DPP: Report possible PKEX code mismatch in control interface

Indicate to upper layers if PKEX Commit-Reveal Request frame AES-SIV
decryption fails. That is a likely sign of the PKEX code mismatch
between the devices.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2017-11-02 12:21:00 +02:00 committed by Jouni Malinen
parent d84c0cf46c
commit 219d4c9fcb
4 changed files with 25 additions and 10 deletions

View file

@ -1047,7 +1047,8 @@ hostapd_dpp_rx_pkex_exchange_req(struct hostapd_data *hapd, const u8 *src,
return; return;
} }
hapd->dpp_pkex = dpp_pkex_rx_exchange_req(hapd->dpp_pkex_bi, hapd->dpp_pkex = dpp_pkex_rx_exchange_req(hapd->msg_ctx,
hapd->dpp_pkex_bi,
hapd->own_addr, src, hapd->own_addr, src,
hapd->dpp_pkex_identifier, hapd->dpp_pkex_identifier,
hapd->dpp_pkex_code, hapd->dpp_pkex_code,
@ -1452,7 +1453,8 @@ int hostapd_dpp_pkex_add(struct hostapd_data *hapd, const char *cmd)
wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX"); wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX");
dpp_pkex_free(hapd->dpp_pkex); dpp_pkex_free(hapd->dpp_pkex);
hapd->dpp_pkex = dpp_pkex_init(own_bi, hapd->own_addr, hapd->dpp_pkex = dpp_pkex_init(hapd->msg_ctx, own_bi,
hapd->own_addr,
hapd->dpp_pkex_identifier, hapd->dpp_pkex_identifier,
hapd->dpp_pkex_code); hapd->dpp_pkex_code);
if (!hapd->dpp_pkex) if (!hapd->dpp_pkex)

View file

@ -5577,7 +5577,13 @@ fail:
} }
struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi, static void dpp_pkex_fail(struct dpp_pkex *pkex, const char *txt)
{
wpa_msg(pkex->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt);
}
struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi,
const u8 *own_mac, const u8 *own_mac,
const char *identifier, const char *identifier,
const char *code) const char *code)
@ -5587,6 +5593,7 @@ struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi,
pkex = os_zalloc(sizeof(*pkex)); pkex = os_zalloc(sizeof(*pkex));
if (!pkex) if (!pkex)
return NULL; return NULL;
pkex->msg_ctx = msg_ctx;
pkex->initiator = 1; pkex->initiator = 1;
pkex->own_bi = bi; pkex->own_bi = bi;
os_memcpy(pkex->own_mac, own_mac, ETH_ALEN); os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
@ -5608,7 +5615,8 @@ fail:
} }
struct dpp_pkex * dpp_pkex_rx_exchange_req(struct dpp_bootstrap_info *bi, struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx,
struct dpp_bootstrap_info *bi,
const u8 *own_mac, const u8 *own_mac,
const u8 *peer_mac, const u8 *peer_mac,
const char *identifier, const char *identifier,
@ -5698,6 +5706,7 @@ struct dpp_pkex * dpp_pkex_rx_exchange_req(struct dpp_bootstrap_info *bi,
pkex = os_zalloc(sizeof(*pkex)); pkex = os_zalloc(sizeof(*pkex));
if (!pkex) if (!pkex)
goto fail; goto fail;
pkex->msg_ctx = msg_ctx;
pkex->own_bi = bi; pkex->own_bi = bi;
os_memcpy(pkex->own_mac, own_mac, ETH_ALEN); os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN); os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN);
@ -6186,7 +6195,8 @@ struct wpabuf * dpp_pkex_rx_commit_reveal_req(struct dpp_pkex *pkex,
if (aes_siv_decrypt(pkex->z, curve->hash_len, if (aes_siv_decrypt(pkex->z, curve->hash_len,
wrapped_data, wrapped_data_len, wrapped_data, wrapped_data_len,
2, addr, len, unwrapped) < 0) { 2, addr, len, unwrapped) < 0) {
wpa_printf(MSG_DEBUG, "DPP: AES-SIV decryption failed"); dpp_pkex_fail(pkex,
"AES-SIV decryption failed - possible PKEX code mismatch");
goto fail; goto fail;
} }
wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
@ -6402,7 +6412,8 @@ int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr,
if (aes_siv_decrypt(pkex->z, curve->hash_len, if (aes_siv_decrypt(pkex->z, curve->hash_len,
wrapped_data, wrapped_data_len, wrapped_data, wrapped_data_len,
2, addr, len, unwrapped) < 0) { 2, addr, len, unwrapped) < 0) {
wpa_printf(MSG_DEBUG, "DPP: AES-SIV decryption failed"); dpp_pkex_fail(pkex,
"AES-SIV decryption failed - possible PKEX code mismatch");
goto fail; goto fail;
} }
wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext", wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",

View file

@ -110,6 +110,7 @@ struct dpp_bootstrap_info {
}; };
struct dpp_pkex { struct dpp_pkex {
void *msg_ctx;
unsigned int initiator:1; unsigned int initiator:1;
unsigned int exchange_done:1; unsigned int exchange_done:1;
struct dpp_bootstrap_info *own_bi; struct dpp_bootstrap_info *own_bi;
@ -304,11 +305,12 @@ dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
const u8 *csign_key, size_t csign_key_len, const u8 *csign_key, size_t csign_key_len,
const u8 *peer_connector, size_t peer_connector_len, const u8 *peer_connector, size_t peer_connector_len,
os_time_t *expiry); os_time_t *expiry);
struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi, struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi,
const u8 *own_mac, const u8 *own_mac,
const char *identifier, const char *identifier,
const char *code); const char *code);
struct dpp_pkex * dpp_pkex_rx_exchange_req(struct dpp_bootstrap_info *bi, struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx,
struct dpp_bootstrap_info *bi,
const u8 *own_mac, const u8 *own_mac,
const u8 *peer_mac, const u8 *peer_mac,
const char *identifier, const char *identifier,

View file

@ -1456,7 +1456,7 @@ wpas_dpp_rx_pkex_exchange_req(struct wpa_supplicant *wpa_s, const u8 *src,
return; return;
} }
wpa_s->dpp_pkex = dpp_pkex_rx_exchange_req(wpa_s->dpp_pkex_bi, wpa_s->dpp_pkex = dpp_pkex_rx_exchange_req(wpa_s, wpa_s->dpp_pkex_bi,
wpa_s->own_addr, src, wpa_s->own_addr, src,
wpa_s->dpp_pkex_identifier, wpa_s->dpp_pkex_identifier,
wpa_s->dpp_pkex_code, wpa_s->dpp_pkex_code,
@ -2020,7 +2020,7 @@ int wpas_dpp_pkex_add(struct wpa_supplicant *wpa_s, const char *cmd)
wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX"); wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX");
dpp_pkex_free(wpa_s->dpp_pkex); dpp_pkex_free(wpa_s->dpp_pkex);
wpa_s->dpp_pkex = dpp_pkex_init(own_bi, wpa_s->own_addr, wpa_s->dpp_pkex = dpp_pkex_init(wpa_s, own_bi, wpa_s->own_addr,
wpa_s->dpp_pkex_identifier, wpa_s->dpp_pkex_identifier,
wpa_s->dpp_pkex_code); wpa_s->dpp_pkex_code);
if (!wpa_s->dpp_pkex) if (!wpa_s->dpp_pkex)