xref: /freebsd/contrib/wpa/src/pasn/pasn_responder.c (revision 5b56413d04e608379c9a306373554a8e4d321bc0)
1 /*
2  * PASN responder processing
3  *
4  * Copyright (C) 2019, Intel Corporation
5  * Copyright (C) 2022, Qualcomm Innovation Center, Inc.
6  *
7  * This software may be distributed under the terms of the BSD license.
8  * See README for more details.
9  */
10 
11 #include "utils/includes.h"
12 
13 #include "utils/common.h"
14 #include "common/wpa_common.h"
15 #include "common/sae.h"
16 #include "common/ieee802_11_common.h"
17 #include "common/ieee802_11_defs.h"
18 #include "crypto/sha384.h"
19 #include "crypto/sha256.h"
20 #include "crypto/random.h"
21 #include "crypto/crypto.h"
22 #include "ap/hostapd.h"
23 #include "ap/comeback_token.h"
24 #include "ap/ieee802_1x.h"
25 #include "ap/pmksa_cache_auth.h"
26 #include "pasn_common.h"
27 
28 
29 void pasn_set_responder_pmksa(struct pasn_data *pasn,
30 			      struct rsn_pmksa_cache *pmksa)
31 {
32 	if (pasn)
33 		pasn->pmksa = pmksa;
34 }
35 
36 
37 #ifdef CONFIG_PASN
38 #ifdef CONFIG_SAE
39 
40 static int pasn_wd_handle_sae_commit(struct pasn_data *pasn,
41 				     const u8 *own_addr, const u8 *peer_addr,
42 				     struct wpabuf *wd)
43 {
44 	const u8 *data;
45 	size_t buf_len;
46 	u16 res, alg, seq, status;
47 	int groups[] = { pasn->group, 0 };
48 	int ret;
49 
50 	if (!wd)
51 		return -1;
52 
53 	data = wpabuf_head_u8(wd);
54 	buf_len = wpabuf_len(wd);
55 
56 	if (buf_len < 6) {
57 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
58 			   buf_len);
59 		return -1;
60 	}
61 
62 	alg = WPA_GET_LE16(data);
63 	seq = WPA_GET_LE16(data + 2);
64 	status = WPA_GET_LE16(data + 4);
65 
66 	wpa_printf(MSG_DEBUG, "PASN: SAE commit: alg=%u, seq=%u, status=%u",
67 		   alg, seq, status);
68 
69 	if (alg != WLAN_AUTH_SAE || seq != 1 ||
70 	    status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
71 		wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE commit");
72 		return -1;
73 	}
74 
75 	sae_clear_data(&pasn->sae);
76 	pasn->sae.state = SAE_NOTHING;
77 
78 	ret = sae_set_group(&pasn->sae, pasn->group);
79 	if (ret) {
80 		wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
81 		return -1;
82 	}
83 
84 	if (!pasn->password || !pasn->pt) {
85 		wpa_printf(MSG_DEBUG, "PASN: No SAE PT found");
86 		return -1;
87 	}
88 
89 	ret = sae_prepare_commit_pt(&pasn->sae, pasn->pt, own_addr, peer_addr,
90 				    NULL, NULL);
91 	if (ret) {
92 		wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
93 		return -1;
94 	}
95 
96 	res = sae_parse_commit(&pasn->sae, data + 6, buf_len - 6, NULL, 0,
97 			       groups, 0, NULL);
98 	if (res != WLAN_STATUS_SUCCESS) {
99 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing SAE commit");
100 		return -1;
101 	}
102 
103 	/* Process the commit message and derive the PMK */
104 	ret = sae_process_commit(&pasn->sae);
105 	if (ret) {
106 		wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
107 		return -1;
108 	}
109 
110 	pasn->sae.state = SAE_COMMITTED;
111 
112 	return 0;
113 }
114 
115 
116 static int pasn_wd_handle_sae_confirm(struct pasn_data *pasn,
117 				      const u8 *peer_addr, struct wpabuf *wd)
118 {
119 	const u8 *data;
120 	size_t buf_len;
121 	u16 res, alg, seq, status;
122 
123 	if (!wd)
124 		return -1;
125 
126 	data = wpabuf_head_u8(wd);
127 	buf_len = wpabuf_len(wd);
128 
129 	if (buf_len < 6) {
130 		wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%zu",
131 			   buf_len);
132 		return -1;
133 	}
134 
135 	alg = WPA_GET_LE16(data);
136 	seq = WPA_GET_LE16(data + 2);
137 	status = WPA_GET_LE16(data + 4);
138 
139 	wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
140 		   alg, seq, status);
141 
142 	if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
143 		wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
144 		return -1;
145 	}
146 
147 	res = sae_check_confirm(&pasn->sae, data + 6, buf_len - 6, NULL);
148 	if (res != WLAN_STATUS_SUCCESS) {
149 		wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
150 		return -1;
151 	}
152 
153 	pasn->sae.state = SAE_ACCEPTED;
154 
155 	/*
156 	 * TODO: Based on on IEEE P802.11az/D2.6, the PMKSA derived with
157 	 * PASN/SAE should only be allowed with future PASN only. For now do not
158 	 * restrict this only for PASN.
159 	 */
160 	if (pasn->disable_pmksa_caching)
161 		return 0;
162 
163 	wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE",
164 			pasn->sae.pmk, pasn->sae.pmk_len);
165 	if (!pasn->sae.akmp)
166 		pasn->sae.akmp = WPA_KEY_MGMT_SAE;
167 
168 	pmksa_cache_auth_add(pasn->pmksa, pasn->sae.pmk, pasn->sae.pmk_len,
169 			     pasn->sae.pmkid, NULL, 0, pasn->own_addr,
170 			     peer_addr, 0, NULL, pasn->sae.akmp);
171 	return 0;
172 }
173 
174 
175 static struct wpabuf * pasn_get_sae_wd(struct pasn_data *pasn)
176 {
177 	struct wpabuf *buf = NULL;
178 	u8 *len_ptr;
179 	size_t len;
180 
181 	/* Need to add the entire Authentication frame body */
182 	buf = wpabuf_alloc(8 + SAE_COMMIT_MAX_LEN + 8 + SAE_CONFIRM_MAX_LEN);
183 	if (!buf) {
184 		wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
185 		return NULL;
186 	}
187 
188 	/* Need to add the entire authentication frame body for the commit */
189 	len_ptr = wpabuf_put(buf, 2);
190 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
191 	wpabuf_put_le16(buf, 1);
192 	wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
193 
194 	/* Write the actual commit and update the length accordingly */
195 	sae_write_commit(&pasn->sae, buf, NULL, 0);
196 	len = wpabuf_len(buf);
197 	WPA_PUT_LE16(len_ptr, len - 2);
198 
199 	/* Need to add the entire Authentication frame body for the confirm */
200 	len_ptr = wpabuf_put(buf, 2);
201 	wpabuf_put_le16(buf, WLAN_AUTH_SAE);
202 	wpabuf_put_le16(buf, 2);
203 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
204 
205 	sae_write_confirm(&pasn->sae, buf);
206 	WPA_PUT_LE16(len_ptr, wpabuf_len(buf) - len - 2);
207 
208 	pasn->sae.state = SAE_CONFIRMED;
209 
210 	return buf;
211 }
212 
213 #endif /* CONFIG_SAE */
214 
215 
216 #ifdef CONFIG_FILS
217 
218 static struct wpabuf * pasn_get_fils_wd(struct pasn_data *pasn)
219 {
220 	struct pasn_fils *fils = &pasn->fils;
221 	struct wpabuf *buf = NULL;
222 
223 	if (!fils->erp_resp) {
224 		wpa_printf(MSG_DEBUG, "PASN: FILS: Missing erp_resp");
225 		return NULL;
226 	}
227 
228 	buf = wpabuf_alloc(1500);
229 	if (!buf)
230 		return NULL;
231 
232 	/* Add the authentication algorithm */
233 	wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
234 
235 	/* Authentication Transaction seq# */
236 	wpabuf_put_le16(buf, 2);
237 
238 	/* Status Code */
239 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
240 
241 	/* Own RSNE */
242 	wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
243 
244 	/* FILS Nonce */
245 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
246 	wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
247 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
248 	wpabuf_put_data(buf, fils->anonce, FILS_NONCE_LEN);
249 
250 	/* FILS Session */
251 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
252 	wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
253 	wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
254 	wpabuf_put_data(buf, fils->session, FILS_SESSION_LEN);
255 
256 	/* Wrapped Data */
257 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
258 	wpabuf_put_u8(buf, 1 + wpabuf_len(fils->erp_resp));
259 	wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
260 	wpabuf_put_buf(buf, fils->erp_resp);
261 
262 	return buf;
263 }
264 
265 #endif /* CONFIG_FILS */
266 
267 static struct wpabuf * pasn_get_wrapped_data(struct pasn_data *pasn)
268 {
269 	switch (pasn->akmp) {
270 	case WPA_KEY_MGMT_PASN:
271 		/* no wrapped data */
272 		return NULL;
273 	case WPA_KEY_MGMT_SAE:
274 #ifdef CONFIG_SAE
275 		return pasn_get_sae_wd(pasn);
276 #else /* CONFIG_SAE */
277 		wpa_printf(MSG_ERROR,
278 			   "PASN: SAE: Cannot derive wrapped data");
279 		return NULL;
280 #endif /* CONFIG_SAE */
281 	case WPA_KEY_MGMT_FILS_SHA256:
282 	case WPA_KEY_MGMT_FILS_SHA384:
283 #ifdef CONFIG_FILS
284 		return pasn_get_fils_wd(pasn);
285 #endif /* CONFIG_FILS */
286 		/* fall through */
287 	case WPA_KEY_MGMT_FT_PSK:
288 	case WPA_KEY_MGMT_FT_IEEE8021X:
289 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
290 	default:
291 		wpa_printf(MSG_ERROR,
292 			   "PASN: TODO: Wrapped data for akmp=0x%x",
293 			   pasn->akmp);
294 		return NULL;
295 	}
296 }
297 
298 
299 static int
300 pasn_derive_keys(struct pasn_data *pasn,
301 		 const u8 *own_addr, const u8 *peer_addr,
302 		 const u8 *cached_pmk, size_t cached_pmk_len,
303 		 struct wpa_pasn_params_data *pasn_data,
304 		 struct wpabuf *wrapped_data,
305 		 struct wpabuf *secret)
306 {
307 	static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
308 	u8 pmk[PMK_LEN_MAX];
309 	u8 pmk_len;
310 	int ret;
311 
312 	os_memset(pmk, 0, sizeof(pmk));
313 	pmk_len = 0;
314 
315 	if (!cached_pmk || !cached_pmk_len)
316 		wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
317 
318 	if (pasn->akmp == WPA_KEY_MGMT_PASN) {
319 		wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
320 
321 		pmk_len = WPA_PASN_PMK_LEN;
322 		os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
323 	} else if (cached_pmk && cached_pmk_len) {
324 		wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
325 
326 		pmk_len = cached_pmk_len;
327 		os_memcpy(pmk, cached_pmk, cached_pmk_len);
328 	} else {
329 		switch (pasn->akmp) {
330 #ifdef CONFIG_SAE
331 		case WPA_KEY_MGMT_SAE:
332 			if (pasn->sae.state == SAE_COMMITTED) {
333 				pmk_len = PMK_LEN;
334 				os_memcpy(pmk, pasn->sae.pmk, PMK_LEN);
335 				break;
336 			}
337 #endif /* CONFIG_SAE */
338 			/* fall through */
339 		default:
340 			/* TODO: Derive PMK based on wrapped data */
341 			wpa_printf(MSG_DEBUG,
342 				   "PASN: Missing PMK derivation");
343 			return -1;
344 		}
345 	}
346 
347 	pasn->pmk_len = pmk_len;
348 	os_memcpy(pasn->pmk, pmk, pmk_len);
349 	ret = pasn_pmk_to_ptk(pmk, pmk_len, peer_addr, own_addr,
350 			      wpabuf_head(secret), wpabuf_len(secret),
351 			      &pasn->ptk, pasn->akmp,
352 			      pasn->cipher, pasn->kdk_len);
353 	if (ret) {
354 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
355 		return -1;
356 	}
357 
358 	if (pasn->secure_ltf) {
359 		ret = wpa_ltf_keyseed(&pasn->ptk, pasn->akmp,
360 				      pasn->cipher);
361 		if (ret) {
362 			wpa_printf(MSG_DEBUG,
363 				   "PASN: Failed to derive LTF keyseed");
364 			return -1;
365 		}
366 	}
367 
368 	wpa_printf(MSG_DEBUG, "PASN: PTK successfully derived");
369 	return 0;
370 }
371 
372 
373 static void handle_auth_pasn_comeback(struct pasn_data *pasn,
374 				      const u8 *own_addr, const u8 *peer_addr,
375 				      u16 group)
376 {
377 	struct wpabuf *buf, *comeback;
378 	int ret;
379 
380 	wpa_printf(MSG_DEBUG,
381 		   "PASN: Building comeback frame 2. Comeback after=%u",
382 		   pasn->comeback_after);
383 
384 	buf = wpabuf_alloc(1500);
385 	if (!buf)
386 		return;
387 
388 	wpa_pasn_build_auth_header(buf, pasn->bssid, own_addr, peer_addr, 2,
389 				   WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY);
390 
391 	/*
392 	 * Do not include the group as a part of the token since it is not going
393 	 * to be used.
394 	 */
395 	comeback = auth_build_token_req(&pasn->last_comeback_key_update,
396 					pasn->comeback_key, pasn->comeback_idx,
397 					pasn->comeback_pending_idx,
398 					sizeof(u16) * COMEBACK_PENDING_IDX_SIZE,
399 					0, peer_addr, 0);
400 	if (!comeback) {
401 		wpa_printf(MSG_DEBUG,
402 			   "PASN: Failed sending auth with comeback");
403 		wpabuf_free(buf);
404 		return;
405 	}
406 
407 	wpa_pasn_add_parameter_ie(buf, group,
408 				  WPA_PASN_WRAPPED_DATA_NO,
409 				  NULL, 0, comeback,
410 				  pasn->comeback_after);
411 	wpabuf_free(comeback);
412 
413 	wpa_printf(MSG_DEBUG,
414 		   "PASN: comeback: STA=" MACSTR, MAC2STR(peer_addr));
415 
416 	ret = pasn->send_mgmt(pasn->cb_ctx, wpabuf_head_u8(buf),
417 			      wpabuf_len(buf), 0, 0, 0);
418 	if (ret)
419 		wpa_printf(MSG_INFO, "PASN: Failed to send comeback frame 2");
420 
421 	wpabuf_free(buf);
422 }
423 
424 
425 int handle_auth_pasn_resp(struct pasn_data *pasn, const u8 *own_addr,
426 			  const u8 *peer_addr,
427 			  struct rsn_pmksa_cache_entry *pmksa, u16 status)
428 {
429 	struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
430 	struct wpabuf *rsn_buf = NULL;
431 	u8 mic[WPA_PASN_MAX_MIC_LEN];
432 	u8 mic_len;
433 	u8 *ptr;
434 	const u8 *frame, *data, *rsn_ie, *rsnxe_ie;
435 	u8 *data_buf = NULL;
436 	size_t frame_len, data_len;
437 	int ret;
438 	const u8 *pmkid = NULL;
439 
440 	wpa_printf(MSG_DEBUG, "PASN: Building frame 2: status=%u", status);
441 
442 	buf = wpabuf_alloc(1500);
443 	if (!buf)
444 		goto fail;
445 
446 	wpa_pasn_build_auth_header(buf, pasn->bssid, own_addr, peer_addr, 2,
447 				   status);
448 
449 	if (status != WLAN_STATUS_SUCCESS)
450 		goto done;
451 
452 	if (pmksa && pasn->custom_pmkid_valid)
453 		pmkid = pasn->custom_pmkid;
454 	else if (pmksa) {
455 		pmkid = pmksa->pmkid;
456 #ifdef CONFIG_SAE
457 	} else if (pasn->akmp == WPA_KEY_MGMT_SAE) {
458 		wpa_printf(MSG_DEBUG, "PASN: Use SAE PMKID");
459 		pmkid = pasn->sae.pmkid;
460 #endif /* CONFIG_SAE */
461 #ifdef CONFIG_FILS
462 	} else if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
463 		   pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
464 		wpa_printf(MSG_DEBUG, "PASN: Use FILS ERP PMKID");
465 		pmkid = pasn->fils.erp_pmkid;
466 #endif /* CONFIG_FILS */
467 	}
468 
469 	if (wpa_pasn_add_rsne(buf, pmkid,
470 			      pasn->akmp, pasn->cipher) < 0)
471 		goto fail;
472 
473 	/* No need to derive PMK if PMKSA is given */
474 	if (!pmksa)
475 		wrapped_data_buf = pasn_get_wrapped_data(pasn);
476 	else
477 		pasn->wrapped_data_format = WPA_PASN_WRAPPED_DATA_NO;
478 
479 	/* Get public key */
480 	pubkey = crypto_ecdh_get_pubkey(pasn->ecdh, 0);
481 	pubkey = wpabuf_zeropad(pubkey,
482 				crypto_ecdh_prime_len(pasn->ecdh));
483 	if (!pubkey) {
484 		wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
485 		goto fail;
486 	}
487 
488 	wpa_pasn_add_parameter_ie(buf, pasn->group,
489 				  pasn->wrapped_data_format,
490 				  pubkey, true, NULL, 0);
491 
492 	if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
493 		goto fail;
494 
495 	wpabuf_free(wrapped_data_buf);
496 	wrapped_data_buf = NULL;
497 	wpabuf_free(pubkey);
498 	pubkey = NULL;
499 
500 	/* Add RSNXE if needed */
501 	rsnxe_ie = pasn->rsnxe_ie;
502 	if (rsnxe_ie)
503 		wpabuf_put_data(buf, rsnxe_ie, 2 + rsnxe_ie[1]);
504 
505 	wpa_pasn_add_extra_ies(buf, pasn->extra_ies, pasn->extra_ies_len);
506 
507 	/* Add the mic */
508 	mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
509 	wpabuf_put_u8(buf, WLAN_EID_MIC);
510 	wpabuf_put_u8(buf, mic_len);
511 	ptr = wpabuf_put(buf, mic_len);
512 
513 	os_memset(ptr, 0, mic_len);
514 
515 	frame = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
516 	frame_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
517 
518 	if (pasn->rsn_ie && pasn->rsn_ie_len) {
519 		rsn_ie = pasn->rsn_ie;
520 	} else {
521 		/*
522 		 * Note: when pasn->rsn_ie is NULL, it is likely that Beacon
523 		 * frame RSNE is not initialized. This is possible in case of
524 		 * PASN authentication used for Wi-Fi Aware for which Beacon
525 		 * frame RSNE and RSNXE are same as RSNE and RSNXE in the
526 		 * Authentication frame.
527 		 */
528 		rsn_buf = wpabuf_alloc(500);
529 		if (!rsn_buf)
530 			goto fail;
531 
532 		if (wpa_pasn_add_rsne(rsn_buf, pmkid,
533 				      pasn->akmp, pasn->cipher) < 0)
534 			goto fail;
535 
536 		rsn_ie = wpabuf_head_u8(rsn_buf);
537 	}
538 
539 	/*
540 	 * Note: wpa_auth_get_wpa_ie() might return not only the RSNE but also
541 	 * MDE, etc. Thus, do not use the returned length but instead use the
542 	 * length specified in the IE header.
543 	 */
544 	data_len = rsn_ie[1] + 2;
545 	if (rsnxe_ie) {
546 		data_buf = os_zalloc(rsn_ie[1] + 2 + rsnxe_ie[1] + 2);
547 		if (!data_buf)
548 			goto fail;
549 
550 		os_memcpy(data_buf, rsn_ie, rsn_ie[1] + 2);
551 		os_memcpy(data_buf + rsn_ie[1] + 2, rsnxe_ie, rsnxe_ie[1] + 2);
552 		data_len += rsnxe_ie[1] + 2;
553 		data = data_buf;
554 	} else {
555 		data = rsn_ie;
556 	}
557 
558 	ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
559 		       own_addr, peer_addr, data, data_len,
560 		       frame, frame_len, mic);
561 	os_free(data_buf);
562 	if (ret) {
563 		wpa_printf(MSG_DEBUG, "PASN: Frame 3: Failed MIC calculation");
564 		goto fail;
565 	}
566 
567 #ifdef CONFIG_TESTING_OPTIONS
568 	if (pasn->corrupt_mic) {
569 		wpa_printf(MSG_DEBUG, "PASN: frame 2: Corrupt MIC");
570 		mic[0] = ~mic[0];
571 	}
572 #endif /* CONFIG_TESTING_OPTIONS */
573 
574 	os_memcpy(ptr, mic, mic_len);
575 
576 done:
577 	wpa_printf(MSG_DEBUG,
578 		   "PASN: Building frame 2: success; resp STA=" MACSTR,
579 		   MAC2STR(peer_addr));
580 
581 	ret = pasn->send_mgmt(pasn->cb_ctx, wpabuf_head_u8(buf),
582 			      wpabuf_len(buf), 0, 0, 0);
583 	if (ret)
584 		wpa_printf(MSG_INFO, "send_auth_reply: Send failed");
585 
586 	wpabuf_free(rsn_buf);
587 	wpabuf_free(buf);
588 	return ret;
589 fail:
590 	wpabuf_free(wrapped_data_buf);
591 	wpabuf_free(pubkey);
592 	wpabuf_free(rsn_buf);
593 	wpabuf_free(buf);
594 	return -1;
595 }
596 
597 
598 int handle_auth_pasn_1(struct pasn_data *pasn,
599 		       const u8 *own_addr, const u8 *peer_addr,
600 		       const struct ieee80211_mgmt *mgmt, size_t len)
601 {
602 	struct ieee802_11_elems elems;
603 	struct wpa_ie_data rsn_data;
604 	struct wpa_pasn_params_data pasn_params;
605 	struct rsn_pmksa_cache_entry *pmksa = NULL;
606 	const u8 *cached_pmk = NULL;
607 	size_t cached_pmk_len = 0;
608 	struct wpabuf *wrapped_data = NULL, *secret = NULL;
609 	const int *groups = pasn->pasn_groups;
610 	static const int default_groups[] = { 19, 0 };
611 	u16 status = WLAN_STATUS_SUCCESS;
612 	int ret, inc_y;
613 	bool derive_keys;
614 	u32 i;
615 
616 	if (!groups)
617 		groups = default_groups;
618 
619 	if (ieee802_11_parse_elems(mgmt->u.auth.variable,
620 				   len - offsetof(struct ieee80211_mgmt,
621 						  u.auth.variable),
622 				   &elems, 0) == ParseFailed) {
623 		wpa_printf(MSG_DEBUG,
624 			   "PASN: Failed parsing Authentication frame");
625 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
626 		goto send_resp;
627 	}
628 
629 	if (!elems.rsn_ie) {
630 		wpa_printf(MSG_DEBUG, "PASN: No RSNE");
631 		status = WLAN_STATUS_INVALID_RSNIE;
632 		goto send_resp;
633 	}
634 
635 	ret = wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
636 				   &rsn_data);
637 	if (ret) {
638 		wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE");
639 		status = WLAN_STATUS_INVALID_RSNIE;
640 		goto send_resp;
641 	}
642 
643 	ret = wpa_pasn_validate_rsne(&rsn_data);
644 	if (ret) {
645 		wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
646 		status = WLAN_STATUS_INVALID_RSNIE;
647 		goto send_resp;
648 	}
649 
650 	if (!(rsn_data.key_mgmt & pasn->wpa_key_mgmt) ||
651 	    !(rsn_data.pairwise_cipher & pasn->rsn_pairwise)) {
652 		wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
653 		status = WLAN_STATUS_INVALID_RSNIE;
654 		goto send_resp;
655 	}
656 
657 	pasn->akmp = rsn_data.key_mgmt;
658 	pasn->cipher = rsn_data.pairwise_cipher;
659 
660 	if (pasn->derive_kdk &&
661 	    ieee802_11_rsnx_capab_len(elems.rsnxe, elems.rsnxe_len,
662 				      WLAN_RSNX_CAPAB_SECURE_LTF))
663 		pasn->secure_ltf = true;
664 
665 	if (pasn->derive_kdk)
666 		pasn->kdk_len = WPA_KDK_MAX_LEN;
667 	else
668 		pasn->kdk_len = 0;
669 
670 	wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", pasn->kdk_len);
671 
672 	if (!elems.pasn_params || !elems.pasn_params_len) {
673 		wpa_printf(MSG_DEBUG,
674 			   "PASN: No PASN Parameters element found");
675 		status = WLAN_STATUS_INVALID_PARAMETERS;
676 		goto send_resp;
677 	}
678 
679 	ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
680 					  elems.pasn_params_len + 3,
681 					  false, &pasn_params);
682 	if (ret) {
683 		wpa_printf(MSG_DEBUG,
684 			   "PASN: Failed validation of PASN Parameters IE");
685 		status = WLAN_STATUS_INVALID_PARAMETERS;
686 		goto send_resp;
687 	}
688 
689 	for (i = 0; groups[i] > 0 && groups[i] != pasn_params.group; i++)
690 		;
691 
692 	if (!pasn_params.group || groups[i] != pasn_params.group) {
693 		wpa_printf(MSG_DEBUG, "PASN: Requested group=%hu not allowed",
694 			   pasn_params.group);
695 		status = WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED;
696 		goto send_resp;
697 	}
698 
699 	if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
700 		wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
701 		status = WLAN_STATUS_INVALID_PARAMETERS;
702 		goto send_resp;
703 	}
704 
705 	if (pasn_params.comeback) {
706 		wpa_printf(MSG_DEBUG, "PASN: Checking peer comeback token");
707 
708 		ret = check_comeback_token(pasn->comeback_key,
709 					   pasn->comeback_pending_idx,
710 					   peer_addr,
711 					   pasn_params.comeback,
712 					   pasn_params.comeback_len);
713 
714 		if (ret) {
715 			wpa_printf(MSG_DEBUG, "PASN: Invalid comeback token");
716 			status = WLAN_STATUS_INVALID_PARAMETERS;
717 			goto send_resp;
718 		}
719 	} else if (pasn->use_anti_clogging) {
720 		wpa_printf(MSG_DEBUG, "PASN: Respond with comeback");
721 		handle_auth_pasn_comeback(pasn, own_addr, peer_addr,
722 					  pasn_params.group);
723 		return -1;
724 	}
725 
726 	pasn->ecdh = crypto_ecdh_init(pasn_params.group);
727 	if (!pasn->ecdh) {
728 		wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
729 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
730 		goto send_resp;
731 	}
732 
733 	pasn->group = pasn_params.group;
734 
735 	if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
736 		inc_y = 1;
737 	} else if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
738 		   pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
739 		inc_y = 0;
740 	} else {
741 		wpa_printf(MSG_DEBUG,
742 			   "PASN: Invalid first octet in pubkey=0x%x",
743 			   pasn_params.pubkey[0]);
744 		status = WLAN_STATUS_INVALID_PUBLIC_KEY;
745 		goto send_resp;
746 	}
747 
748 	secret = crypto_ecdh_set_peerkey(pasn->ecdh, inc_y,
749 					 pasn_params.pubkey + 1,
750 					 pasn_params.pubkey_len - 1);
751 	if (!secret) {
752 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
753 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
754 		goto send_resp;
755 	}
756 
757 	if (!pasn->noauth && pasn->akmp == WPA_KEY_MGMT_PASN) {
758 		wpa_printf(MSG_DEBUG, "PASN: Refuse PASN-UNAUTH");
759 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
760 		goto send_resp;
761 	}
762 
763 	derive_keys = true;
764 	if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
765 		wrapped_data = ieee802_11_defrag(elems.wrapped_data,
766 						 elems.wrapped_data_len, true);
767 		if (!wrapped_data) {
768 			wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
769 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
770 			goto send_resp;
771 		}
772 
773 #ifdef CONFIG_SAE
774 		if (pasn->akmp == WPA_KEY_MGMT_SAE) {
775 			ret = pasn_wd_handle_sae_commit(pasn, own_addr,
776 							peer_addr,
777 							wrapped_data);
778 			if (ret) {
779 				wpa_printf(MSG_DEBUG,
780 					   "PASN: Failed processing SAE commit");
781 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
782 				goto send_resp;
783 			}
784 		}
785 #endif /* CONFIG_SAE */
786 #ifdef CONFIG_FILS
787 		if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
788 		    pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
789 			if (!pasn->fils_wd_valid) {
790 				wpa_printf(MSG_DEBUG,
791 					   "PASN: Invalid FILS wrapped data");
792 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
793 				goto send_resp;
794 			}
795 
796 			wpa_printf(MSG_DEBUG,
797 				   "PASN: FILS: Pending AS response");
798 
799 			/*
800 			 * With PASN/FILS, keys can be derived only after a
801 			 * response from the AS is processed.
802 			 */
803 			derive_keys = false;
804 		}
805 #endif /* CONFIG_FILS */
806 	}
807 
808 	pasn->wrapped_data_format = pasn_params.wrapped_data_format;
809 
810 	ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
811 				   ((const u8 *) mgmt) + IEEE80211_HDRLEN,
812 				   len - IEEE80211_HDRLEN, pasn->hash);
813 	if (ret) {
814 		wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
815 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
816 		goto send_resp;
817 	}
818 
819 	if (!derive_keys) {
820 		wpa_printf(MSG_DEBUG, "PASN: Storing secret");
821 		pasn->secret = secret;
822 		wpabuf_free(wrapped_data);
823 		return 0;
824 	}
825 
826 	if (rsn_data.num_pmkid) {
827 		if (wpa_key_mgmt_ft(pasn->akmp)) {
828 #ifdef CONFIG_IEEE80211R_AP
829 			wpa_printf(MSG_DEBUG, "PASN: FT: Fetch PMK-R1");
830 
831 			if (!pasn->pmk_r1_len) {
832 				wpa_printf(MSG_DEBUG,
833 					   "PASN: FT: Failed getting PMK-R1");
834 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
835 				goto send_resp;
836 			}
837 			cached_pmk = pasn->pmk_r1;
838 			cached_pmk_len = pasn->pmk_r1_len;
839 #else /* CONFIG_IEEE80211R_AP */
840 			wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
841 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
842 			goto send_resp;
843 #endif /* CONFIG_IEEE80211R_AP */
844 		} else {
845 			wpa_printf(MSG_DEBUG, "PASN: Try to find PMKSA entry");
846 
847 			if (pasn->pmksa) {
848 				const u8 *pmkid = NULL;
849 
850 				if (pasn->custom_pmkid_valid) {
851 					ret = pasn->validate_custom_pmkid(
852 						pasn->cb_ctx, peer_addr,
853 						rsn_data.pmkid);
854 					if (ret) {
855 						wpa_printf(MSG_DEBUG,
856 							   "PASN: Failed custom PMKID validation");
857 						status = WLAN_STATUS_UNSPECIFIED_FAILURE;
858 						goto send_resp;
859 					}
860 				} else {
861 					pmkid = rsn_data.pmkid;
862 				}
863 
864 				pmksa = pmksa_cache_auth_get(pasn->pmksa,
865 							     peer_addr,
866 							     pmkid);
867 				if (pmksa) {
868 					cached_pmk = pmksa->pmk;
869 					cached_pmk_len = pmksa->pmk_len;
870 				}
871 			}
872 		}
873 	} else {
874 		wpa_printf(MSG_DEBUG, "PASN: No PMKID specified");
875 	}
876 
877 	ret = pasn_derive_keys(pasn, own_addr, peer_addr,
878 			       cached_pmk, cached_pmk_len,
879 			       &pasn_params, wrapped_data, secret);
880 	if (ret) {
881 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive keys");
882 		status = WLAN_STATUS_PASN_BASE_AKMP_FAILED;
883 		goto send_resp;
884 	}
885 
886 	ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
887 				   ((const u8 *) mgmt) + IEEE80211_HDRLEN,
888 				   len - IEEE80211_HDRLEN, pasn->hash);
889 	if (ret) {
890 		wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
891 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
892 	}
893 
894 send_resp:
895 	ret = handle_auth_pasn_resp(pasn, own_addr, peer_addr, pmksa, status);
896 	if (ret) {
897 		wpa_printf(MSG_DEBUG, "PASN: Failed to send response");
898 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
899 	} else {
900 		wpa_printf(MSG_DEBUG,
901 			   "PASN: Success handling transaction == 1");
902 	}
903 
904 	wpabuf_free(secret);
905 	wpabuf_free(wrapped_data);
906 
907 	if (status != WLAN_STATUS_SUCCESS)
908 		return -1;
909 
910 	return 0;
911 }
912 
913 
914 int handle_auth_pasn_3(struct pasn_data *pasn, const u8 *own_addr,
915 		       const u8 *peer_addr,
916 		       const struct ieee80211_mgmt *mgmt, size_t len)
917 {
918 	struct ieee802_11_elems elems;
919 	struct wpa_pasn_params_data pasn_params;
920 	struct wpabuf *wrapped_data = NULL;
921 	u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
922 	u8 mic_len;
923 	int ret;
924 	u8 *copy = NULL;
925 	size_t copy_len, mic_offset;
926 
927 	if (ieee802_11_parse_elems(mgmt->u.auth.variable,
928 				   len - offsetof(struct ieee80211_mgmt,
929 						  u.auth.variable),
930 				   &elems, 0) == ParseFailed) {
931 		wpa_printf(MSG_DEBUG,
932 			   "PASN: Failed parsing Authentication frame");
933 		goto fail;
934 	}
935 
936 	/* Check that the MIC IE exists. Save it and zero out the memory. */
937 	mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
938 	if (!elems.mic || elems.mic_len != mic_len) {
939 		wpa_printf(MSG_DEBUG,
940 			   "PASN: Invalid MIC. Expecting len=%u", mic_len);
941 		goto fail;
942 	}
943 	os_memcpy(mic, elems.mic, mic_len);
944 
945 	if (!elems.pasn_params || !elems.pasn_params_len) {
946 		wpa_printf(MSG_DEBUG,
947 			   "PASN: No PASN Parameters element found");
948 		goto fail;
949 	}
950 
951 	ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
952 					  elems.pasn_params_len + 3,
953 					  false, &pasn_params);
954 	if (ret) {
955 		wpa_printf(MSG_DEBUG,
956 			   "PASN: Failed validation of PASN Parameters IE");
957 		goto fail;
958 	}
959 
960 	if (pasn_params.pubkey || pasn_params.pubkey_len) {
961 		wpa_printf(MSG_DEBUG,
962 			   "PASN: Public key should not be included");
963 		goto fail;
964 	}
965 
966 	/* Verify the MIC */
967 	copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
968 	mic_offset = elems.mic - (const u8 *) &mgmt->u.auth;
969 	copy_len = len - offsetof(struct ieee80211_mgmt, u.auth);
970 	if (mic_offset + mic_len > copy_len)
971 		goto fail;
972 	copy = os_memdup(&mgmt->u.auth, copy_len);
973 	if (!copy)
974 		goto fail;
975 	os_memset(copy + mic_offset, 0, mic_len);
976 	ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
977 		       peer_addr, own_addr,
978 		       pasn->hash, mic_len * 2,
979 		       copy, copy_len, out_mic);
980 	os_free(copy);
981 	copy = NULL;
982 
983 	wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
984 	if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
985 		wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
986 		goto fail;
987 	}
988 
989 	if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
990 		wrapped_data = ieee802_11_defrag(elems.wrapped_data,
991 						 elems.wrapped_data_len,
992 						 true);
993 
994 		if (!wrapped_data) {
995 			wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
996 			goto fail;
997 		}
998 
999 #ifdef CONFIG_SAE
1000 		if (pasn->akmp == WPA_KEY_MGMT_SAE) {
1001 			ret = pasn_wd_handle_sae_confirm(pasn, peer_addr,
1002 							 wrapped_data);
1003 			if (ret) {
1004 				wpa_printf(MSG_DEBUG,
1005 					   "PASN: Failed processing SAE confirm");
1006 				wpabuf_free(wrapped_data);
1007 				goto fail;
1008 			}
1009 		}
1010 #endif /* CONFIG_SAE */
1011 #ifdef CONFIG_FILS
1012 		if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
1013 		    pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
1014 			if (wrapped_data) {
1015 				wpa_printf(MSG_DEBUG,
1016 					   "PASN: FILS: Ignore wrapped data");
1017 			}
1018 		}
1019 #endif /* CONFIG_FILS */
1020 		wpabuf_free(wrapped_data);
1021 	}
1022 
1023 	wpa_printf(MSG_INFO,
1024 		   "PASN: Success handling transaction == 3. Store PTK");
1025 	return 0;
1026 
1027 fail:
1028 	os_free(copy);
1029 	return -1;
1030 }
1031 
1032 #endif /* CONFIG_PASN */
1033