Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / a04bd250fff00c837f5bdccd28528853295da1e5 / . / wpa_supplicant / pasn_supplicant.c
blob: dc21b6a3c32959a53e201a08982e4f81858f66a6 [file] [log] [blame]
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1/*
2 * wpa_supplicant - PASN processing
3 *
4 * Copyright (C) 2019 Intel Corporation
5 *
6 * This software may be distributed under the terms of the BSD license.
7 * See README for more details.
8 */
9
10#include "includes.h"
11
12#include "common/ieee802_11_defs.h"
13#include "common/ieee802_11_common.h"
14#include "common/dragonfly.h"
15#include "common/ptksa_cache.h"
16#include "utils/eloop.h"
17#include "drivers/driver.h"
18#include "crypto/crypto.h"
19#include "crypto/random.h"
20#include "eap_common/eap_defs.h"
21#include "rsn_supp/wpa.h"
22#include "rsn_supp/pmksa_cache.h"
23#include "wpa_supplicant_i.h"
24#include "driver_i.h"
25#include "bss.h"
26#include "config.h"
27
28static const int dot11RSNAConfigPMKLifetime = 43200;
29
30struct wpa_pasn_auth_work {
31 u8 bssid[ETH_ALEN];
32 int akmp;
33 int cipher;
34 u16 group;
35 int network_id;
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]36 struct wpabuf *comeback;
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]37};
38
39
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]40static void wpas_pasn_free_auth_work(struct wpa_pasn_auth_work *awork)
41{
42 wpabuf_free(awork->comeback);
43 awork->comeback = NULL;
44 os_free(awork);
45}
46
47
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]48static void wpas_pasn_auth_work_timeout(void *eloop_ctx, void *timeout_ctx)
49{
50 struct wpa_supplicant *wpa_s = eloop_ctx;
51
52 wpa_printf(MSG_DEBUG, "PASN: Auth work timeout - stopping auth");
53
54 wpas_pasn_auth_stop(wpa_s);
55}
56
57
58static void wpas_pasn_cancel_auth_work(struct wpa_supplicant *wpa_s)
59{
60 wpa_printf(MSG_DEBUG, "PASN: Cancel pasn-start-auth work");
61
62 /* Remove pending/started work */
63 radio_remove_works(wpa_s, "pasn-start-auth", 0);
64}
65
66
67static void wpas_pasn_auth_status(struct wpa_supplicant *wpa_s, const u8 *bssid,
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]68 int akmp, int cipher, u8 status,
69 struct wpabuf *comeback,
70 u16 comeback_after)
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]71{
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]72 if (comeback) {
73 size_t comeback_len = wpabuf_len(comeback);
74 size_t buflen = comeback_len * 2 + 1;
75 char *comeback_txt = os_malloc(buflen);
76
77 if (comeback_txt) {
78 wpa_snprintf_hex(comeback_txt, buflen,
79 wpabuf_head(comeback), comeback_len);
80
81 wpa_msg(wpa_s, MSG_INFO, PASN_AUTH_STATUS MACSTR
82 " akmp=%s, status=%u comeback_after=%u comeback=%s",
83 MAC2STR(bssid),
84 wpa_key_mgmt_txt(akmp, WPA_PROTO_RSN),
85 status, comeback_after, comeback_txt);
86
87 os_free(comeback_txt);
88 return;
89 }
90 }
91
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]92 wpa_msg(wpa_s, MSG_INFO,
93 PASN_AUTH_STATUS MACSTR " akmp=%s, status=%u",
94 MAC2STR(bssid), wpa_key_mgmt_txt(akmp, WPA_PROTO_RSN),
95 status);
96}
97
98
99#ifdef CONFIG_SAE
100
101static struct wpabuf * wpas_pasn_wd_sae_commit(struct wpa_supplicant *wpa_s)
102{
103 struct wpas_pasn *pasn = &wpa_s->pasn;
104 struct wpabuf *buf = NULL;
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]105 int ret;
106
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]107 ret = sae_set_group(&pasn->sae, pasn->group);
108 if (ret) {
109 wpa_printf(MSG_DEBUG, "PASN: Failed to set SAE group");
110 return NULL;
111 }
112
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]113 ret = sae_prepare_commit_pt(&pasn->sae, pasn->ssid->pt,
114 wpa_s->own_addr, pasn->bssid,
115 NULL, NULL);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]116 if (ret) {
117 wpa_printf(MSG_DEBUG, "PASN: Failed to prepare SAE commit");
118 return NULL;
119 }
120
121 /* Need to add the entire Authentication frame body */
122 buf = wpabuf_alloc(6 + SAE_COMMIT_MAX_LEN);
123 if (!buf) {
124 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
125 return NULL;
126 }
127
128 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
129 wpabuf_put_le16(buf, 1);
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]130 wpabuf_put_le16(buf, WLAN_STATUS_SAE_HASH_TO_ELEMENT);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]131
132 sae_write_commit(&pasn->sae, buf, NULL, 0);
133 pasn->sae.state = SAE_COMMITTED;
134
135 return buf;
136}
137
138
139static int wpas_pasn_wd_sae_rx(struct wpa_supplicant *wpa_s, struct wpabuf *wd)
140{
141 struct wpas_pasn *pasn = &wpa_s->pasn;
142 const u8 *data;
143 size_t buf_len;
144 u16 len, res, alg, seq, status;
145 int groups[] = { pasn->group, 0 };
146 int ret;
147
148 if (!wd)
149 return -1;
150
151 data = wpabuf_head_u8(wd);
152 buf_len = wpabuf_len(wd);
153
154 /* first handle the commit message */
155 if (buf_len < 2) {
156 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (commit)");
157 return -1;
158 }
159
160 len = WPA_GET_LE16(data);
161 if (len < 6 || buf_len - 2 < len) {
162 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for commit");
163 return -1;
164 }
165
166 buf_len -= 2;
167 data += 2;
168
169 alg = WPA_GET_LE16(data);
170 seq = WPA_GET_LE16(data + 2);
171 status = WPA_GET_LE16(data + 4);
172
173 wpa_printf(MSG_DEBUG, "PASN: SAE: commit: alg=%u, seq=%u, status=%u",
174 alg, seq, status);
175
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]176 if (alg != WLAN_AUTH_SAE || seq != 1 ||
177 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT) {
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]178 wpa_printf(MSG_DEBUG, "PASN: SAE: dropping peer commit");
179 return -1;
180 }
181
182 res = sae_parse_commit(&pasn->sae, data + 6, len - 6, NULL, 0, groups,
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]183 1);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]184 if (res != WLAN_STATUS_SUCCESS) {
185 wpa_printf(MSG_DEBUG, "PASN: SAE failed parsing commit");
186 return -1;
187 }
188
189 /* Process the commit message and derive the PMK */
190 ret = sae_process_commit(&pasn->sae);
191 if (ret) {
192 wpa_printf(MSG_DEBUG, "SAE: Failed to process peer commit");
193 return -1;
194 }
195
196 buf_len -= len;
197 data += len;
198
199 /* Handle the confirm message */
200 if (buf_len < 2) {
201 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short (confirm)");
202 return -1;
203 }
204
205 len = WPA_GET_LE16(data);
206 if (len < 6 || buf_len - 2 < len) {
207 wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short for confirm");
208 return -1;
209 }
210
211 buf_len -= 2;
212 data += 2;
213
214 alg = WPA_GET_LE16(data);
215 seq = WPA_GET_LE16(data + 2);
216 status = WPA_GET_LE16(data + 4);
217
218 wpa_printf(MSG_DEBUG, "PASN: SAE confirm: alg=%u, seq=%u, status=%u",
219 alg, seq, status);
220
221 if (alg != WLAN_AUTH_SAE || seq != 2 || status != WLAN_STATUS_SUCCESS) {
222 wpa_printf(MSG_DEBUG, "PASN: Dropping peer SAE confirm");
223 return -1;
224 }
225
226 res = sae_check_confirm(&pasn->sae, data + 6, len - 6);
227 if (res != WLAN_STATUS_SUCCESS) {
228 wpa_printf(MSG_DEBUG, "PASN: SAE failed checking confirm");
229 return -1;
230 }
231
232 wpa_printf(MSG_DEBUG, "PASN: SAE completed successfully");
233 pasn->sae.state = SAE_ACCEPTED;
234
235 return 0;
236}
237
238
239static struct wpabuf * wpas_pasn_wd_sae_confirm(struct wpa_supplicant *wpa_s)
240{
241 struct wpas_pasn *pasn = &wpa_s->pasn;
242 struct wpabuf *buf = NULL;
243
244 /* Need to add the entire authentication frame body */
245 buf = wpabuf_alloc(6 + SAE_CONFIRM_MAX_LEN);
246 if (!buf) {
247 wpa_printf(MSG_DEBUG, "PASN: Failed to allocate SAE buffer");
248 return NULL;
249 }
250
251 wpabuf_put_le16(buf, WLAN_AUTH_SAE);
252 wpabuf_put_le16(buf, 2);
253 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
254
255 sae_write_confirm(&pasn->sae, buf);
256 pasn->sae.state = SAE_CONFIRMED;
257
258 return buf;
259}
260
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]261
262static int wpas_pasn_sae_setup_pt(struct wpa_supplicant *wpa_s,
263 struct wpa_ssid *ssid, int group)
264{
265 const char *password = ssid->sae_password;
266 int groups[2] = { group, 0 };
267
268 if (!password)
269 password = ssid->passphrase;
270
271 if (!password) {
272 wpa_printf(MSG_DEBUG, "PASN: SAE without a password");
273 return -1;
274 }
275
276 if (ssid->pt)
277 return 0; /* PT already derived */
278
279 ssid->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len,
280 (const u8 *) password, os_strlen(password),
281 ssid->sae_password_id);
282
283 return ssid->pt ? 0 : -1;
284}
285
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]286#endif /* CONFIG_SAE */
287
288
289#ifdef CONFIG_FILS
290
291static struct wpabuf * wpas_pasn_fils_build_auth(struct wpa_supplicant *wpa_s)
292{
293 struct wpas_pasn *pasn = &wpa_s->pasn;
294 struct wpabuf *buf = NULL;
295 struct wpabuf *erp_msg;
296 int ret;
297
298 erp_msg = eapol_sm_build_erp_reauth_start(wpa_s->eapol);
299 if (!erp_msg) {
300 wpa_printf(MSG_DEBUG,
301 "PASN: FILS: ERP EAP-Initiate/Re-auth unavailable");
302 return NULL;
303 }
304
305 if (random_get_bytes(pasn->fils.nonce, FILS_NONCE_LEN) < 0 ||
306 random_get_bytes(pasn->fils.session, FILS_SESSION_LEN) < 0)
307 goto fail;
308
309 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Nonce", pasn->fils.nonce,
310 FILS_NONCE_LEN);
311
312 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Session", pasn->fils.session,
313 FILS_SESSION_LEN);
314
315 buf = wpabuf_alloc(1500);
316 if (!buf)
317 goto fail;
318
319 /* Add the authentication algorithm */
320 wpabuf_put_le16(buf, WLAN_AUTH_FILS_SK);
321
322 /* Authentication Transaction seq# */
323 wpabuf_put_le16(buf, 1);
324
325 /* Status Code */
326 wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
327
328 /* Own RSNE */
329 wpa_pasn_add_rsne(buf, NULL, pasn->akmp, pasn->cipher);
330
331 /* FILS Nonce */
332 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
333 wpabuf_put_u8(buf, 1 + FILS_NONCE_LEN);
334 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_NONCE);
335 wpabuf_put_data(buf, pasn->fils.nonce, FILS_NONCE_LEN);
336
337 /* FILS Session */
338 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
339 wpabuf_put_u8(buf, 1 + FILS_SESSION_LEN);
340 wpabuf_put_u8(buf, WLAN_EID_EXT_FILS_SESSION);
341 wpabuf_put_data(buf, pasn->fils.session, FILS_SESSION_LEN);
342
343 /* Wrapped Data (ERP) */
344 wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
345 wpabuf_put_u8(buf, 1 + wpabuf_len(erp_msg));
346 wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
347 wpabuf_put_buf(buf, erp_msg);
348
349 /*
350 * Calculate pending PMKID here so that we do not need to maintain a
351 * copy of the EAP-Initiate/Reauth message.
352 */
353 ret = fils_pmkid_erp(pasn->akmp, wpabuf_head(erp_msg),
354 wpabuf_len(erp_msg),
355 pasn->fils.erp_pmkid);
356 if (ret) {
357 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to get ERP PMKID");
358 goto fail;
359 }
360
361 wpabuf_free(erp_msg);
362 erp_msg = NULL;
363
364 wpa_hexdump_buf(MSG_DEBUG, "PASN: FILS: Authentication frame", buf);
365 return buf;
366fail:
367 wpabuf_free(erp_msg);
368 wpabuf_free(buf);
369 return NULL;
370}
371
372
373static void wpas_pasn_initiate_eapol(struct wpa_supplicant *wpa_s)
374{
375 struct wpas_pasn *pasn = &wpa_s->pasn;
376 struct eapol_config eapol_conf;
377 struct wpa_ssid *ssid = pasn->ssid;
378
379 wpa_printf(MSG_DEBUG, "PASN: FILS: Initiating EAPOL");
380
381 eapol_sm_notify_eap_success(wpa_s->eapol, false);
382 eapol_sm_notify_eap_fail(wpa_s->eapol, false);
383 eapol_sm_notify_portControl(wpa_s->eapol, Auto);
384
385 os_memset(&eapol_conf, 0, sizeof(eapol_conf));
386 eapol_conf.fast_reauth = wpa_s->conf->fast_reauth;
387 eapol_conf.workaround = ssid->eap_workaround;
388
389 eapol_sm_notify_config(wpa_s->eapol, &ssid->eap, &eapol_conf);
390}
391
392
393static struct wpabuf * wpas_pasn_wd_fils_auth(struct wpa_supplicant *wpa_s)
394{
395 struct wpas_pasn *pasn = &wpa_s->pasn;
396 struct wpa_bss *bss;
397 const u8 *indic;
398 u16 fils_info;
399
400 wpa_printf(MSG_DEBUG, "PASN: FILS: wrapped data - completed=%u",
401 pasn->fils.completed);
402
403 /* Nothing to add as we are done */
404 if (pasn->fils.completed)
405 return NULL;
406
407 if (!pasn->ssid) {
408 wpa_printf(MSG_DEBUG, "PASN: FILS: No network block");
409 return NULL;
410 }
411
412 bss = wpa_bss_get_bssid(wpa_s, pasn->bssid);
413 if (!bss) {
414 wpa_printf(MSG_DEBUG, "PASN: FILS: BSS not found");
415 return NULL;
416 }
417
418 indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION);
419 if (!indic || indic[1] < 2) {
420 wpa_printf(MSG_DEBUG, "PASN: Missing FILS Indication IE");
421 return NULL;
422 }
423
424 fils_info = WPA_GET_LE16(indic + 2);
425 if (!(fils_info & BIT(9))) {
426 wpa_printf(MSG_DEBUG,
427 "PASN: FILS auth without PFS not supported");
428 return NULL;
429 }
430
431 wpas_pasn_initiate_eapol(wpa_s);
432
433 return wpas_pasn_fils_build_auth(wpa_s);
434}
435
436
437static int wpas_pasn_wd_fils_rx(struct wpa_supplicant *wpa_s, struct wpabuf *wd)
438{
439 struct wpas_pasn *pasn = &wpa_s->pasn;
440 struct ieee802_11_elems elems;
441 struct wpa_ie_data rsne_data;
442 u8 rmsk[ERP_MAX_KEY_LEN];
443 size_t rmsk_len;
444 u8 anonce[FILS_NONCE_LEN];
445 const u8 *data;
446 size_t buf_len;
447 struct wpabuf *fils_wd = NULL;
448 u16 alg, seq, status;
449 int ret;
450
451 if (!wd)
452 return -1;
453
454 data = wpabuf_head(wd);
455 buf_len = wpabuf_len(wd);
456
457 wpa_hexdump(MSG_DEBUG, "PASN: FILS: Authentication frame len=%zu",
458 data, buf_len);
459
460 /* first handle the header */
461 if (buf_len < 6) {
462 wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short");
463 return -1;
464 }
465
466 alg = WPA_GET_LE16(data);
467 seq = WPA_GET_LE16(data + 2);
468 status = WPA_GET_LE16(data + 4);
469
470 wpa_printf(MSG_DEBUG, "PASN: FILS: commit: alg=%u, seq=%u, status=%u",
471 alg, seq, status);
472
473 if (alg != WLAN_AUTH_FILS_SK || seq != 2 ||
474 status != WLAN_STATUS_SUCCESS) {
475 wpa_printf(MSG_DEBUG,
476 "PASN: FILS: Dropping peer authentication");
477 return -1;
478 }
479
480 data += 6;
481 buf_len -= 6;
482
483 if (ieee802_11_parse_elems(data, buf_len, &elems, 1) == ParseFailed) {
484 wpa_printf(MSG_DEBUG, "PASN: FILS: Could not parse elements");
485 return -1;
486 }
487
488 if (!elems.rsn_ie || !elems.fils_nonce || !elems.fils_nonce ||
489 !elems.wrapped_data) {
490 wpa_printf(MSG_DEBUG, "PASN: FILS: Missing IEs");
491 return -1;
492 }
493
494 ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
495 &rsne_data);
496 if (ret) {
497 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed parsing RNSE");
498 return -1;
499 }
500
501 ret = wpa_pasn_validate_rsne(&rsne_data);
502 if (ret) {
503 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed validating RSNE");
504 return -1;
505 }
506
507 if (rsne_data.num_pmkid) {
508 wpa_printf(MSG_DEBUG,
509 "PASN: FILS: Not expecting PMKID in RSNE");
510 return -1;
511 }
512
513 wpa_hexdump(MSG_DEBUG, "PASN: FILS: ANonce", elems.fils_nonce,
514 FILS_NONCE_LEN);
515 os_memcpy(anonce, elems.fils_nonce, FILS_NONCE_LEN);
516
517 wpa_hexdump(MSG_DEBUG, "PASN: FILS: FILS Session", elems.fils_session,
518 FILS_SESSION_LEN);
519
520 if (os_memcmp(pasn->fils.session, elems.fils_session,
521 FILS_SESSION_LEN)) {
522 wpa_printf(MSG_DEBUG, "PASN: FILS: Session mismatch");
523 return -1;
524 }
525
526 fils_wd = ieee802_11_defrag(&elems, WLAN_EID_EXTENSION,
527 WLAN_EID_EXT_WRAPPED_DATA);
528
529 if (!fils_wd) {
530 wpa_printf(MSG_DEBUG,
531 "PASN: FILS: Failed getting wrapped data");
532 return -1;
533 }
534
535 eapol_sm_process_erp_finish(wpa_s->eapol, wpabuf_head(fils_wd),
536 wpabuf_len(fils_wd));
537
538 wpabuf_free(fils_wd);
539 fils_wd = NULL;
540
541 if (eapol_sm_failed(wpa_s->eapol)) {
542 wpa_printf(MSG_DEBUG, "PASN: FILS: ERP finish failed");
543 return -1;
544 }
545
546 rmsk_len = ERP_MAX_KEY_LEN;
547 ret = eapol_sm_get_key(wpa_s->eapol, rmsk, rmsk_len);
548
549 if (ret == PMK_LEN) {
550 rmsk_len = PMK_LEN;
551 ret = eapol_sm_get_key(wpa_s->eapol, rmsk, rmsk_len);
552 }
553
554 if (ret) {
555 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed getting RMSK");
556 return -1;
557 }
558
559 ret = fils_rmsk_to_pmk(pasn->akmp, rmsk, rmsk_len,
560 pasn->fils.nonce, anonce, NULL, 0,
561 pasn->pmk, &pasn->pmk_len);
562
563 forced_memzero(rmsk, sizeof(rmsk));
564
565 if (ret) {
566 wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PMK");
567 return -1;
568 }
569
570 wpa_hexdump(MSG_DEBUG, "PASN: FILS: PMKID", pasn->fils.erp_pmkid,
571 PMKID_LEN);
572
573 wpa_printf(MSG_DEBUG, "PASN: FILS: ERP processing succeeded");
574
575 wpa_pasn_pmksa_cache_add(wpa_s->wpa, pasn->pmk,
576 pasn->pmk_len, pasn->fils.erp_pmkid,
577 pasn->bssid, pasn->akmp);
578
579 pasn->fils.completed = true;
580 return 0;
581}
582
583#endif /* CONFIG_FILS */
584
585
586static struct wpabuf * wpas_pasn_get_wrapped_data(struct wpa_supplicant *wpa_s)
587{
588 struct wpas_pasn *pasn = &wpa_s->pasn;
589
590 if (pasn->using_pmksa)
591 return NULL;
592
593 switch (pasn->akmp) {
594 case WPA_KEY_MGMT_PASN:
595 /* no wrapped data */
596 return NULL;
597 case WPA_KEY_MGMT_SAE:
598#ifdef CONFIG_SAE
599 if (pasn->trans_seq == 0)
600 return wpas_pasn_wd_sae_commit(wpa_s);
601 if (pasn->trans_seq == 2)
602 return wpas_pasn_wd_sae_confirm(wpa_s);
603#endif /* CONFIG_SAE */
604 wpa_printf(MSG_ERROR,
605 "PASN: SAE: Cannot derive wrapped data");
606 return NULL;
607 case WPA_KEY_MGMT_FILS_SHA256:
608 case WPA_KEY_MGMT_FILS_SHA384:
609#ifdef CONFIG_FILS
610 return wpas_pasn_wd_fils_auth(wpa_s);
611#endif /* CONFIG_FILS */
612 case WPA_KEY_MGMT_FT_PSK:
613 case WPA_KEY_MGMT_FT_IEEE8021X:
614 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
615 /*
616 * Wrapped data with these AKMs is optional and is only needed
617 * for further validation of FT security parameters. For now do
618 * not use them.
619 */
620 return NULL;
621 default:
622 wpa_printf(MSG_ERROR,
623 "PASN: TODO: Wrapped data for akmp=0x%x",
624 pasn->akmp);
625 return NULL;
626 }
627}
628
629
630static u8 wpas_pasn_get_wrapped_data_format(struct wpas_pasn *pasn)
631{
632 if (pasn->using_pmksa)
633 return WPA_PASN_WRAPPED_DATA_NO;
634
635 /* Note: Valid AKMP is expected to already be validated */
636 switch (pasn->akmp) {
637 case WPA_KEY_MGMT_SAE:
638 return WPA_PASN_WRAPPED_DATA_SAE;
639 case WPA_KEY_MGMT_FILS_SHA256:
640 case WPA_KEY_MGMT_FILS_SHA384:
641 return WPA_PASN_WRAPPED_DATA_FILS_SK;
642 case WPA_KEY_MGMT_FT_PSK:
643 case WPA_KEY_MGMT_FT_IEEE8021X:
644 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
645 /*
646 * Wrapped data with these AKMs is optional and is only needed
647 * for further validation of FT security parameters. For now do
648 * not use them.
649 */
650 return WPA_PASN_WRAPPED_DATA_NO;
651 case WPA_KEY_MGMT_PASN:
652 default:
653 return WPA_PASN_WRAPPED_DATA_NO;
654 }
655}
656
657
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]658static struct wpabuf * wpas_pasn_build_auth_1(struct wpa_supplicant *wpa_s,
659 const struct wpabuf *comeback)
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]660{
661 struct wpas_pasn *pasn = &wpa_s->pasn;
662 struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
663 const u8 *pmkid;
664 u8 wrapped_data;
665 int ret;
666 u16 capab;
667
668 wpa_printf(MSG_DEBUG, "PASN: Building frame 1");
669
670 if (pasn->trans_seq)
671 return NULL;
672
673 buf = wpabuf_alloc(1500);
674 if (!buf)
675 goto fail;
676
677 /* Get public key */
678 pubkey = crypto_ecdh_get_pubkey(pasn->ecdh, 0);
679 pubkey = wpabuf_zeropad(pubkey, crypto_ecdh_prime_len(pasn->ecdh));
680 if (!pubkey) {
681 wpa_printf(MSG_DEBUG, "PASN: Failed to get pubkey");
682 goto fail;
683 }
684
685 wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
686
687 wpa_pasn_build_auth_header(buf, pasn->bssid,
688 wpa_s->own_addr, pasn->bssid,
689 pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
690
691 pmkid = NULL;
692 if (wpa_key_mgmt_ft(pasn->akmp)) {
693 ret = wpa_pasn_ft_derive_pmk_r1(wpa_s->wpa, pasn->akmp,
694 pasn->bssid,
695 pasn->pmk_r1,
696 &pasn->pmk_r1_len,
697 pasn->pmk_r1_name);
698 if (ret) {
699 wpa_printf(MSG_DEBUG,
700 "PASN: FT: Failed to derive keys");
701 goto fail;
702 }
703
704 pmkid = pasn->pmk_r1_name;
705 } else if (wrapped_data != WPA_PASN_WRAPPED_DATA_NO) {
706 struct rsn_pmksa_cache_entry *pmksa;
707
708 pmksa = wpa_sm_pmksa_cache_get(wpa_s->wpa, pasn->bssid,
709 NULL, NULL, pasn->akmp);
710 if (pmksa)
711 pmkid = pmksa->pmkid;
712
713 /*
714 * Note: Even when PMKSA is available, also add wrapped data as
715 * it is possible that the PMKID is no longer valid at the AP.
716 */
717 wrapped_data_buf = wpas_pasn_get_wrapped_data(wpa_s);
718 }
719
720 if (wpa_pasn_add_rsne(buf, pmkid, pasn->akmp, pasn->cipher) < 0)
721 goto fail;
722
723 if (!wrapped_data_buf)
724 wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
725
726 wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]727 pubkey, true, comeback, -1);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]728
729 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
730 goto fail;
731
732 /* Add own RNSXE */
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]733 capab = 0;
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]734 capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]735 if (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF)
736 capab |= BIT(WLAN_RSNX_CAPAB_SECURE_LTF);
737 if (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_RTT)
738 capab |= BIT(WLAN_RSNX_CAPAB_SECURE_RTT);
739 if (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_PROT_RANGE_NEG)
740 capab |= BIT(WLAN_RSNX_CAPAB_PROT_RANGE_NEG);
741 wpa_pasn_add_rsnxe(buf, capab);
742
743 ret = pasn_auth_frame_hash(pasn->akmp, pasn->cipher,
744 wpabuf_head_u8(buf) + IEEE80211_HDRLEN,
745 wpabuf_len(buf) - IEEE80211_HDRLEN,
746 pasn->hash);
747 if (ret) {
748 wpa_printf(MSG_DEBUG, "PASN: Failed to compute hash");
749 goto fail;
750 }
751
752 pasn->trans_seq++;
753
754 wpabuf_free(wrapped_data_buf);
755 wpabuf_free(pubkey);
756
757 wpa_printf(MSG_DEBUG, "PASN: Frame 1: Success");
758 return buf;
759fail:
760 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
761 wpabuf_free(wrapped_data_buf);
762 wpabuf_free(pubkey);
763 wpabuf_free(buf);
764 return NULL;
765}
766
767
768static struct wpabuf * wpas_pasn_build_auth_3(struct wpa_supplicant *wpa_s)
769{
770 struct wpas_pasn *pasn = &wpa_s->pasn;
771 struct wpabuf *buf, *wrapped_data_buf = NULL;
772 u8 mic[WPA_PASN_MAX_MIC_LEN];
773 u8 mic_len, data_len;
774 const u8 *data;
775 u8 *ptr;
776 u8 wrapped_data;
777 int ret;
778
779 wpa_printf(MSG_DEBUG, "PASN: Building frame 3");
780
781 if (pasn->trans_seq != 2)
782 return NULL;
783
784 buf = wpabuf_alloc(1500);
785 if (!buf)
786 goto fail;
787
788 wrapped_data = wpas_pasn_get_wrapped_data_format(pasn);
789
790 wpa_pasn_build_auth_header(buf, pasn->bssid,
791 wpa_s->own_addr, pasn->bssid,
792 pasn->trans_seq + 1, WLAN_STATUS_SUCCESS);
793
794 wrapped_data_buf = wpas_pasn_get_wrapped_data(wpa_s);
795
796 if (!wrapped_data_buf)
797 wrapped_data = WPA_PASN_WRAPPED_DATA_NO;
798
799 wpa_pasn_add_parameter_ie(buf, pasn->group, wrapped_data,
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]800 NULL, false, NULL, -1);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]801
802 if (wpa_pasn_add_wrapped_data(buf, wrapped_data_buf) < 0)
803 goto fail;
804 wpabuf_free(wrapped_data_buf);
805 wrapped_data_buf = NULL;
806
807 /* Add the MIC */
808 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
809 wpabuf_put_u8(buf, WLAN_EID_MIC);
810 wpabuf_put_u8(buf, mic_len);
811 ptr = wpabuf_put(buf, mic_len);
812
813 os_memset(ptr, 0, mic_len);
814
815 data = wpabuf_head_u8(buf) + IEEE80211_HDRLEN;
816 data_len = wpabuf_len(buf) - IEEE80211_HDRLEN;
817
818 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
819 wpa_s->own_addr, pasn->bssid,
820 pasn->hash, mic_len * 2, data, data_len, mic);
821 if (ret) {
822 wpa_printf(MSG_DEBUG, "PASN: frame 3: Failed MIC calculation");
823 goto fail;
824 }
825
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]826#ifdef CONFIG_TESTING_OPTIONS
827 if (wpa_s->conf->pasn_corrupt_mic) {
828 wpa_printf(MSG_DEBUG, "PASN: frame 3: Corrupt MIC");
829 mic[0] = ~mic[0];
830 }
831#endif /* CONFIG_TESTING_OPTIONS */
832
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]833 os_memcpy(ptr, mic, mic_len);
834
835 pasn->trans_seq++;
836
837 wpa_printf(MSG_DEBUG, "PASN: frame 3: Success");
838 return buf;
839fail:
840 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
841 wpabuf_free(wrapped_data_buf);
842 wpabuf_free(buf);
843 return NULL;
844}
845
846
847static void wpas_pasn_reset(struct wpa_supplicant *wpa_s)
848{
849 struct wpas_pasn *pasn = &wpa_s->pasn;
850
851 wpa_printf(MSG_DEBUG, "PASN: Reset");
852
853 crypto_ecdh_deinit(pasn->ecdh);
854 pasn->ecdh = NULL;
855
856 wpas_pasn_cancel_auth_work(wpa_s);
857 wpa_s->pasn_auth_work = NULL;
858
859 eloop_cancel_timeout(wpas_pasn_auth_work_timeout, wpa_s, NULL);
860
861 pasn->akmp = 0;
862 pasn->cipher = 0;
863 pasn->group = 0;
864 pasn->trans_seq = 0;
865 pasn->pmk_len = 0;
866 pasn->using_pmksa = false;
867
868 forced_memzero(pasn->pmk, sizeof(pasn->pmk));
869 forced_memzero(&pasn->ptk, sizeof(pasn->ptk));
870 forced_memzero(&pasn->hash, sizeof(pasn->hash));
871
872 wpabuf_free(pasn->beacon_rsne_rsnxe);
873 pasn->beacon_rsne_rsnxe = NULL;
874
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]875 wpabuf_free(pasn->comeback);
876 pasn->comeback = NULL;
877 pasn->comeback_after = 0;
878
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]879#ifdef CONFIG_SAE
880 sae_clear_data(&pasn->sae);
881#endif /* CONFIG_SAE */
882
883#ifdef CONFIG_FILS
884 os_memset(&pasn->fils, 0, sizeof(pasn->fils));
885#endif /* CONFIG_FILS*/
886
887#ifdef CONFIG_IEEE80211R
888 forced_memzero(pasn->pmk_r1, sizeof(pasn->pmk_r1));
889 pasn->pmk_r1_len = 0;
890 os_memset(pasn->pmk_r1_name, 0, sizeof(pasn->pmk_r1_name));
891#endif /* CONFIG_IEEE80211R */
892 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
893}
894
895
896static int wpas_pasn_set_pmk(struct wpa_supplicant *wpa_s,
897 struct wpa_ie_data *rsn_data,
898 struct wpa_pasn_params_data *pasn_data,
899 struct wpabuf *wrapped_data)
900{
901 static const u8 pasn_default_pmk[] = {'P', 'M', 'K', 'z'};
902 struct wpas_pasn *pasn = &wpa_s->pasn;
903
904 os_memset(pasn->pmk, 0, sizeof(pasn->pmk));
905 pasn->pmk_len = 0;
906
907 if (pasn->akmp == WPA_KEY_MGMT_PASN) {
908 wpa_printf(MSG_DEBUG, "PASN: Using default PMK");
909
910 pasn->pmk_len = WPA_PASN_PMK_LEN;
911 os_memcpy(pasn->pmk, pasn_default_pmk,
912 sizeof(pasn_default_pmk));
913 return 0;
914 }
915
916 if (wpa_key_mgmt_ft(pasn->akmp)) {
917#ifdef CONFIG_IEEE80211R
918 wpa_printf(MSG_DEBUG, "PASN: FT: Using PMK-R1");
919 pasn->pmk_len = pasn->pmk_r1_len;
920 os_memcpy(pasn->pmk, pasn->pmk_r1, pasn->pmk_r1_len);
921 pasn->using_pmksa = true;
922 return 0;
923#else /* CONFIG_IEEE80211R */
924 wpa_printf(MSG_DEBUG, "PASN: FT: Not supported");
925 return -1;
926#endif /* CONFIG_IEEE80211R */
927 }
928
929 if (rsn_data->num_pmkid) {
930 struct rsn_pmksa_cache_entry *pmksa;
931
932 pmksa = wpa_sm_pmksa_cache_get(wpa_s->wpa, pasn->bssid,
933 rsn_data->pmkid, NULL,
934 pasn->akmp);
935 if (pmksa) {
936 wpa_printf(MSG_DEBUG, "PASN: Using PMKSA");
937
938 pasn->pmk_len = pmksa->pmk_len;
939 os_memcpy(pasn->pmk, pmksa->pmk, pmksa->pmk_len);
940 pasn->using_pmksa = true;
941
942 return 0;
943 }
944 }
945
946#ifdef CONFIG_SAE
947 if (pasn->akmp == WPA_KEY_MGMT_SAE) {
948 int ret;
949
950 ret = wpas_pasn_wd_sae_rx(wpa_s, wrapped_data);
951 if (ret) {
952 wpa_printf(MSG_DEBUG,
953 "PASN: Failed processing SAE wrapped data");
954 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
955 return -1;
956 }
957
958 wpa_printf(MSG_DEBUG, "PASN: Success deriving PMK with SAE");
959 pasn->pmk_len = PMK_LEN;
960 os_memcpy(pasn->pmk, pasn->sae.pmk, PMK_LEN);
961
962 wpa_pasn_pmksa_cache_add(wpa_s->wpa, pasn->pmk,
963 pasn->pmk_len, pasn->sae.pmkid,
964 pasn->bssid, pasn->akmp);
965 return 0;
966 }
967#endif /* CONFIG_SAE */
968
969#ifdef CONFIG_FILS
970 if (pasn->akmp == WPA_KEY_MGMT_FILS_SHA256 ||
971 pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) {
972 int ret;
973
974 ret = wpas_pasn_wd_fils_rx(wpa_s, wrapped_data);
975 if (ret) {
976 wpa_printf(MSG_DEBUG,
977 "PASN: Failed processing FILS wrapped data");
978 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
979 return -1;
980 }
981
982 return 0;
983 }
984#endif /* CONFIG_FILS */
985
986 /* TODO: Derive PMK based on wrapped data */
987 wpa_printf(MSG_DEBUG, "PASN: Missing implementation to derive PMK");
988 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
989 return -1;
990}
991
992
993static int wpas_pasn_start(struct wpa_supplicant *wpa_s, const u8 *bssid,
994 int akmp, int cipher, u16 group, int freq,
995 const u8 *beacon_rsne, u8 beacon_rsne_len,
996 const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]997 int network_id, struct wpabuf *comeback)
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]998{
999 struct wpas_pasn *pasn = &wpa_s->pasn;
1000 struct wpa_ssid *ssid = NULL;
1001 struct wpabuf *frame;
1002 int ret;
Sunil Ravia04bd252022-05-02 22:54:18 -0700[diff] [blame^]1003 bool derive_kdk;
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1004
1005 /* TODO: Currently support only ECC groups */
1006 if (!dragonfly_suitable_group(group, 1)) {
1007 wpa_printf(MSG_DEBUG,
1008 "PASN: Reject unsuitable group %u", group);
1009 return -1;
1010 }
1011
1012 ssid = wpa_config_get_network(wpa_s->conf, network_id);
1013
1014 switch (akmp) {
1015 case WPA_KEY_MGMT_PASN:
1016 break;
1017#ifdef CONFIG_SAE
1018 case WPA_KEY_MGMT_SAE:
1019 if (!ssid) {
1020 wpa_printf(MSG_DEBUG,
1021 "PASN: No network profile found for SAE");
1022 return -1;
1023 }
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1024
1025 if (!ieee802_11_rsnx_capab(beacon_rsnxe,
1026 WLAN_RSNX_CAPAB_SAE_H2E)) {
1027 wpa_printf(MSG_DEBUG,
1028 "PASN: AP does not support SAE H2E");
1029 return -1;
1030 }
1031
1032 if (wpas_pasn_sae_setup_pt(wpa_s, ssid, group) < 0) {
1033 wpa_printf(MSG_DEBUG,
1034 "PASN: Failed to derive PT");
1035 return -1;
1036 }
1037
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1038 pasn->sae.state = SAE_NOTHING;
1039 pasn->sae.send_confirm = 0;
1040 pasn->ssid = ssid;
1041 break;
1042#endif /* CONFIG_SAE */
1043#ifdef CONFIG_FILS
1044 case WPA_KEY_MGMT_FILS_SHA256:
1045 case WPA_KEY_MGMT_FILS_SHA384:
1046 pasn->ssid = ssid;
1047 break;
1048#endif /* CONFIG_FILS */
1049#ifdef CONFIG_IEEE80211R
1050 case WPA_KEY_MGMT_FT_PSK:
1051 case WPA_KEY_MGMT_FT_IEEE8021X:
1052 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
1053 break;
1054#endif /* CONFIG_IEEE80211R */
1055 default:
1056 wpa_printf(MSG_ERROR, "PASN: Unsupported AKMP=0x%x", akmp);
1057 return -1;
1058 }
1059
1060 pasn->ecdh = crypto_ecdh_init(group);
1061 if (!pasn->ecdh) {
1062 wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
1063 goto fail;
1064 }
1065
1066 pasn->beacon_rsne_rsnxe = wpabuf_alloc(beacon_rsne_len +
1067 beacon_rsnxe_len);
1068 if (!pasn->beacon_rsne_rsnxe) {
1069 wpa_printf(MSG_DEBUG, "PASN: Failed storing beacon RSNE/RSNXE");
1070 goto fail;
1071 }
1072
1073 wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsne, beacon_rsne_len);
1074 if (beacon_rsnxe && beacon_rsnxe_len)
1075 wpabuf_put_data(pasn->beacon_rsne_rsnxe, beacon_rsnxe,
1076 beacon_rsnxe_len);
1077
1078 pasn->akmp = akmp;
1079 pasn->cipher = cipher;
1080 pasn->group = group;
1081 pasn->freq = freq;
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1082
Sunil Ravia04bd252022-05-02 22:54:18 -0700[diff] [blame^]1083 derive_kdk = (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF) &&
1084 ieee802_11_rsnx_capab(beacon_rsnxe,
1085 WLAN_RSNX_CAPAB_SECURE_LTF);
1086#ifdef CONFIG_TESTING_OPTIONS
1087 if (!derive_kdk)
1088 derive_kdk = wpa_s->conf->force_kdk_derivation;
1089#endif /* CONFIG_TESTING_OPTIONS */
1090 if (derive_kdk)
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1091 pasn->kdk_len = WPA_KDK_MAX_LEN;
1092 else
1093 pasn->kdk_len = 0;
1094 wpa_printf(MSG_DEBUG, "PASN: kdk_len=%zu", pasn->kdk_len);
1095
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1096 os_memcpy(pasn->bssid, bssid, ETH_ALEN);
1097
1098 wpa_printf(MSG_DEBUG,
1099 "PASN: Init: " MACSTR " akmp=0x%x, cipher=0x%x, group=%u",
1100 MAC2STR(pasn->bssid), pasn->akmp, pasn->cipher,
1101 pasn->group);
1102
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1103 frame = wpas_pasn_build_auth_1(wpa_s, comeback);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1104 if (!frame) {
1105 wpa_printf(MSG_DEBUG, "PASN: Failed building 1st auth frame");
1106 goto fail;
1107 }
1108
1109 ret = wpa_drv_send_mlme(wpa_s, wpabuf_head(frame), wpabuf_len(frame), 0,
1110 pasn->freq, 1000);
1111
1112 wpabuf_free(frame);
1113 if (ret) {
1114 wpa_printf(MSG_DEBUG, "PASN: Failed sending 1st auth frame");
1115 goto fail;
1116 }
1117
1118 eloop_register_timeout(2, 0, wpas_pasn_auth_work_timeout, wpa_s, NULL);
1119 return 0;
1120
1121fail:
1122 return -1;
1123}
1124
1125
1126static struct wpa_bss * wpas_pasn_allowed(struct wpa_supplicant *wpa_s,
1127 const u8 *bssid, int akmp, int cipher)
1128{
1129 struct wpa_bss *bss;
1130 const u8 *rsne;
1131 struct wpa_ie_data rsne_data;
1132 int ret;
1133
1134 if (os_memcmp(wpa_s->bssid, bssid, ETH_ALEN) == 0) {
1135 wpa_printf(MSG_DEBUG,
1136 "PASN: Not doing authentication with current BSS");
1137 return NULL;
1138 }
1139
1140 bss = wpa_bss_get_bssid(wpa_s, bssid);
1141 if (!bss) {
1142 wpa_printf(MSG_DEBUG, "PASN: BSS not found");
1143 return NULL;
1144 }
1145
1146 rsne = wpa_bss_get_ie(bss, WLAN_EID_RSN);
1147 if (!rsne) {
1148 wpa_printf(MSG_DEBUG, "PASN: BSS without RSNE");
1149 return NULL;
1150 }
1151
1152 ret = wpa_parse_wpa_ie(rsne, *(rsne + 1) + 2, &rsne_data);
1153 if (ret) {
1154 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RSNE data");
1155 return NULL;
1156 }
1157
1158 if (!(rsne_data.key_mgmt & akmp) ||
1159 !(rsne_data.pairwise_cipher & cipher)) {
1160 wpa_printf(MSG_DEBUG,
1161 "PASN: AP does not support requested AKMP or cipher");
1162 return NULL;
1163 }
1164
1165 return bss;
1166}
1167
1168
1169static void wpas_pasn_auth_start_cb(struct wpa_radio_work *work, int deinit)
1170{
1171 struct wpa_supplicant *wpa_s = work->wpa_s;
1172 struct wpa_pasn_auth_work *awork = work->ctx;
1173 struct wpa_bss *bss;
1174 const u8 *rsne, *rsnxe;
1175 int ret;
1176
1177 wpa_printf(MSG_DEBUG, "PASN: auth_start_cb: deinit=%d", deinit);
1178
1179 if (deinit) {
1180 if (work->started) {
1181 eloop_cancel_timeout(wpas_pasn_auth_work_timeout,
1182 wpa_s, NULL);
1183 wpa_s->pasn_auth_work = NULL;
1184 }
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1185
1186 wpas_pasn_free_auth_work(awork);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1187 return;
1188 }
1189
1190 /*
1191 * It is possible that by the time the callback is called, the PASN
1192 * authentication is not allowed, e.g., a connection with the AP was
1193 * established.
1194 */
1195 bss = wpas_pasn_allowed(wpa_s, awork->bssid, awork->akmp,
1196 awork->cipher);
1197 if (!bss) {
1198 wpa_printf(MSG_DEBUG, "PASN: auth_start_cb: Not allowed");
1199 goto fail;
1200 }
1201
1202 rsne = wpa_bss_get_ie(bss, WLAN_EID_RSN);
1203 if (!rsne) {
1204 wpa_printf(MSG_DEBUG, "PASN: BSS without RSNE");
1205 goto fail;
1206 }
1207
1208 rsnxe = wpa_bss_get_ie(bss, WLAN_EID_RSNX);
1209
1210 ret = wpas_pasn_start(wpa_s, awork->bssid, awork->akmp, awork->cipher,
1211 awork->group, bss->freq, rsne, *(rsne + 1) + 2,
1212 rsnxe, rsnxe ? *(rsnxe + 1) + 2 : 0,
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1213 awork->network_id, awork->comeback);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1214 if (ret) {
1215 wpa_printf(MSG_DEBUG,
1216 "PASN: Failed to start PASN authentication");
1217 goto fail;
1218 }
1219
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1220 /* comeback token is no longer needed at this stage */
1221 wpabuf_free(awork->comeback);
1222 awork->comeback = NULL;
1223
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1224 wpa_s->pasn_auth_work = work;
1225 return;
1226fail:
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1227 wpas_pasn_free_auth_work(awork);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1228 work->ctx = NULL;
1229 radio_work_done(work);
1230}
1231
1232
1233int wpas_pasn_auth_start(struct wpa_supplicant *wpa_s, const u8 *bssid,
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1234 int akmp, int cipher, u16 group, int network_id,
1235 const u8 *comeback, size_t comeback_len)
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1236{
1237 struct wpa_pasn_auth_work *awork;
1238 struct wpa_bss *bss;
1239
1240 wpa_printf(MSG_DEBUG, "PASN: Start: " MACSTR " akmp=0x%x, cipher=0x%x",
1241 MAC2STR(bssid), akmp, cipher);
1242
1243 /*
1244 * TODO: Consider modifying the offchannel logic to handle additional
1245 * Management frames other then Action frames. For now allow PASN only
1246 * with drivers that support off-channel TX.
1247 */
1248 if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_OFFCHANNEL_TX)) {
1249 wpa_printf(MSG_DEBUG,
1250 "PASN: Driver does not support offchannel TX");
1251 return -1;
1252 }
1253
1254 if (radio_work_pending(wpa_s, "pasn-start-auth")) {
1255 wpa_printf(MSG_DEBUG,
1256 "PASN: send_auth: Work is already pending");
1257 return -1;
1258 }
1259
1260 if (wpa_s->pasn_auth_work) {
1261 wpa_printf(MSG_DEBUG, "PASN: send_auth: Already in progress");
1262 return -1;
1263 }
1264
1265 bss = wpas_pasn_allowed(wpa_s, bssid, akmp, cipher);
1266 if (!bss)
1267 return -1;
1268
1269 wpas_pasn_reset(wpa_s);
1270
1271 awork = os_zalloc(sizeof(*awork));
1272 if (!awork)
1273 return -1;
1274
1275 os_memcpy(awork->bssid, bssid, ETH_ALEN);
1276 awork->akmp = akmp;
1277 awork->cipher = cipher;
1278 awork->group = group;
1279 awork->network_id = network_id;
1280
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1281 if (comeback && comeback_len) {
1282 awork->comeback = wpabuf_alloc_copy(comeback, comeback_len);
1283 if (!awork->comeback) {
1284 wpas_pasn_free_auth_work(awork);
1285 return -1;
1286 }
1287 }
1288
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1289 if (radio_add_work(wpa_s, bss->freq, "pasn-start-auth", 1,
1290 wpas_pasn_auth_start_cb, awork) < 0) {
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1291 wpas_pasn_free_auth_work(awork);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1292 return -1;
1293 }
1294
1295 wpa_printf(MSG_DEBUG, "PASN: Auth work successfully added");
1296 return 0;
1297}
1298
1299
1300void wpas_pasn_auth_stop(struct wpa_supplicant *wpa_s)
1301{
1302 struct wpas_pasn *pasn = &wpa_s->pasn;
1303
1304 if (!wpa_s->pasn.ecdh)
1305 return;
1306
1307 wpa_printf(MSG_DEBUG, "PASN: Stopping authentication");
1308
1309 wpas_pasn_auth_status(wpa_s, pasn->bssid, pasn->akmp, pasn->cipher,
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1310 pasn->status, pasn->comeback,
1311 pasn->comeback_after);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1312
1313 wpas_pasn_reset(wpa_s);
1314}
1315
1316
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1317static int wpas_pasn_immediate_retry(struct wpa_supplicant *wpa_s,
1318 struct wpas_pasn *pasn,
1319 struct wpa_pasn_params_data *params)
1320{
1321 int akmp = pasn->akmp;
1322 int cipher = pasn->cipher;
1323 u16 group = pasn->group;
1324 u8 bssid[ETH_ALEN];
1325 int network_id = pasn->ssid ? pasn->ssid->id : 0;
1326
1327 wpa_printf(MSG_DEBUG, "PASN: Immediate retry");
1328 os_memcpy(bssid, pasn->bssid, ETH_ALEN);
1329 wpas_pasn_reset(wpa_s);
1330
1331 return wpas_pasn_auth_start(wpa_s, bssid, akmp, cipher, group,
1332 network_id,
1333 params->comeback, params->comeback_len);
1334}
1335
1336
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1337int wpas_pasn_auth_rx(struct wpa_supplicant *wpa_s,
1338 const struct ieee80211_mgmt *mgmt, size_t len)
1339{
1340 struct wpas_pasn *pasn = &wpa_s->pasn;
1341 struct ieee802_11_elems elems;
1342 struct wpa_ie_data rsn_data;
1343 struct wpa_pasn_params_data pasn_params;
1344 struct wpabuf *wrapped_data = NULL, *secret = NULL, *frame = NULL;
1345 u8 mic[WPA_PASN_MAX_MIC_LEN], out_mic[WPA_PASN_MAX_MIC_LEN];
1346 u8 mic_len;
1347 u16 status;
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1348 int ret, inc_y;
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1349 u16 fc = host_to_le16((WLAN_FC_TYPE_MGMT << 2) |
1350 (WLAN_FC_STYPE_AUTH << 4));
1351
1352 if (!wpa_s->pasn_auth_work || !mgmt ||
1353 len < offsetof(struct ieee80211_mgmt, u.auth.variable))
1354 return -2;
1355
1356 /* Not an Authentication frame; do nothing */
1357 if ((mgmt->frame_control & fc) != fc)
1358 return -2;
1359
1360 /* Not our frame; do nothing */
1361 if (os_memcmp(mgmt->da, wpa_s->own_addr, ETH_ALEN) != 0 ||
1362 os_memcmp(mgmt->sa, pasn->bssid, ETH_ALEN) != 0 ||
1363 os_memcmp(mgmt->bssid, pasn->bssid, ETH_ALEN) != 0)
1364 return -2;
1365
1366 /* Not PASN; do nothing */
1367 if (mgmt->u.auth.auth_alg != host_to_le16(WLAN_AUTH_PASN))
1368 return -2;
1369
1370 if (mgmt->u.auth.auth_transaction !=
1371 host_to_le16(pasn->trans_seq + 1)) {
1372 wpa_printf(MSG_DEBUG,
1373 "PASN: RX: Invalid transaction sequence: (%u != %u)",
1374 le_to_host16(mgmt->u.auth.auth_transaction),
1375 pasn->trans_seq + 1);
1376 return -1;
1377 }
1378
1379 status = le_to_host16(mgmt->u.auth.status_code);
1380
1381 if (status != WLAN_STATUS_SUCCESS &&
1382 status != WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1383 wpa_printf(MSG_DEBUG,
1384 "PASN: Authentication rejected - status=%u", status);
1385 pasn->status = status;
1386 wpas_pasn_auth_stop(wpa_s);
1387 return -1;
1388 }
1389
1390 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
1391 len - offsetof(struct ieee80211_mgmt,
1392 u.auth.variable),
1393 &elems, 0) == ParseFailed) {
1394 wpa_printf(MSG_DEBUG,
1395 "PASN: Failed parsing Authentication frame");
1396 goto fail;
1397 }
1398
1399 /* Check that the MIC IE exists. Save it and zero out the memory */
1400 mic_len = pasn_mic_len(pasn->akmp, pasn->cipher);
1401 if (status == WLAN_STATUS_SUCCESS) {
1402 if (!elems.mic || elems.mic_len != mic_len) {
1403 wpa_printf(MSG_DEBUG,
1404 "PASN: Invalid MIC. Expecting len=%u",
1405 mic_len);
1406 goto fail;
1407 } else {
1408 os_memcpy(mic, elems.mic, mic_len);
1409 /* TODO: Clean this up.. Should not be modifying the
1410 * received message buffer. */
1411 os_memset((u8 *) elems.mic, 0, mic_len);
1412 }
1413 }
1414
1415 if (!elems.pasn_params || !elems.pasn_params_len) {
1416 wpa_printf(MSG_DEBUG,
1417 "PASN: Missing PASN Parameters IE");
1418 goto fail;
1419 }
1420
1421 ret = wpa_pasn_parse_parameter_ie(elems.pasn_params - 3,
1422 elems.pasn_params_len + 3,
1423 true, &pasn_params);
1424 if (ret) {
1425 wpa_printf(MSG_DEBUG,
1426 "PASN: Failed validation PASN of Parameters IE");
1427 goto fail;
1428 }
1429
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1430 if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1431 wpa_printf(MSG_DEBUG,
1432 "PASN: Authentication temporarily rejected");
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1433
1434 if (pasn_params.comeback && pasn_params.comeback_len) {
1435 wpa_printf(MSG_DEBUG,
1436 "PASN: Comeback token available. After=%u",
1437 pasn_params.after);
1438
1439 if (!pasn_params.after)
1440 return wpas_pasn_immediate_retry(wpa_s, pasn,
1441 &pasn_params);
1442
1443 pasn->comeback = wpabuf_alloc_copy(
1444 pasn_params.comeback, pasn_params.comeback_len);
1445 if (pasn->comeback)
1446 pasn->comeback_after = pasn_params.after;
1447 }
1448
1449 pasn->status = status;
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1450 goto fail;
1451 }
1452
1453 ret = wpa_parse_wpa_ie(elems.rsn_ie - 2, elems.rsn_ie_len + 2,
1454 &rsn_data);
1455 if (ret) {
1456 wpa_printf(MSG_DEBUG, "PASN: Failed parsing RNSE");
1457 goto fail;
1458 }
1459
1460 ret = wpa_pasn_validate_rsne(&rsn_data);
1461 if (ret) {
1462 wpa_printf(MSG_DEBUG, "PASN: Failed validating RSNE");
1463 goto fail;
1464 }
1465
1466 if (pasn->akmp != rsn_data.key_mgmt ||
1467 pasn->cipher != rsn_data.pairwise_cipher) {
1468 wpa_printf(MSG_DEBUG, "PASN: Mismatch in AKMP/cipher");
1469 goto fail;
1470 }
1471
1472 if (pasn->group != pasn_params.group) {
1473 wpa_printf(MSG_DEBUG, "PASN: Mismatch in group");
1474 goto fail;
1475 }
1476
1477 if (!pasn_params.pubkey || !pasn_params.pubkey_len) {
1478 wpa_printf(MSG_DEBUG, "PASN: Invalid public key");
1479 goto fail;
1480 }
1481
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1482 if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_UNCOMPRESSED) {
1483 inc_y = 1;
1484 } else if (pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_0 ||
1485 pasn_params.pubkey[0] == WPA_PASN_PUBKEY_COMPRESSED_1) {
1486 inc_y = 0;
1487 } else {
1488 wpa_printf(MSG_DEBUG,
1489 "PASN: Invalid first octet in pubkey=0x%x",
1490 pasn_params.pubkey[0]);
1491 goto fail;
1492 }
1493
1494 secret = crypto_ecdh_set_peerkey(pasn->ecdh, inc_y,
1495 pasn_params.pubkey + 1,
1496 pasn_params.pubkey_len - 1);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1497
1498 if (!secret) {
1499 wpa_printf(MSG_DEBUG, "PASN: Failed to derive shared secret");
1500 goto fail;
1501 }
1502
1503 if (pasn_params.wrapped_data_format != WPA_PASN_WRAPPED_DATA_NO) {
1504 wrapped_data = ieee802_11_defrag(&elems,
1505 WLAN_EID_EXTENSION,
1506 WLAN_EID_EXT_WRAPPED_DATA);
1507
1508 if (!wrapped_data) {
1509 wpa_printf(MSG_DEBUG, "PASN: Missing wrapped data");
1510 goto fail;
1511 }
1512 }
1513
1514 ret = wpas_pasn_set_pmk(wpa_s, &rsn_data, &pasn_params, wrapped_data);
1515 if (ret) {
1516 wpa_printf(MSG_DEBUG, "PASN: Failed to set PMK");
1517 goto fail;
1518 }
1519
1520 ret = pasn_pmk_to_ptk(pasn->pmk, pasn->pmk_len,
1521 wpa_s->own_addr, pasn->bssid,
1522 wpabuf_head(secret), wpabuf_len(secret),
1523 &pasn->ptk, pasn->akmp, pasn->cipher,
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1524 pasn->kdk_len);
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1525 if (ret) {
1526 wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
1527 goto fail;
1528 }
1529
1530 wpabuf_free(wrapped_data);
1531 wrapped_data = NULL;
1532 wpabuf_free(secret);
1533 secret = NULL;
1534
1535 /* Verify the MIC */
1536 ret = pasn_mic(pasn->ptk.kck, pasn->akmp, pasn->cipher,
1537 pasn->bssid, wpa_s->own_addr,
1538 wpabuf_head(pasn->beacon_rsne_rsnxe),
1539 wpabuf_len(pasn->beacon_rsne_rsnxe),
1540 (u8 *) &mgmt->u.auth,
1541 len - offsetof(struct ieee80211_mgmt, u.auth),
1542 out_mic);
1543
1544 wpa_hexdump_key(MSG_DEBUG, "PASN: Frame MIC", mic, mic_len);
1545 if (ret || os_memcmp(mic, out_mic, mic_len) != 0) {
1546 wpa_printf(MSG_DEBUG, "PASN: Failed MIC verification");
1547 goto fail;
1548 }
1549
1550 pasn->trans_seq++;
1551
1552 wpa_printf(MSG_DEBUG, "PASN: Success verifying Authentication frame");
1553
1554 frame = wpas_pasn_build_auth_3(wpa_s);
1555 if (!frame) {
1556 wpa_printf(MSG_DEBUG, "PASN: Failed building 3rd auth frame");
1557 goto fail;
1558 }
1559
1560 ret = wpa_drv_send_mlme(wpa_s, wpabuf_head(frame), wpabuf_len(frame), 0,
1561 pasn->freq, 100);
1562 wpabuf_free(frame);
1563 if (ret) {
1564 wpa_printf(MSG_DEBUG, "PASN: Failed sending 3st auth frame");
1565 goto fail;
1566 }
1567
1568 wpa_printf(MSG_DEBUG, "PASN: Success sending last frame. Store PTK");
1569
1570 ptksa_cache_add(wpa_s->ptksa, pasn->bssid, pasn->cipher,
1571 dot11RSNAConfigPMKLifetime, &pasn->ptk);
1572
1573 forced_memzero(&pasn->ptk, sizeof(pasn->ptk));
1574
1575 pasn->status = WLAN_STATUS_SUCCESS;
1576 return 0;
1577fail:
1578 wpa_printf(MSG_DEBUG, "PASN: Failed RX processing - terminating");
1579 wpabuf_free(wrapped_data);
1580 wpabuf_free(secret);
1581
1582 /*
1583 * TODO: In case of an error the standard allows to silently drop
1584 * the frame and terminate the authentication exchange. However, better
1585 * reply to the AP with an error status.
1586 */
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1587 if (status == WLAN_STATUS_SUCCESS)
1588 pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE;
1589 else
1590 pasn->status = status;
1591
Hai Shalom60840252021-02-19 19:02:11 -0800[diff] [blame]1592 wpas_pasn_auth_stop(wpa_s);
1593 return -1;
1594}
1595
1596
1597int wpas_pasn_auth_tx_status(struct wpa_supplicant *wpa_s,
1598 const u8 *data, size_t data_len, u8 acked)
1599
1600{
1601 struct wpas_pasn *pasn = &wpa_s->pasn;
1602 const struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) data;
1603 u16 fc = host_to_le16((WLAN_FC_TYPE_MGMT << 2) |
1604 (WLAN_FC_STYPE_AUTH << 4));
1605
1606 wpa_printf(MSG_DEBUG, "PASN: auth_tx_status: acked=%u", acked);
1607
1608 if (!wpa_s->pasn_auth_work) {
1609 wpa_printf(MSG_DEBUG,
1610 "PASN: auth_tx_status: no work in progress");
1611 return -1;
1612 }
1613
1614 if (!mgmt ||
1615 data_len < offsetof(struct ieee80211_mgmt, u.auth.variable))
1616 return -1;
1617
1618 /* Not an authentication frame; do nothing */
1619 if ((mgmt->frame_control & fc) != fc)
1620 return -1;
1621
1622 /* Not our frame; do nothing */
1623 if (os_memcmp(mgmt->da, pasn->bssid, ETH_ALEN) ||
1624 os_memcmp(mgmt->sa, wpa_s->own_addr, ETH_ALEN) ||
1625 os_memcmp(mgmt->bssid, pasn->bssid, ETH_ALEN))
1626 return -1;
1627
1628 /* Not PASN; do nothing */
1629 if (mgmt->u.auth.auth_alg != host_to_le16(WLAN_AUTH_PASN))
1630 return -1;
1631
1632 if (mgmt->u.auth.auth_transaction != host_to_le16(pasn->trans_seq)) {
1633 wpa_printf(MSG_ERROR,
1634 "PASN: Invalid transaction sequence: (%u != %u)",
1635 pasn->trans_seq,
1636 le_to_host16(mgmt->u.auth.auth_transaction));
1637 return 0;
1638 }
1639
1640 wpa_printf(MSG_ERROR,
1641 "PASN: auth with trans_seq=%u, acked=%u", pasn->trans_seq,
1642 acked);
1643
1644 /*
1645 * Even if the frame was not acked, do not treat this is an error, and
1646 * try to complete the flow, relying on the PASN timeout callback to
1647 * clean up.
1648 */
1649 if (pasn->trans_seq == 3) {
1650 wpa_printf(MSG_DEBUG, "PASN: auth complete with: " MACSTR,
1651 MAC2STR(pasn->bssid));
1652 /*
1653 * Either frame was not ACKed or it was ACKed but the trans_seq
1654 * != 1, i.e., not expecting an RX frame, so we are done.
1655 */
1656 wpas_pasn_auth_stop(wpa_s);
1657 }
1658
1659 return 0;
1660}
Hai Shaloma20dcd72022-02-04 13:43:00 -0800[diff] [blame]1661
1662
1663int wpas_pasn_deauthenticate(struct wpa_supplicant *wpa_s, const u8 *bssid)
1664{
1665 struct wpa_bss *bss;
1666 struct wpabuf *buf;
1667 struct ieee80211_mgmt *deauth;
1668 int ret;
1669
1670 if (os_memcmp(wpa_s->bssid, bssid, ETH_ALEN) == 0) {
1671 wpa_printf(MSG_DEBUG,
1672 "PASN: Cannot deauthenticate from current BSS");
1673 return -1;
1674 }
1675
1676 wpa_printf(MSG_DEBUG, "PASN: deauth: Flushing all PTKSA entries for "
1677 MACSTR, MAC2STR(bssid));
1678 ptksa_cache_flush(wpa_s->ptksa, bssid, WPA_CIPHER_NONE);
1679
1680 bss = wpa_bss_get_bssid(wpa_s, bssid);
1681 if (!bss) {
1682 wpa_printf(MSG_DEBUG, "PASN: deauth: BSS not found");
1683 return -1;
1684 }
1685
1686 buf = wpabuf_alloc(64);
1687 if (!buf) {
1688 wpa_printf(MSG_DEBUG, "PASN: deauth: Failed wpabuf allocate");
1689 return -1;
1690 }
1691
1692 deauth = wpabuf_put(buf, offsetof(struct ieee80211_mgmt,
1693 u.deauth.variable));
1694
1695 deauth->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) |
1696 (WLAN_FC_STYPE_DEAUTH << 4));
1697
1698 os_memcpy(deauth->da, bssid, ETH_ALEN);
1699 os_memcpy(deauth->sa, wpa_s->own_addr, ETH_ALEN);
1700 os_memcpy(deauth->bssid, bssid, ETH_ALEN);
1701 deauth->u.deauth.reason_code =
1702 host_to_le16(WLAN_REASON_PREV_AUTH_NOT_VALID);
1703
1704 /*
1705 * Since we do not expect any response from the AP, implement the
1706 * Deauthentication frame transmission using direct call to the driver
1707 * without a radio work.
1708 */
1709 ret = wpa_drv_send_mlme(wpa_s, wpabuf_head(buf), wpabuf_len(buf), 1,
1710 bss->freq, 0);
1711
1712 wpabuf_free(buf);
1713 wpa_printf(MSG_DEBUG, "PASN: deauth: send_mlme ret=%d", ret);
1714
1715 return ret;
1716}