1 /* 2 * WPA Supplicant - Mesh RSN routines 3 * Copyright (c) 2013-2014, cozybit, Inc. All rights reserved. 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "utils/eloop.h" 13 #include "crypto/sha256.h" 14 #include "crypto/random.h" 15 #include "crypto/aes.h" 16 #include "crypto/aes_siv.h" 17 #include "rsn_supp/wpa.h" 18 #include "ap/hostapd.h" 19 #include "ap/wpa_auth.h" 20 #include "ap/sta_info.h" 21 #include "ap/ieee802_11.h" 22 #include "wpa_supplicant_i.h" 23 #include "driver_i.h" 24 #include "wpas_glue.h" 25 #include "mesh_mpm.h" 26 #include "mesh_rsn.h" 27 28 #define MESH_AUTH_TIMEOUT 10 29 #define MESH_AUTH_RETRY 3 30 31 void mesh_auth_timer(void *eloop_ctx, void *user_data) 32 { 33 struct wpa_supplicant *wpa_s = eloop_ctx; 34 struct sta_info *sta = user_data; 35 struct hostapd_data *hapd; 36 37 if (sta->sae->state != SAE_ACCEPTED) { 38 wpa_printf(MSG_DEBUG, "AUTH: Re-authenticate with " MACSTR 39 " (attempt %d) ", 40 MAC2STR(sta->addr), sta->sae_auth_retry); 41 wpa_msg(wpa_s, MSG_INFO, MESH_SAE_AUTH_FAILURE "addr=" MACSTR, 42 MAC2STR(sta->addr)); 43 if (sta->sae_auth_retry < MESH_AUTH_RETRY) { 44 mesh_rsn_auth_sae_sta(wpa_s, sta); 45 } else { 46 hapd = wpa_s->ifmsh->bss[0]; 47 48 if (sta->sae_auth_retry > MESH_AUTH_RETRY) { 49 ap_free_sta(hapd, sta); 50 return; 51 } 52 53 /* block the STA if exceeded the number of attempts */ 54 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_BLOCKED); 55 sta->sae->state = SAE_NOTHING; 56 wpa_msg(wpa_s, MSG_INFO, MESH_SAE_AUTH_BLOCKED "addr=" 57 MACSTR " duration=%d", 58 MAC2STR(sta->addr), 59 hapd->conf->ap_max_inactivity); 60 } 61 sta->sae_auth_retry++; 62 } 63 } 64 65 66 static void auth_logger(void *ctx, const u8 *addr, logger_level level, 67 const char *txt) 68 { 69 if (addr) 70 wpa_printf(MSG_DEBUG, "AUTH: " MACSTR " - %s", 71 MAC2STR(addr), txt); 72 else 73 wpa_printf(MSG_DEBUG, "AUTH: %s", txt); 74 } 75 76 77 static const u8 *auth_get_psk(void *ctx, const u8 *addr, 78 const u8 *p2p_dev_addr, const u8 *prev_psk, 79 size_t *psk_len, int *vlan_id) 80 { 81 struct mesh_rsn *mesh_rsn = ctx; 82 struct hostapd_data *hapd = mesh_rsn->wpa_s->ifmsh->bss[0]; 83 struct sta_info *sta = ap_get_sta(hapd, addr); 84 85 if (psk_len) 86 *psk_len = PMK_LEN; 87 if (vlan_id) 88 *vlan_id = 0; 89 wpa_printf(MSG_DEBUG, "AUTH: %s (addr=" MACSTR " prev_psk=%p)", 90 __func__, MAC2STR(addr), prev_psk); 91 92 if (sta && sta->auth_alg == WLAN_AUTH_SAE) { 93 if (!sta->sae || prev_psk) 94 return NULL; 95 return sta->sae->pmk; 96 } 97 98 return NULL; 99 } 100 101 102 static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, 103 const u8 *addr, int idx, u8 *key, size_t key_len, 104 enum key_flag key_flag) 105 { 106 struct mesh_rsn *mesh_rsn = ctx; 107 u8 seq[6]; 108 109 os_memset(seq, 0, sizeof(seq)); 110 111 if (addr) { 112 wpa_printf(MSG_DEBUG, "AUTH: %s(alg=%d addr=" MACSTR 113 " key_idx=%d)", 114 __func__, alg, MAC2STR(addr), idx); 115 } else { 116 wpa_printf(MSG_DEBUG, "AUTH: %s(alg=%d key_idx=%d)", 117 __func__, alg, idx); 118 } 119 wpa_hexdump_key(MSG_DEBUG, "AUTH: set_key - key", key, key_len); 120 121 return wpa_drv_set_key(mesh_rsn->wpa_s, -1, alg, addr, idx, 122 1, seq, 6, key, key_len, key_flag); 123 } 124 125 126 static int auth_start_ampe(void *ctx, const u8 *addr) 127 { 128 struct mesh_rsn *mesh_rsn = ctx; 129 struct hostapd_data *hapd; 130 struct sta_info *sta; 131 132 if (mesh_rsn->wpa_s->current_ssid->mode != WPAS_MODE_MESH) 133 return -1; 134 135 hapd = mesh_rsn->wpa_s->ifmsh->bss[0]; 136 sta = ap_get_sta(hapd, addr); 137 if (sta) 138 eloop_cancel_timeout(mesh_auth_timer, mesh_rsn->wpa_s, sta); 139 140 mesh_mpm_auth_peer(mesh_rsn->wpa_s, addr); 141 return 0; 142 } 143 144 145 static int auth_for_each_sta( 146 void *ctx, int (*cb)(struct wpa_state_machine *sm, void *ctx), 147 void *cb_ctx) 148 { 149 struct mesh_rsn *rsn = ctx; 150 struct hostapd_data *hapd; 151 struct sta_info *sta; 152 153 hapd = rsn->wpa_s->ifmsh->bss[0]; 154 for (sta = hapd->sta_list; sta; sta = sta->next) { 155 if (sta->wpa_sm && cb(sta->wpa_sm, cb_ctx)) 156 return 1; 157 } 158 return 0; 159 } 160 161 162 static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, 163 enum mfp_options ieee80211w, int ocv) 164 { 165 struct wpa_auth_config conf; 166 static const struct wpa_auth_callbacks cb = { 167 .logger = auth_logger, 168 .get_psk = auth_get_psk, 169 .set_key = auth_set_key, 170 .start_ampe = auth_start_ampe, 171 .for_each_sta = auth_for_each_sta, 172 }; 173 u8 seq[6] = {}; 174 175 wpa_printf(MSG_DEBUG, "AUTH: Initializing group state machine"); 176 177 os_memset(&conf, 0, sizeof(conf)); 178 conf.wpa = WPA_PROTO_RSN; 179 conf.wpa_key_mgmt = WPA_KEY_MGMT_SAE; 180 conf.wpa_pairwise = rsn->pairwise_cipher; 181 conf.rsn_pairwise = rsn->pairwise_cipher; 182 conf.wpa_group = rsn->group_cipher; 183 conf.eapol_version = 0; 184 conf.wpa_group_rekey = -1; 185 conf.wpa_group_update_count = 4; 186 conf.wpa_pairwise_update_count = 4; 187 conf.ieee80211w = ieee80211w; 188 if (ieee80211w != NO_MGMT_FRAME_PROTECTION) 189 conf.group_mgmt_cipher = rsn->mgmt_group_cipher; 190 #ifdef CONFIG_OCV 191 conf.ocv = ocv; 192 #endif /* CONFIG_OCV */ 193 194 rsn->auth = wpa_init(addr, &conf, &cb, rsn); 195 if (rsn->auth == NULL) { 196 wpa_printf(MSG_DEBUG, "AUTH: wpa_init() failed"); 197 return -1; 198 } 199 200 /* TODO: support rekeying */ 201 rsn->mgtk_len = wpa_cipher_key_len(conf.wpa_group); 202 if (random_get_bytes(rsn->mgtk, rsn->mgtk_len) < 0) 203 return -1; 204 rsn->mgtk_key_id = 1; 205 206 if (ieee80211w != NO_MGMT_FRAME_PROTECTION) { 207 rsn->igtk_len = wpa_cipher_key_len(conf.group_mgmt_cipher); 208 if (random_get_bytes(rsn->igtk, rsn->igtk_len) < 0) 209 return -1; 210 rsn->igtk_key_id = 4; 211 212 /* group mgmt */ 213 wpa_hexdump_key(MSG_DEBUG, "mesh: Own TX IGTK", 214 rsn->igtk, rsn->igtk_len); 215 wpa_drv_set_key(rsn->wpa_s, -1, 216 wpa_cipher_to_alg(rsn->mgmt_group_cipher), 217 broadcast_ether_addr, 218 rsn->igtk_key_id, 1, 219 seq, sizeof(seq), rsn->igtk, rsn->igtk_len, 220 KEY_FLAG_GROUP_TX_DEFAULT); 221 } 222 223 /* group privacy / data frames */ 224 wpa_hexdump_key(MSG_DEBUG, "mesh: Own TX MGTK", 225 rsn->mgtk, rsn->mgtk_len); 226 wpa_drv_set_key(rsn->wpa_s, -1, wpa_cipher_to_alg(rsn->group_cipher), 227 broadcast_ether_addr, 228 rsn->mgtk_key_id, 1, seq, sizeof(seq), 229 rsn->mgtk, rsn->mgtk_len, KEY_FLAG_GROUP_TX_DEFAULT); 230 231 return 0; 232 } 233 234 235 static void mesh_rsn_deinit(struct mesh_rsn *rsn) 236 { 237 os_memset(rsn->mgtk, 0, sizeof(rsn->mgtk)); 238 rsn->mgtk_len = 0; 239 os_memset(rsn->igtk, 0, sizeof(rsn->igtk)); 240 rsn->igtk_len = 0; 241 if (rsn->auth) 242 wpa_deinit(rsn->auth); 243 } 244 245 246 struct mesh_rsn *mesh_rsn_auth_init(struct wpa_supplicant *wpa_s, 247 struct mesh_conf *conf) 248 { 249 struct mesh_rsn *mesh_rsn; 250 struct hostapd_data *bss = wpa_s->ifmsh->bss[0]; 251 const u8 *ie; 252 size_t ie_len; 253 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL 254 struct external_pmksa_cache *entry; 255 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 256 257 mesh_rsn = os_zalloc(sizeof(*mesh_rsn)); 258 if (mesh_rsn == NULL) 259 return NULL; 260 mesh_rsn->wpa_s = wpa_s; 261 mesh_rsn->pairwise_cipher = conf->pairwise_cipher; 262 mesh_rsn->group_cipher = conf->group_cipher; 263 mesh_rsn->mgmt_group_cipher = conf->mgmt_group_cipher; 264 265 if (__mesh_rsn_auth_init(mesh_rsn, wpa_s->own_addr, 266 conf->ieee80211w, conf->ocv) < 0) { 267 mesh_rsn_deinit(mesh_rsn); 268 os_free(mesh_rsn); 269 return NULL; 270 } 271 272 bss->wpa_auth = mesh_rsn->auth; 273 274 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL 275 while ((entry = dl_list_last(&wpa_s->mesh_external_pmksa_cache, 276 struct external_pmksa_cache, 277 list)) != NULL) { 278 int ret; 279 280 ret = wpa_auth_pmksa_add_entry(bss->wpa_auth, 281 entry->pmksa_cache); 282 dl_list_del(&entry->list); 283 os_free(entry); 284 285 if (ret < 0) 286 return NULL; 287 } 288 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 289 290 ie = wpa_auth_get_wpa_ie(mesh_rsn->auth, &ie_len); 291 conf->rsn_ie = (u8 *) ie; 292 conf->rsn_ie_len = ie_len; 293 294 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid); 295 296 return mesh_rsn; 297 } 298 299 300 static int index_within_array(const int *array, int idx) 301 { 302 int i; 303 304 for (i = 0; i < idx; i++) { 305 if (array[i] == -1) 306 return 0; 307 } 308 309 return 1; 310 } 311 312 313 static int mesh_rsn_sae_group(struct wpa_supplicant *wpa_s, 314 struct sae_data *sae) 315 { 316 int *groups = wpa_s->ifmsh->bss[0]->conf->sae_groups; 317 318 /* Configuration may have changed, so validate current index */ 319 if (!index_within_array(groups, wpa_s->mesh_rsn->sae_group_index)) 320 return -1; 321 322 for (;;) { 323 int group = groups[wpa_s->mesh_rsn->sae_group_index]; 324 325 if (group <= 0) 326 break; 327 if (sae_set_group(sae, group) == 0) { 328 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d", 329 sae->group); 330 return 0; 331 } 332 wpa_s->mesh_rsn->sae_group_index++; 333 } 334 335 return -1; 336 } 337 338 339 static int mesh_rsn_build_sae_commit(struct wpa_supplicant *wpa_s, 340 struct wpa_ssid *ssid, 341 struct sta_info *sta) 342 { 343 const char *password; 344 345 password = ssid->sae_password; 346 if (!password) 347 password = ssid->passphrase; 348 if (!password) { 349 wpa_msg(wpa_s, MSG_DEBUG, "SAE: No password available"); 350 return -1; 351 } 352 353 if (mesh_rsn_sae_group(wpa_s, sta->sae) < 0) { 354 wpa_msg(wpa_s, MSG_DEBUG, "SAE: Failed to select group"); 355 return -1; 356 } 357 358 if (sta->sae->tmp && !sta->sae->tmp->pw_id && ssid->sae_password_id) { 359 sta->sae->tmp->pw_id = os_strdup(ssid->sae_password_id); 360 if (!sta->sae->tmp->pw_id) 361 return -1; 362 } 363 return sae_prepare_commit(wpa_s->own_addr, sta->addr, 364 (u8 *) password, os_strlen(password), 365 sta->sae); 366 } 367 368 369 /* initiate new SAE authentication with sta */ 370 int mesh_rsn_auth_sae_sta(struct wpa_supplicant *wpa_s, 371 struct sta_info *sta) 372 { 373 struct hostapd_data *hapd = wpa_s->ifmsh->bss[0]; 374 struct wpa_ssid *ssid = wpa_s->current_ssid; 375 struct rsn_pmksa_cache_entry *pmksa; 376 unsigned int rnd; 377 int ret; 378 379 if (!ssid) { 380 wpa_msg(wpa_s, MSG_DEBUG, 381 "AUTH: No current_ssid known to initiate new SAE"); 382 return -1; 383 } 384 385 if (!sta->sae) { 386 sta->sae = os_zalloc(sizeof(*sta->sae)); 387 if (sta->sae == NULL) 388 return -1; 389 } 390 391 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr, NULL); 392 if (pmksa) { 393 if (!sta->wpa_sm) 394 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 395 sta->addr, NULL); 396 if (!sta->wpa_sm) { 397 wpa_printf(MSG_ERROR, 398 "mesh: Failed to initialize RSN state machine"); 399 return -1; 400 } 401 402 wpa_printf(MSG_DEBUG, 403 "AUTH: Mesh PMKSA cache entry found for " MACSTR 404 " - try to use PMKSA caching instead of new SAE authentication", 405 MAC2STR(sta->addr)); 406 wpa_auth_pmksa_set_to_sm(pmksa, sta->wpa_sm, hapd->wpa_auth, 407 sta->sae->pmkid, sta->sae->pmk, 408 &sta->sae->pmk_len); 409 sae_accept_sta(hapd, sta); 410 sta->mesh_sae_pmksa_caching = 1; 411 return 0; 412 } 413 sta->mesh_sae_pmksa_caching = 0; 414 415 if (mesh_rsn_build_sae_commit(wpa_s, ssid, sta)) 416 return -1; 417 418 wpa_msg(wpa_s, MSG_DEBUG, 419 "AUTH: started authentication with SAE peer: " MACSTR, 420 MAC2STR(sta->addr)); 421 422 ret = auth_sae_init_committed(hapd, sta); 423 if (ret) 424 return ret; 425 426 eloop_cancel_timeout(mesh_auth_timer, wpa_s, sta); 427 rnd = rand() % MESH_AUTH_TIMEOUT; 428 eloop_register_timeout(MESH_AUTH_TIMEOUT + rnd, 0, mesh_auth_timer, 429 wpa_s, sta); 430 return 0; 431 } 432 433 434 void mesh_rsn_get_pmkid(struct mesh_rsn *rsn, struct sta_info *sta, u8 *pmkid) 435 { 436 os_memcpy(pmkid, sta->sae->pmkid, SAE_PMKID_LEN); 437 } 438 439 440 static void 441 mesh_rsn_derive_aek(struct mesh_rsn *rsn, struct sta_info *sta) 442 { 443 u8 *myaddr = rsn->wpa_s->own_addr; 444 u8 *peer = sta->addr; 445 u8 *addr1, *addr2; 446 u8 context[RSN_SELECTOR_LEN + 2 * ETH_ALEN], *ptr = context; 447 448 /* 449 * AEK = KDF-Hash-256(PMK, "AEK Derivation", Selected AKM Suite || 450 * min(localMAC, peerMAC) || max(localMAC, peerMAC)) 451 */ 452 /* Selected AKM Suite: SAE */ 453 RSN_SELECTOR_PUT(ptr, RSN_AUTH_KEY_MGMT_SAE); 454 ptr += RSN_SELECTOR_LEN; 455 456 if (os_memcmp(myaddr, peer, ETH_ALEN) < 0) { 457 addr1 = myaddr; 458 addr2 = peer; 459 } else { 460 addr1 = peer; 461 addr2 = myaddr; 462 } 463 os_memcpy(ptr, addr1, ETH_ALEN); 464 ptr += ETH_ALEN; 465 os_memcpy(ptr, addr2, ETH_ALEN); 466 467 sha256_prf(sta->sae->pmk, sizeof(sta->sae->pmk), "AEK Derivation", 468 context, sizeof(context), sta->aek, sizeof(sta->aek)); 469 } 470 471 472 /* derive mesh temporal key from pmk */ 473 int mesh_rsn_derive_mtk(struct wpa_supplicant *wpa_s, struct sta_info *sta) 474 { 475 u8 *ptr; 476 u8 *min, *max; 477 u8 *myaddr = wpa_s->own_addr; 478 u8 *peer = sta->addr; 479 u8 context[2 * WPA_NONCE_LEN + 2 * 2 + RSN_SELECTOR_LEN + 2 * ETH_ALEN]; 480 481 /* 482 * MTK = KDF-Hash-Length(PMK, "Temporal Key Derivation", min(localNonce, 483 * peerNonce) || max(localNonce, peerNonce) || min(localLinkID, 484 * peerLinkID) || max(localLinkID, peerLinkID) || Selected AKM Suite || 485 * min(localMAC, peerMAC) || max(localMAC, peerMAC)) 486 */ 487 ptr = context; 488 if (os_memcmp(sta->my_nonce, sta->peer_nonce, WPA_NONCE_LEN) < 0) { 489 min = sta->my_nonce; 490 max = sta->peer_nonce; 491 } else { 492 min = sta->peer_nonce; 493 max = sta->my_nonce; 494 } 495 os_memcpy(ptr, min, WPA_NONCE_LEN); 496 ptr += WPA_NONCE_LEN; 497 os_memcpy(ptr, max, WPA_NONCE_LEN); 498 ptr += WPA_NONCE_LEN; 499 500 if (sta->my_lid < sta->peer_lid) { 501 WPA_PUT_LE16(ptr, sta->my_lid); 502 ptr += 2; 503 WPA_PUT_LE16(ptr, sta->peer_lid); 504 ptr += 2; 505 } else { 506 WPA_PUT_LE16(ptr, sta->peer_lid); 507 ptr += 2; 508 WPA_PUT_LE16(ptr, sta->my_lid); 509 ptr += 2; 510 } 511 512 /* Selected AKM Suite: SAE */ 513 RSN_SELECTOR_PUT(ptr, RSN_AUTH_KEY_MGMT_SAE); 514 ptr += RSN_SELECTOR_LEN; 515 516 if (os_memcmp(myaddr, peer, ETH_ALEN) < 0) { 517 min = myaddr; 518 max = peer; 519 } else { 520 min = peer; 521 max = myaddr; 522 } 523 os_memcpy(ptr, min, ETH_ALEN); 524 ptr += ETH_ALEN; 525 os_memcpy(ptr, max, ETH_ALEN); 526 527 sta->mtk_len = wpa_cipher_key_len(wpa_s->mesh_rsn->pairwise_cipher); 528 sha256_prf(sta->sae->pmk, SAE_PMK_LEN, 529 "Temporal Key Derivation", context, sizeof(context), 530 sta->mtk, sta->mtk_len); 531 return 0; 532 } 533 534 535 void mesh_rsn_init_ampe_sta(struct wpa_supplicant *wpa_s, struct sta_info *sta) 536 { 537 if (random_get_bytes(sta->my_nonce, WPA_NONCE_LEN) < 0) { 538 wpa_printf(MSG_INFO, "mesh: Failed to derive random nonce"); 539 /* TODO: How to handle this more cleanly? */ 540 } 541 os_memset(sta->peer_nonce, 0, WPA_NONCE_LEN); 542 mesh_rsn_derive_aek(wpa_s->mesh_rsn, sta); 543 } 544 545 546 /* insert AMPE and encrypted MIC at @ie. 547 * @mesh_rsn: mesh RSN context 548 * @sta: STA we're sending to 549 * @cat: pointer to category code in frame header. 550 * @buf: wpabuf to add encrypted AMPE and MIC to. 551 * */ 552 int mesh_rsn_protect_frame(struct mesh_rsn *rsn, struct sta_info *sta, 553 const u8 *cat, struct wpabuf *buf) 554 { 555 struct ieee80211_ampe_ie *ampe; 556 u8 const *ie = wpabuf_head_u8(buf) + wpabuf_len(buf); 557 u8 *ampe_ie, *pos, *mic_payload; 558 const u8 *aad[] = { rsn->wpa_s->own_addr, sta->addr, cat }; 559 const size_t aad_len[] = { ETH_ALEN, ETH_ALEN, ie - cat }; 560 int ret = 0; 561 size_t len; 562 563 len = sizeof(*ampe); 564 if (cat[1] == PLINK_OPEN) 565 len += rsn->mgtk_len + WPA_KEY_RSC_LEN + 4; 566 if (cat[1] == PLINK_OPEN && rsn->igtk_len) 567 len += 2 + 6 + rsn->igtk_len; 568 569 if (2 + AES_BLOCK_SIZE + 2 + len > wpabuf_tailroom(buf)) { 570 wpa_printf(MSG_ERROR, "protect frame: buffer too small"); 571 return -EINVAL; 572 } 573 574 ampe_ie = os_zalloc(2 + len); 575 if (!ampe_ie) { 576 wpa_printf(MSG_ERROR, "protect frame: out of memory"); 577 return -ENOMEM; 578 } 579 580 /* IE: AMPE */ 581 ampe_ie[0] = WLAN_EID_AMPE; 582 ampe_ie[1] = len; 583 ampe = (struct ieee80211_ampe_ie *) (ampe_ie + 2); 584 585 RSN_SELECTOR_PUT(ampe->selected_pairwise_suite, 586 RSN_CIPHER_SUITE_CCMP); 587 os_memcpy(ampe->local_nonce, sta->my_nonce, WPA_NONCE_LEN); 588 os_memcpy(ampe->peer_nonce, sta->peer_nonce, WPA_NONCE_LEN); 589 590 pos = (u8 *) (ampe + 1); 591 if (cat[1] != PLINK_OPEN) 592 goto skip_keys; 593 594 /* TODO: Key Replay Counter[8] optionally for 595 * Mesh Group Key Inform/Acknowledge frames */ 596 597 /* TODO: static mgtk for now since we don't support rekeying! */ 598 /* 599 * GTKdata[variable]: 600 * MGTK[variable] || Key RSC[8] || GTKExpirationTime[4] 601 */ 602 os_memcpy(pos, rsn->mgtk, rsn->mgtk_len); 603 pos += rsn->mgtk_len; 604 wpa_drv_get_seqnum(rsn->wpa_s, NULL, rsn->mgtk_key_id, pos); 605 pos += WPA_KEY_RSC_LEN; 606 /* Use fixed GTKExpirationTime for now */ 607 WPA_PUT_LE32(pos, 0xffffffff); 608 pos += 4; 609 610 /* 611 * IGTKdata[variable]: 612 * Key ID[2], IPN[6], IGTK[variable] 613 */ 614 if (rsn->igtk_len) { 615 WPA_PUT_LE16(pos, rsn->igtk_key_id); 616 pos += 2; 617 wpa_drv_get_seqnum(rsn->wpa_s, NULL, rsn->igtk_key_id, pos); 618 pos += 6; 619 os_memcpy(pos, rsn->igtk, rsn->igtk_len); 620 } 621 622 skip_keys: 623 wpa_hexdump_key(MSG_DEBUG, "mesh: Plaintext AMPE element", 624 ampe_ie, 2 + len); 625 626 /* IE: MIC */ 627 wpabuf_put_u8(buf, WLAN_EID_MIC); 628 wpabuf_put_u8(buf, AES_BLOCK_SIZE); 629 /* MIC field is output ciphertext */ 630 631 /* encrypt after MIC */ 632 mic_payload = wpabuf_put(buf, 2 + len + AES_BLOCK_SIZE); 633 634 if (aes_siv_encrypt(sta->aek, sizeof(sta->aek), ampe_ie, 2 + len, 3, 635 aad, aad_len, mic_payload)) { 636 wpa_printf(MSG_ERROR, "protect frame: failed to encrypt"); 637 ret = -ENOMEM; 638 } 639 640 os_free(ampe_ie); 641 642 return ret; 643 } 644 645 646 int mesh_rsn_process_ampe(struct wpa_supplicant *wpa_s, struct sta_info *sta, 647 struct ieee802_11_elems *elems, const u8 *cat, 648 const u8 *chosen_pmk, 649 const u8 *start, size_t elems_len) 650 { 651 int ret = 0; 652 struct ieee80211_ampe_ie *ampe; 653 u8 null_nonce[WPA_NONCE_LEN] = {}; 654 u8 ampe_eid; 655 u8 ampe_ie_len; 656 u8 *ampe_buf, *crypt = NULL, *pos, *end; 657 size_t crypt_len; 658 const u8 *aad[] = { sta->addr, wpa_s->own_addr, cat }; 659 const size_t aad_len[] = { ETH_ALEN, ETH_ALEN, 660 elems->mic ? (elems->mic - 2) - cat : 0 }; 661 size_t key_len; 662 663 if (!sta->sae) { 664 struct hostapd_data *hapd = wpa_s->ifmsh->bss[0]; 665 666 if (!wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr, NULL)) { 667 wpa_printf(MSG_INFO, 668 "Mesh RSN: SAE is not prepared yet"); 669 return -1; 670 } 671 mesh_rsn_auth_sae_sta(wpa_s, sta); 672 } 673 674 if (chosen_pmk && 675 (!sta->sae || 676 os_memcmp(chosen_pmk, sta->sae->pmkid, PMKID_LEN) != 0)) { 677 wpa_msg(wpa_s, MSG_DEBUG, 678 "Mesh RSN: Invalid PMKID (Chosen PMK did not match calculated PMKID)"); 679 return -1; 680 } 681 682 if (!elems->mic || elems->mic_len < AES_BLOCK_SIZE) { 683 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: missing mic ie"); 684 return -1; 685 } 686 687 ampe_buf = (u8 *) elems->mic + elems->mic_len; 688 if ((int) elems_len < ampe_buf - start) 689 return -1; 690 691 crypt_len = elems_len - (elems->mic - start); 692 if (crypt_len < 2 + AES_BLOCK_SIZE) { 693 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: missing ampe ie"); 694 return -1; 695 } 696 697 /* crypt is modified by siv_decrypt */ 698 crypt = os_zalloc(crypt_len); 699 if (!crypt) { 700 wpa_printf(MSG_ERROR, "Mesh RSN: out of memory"); 701 ret = -ENOMEM; 702 goto free; 703 } 704 705 os_memcpy(crypt, elems->mic, crypt_len); 706 707 if (aes_siv_decrypt(sta->aek, sizeof(sta->aek), crypt, crypt_len, 3, 708 aad, aad_len, ampe_buf)) { 709 wpa_printf(MSG_ERROR, "Mesh RSN: frame verification failed!"); 710 ret = -2; 711 goto free; 712 } 713 714 crypt_len -= AES_BLOCK_SIZE; 715 wpa_hexdump_key(MSG_DEBUG, "mesh: Decrypted AMPE element", 716 ampe_buf, crypt_len); 717 718 ampe_eid = *ampe_buf++; 719 ampe_ie_len = *ampe_buf++; 720 721 if (ampe_eid != WLAN_EID_AMPE || 722 (size_t) 2 + ampe_ie_len > crypt_len || 723 ampe_ie_len < sizeof(struct ieee80211_ampe_ie)) { 724 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: invalid ampe ie"); 725 ret = -1; 726 goto free; 727 } 728 729 ampe = (struct ieee80211_ampe_ie *) ampe_buf; 730 pos = (u8 *) (ampe + 1); 731 end = ampe_buf + ampe_ie_len; 732 if (os_memcmp(ampe->peer_nonce, null_nonce, WPA_NONCE_LEN) != 0 && 733 os_memcmp(ampe->peer_nonce, sta->my_nonce, WPA_NONCE_LEN) != 0) { 734 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: invalid peer nonce"); 735 ret = -1; 736 goto free; 737 } 738 os_memcpy(sta->peer_nonce, ampe->local_nonce, 739 sizeof(ampe->local_nonce)); 740 741 /* TODO: Key Replay Counter[8] in Mesh Group Key Inform/Acknowledge 742 * frames */ 743 744 /* 745 * GTKdata shall not be included in Mesh Peering Confirm. While the 746 * standard does not state the same about IGTKdata, that same constraint 747 * needs to apply for it. It makes no sense to include the keys in Mesh 748 * Peering Close frames either, so while the standard does not seem to 749 * have a shall statement for these, they are described without 750 * mentioning GTKdata. 751 * 752 * An earlier implementation used to add GTKdata to both Mesh Peering 753 * Open and Mesh Peering Confirm frames, so ignore the possibly present 754 * GTKdata frame without rejecting the frame as a backwards 755 * compatibility mechanism. 756 */ 757 if (cat[1] != PLINK_OPEN) { 758 if (end > pos) { 759 wpa_hexdump_key(MSG_DEBUG, 760 "mesh: Ignore unexpected GTKdata(etc.) fields in the end of AMPE element in Mesh Peering Confirm/Close", 761 pos, end - pos); 762 } 763 goto free; 764 } 765 766 /* 767 * GTKdata[variable]: 768 * MGTK[variable] || Key RSC[8] || GTKExpirationTime[4] 769 */ 770 sta->mgtk_key_id = 1; /* FIX: Where to get Key ID? */ 771 key_len = wpa_cipher_key_len(wpa_s->mesh_rsn->group_cipher); 772 if ((int) key_len + WPA_KEY_RSC_LEN + 4 > end - pos) { 773 wpa_dbg(wpa_s, MSG_DEBUG, "mesh: Truncated AMPE element"); 774 ret = -1; 775 goto free; 776 } 777 sta->mgtk_len = key_len; 778 os_memcpy(sta->mgtk, pos, sta->mgtk_len); 779 wpa_hexdump_key(MSG_DEBUG, "mesh: GTKdata - MGTK", 780 sta->mgtk, sta->mgtk_len); 781 pos += sta->mgtk_len; 782 wpa_hexdump(MSG_DEBUG, "mesh: GTKdata - MGTK - Key RSC", 783 pos, WPA_KEY_RSC_LEN); 784 os_memcpy(sta->mgtk_rsc, pos, sizeof(sta->mgtk_rsc)); 785 pos += WPA_KEY_RSC_LEN; 786 wpa_printf(MSG_DEBUG, 787 "mesh: GTKdata - MGTK - GTKExpirationTime: %u seconds", 788 WPA_GET_LE32(pos)); 789 pos += 4; 790 791 /* 792 * IGTKdata[variable]: 793 * Key ID[2], IPN[6], IGTK[variable] 794 */ 795 key_len = wpa_cipher_key_len(wpa_s->mesh_rsn->mgmt_group_cipher); 796 if (end - pos >= (int) (2 + 6 + key_len)) { 797 sta->igtk_key_id = WPA_GET_LE16(pos); 798 wpa_printf(MSG_DEBUG, "mesh: IGTKdata - Key ID %u", 799 sta->igtk_key_id); 800 pos += 2; 801 os_memcpy(sta->igtk_rsc, pos, sizeof(sta->igtk_rsc)); 802 wpa_hexdump(MSG_DEBUG, "mesh: IGTKdata - IPN", 803 sta->igtk_rsc, sizeof(sta->igtk_rsc)); 804 pos += 6; 805 os_memcpy(sta->igtk, pos, key_len); 806 sta->igtk_len = key_len; 807 wpa_hexdump_key(MSG_DEBUG, "mesh: IGTKdata - IGTK", 808 sta->igtk, sta->igtk_len); 809 } 810 811 free: 812 os_free(crypt); 813 return ret; 814 } 815