnxe_len, comeback,
983 false);
984 }
985
986 /*
987 * Wi-Fi Aware uses PASN handshake to authenticate peer devices.
988 * Devices can simply verify each other for subsequent sessions using
989 * pairing verification procedure.
990 *
991 * In pairing verification, Wi-Fi aware devices use PASN authentication
992 * frames with a custom PMKID and Wi-Fi Aware R4 specific verification IEs.
993 * It does not use wrapped data in the Authentication frames. This function
994 * provides support to construct PASN Authentication frames for pairing
995 * verification.
996 */
wpa_pasn_verify(struct pasn_data * pasn,const u8 * own_addr,const u8 * peer_addr,const u8 * bssid,int akmp,int cipher,u16 group,int freq,const u8 * beacon_rsne,u8 beacon_rsne_len,const u8 * beacon_rsnxe,u8 beacon_rsnxe_len,const struct wpabuf * comeback)997 int wpa_pasn_verify(struct pasn_data *pasn, const u8 *own_addr,
998 const u8 *peer_addr, const u8 *bssid,
999 int akmp, int cipher, u16 group,
1000 int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
1001 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
1002 const struct wpabuf *comeback)
1003 {
1004 return wpas_pasn_send_auth_1(pasn, own_addr, peer_addr, bssid, akmp,
1005 cipher, group, freq, beacon_rsne,
1006 beacon_rsne_len, beacon_rsnxe,
1007 beacon_rsnxe_len, comeback, true);
1008 }
1009
1010
is_pasn_auth_frame(struct pasn_data * pasn,const struct ieee80211_mgmt * mgmt,size_t len,bool rx)1011 static bool is_pasn_auth_frame(struct pasn_data *pasn,
1012 const struct ieee80211_mgmt *mgmt,
1013 size_t len, bool rx)
1014 {
1015 u16 fc;
1016
1017 if (!mgmt || len < offsetof(struct ieee80211_mgmt, u.auth.variable))
1018 return false;
1019
1020 /* Not an Authentication frame; do nothing */
1021 fc = le_to_host16(mgmt->frame_control);
1022 if (WLAN_FC_GET_TYPE(fc) != WLAN_FC_TYPE_MGMT ||
1023 WLAN_FC_GET_STYPE(fc) != WLAN_FC_STYPE_AUTH)
1024 return false;
1025
1026 /* Not our frame; do nothing */
1027 if (os_memcmp(mgmt->bssid, pasn->bssid, ETH_ALEN) != 0)
1028 return false;
1029
1030 if (rx && (os_memcmp(mgmt->da, pasn->own_addr, ETH_ALEN) != 0 ||
1031 os_memcmp(mgmt->sa, pasn->peer_addr, ETH_ALEN) != 0))
1032 return false;
1033
1034 if (!rx && (os_memcmp(mgmt->sa, pasn->own_addr, ETH_ALEN) != 0 ||
1035 os_memcmp(mgmt->da, pasn->peer_addr, ETH_ALEN) != 0))
1036 return false;
1037
1038 /* Not PASN; do nothing */
1039 if (mgmt->u.auth.auth_alg != host_to_le16(WLAN_AUTH_PASN))
1040 return false;
1041
1042 return true;
1043 }
1044
1045
wpa_pasn_auth_rx(struct pasn_data * pasn,const u8 * data,size_t len,struct wpa_pasn_params_data * pasn_params)1046 int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
1047 struct wpa_pasn_params_data *pasn_params)
1048
1049 {
1050 struct ieee802_11_elems elems;
1051 struct wpa_ie_data rsn_data;
1052 const struct ieee80211_mgmt *mgmt =
1053 (const struct ieee80211_mgmt *) data;
1054 struct wpabuf *wrapped_data = NULL, *secret = NULL, *frame = NULL;
1055 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
1056 u8 mic_len;
1057 u16 status;
1058 int ret, inc_y;
1059 u8 *copy = NULL;
1060 size_t mic_offset, copy_len;
1061
1062 if (!is_pasn_auth_frame(pasn, mgmt, len, true))
1063 return -2;
1064
1065 if (mgmt->u.auth.auth_transaction !=
1066 host_to_le16(pasn->trans_seq + 1)) {
1067 wpa_printf(MSG_DEBUG,
1068 "PASN: RX: Invalid transaction sequence: (%u != %u)",
1069 le_to_host16(mgmt->u.auth.auth_transaction),
1070 pasn->trans_seq + 1);
1071 return -3;
1072 }
1073
1074 status = le_to_host16(mgmt->u.auth.status_code);
1075
1076 if (status != WLAN_STATUS_SUCCESS &&
1077 status != WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1078 wpa_printf(MSG_DEBUG,
1079 "PASN: Authentication rejected - status=%u", status);
1080 goto fail;
1081 }
1082
1083 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
1084 len - offsetof(struct ieee80211_mgmt,
1085 u.auth.variable),
1086 &elems, 0) == ParseFailed) {
1087 wpa_printf(MSG_DEBUG,
1088 "PASN: Failed parsing Authentication frame");
1089 goto fail;
1090 }
1091
1092 /* Check that the MIC IE exists. Save it and zero out the memory */
1093 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
1094 if (status == WLAN_STATUS_SUCCESS) {
1095 if (!elems.mic || elems.mic_len != mic_len) {
1096 wpa_printf(MSG_DEBUG,
1097 "PASN: Invalid MIC. Expecting len=%u",
1098 mic_len);
1099 goto fail;
1100 }
1101 os_memcpy(mic, elems.mic, mic_len);
1102 }
1103
1104 if (!elems.pasn_params || !elems.pasn_params_len) {
1105 wpa_printf(MSG_DEBUG,
1106 "PASN: Missing PASN Parameters IE");
1107 goto fail;
1108 }
1109
1110 if (!pasn_params) {
1111 wpa_printf(MSG_DEBUG, "PASN: pasn_params == NULL");
1112 goto fail;
1113 }
1114
1115 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
1116 elems.pasn_params_len + 3,
1117 true, pasn_params);
1118 if (ret) {
1119 wpa_printf(MSG_DEBUG,
1120 "PASN: Failed validation PASN of Parameters IE");
1121 goto fail;
1122 }
1123
1124 if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1125 wpa_printf(MSG_DEBUG,
1126 "PASN: Authentication temporarily rejected");
1127
1128 if (pasn_params->comeback && pasn_params->comeback_len) {
1129 wpa_printf(MSG_DEBUG,
1130 "PASN: Comeback token available. After=%u",
1131 pasn_params->after);
1132
1133 if (!pasn_params->after)
1134 return 1;
1135
1136 pasn->comeback = wpabuf_alloc_copy(
1137 pasn_params->comeback,
1138 pasn_params->comeback_len);
1139 if (pasn->comeback)
1140 pasn->comeback_after = pasn_params->after;
1141 }
1142
1143 pasn->status = status;
1144 goto fail;
1145 }
1146
1147 if (!elems.rsn_ie) {
1148 wpa_printf(MSG_DEBUG, "PASN: Missing RSNE");
1149 goto fail;
1150 }
1151
1152 ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1153 &rsn_data);
1154 if (ret) {
1155 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE");
1156 goto fail;
1157 }
1158
1159 ret = wpa_pasn_validate_rsne(&rsn_data);
1160 if (ret) {
1161 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
1162 goto fail;
1163 }
1164
1165 if (pasn->akmp != rsn_data.key_mgmt ||
1166 pasn->cipher != rsn_data.pairwise_cipher) {
1167 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
1168 goto fail;
1169 }
1170
1171 if (pasn->group != pasn_params->group) {
1172 wpa_printf(MSG_DEBUG, "PASN: Mismatch in group");
1173 goto fail;
1174 }
1175
1176 if (!pasn_params->pubkey || !pasn_params->pubkey_len) {
1177 wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
1178 goto fail;
1179 }
1180
1181 if (pasn_params->pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
1182 inc_y = 1;
1183 } else if (pasn_params->pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
1184 pasn_params->pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
1185 inc_y = 0;
1186 } else {
1187 wpa_printf(MSG_DEBUG,
1188 "PASN: Invalid first octet in pubkey=0x%x",
1189 pasn_params->pubkey[0]);
1190 goto fail;
1191 }
1192
1193 secret = crypto_ecdh_set_peerkey(pasn->ecdh, inc_y,
1194 pasn_params->pubkey + 1,
1195 pasn_params->pubkey_len - 1);
1196
1197 if (!secret) {
1198 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
1199 goto fail;
1200 }
1201
1202 if (pasn_params->wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
1203 wrapped_data = ieee802_11_defrag(&elems,
1204 WLAN_EID_EXTENSION,
1205 WLAN_EID_EXT_WRAPPED_DATA);
1206
1207 if (!wrapped_data) {
1208 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
1209 goto fail;
1210 }
1211 }
1212
1213 ret = wpas_pasn_set_pmk(pasn, &rsn_data, pasn_params, wrapped_data);
1214 if (ret) {
1215 wpa_printf(MSG_DEBUG, "PASN: Failed to set PMK");
1216 goto fail;
1217 }
1218
1219 ret = pasn_pmk_to_ptk(pasn->pmk, pasn->pmk_len,
1220 pasn->own_addr, pasn->peer_addr,
1221 wpabuf_head(secret), wpabuf_len(secret),
1222 &pasn->ptk, pasn->akmp, pasn->cipher,
1223 pasn->kdk_len);
1224 if (ret) {
1225 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
1226 goto fail;
1227 }
1228
1229 if (pasn->secure_ltf) {
1230 ret = wpa_ltf_keyseed(&pasn->ptk, pasn->akmp, pasn->cipher);
1231 if (ret) {
1232 wpa_printf(MSG_DEBUG,
1233 "PASN: Failed to derive LTF keyseed");
1234 goto fail;
1235 }
1236 }
1237
1238 wpabuf_free(wrapped_data);
1239 wrapped_data = NULL;
1240 wpabuf_free(secret);
1241 secret = NULL;
1242
1243 /* Use a copy of the message since we need to clear the MIC field */
1244 if (!elems.mic)
1245 goto fail;
1246 mic_offset = elems.mic - (const u8 *) &mgmt->u.auth;
1247 copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
1248 if (mic_offset + mic_len > copy_len)
1249 goto fail;
1250 copy = os_memdup(&mgmt->u.auth, copy_len);
1251 if (!copy)
1252 goto fail;
1253 os_memset(copy + mic_offset, 0, mic_len);
1254
1255 if (pasn->beacon_rsne_rsnxe) {
1256 /* Verify the MIC */
1257 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1258 pasn->peer_addr, pasn->own_addr,
1259 wpabuf_head(pasn->beacon_rsne_rsnxe),
1260 wpabuf_len(pasn->beacon_rsne_rsnxe),
1261 copy, copy_len, out_mic);
1262 } else {
1263 u8 *rsne_rsnxe;
1264 size_t rsne_rsnxe_len = 0;
1265
1266 /*
1267 * Note: When Beacon rsne_rsnxe is not initialized, it is likely
1268 * that this is for Wi-Fi Aware using PASN handshake for which
1269 * Beacon RSNE/RSNXE are same as RSNE/RSNXE in the
1270 * Authentication frame
1271 */
1272 if (elems.rsn_ie && elems.rsn_ie_len)
1273 rsne_rsnxe_len += elems.rsn_ie_len + 2;
1274 if (elems.rsnxe && elems.rsnxe_len)
1275 rsne_rsnxe_len += elems.rsnxe_len + 2;
1276
1277 rsne_rsnxe = os_zalloc(rsne_rsnxe_len);
1278 if (!rsne_rsnxe)
1279 goto fail;
1280
1281 if (elems.rsn_ie && elems.rsn_ie_len)
1282 os_memcpy(rsne_rsnxe, elems.rsn_ie - 2,
1283 elems.rsn_ie_len + 2);
1284 if (elems.rsnxe && elems.rsnxe_len)
1285 os_memcpy(rsne_rsnxe + elems.rsn_ie_len + 2,
1286 elems.rsnxe - 2, elems.rsnxe_len + 2);
1287
1288 wpa_hexdump_key(MSG_DEBUG, "PASN: RSN + RSNXE buf",
1289 rsne_rsnxe, rsne_rsnxe_len);
1290
1291 /* Verify the MIC */
1292 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1293 pasn->peer_addr, pasn->own_addr,
1294 rsne_rsnxe,
1295 rsne_rsnxe_len,
1296 copy, copy_len, out_mic);
1297
1298 os_free(rsne_rsnxe);
1299 }
1300 os_free(copy);
1301 copy = NULL;
1302
1303 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
1304 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
1305 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
1306 goto fail;
1307 }
1308
1309 pasn->trans_seq++;
1310
1311 wpa_printf(MSG_DEBUG, "PASN: Success verifying Authentication frame");
1312
1313 frame = wpas_pasn_build_auth_3(pasn);
1314 if (!frame) {
1315 wpa_printf(MSG_DEBUG, "PASN: Failed building 3rd auth frame");
1316 goto fail;
1317 }
1318
1319 ret = pasn->send_mgmt(pasn->cb_ctx,
1320 wpabuf_head(frame), wpabuf_len(frame), 0,
1321 pasn->freq, 100);
1322 wpabuf_free(frame);
1323 if (ret) {
1324 wpa_printf(MSG_DEBUG, "PASN: Failed sending 3st auth frame");
1325 goto fail;
1326 }
1327
1328 wpa_printf(MSG_DEBUG, "PASN: Success sending last frame. Store PTK");
1329
1330 pasn->status = WLAN_STATUS_SUCCESS;
1331
1332 return 0;
1333 fail:
1334 wpa_printf(MSG_DEBUG, "PASN: Failed RX processing - terminating");
1335 wpabuf_free(wrapped_data);
1336 wpabuf_free(secret);
1337 os_free(copy);
1338
1339 /*
1340 * TODO: In case of an error the standard allows to silently drop
1341 * the frame and terminate the authentication exchange. However, better
1342 * reply to the AP with an error status.
1343 */
1344 if (status == WLAN_STATUS_SUCCESS)
1345 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1346 else
1347 pasn->status = status;
1348
1349 return -1;
1350 }
1351
1352
wpa_pasn_auth_tx_status(struct pasn_data * pasn,const u8 * data,size_t data_len,u8 acked)1353 int wpa_pasn_auth_tx_status(struct pasn_data *pasn,
1354 const u8 *data, size_t data_len, u8 acked)
1355
1356 {
1357 const struct ieee80211_mgmt *mgmt =
1358 (const struct ieee80211_mgmt *) data;
1359
1360 wpa_printf(MSG_DEBUG, "PASN: auth_tx_status: acked=%u", acked);
1361
1362 if (!is_pasn_auth_frame(pasn, mgmt, data_len, false))
1363 return -1;
1364
1365 if (mgmt->u.auth.auth_transaction != host_to_le16(pasn->trans_seq)) {
1366 wpa_printf(MSG_ERROR,
1367 "PASN: Invalid transaction sequence: (%u != %u)",
1368 pasn->trans_seq,
1369 le_to_host16(mgmt->u.auth.auth_transaction));
1370 return 0;
1371 }
1372
1373 wpa_printf(MSG_ERROR,
1374 "PASN: auth with trans_seq=%u, acked=%u", pasn->trans_seq,
1375 acked);
1376
1377 /*
1378 * Even if the frame was not acked, do not treat this is an error, and
1379 * try to complete the flow, relying on the PASN timeout callback to
1380 * clean up.
1381 */
1382 if (pasn->trans_seq == 3) {
1383 wpa_printf(MSG_DEBUG, "PASN: auth complete with: " MACSTR,
1384 MAC2STR(pasn->peer_addr));
1385 /*
1386 * Either frame was not ACKed or it was ACKed but the trans_seq
1387 * != 1, i.e., not expecting an RX frame, so we are done.
1388 */
1389 return 1;
1390 }
1391
1392 return 0;
1393 }
1394