DPP: Report possible PKEX code mismatch in control interface
Indicate to upper layers if PKEX Commit-Reveal Request frame AES-SIV decryption fails. That is a likely sign of the PKEX code mismatch between the devices. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
parent
d84c0cf46c
commit
219d4c9fcb
4 changed files with 25 additions and 10 deletions
@ -1047,7 +1047,8 @@ hostapd_dpp_rx_pkex_exchange_req(struct hostapd_data *hapd, const u8 *src,
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
hapd->dpp_pkex = dpp_pkex_rx_exchange_req(hapd->dpp_pkex_bi,
|
hapd->dpp_pkex = dpp_pkex_rx_exchange_req(hapd->msg_ctx,
|
||||||
|
hapd->dpp_pkex_bi,
|
||||||
hapd->own_addr, src,
|
hapd->own_addr, src,
|
||||||
hapd->dpp_pkex_identifier,
|
hapd->dpp_pkex_identifier,
|
||||||
hapd->dpp_pkex_code,
|
hapd->dpp_pkex_code,
|
||||||
|
@ -1452,7 +1453,8 @@ int hostapd_dpp_pkex_add(struct hostapd_data *hapd, const char *cmd)
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX");
|
wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX");
|
||||||
dpp_pkex_free(hapd->dpp_pkex);
|
dpp_pkex_free(hapd->dpp_pkex);
|
||||||
hapd->dpp_pkex = dpp_pkex_init(own_bi, hapd->own_addr,
|
hapd->dpp_pkex = dpp_pkex_init(hapd->msg_ctx, own_bi,
|
||||||
|
hapd->own_addr,
|
||||||
hapd->dpp_pkex_identifier,
|
hapd->dpp_pkex_identifier,
|
||||||
hapd->dpp_pkex_code);
|
hapd->dpp_pkex_code);
|
||||||
if (!hapd->dpp_pkex)
|
if (!hapd->dpp_pkex)
|
||||||
|
|
|
@ -5577,7 +5577,13 @@ fail:
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi,
|
static void dpp_pkex_fail(struct dpp_pkex *pkex, const char *txt)
|
||||||
|
{
|
||||||
|
wpa_msg(pkex->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi,
|
||||||
const u8 *own_mac,
|
const u8 *own_mac,
|
||||||
const char *identifier,
|
const char *identifier,
|
||||||
const char *code)
|
const char *code)
|
||||||
|
@ -5587,6 +5593,7 @@ struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi,
|
||||||
pkex = os_zalloc(sizeof(*pkex));
|
pkex = os_zalloc(sizeof(*pkex));
|
||||||
if (!pkex)
|
if (!pkex)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
pkex->msg_ctx = msg_ctx;
|
||||||
pkex->initiator = 1;
|
pkex->initiator = 1;
|
||||||
pkex->own_bi = bi;
|
pkex->own_bi = bi;
|
||||||
os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
|
os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
|
||||||
|
@ -5608,7 +5615,8 @@ fail:
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
struct dpp_pkex * dpp_pkex_rx_exchange_req(struct dpp_bootstrap_info *bi,
|
struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx,
|
||||||
|
struct dpp_bootstrap_info *bi,
|
||||||
const u8 *own_mac,
|
const u8 *own_mac,
|
||||||
const u8 *peer_mac,
|
const u8 *peer_mac,
|
||||||
const char *identifier,
|
const char *identifier,
|
||||||
|
@ -5698,6 +5706,7 @@ struct dpp_pkex * dpp_pkex_rx_exchange_req(struct dpp_bootstrap_info *bi,
|
||||||
pkex = os_zalloc(sizeof(*pkex));
|
pkex = os_zalloc(sizeof(*pkex));
|
||||||
if (!pkex)
|
if (!pkex)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
pkex->msg_ctx = msg_ctx;
|
||||||
pkex->own_bi = bi;
|
pkex->own_bi = bi;
|
||||||
os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
|
os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
|
||||||
os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN);
|
os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN);
|
||||||
|
@ -6186,7 +6195,8 @@ struct wpabuf * dpp_pkex_rx_commit_reveal_req(struct dpp_pkex *pkex,
|
||||||
if (aes_siv_decrypt(pkex->z, curve->hash_len,
|
if (aes_siv_decrypt(pkex->z, curve->hash_len,
|
||||||
wrapped_data, wrapped_data_len,
|
wrapped_data, wrapped_data_len,
|
||||||
2, addr, len, unwrapped) < 0) {
|
2, addr, len, unwrapped) < 0) {
|
||||||
wpa_printf(MSG_DEBUG, "DPP: AES-SIV decryption failed");
|
dpp_pkex_fail(pkex,
|
||||||
|
"AES-SIV decryption failed - possible PKEX code mismatch");
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
|
wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
|
||||||
|
@ -6402,7 +6412,8 @@ int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr,
|
||||||
if (aes_siv_decrypt(pkex->z, curve->hash_len,
|
if (aes_siv_decrypt(pkex->z, curve->hash_len,
|
||||||
wrapped_data, wrapped_data_len,
|
wrapped_data, wrapped_data_len,
|
||||||
2, addr, len, unwrapped) < 0) {
|
2, addr, len, unwrapped) < 0) {
|
||||||
wpa_printf(MSG_DEBUG, "DPP: AES-SIV decryption failed");
|
dpp_pkex_fail(pkex,
|
||||||
|
"AES-SIV decryption failed - possible PKEX code mismatch");
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
|
wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
|
||||||
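Review bot: The new static helper dpp_pkex_fail() in the first hunk of this section has no header comment, and since it is now the only path that turns a PKEX failure into a control-interface event it deserves one, e.g. `/* Report a PKEX failure to upper layers as a DPP_EVENT_FAIL control interface event. txt is a fixed reason string and is passed through "%s", so it is never interpreted as a format string. */`. The helper dereferences pkex->msg_ctx unconditionally; the two constructors in this section set it right after os_zalloc(), but if any other allocation path for struct dpp_pkex exists outside these hunks it would reach wpa_msg() with a NULL ctx — worth confirming. Both decryption-failure sites (dpp_pkex_rx_commit_reveal_req and dpp_pkex_rx_commit_reveal_resp) emit the identical text, so a consumer cannot tell which side of the exchange failed; naming the frame in the string, e.g. `"Commit-Reveal Request AES-SIV decryption failed - possible PKEX code mismatch"`, would fix that without changing the event format. Note that an AES-SIV failure here is also what a malformed or forged Commit-Reveal frame from any peer produces, so the "possible" wording is appropriate and consumers of the event should treat it as a hint, not as proof of a local misconfiguration. The enclosing functions of the last two hunks start outside the hunks.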
|
|
|
@ -110,6 +110,7 @@ struct dpp_bootstrap_info {
|
||||||
};
|
};
|
||||||
|
|
||||||
struct dpp_pkex {
|
struct dpp_pkex {
|
||||||
|
void *msg_ctx;
|
||||||
unsigned int initiator:1;
|
unsigned int initiator:1;
|
||||||
unsigned int exchange_done:1;
|
unsigned int exchange_done:1;
|
||||||
struct dpp_bootstrap_info *own_bi;
|
struct dpp_bootstrap_info *own_bi;
|
||||||
|
@ -304,11 +305,12 @@ dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
|
||||||
const u8 *csign_key, size_t csign_key_len,
|
const u8 *csign_key, size_t csign_key_len,
|
||||||
const u8 *peer_connector, size_t peer_connector_len,
|
const u8 *peer_connector, size_t peer_connector_len,
|
||||||
os_time_t *expiry);
|
os_time_t *expiry);
|
||||||
struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi,
|
struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi,
|
||||||
const u8 *own_mac,
|
const u8 *own_mac,
|
||||||
const char *identifier,
|
const char *identifier,
|
||||||
const char *code);
|
const char *code);
|
||||||
struct dpp_pkex * dpp_pkex_rx_exchange_req(struct dpp_bootstrap_info *bi,
|
struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx,
|
||||||
|
struct dpp_bootstrap_info *bi,
|
||||||
const u8 *own_mac,
|
const u8 *own_mac,
|
||||||
const u8 *peer_mac,
|
const u8 *peer_mac,
|
||||||
const char *identifier,
|
const char *identifier,
|
||||||
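Review bot: The new `void *msg_ctx;` member added to struct dpp_pkex in the first hunk is undocumented; a trailing comment such as `void *msg_ctx; /* ctx passed to wpa_msg() for control interface events */` would tell readers what callers of dpp_pkex_init() and dpp_pkex_rx_exchange_req() are expected to supply. The updated prototypes in the second hunk likewise say nothing about the new first parameter; a short comment above them noting that msg_ctx is the wpa_msg() context (hapd->msg_ctx or wpa_s in the callers changed by this commit) would keep the header self-explanatory. struct dpp_pkex continues past the end of the first hunk.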
|
|
|
@ -1456,7 +1456,7 @@ wpas_dpp_rx_pkex_exchange_req(struct wpa_supplicant *wpa_s, const u8 *src,
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
wpa_s->dpp_pkex = dpp_pkex_rx_exchange_req(wpa_s->dpp_pkex_bi,
|
wpa_s->dpp_pkex = dpp_pkex_rx_exchange_req(wpa_s, wpa_s->dpp_pkex_bi,
|
||||||
wpa_s->own_addr, src,
|
wpa_s->own_addr, src,
|
||||||
wpa_s->dpp_pkex_identifier,
|
wpa_s->dpp_pkex_identifier,
|
||||||
wpa_s->dpp_pkex_code,
|
wpa_s->dpp_pkex_code,
|
||||||
|
@ -2020,7 +2020,7 @@ int wpas_dpp_pkex_add(struct wpa_supplicant *wpa_s, const char *cmd)
|
||||||
|
|
||||||
wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX");
|
wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX");
|
||||||
dpp_pkex_free(wpa_s->dpp_pkex);
|
dpp_pkex_free(wpa_s->dpp_pkex);
|
||||||
wpa_s->dpp_pkex = dpp_pkex_init(own_bi, wpa_s->own_addr,
|
wpa_s->dpp_pkex = dpp_pkex_init(wpa_s, own_bi, wpa_s->own_addr,
|
||||||
wpa_s->dpp_pkex_identifier,
|
wpa_s->dpp_pkex_identifier,
|
||||||
wpa_s->dpp_pkex_code);
|
wpa_s->dpp_pkex_code);
|
||||||
if (!wpa_s->dpp_pkex)
|
if (!wpa_s->dpp_pkex)
|
||||||
|
|