42 void dpp_auth_fail(struct dpp_authentication *auth, const char *txt) in dpp_auth_fail() argument
44 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt); in dpp_auth_fail()
580 static int dpp_channel_intersect(struct dpp_authentication *auth, in dpp_channel_intersect() argument
584 struct dpp_bootstrap_info *peer_bi = auth->peer_bi; in dpp_channel_intersect()
589 if (freq_included(auth->freq, auth->num_freq, freq)) in dpp_channel_intersect()
592 auth->freq[auth->num_freq++] = freq; in dpp_channel_intersect()
594 if (!auth->num_freq) { in dpp_channel_intersect()
599 auth->curr_freq = auth->freq[0]; in dpp_channel_intersect()
604 static int dpp_channel_local_list(struct dpp_authentication *auth, in dpp_channel_local_list() argument
612 auth->num_freq = 0; in dpp_channel_local_list()
615 auth->freq[0] = 2412; in dpp_channel_local_list()
616 auth->freq[1] = 2437; in dpp_channel_local_list()
617 auth->freq[2] = 2462; in dpp_channel_local_list()
618 auth->num_freq = 3; in dpp_channel_local_list()
630 if (freq_included(auth->freq, auth->num_freq, freq)) in dpp_channel_local_list()
632 auth->freq[auth->num_freq++] = freq; in dpp_channel_local_list()
633 if (auth->num_freq == DPP_BOOTSTRAP_MAX_FREQ) { in dpp_channel_local_list()
640 return auth->num_freq == 0 ? -1 : 0; in dpp_channel_local_list()
644 int dpp_prepare_channel_list(struct dpp_authentication *auth, in dpp_prepare_channel_list() argument
655 auth->num_freq = 1; in dpp_prepare_channel_list()
656 auth->freq[0] = neg_freq; in dpp_prepare_channel_list()
657 auth->curr_freq = neg_freq; in dpp_prepare_channel_list()
661 if (auth->peer_bi->num_freq > 0) in dpp_prepare_channel_list()
662 res = dpp_channel_intersect(auth, own_modes, num_modes); in dpp_prepare_channel_list()
664 res = dpp_channel_local_list(auth, own_modes, num_modes); in dpp_prepare_channel_list()
670 freq_to_start(auth->freq, auth->num_freq, 2462); in dpp_prepare_channel_list()
671 freq_to_start(auth->freq, auth->num_freq, 2412); in dpp_prepare_channel_list()
672 freq_to_start(auth->freq, auth->num_freq, 2437); in dpp_prepare_channel_list()
674 auth->freq_idx = 0; in dpp_prepare_channel_list()
675 auth->curr_freq = auth->freq[0]; in dpp_prepare_channel_list()
679 for (i = 0; i < auth->num_freq; i++) { in dpp_prepare_channel_list()
680 res = os_snprintf(pos, end - pos, " %u", auth->freq[i]); in dpp_prepare_channel_list()
771 struct dpp_authentication *auth; in dpp_alloc_auth() local
773 auth = os_zalloc(sizeof(*auth)); in dpp_alloc_auth()
774 if (!auth) in dpp_alloc_auth()
776 auth->global = dpp; in dpp_alloc_auth()
777 auth->msg_ctx = msg_ctx; in dpp_alloc_auth()
778 auth->conf_resp_status = 255; in dpp_alloc_auth()
779 return auth; in dpp_alloc_auth()
783 static struct wpabuf * dpp_build_conf_req_attr(struct dpp_authentication *auth, in dpp_build_conf_req_attr() argument
797 nonce_len = auth->curve->nonce_len; in dpp_build_conf_req_attr()
798 if (random_get_bytes(auth->e_nonce, nonce_len)) { in dpp_build_conf_req_attr()
802 wpa_hexdump(MSG_DEBUG, "DPP: E-nonce", auth->e_nonce, nonce_len); in dpp_build_conf_req_attr()
809 if (auth->waiting_new_key) { in dpp_build_conf_req_attr()
810 pe = crypto_ec_key_get_pubkey_point(auth->own_protocol_key, 0); in dpp_build_conf_req_attr()
815 if (dpp_derive_auth_i(auth, auth_i) < 0) in dpp_build_conf_req_attr()
817 clear_len += 4 + auth->curve->hash_len; in dpp_build_conf_req_attr()
839 wpabuf_put_data(clear, auth->e_nonce, nonce_len - 1); in dpp_build_conf_req_attr()
851 wpabuf_put_data(clear, auth->e_nonce, nonce_len); in dpp_build_conf_req_attr()
868 if (auth->waiting_new_key) { in dpp_build_conf_req_attr()
871 wpabuf_put_le16(clear, auth->curve->hash_len); in dpp_build_conf_req_attr()
872 wpabuf_put_data(clear, auth_i, auth->curve->hash_len); in dpp_build_conf_req_attr()
891 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len, in dpp_build_conf_req_attr()
942 struct wpabuf * dpp_build_conf_req(struct dpp_authentication *auth, in dpp_build_conf_req() argument
947 conf_req = dpp_build_conf_req_attr(auth, json); in dpp_build_conf_req()
969 struct wpabuf * dpp_build_conf_req_helper(struct dpp_authentication *auth, in dpp_build_conf_req_helper() argument
1000 if (auth->csr) { in dpp_build_conf_req_helper()
1003 csr = base64_encode_no_lf(wpabuf_head(auth->csr), in dpp_build_conf_req_helper()
1004 wpabuf_len(auth->csr), &csr_len); in dpp_build_conf_req_helper()
1044 buf = dpp_build_conf_req(auth, wpabuf_head(json)); in dpp_build_conf_req_helper()
1161 static int dpp_configuration_parse_helper(struct dpp_authentication *auth, in dpp_configuration_parse_helper() argument
1189 auth->provision_configurator = 1; in dpp_configuration_parse_helper()
1310 auth->conf_sta = conf_sta; in dpp_configuration_parse_helper()
1311 auth->conf_ap = conf_ap; in dpp_configuration_parse_helper()
1313 if (!auth->conf_sta) in dpp_configuration_parse_helper()
1314 auth->conf_sta = conf_sta; in dpp_configuration_parse_helper()
1316 auth->conf2_sta = conf_sta; in dpp_configuration_parse_helper()
1317 if (!auth->conf_ap) in dpp_configuration_parse_helper()
1318 auth->conf_ap = conf_ap; in dpp_configuration_parse_helper()
1320 auth->conf2_ap = conf_ap; in dpp_configuration_parse_helper()
1333 static int dpp_configuration_parse(struct dpp_authentication *auth, in dpp_configuration_parse() argument
1343 return dpp_configuration_parse_helper(auth, cmd, 0); in dpp_configuration_parse()
1351 res = dpp_configuration_parse_helper(auth, tmp, 0); in dpp_configuration_parse()
1355 res = dpp_configuration_parse_helper(auth, cmd + len, 1); in dpp_configuration_parse()
1360 dpp_configuration_free(auth->conf_sta); in dpp_configuration_parse()
1361 dpp_configuration_free(auth->conf2_sta); in dpp_configuration_parse()
1362 dpp_configuration_free(auth->conf_ap); in dpp_configuration_parse()
1363 dpp_configuration_free(auth->conf2_ap); in dpp_configuration_parse()
1385 int dpp_set_configurator(struct dpp_authentication *auth, const char *cmd) in dpp_set_configurator() argument
1391 if (!cmd || auth->configurator_set) in dpp_set_configurator()
1393 auth->configurator_set = 1; in dpp_set_configurator()
1410 auth->configurator_set = 0; in dpp_set_configurator()
1411 auth->use_config_query = true; in dpp_set_configurator()
1417 if (!auth->conf && pos) { in dpp_set_configurator()
1419 auth->conf = dpp_configurator_get_id(auth->global, atoi(pos)); in dpp_set_configurator()
1420 if (!auth->conf) { in dpp_set_configurator()
1430 auth->send_conn_status = atoi(pos); in dpp_set_configurator()
1436 auth->akm_use_selector = atoi(pos); in dpp_set_configurator()
1439 if (dpp_configuration_parse(auth, cmd) < 0) { in dpp_set_configurator()
1440 wpa_msg(auth->msg_ctx, MSG_INFO, in dpp_set_configurator()
1451 void dpp_auth_deinit(struct dpp_authentication *auth) in dpp_auth_deinit() argument
1455 if (!auth) in dpp_auth_deinit()
1457 dpp_configuration_free(auth->conf_ap); in dpp_auth_deinit()
1458 dpp_configuration_free(auth->conf2_ap); in dpp_auth_deinit()
1459 dpp_configuration_free(auth->conf_sta); in dpp_auth_deinit()
1460 dpp_configuration_free(auth->conf2_sta); in dpp_auth_deinit()
1461 crypto_ec_key_deinit(auth->own_protocol_key); in dpp_auth_deinit()
1462 crypto_ec_key_deinit(auth->peer_protocol_key); in dpp_auth_deinit()
1463 crypto_ec_key_deinit(auth->reconfig_old_protocol_key); in dpp_auth_deinit()
1464 wpabuf_free(auth->req_msg); in dpp_auth_deinit()
1465 wpabuf_free(auth->resp_msg); in dpp_auth_deinit()
1466 wpabuf_free(auth->conf_req); in dpp_auth_deinit()
1467 wpabuf_free(auth->reconfig_req_msg); in dpp_auth_deinit()
1468 wpabuf_free(auth->reconfig_resp_msg); in dpp_auth_deinit()
1469 for (i = 0; i < auth->num_conf_obj; i++) { in dpp_auth_deinit()
1470 struct dpp_config_obj *conf = &auth->conf_obj[i]; in dpp_auth_deinit()
1481 dpp_free_asymmetric_key(auth->conf_key_pkg); in dpp_auth_deinit()
1482 os_free(auth->csrattrs); in dpp_auth_deinit()
1483 wpabuf_free(auth->csr); in dpp_auth_deinit()
1484 wpabuf_free(auth->priv_key); in dpp_auth_deinit()
1485 wpabuf_free(auth->cacert); in dpp_auth_deinit()
1486 wpabuf_free(auth->certbag); in dpp_auth_deinit()
1487 os_free(auth->trusted_eap_server_name); in dpp_auth_deinit()
1488 wpabuf_free(auth->conf_resp_tcp); in dpp_auth_deinit()
1490 wpabuf_free(auth->net_access_key); in dpp_auth_deinit()
1491 dpp_bootstrap_info_free(auth->tmp_own_bi); in dpp_auth_deinit()
1492 if (auth->tmp_peer_bi) { in dpp_auth_deinit()
1493 dl_list_del(&auth->tmp_peer_bi->list); in dpp_auth_deinit()
1494 dpp_bootstrap_info_free(auth->tmp_peer_bi); in dpp_auth_deinit()
1496 os_free(auth->e_name); in dpp_auth_deinit()
1497 os_free(auth->e_mud_url); in dpp_auth_deinit()
1498 os_free(auth->e_band_support); in dpp_auth_deinit()
1500 os_free(auth->config_obj_override); in dpp_auth_deinit()
1501 os_free(auth->discovery_override); in dpp_auth_deinit()
1502 os_free(auth->groups_override); in dpp_auth_deinit()
1504 bin_clear_free(auth, sizeof(*auth)); in dpp_auth_deinit()
1509 dpp_build_conf_start(struct dpp_authentication *auth, in dpp_build_conf_start() argument
1515 if (auth->discovery_override) in dpp_build_conf_start()
1516 tailroom += os_strlen(auth->discovery_override); in dpp_build_conf_start()
1526 if (auth->discovery_override) { in dpp_build_conf_start()
1528 auth->discovery_override); in dpp_build_conf_start()
1530 wpabuf_put_str(buf, auth->discovery_override); in dpp_build_conf_start()
1536 if (((!conf->ssid_charset || auth->peer_version < 2) && in dpp_build_conf_start()
1539 ((conf->ssid_charset && auth->peer_version >= 2) && in dpp_build_conf_start()
1651 dpp_build_conf_obj_dpp(struct dpp_authentication *auth, in dpp_build_conf_obj_dpp() argument
1665 if (!auth->conf) { in dpp_build_conf_obj_dpp()
1670 curve = auth->conf->curve; in dpp_build_conf_obj_dpp()
1672 !dpp_supports_curve(curve->name, auth->peer_bi)) { in dpp_build_conf_obj_dpp()
1678 if (auth->new_curve && auth->new_key_received) in dpp_build_conf_obj_dpp()
1679 nak_curve = auth->new_curve; in dpp_build_conf_obj_dpp()
1681 nak_curve = auth->curve; in dpp_build_conf_obj_dpp()
1682 if (!dpp_supports_curve(nak_curve->name, auth->peer_bi)) { in dpp_build_conf_obj_dpp()
1690 if (dpp_akm_ver2(akm) && auth->peer_version < 2) { in dpp_build_conf_obj_dpp()
1697 if (auth->groups_override) in dpp_build_conf_obj_dpp()
1698 extra_len += os_strlen(auth->groups_override); in dpp_build_conf_obj_dpp()
1709 if (auth->groups_override) { in dpp_build_conf_obj_dpp()
1711 if (auth->groups_override) { in dpp_build_conf_obj_dpp()
1714 auth->groups_override); in dpp_build_conf_obj_dpp()
1716 wpabuf_put_str(dppcon, auth->groups_override); in dpp_build_conf_obj_dpp()
1735 if (!auth->peer_protocol_key) { in dpp_build_conf_obj_dpp()
1741 if (auth->conf->net_access_key_curve && in dpp_build_conf_obj_dpp()
1742 auth->curve != auth->conf->net_access_key_curve && in dpp_build_conf_obj_dpp()
1743 !auth->new_key_received) { in dpp_build_conf_obj_dpp()
1744 if (!dpp_supports_curve(auth->conf->net_access_key_curve->name, in dpp_build_conf_obj_dpp()
1745 auth->peer_bi)) { in dpp_build_conf_obj_dpp()
1748 auth->conf->net_access_key_curve->name); in dpp_build_conf_obj_dpp()
1753 auth->curve->name, in dpp_build_conf_obj_dpp()
1754 auth->conf->net_access_key_curve->name, in dpp_build_conf_obj_dpp()
1755 auth->waiting_new_key ? in dpp_build_conf_obj_dpp()
1758 if (auth->waiting_new_key) in dpp_build_conf_obj_dpp()
1759 auth->waiting_new_key = false; /* failed */ in dpp_build_conf_obj_dpp()
1761 auth->waiting_new_key = true; in dpp_build_conf_obj_dpp()
1765 if (dpp_build_jwk(dppcon, "netAccessKey", auth->peer_protocol_key, NULL, in dpp_build_conf_obj_dpp()
1788 json_add_int(dppcon, "version", auth->peer_version); in dpp_build_conf_obj_dpp()
1794 signed_conn = dpp_sign_connector(auth->conf, dppcon); in dpp_build_conf_obj_dpp()
1800 tailroom += 2 * curve->prime_len * 4 / 3 + os_strlen(auth->conf->kid); in dpp_build_conf_obj_dpp()
1805 if (auth->certbag) in dpp_build_conf_obj_dpp()
1806 tailroom += 2 * wpabuf_len(auth->certbag); in dpp_build_conf_obj_dpp()
1807 if (auth->cacert) in dpp_build_conf_obj_dpp()
1808 tailroom += 2 * wpabuf_len(auth->cacert); in dpp_build_conf_obj_dpp()
1809 if (auth->trusted_eap_server_name) in dpp_build_conf_obj_dpp()
1810 tailroom += os_strlen(auth->trusted_eap_server_name); in dpp_build_conf_obj_dpp()
1816 buf = dpp_build_conf_start(auth, conf, tailroom); in dpp_build_conf_obj_dpp()
1820 if (auth->akm_use_selector && dpp_akm_ver2(akm)) in dpp_build_conf_obj_dpp()
1833 if (!auth->certbag) in dpp_build_conf_obj_dpp()
1835 json_add_base64(buf, "certBag", wpabuf_head(auth->certbag), in dpp_build_conf_obj_dpp()
1836 wpabuf_len(auth->certbag)); in dpp_build_conf_obj_dpp()
1837 if (auth->cacert) { in dpp_build_conf_obj_dpp()
1840 wpabuf_head(auth->cacert), in dpp_build_conf_obj_dpp()
1841 wpabuf_len(auth->cacert)); in dpp_build_conf_obj_dpp()
1843 if (auth->trusted_eap_server_name) { in dpp_build_conf_obj_dpp()
1846 auth->trusted_eap_server_name); in dpp_build_conf_obj_dpp()
1859 if (dpp_build_jwk(buf, "csign", auth->conf->csign, auth->conf->kid, in dpp_build_conf_obj_dpp()
1865 if (auth->peer_version >= 2 && auth->conf->pp_key) { in dpp_build_conf_obj_dpp()
1867 if (dpp_build_jwk(buf, "ppKey", auth->conf->pp_key, NULL, in dpp_build_conf_obj_dpp()
1887 if (!auth->conf->net_access_key_curve) { in dpp_build_conf_obj_dpp()
1896 auth->conf->net_access_key_curve = nak_curve; in dpp_build_conf_obj_dpp()
1913 dpp_build_conf_obj_legacy(struct dpp_authentication *auth, in dpp_build_conf_obj_legacy() argument
1923 buf = dpp_build_conf_start(auth, conf, len); in dpp_build_conf_obj_legacy()
1927 if (auth->akm_use_selector && dpp_akm_ver2(conf->akm)) in dpp_build_conf_obj_legacy()
1950 static int dpp_get_peer_bi_id(struct dpp_authentication *auth) in dpp_get_peer_bi_id() argument
1954 if (auth->peer_bi) in dpp_get_peer_bi_id()
1955 return auth->peer_bi->id; in dpp_get_peer_bi_id()
1956 if (auth->tmp_peer_bi) in dpp_get_peer_bi_id()
1957 return auth->tmp_peer_bi->id; in dpp_get_peer_bi_id()
1962 bi->id = dpp_next_id(auth->global); in dpp_get_peer_bi_id()
1963 dl_list_add(&auth->global->bootstrap, &bi->list); in dpp_get_peer_bi_id()
1964 auth->tmp_peer_bi = bi; in dpp_get_peer_bi_id()
1970 dpp_build_conf_obj(struct dpp_authentication *auth, enum dpp_netrole netrole, in dpp_build_conf_obj() argument
1976 if (auth->config_obj_override) { in dpp_build_conf_obj()
1980 return wpabuf_alloc_copy(auth->config_obj_override, in dpp_build_conf_obj()
1981 os_strlen(auth->config_obj_override)); in dpp_build_conf_obj()
1987 conf = auth->conf_sta; in dpp_build_conf_obj()
1989 conf = auth->conf_ap; in dpp_build_conf_obj()
1992 conf = auth->conf2_sta; in dpp_build_conf_obj()
1994 conf = auth->conf2_ap; in dpp_build_conf_obj()
1998 if (auth->use_config_query) { in dpp_build_conf_obj()
2002 auth->waiting_config = true; in dpp_build_conf_obj()
2003 dpp_get_peer_bi_id(auth); in dpp_build_conf_obj()
2014 if (!auth->conf) { in dpp_build_conf_obj()
2019 if (!cert_req && !auth->certbag) { in dpp_build_conf_obj()
2024 return dpp_build_conf_obj_dpp(auth, conf); in dpp_build_conf_obj()
2026 if (dpp_akm_dpp(conf->akm) || (auth->peer_version >= 2 && auth->conf)) in dpp_build_conf_obj()
2027 return dpp_build_conf_obj_dpp(auth, conf); in dpp_build_conf_obj()
2028 return dpp_build_conf_obj_legacy(auth, conf); in dpp_build_conf_obj()
2033 dpp_build_conf_resp(struct dpp_authentication *auth, const u8 *e_nonce, in dpp_build_conf_resp() argument
2044 if (auth->force_conf_resp_status != DPP_STATUS_OK) { in dpp_build_conf_resp()
2045 status = auth->force_conf_resp_status; in dpp_build_conf_resp()
2051 env_data = dpp_build_enveloped_data(auth); in dpp_build_conf_resp()
2054 conf = dpp_build_conf_obj(auth, netrole, 0, cert_req); in dpp_build_conf_resp()
2059 conf2 = dpp_build_conf_obj(auth, netrole, 1, cert_req); in dpp_build_conf_resp()
2063 if (!conf && auth->waiting_config) in dpp_build_conf_resp()
2067 else if (!cert_req && netrole == DPP_NETROLE_STA && auth->conf_sta && in dpp_build_conf_resp()
2068 auth->conf_sta->akm == DPP_AKM_DOT1X && !auth->waiting_csr) in dpp_build_conf_resp()
2071 else if (auth->waiting_new_key) in dpp_build_conf_resp()
2077 auth->conf_resp_status = status; in dpp_build_conf_resp()
2087 if (auth->peer_version >= 2 && auth->send_conn_status && in dpp_build_conf_resp()
2090 if (status == DPP_STATUS_CSR_NEEDED && auth->conf_sta && in dpp_build_conf_resp()
2091 auth->conf_sta->csrattrs) in dpp_build_conf_resp()
2092 clear_len += 4 + os_strlen(auth->conf_sta->csrattrs); in dpp_build_conf_resp()
2101 auth->conf->net_access_key_curve->name); in dpp_build_conf_resp()
2102 new_pc = dpp_gen_keypair(auth->conf->net_access_key_curve); in dpp_build_conf_resp()
2112 crypto_ec_key_deinit(auth->own_protocol_key); in dpp_build_conf_resp()
2113 auth->own_protocol_key = new_pc; in dpp_build_conf_resp()
2114 auth->new_curve = auth->conf->net_access_key_curve; in dpp_build_conf_resp()
2165 if (auth->peer_version >= 2 && conf2) { in dpp_build_conf_resp()
2179 if (auth->peer_version >= 2 && auth->send_conn_status && in dpp_build_conf_resp()
2186 if (status == DPP_STATUS_CSR_NEEDED && auth->conf_sta && in dpp_build_conf_resp()
2187 auth->conf_sta->csrattrs) { in dpp_build_conf_resp()
2188 auth->waiting_csr = true; in dpp_build_conf_resp()
2191 wpabuf_put_le16(clear, os_strlen(auth->conf_sta->csrattrs)); in dpp_build_conf_resp()
2192 wpabuf_put_str(clear, auth->conf_sta->csrattrs); in dpp_build_conf_resp()
2196 if (status == DPP_STATUS_NEW_KEY_NEEDED && auth->conf && in dpp_build_conf_resp()
2197 auth->conf->net_access_key_curve) { in dpp_build_conf_resp()
2198 u16 ike_group = auth->conf->net_access_key_curve->ike_group; in dpp_build_conf_resp()
2244 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len, in dpp_build_conf_resp()
2277 dpp_conf_req_rx(struct dpp_authentication *auth, const u8 *attr_start, in dpp_conf_req_rx() argument
2302 dpp_auth_fail(auth, "Invalid attribute in config request"); in dpp_conf_req_rx()
2309 dpp_auth_fail(auth, in dpp_conf_req_rx()
2320 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len, in dpp_conf_req_rx()
2323 dpp_auth_fail(auth, "AES-SIV decryption failed"); in dpp_conf_req_rx()
2330 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); in dpp_conf_req_rx()
2337 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) { in dpp_conf_req_rx()
2338 dpp_auth_fail(auth, in dpp_conf_req_rx()
2343 os_memcpy(auth->e_nonce, e_nonce, e_nonce_len); in dpp_conf_req_rx()
2348 if (i_proto && !auth->waiting_new_key) { in dpp_conf_req_rx()
2349 dpp_auth_fail(auth, in dpp_conf_req_rx()
2362 pe = dpp_set_pubkey_point(auth->own_protocol_key, in dpp_conf_req_rx()
2365 dpp_auth_fail(auth, in dpp_conf_req_rx()
2370 crypto_ec_key_deinit(auth->peer_protocol_key); in dpp_conf_req_rx()
2371 auth->peer_protocol_key = pe; in dpp_conf_req_rx()
2372 auth->new_key_received = true; in dpp_conf_req_rx()
2373 auth->waiting_new_key = false; in dpp_conf_req_rx()
2375 if (dpp_derive_auth_i(auth, auth_i) < 0) in dpp_conf_req_rx()
2381 dpp_auth_fail(auth, in dpp_conf_req_rx()
2385 if (rx_auth_i_len != auth->curve->hash_len || in dpp_conf_req_rx()
2386 os_memcmp(rx_auth_i, auth_i, auth->curve->hash_len) != 0) { in dpp_conf_req_rx()
2387 dpp_auth_fail(auth, in dpp_conf_req_rx()
2389 wpa_hexdump(MSG_DEBUG, "DPP: Received Auth-I", in dpp_conf_req_rx()
2391 wpa_hexdump(MSG_DEBUG, "DPP: Derived Auth-I'", in dpp_conf_req_rx()
2392 auth_i, auth->curve->hash_len); in dpp_conf_req_rx()
2402 dpp_auth_fail(auth, in dpp_conf_req_rx()
2411 dpp_auth_fail(auth, "Could not parse Config Attributes"); in dpp_conf_req_rx()
2417 dpp_auth_fail(auth, "No Config Attributes - name"); in dpp_conf_req_rx()
2421 os_free(auth->e_name); in dpp_conf_req_rx()
2422 auth->e_name = os_strdup(token->string); in dpp_conf_req_rx()
2426 dpp_auth_fail(auth, "No Config Attributes - wi-fi_tech"); in dpp_conf_req_rx()
2433 dpp_auth_fail(auth, "Unsupported wi-fi_tech"); in dpp_conf_req_rx()
2439 dpp_auth_fail(auth, "No Config Attributes - netRole"); in dpp_conf_req_rx()
2452 dpp_auth_fail(auth, "Unsupported netRole"); in dpp_conf_req_rx()
2455 auth->e_netrole = netrole; in dpp_conf_req_rx()
2460 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_MUD_URL "%s", in dpp_conf_req_rx()
2462 os_free(auth->e_mud_url); in dpp_conf_req_rx()
2463 auth->e_mud_url = os_strdup(token->string); in dpp_conf_req_rx()
2499 os_free(auth->e_band_support); in dpp_conf_req_rx()
2500 auth->e_band_support = opclass; in dpp_conf_req_rx()
2501 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_BAND_SUPPORT "%s", in dpp_conf_req_rx()
2512 if (dpp_validate_csr(auth, cert_req) < 0) { in dpp_conf_req_rx()
2514 auth->force_conf_resp_status = DPP_STATUS_CSR_BAD; in dpp_conf_req_rx()
2518 id = dpp_get_peer_bi_id(auth); in dpp_conf_req_rx()
2528 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_CSR "peer=%d csr=%s", in dpp_conf_req_rx()
2531 auth->waiting_csr = false; in dpp_conf_req_rx()
2532 auth->waiting_cert = true; in dpp_conf_req_rx()
2538 resp = dpp_build_conf_resp(auth, e_nonce, e_nonce_len, netrole, in dpp_conf_req_rx()
2749 static int dpp_parse_connector(struct dpp_authentication *auth, in dpp_parse_connector() argument
2805 &auth->net_access_key_expiry)) { in dpp_parse_connector()
2823 if (crypto_ec_key_cmp(key, auth->own_protocol_key)) { in dpp_parse_connector()
2827 if (auth->ignore_netaccesskey_mismatch) { in dpp_parse_connector()
2874 static void dpp_copy_netaccesskey(struct dpp_authentication *auth, in dpp_copy_netaccesskey() argument
2880 own_key = auth->own_protocol_key; in dpp_copy_netaccesskey()
2882 if (auth->reconfig_connector_key == DPP_CONFIG_REUSEKEY && in dpp_copy_netaccesskey()
2883 auth->reconfig_old_protocol_key) in dpp_copy_netaccesskey()
2884 own_key = auth->reconfig_old_protocol_key; in dpp_copy_netaccesskey()
2891 wpabuf_free(auth->net_access_key); in dpp_copy_netaccesskey()
2892 auth->net_access_key = net_access_key; in dpp_copy_netaccesskey()
2896 static int dpp_parse_cred_dpp(struct dpp_authentication *auth, in dpp_parse_cred_dpp() argument
2966 if (dpp_parse_connector(auth, conf, in dpp_parse_cred_dpp()
2978 if (dpp_akm_dpp(conf->akm) || auth->peer_version >= 2) in dpp_parse_cred_dpp()
2979 dpp_copy_netaccesskey(auth, conf); in dpp_parse_cred_dpp()
2991 static int dpp_parse_cred_dot1x(struct dpp_authentication *auth, in dpp_parse_cred_dot1x() argument
2999 dpp_auth_fail(auth, "No entCreds in JSON"); in dpp_parse_cred_dot1x()
3005 dpp_auth_fail(auth, "No certBag in JSON"); in dpp_parse_cred_dot1x()
3011 dpp_auth_fail(auth, "No certificates in certBag"); in dpp_parse_cred_dot1x()
3025 dpp_auth_fail(auth, in dpp_parse_cred_dot1x()
3149 static int dpp_parse_conf_obj(struct dpp_authentication *auth, in dpp_parse_conf_obj() argument
3162 dpp_auth_fail(auth, "JSON root is not an object"); in dpp_parse_conf_obj()
3168 dpp_auth_fail(auth, "No wi-fi_tech string value found"); in dpp_parse_conf_obj()
3174 dpp_auth_fail(auth, "Unsupported wi-fi_tech value"); in dpp_parse_conf_obj()
3180 dpp_auth_fail(auth, "No discovery object in JSON"); in dpp_parse_conf_obj()
3189 dpp_auth_fail(auth, "Too long discovery::ssid64 value"); in dpp_parse_conf_obj()
3195 dpp_auth_fail(auth, in dpp_parse_conf_obj()
3202 dpp_auth_fail(auth, in dpp_parse_conf_obj()
3208 if (auth->num_conf_obj == DPP_MAX_CONF_OBJ) { in dpp_parse_conf_obj()
3214 conf = &auth->conf_obj[auth->num_conf_obj++]; in dpp_parse_conf_obj()
3233 dpp_auth_fail(auth, "No cred object in JSON"); in dpp_parse_conf_obj()
3239 dpp_auth_fail(auth, "No cred::akm string value found"); in dpp_parse_conf_obj()
3245 if (legacy && auth->peer_version >= 2) { in dpp_parse_conf_obj()
3258 (auth->peer_version >= 2 && dpp_akm_legacy(conf->akm))) { in dpp_parse_conf_obj()
3259 if (dpp_parse_cred_dpp(auth, conf, cred) < 0) in dpp_parse_conf_obj()
3263 if (dpp_parse_cred_dot1x(auth, conf, cred) < 0 || in dpp_parse_conf_obj()
3264 dpp_parse_cred_dpp(auth, conf, cred) < 0) in dpp_parse_conf_obj()
3270 dpp_auth_fail(auth, "Unsupported akm"); in dpp_parse_conf_obj()
3297 int dpp_conf_resp_rx(struct dpp_authentication *auth, in dpp_conf_resp_rx() argument
3310 auth->conf_resp_status = 255; in dpp_conf_resp_rx()
3313 dpp_auth_fail(auth, "Invalid attribute in config response"); in dpp_conf_resp_rx()
3321 dpp_auth_fail(auth, in dpp_conf_resp_rx()
3337 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len, in dpp_conf_resp_rx()
3340 dpp_auth_fail(auth, "AES-SIV decryption failed"); in dpp_conf_resp_rx()
3347 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); in dpp_conf_resp_rx()
3354 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) { in dpp_conf_resp_rx()
3355 dpp_auth_fail(auth, in dpp_conf_resp_rx()
3360 if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) { in dpp_conf_resp_rx()
3361 dpp_auth_fail(auth, "Enrollee Nonce mismatch"); in dpp_conf_resp_rx()
3368 dpp_auth_fail(auth, in dpp_conf_resp_rx()
3372 auth->conf_resp_status = status[0]; in dpp_conf_resp_rx()
3384 dpp_auth_fail(auth, in dpp_conf_resp_rx()
3389 os_free(auth->csrattrs); in dpp_conf_resp_rx()
3390 auth->csrattrs = csrattrs; in dpp_conf_resp_rx()
3391 auth->csrattrs_len = csrattrs_len; in dpp_conf_resp_rx()
3409 dpp_auth_fail(auth, in dpp_conf_resp_rx()
3420 dpp_auth_fail(auth, in dpp_conf_resp_rx()
3427 dpp_auth_fail(auth, in dpp_conf_resp_rx()
3432 crypto_ec_key_deinit(auth->own_protocol_key); in dpp_conf_resp_rx()
3433 auth->own_protocol_key = new_pe; in dpp_conf_resp_rx()
3434 auth->new_curve = curve; in dpp_conf_resp_rx()
3440 dpp_auth_fail(auth, in dpp_conf_resp_rx()
3449 dpp_auth_fail(auth, "Invalid Responder Protocol Key (Pc)"); in dpp_conf_resp_rx()
3454 crypto_ec_key_deinit(auth->peer_protocol_key); in dpp_conf_resp_rx()
3455 auth->peer_protocol_key = pc; in dpp_conf_resp_rx()
3457 auth->waiting_new_key = true; in dpp_conf_resp_rx()
3463 dpp_auth_fail(auth, "Configurator rejected configuration"); in dpp_conf_resp_rx()
3471 dpp_conf_resp_env_data(auth, env_data, env_data_len) < 0) in dpp_conf_resp_rx()
3478 dpp_auth_fail(auth, in dpp_conf_resp_rx()
3485 if (dpp_parse_conf_obj(auth, conf_obj, conf_obj_len) < 0) in dpp_conf_resp_rx()
3498 auth->conn_status_requested = 1; in dpp_conf_resp_rx()
3512 enum dpp_status_error dpp_conf_result_rx(struct dpp_authentication *auth, in dpp_conf_result_rx() argument
3527 dpp_auth_fail(auth, in dpp_conf_result_rx()
3548 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len, in dpp_conf_result_rx()
3551 dpp_auth_fail(auth, "AES-SIV decryption failed"); in dpp_conf_result_rx()
3558 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); in dpp_conf_result_rx()
3565 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) { in dpp_conf_result_rx()
3566 dpp_auth_fail(auth, in dpp_conf_result_rx()
3571 if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) { in dpp_conf_result_rx()
3572 dpp_auth_fail(auth, "Enrollee Nonce mismatch"); in dpp_conf_result_rx()
3574 auth->e_nonce, e_nonce_len); in dpp_conf_result_rx()
3581 dpp_auth_fail(auth, in dpp_conf_result_rx()
3594 struct wpabuf * dpp_build_conf_result(struct dpp_authentication *auth, in dpp_build_conf_result() argument
3603 nonce_len = auth->curve->nonce_len; in dpp_build_conf_result()
3617 wpabuf_put_data(clear, auth->e_nonce, nonce_len); in dpp_build_conf_result()
3635 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len, in dpp_build_conf_result()
3663 enum dpp_status_error dpp_conn_status_result_rx(struct dpp_authentication *auth, in dpp_conn_status_result_rx() argument
3686 dpp_auth_fail(auth, in dpp_conn_status_result_rx()
3707 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len, in dpp_conn_status_result_rx()
3710 dpp_auth_fail(auth, "AES-SIV decryption failed"); in dpp_conn_status_result_rx()
3717 dpp_auth_fail(auth, "Invalid attribute in unwrapped data"); in dpp_conn_status_result_rx()
3724 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) { in dpp_conn_status_result_rx()
3725 dpp_auth_fail(auth, in dpp_conn_status_result_rx()
3730 if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) { in dpp_conn_status_result_rx()
3731 dpp_auth_fail(auth, "Enrollee Nonce mismatch"); in dpp_conn_status_result_rx()
3733 auth->e_nonce, e_nonce_len); in dpp_conn_status_result_rx()
3740 dpp_auth_fail(auth, in dpp_conn_status_result_rx()
3749 dpp_auth_fail(auth, "Could not parse connStatus"); in dpp_conn_status_result_rx()
3767 dpp_auth_fail(auth, "No connStatus - result"); in dpp_conn_status_result_rx()
3810 struct wpabuf * dpp_build_conn_status_result(struct dpp_authentication *auth, in dpp_build_conn_status_result() argument
3825 nonce_len = auth->curve->nonce_len; in dpp_build_conn_status_result()
3836 wpabuf_put_data(clear, auth->e_nonce, nonce_len); in dpp_build_conn_status_result()
3859 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len, in dpp_build_conn_status_result()
3982 int dpp_configurator_own_config(struct dpp_authentication *auth, in dpp_configurator_own_config() argument
3988 if (!auth->conf) { in dpp_configurator_own_config()
3993 auth->curve = dpp_get_curve_name(curve); in dpp_configurator_own_config()
3994 if (!auth->curve) { in dpp_configurator_own_config()
4001 auth->curve->name); in dpp_configurator_own_config()
4003 auth->own_protocol_key = dpp_gen_keypair(auth->curve); in dpp_configurator_own_config()
4004 if (!auth->own_protocol_key) in dpp_configurator_own_config()
4006 dpp_copy_netaccesskey(auth, &auth->conf_obj[0]); in dpp_configurator_own_config()
4007 auth->peer_protocol_key = auth->own_protocol_key; in dpp_configurator_own_config()
4008 dpp_copy_csign(&auth->conf_obj[0], auth->conf->csign); in dpp_configurator_own_config()
4010 conf_obj = dpp_build_conf_obj(auth, ap, 0, NULL); in dpp_configurator_own_config()
4012 wpabuf_free(auth->conf_obj[0].c_sign_key); in dpp_configurator_own_config()
4013 auth->conf_obj[0].c_sign_key = NULL; in dpp_configurator_own_config()
4016 ret = dpp_parse_conf_obj(auth, wpabuf_head(conf_obj), in dpp_configurator_own_config()
4020 auth->peer_protocol_key = NULL; in dpp_configurator_own_config()
5046 void dpp_notify_auth_success(struct dpp_authentication *auth, int initiator) in dpp_notify_auth_success() argument
5051 if (auth->peer_protocol_key) { in dpp_notify_auth_success()
5052 dpp_get_pubkey_hash(auth->peer_protocol_key, hash); in dpp_notify_auth_success()
5057 wpa_msg(auth->msg_ctx, MSG_INFO, in dpp_notify_auth_success()
5059 initiator, hex, auth->own_bi ? (int) auth->own_bi->id : -1, in dpp_notify_auth_success()
5060 auth->peer_bi ? (int) auth->peer_bi->id : -1); in dpp_notify_auth_success()