1/* 2 * WPA Supplicant - Mesh RSN routines 3 * Copyright (c) 2013-2014, cozybit, Inc. All rights reserved. 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "crypto/sha256.h" 14#include "crypto/random.h" 15#include "crypto/aes.h" 16#include "crypto/aes_siv.h" 17#include "rsn_supp/wpa.h" 18#include "ap/hostapd.h" 19#include "ap/wpa_auth.h" 20#include "ap/sta_info.h" 21#include "ap/ieee802_11.h" 22#include "wpa_supplicant_i.h" 23#include "driver_i.h" 24#include "wpas_glue.h" 25#include "mesh_mpm.h" 26#include "mesh_rsn.h" 27 28#define MESH_AUTH_TIMEOUT 10 29#define MESH_AUTH_RETRY 3 30 31void mesh_auth_timer(void *eloop_ctx, void *user_data) 32{ 33 struct wpa_supplicant *wpa_s = eloop_ctx; 34 struct sta_info *sta = user_data; 35 struct hostapd_data *hapd; 36 37 if (sta->sae->state != SAE_ACCEPTED) { 38 wpa_printf(MSG_DEBUG, "AUTH: Re-authenticate with " MACSTR 39 " (attempt %d) ", 40 MAC2STR(sta->addr), sta->sae_auth_retry); 41 wpa_msg(wpa_s, MSG_INFO, MESH_SAE_AUTH_FAILURE "addr=" MACSTR, 42 MAC2STR(sta->addr)); 43 if (sta->sae_auth_retry < MESH_AUTH_RETRY) { 44 mesh_rsn_auth_sae_sta(wpa_s, sta); 45 } else { 46 hapd = wpa_s->ifmsh->bss[0]; 47 48 if (sta->sae_auth_retry > MESH_AUTH_RETRY) { 49 ap_free_sta(hapd, sta); 50 return; 51 } 52 53 /* block the STA if exceeded the number of attempts */ 54 wpa_mesh_set_plink_state(wpa_s, sta, PLINK_BLOCKED); 55 sta->sae->state = SAE_NOTHING; 56 wpa_msg(wpa_s, MSG_INFO, MESH_SAE_AUTH_BLOCKED "addr=" 57 MACSTR " duration=%d", 58 MAC2STR(sta->addr), 59 hapd->conf->ap_max_inactivity); 60 } 61 sta->sae_auth_retry++; 62 } 63} 64 65 66static void auth_logger(void *ctx, const u8 *addr, logger_level level, 67 const char *txt) 68{ 69 if (addr) 70 wpa_printf(MSG_DEBUG, "AUTH: " MACSTR " - %s", 71 MAC2STR(addr), txt); 72 else 73 wpa_printf(MSG_DEBUG, "AUTH: %s", txt); 74} 75 76 77static const u8 *auth_get_psk(void *ctx, const u8 *addr, 78 const u8 *p2p_dev_addr, const u8 *prev_psk, 79 size_t *psk_len, int *vlan_id) 80{ 81 struct mesh_rsn *mesh_rsn = ctx; 82 struct hostapd_data *hapd = mesh_rsn->wpa_s->ifmsh->bss[0]; 83 struct sta_info *sta = ap_get_sta(hapd, addr); 84 85 if (psk_len) 86 *psk_len = PMK_LEN; 87 if (vlan_id) 88 *vlan_id = 0; 89 wpa_printf(MSG_DEBUG, "AUTH: %s (addr=" MACSTR " prev_psk=%p)", 90 __func__, MAC2STR(addr), prev_psk); 91 92 if (sta && sta->auth_alg == WLAN_AUTH_SAE) { 93 if (!sta->sae || prev_psk) 94 return NULL; 95 return sta->sae->pmk; 96 } 97 98 return NULL; 99} 100 101 102static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg, 103 const u8 *addr, int idx, u8 *key, size_t key_len, 104 enum key_flag key_flag) 105{ 106 struct mesh_rsn *mesh_rsn = ctx; 107 u8 seq[6]; 108 109 os_memset(seq, 0, sizeof(seq)); 110 111 if (addr) { 112 wpa_printf(MSG_DEBUG, "AUTH: %s(alg=%d addr=" MACSTR 113 " key_idx=%d)", 114 __func__, alg, MAC2STR(addr), idx); 115 } else { 116 wpa_printf(MSG_DEBUG, "AUTH: %s(alg=%d key_idx=%d)", 117 __func__, alg, idx); 118 } 119 wpa_hexdump_key(MSG_DEBUG, "AUTH: set_key - key", key, key_len); 120 121 return wpa_drv_set_key(mesh_rsn->wpa_s, alg, addr, idx, 122 1, seq, 6, key, key_len, key_flag); 123} 124 125 126static int auth_start_ampe(void *ctx, const u8 *addr) 127{ 128 struct mesh_rsn *mesh_rsn = ctx; 129 struct hostapd_data *hapd; 130 struct sta_info *sta; 131 132 if (mesh_rsn->wpa_s->current_ssid->mode != WPAS_MODE_MESH) 133 return -1; 134 135 hapd = mesh_rsn->wpa_s->ifmsh->bss[0]; 136 sta = ap_get_sta(hapd, addr); 137 if (sta) 138 eloop_cancel_timeout(mesh_auth_timer, mesh_rsn->wpa_s, sta); 139 140 mesh_mpm_auth_peer(mesh_rsn->wpa_s, addr); 141 return 0; 142} 143 144 145static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr, 146 enum mfp_options ieee80211w, int ocv) 147{ 148 struct wpa_auth_config conf; 149 static const struct wpa_auth_callbacks cb = { 150 .logger = auth_logger, 151 .get_psk = auth_get_psk, 152 .set_key = auth_set_key, 153 .start_ampe = auth_start_ampe, 154 }; 155 u8 seq[6] = {}; 156 157 wpa_printf(MSG_DEBUG, "AUTH: Initializing group state machine"); 158 159 os_memset(&conf, 0, sizeof(conf)); 160 conf.wpa = WPA_PROTO_RSN; 161 conf.wpa_key_mgmt = WPA_KEY_MGMT_SAE; 162 conf.wpa_pairwise = rsn->pairwise_cipher; 163 conf.rsn_pairwise = rsn->pairwise_cipher; 164 conf.wpa_group = rsn->group_cipher; 165 conf.eapol_version = 0; 166 conf.wpa_group_rekey = -1; 167 conf.wpa_group_update_count = 4; 168 conf.wpa_pairwise_update_count = 4; 169 conf.ieee80211w = ieee80211w; 170 if (ieee80211w != NO_MGMT_FRAME_PROTECTION) 171 conf.group_mgmt_cipher = rsn->mgmt_group_cipher; 172#ifdef CONFIG_OCV 173 conf.ocv = ocv; 174#endif /* CONFIG_OCV */ 175 176 rsn->auth = wpa_init(addr, &conf, &cb, rsn); 177 if (rsn->auth == NULL) { 178 wpa_printf(MSG_DEBUG, "AUTH: wpa_init() failed"); 179 return -1; 180 } 181 182 /* TODO: support rekeying */ 183 rsn->mgtk_len = wpa_cipher_key_len(conf.wpa_group); 184 if (random_get_bytes(rsn->mgtk, rsn->mgtk_len) < 0) 185 return -1; 186 rsn->mgtk_key_id = 1; 187 188 if (ieee80211w != NO_MGMT_FRAME_PROTECTION) { 189 rsn->igtk_len = wpa_cipher_key_len(conf.group_mgmt_cipher); 190 if (random_get_bytes(rsn->igtk, rsn->igtk_len) < 0) 191 return -1; 192 rsn->igtk_key_id = 4; 193 194 /* group mgmt */ 195 wpa_hexdump_key(MSG_DEBUG, "mesh: Own TX IGTK", 196 rsn->igtk, rsn->igtk_len); 197 wpa_drv_set_key(rsn->wpa_s, 198 wpa_cipher_to_alg(rsn->mgmt_group_cipher), 199 broadcast_ether_addr, 200 rsn->igtk_key_id, 1, 201 seq, sizeof(seq), rsn->igtk, rsn->igtk_len, 202 KEY_FLAG_GROUP_TX_DEFAULT); 203 } 204 205 /* group privacy / data frames */ 206 wpa_hexdump_key(MSG_DEBUG, "mesh: Own TX MGTK", 207 rsn->mgtk, rsn->mgtk_len); 208 wpa_drv_set_key(rsn->wpa_s, wpa_cipher_to_alg(rsn->group_cipher), 209 broadcast_ether_addr, 210 rsn->mgtk_key_id, 1, seq, sizeof(seq), 211 rsn->mgtk, rsn->mgtk_len, KEY_FLAG_GROUP_TX_DEFAULT); 212 213 return 0; 214} 215 216 217static void mesh_rsn_deinit(struct mesh_rsn *rsn) 218{ 219 os_memset(rsn->mgtk, 0, sizeof(rsn->mgtk)); 220 rsn->mgtk_len = 0; 221 os_memset(rsn->igtk, 0, sizeof(rsn->igtk)); 222 rsn->igtk_len = 0; 223 if (rsn->auth) 224 wpa_deinit(rsn->auth); 225} 226 227 228struct mesh_rsn *mesh_rsn_auth_init(struct wpa_supplicant *wpa_s, 229 struct mesh_conf *conf) 230{ 231 struct mesh_rsn *mesh_rsn; 232 struct hostapd_data *bss = wpa_s->ifmsh->bss[0]; 233 const u8 *ie; 234 size_t ie_len; 235#ifdef CONFIG_PMKSA_CACHE_EXTERNAL 236 struct external_pmksa_cache *entry; 237#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 238 239 mesh_rsn = os_zalloc(sizeof(*mesh_rsn)); 240 if (mesh_rsn == NULL) 241 return NULL; 242 mesh_rsn->wpa_s = wpa_s; 243 mesh_rsn->pairwise_cipher = conf->pairwise_cipher; 244 mesh_rsn->group_cipher = conf->group_cipher; 245 mesh_rsn->mgmt_group_cipher = conf->mgmt_group_cipher; 246 247 if (__mesh_rsn_auth_init(mesh_rsn, wpa_s->own_addr, 248 conf->ieee80211w, conf->ocv) < 0) { 249 mesh_rsn_deinit(mesh_rsn); 250 os_free(mesh_rsn); 251 return NULL; 252 } 253 254 bss->wpa_auth = mesh_rsn->auth; 255 256#ifdef CONFIG_PMKSA_CACHE_EXTERNAL 257 while ((entry = dl_list_last(&wpa_s->mesh_external_pmksa_cache, 258 struct external_pmksa_cache, 259 list)) != NULL) { 260 int ret; 261 262 ret = wpa_auth_pmksa_add_entry(bss->wpa_auth, 263 entry->pmksa_cache); 264 dl_list_del(&entry->list); 265 os_free(entry); 266 267 if (ret < 0) 268 return NULL; 269 } 270#endif /* CONFIG_PMKSA_CACHE_EXTERNAL */ 271 272 ie = wpa_auth_get_wpa_ie(mesh_rsn->auth, &ie_len); 273 conf->rsn_ie = (u8 *) ie; 274 conf->rsn_ie_len = ie_len; 275 276 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid); 277 278 return mesh_rsn; 279} 280 281 282static int index_within_array(const int *array, int idx) 283{ 284 int i; 285 286 for (i = 0; i < idx; i++) { 287 if (array[i] == -1) 288 return 0; 289 } 290 291 return 1; 292} 293 294 295static int mesh_rsn_sae_group(struct wpa_supplicant *wpa_s, 296 struct sae_data *sae) 297{ 298 int *groups = wpa_s->ifmsh->bss[0]->conf->sae_groups; 299 300 /* Configuration may have changed, so validate current index */ 301 if (!index_within_array(groups, wpa_s->mesh_rsn->sae_group_index)) 302 return -1; 303 304 for (;;) { 305 int group = groups[wpa_s->mesh_rsn->sae_group_index]; 306 307 if (group <= 0) 308 break; 309 if (sae_set_group(sae, group) == 0) { 310 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d", 311 sae->group); 312 return 0; 313 } 314 wpa_s->mesh_rsn->sae_group_index++; 315 } 316 317 return -1; 318} 319 320 321static int mesh_rsn_build_sae_commit(struct wpa_supplicant *wpa_s, 322 struct wpa_ssid *ssid, 323 struct sta_info *sta) 324{ 325 const char *password; 326 327 password = ssid->sae_password; 328 if (!password) 329 password = ssid->passphrase; 330 if (!password) { 331 wpa_msg(wpa_s, MSG_DEBUG, "SAE: No password available"); 332 return -1; 333 } 334 335 if (mesh_rsn_sae_group(wpa_s, sta->sae) < 0) { 336 wpa_msg(wpa_s, MSG_DEBUG, "SAE: Failed to select group"); 337 return -1; 338 } 339 340 if (sta->sae->tmp && !sta->sae->tmp->pw_id && ssid->sae_password_id) { 341 sta->sae->tmp->pw_id = os_strdup(ssid->sae_password_id); 342 if (!sta->sae->tmp->pw_id) 343 return -1; 344 } 345 return sae_prepare_commit(wpa_s->own_addr, sta->addr, 346 (u8 *) password, os_strlen(password), 347 sta->sae); 348} 349 350 351/* initiate new SAE authentication with sta */ 352int mesh_rsn_auth_sae_sta(struct wpa_supplicant *wpa_s, 353 struct sta_info *sta) 354{ 355 struct hostapd_data *hapd = wpa_s->ifmsh->bss[0]; 356 struct wpa_ssid *ssid = wpa_s->current_ssid; 357 struct rsn_pmksa_cache_entry *pmksa; 358 unsigned int rnd; 359 int ret; 360 361 if (!ssid) { 362 wpa_msg(wpa_s, MSG_DEBUG, 363 "AUTH: No current_ssid known to initiate new SAE"); 364 return -1; 365 } 366 367 if (!sta->sae) { 368 sta->sae = os_zalloc(sizeof(*sta->sae)); 369 if (sta->sae == NULL) 370 return -1; 371 } 372 373 pmksa = wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr, NULL); 374 if (pmksa) { 375 if (!sta->wpa_sm) 376 sta->wpa_sm = wpa_auth_sta_init(hapd->wpa_auth, 377 sta->addr, NULL); 378 if (!sta->wpa_sm) { 379 wpa_printf(MSG_ERROR, 380 "mesh: Failed to initialize RSN state machine"); 381 return -1; 382 } 383 384 wpa_printf(MSG_DEBUG, 385 "AUTH: Mesh PMKSA cache entry found for " MACSTR 386 " - try to use PMKSA caching instead of new SAE authentication", 387 MAC2STR(sta->addr)); 388 wpa_auth_pmksa_set_to_sm(pmksa, sta->wpa_sm, hapd->wpa_auth, 389 sta->sae->pmkid, sta->sae->pmk); 390 sae_accept_sta(hapd, sta); 391 sta->mesh_sae_pmksa_caching = 1; 392 return 0; 393 } 394 sta->mesh_sae_pmksa_caching = 0; 395 396 if (mesh_rsn_build_sae_commit(wpa_s, ssid, sta)) 397 return -1; 398 399 wpa_msg(wpa_s, MSG_DEBUG, 400 "AUTH: started authentication with SAE peer: " MACSTR, 401 MAC2STR(sta->addr)); 402 403 ret = auth_sae_init_committed(hapd, sta); 404 if (ret) 405 return ret; 406 407 eloop_cancel_timeout(mesh_auth_timer, wpa_s, sta); 408 rnd = rand() % MESH_AUTH_TIMEOUT; 409 eloop_register_timeout(MESH_AUTH_TIMEOUT + rnd, 0, mesh_auth_timer, 410 wpa_s, sta); 411 return 0; 412} 413 414 415void mesh_rsn_get_pmkid(struct mesh_rsn *rsn, struct sta_info *sta, u8 *pmkid) 416{ 417 os_memcpy(pmkid, sta->sae->pmkid, SAE_PMKID_LEN); 418} 419 420 421static void 422mesh_rsn_derive_aek(struct mesh_rsn *rsn, struct sta_info *sta) 423{ 424 u8 *myaddr = rsn->wpa_s->own_addr; 425 u8 *peer = sta->addr; 426 u8 *addr1, *addr2; 427 u8 context[RSN_SELECTOR_LEN + 2 * ETH_ALEN], *ptr = context; 428 429 /* 430 * AEK = KDF-Hash-256(PMK, "AEK Derivation", Selected AKM Suite || 431 * min(localMAC, peerMAC) || max(localMAC, peerMAC)) 432 */ 433 /* Selected AKM Suite: SAE */ 434 RSN_SELECTOR_PUT(ptr, RSN_AUTH_KEY_MGMT_SAE); 435 ptr += RSN_SELECTOR_LEN; 436 437 if (os_memcmp(myaddr, peer, ETH_ALEN) < 0) { 438 addr1 = myaddr; 439 addr2 = peer; 440 } else { 441 addr1 = peer; 442 addr2 = myaddr; 443 } 444 os_memcpy(ptr, addr1, ETH_ALEN); 445 ptr += ETH_ALEN; 446 os_memcpy(ptr, addr2, ETH_ALEN); 447 448 sha256_prf(sta->sae->pmk, sizeof(sta->sae->pmk), "AEK Derivation", 449 context, sizeof(context), sta->aek, sizeof(sta->aek)); 450} 451 452 453/* derive mesh temporal key from pmk */ 454int mesh_rsn_derive_mtk(struct wpa_supplicant *wpa_s, struct sta_info *sta) 455{ 456 u8 *ptr; 457 u8 *min, *max; 458 u8 *myaddr = wpa_s->own_addr; 459 u8 *peer = sta->addr; 460 u8 context[2 * WPA_NONCE_LEN + 2 * 2 + RSN_SELECTOR_LEN + 2 * ETH_ALEN]; 461 462 /* 463 * MTK = KDF-Hash-Length(PMK, "Temporal Key Derivation", min(localNonce, 464 * peerNonce) || max(localNonce, peerNonce) || min(localLinkID, 465 * peerLinkID) || max(localLinkID, peerLinkID) || Selected AKM Suite || 466 * min(localMAC, peerMAC) || max(localMAC, peerMAC)) 467 */ 468 ptr = context; 469 if (os_memcmp(sta->my_nonce, sta->peer_nonce, WPA_NONCE_LEN) < 0) { 470 min = sta->my_nonce; 471 max = sta->peer_nonce; 472 } else { 473 min = sta->peer_nonce; 474 max = sta->my_nonce; 475 } 476 os_memcpy(ptr, min, WPA_NONCE_LEN); 477 ptr += WPA_NONCE_LEN; 478 os_memcpy(ptr, max, WPA_NONCE_LEN); 479 ptr += WPA_NONCE_LEN; 480 481 if (sta->my_lid < sta->peer_lid) { 482 WPA_PUT_LE16(ptr, sta->my_lid); 483 ptr += 2; 484 WPA_PUT_LE16(ptr, sta->peer_lid); 485 ptr += 2; 486 } else { 487 WPA_PUT_LE16(ptr, sta->peer_lid); 488 ptr += 2; 489 WPA_PUT_LE16(ptr, sta->my_lid); 490 ptr += 2; 491 } 492 493 /* Selected AKM Suite: SAE */ 494 RSN_SELECTOR_PUT(ptr, RSN_AUTH_KEY_MGMT_SAE); 495 ptr += RSN_SELECTOR_LEN; 496 497 if (os_memcmp(myaddr, peer, ETH_ALEN) < 0) { 498 min = myaddr; 499 max = peer; 500 } else { 501 min = peer; 502 max = myaddr; 503 } 504 os_memcpy(ptr, min, ETH_ALEN); 505 ptr += ETH_ALEN; 506 os_memcpy(ptr, max, ETH_ALEN); 507 508 sta->mtk_len = wpa_cipher_key_len(wpa_s->mesh_rsn->pairwise_cipher); 509 sha256_prf(sta->sae->pmk, SAE_PMK_LEN, 510 "Temporal Key Derivation", context, sizeof(context), 511 sta->mtk, sta->mtk_len); 512 return 0; 513} 514 515 516void mesh_rsn_init_ampe_sta(struct wpa_supplicant *wpa_s, struct sta_info *sta) 517{ 518 if (random_get_bytes(sta->my_nonce, WPA_NONCE_LEN) < 0) { 519 wpa_printf(MSG_INFO, "mesh: Failed to derive random nonce"); 520 /* TODO: How to handle this more cleanly? */ 521 } 522 os_memset(sta->peer_nonce, 0, WPA_NONCE_LEN); 523 mesh_rsn_derive_aek(wpa_s->mesh_rsn, sta); 524} 525 526 527/* insert AMPE and encrypted MIC at @ie. 528 * @mesh_rsn: mesh RSN context 529 * @sta: STA we're sending to 530 * @cat: pointer to category code in frame header. 531 * @buf: wpabuf to add encrypted AMPE and MIC to. 532 * */ 533int mesh_rsn_protect_frame(struct mesh_rsn *rsn, struct sta_info *sta, 534 const u8 *cat, struct wpabuf *buf) 535{ 536 struct ieee80211_ampe_ie *ampe; 537 u8 const *ie = wpabuf_head_u8(buf) + wpabuf_len(buf); 538 u8 *ampe_ie, *pos, *mic_payload; 539 const u8 *aad[] = { rsn->wpa_s->own_addr, sta->addr, cat }; 540 const size_t aad_len[] = { ETH_ALEN, ETH_ALEN, ie - cat }; 541 int ret = 0; 542 size_t len; 543 544 len = sizeof(*ampe); 545 if (cat[1] == PLINK_OPEN) 546 len += rsn->mgtk_len + WPA_KEY_RSC_LEN + 4; 547 if (cat[1] == PLINK_OPEN && rsn->igtk_len) 548 len += 2 + 6 + rsn->igtk_len; 549 550 if (2 + AES_BLOCK_SIZE + 2 + len > wpabuf_tailroom(buf)) { 551 wpa_printf(MSG_ERROR, "protect frame: buffer too small"); 552 return -EINVAL; 553 } 554 555 ampe_ie = os_zalloc(2 + len); 556 if (!ampe_ie) { 557 wpa_printf(MSG_ERROR, "protect frame: out of memory"); 558 return -ENOMEM; 559 } 560 561 /* IE: AMPE */ 562 ampe_ie[0] = WLAN_EID_AMPE; 563 ampe_ie[1] = len; 564 ampe = (struct ieee80211_ampe_ie *) (ampe_ie + 2); 565 566 RSN_SELECTOR_PUT(ampe->selected_pairwise_suite, 567 RSN_CIPHER_SUITE_CCMP); 568 os_memcpy(ampe->local_nonce, sta->my_nonce, WPA_NONCE_LEN); 569 os_memcpy(ampe->peer_nonce, sta->peer_nonce, WPA_NONCE_LEN); 570 571 pos = (u8 *) (ampe + 1); 572 if (cat[1] != PLINK_OPEN) 573 goto skip_keys; 574 575 /* TODO: Key Replay Counter[8] optionally for 576 * Mesh Group Key Inform/Acknowledge frames */ 577 578 /* TODO: static mgtk for now since we don't support rekeying! */ 579 /* 580 * GTKdata[variable]: 581 * MGTK[variable] || Key RSC[8] || GTKExpirationTime[4] 582 */ 583 os_memcpy(pos, rsn->mgtk, rsn->mgtk_len); 584 pos += rsn->mgtk_len; 585 wpa_drv_get_seqnum(rsn->wpa_s, NULL, rsn->mgtk_key_id, pos); 586 pos += WPA_KEY_RSC_LEN; 587 /* Use fixed GTKExpirationTime for now */ 588 WPA_PUT_LE32(pos, 0xffffffff); 589 pos += 4; 590 591 /* 592 * IGTKdata[variable]: 593 * Key ID[2], IPN[6], IGTK[variable] 594 */ 595 if (rsn->igtk_len) { 596 WPA_PUT_LE16(pos, rsn->igtk_key_id); 597 pos += 2; 598 wpa_drv_get_seqnum(rsn->wpa_s, NULL, rsn->igtk_key_id, pos); 599 pos += 6; 600 os_memcpy(pos, rsn->igtk, rsn->igtk_len); 601 } 602 603skip_keys: 604 wpa_hexdump_key(MSG_DEBUG, "mesh: Plaintext AMPE element", 605 ampe_ie, 2 + len); 606 607 /* IE: MIC */ 608 wpabuf_put_u8(buf, WLAN_EID_MIC); 609 wpabuf_put_u8(buf, AES_BLOCK_SIZE); 610 /* MIC field is output ciphertext */ 611 612 /* encrypt after MIC */ 613 mic_payload = wpabuf_put(buf, 2 + len + AES_BLOCK_SIZE); 614 615 if (aes_siv_encrypt(sta->aek, sizeof(sta->aek), ampe_ie, 2 + len, 3, 616 aad, aad_len, mic_payload)) { 617 wpa_printf(MSG_ERROR, "protect frame: failed to encrypt"); 618 ret = -ENOMEM; 619 } 620 621 os_free(ampe_ie); 622 623 return ret; 624} 625 626 627int mesh_rsn_process_ampe(struct wpa_supplicant *wpa_s, struct sta_info *sta, 628 struct ieee802_11_elems *elems, const u8 *cat, 629 const u8 *chosen_pmk, 630 const u8 *start, size_t elems_len) 631{ 632 int ret = 0; 633 struct ieee80211_ampe_ie *ampe; 634 u8 null_nonce[WPA_NONCE_LEN] = {}; 635 u8 ampe_eid; 636 u8 ampe_ie_len; 637 u8 *ampe_buf, *crypt = NULL, *pos, *end; 638 size_t crypt_len; 639 const u8 *aad[] = { sta->addr, wpa_s->own_addr, cat }; 640 const size_t aad_len[] = { ETH_ALEN, ETH_ALEN, 641 elems->mic ? (elems->mic - 2) - cat : 0 }; 642 size_t key_len; 643 644 if (!sta->sae) { 645 struct hostapd_data *hapd = wpa_s->ifmsh->bss[0]; 646 647 if (!wpa_auth_pmksa_get(hapd->wpa_auth, sta->addr, NULL)) { 648 wpa_printf(MSG_INFO, 649 "Mesh RSN: SAE is not prepared yet"); 650 return -1; 651 } 652 mesh_rsn_auth_sae_sta(wpa_s, sta); 653 } 654 655 if (chosen_pmk && 656 (!sta->sae || 657 os_memcmp(chosen_pmk, sta->sae->pmkid, PMKID_LEN) != 0)) { 658 wpa_msg(wpa_s, MSG_DEBUG, 659 "Mesh RSN: Invalid PMKID (Chosen PMK did not match calculated PMKID)"); 660 return -1; 661 } 662 663 if (!elems->mic || elems->mic_len < AES_BLOCK_SIZE) { 664 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: missing mic ie"); 665 return -1; 666 } 667 668 ampe_buf = (u8 *) elems->mic + elems->mic_len; 669 if ((int) elems_len < ampe_buf - start) 670 return -1; 671 672 crypt_len = elems_len - (elems->mic - start); 673 if (crypt_len < 2 + AES_BLOCK_SIZE) { 674 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: missing ampe ie"); 675 return -1; 676 } 677 678 /* crypt is modified by siv_decrypt */ 679 crypt = os_zalloc(crypt_len); 680 if (!crypt) { 681 wpa_printf(MSG_ERROR, "Mesh RSN: out of memory"); 682 ret = -ENOMEM; 683 goto free; 684 } 685 686 os_memcpy(crypt, elems->mic, crypt_len); 687 688 if (aes_siv_decrypt(sta->aek, sizeof(sta->aek), crypt, crypt_len, 3, 689 aad, aad_len, ampe_buf)) { 690 wpa_printf(MSG_ERROR, "Mesh RSN: frame verification failed!"); 691 ret = -2; 692 goto free; 693 } 694 695 crypt_len -= AES_BLOCK_SIZE; 696 wpa_hexdump_key(MSG_DEBUG, "mesh: Decrypted AMPE element", 697 ampe_buf, crypt_len); 698 699 ampe_eid = *ampe_buf++; 700 ampe_ie_len = *ampe_buf++; 701 702 if (ampe_eid != WLAN_EID_AMPE || 703 (size_t) 2 + ampe_ie_len > crypt_len || 704 ampe_ie_len < sizeof(struct ieee80211_ampe_ie)) { 705 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: invalid ampe ie"); 706 ret = -1; 707 goto free; 708 } 709 710 ampe = (struct ieee80211_ampe_ie *) ampe_buf; 711 pos = (u8 *) (ampe + 1); 712 end = ampe_buf + ampe_ie_len; 713 if (os_memcmp(ampe->peer_nonce, null_nonce, WPA_NONCE_LEN) != 0 && 714 os_memcmp(ampe->peer_nonce, sta->my_nonce, WPA_NONCE_LEN) != 0) { 715 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: invalid peer nonce"); 716 ret = -1; 717 goto free; 718 } 719 os_memcpy(sta->peer_nonce, ampe->local_nonce, 720 sizeof(ampe->local_nonce)); 721 722 /* TODO: Key Replay Counter[8] in Mesh Group Key Inform/Acknowledge 723 * frames */ 724 725 /* 726 * GTKdata shall not be included in Mesh Peering Confirm. While the 727 * standard does not state the same about IGTKdata, that same constraint 728 * needs to apply for it. It makes no sense to include the keys in Mesh 729 * Peering Close frames either, so while the standard does not seem to 730 * have a shall statement for these, they are described without 731 * mentioning GTKdata. 732 * 733 * An earlier implementation used to add GTKdata to both Mesh Peering 734 * Open and Mesh Peering Confirm frames, so ignore the possibly present 735 * GTKdata frame without rejecting the frame as a backwards 736 * compatibility mechanism. 737 */ 738 if (cat[1] != PLINK_OPEN) { 739 if (end > pos) { 740 wpa_hexdump_key(MSG_DEBUG, 741 "mesh: Ignore unexpected GTKdata(etc.) fields in the end of AMPE element in Mesh Peering Confirm/Close", 742 pos, end - pos); 743 } 744 goto free; 745 } 746 747 /* 748 * GTKdata[variable]: 749 * MGTK[variable] || Key RSC[8] || GTKExpirationTime[4] 750 */ 751 sta->mgtk_key_id = 1; /* FIX: Where to get Key ID? */ 752 key_len = wpa_cipher_key_len(wpa_s->mesh_rsn->group_cipher); 753 if ((int) key_len + WPA_KEY_RSC_LEN + 4 > end - pos) { 754 wpa_dbg(wpa_s, MSG_DEBUG, "mesh: Truncated AMPE element"); 755 ret = -1; 756 goto free; 757 } 758 sta->mgtk_len = key_len; 759 os_memcpy(sta->mgtk, pos, sta->mgtk_len); 760 wpa_hexdump_key(MSG_DEBUG, "mesh: GTKdata - MGTK", 761 sta->mgtk, sta->mgtk_len); 762 pos += sta->mgtk_len; 763 wpa_hexdump(MSG_DEBUG, "mesh: GTKdata - MGTK - Key RSC", 764 pos, WPA_KEY_RSC_LEN); 765 os_memcpy(sta->mgtk_rsc, pos, sizeof(sta->mgtk_rsc)); 766 pos += WPA_KEY_RSC_LEN; 767 wpa_printf(MSG_DEBUG, 768 "mesh: GTKdata - MGTK - GTKExpirationTime: %u seconds", 769 WPA_GET_LE32(pos)); 770 pos += 4; 771 772 /* 773 * IGTKdata[variable]: 774 * Key ID[2], IPN[6], IGTK[variable] 775 */ 776 key_len = wpa_cipher_key_len(wpa_s->mesh_rsn->mgmt_group_cipher); 777 if (end - pos >= (int) (2 + 6 + key_len)) { 778 sta->igtk_key_id = WPA_GET_LE16(pos); 779 wpa_printf(MSG_DEBUG, "mesh: IGTKdata - Key ID %u", 780 sta->igtk_key_id); 781 pos += 2; 782 os_memcpy(sta->igtk_rsc, pos, sizeof(sta->igtk_rsc)); 783 wpa_hexdump(MSG_DEBUG, "mesh: IGTKdata - IPN", 784 sta->igtk_rsc, sizeof(sta->igtk_rsc)); 785 pos += 6; 786 os_memcpy(sta->igtk, pos, key_len); 787 sta->igtk_len = key_len; 788 wpa_hexdump_key(MSG_DEBUG, "mesh: IGTKdata - IGTK", 789 sta->igtk, sta->igtk_len); 790 } 791 792free: 793 os_free(crypt); 794 return ret; 795} 796