Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / 6c0da2bb83f6915d8260912362692d1a742e057b / . / wpa_supplicant / mesh_rsn.c
blob: e6ae7c38b45ec2223b598a20eaaf714316e5e20b [file] [log] [blame]
Dmitry Shmidt6c0da2b2015-01-05 13:08:17 -0800[diff] [blame^]1/*
2 * WPA Supplicant - Mesh RSN routines
3 * Copyright (c) 2013-2014, cozybit, Inc. All rights reserved.
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "utils/includes.h"
10
11#include "utils/common.h"
12#include "utils/eloop.h"
13#include "crypto/sha256.h"
14#include "crypto/random.h"
15#include "crypto/aes.h"
16#include "crypto/aes_siv.h"
17#include "rsn_supp/wpa.h"
18#include "ap/hostapd.h"
19#include "ap/wpa_auth.h"
20#include "ap/sta_info.h"
21#include "wpa_supplicant_i.h"
22#include "driver_i.h"
23#include "wpas_glue.h"
24#include "mesh_mpm.h"
25#include "mesh_rsn.h"
26
27#define MESH_AUTH_TIMEOUT 10
28#define MESH_AUTH_RETRY 3
29
30void mesh_auth_timer(void *eloop_ctx, void *user_data)
31{
32 struct wpa_supplicant *wpa_s = eloop_ctx;
33 struct sta_info *sta = user_data;
34
35 if (sta->sae->state != SAE_ACCEPTED) {
36 wpa_printf(MSG_DEBUG, "AUTH: Re-authenticate with " MACSTR
37 " (attempt %d) ",
38 MAC2STR(sta->addr), sta->sae_auth_retry);
39 if (sta->sae_auth_retry < MESH_AUTH_RETRY) {
40 mesh_rsn_auth_sae_sta(wpa_s, sta);
41 } else {
42 /* block the STA if exceeded the number of attempts */
43 sta->plink_state = PLINK_BLOCKED;
44 sta->sae->state = SAE_NOTHING;
45 }
46 sta->sae_auth_retry++;
47 }
48}
49
50
51static void auth_logger(void *ctx, const u8 *addr, logger_level level,
52 const char *txt)
53{
54 if (addr)
55 wpa_printf(MSG_DEBUG, "AUTH: " MACSTR " - %s",
56 MAC2STR(addr), txt);
57 else
58 wpa_printf(MSG_DEBUG, "AUTH: %s", txt);
59}
60
61
62static const u8 *auth_get_psk(void *ctx, const u8 *addr,
63 const u8 *p2p_dev_addr, const u8 *prev_psk)
64{
65 struct mesh_rsn *mesh_rsn = ctx;
66 struct hostapd_data *hapd = mesh_rsn->wpa_s->ifmsh->bss[0];
67 struct sta_info *sta = ap_get_sta(hapd, addr);
68
69 wpa_printf(MSG_DEBUG, "AUTH: %s (addr=" MACSTR " prev_psk=%p)",
70 __func__, MAC2STR(addr), prev_psk);
71
72 if (sta && sta->auth_alg == WLAN_AUTH_SAE) {
73 if (!sta->sae || prev_psk)
74 return NULL;
75 return sta->sae->pmk;
76 }
77
78 return NULL;
79}
80
81
82static int auth_set_key(void *ctx, int vlan_id, enum wpa_alg alg,
83 const u8 *addr, int idx, u8 *key, size_t key_len)
84{
85 struct mesh_rsn *mesh_rsn = ctx;
86 u8 seq[6];
87
88 os_memset(seq, 0, sizeof(seq));
89
90 if (addr) {
91 wpa_printf(MSG_DEBUG, "AUTH: %s(alg=%d addr=" MACSTR
92 " key_idx=%d)",
93 __func__, alg, MAC2STR(addr), idx);
94 } else {
95 wpa_printf(MSG_DEBUG, "AUTH: %s(alg=%d key_idx=%d)",
96 __func__, alg, idx);
97 }
98 wpa_hexdump_key(MSG_DEBUG, "AUTH: set_key - key", key, key_len);
99
100 return wpa_drv_set_key(mesh_rsn->wpa_s, alg, addr, idx,
101 1, seq, 6, key, key_len);
102}
103
104
105static int auth_start_ampe(void *ctx, const u8 *addr)
106{
107 struct mesh_rsn *mesh_rsn = ctx;
108 struct hostapd_data *hapd;
109 struct sta_info *sta;
110
111 if (mesh_rsn->wpa_s->current_ssid->mode != WPAS_MODE_MESH)
112 return -1;
113
114 hapd = mesh_rsn->wpa_s->ifmsh->bss[0];
115 sta = ap_get_sta(hapd, addr);
116 if (sta)
117 eloop_cancel_timeout(mesh_auth_timer, mesh_rsn->wpa_s, sta);
118
119 mesh_mpm_auth_peer(mesh_rsn->wpa_s, addr);
120 return 0;
121}
122
123
124static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr)
125{
126 struct wpa_auth_config conf;
127 struct wpa_auth_callbacks cb;
128 u8 seq[6] = {};
129
130 wpa_printf(MSG_DEBUG, "AUTH: Initializing group state machine");
131
132 os_memset(&conf, 0, sizeof(conf));
133 conf.wpa = 2;
134 conf.wpa_key_mgmt = WPA_KEY_MGMT_SAE;
135 conf.wpa_pairwise = WPA_CIPHER_CCMP;
136 conf.rsn_pairwise = WPA_CIPHER_CCMP;
137 conf.wpa_group = WPA_CIPHER_CCMP;
138 conf.eapol_version = 0;
139 conf.wpa_group_rekey = -1;
140
141 os_memset(&cb, 0, sizeof(cb));
142 cb.ctx = rsn;
143 cb.logger = auth_logger;
144 cb.get_psk = auth_get_psk;
145 cb.set_key = auth_set_key;
146 cb.start_ampe = auth_start_ampe;
147
148 rsn->auth = wpa_init(addr, &conf, &cb);
149 if (rsn->auth == NULL) {
150 wpa_printf(MSG_DEBUG, "AUTH: wpa_init() failed");
151 return -1;
152 }
153
154 /* TODO: support rekeying */
155 if (random_get_bytes(rsn->mgtk, 16) < 0) {
156 wpa_deinit(rsn->auth);
157 return -1;
158 }
159
160 /* group mgmt */
161 wpa_drv_set_key(rsn->wpa_s, WPA_ALG_IGTK, NULL, 4, 1,
162 seq, sizeof(seq), rsn->mgtk, sizeof(rsn->mgtk));
163
164 /* group privacy / data frames */
165 wpa_drv_set_key(rsn->wpa_s, WPA_ALG_CCMP, NULL, 1, 1,
166 seq, sizeof(seq), rsn->mgtk, sizeof(rsn->mgtk));
167
168 return 0;
169}
170
171
172static void mesh_rsn_deinit(struct mesh_rsn *rsn)
173{
174 os_memset(rsn->mgtk, 0, sizeof(rsn->mgtk));
175 wpa_deinit(rsn->auth);
176}
177
178
179struct mesh_rsn *mesh_rsn_auth_init(struct wpa_supplicant *wpa_s,
180 struct mesh_conf *conf)
181{
182 struct mesh_rsn *mesh_rsn;
183 struct hostapd_data *bss = wpa_s->ifmsh->bss[0];
184 const u8 *ie;
185 size_t ie_len;
186
187 mesh_rsn = os_zalloc(sizeof(*mesh_rsn));
188 if (mesh_rsn == NULL)
189 return NULL;
190 mesh_rsn->wpa_s = wpa_s;
191
192 if (__mesh_rsn_auth_init(mesh_rsn, wpa_s->own_addr) < 0) {
193 mesh_rsn_deinit(mesh_rsn);
194 return NULL;
195 }
196
197 bss->wpa_auth = mesh_rsn->auth;
198
199 ie = wpa_auth_get_wpa_ie(mesh_rsn->auth, &ie_len);
200 conf->ies = (u8 *) ie;
201 conf->ie_len = ie_len;
202
203 wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid);
204
205 return mesh_rsn;
206}
207
208
209static int index_within_array(const int *array, int idx)
210{
211 int i;
212
213 for (i = 0; i < idx; i++) {
214 if (array[i] == -1)
215 return 0;
216 }
217
218 return 1;
219}
220
221
222static int mesh_rsn_sae_group(struct wpa_supplicant *wpa_s,
223 struct sae_data *sae)
224{
225 int *groups = wpa_s->ifmsh->bss[0]->conf->sae_groups;
226
227 /* Configuration may have changed, so validate current index */
228 if (!index_within_array(groups, wpa_s->mesh_rsn->sae_group_index))
229 return -1;
230
231 for (;;) {
232 int group = groups[wpa_s->mesh_rsn->sae_group_index];
233
234 if (group <= 0)
235 break;
236 if (sae_set_group(sae, group) == 0) {
237 wpa_dbg(wpa_s, MSG_DEBUG, "SME: Selected SAE group %d",
238 sae->group);
239 return 0;
240 }
241 wpa_s->mesh_rsn->sae_group_index++;
242 }
243
244 return -1;
245}
246
247
248struct wpabuf *
249mesh_rsn_build_sae_commit(struct wpa_supplicant *wpa_s,
250 struct wpa_ssid *ssid, struct sta_info *sta)
251{
252 struct wpabuf *buf;
253 int len;
254
255 if (ssid->passphrase == NULL) {
256 wpa_msg(wpa_s, MSG_DEBUG, "SAE: No password available");
257 return NULL;
258 }
259
260 if (mesh_rsn_sae_group(wpa_s, sta->sae) < 0) {
261 wpa_msg(wpa_s, MSG_DEBUG, "SAE: Failed to select group");
262 return NULL;
263 }
264
265 if (sae_prepare_commit(wpa_s->own_addr, sta->addr,
266 (u8 *) ssid->passphrase,
267 os_strlen(ssid->passphrase), sta->sae) < 0) {
268 wpa_msg(wpa_s, MSG_DEBUG, "SAE: Could not pick PWE");
269 return NULL;
270 }
271
272 len = wpa_s->mesh_rsn->sae_token ?
273 wpabuf_len(wpa_s->mesh_rsn->sae_token) : 0;
274 buf = wpabuf_alloc(4 + SAE_COMMIT_MAX_LEN + len);
275 if (buf == NULL)
276 return NULL;
277
278 sae_write_commit(sta->sae, buf, wpa_s->mesh_rsn->sae_token);
279
280 return buf;
281}
282
283
284static void mesh_rsn_send_auth(struct wpa_supplicant *wpa_s,
285 const u8 *dst, const u8 *src,
286 u16 auth_transaction, u16 resp,
287 struct wpabuf *data)
288{
289 struct ieee80211_mgmt *auth;
290 u8 *buf;
291 size_t len, ielen = 0;
292
293 if (data)
294 ielen = wpabuf_len(data);
295 len = IEEE80211_HDRLEN + sizeof(auth->u.auth) + ielen;
296 buf = os_zalloc(len);
297 if (buf == NULL)
298 return;
299
300 auth = (struct ieee80211_mgmt *) buf;
301 auth->frame_control = IEEE80211_FC(WLAN_FC_TYPE_MGMT,
302 WLAN_FC_STYPE_AUTH);
303 os_memcpy(auth->da, dst, ETH_ALEN);
304 os_memcpy(auth->sa, src, ETH_ALEN);
305 os_memcpy(auth->bssid, src, ETH_ALEN);
306
307 auth->u.auth.auth_alg = host_to_le16(WLAN_AUTH_SAE);
308 auth->u.auth.auth_transaction = host_to_le16(auth_transaction);
309 auth->u.auth.status_code = host_to_le16(resp);
310
311 if (data)
312 os_memcpy(auth->u.auth.variable, wpabuf_head(data), ielen);
313
314 wpa_msg(wpa_s, MSG_DEBUG, "authentication frame: STA=" MACSTR
315 " auth_transaction=%d resp=%d (IE len=%lu)",
316 MAC2STR(dst), auth_transaction, resp, (unsigned long) ielen);
317 if (wpa_drv_send_mlme(wpa_s, buf, len, 0) < 0)
318 wpa_printf(MSG_INFO, "send_auth_reply: send_mlme failed: %s",
319 strerror(errno));
320
321 os_free(buf);
322}
323
324
325/* initiate new SAE authentication with sta */
326int mesh_rsn_auth_sae_sta(struct wpa_supplicant *wpa_s,
327 struct sta_info *sta)
328{
329 struct wpa_ssid *ssid = wpa_s->current_ssid;
330 struct wpabuf *buf;
331 unsigned int rnd;
332
333 if (!ssid) {
334 wpa_msg(wpa_s, MSG_DEBUG,
335 "AUTH: No current_ssid known to initiate new SAE");
336 return -1;
337 }
338
339 if (!sta->sae) {
340 sta->sae = os_zalloc(sizeof(*sta->sae));
341 if (sta->sae == NULL)
342 return -1;
343 }
344
345 buf = mesh_rsn_build_sae_commit(wpa_s, ssid, sta);
346 if (!buf)
347 return -1;
348
349 wpa_msg(wpa_s, MSG_DEBUG,
350 "AUTH: started authentication with SAE peer: " MACSTR,
351 MAC2STR(sta->addr));
352
353 sta->sae->state = SAE_COMMITTED;
354 wpa_supplicant_set_state(wpa_s, WPA_AUTHENTICATING);
355
356 mesh_rsn_send_auth(wpa_s, sta->addr, wpa_s->own_addr,
357 1, WLAN_STATUS_SUCCESS, buf);
358
359 rnd = rand() % MESH_AUTH_TIMEOUT;
360 eloop_register_timeout(MESH_AUTH_TIMEOUT + rnd, 0, mesh_auth_timer,
361 wpa_s, sta);
362 wpabuf_free(buf);
363
364 return 0;
365}
366
367
368void mesh_rsn_get_pmkid(struct mesh_rsn *rsn, struct sta_info *sta, u8 *pmkid)
369{
370 /* don't expect wpa auth to cache the pmkid for now */
371 rsn_pmkid(sta->sae->pmk, PMK_LEN, rsn->wpa_s->own_addr,
372 sta->addr, pmkid,
373 wpa_key_mgmt_sha256(wpa_auth_sta_key_mgmt(sta->wpa_sm)));
374}
375
376
377static void
378mesh_rsn_derive_aek(struct mesh_rsn *rsn, struct sta_info *sta)
379{
380 u8 *myaddr = rsn->wpa_s->own_addr;
381 u8 *peer = sta->addr;
382 u8 *addr1 = peer, *addr2 = myaddr;
383 u8 context[AES_BLOCK_SIZE];
384
385 /* SAE */
386 RSN_SELECTOR_PUT(context, wpa_cipher_to_suite(0, WPA_CIPHER_GCMP));
387
388 if (os_memcmp(myaddr, peer, ETH_ALEN) < 0) {
389 addr1 = myaddr;
390 addr2 = peer;
391 }
392 os_memcpy(context + 4, addr1, ETH_ALEN);
393 os_memcpy(context + 10, addr2, ETH_ALEN);
394
395 sha256_prf(sta->sae->pmk, sizeof(sta->sae->pmk), "AEK Derivation",
396 context, sizeof(context), sta->aek, sizeof(sta->aek));
397}
398
399
400/* derive mesh temporal key from pmk */
401int mesh_rsn_derive_mtk(struct wpa_supplicant *wpa_s, struct sta_info *sta)
402{
403 u8 *ptr;
404 u8 *min, *max;
405 u16 min_lid, max_lid;
406 size_t nonce_len = sizeof(sta->my_nonce);
407 size_t lid_len = sizeof(sta->my_lid);
408 u8 *myaddr = wpa_s->own_addr;
409 u8 *peer = sta->addr;
410 /* 2 nonces, 2 linkids, akm suite, 2 mac addrs */
411 u8 context[64 + 4 + 4 + 12];
412
413 ptr = context;
414 if (os_memcmp(sta->my_nonce, sta->peer_nonce, nonce_len) < 0) {
415 min = sta->my_nonce;
416 max = sta->peer_nonce;
417 } else {
418 min = sta->peer_nonce;
419 max = sta->my_nonce;
420 }
421 os_memcpy(ptr, min, nonce_len);
422 os_memcpy(ptr + nonce_len, max, nonce_len);
423 ptr += 2 * nonce_len;
424
425 if (sta->my_lid < sta->peer_lid) {
426 min_lid = host_to_le16(sta->my_lid);
427 max_lid = host_to_le16(sta->peer_lid);
428 } else {
429 min_lid = host_to_le16(sta->peer_lid);
430 max_lid = host_to_le16(sta->my_lid);
431 }
432 os_memcpy(ptr, &min_lid, lid_len);
433 os_memcpy(ptr + lid_len, &max_lid, lid_len);
434 ptr += 2 * lid_len;
435
436 /* SAE */
437 RSN_SELECTOR_PUT(ptr, wpa_cipher_to_suite(0, WPA_CIPHER_GCMP));
438 ptr += 4;
439
440 if (os_memcmp(myaddr, peer, ETH_ALEN) < 0) {
441 min = myaddr;
442 max = peer;
443 } else {
444 min = peer;
445 max = myaddr;
446 }
447 os_memcpy(ptr, min, ETH_ALEN);
448 os_memcpy(ptr + ETH_ALEN, max, ETH_ALEN);
449
450 sha256_prf(sta->sae->pmk, sizeof(sta->sae->pmk),
451 "Temporal Key Derivation", context, sizeof(context),
452 sta->mtk, sizeof(sta->mtk));
453 return 0;
454}
455
456
457void mesh_rsn_init_ampe_sta(struct wpa_supplicant *wpa_s, struct sta_info *sta)
458{
459 if (random_get_bytes(sta->my_nonce, 32) < 0) {
460 wpa_printf(MSG_INFO, "mesh: Failed to derive random nonce");
461 /* TODO: How to handle this more cleanly? */
462 }
463 os_memset(sta->peer_nonce, 0, 32);
464 mesh_rsn_derive_aek(wpa_s->mesh_rsn, sta);
465}
466
467
468/* insert AMPE and encrypted MIC at @ie.
469 * @mesh_rsn: mesh RSN context
470 * @sta: STA we're sending to
471 * @cat: pointer to category code in frame header.
472 * @buf: wpabuf to add encrypted AMPE and MIC to.
473 * */
474int mesh_rsn_protect_frame(struct mesh_rsn *rsn, struct sta_info *sta,
475 const u8 *cat, struct wpabuf *buf)
476{
477 struct ieee80211_ampe_ie *ampe;
478 u8 const *ie = wpabuf_head_u8(buf) + wpabuf_len(buf);
479 u8 *ampe_ie = NULL, *mic_ie = NULL, *mic_payload;
480 const u8 *aad[] = { rsn->wpa_s->own_addr, sta->addr, cat };
481 const size_t aad_len[] = { ETH_ALEN, ETH_ALEN, ie - cat };
482 int ret = 0;
483
484 if (AES_BLOCK_SIZE + 2 + sizeof(*ampe) + 2 > wpabuf_tailroom(buf)) {
485 wpa_printf(MSG_ERROR, "protect frame: buffer too small");
486 return -EINVAL;
487 }
488
489 ampe_ie = os_zalloc(2 + sizeof(*ampe));
490 if (!ampe_ie) {
491 wpa_printf(MSG_ERROR, "protect frame: out of memory");
492 return -ENOMEM;
493 }
494
495 mic_ie = os_zalloc(2 + AES_BLOCK_SIZE);
496 if (!mic_ie) {
497 wpa_printf(MSG_ERROR, "protect frame: out of memory");
498 ret = -ENOMEM;
499 goto free;
500 }
501
502 /* IE: AMPE */
503 ampe_ie[0] = WLAN_EID_AMPE;
504 ampe_ie[1] = sizeof(*ampe);
505 ampe = (struct ieee80211_ampe_ie *) (ampe_ie + 2);
506
507 RSN_SELECTOR_PUT(ampe->selected_pairwise_suite,
508 wpa_cipher_to_suite(WPA_PROTO_RSN, WPA_CIPHER_CCMP));
509 os_memcpy(ampe->local_nonce, sta->my_nonce, 32);
510 os_memcpy(ampe->peer_nonce, sta->peer_nonce, 32);
511 /* incomplete: see 13.5.4 */
512 /* TODO: static mgtk for now since we don't support rekeying! */
513 os_memcpy(ampe->mgtk, rsn->mgtk, 16);
514 /* TODO: Populate Key RSC */
515 /* expire in 13 decades or so */
516 os_memset(ampe->key_expiration, 0xff, 4);
517
518 /* IE: MIC */
519 mic_ie[0] = WLAN_EID_MIC;
520 mic_ie[1] = AES_BLOCK_SIZE;
521 wpabuf_put_data(buf, mic_ie, 2);
522 /* MIC field is output ciphertext */
523
524 /* encrypt after MIC */
525 mic_payload = (u8 *) wpabuf_put(buf, 2 + sizeof(*ampe) +
526 AES_BLOCK_SIZE);
527
528 if (aes_siv_encrypt(sta->aek, ampe_ie, 2 + sizeof(*ampe), 3,
529 aad, aad_len, mic_payload)) {
530 wpa_printf(MSG_ERROR, "protect frame: failed to encrypt");
531 ret = -ENOMEM;
532 goto free;
533 }
534
535free:
536 os_free(ampe_ie);
537 os_free(mic_ie);
538
539 return ret;
540}
541
542
543int mesh_rsn_process_ampe(struct wpa_supplicant *wpa_s, struct sta_info *sta,
544 struct ieee802_11_elems *elems, const u8 *cat,
545 const u8 *start, size_t elems_len)
546{
547 int ret = 0;
548 struct ieee80211_ampe_ie *ampe;
549 u8 null_nonce[32] = {};
550 u8 ampe_eid;
551 u8 ampe_ie_len;
552 u8 *ampe_buf, *crypt = NULL;
553 size_t crypt_len;
554 const u8 *aad[] = { sta->addr, wpa_s->own_addr, cat };
555 const size_t aad_len[] = { ETH_ALEN, ETH_ALEN,
556 (elems->mic - 2) - cat };
557
558 if (!elems->mic || elems->mic_len < AES_BLOCK_SIZE) {
559 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: missing mic ie");
560 return -1;
561 }
562
563 ampe_buf = (u8 *) elems->mic + elems->mic_len;
564 if ((int) elems_len < ampe_buf - start)
565 return -1;
566
567 crypt_len = elems_len - (elems->mic - start);
568 if (crypt_len < 2) {
569 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: missing ampe ie");
570 return -1;
571 }
572
573 /* crypt is modified by siv_decrypt */
574 crypt = os_zalloc(crypt_len);
575 if (!crypt) {
576 wpa_printf(MSG_ERROR, "Mesh RSN: out of memory");
577 ret = -ENOMEM;
578 goto free;
579 }
580
581 os_memcpy(crypt, elems->mic, crypt_len);
582
583 if (aes_siv_decrypt(sta->aek, crypt, crypt_len, 3,
584 aad, aad_len, ampe_buf)) {
585 wpa_printf(MSG_ERROR, "Mesh RSN: frame verification failed!");
586 ret = -1;
587 goto free;
588 }
589
590 ampe_eid = *ampe_buf++;
591 ampe_ie_len = *ampe_buf++;
592
593 if (ampe_eid != WLAN_EID_AMPE ||
594 ampe_ie_len < sizeof(struct ieee80211_ampe_ie)) {
595 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: invalid ampe ie");
596 ret = -1;
597 goto free;
598 }
599
600 ampe = (struct ieee80211_ampe_ie *) ampe_buf;
601 if (os_memcmp(ampe->peer_nonce, null_nonce, 32) != 0 &&
602 os_memcmp(ampe->peer_nonce, sta->my_nonce, 32) != 0) {
603 wpa_msg(wpa_s, MSG_DEBUG, "Mesh RSN: invalid peer nonce");
604 ret = -1;
605 goto free;
606 }
607 os_memcpy(sta->peer_nonce, ampe->local_nonce,
608 sizeof(ampe->local_nonce));
609 os_memcpy(sta->mgtk, ampe->mgtk, sizeof(ampe->mgtk));
610
611 /* todo parse mgtk expiration */
612free:
613 os_free(crypt);
614 return ret;
615}