xref: /freebsd/contrib/wpa/src/pasn/pasn_initiator.c (revision 95eb4b873b6a8b527c5bd78d7191975dfca38998)
1 /*
2  * PASN initiator processing
3  *
4  * Copyright (C) 2019, Intel Corporation
5  * Copyright (C) 2022, Qualcomm Innovation Center, Inc.
6  *
7  * This software may be distributed under the terms of the BSD license.
8  * See README for more details.
9  */
10 
11 #include "utils/includes.h"
12 
13 #include "utils/common.h"
14 #include "common/wpa_common.h"
15 #include "common/sae.h"
16 #include "common/ieee802_11_common.h"
17 #include "common/ieee802_11_defs.h"
18 #include "common/dragonfly.h"
19 #include "crypto/sha384.h"
20 #include "crypto/crypto.h"
21 #include "crypto/random.h"
22 #include "eap_common/eap_defs.h"
23 #include "eapol_supp/eapol_supp_sm.h"
24 #include "rsn_supp/wpa.h"
25 #include "rsn_supp/pmksa_cache.h"
26 #include "pasn_common.h"
27 
28 
29 void pasn_set_initiator_pmksa(struct pasn_data *pasn,
30 			      struct rsn_pmksa_cache *pmksa)
31 {
32 	if (pasn)
33 		pasn->pmksa = pmksa;
34 }
35 
36 
37 #ifdef CONFIG_SAE
38 
39 static struct wpabuf * wpas_pasn_wd_sae_commit(struct pasn_data *pasn)
40 {
41 	struct wpabuf *buf = NULL;
42 	int ret;
43 
44 	ret = sae_set_group(&pasn->sae, pasn->group);
45 	if (ret) {
46 		wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
47 		return NULL;
48 	}
49 
50 	ret = sae_prepare_commit_pt(&pasn->sae, pasn->pt,
51 				    pasn->own_addr, pasn->peer_addr,
52 				    NULL, NULL);
53 	if (ret) {
54 		wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
55 		return NULL;
56 	}
57 
58 	/* Need to add the entire Authentication frame body */
59 	buf = wpabuf_alloc(6 + SAE_COMMIT_MAX_LEN);
60 	if (!buf) {
61 		wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
62 		return NULL;
63 	}
64 
65 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
66 	wpabuf_put_le16(buf, 1);
67 	wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
68 
69 	sae_write_commit(&pasn->sae, buf, NULL, 0);
70 	pasn->sae.state = SAE_COMMITTED;
71 
72 	return buf;
73 }
74 
75 
76 static int wpas_pasn_wd_sae_rx(struct pasn_data *pasn, struct wpabuf *wd)
77 {
78 	const u8 *data;
79 	size_t buf_len;
80 	u16 len, res, alg, seq, status;
81 	int groups[] = { pasn->group, 0 };
82 	int ret;
83 
84 	if (!wd)
85 		return -1;
86 
87 	data = wpabuf_head_u8(wd);
88 	buf_len = wpabuf_len(wd);
89 
90 	/* first handle the commit message */
91 	if (buf_len < 2) {
92 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (commit)");
93 		return -1;
94 	}
95 
96 	len = WPA_GET_LE16(data);
97 	if (len < 6 || buf_len - 2 < len) {
98 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for commit");
99 		return -1;
100 	}
101 
102 	buf_len -= 2;
103 	data += 2;
104 
105 	alg = WPA_GET_LE16(data);
106 	seq = WPA_GET_LE16(data + 2);
107 	status = WPA_GET_LE16(data + 4);
108 
109 	wpa_printf(MSG_DEBUG, "PASN: SAE: commit: alg=%u, seq=%u, status=%u",
110 		   alg, seq, status);
111 
112 	if (alg != WLAN_AUTH_SAE || seq != 1 ||
113 	    status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
114 		wpa_printf(MSG_DEBUG, "PASN: SAE: dropping peer commit");
115 		return -1;
116 	}
117 
118 	res = sae_parse_commit(&pasn->sae, data + 6, len - 6, NULL, 0, groups,
119 			       1, NULL);
120 	if (res != WLAN_STATUS_SUCCESS) {
121 		wpa_printf(MSG_DEBUG, "PASN: SAE failed parsing commit");
122 		return -1;
123 	}
124 
125 	/* Process the commit message and derive the PMK */
126 	ret = sae_process_commit(&pasn->sae);
127 	if (ret) {
128 		wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
129 		return -1;
130 	}
131 
132 	buf_len -= len;
133 	data += len;
134 
135 	/* Handle the confirm message */
136 	if (buf_len < 2) {
137 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (confirm)");
138 		return -1;
139 	}
140 
141 	len = WPA_GET_LE16(data);
142 	if (len < 6 || buf_len - 2 < len) {
143 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for confirm");
144 		return -1;
145 	}
146 
147 	buf_len -= 2;
148 	data += 2;
149 
150 	alg = WPA_GET_LE16(data);
151 	seq = WPA_GET_LE16(data + 2);
152 	status = WPA_GET_LE16(data + 4);
153 
154 	wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
155 		   alg, seq, status);
156 
157 	if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
158 		wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
159 		return -1;
160 	}
161 
162 	res = sae_check_confirm(&pasn->sae, data + 6, len - 6, NULL);
163 	if (res != WLAN_STATUS_SUCCESS) {
164 		wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
165 		return -1;
166 	}
167 
168 	wpa_printf(MSG_DEBUG, "PASN: SAE completed successfully");
169 	pasn->sae.state = SAE_ACCEPTED;
170 
171 	return 0;
172 }
173 
174 
175 static struct wpabuf * wpas_pasn_wd_sae_confirm(struct pasn_data *pasn)
176 {
177 	struct wpabuf *buf = NULL;
178 
179 	/* Need to add the entire authentication frame body */
180 	buf = wpabuf_alloc(6 + SAE_CONFIRM_MAX_LEN);
181 	if (!buf) {
182 		wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
183 		return NULL;
184 	}
185 
186 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
187 	wpabuf_put_le16(buf, 2);
188 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
189 
190 	sae_write_confirm(&pasn->sae, buf);
191 	pasn->sae.state = SAE_CONFIRMED;
192 
193 	return buf;
194 }
195 
196 #endif /* CONFIG_SAE */
197 
198 
199 #ifdef CONFIG_FILS
200 
201 static struct wpabuf * wpas_pasn_fils_build_auth(struct pasn_data *pasn)
202 {
203 	struct wpabuf *buf = NULL;
204 	struct wpabuf *erp_msg;
205 	int ret;
206 
207 	erp_msg = eapol_sm_build_erp_reauth_start(pasn->eapol);
208 	if (!erp_msg) {
209 		wpa_printf(MSG_DEBUG,
210 			   "PASN: FILS: ERP EAP-Initiate/Re-auth unavailable");
211 		return NULL;
212 	}
213 
214 	if (random_get_bytes(pasn->fils.nonce, FILS_NONCE_LEN) < 0 ||
215 	    random_get_bytes(pasn->fils.session, FILS_SESSION_LEN) < 0)
216 		goto fail;
217 
218 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", pasn->fils.nonce,
219 		    FILS_NONCE_LEN);
220 
221 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", pasn->fils.session,
222 		    FILS_SESSION_LEN);
223 
224 	buf = wpabuf_alloc(1500);
225 	if (!buf)
226 		goto fail;
227 
228 	/* Add the authentication algorithm */
229 	wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
230 
231 	/* Authentication Transaction seq# */
232 	wpabuf_put_le16(buf, 1);
233 
234 	/* Status Code */
235 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
236 
237 	/* Own RSNE */
238 	wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
239 
240 	/* FILS Nonce */
241 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
242 	wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
243 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
244 	wpabuf_put_data(buf, pasn->fils.nonce, FILS_NONCE_LEN);
245 
246 	/* FILS Session */
247 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
248 	wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
249 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
250 	wpabuf_put_data(buf, pasn->fils.session, FILS_SESSION_LEN);
251 
252 	/* Wrapped Data (ERP) */
253 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
254 	wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg));
255 	wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
256 	wpabuf_put_buf(buf, erp_msg);
257 
258 	/*
259 	 * Calculate pending PMKID here so that we do not need to maintain a
260 	 * copy of the EAP-Initiate/Reauth message.
261 	 */
262 	ret = fils_pmkid_erp(pasn->akmp, wpabuf_head(erp_msg),
263 			     wpabuf_len(erp_msg),
264 			     pasn->fils.erp_pmkid);
265 	if (ret) {
266 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ERP PMKID");
267 		goto fail;
268 	}
269 
270 	wpabuf_free(erp_msg);
271 	erp_msg = NULL;
272 
273 	wpa_hexdump_buf(MSG_DEBUG, "PASN: FILS: Authentication frame", buf);
274 	return buf;
275 fail:
276 	wpabuf_free(erp_msg);
277 	wpabuf_free(buf);
278 	return NULL;
279 }
280 
281 
282 static struct wpabuf * wpas_pasn_wd_fils_auth(struct pasn_data *pasn)
283 {
284 	wpa_printf(MSG_DEBUG, "PASN: FILS: wrapped data - completed=%u",
285 		   pasn->fils.completed);
286 
287 	/* Nothing to add as we are done */
288 	if (pasn->fils.completed)
289 		return NULL;
290 
291 	if (!pasn->fils_eapol) {
292 		wpa_printf(MSG_DEBUG,
293 			   "PASN: FILS: Missing Indication IE or PFS");
294 		return NULL;
295 	}
296 
297 	return wpas_pasn_fils_build_auth(pasn);
298 }
299 
300 
301 static int wpas_pasn_wd_fils_rx(struct pasn_data *pasn, struct wpabuf *wd)
302 {
303 	struct ieee802_11_elems elems;
304 	struct wpa_ie_data rsne_data;
305 	u8 rmsk[ERP_MAX_KEY_LEN];
306 	size_t rmsk_len;
307 	u8 anonce[FILS_NONCE_LEN];
308 	const u8 *data;
309 	size_t buf_len;
310 	struct wpabuf *fils_wd = NULL;
311 	u16 alg, seq, status;
312 	int ret;
313 
314 	if (!wd)
315 		return -1;
316 
317 	data = wpabuf_head(wd);
318 	buf_len = wpabuf_len(wd);
319 
320 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: Authentication frame len=%zu",
321 		    data, buf_len);
322 
323 	/* first handle the header */
324 	if (buf_len < 6) {
325 		wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short");
326 		return -1;
327 	}
328 
329 	alg = WPA_GET_LE16(data);
330 	seq = WPA_GET_LE16(data + 2);
331 	status = WPA_GET_LE16(data + 4);
332 
333 	wpa_printf(MSG_DEBUG, "PASN: FILS: commit: alg=%u, seq=%u, status=%u",
334 		   alg, seq, status);
335 
336 	if (alg != WLAN_AUTH_FILS_SK || seq != 2 ||
337 	    status != WLAN_STATUS_SUCCESS) {
338 		wpa_printf(MSG_DEBUG,
339 			   "PASN: FILS: Dropping peer authentication");
340 		return -1;
341 	}
342 
343 	data += 6;
344 	buf_len -= 6;
345 
346 	if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
347 		wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
348 		return -1;
349 	}
350 
351 	if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
352 	    !elems.wrapped_data) {
353 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
354 		return -1;
355 	}
356 
357 	ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
358 			       &rsne_data);
359 	if (ret) {
360 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RSNE");
361 		return -1;
362 	}
363 
364 	ret = wpa_pasn_validate_rsne(&rsne_data);
365 	if (ret) {
366 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
367 		return -1;
368 	}
369 
370 	if (rsne_data.num_pmkid) {
371 		wpa_printf(MSG_DEBUG,
372 			   "PASN: FILS: Not expecting PMKID in RSNE");
373 		return -1;
374 	}
375 
376 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: ANonce", elems.fils_nonce,
377 		    FILS_NONCE_LEN);
378 	os_memcpy(anonce, elems.fils_nonce, FILS_NONCE_LEN);
379 
380 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: FILS Session", elems.fils_session,
381 		    FILS_SESSION_LEN);
382 
383 	if (os_memcmp(pasn->fils.session, elems.fils_session,
384 		      FILS_SESSION_LEN)) {
385 		wpa_printf(MSG_DEBUG, "PASN: FILS: Session mismatch");
386 		return -1;
387 	}
388 
389 	fils_wd = ieee802_11_defrag(elems.wrapped_data, elems.wrapped_data_len,
390 				    true);
391 
392 	if (!fils_wd) {
393 		wpa_printf(MSG_DEBUG,
394 			   "PASN: FILS: Failed getting wrapped data");
395 		return -1;
396 	}
397 
398 	eapol_sm_process_erp_finish(pasn->eapol, wpabuf_head(fils_wd),
399 				    wpabuf_len(fils_wd));
400 
401 	wpabuf_free(fils_wd);
402 	fils_wd = NULL;
403 
404 	if (eapol_sm_failed(pasn->eapol)) {
405 		wpa_printf(MSG_DEBUG, "PASN: FILS: ERP finish failed");
406 		return -1;
407 	}
408 
409 	rmsk_len = ERP_MAX_KEY_LEN;
410 	ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len);
411 
412 	if (ret == PMK_LEN) {
413 		rmsk_len = PMK_LEN;
414 		ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len);
415 	}
416 
417 	if (ret) {
418 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed getting RMSK");
419 		return -1;
420 	}
421 
422 	ret = fils_rmsk_to_pmk(pasn->akmp, rmsk, rmsk_len,
423 			       pasn->fils.nonce, anonce, NULL, 0,
424 			       pasn->pmk, &pasn->pmk_len);
425 
426 	forced_memzero(rmsk, sizeof(rmsk));
427 
428 	if (ret) {
429 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PMK");
430 		return -1;
431 	}
432 
433 	wpa_hexdump(MSG_DEBUG, "PASN: FILS: PMKID", pasn->fils.erp_pmkid,
434 		    PMKID_LEN);
435 
436 	wpa_printf(MSG_DEBUG, "PASN: FILS: ERP processing succeeded");
437 
438 	pasn->pmksa_entry = pmksa_cache_add(pasn->pmksa, pasn->pmk,
439 					    pasn->pmk_len, pasn->fils.erp_pmkid,
440 					    NULL, 0, pasn->peer_addr,
441 					    pasn->own_addr, NULL,
442 					    pasn->akmp, 0);
443 
444 	pasn->fils.completed = true;
445 	return 0;
446 }
447 
448 #endif /* CONFIG_FILS */
449 
450 
451 static struct wpabuf * wpas_pasn_get_wrapped_data(struct pasn_data *pasn)
452 {
453 	if (pasn->using_pmksa)
454 		return NULL;
455 
456 	switch (pasn->akmp) {
457 	case WPA_KEY_MGMT_PASN:
458 		/* no wrapped data */
459 		return NULL;
460 	case WPA_KEY_MGMT_SAE:
461 #ifdef CONFIG_SAE
462 		if (pasn->trans_seq == 0)
463 			return wpas_pasn_wd_sae_commit(pasn);
464 		if (pasn->trans_seq == 2)
465 			return wpas_pasn_wd_sae_confirm(pasn);
466 #endif /* CONFIG_SAE */
467 		wpa_printf(MSG_ERROR,
468 			   "PASN: SAE: Cannot derive wrapped data");
469 		return NULL;
470 	case WPA_KEY_MGMT_FILS_SHA256:
471 	case WPA_KEY_MGMT_FILS_SHA384:
472 #ifdef CONFIG_FILS
473 		return wpas_pasn_wd_fils_auth(pasn);
474 #endif /* CONFIG_FILS */
475 	case WPA_KEY_MGMT_FT_PSK:
476 	case WPA_KEY_MGMT_FT_IEEE8021X:
477 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
478 		/*
479 		 * Wrapped data with these AKMs is optional and is only needed
480 		 * for further validation of FT security parameters. For now do
481 		 * not use them.
482 		 */
483 		return NULL;
484 	default:
485 		wpa_printf(MSG_ERROR,
486 			   "PASN: TODO: Wrapped data for akmp=0x%x",
487 			   pasn->akmp);
488 		return NULL;
489 	}
490 }
491 
492 
493 static u8 wpas_pasn_get_wrapped_data_format(struct pasn_data *pasn)
494 {
495 	if (pasn->using_pmksa)
496 		return WPA_PASN_WRAPPED_DATA_NO;
497 
498 	/* Note: Valid AKMP is expected to already be validated */
499 	switch (pasn->akmp) {
500 	case WPA_KEY_MGMT_SAE:
501 		return WPA_PASN_WRAPPED_DATA_SAE;
502 	case WPA_KEY_MGMT_FILS_SHA256:
503 	case WPA_KEY_MGMT_FILS_SHA384:
504 		return WPA_PASN_WRAPPED_DATA_FILS_SK;
505 	case WPA_KEY_MGMT_FT_PSK:
506 	case WPA_KEY_MGMT_FT_IEEE8021X:
507 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
508 		/*
509 		 * Wrapped data with these AKMs is optional and is only needed
510 		 * for further validation of FT security parameters. For now do
511 		 * not use them.
512 		 */
513 		return WPA_PASN_WRAPPED_DATA_NO;
514 	case WPA_KEY_MGMT_PASN:
515 	default:
516 		return WPA_PASN_WRAPPED_DATA_NO;
517 	}
518 }
519 
520 
521 static struct wpabuf * wpas_pasn_build_auth_1(struct pasn_data *pasn,
522 					      const struct wpabuf *comeback,
523 					      bool verify)
524 {
525 	struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
526 	const u8 *pmkid;
527 	u8 wrapped_data;
528 	int ret;
529 
530 	wpa_printf(MSG_DEBUG, "PASN: Building frame 1");
531 
532 	if (pasn->trans_seq)
533 		return NULL;
534 
535 	buf = wpabuf_alloc(1500);
536 	if (!buf)
537 		goto fail;
538 
539 	/* Get public key */
540 	pubkey = crypto_ecdh_get_pubkey(pasn->ecdh, 0);
541 	pubkey = wpabuf_zeropad(pubkey, crypto_ecdh_prime_len(pasn->ecdh));
542 	if (!pubkey) {
543 		wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
544 		goto fail;
545 	}
546 
547 	wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
548 
549 	wpa_pasn_build_auth_header(buf, pasn->bssid,
550 				   pasn->own_addr, pasn->peer_addr,
551 				   pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
552 
553 	pmkid = NULL;
554 	if (wpa_key_mgmt_ft(pasn->akmp)) {
555 #ifdef CONFIG_IEEE80211R
556 		pmkid = pasn->pmk_r1_name;
557 #else /* CONFIG_IEEE80211R */
558 		goto fail;
559 #endif /* CONFIG_IEEE80211R */
560 	} else if (wrapped_data != WPA_PASN_WRAPPED_DATA_NO) {
561 		struct rsn_pmksa_cache_entry *pmksa;
562 
563 		pmksa = pmksa_cache_get(pasn->pmksa, pasn->peer_addr,
564 					pasn->own_addr, NULL, NULL, pasn->akmp);
565 		if (pmksa && pasn->custom_pmkid_valid)
566 			pmkid = pasn->custom_pmkid;
567 		else if (pmksa)
568 			pmkid = pmksa->pmkid;
569 
570 		/*
571 		 * Note: Even when PMKSA is available, also add wrapped data as
572 		 * it is possible that the PMKID is no longer valid at the AP.
573 		 */
574 		if (!verify)
575 			wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
576 	}
577 
578 	if (wpa_pasn_add_rsne(buf, pmkid, pasn->akmp, pasn->cipher) < 0)
579 		goto fail;
580 
581 	if (!wrapped_data_buf)
582 		wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
583 
584 	wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
585 				  pubkey, true, comeback, -1);
586 
587 	if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
588 		goto fail;
589 
590 	wpa_pasn_add_rsnxe(buf, pasn->rsnxe_capab);
591 
592 	wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len);
593 
594 	ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
595 				   wpabuf_head_u8(buf) + IEEE80211_HDRLEN,
596 				   wpabuf_len(buf) - IEEE80211_HDRLEN,
597 				   pasn->hash);
598 	if (ret) {
599 		wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
600 		goto fail;
601 	}
602 
603 	pasn->trans_seq++;
604 
605 	wpabuf_free(wrapped_data_buf);
606 	wpabuf_free(pubkey);
607 
608 	wpa_printf(MSG_DEBUG, "PASN: Frame 1: Success");
609 	return buf;
610 fail:
611 	pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
612 	wpabuf_free(wrapped_data_buf);
613 	wpabuf_free(pubkey);
614 	wpabuf_free(buf);
615 	return NULL;
616 }
617 
618 
619 static struct wpabuf * wpas_pasn_build_auth_3(struct pasn_data *pasn)
620 {
621 	struct wpabuf *buf, *wrapped_data_buf = NULL;
622 	u8 mic[WPA_PASN_MAX_MIC_LEN];
623 	u8 mic_len, data_len;
624 	const u8 *data;
625 	u8 *ptr;
626 	u8 wrapped_data;
627 	int ret;
628 
629 	wpa_printf(MSG_DEBUG, "PASN: Building frame 3");
630 
631 	if (pasn->trans_seq != 2)
632 		return NULL;
633 
634 	buf = wpabuf_alloc(1500);
635 	if (!buf)
636 		goto fail;
637 
638 	wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
639 
640 	wpa_pasn_build_auth_header(buf, pasn->bssid,
641 				   pasn->own_addr, pasn->peer_addr,
642 				   pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
643 
644 	wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
645 
646 	if (!wrapped_data_buf)
647 		wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
648 
649 	wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
650 				  NULL, false, NULL, -1);
651 
652 	if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
653 		goto fail;
654 	wpabuf_free(wrapped_data_buf);
655 	wrapped_data_buf = NULL;
656 
657 	/* Add the MIC */
658 	mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
659 	wpabuf_put_u8(buf, WLAN_EID_MIC);
660 	wpabuf_put_u8(buf, mic_len);
661 	ptr = wpabuf_put(buf, mic_len);
662 
663 	os_memset(ptr, 0, mic_len);
664 
665 	data = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
666 	data_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
667 
668 	ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
669 		       pasn->own_addr, pasn->peer_addr,
670 		       pasn->hash, mic_len * 2, data, data_len, mic);
671 	if (ret) {
672 		wpa_printf(MSG_DEBUG, "PASN: frame 3: Failed MIC calculation");
673 		goto fail;
674 	}
675 
676 #ifdef CONFIG_TESTING_OPTIONS
677 	if (pasn->corrupt_mic) {
678 		wpa_printf(MSG_DEBUG, "PASN: frame 3: Corrupt MIC");
679 		mic[0] = ~mic[0];
680 	}
681 #endif /* CONFIG_TESTING_OPTIONS */
682 
683 	os_memcpy(ptr, mic, mic_len);
684 
685 	pasn->trans_seq++;
686 
687 	wpa_printf(MSG_DEBUG, "PASN: frame 3: Success");
688 	return buf;
689 fail:
690 	pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
691 	wpabuf_free(wrapped_data_buf);
692 	wpabuf_free(buf);
693 	return NULL;
694 }
695 
696 
697 void wpa_pasn_reset(struct pasn_data *pasn)
698 {
699 	wpa_printf(MSG_DEBUG, "PASN: Reset");
700 
701 	crypto_ecdh_deinit(pasn->ecdh);
702 	pasn->ecdh = NULL;
703 
704 
705 	pasn->akmp = 0;
706 	pasn->cipher = 0;
707 	pasn->group = 0;
708 	pasn->trans_seq = 0;
709 	pasn->pmk_len = 0;
710 	pasn->using_pmksa = false;
711 
712 	forced_memzero(pasn->pmk, sizeof(pasn->pmk));
713 	forced_memzero(&pasn->ptk, sizeof(pasn->ptk));
714 	forced_memzero(&pasn->hash, sizeof(pasn->hash));
715 
716 	wpabuf_free(pasn->beacon_rsne_rsnxe);
717 	pasn->beacon_rsne_rsnxe = NULL;
718 
719 	wpabuf_free(pasn->comeback);
720 	pasn->comeback = NULL;
721 	pasn->comeback_after = 0;
722 
723 #ifdef CONFIG_SAE
724 	sae_clear_data(&pasn->sae);
725 	if (pasn->pt) {
726 		sae_deinit_pt(pasn->pt);
727 		pasn->pt = NULL;
728 	}
729 #endif /* CONFIG_SAE */
730 
731 #ifdef CONFIG_FILS
732 	pasn->fils_eapol = false;
733 	os_memset(&pasn->fils, 0, sizeof(pasn->fils));
734 #endif /* CONFIG_FILS*/
735 
736 #ifdef CONFIG_IEEE80211R
737 	forced_memzero(pasn->pmk_r1, sizeof(pasn->pmk_r1));
738 	pasn->pmk_r1_len = 0;
739 	os_memset(pasn->pmk_r1_name, 0, sizeof(pasn->pmk_r1_name));
740 #endif /* CONFIG_IEEE80211R */
741 	pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
742 	pasn->pmksa_entry = NULL;
743 #ifdef CONFIG_TESTING_OPTIONS
744 	pasn->corrupt_mic = 0;
745 #endif /* CONFIG_TESTING_OPTIONS */
746 	pasn->network_id = 0;
747 	pasn->derive_kdk = false;
748 	pasn->rsn_ie = NULL;
749 	pasn->rsn_ie_len = 0;
750 	pasn->rsnxe_ie = NULL;
751 	pasn->custom_pmkid_valid = false;
752 
753 	if (pasn->extra_ies) {
754 		os_free((u8 *) pasn->extra_ies);
755 		pasn->extra_ies = NULL;
756 	}
757 }
758 
759 
760 static int wpas_pasn_set_pmk(struct pasn_data *pasn,
761 			     struct wpa_ie_data *rsn_data,
762 			     struct wpa_pasn_params_data *pasn_data,
763 			     struct wpabuf *wrapped_data)
764 {
765 	static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
766 
767 	os_memset(pasn->pmk, 0, sizeof(pasn->pmk));
768 	pasn->pmk_len = 0;
769 
770 	if (pasn->akmp == WPA_KEY_MGMT_PASN) {
771 		wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
772 
773 		pasn->pmk_len = WPA_PASN_PMK_LEN;
774 		os_memcpy(pasn->pmk, pasn_default_pmk,
775 			  sizeof(pasn_default_pmk));
776 		return 0;
777 	}
778 
779 	if (wpa_key_mgmt_ft(pasn->akmp)) {
780 #ifdef CONFIG_IEEE80211R
781 		wpa_printf(MSG_DEBUG, "PASN: FT: Using PMK-R1");
782 		pasn->pmk_len = pasn->pmk_r1_len;
783 		os_memcpy(pasn->pmk, pasn->pmk_r1, pasn->pmk_r1_len);
784 		pasn->using_pmksa = true;
785 		return 0;
786 #else /* CONFIG_IEEE80211R */
787 		wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
788 		return -1;
789 #endif /* CONFIG_IEEE80211R */
790 	}
791 
792 	if (rsn_data->num_pmkid) {
793 		int ret;
794 		struct rsn_pmksa_cache_entry *pmksa;
795 		const u8 *pmkid = NULL;
796 
797 		if (pasn->custom_pmkid_valid) {
798 			ret = pasn->validate_custom_pmkid(pasn->cb_ctx,
799 							  pasn->peer_addr,
800 							  rsn_data->pmkid);
801 			if (ret) {
802 				wpa_printf(MSG_DEBUG,
803 					   "PASN: Failed custom PMKID validation");
804 				return -1;
805 			}
806 		} else {
807 			pmkid = rsn_data->pmkid;
808 		}
809 
810 		pmksa = pmksa_cache_get(pasn->pmksa, pasn->peer_addr,
811 					pasn->own_addr,
812 					pmkid, NULL, pasn->akmp);
813 		if (pmksa) {
814 			wpa_printf(MSG_DEBUG, "PASN: Using PMKSA");
815 
816 			pasn->pmk_len = pmksa->pmk_len;
817 			os_memcpy(pasn->pmk, pmksa->pmk, pmksa->pmk_len);
818 			pasn->using_pmksa = true;
819 
820 			return 0;
821 		}
822 	}
823 
824 #ifdef CONFIG_SAE
825 	if (pasn->akmp == WPA_KEY_MGMT_SAE) {
826 		int ret;
827 
828 		ret = wpas_pasn_wd_sae_rx(pasn, wrapped_data);
829 		if (ret) {
830 			wpa_printf(MSG_DEBUG,
831 				   "PASN: Failed processing SAE wrapped data");
832 			pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
833 			return -1;
834 		}
835 
836 		wpa_printf(MSG_DEBUG, "PASN: Success deriving PMK with SAE");
837 		pasn->pmk_len = PMK_LEN;
838 		os_memcpy(pasn->pmk, pasn->sae.pmk, PMK_LEN);
839 
840 		pasn->pmksa_entry = pmksa_cache_add(pasn->pmksa, pasn->pmk,
841 						    pasn->pmk_len,
842 						    pasn->sae.pmkid,
843 						    NULL, 0, pasn->peer_addr,
844 						    pasn->own_addr, NULL,
845 						    pasn->akmp, 0);
846 		return 0;
847 	}
848 #endif /* CONFIG_SAE */
849 
850 #ifdef CONFIG_FILS
851 	if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
852 	    pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
853 		int ret;
854 
855 		ret = wpas_pasn_wd_fils_rx(pasn, wrapped_data);
856 		if (ret) {
857 			wpa_printf(MSG_DEBUG,
858 				   "PASN: Failed processing FILS wrapped data");
859 			pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
860 			return -1;
861 		}
862 
863 		return 0;
864 	}
865 #endif	/* CONFIG_FILS */
866 
867 	/* TODO: Derive PMK based on wrapped data */
868 	wpa_printf(MSG_DEBUG, "PASN: Missing implementation to derive PMK");
869 	pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
870 	return -1;
871 }
872 
873 
874 static int wpas_pasn_send_auth_1(struct pasn_data *pasn, const u8 *own_addr,
875 				 const u8 *peer_addr, const u8 *bssid, int akmp,
876 				 int cipher, u16 group, int freq,
877 				 const u8 *beacon_rsne, u8 beacon_rsne_len,
878 				 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
879 				 const struct wpabuf *comeback, bool verify)
880 {
881 	struct wpabuf *frame;
882 	int ret;
883 
884 	pasn->ecdh = crypto_ecdh_init(group);
885 	if (!pasn->ecdh) {
886 		wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
887 		goto fail;
888 	}
889 
890 	if (beacon_rsne && beacon_rsne_len) {
891 		pasn->beacon_rsne_rsnxe = wpabuf_alloc(beacon_rsne_len +
892 						       beacon_rsnxe_len);
893 		if (!pasn->beacon_rsne_rsnxe) {
894 			wpa_printf(MSG_DEBUG,
895 				   "PASN: Failed storing beacon RSNE/RSNXE");
896 			goto fail;
897 		}
898 
899 		wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsne,
900 				beacon_rsne_len);
901 		if (beacon_rsnxe && beacon_rsnxe_len)
902 			wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsnxe,
903 					beacon_rsnxe_len);
904 	}
905 
906 	pasn->akmp = akmp;
907 	pasn->cipher = cipher;
908 	pasn->group = group;
909 	pasn->freq = freq;
910 
911 	os_memcpy(pasn->own_addr, own_addr, ETH_ALEN);
912 	os_memcpy(pasn->peer_addr, peer_addr, ETH_ALEN);
913 	os_memcpy(pasn->bssid, bssid, ETH_ALEN);
914 
915 	wpa_printf(MSG_DEBUG,
916 		   "PASN: Init%s: " MACSTR " akmp=0x%x, cipher=0x%x, group=%u",
917 		   verify ? " (verify)" : "",
918 		   MAC2STR(pasn->peer_addr), pasn->akmp, pasn->cipher,
919 		   pasn->group);
920 
921 	frame = wpas_pasn_build_auth_1(pasn, comeback, verify);
922 	if (!frame) {
923 		wpa_printf(MSG_DEBUG, "PASN: Failed building 1st auth frame");
924 		goto fail;
925 	}
926 
927 	ret = pasn->send_mgmt(pasn->cb_ctx,
928 			      wpabuf_head(frame), wpabuf_len(frame), 0,
929 			      pasn->freq, 1000);
930 
931 	wpabuf_free(frame);
932 	if (ret) {
933 		wpa_printf(MSG_DEBUG, "PASN: Failed sending 1st auth frame");
934 		goto fail;
935 	}
936 
937 	return 0;
938 
939 fail:
940 	return -1;
941 }
942 
943 
944 int wpas_pasn_start(struct pasn_data *pasn, const u8 *own_addr,
945 		    const u8 *peer_addr, const u8 *bssid,
946 		    int akmp, int cipher, u16 group,
947 		    int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
948 		    const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
949 		    const struct wpabuf *comeback)
950 {
951 	/* TODO: Currently support only ECC groups */
952 	if (!dragonfly_suitable_group(group, 1)) {
953 		wpa_printf(MSG_DEBUG,
954 			   "PASN: Reject unsuitable group %u", group);
955 		return -1;
956 	}
957 
958 	switch (akmp) {
959 	case WPA_KEY_MGMT_PASN:
960 		break;
961 #ifdef CONFIG_SAE
962 	case WPA_KEY_MGMT_SAE:
963 
964 		if (beacon_rsnxe &&
965 		    !ieee802_11_rsnx_capab(beacon_rsnxe,
966 					   WLAN_RSNX_CAPAB_SAE_H2E)) {
967 			wpa_printf(MSG_DEBUG,
968 				   "PASN: AP does not support SAE H2E");
969 			return -1;
970 		}
971 
972 		pasn->sae.state = SAE_NOTHING;
973 		pasn->sae.send_confirm = 0;
974 		break;
975 #endif /* CONFIG_SAE */
976 #ifdef CONFIG_FILS
977 	case WPA_KEY_MGMT_FILS_SHA256:
978 	case WPA_KEY_MGMT_FILS_SHA384:
979 		break;
980 #endif /* CONFIG_FILS */
981 #ifdef CONFIG_IEEE80211R
982 	case WPA_KEY_MGMT_FT_PSK:
983 	case WPA_KEY_MGMT_FT_IEEE8021X:
984 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
985 		break;
986 #endif /* CONFIG_IEEE80211R */
987 	default:
988 		wpa_printf(MSG_ERROR, "PASN: Unsupported AKMP=0x%x", akmp);
989 		return -1;
990 	}
991 
992 	return wpas_pasn_send_auth_1(pasn, own_addr, peer_addr, bssid, akmp,
993 				     cipher, group,
994 				     freq, beacon_rsne, beacon_rsne_len,
995 				     beacon_rsnxe, beacon_rsnxe_len, comeback,
996 				     false);
997 }
998 
999 /*
1000  * Wi-Fi Aware uses PASN handshake to authenticate peer devices.
1001  * Devices can simply verify each other for subsequent sessions using
1002  * pairing verification procedure.
1003  *
1004  * In pairing verification, Wi-Fi aware devices use PASN authentication
1005  * frames with a custom PMKID and Wi-Fi Aware R4 specific verification IEs.
1006  * It does not use wrapped data in the Authentication frames. This function
1007  * provides support to construct PASN Authentication frames for pairing
1008  * verification.
1009  */
1010 int wpa_pasn_verify(struct pasn_data *pasn, const u8 *own_addr,
1011 		    const u8 *peer_addr, const u8 *bssid,
1012 		    int akmp, int cipher, u16 group,
1013 		    int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
1014 		    const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
1015 		    const struct wpabuf *comeback)
1016 {
1017 	return wpas_pasn_send_auth_1(pasn, own_addr, peer_addr, bssid, akmp,
1018 				     cipher, group, freq, beacon_rsne,
1019 				     beacon_rsne_len, beacon_rsnxe,
1020 				     beacon_rsnxe_len, comeback, true);
1021 }
1022 
1023 
1024 static bool is_pasn_auth_frame(struct pasn_data *pasn,
1025 			       const struct ieee80211_mgmt *mgmt,
1026 			       size_t len, bool rx)
1027 {
1028 	u16 fc;
1029 
1030 	if (!mgmt || len < offsetof(struct ieee80211_mgmt, u.auth.variable))
1031 		return false;
1032 
1033 	/* Not an Authentication frame; do nothing */
1034 	fc = le_to_host16(mgmt->frame_control);
1035 	if (WLAN_FC_GET_TYPE(fc) != WLAN_FC_TYPE_MGMT ||
1036 	    WLAN_FC_GET_STYPE(fc) != WLAN_FC_STYPE_AUTH)
1037 		return false;
1038 
1039 	/* Not our frame; do nothing */
1040 	if (!ether_addr_equal(mgmt->bssid, pasn->bssid))
1041 		return false;
1042 
1043 	if (rx && (!ether_addr_equal(mgmt->da, pasn->own_addr) ||
1044 		   !ether_addr_equal(mgmt->sa, pasn->peer_addr)))
1045 		return false;
1046 
1047 	if (!rx && (!ether_addr_equal(mgmt->sa, pasn->own_addr) ||
1048 		    !ether_addr_equal(mgmt->da, pasn->peer_addr)))
1049 		return false;
1050 
1051 	/* Not PASN; do nothing */
1052 	if (mgmt->u.auth.auth_alg != host_to_le16(WLAN_AUTH_PASN))
1053 		return false;
1054 
1055 	return true;
1056 }
1057 
1058 
1059 int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
1060 		     struct wpa_pasn_params_data *pasn_params)
1061 
1062 {
1063 	struct ieee802_11_elems elems;
1064 	struct wpa_ie_data rsn_data;
1065 	const struct ieee80211_mgmt *mgmt =
1066 		(const struct ieee80211_mgmt *) data;
1067 	struct wpabuf *wrapped_data = NULL, *secret = NULL, *frame = NULL;
1068 	u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
1069 	u8 mic_len;
1070 	u16 status;
1071 	int ret, inc_y;
1072 	u8 *copy = NULL;
1073 	size_t mic_offset, copy_len;
1074 
1075 	if (!is_pasn_auth_frame(pasn, mgmt, len, true))
1076 		return -2;
1077 
1078 	if (mgmt->u.auth.auth_transaction !=
1079 	    host_to_le16(pasn->trans_seq + 1)) {
1080 		wpa_printf(MSG_DEBUG,
1081 			   "PASN: RX: Invalid transaction sequence: (%u != %u)",
1082 			   le_to_host16(mgmt->u.auth.auth_transaction),
1083 			   pasn->trans_seq + 1);
1084 		return -3;
1085 	}
1086 
1087 	status = le_to_host16(mgmt->u.auth.status_code);
1088 
1089 	if (status != WLAN_STATUS_SUCCESS &&
1090 	    status != WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1091 		wpa_printf(MSG_DEBUG,
1092 			   "PASN: Authentication rejected - status=%u", status);
1093 		goto fail;
1094 	}
1095 
1096 	if (ieee802_11_parse_elems(mgmt->u.auth.variable,
1097 				   len - offsetof(struct ieee80211_mgmt,
1098 						  u.auth.variable),
1099 				   &elems, 0) == ParseFailed) {
1100 		wpa_printf(MSG_DEBUG,
1101 			   "PASN: Failed parsing Authentication frame");
1102 		goto fail;
1103 	}
1104 
1105 	/* Check that the MIC IE exists. Save it and zero out the memory */
1106 	mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
1107 	if (status == WLAN_STATUS_SUCCESS) {
1108 		if (!elems.mic || elems.mic_len != mic_len) {
1109 			wpa_printf(MSG_DEBUG,
1110 				   "PASN: Invalid MIC. Expecting len=%u",
1111 				   mic_len);
1112 			goto fail;
1113 		}
1114 		os_memcpy(mic, elems.mic, mic_len);
1115 	}
1116 
1117 	if (!elems.pasn_params || !elems.pasn_params_len) {
1118 		wpa_printf(MSG_DEBUG,
1119 			   "PASN: Missing PASN Parameters IE");
1120 		goto fail;
1121 	}
1122 
1123 	if (!pasn_params) {
1124 		wpa_printf(MSG_DEBUG, "PASN: pasn_params == NULL");
1125 		goto fail;
1126 	}
1127 
1128 	ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
1129 					  elems.pasn_params_len + 3,
1130 					  true, pasn_params);
1131 	if (ret) {
1132 		wpa_printf(MSG_DEBUG,
1133 			   "PASN: Failed validation PASN of Parameters IE");
1134 		goto fail;
1135 	}
1136 
1137 	if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1138 		wpa_printf(MSG_DEBUG,
1139 			   "PASN: Authentication temporarily rejected");
1140 
1141 		if (pasn_params->comeback && pasn_params->comeback_len) {
1142 			wpa_printf(MSG_DEBUG,
1143 				   "PASN: Comeback token available. After=%u",
1144 				   pasn_params->after);
1145 
1146 			if (!pasn_params->after)
1147 				return 1;
1148 
1149 			pasn->comeback = wpabuf_alloc_copy(
1150 				pasn_params->comeback,
1151 				pasn_params->comeback_len);
1152 			if (pasn->comeback)
1153 				pasn->comeback_after = pasn_params->after;
1154 		}
1155 
1156 		pasn->status = status;
1157 		goto fail;
1158 	}
1159 
1160 	if (!elems.rsn_ie) {
1161 		wpa_printf(MSG_DEBUG, "PASN: Missing RSNE");
1162 		goto fail;
1163 	}
1164 
1165 	ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1166 			       &rsn_data);
1167 	if (ret) {
1168 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE");
1169 		goto fail;
1170 	}
1171 
1172 	ret = wpa_pasn_validate_rsne(&rsn_data);
1173 	if (ret) {
1174 		wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
1175 		goto fail;
1176 	}
1177 
1178 	if (pasn->akmp != rsn_data.key_mgmt ||
1179 	    pasn->cipher != rsn_data.pairwise_cipher) {
1180 		wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
1181 		goto fail;
1182 	}
1183 
1184 	if (pasn->group != pasn_params->group) {
1185 		wpa_printf(MSG_DEBUG, "PASN: Mismatch in group");
1186 		goto fail;
1187 	}
1188 
1189 	if (!pasn_params->pubkey || !pasn_params->pubkey_len) {
1190 		wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
1191 		goto fail;
1192 	}
1193 
1194 	if (pasn_params->pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
1195 		inc_y = 1;
1196 	} else if (pasn_params->pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
1197 		   pasn_params->pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
1198 		inc_y = 0;
1199 	} else {
1200 		wpa_printf(MSG_DEBUG,
1201 			   "PASN: Invalid first octet in pubkey=0x%x",
1202 			   pasn_params->pubkey[0]);
1203 		goto fail;
1204 	}
1205 
1206 	secret = crypto_ecdh_set_peerkey(pasn->ecdh, inc_y,
1207 					 pasn_params->pubkey + 1,
1208 					 pasn_params->pubkey_len - 1);
1209 
1210 	if (!secret) {
1211 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
1212 		goto fail;
1213 	}
1214 
1215 	if (pasn_params->wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
1216 		wrapped_data = ieee802_11_defrag(elems.wrapped_data,
1217 						 elems.wrapped_data_len,
1218 						 true);
1219 
1220 		if (!wrapped_data) {
1221 			wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
1222 			goto fail;
1223 		}
1224 	}
1225 
1226 	ret = wpas_pasn_set_pmk(pasn, &rsn_data, pasn_params, wrapped_data);
1227 	if (ret) {
1228 		wpa_printf(MSG_DEBUG, "PASN: Failed to set PMK");
1229 		goto fail;
1230 	}
1231 
1232 	ret = pasn_pmk_to_ptk(pasn->pmk, pasn->pmk_len,
1233 			      pasn->own_addr, pasn->peer_addr,
1234 			      wpabuf_head(secret), wpabuf_len(secret),
1235 			      &pasn->ptk, pasn->akmp, pasn->cipher,
1236 			      pasn->kdk_len);
1237 	if (ret) {
1238 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
1239 		goto fail;
1240 	}
1241 
1242 	if (pasn->secure_ltf) {
1243 		ret = wpa_ltf_keyseed(&pasn->ptk, pasn->akmp, pasn->cipher);
1244 		if (ret) {
1245 			wpa_printf(MSG_DEBUG,
1246 				   "PASN: Failed to derive LTF keyseed");
1247 			goto fail;
1248 		}
1249 	}
1250 
1251 	wpabuf_free(wrapped_data);
1252 	wrapped_data = NULL;
1253 	wpabuf_free(secret);
1254 	secret = NULL;
1255 
1256 	/* Use a copy of the message since we need to clear the MIC field */
1257 	if (!elems.mic)
1258 		goto fail;
1259 	mic_offset = elems.mic - (const u8 *) &mgmt->u.auth;
1260 	copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
1261 	if (mic_offset + mic_len > copy_len)
1262 		goto fail;
1263 	copy = os_memdup(&mgmt->u.auth, copy_len);
1264 	if (!copy)
1265 		goto fail;
1266 	os_memset(copy + mic_offset, 0, mic_len);
1267 
1268 	if (pasn->beacon_rsne_rsnxe) {
1269 		/* Verify the MIC */
1270 		ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1271 			       pasn->peer_addr, pasn->own_addr,
1272 			       wpabuf_head(pasn->beacon_rsne_rsnxe),
1273 			       wpabuf_len(pasn->beacon_rsne_rsnxe),
1274 			       copy, copy_len, out_mic);
1275 	} else {
1276 		u8 *rsne_rsnxe;
1277 		size_t rsne_rsnxe_len = 0;
1278 
1279 		/*
1280 		 * Note: When Beacon rsne_rsnxe is not initialized, it is likely
1281 		 * that this is for Wi-Fi Aware using PASN handshake for which
1282 		 * Beacon RSNE/RSNXE are same as RSNE/RSNXE in the
1283 		 * Authentication frame
1284 		 */
1285 		if (elems.rsn_ie && elems.rsn_ie_len)
1286 			rsne_rsnxe_len += elems.rsn_ie_len + 2;
1287 		if (elems.rsnxe && elems.rsnxe_len)
1288 			rsne_rsnxe_len += elems.rsnxe_len + 2;
1289 
1290 		rsne_rsnxe = os_zalloc(rsne_rsnxe_len);
1291 		if (!rsne_rsnxe)
1292 			goto fail;
1293 
1294 		if (elems.rsn_ie && elems.rsn_ie_len)
1295 			os_memcpy(rsne_rsnxe, elems.rsn_ie - 2,
1296 				  elems.rsn_ie_len + 2);
1297 		if (elems.rsnxe && elems.rsnxe_len)
1298 			os_memcpy(rsne_rsnxe + elems.rsn_ie_len + 2,
1299 				  elems.rsnxe - 2, elems.rsnxe_len + 2);
1300 
1301 		wpa_hexdump_key(MSG_DEBUG, "PASN: RSN + RSNXE buf",
1302 				rsne_rsnxe, rsne_rsnxe_len);
1303 
1304 		/* Verify the MIC */
1305 		ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1306 			       pasn->peer_addr, pasn->own_addr,
1307 			       rsne_rsnxe,
1308 			       rsne_rsnxe_len,
1309 			       copy, copy_len, out_mic);
1310 
1311 		os_free(rsne_rsnxe);
1312 	}
1313 	os_free(copy);
1314 	copy = NULL;
1315 
1316 	wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
1317 	if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
1318 		wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
1319 		goto fail;
1320 	}
1321 
1322 	pasn->trans_seq++;
1323 
1324 	wpa_printf(MSG_DEBUG, "PASN: Success verifying Authentication frame");
1325 
1326 	frame = wpas_pasn_build_auth_3(pasn);
1327 	if (!frame) {
1328 		wpa_printf(MSG_DEBUG, "PASN: Failed building 3rd auth frame");
1329 		goto fail;
1330 	}
1331 
1332 	ret = pasn->send_mgmt(pasn->cb_ctx,
1333 			      wpabuf_head(frame), wpabuf_len(frame), 0,
1334 			      pasn->freq, 100);
1335 	wpabuf_free(frame);
1336 	if (ret) {
1337 		wpa_printf(MSG_DEBUG, "PASN: Failed sending 3st auth frame");
1338 		goto fail;
1339 	}
1340 
1341 	wpa_printf(MSG_DEBUG, "PASN: Success sending last frame. Store PTK");
1342 
1343 	pasn->status = WLAN_STATUS_SUCCESS;
1344 
1345 	return 0;
1346 fail:
1347 	wpa_printf(MSG_DEBUG, "PASN: Failed RX processing - terminating");
1348 	wpabuf_free(wrapped_data);
1349 	wpabuf_free(secret);
1350 	os_free(copy);
1351 
1352 	/*
1353 	 * TODO: In case of an error the standard allows to silently drop
1354 	 * the frame and terminate the authentication exchange. However, better
1355 	 * reply to the AP with an error status.
1356 	 */
1357 	if (status == WLAN_STATUS_SUCCESS)
1358 		pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1359 	else
1360 		pasn->status = status;
1361 
1362 	return -1;
1363 }
1364 
1365 
1366 int wpa_pasn_auth_tx_status(struct pasn_data *pasn,
1367 			    const u8 *data, size_t data_len, u8 acked)
1368 
1369 {
1370 	const struct ieee80211_mgmt *mgmt =
1371 		(const struct ieee80211_mgmt *) data;
1372 
1373 	wpa_printf(MSG_DEBUG, "PASN: auth_tx_status: acked=%u", acked);
1374 
1375 	if (!is_pasn_auth_frame(pasn, mgmt, data_len, false))
1376 		return -1;
1377 
1378 	if (mgmt->u.auth.auth_transaction != host_to_le16(pasn->trans_seq)) {
1379 		wpa_printf(MSG_ERROR,
1380 			   "PASN: Invalid transaction sequence: (%u != %u)",
1381 			   pasn->trans_seq,
1382 			   le_to_host16(mgmt->u.auth.auth_transaction));
1383 		return 0;
1384 	}
1385 
1386 	wpa_printf(MSG_ERROR,
1387 		   "PASN: auth with trans_seq=%u, acked=%u", pasn->trans_seq,
1388 		   acked);
1389 
1390 	/*
1391 	 * Even if the frame was not acked, do not treat this is an error, and
1392 	 * try to complete the flow, relying on the PASN timeout callback to
1393 	 * clean up.
1394 	 */
1395 	if (pasn->trans_seq == 3) {
1396 		wpa_printf(MSG_DEBUG, "PASN: auth complete with: " MACSTR,
1397 			   MAC2STR(pasn->peer_addr));
1398 		/*
1399 		 * Either frame was not ACKed or it was ACKed but the trans_seq
1400 		 * != 1, i.e., not expecting an RX frame, so we are done.
1401 		 */
1402 		return 1;
1403 	}
1404 
1405 	return 0;
1406 }
1407