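Lines Matching +full:common +full:- +full:auth
(Search-result excerpt, not a contiguous listing: each entry below gives the line number in the original file, the matching source line, and the enclosing function after "in". Lines between entries are omitted.)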

2  * wpa_supplicant - PASN processing
12 #include "common/ieee802_11_defs.h"
13 #include "common/ieee802_11_common.h"
14 #include "common/dragonfly.h"
15 #include "common/ptksa_cache.h"
53 wpabuf_free(awork->comeback); in wpas_pasn_free_auth_work()
54 awork->comeback = NULL; in wpas_pasn_free_auth_work()
63 wpa_printf(MSG_DEBUG, "PASN: Auth work timeout - stopping auth"); in wpas_pasn_auth_work_timeout()
73 wpa_printf(MSG_DEBUG, "PASN: Cancel pasn-start-auth work"); in wpas_pasn_cancel_auth_work()
76 radio_remove_works(wpa_s, "pasn-start-auth", 0); in wpas_pasn_cancel_auth_work()
118 const char *password = ssid->sae_password; in wpas_pasn_sae_derive_pt()
122 password = ssid->passphrase; in wpas_pasn_sae_derive_pt()
129 return sae_derive_pt(groups, ssid->ssid, ssid->ssid_len, in wpas_pasn_sae_derive_pt()
131 ssid->sae_password_id); in wpas_pasn_sae_derive_pt()
137 if (!ssid->sae_password && !ssid->passphrase) { in wpas_pasn_sae_setup_pt()
139 return -1; in wpas_pasn_sae_setup_pt()
142 if (ssid->pt) in wpas_pasn_sae_setup_pt()
145 ssid->pt = wpas_pasn_sae_derive_pt(ssid, group); in wpas_pasn_sae_setup_pt()
147 return ssid->pt ? 0 : -1; in wpas_pasn_sae_setup_pt()
165 const u8 *peer_addr = peer->peer_addr; in wpas_pasn_get_params_from_bss()
173 return -1; in wpas_pasn_get_params_from_bss()
180 return -1; in wpas_pasn_get_params_from_bss()
186 return -1; in wpas_pasn_get_params_from_bss()
191 ssid_str_len = bss->ssid_len; in wpas_pasn_get_params_from_bss()
192 ssid_str = bss->ssid; in wpas_pasn_get_params_from_bss()
195 for (ssid = wpa_s->conf->ssid; ssid; ssid = ssid->next) { in wpas_pasn_get_params_from_bss()
197 ssid_str_len == ssid->ssid_len && in wpas_pasn_get_params_from_bss()
198 os_memcmp(ssid_str, ssid->ssid, ssid_str_len) == 0) in wpas_pasn_get_params_from_bss()
203 network_id = ssid->id; in wpas_pasn_get_params_from_bss()
206 if (ssid && ssid->pairwise_cipher) in wpas_pasn_get_params_from_bss()
207 sel &= ssid->pairwise_cipher; in wpas_pasn_get_params_from_bss()
216 return -1; in wpas_pasn_get_params_from_bss()
220 if (ssid && ssid->key_mgmt) in wpas_pasn_get_params_from_bss()
221 sel &= ssid->key_mgmt; in wpas_pasn_get_params_from_bss()
226 if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) || !ssid) in wpas_pasn_get_params_from_bss()
231 if (!(wpa_s->drv_flags & (WPA_DRIVER_FLAGS_SME | in wpas_pasn_get_params_from_bss()
241 wpa_printf(MSG_DEBUG, "PASN: using KEY_MGMT FT/802.1X-SHA384"); in wpas_pasn_get_params_from_bss()
242 if (ssid && !ssid->ft_eap_pmksa_caching && in wpas_pasn_get_params_from_bss()
243 pmksa_cache_get_current(wpa_s->wpa)) { in wpas_pasn_get_params_from_bss()
249 pmksa_cache_clear_current(wpa_s->wpa); in wpas_pasn_get_params_from_bss()
270 wpa_printf(MSG_DEBUG, "PASN: using KEY_MGMT FILS-SHA384"); in wpas_pasn_get_params_from_bss()
273 wpa_printf(MSG_DEBUG, "PASN: using KEY_MGMT FILS-SHA256"); in wpas_pasn_get_params_from_bss()
280 if (ssid && !ssid->ft_eap_pmksa_caching && in wpas_pasn_get_params_from_bss()
281 pmksa_cache_get_current(wpa_s->wpa)) { in wpas_pasn_get_params_from_bss()
287 pmksa_cache_clear_current(wpa_s->wpa); in wpas_pasn_get_params_from_bss()
298 return -1; in wpas_pasn_get_params_from_bss()
301 peer->akmp = key_mgmt; in wpas_pasn_get_params_from_bss()
302 peer->cipher = pairwise_cipher; in wpas_pasn_get_params_from_bss()
303 peer->network_id = network_id; in wpas_pasn_get_params_from_bss()
304 peer->group = group; in wpas_pasn_get_params_from_bss()
316 entry = ptksa_cache_get(wpa_s->ptksa, peer_addr, cipher); in wpas_pasn_set_keys_from_cache()
320 return -1; in wpas_pasn_set_keys_from_cache()
323 if (!ether_addr_equal(entry->own_addr, own_addr)) { in wpas_pasn_set_keys_from_cache()
327 MAC2STR(own_addr), MAC2STR(entry->own_addr)); in wpas_pasn_set_keys_from_cache()
328 return -1; in wpas_pasn_set_keys_from_cache()
334 entry->ptk.tk_len, in wpas_pasn_set_keys_from_cache()
335 entry->ptk.tk, in wpas_pasn_set_keys_from_cache()
336 entry->ptk.ltf_keyseed_len, in wpas_pasn_set_keys_from_cache()
337 entry->ptk.ltf_keyseed, 0); in wpas_pasn_set_keys_from_cache()
352 while (wpa_s->pasn_count < pasn_params->num_peers) { in wpas_pasn_configure_next_peer()
353 peer = &pasn_params->peer[wpa_s->pasn_count]; in wpas_pasn_configure_next_peer()
355 if (ether_addr_equal(wpa_s->bssid, peer->peer_addr)) { in wpas_pasn_configure_next_peer()
358 peer->status = PASN_STATUS_FAILURE; in wpas_pasn_configure_next_peer()
359 wpa_s->pasn_count++; in wpas_pasn_configure_next_peer()
363 if (wpas_pasn_set_keys_from_cache(wpa_s, peer->own_addr, in wpas_pasn_configure_next_peer()
364 peer->peer_addr, in wpas_pasn_configure_next_peer()
365 peer->cipher, in wpas_pasn_configure_next_peer()
366 peer->akmp) == 0) { in wpas_pasn_configure_next_peer()
367 peer->status = PASN_STATUS_SUCCESS; in wpas_pasn_configure_next_peer()
368 wpa_s->pasn_count++; in wpas_pasn_configure_next_peer()
373 peer->status = PASN_STATUS_FAILURE; in wpas_pasn_configure_next_peer()
374 wpa_s->pasn_count++; in wpas_pasn_configure_next_peer()
378 if (wpas_pasn_auth_start(wpa_s, peer->own_addr, in wpas_pasn_configure_next_peer()
379 peer->peer_addr, peer->akmp, in wpas_pasn_configure_next_peer()
380 peer->cipher, peer->group, in wpas_pasn_configure_next_peer()
381 peer->network_id, in wpas_pasn_configure_next_peer()
383 peer->status = PASN_STATUS_FAILURE; in wpas_pasn_configure_next_peer()
384 wpa_s->pasn_count++; in wpas_pasn_configure_next_peer()
387 wpa_printf(MSG_DEBUG, "PASN: Sent PASN auth start for " MACSTR, in wpas_pasn_configure_next_peer()
388 MAC2STR(peer->peer_addr)); in wpas_pasn_configure_next_peer()
392 if (wpa_s->pasn_count == pasn_params->num_peers) { in wpas_pasn_configure_next_peer()
395 os_free(wpa_s->pasn_params); in wpas_pasn_configure_next_peer()
396 wpa_s->pasn_params = NULL; in wpas_pasn_configure_next_peer()
403 if (!wpa_s->pasn_params) in wpas_pasn_auth_work_done()
406 wpa_s->pasn_params->peer[wpa_s->pasn_count].status = status; in wpas_pasn_auth_work_done()
407 wpa_s->pasn_count++; in wpas_pasn_auth_work_done()
408 wpas_pasn_configure_next_peer(wpa_s, wpa_s->pasn_params); in wpas_pasn_auth_work_done()
421 for (i = 0; i < pasn_params->num_peers; i++) { in wpas_pasn_delete_peers()
422 peer = &pasn_params->peer[i]; in wpas_pasn_delete_peers()
423 ptksa_cache_flush(wpa_s->ptksa, peer->peer_addr, in wpas_pasn_delete_peers()
437 eapol_sm_notify_eap_success(pasn->eapol, false); in wpas_pasn_initiate_eapol()
438 eapol_sm_notify_eap_fail(pasn->eapol, false); in wpas_pasn_initiate_eapol()
439 eapol_sm_notify_portControl(pasn->eapol, Auto); in wpas_pasn_initiate_eapol()
442 eapol_conf.fast_reauth = pasn->fast_reauth; in wpas_pasn_initiate_eapol()
443 eapol_conf.workaround = ssid->eap_workaround; in wpas_pasn_initiate_eapol()
445 eapol_sm_notify_config(pasn->eapol, &ssid->eap, &eapol_conf); in wpas_pasn_initiate_eapol()
452 struct pasn_data *pasn = &wpa_s->pasn; in wpas_pasn_reset()
455 wpa_s->pasn_auth_work = NULL; in wpas_pasn_reset()
471 if (ether_addr_equal(wpa_s->bssid, peer_addr)) { in wpas_pasn_allowed()
508 struct wpa_supplicant *wpa_s = work->wpa_s; in wpas_pasn_auth_start_cb()
509 struct wpa_pasn_auth_work *awork = work->ctx; in wpas_pasn_auth_start_cb()
510 struct pasn_data *pasn = &wpa_s->pasn; in wpas_pasn_auth_start_cb()
525 if (work->started) { in wpas_pasn_auth_start_cb()
528 wpa_s->pasn_auth_work = NULL; in wpas_pasn_auth_start_cb()
540 bss = wpas_pasn_allowed(wpa_s, awork->peer_addr, awork->akmp, in wpas_pasn_auth_start_cb()
541 awork->cipher); in wpas_pasn_auth_start_cb()
555 derive_kdk = (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_STA) && in wpas_pasn_auth_start_cb()
560 derive_kdk = wpa_s->conf->force_kdk_derivation; in wpas_pasn_auth_start_cb()
567 wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", pasn->kdk_len); in wpas_pasn_auth_start_cb()
569 if ((wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_STA) && in wpas_pasn_auth_start_cb()
571 pasn->secure_ltf = true; in wpas_pasn_auth_start_cb()
573 pasn->secure_ltf = false; in wpas_pasn_auth_start_cb()
576 pasn->corrupt_mic = wpa_s->conf->pasn_corrupt_mic; in wpas_pasn_auth_start_cb()
580 if (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF_STA) in wpas_pasn_auth_start_cb()
582 if (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_RTT_STA) in wpas_pasn_auth_start_cb()
584 if (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_PROT_RANGE_NEG_STA) in wpas_pasn_auth_start_cb()
588 ssid = wpa_config_get_network(wpa_s->conf, awork->network_id); in wpas_pasn_auth_start_cb()
591 if (awork->akmp == WPA_KEY_MGMT_SAE) { in wpas_pasn_auth_start_cb()
597 pasn_set_pt(pasn, wpas_pasn_sae_derive_pt(ssid, awork->group)); in wpas_pasn_auth_start_cb()
598 if (!pasn->pt) { in wpas_pasn_auth_start_cb()
602 pasn->network_id = ssid->id; in wpas_pasn_auth_start_cb()
608 if (awork->akmp == WPA_KEY_MGMT_FILS_SHA256 || in wpas_pasn_auth_start_cb()
609 awork->akmp == WPA_KEY_MGMT_FILS_SHA384) { in wpas_pasn_auth_start_cb()
619 pasn->eapol = wpa_s->eapol; in wpas_pasn_auth_start_cb()
620 pasn->network_id = ssid->id; in wpas_pasn_auth_start_cb()
622 pasn->fils_eapol = true; in wpas_pasn_auth_start_cb()
625 "PASN: FILS auth without PFS not supported"); in wpas_pasn_auth_start_cb()
628 pasn->fast_reauth = wpa_s->conf->fast_reauth; in wpas_pasn_auth_start_cb()
632 pasn_set_initiator_pmksa(pasn, wpa_sm_get_pmksa_cache(wpa_s->wpa)); in wpas_pasn_auth_start_cb()
634 if (wpa_key_mgmt_ft(awork->akmp)) { in wpas_pasn_auth_start_cb()
636 ret = wpa_pasn_ft_derive_pmk_r1(wpa_s->wpa, awork->akmp, in wpas_pasn_auth_start_cb()
637 awork->peer_addr, in wpas_pasn_auth_start_cb()
638 pasn->pmk_r1, in wpas_pasn_auth_start_cb()
639 &pasn->pmk_r1_len, in wpas_pasn_auth_start_cb()
640 pasn->pmk_r1_name); in wpas_pasn_auth_start_cb()
652 ret = wpas_pasn_start(pasn, awork->own_addr, awork->peer_addr, in wpas_pasn_auth_start_cb()
653 awork->peer_addr, awork->akmp, awork->cipher, in wpas_pasn_auth_start_cb()
654 awork->group, bss->freq, rsne, *(rsne + 1) + 2, in wpas_pasn_auth_start_cb()
656 awork->comeback); in wpas_pasn_auth_start_cb()
665 wpabuf_free(awork->comeback); in wpas_pasn_auth_start_cb()
666 awork->comeback = NULL; in wpas_pasn_auth_start_cb()
668 wpa_s->pasn_auth_work = work; in wpas_pasn_auth_start_cb()
672 work->ctx = NULL; in wpas_pasn_auth_start_cb()
691 * with drivers that support off-channel TX. in wpas_pasn_auth_start()
693 if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_OFFCHANNEL_TX)) { in wpas_pasn_auth_start()
696 return -1; in wpas_pasn_auth_start()
699 if (radio_work_pending(wpa_s, "pasn-start-auth")) { in wpas_pasn_auth_start()
702 return -1; in wpas_pasn_auth_start()
705 if (wpa_s->pasn_auth_work) { in wpas_pasn_auth_start()
707 return -1; in wpas_pasn_auth_start()
712 return -1; in wpas_pasn_auth_start()
718 return -1; in wpas_pasn_auth_start()
720 os_memcpy(awork->own_addr, own_addr, ETH_ALEN); in wpas_pasn_auth_start()
721 os_memcpy(awork->peer_addr, peer_addr, ETH_ALEN); in wpas_pasn_auth_start()
722 awork->akmp = akmp; in wpas_pasn_auth_start()
723 awork->cipher = cipher; in wpas_pasn_auth_start()
724 awork->group = group; in wpas_pasn_auth_start()
725 awork->network_id = network_id; in wpas_pasn_auth_start()
728 awork->comeback = wpabuf_alloc_copy(comeback, comeback_len); in wpas_pasn_auth_start()
729 if (!awork->comeback) { in wpas_pasn_auth_start()
731 return -1; in wpas_pasn_auth_start()
735 if (radio_add_work(wpa_s, bss->freq, "pasn-start-auth", 1, in wpas_pasn_auth_start()
738 return -1; in wpas_pasn_auth_start()
741 wpa_printf(MSG_DEBUG, "PASN: Auth work successfully added"); in wpas_pasn_auth_start()
748 struct pasn_data *pasn = &wpa_s->pasn; in wpas_pasn_auth_stop()
750 if (!wpa_s->pasn.ecdh) in wpas_pasn_auth_stop()
755 wpas_pasn_auth_status(wpa_s, pasn->peer_addr, pasn_get_akmp(pasn), in wpas_pasn_auth_stop()
757 pasn->status, pasn->comeback, in wpas_pasn_auth_stop()
758 pasn->comeback_after); in wpas_pasn_auth_stop()
770 u16 group = pasn->group; in wpas_pasn_immediate_retry()
775 os_memcpy(own_addr, pasn->own_addr, ETH_ALEN); in wpas_pasn_immediate_retry()
776 os_memcpy(peer_addr, pasn->peer_addr, ETH_ALEN); in wpas_pasn_immediate_retry()
780 group, pasn->network_id, in wpas_pasn_immediate_retry()
781 params->comeback, params->comeback_len); in wpas_pasn_immediate_retry()
787 struct wpa_supplicant *wpa_s = entry->ctx; in wpas_pasn_deauth_cb()
793 os_memcpy(own_addr, entry->own_addr, ETH_ALEN); in wpas_pasn_deauth_cb()
794 os_memcpy(peer_addr, entry->addr, ETH_ALEN); in wpas_pasn_deauth_cb()
802 struct pasn_data *pasn = &wpa_s->pasn; in wpas_pasn_auth_rx()
806 if (!wpa_s->pasn_auth_work) in wpas_pasn_auth_rx()
807 return -2; in wpas_pasn_auth_rx()
812 ptksa_cache_add(wpa_s->ptksa, pasn->own_addr, pasn->peer_addr, in wpas_pasn_auth_rx()
816 wpa_s->pasn_params ? wpas_pasn_deauth_cb : NULL, in wpas_pasn_auth_rx()
817 wpa_s->pasn_params ? wpa_s : NULL, in wpas_pasn_auth_rx()
820 if (pasn->pmksa_entry) in wpas_pasn_auth_rx()
821 wpa_sm_set_cur_pmksa(wpa_s->wpa, pasn->pmksa_entry); in wpas_pasn_auth_rx()
824 forced_memzero(pasn_get_ptk(pasn), sizeof(pasn->ptk)); in wpas_pasn_auth_rx()
826 if (ret == -1) { in wpas_pasn_auth_rx()
842 unsigned int i, num_peers = pasn_auth->num_peers; in wpas_pasn_auth_trigger()
844 if (wpa_s->pasn_params) { in wpas_pasn_auth_trigger()
852 "PASN: auth trigger: Invalid number of peers"); in wpas_pasn_auth_trigger()
856 wpa_s->pasn_params = os_zalloc(sizeof(struct pasn_auth)); in wpas_pasn_auth_trigger()
857 if (!wpa_s->pasn_params) { in wpas_pasn_auth_trigger()
859 "PASN: auth trigger: Failed to allocate a buffer"); in wpas_pasn_auth_trigger()
863 wpa_s->pasn_count = 0; in wpas_pasn_auth_trigger()
864 wpa_s->pasn_params->num_peers = num_peers; in wpas_pasn_auth_trigger()
867 dst = &wpa_s->pasn_params->peer[i]; in wpas_pasn_auth_trigger()
868 src = &pasn_auth->peer[i]; in wpas_pasn_auth_trigger()
869 os_memcpy(dst->own_addr, wpa_s->own_addr, ETH_ALEN); in wpas_pasn_auth_trigger()
870 os_memcpy(dst->peer_addr, src->peer_addr, ETH_ALEN); in wpas_pasn_auth_trigger()
871 dst->ltf_keyseed_required = src->ltf_keyseed_required; in wpas_pasn_auth_trigger()
872 dst->status = PASN_STATUS_SUCCESS; in wpas_pasn_auth_trigger()
874 if (!is_zero_ether_addr(src->own_addr)) { in wpas_pasn_auth_trigger()
875 os_memcpy(dst->own_addr, src->own_addr, ETH_ALEN); in wpas_pasn_auth_trigger()
877 MACSTR, MAC2STR(dst->own_addr)); in wpas_pasn_auth_trigger()
881 if (pasn_auth->action == PASN_ACTION_DELETE_SECURE_RANGING_CONTEXT) { in wpas_pasn_auth_trigger()
882 wpas_pasn_delete_peers(wpa_s, wpa_s->pasn_params); in wpas_pasn_auth_trigger()
883 os_free(wpa_s->pasn_params); in wpas_pasn_auth_trigger()
884 wpa_s->pasn_params = NULL; in wpas_pasn_auth_trigger()
885 } else if (pasn_auth->action == PASN_ACTION_AUTH) { in wpas_pasn_auth_trigger()
886 wpas_pasn_configure_next_peer(wpa_s, wpa_s->pasn_params); in wpas_pasn_auth_trigger()
895 struct pasn_data *pasn = &wpa_s->pasn; in wpas_pasn_auth_tx_status()
898 if (!wpa_s->pasn_auth_work) { in wpas_pasn_auth_tx_status()
901 return -1; in wpas_pasn_auth_tx_status()
908 if (!wpa_s->pasn_params) { in wpas_pasn_auth_tx_status()
913 wpas_pasn_set_keys_from_cache(wpa_s, pasn->own_addr, pasn->peer_addr, in wpas_pasn_auth_tx_status()
931 if (ether_addr_equal(wpa_s->bssid, peer_addr)) { in wpas_pasn_deauthenticate()
934 return -1; in wpas_pasn_deauthenticate()
942 ptksa_cache_flush(wpa_s->ptksa, peer_addr, WPA_CIPHER_NONE); in wpas_pasn_deauthenticate()
947 return -1; in wpas_pasn_deauthenticate()
953 return -1; in wpas_pasn_deauthenticate()
959 deauth->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) | in wpas_pasn_deauthenticate()
962 os_memcpy(deauth->da, peer_addr, ETH_ALEN); in wpas_pasn_deauthenticate()
963 os_memcpy(deauth->sa, own_addr, ETH_ALEN); in wpas_pasn_deauthenticate()
964 os_memcpy(deauth->bssid, peer_addr, ETH_ALEN); in wpas_pasn_deauthenticate()
965 deauth->u.deauth.reason_code = in wpas_pasn_deauthenticate()
974 bss->freq, 0); in wpas_pasn_deauthenticate()