From de4b73a36abeb637645037f4852e64570eb7c33c Mon Sep 17 00:00:00 2001 From: Vinay Gannevaram Date: Sun, 18 Sep 2022 19:04:54 +0530 Subject: [PATCH] PASN: Remove wpa_s dependency for FILS wrapped data To avoid reuse without struct wpa_supplicant, add new parameters to struct wpas_pasn for FILS. Signed-off-by: Jouni Malinen --- wpa_supplicant/pasn_supplicant.c | 98 +++++++++++++++++-------------- wpa_supplicant/wpa_supplicant_i.h | 6 ++ 2 files changed, 61 insertions(+), 43 deletions(-) diff --git a/wpa_supplicant/pasn_supplicant.c b/wpa_supplicant/pasn_supplicant.c index bfdc2f3a1..fe9ba5539 100644 --- a/wpa_supplicant/pasn_supplicant.c +++ b/wpa_supplicant/pasn_supplicant.c @@ -563,14 +563,13 @@ static void wpas_pasn_delete_peers(struct wpa_supplicant *wpa_s, #ifdef CONFIG_FILS -static struct wpabuf * wpas_pasn_fils_build_auth(struct wpa_supplicant *wpa_s) +static struct wpabuf * wpas_pasn_fils_build_auth(struct wpas_pasn *pasn) { - struct wpas_pasn *pasn = &wpa_s->pasn; struct wpabuf *buf = NULL; struct wpabuf *erp_msg; int ret; - erp_msg = eapol_sm_build_erp_reauth_start(wpa_s->eapol); + erp_msg = eapol_sm_build_erp_reauth_start(pasn->eapol); if (!erp_msg) { wpa_printf(MSG_DEBUG, "PASN: FILS: ERP EAP-Initiate/Re-auth unavailable"); @@ -645,33 +644,27 @@ fail: } -static void wpas_pasn_initiate_eapol(struct wpa_supplicant *wpa_s) +static void wpas_pasn_initiate_eapol(struct wpas_pasn *pasn) { - struct wpas_pasn *pasn = &wpa_s->pasn; struct eapol_config eapol_conf; struct wpa_ssid *ssid = pasn->ssid; wpa_printf(MSG_DEBUG, "PASN: FILS: Initiating EAPOL"); - eapol_sm_notify_eap_success(wpa_s->eapol, false); - eapol_sm_notify_eap_fail(wpa_s->eapol, false); - eapol_sm_notify_portControl(wpa_s->eapol, Auto); + eapol_sm_notify_eap_success(pasn->eapol, false); + eapol_sm_notify_eap_fail(pasn->eapol, false); + eapol_sm_notify_portControl(pasn->eapol, Auto); os_memset(&eapol_conf, 0, sizeof(eapol_conf)); - eapol_conf.fast_reauth = wpa_s->conf->fast_reauth; + eapol_conf.fast_reauth = pasn->fast_reauth; eapol_conf.workaround = ssid->eap_workaround; - eapol_sm_notify_config(wpa_s->eapol, &ssid->eap, &eapol_conf); + eapol_sm_notify_config(pasn->eapol, &ssid->eap, &eapol_conf); } -static struct wpabuf * wpas_pasn_wd_fils_auth(struct wpa_supplicant *wpa_s) +static struct wpabuf * wpas_pasn_wd_fils_auth(struct wpas_pasn *pasn) { - struct wpas_pasn *pasn = &wpa_s->pasn; - struct wpa_bss *bss; - const u8 *indic; - u16 fils_info; - wpa_printf(MSG_DEBUG, "PASN: FILS: wrapped data - completed=%u", pasn->fils.completed); @@ -684,34 +677,20 @@ static struct wpabuf * wpas_pasn_wd_fils_auth(struct wpa_supplicant *wpa_s) return NULL; } - bss = wpa_bss_get_bssid(wpa_s, pasn->bssid); - if (!bss) { - wpa_printf(MSG_DEBUG, "PASN: FILS: BSS not found"); - return NULL; - } - - indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION); - if (!indic || indic[1] < 2) { - wpa_printf(MSG_DEBUG, "PASN: Missing FILS Indication IE"); - return NULL; - } - - fils_info = WPA_GET_LE16(indic + 2); - if (!(fils_info & BIT(9))) { + if (!pasn->fils_eapol) { wpa_printf(MSG_DEBUG, - "PASN: FILS auth without PFS not supported"); + "PASN: FILS: Missing Indication IE or PFS"); return NULL; } - wpas_pasn_initiate_eapol(wpa_s); + wpas_pasn_initiate_eapol(pasn); - return wpas_pasn_fils_build_auth(wpa_s); + return wpas_pasn_fils_build_auth(pasn); } -static int wpas_pasn_wd_fils_rx(struct wpa_supplicant *wpa_s, struct wpabuf *wd) +static int wpas_pasn_wd_fils_rx(struct wpas_pasn *pasn, struct wpabuf *wd) { - struct wpas_pasn *pasn = &wpa_s->pasn; struct ieee802_11_elems elems; struct wpa_ie_data rsne_data; u8 rmsk[ERP_MAX_KEY_LEN]; @@ -807,23 +786,23 @@ static int wpas_pasn_wd_fils_rx(struct wpa_supplicant *wpa_s, struct wpabuf *wd) return -1; } - eapol_sm_process_erp_finish(wpa_s->eapol, wpabuf_head(fils_wd), + eapol_sm_process_erp_finish(pasn->eapol, wpabuf_head(fils_wd), wpabuf_len(fils_wd)); wpabuf_free(fils_wd); fils_wd = NULL; - if (eapol_sm_failed(wpa_s->eapol)) { + if (eapol_sm_failed(pasn->eapol)) { wpa_printf(MSG_DEBUG, "PASN: FILS: ERP finish failed"); return -1; } rmsk_len = ERP_MAX_KEY_LEN; - ret = eapol_sm_get_key(wpa_s->eapol, rmsk, rmsk_len); + ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len); if (ret == PMK_LEN) { rmsk_len = PMK_LEN; - ret = eapol_sm_get_key(wpa_s->eapol, rmsk, rmsk_len); + ret = eapol_sm_get_key(pasn->eapol, rmsk, rmsk_len); } if (ret) { @@ -884,7 +863,7 @@ static struct wpabuf * wpas_pasn_get_wrapped_data(struct wpa_supplicant *wpa_s) case WPA_KEY_MGMT_FILS_SHA256: case WPA_KEY_MGMT_FILS_SHA384: #ifdef CONFIG_FILS - return wpas_pasn_wd_fils_auth(wpa_s); + return wpas_pasn_wd_fils_auth(pasn); #endif /* CONFIG_FILS */ case WPA_KEY_MGMT_FT_PSK: case WPA_KEY_MGMT_FT_IEEE8021X: @@ -1105,7 +1084,7 @@ static struct wpabuf * wpas_pasn_build_auth_3(struct wpa_supplicant *wpa_s) } #ifdef CONFIG_TESTING_OPTIONS - if (wpa_s->conf->pasn_corrupt_mic) { + if (pasn->corrupt_mic) { wpa_printf(MSG_DEBUG, "PASN: frame 3: Corrupt MIC"); mic[0] = ~mic[0]; } @@ -1156,6 +1135,7 @@ static void wpa_pasn_reset(struct wpas_pasn *pasn) #endif /* CONFIG_SAE */ #ifdef CONFIG_FILS + pasn->fils_eapol = false; os_memset(&pasn->fils, 0, sizeof(pasn->fils)); #endif /* CONFIG_FILS*/ @@ -1166,6 +1146,9 @@ static void wpa_pasn_reset(struct wpas_pasn *pasn) #endif /* CONFIG_IEEE80211R */ pasn->status = WLAN_STATUS_UNSPECIFIED_FAILURE; pasn->pmksa_entry = NULL; +#ifdef CONFIG_TESTING_OPTIONS + pasn->corrupt_mic = 0; +#endif /* CONFIG_TESTING_OPTIONS */ } @@ -1262,7 +1245,7 @@ static int wpas_pasn_set_pmk(struct wpa_supplicant *wpa_s, pasn->akmp == WPA_KEY_MGMT_FILS_SHA384) { int ret; - ret = wpas_pasn_wd_fils_rx(wpa_s, wrapped_data); + ret = wpas_pasn_wd_fils_rx(pasn, wrapped_data); if (ret) { wpa_printf(MSG_DEBUG, "PASN: Failed processing FILS wrapped data"); @@ -1468,8 +1451,11 @@ static void wpas_pasn_auth_start_cb(struct wpa_radio_work *work, int deinit) { struct wpa_supplicant *wpa_s = work->wpa_s; struct wpa_pasn_auth_work *awork = work->ctx; + struct wpas_pasn *pasn = &wpa_s->pasn; struct wpa_bss *bss; const u8 *rsne, *rsnxe; + const u8 *indic; + u16 fils_info; int ret; wpa_printf(MSG_DEBUG, "PASN: auth_start_cb: deinit=%d", deinit); @@ -1505,7 +1491,33 @@ static void wpas_pasn_auth_start_cb(struct wpa_radio_work *work, int deinit) rsnxe = wpa_bss_get_ie(bss, WLAN_EID_RSNX); - wpa_s->pasn.pmksa = wpa_sm_get_pmksa_cache(wpa_s->wpa); +#ifdef CONFIG_TESTING_OPTIONS + pasn->corrupt_mic = wpa_s->conf->pasn_corrupt_mic; +#endif /* CONFIG_TESTING_OPTIONS */ + +#ifdef CONFIG_FILS + /* Prepare needed information for wpas_pasn_wd_fils_auth(). */ + if (awork->akmp == WPA_KEY_MGMT_FILS_SHA256 || + awork->akmp == WPA_KEY_MGMT_FILS_SHA384) { + indic = wpa_bss_get_ie(bss, WLAN_EID_FILS_INDICATION); + if (!indic || indic[1] < 2) { + wpa_printf(MSG_DEBUG, + "PASN: Missing FILS Indication IE"); + } else { + fils_info = WPA_GET_LE16(indic + 2); + if ((fils_info & BIT(9))) { + pasn->eapol = wpa_s->eapol; + pasn->fils_eapol = true; + } else { + wpa_printf(MSG_DEBUG, + "PASN: FILS auth without PFS not supported"); + } + } + pasn->fast_reauth = wpa_s->conf->fast_reauth; + } +#endif /* CONFIG_FILS */ + + pasn->pmksa = wpa_sm_get_pmksa_cache(wpa_s->wpa); ret = wpas_pasn_start(wpa_s, awork->own_addr, awork->bssid, awork->akmp, awork->cipher, awork->group, bss->freq, diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h index 0fb2ebedd..ad3539ab7 100644 --- a/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h @@ -582,6 +582,7 @@ struct wpas_pasn { struct wpa_ssid *ssid; #ifdef CONFIG_FILS + bool fils_eapol; struct pasn_fils fils; #endif /* CONFIG_FILS */ @@ -592,6 +593,11 @@ struct wpas_pasn { #endif /* CONFIG_IEEE80211R */ struct rsn_pmksa_cache *pmksa; struct rsn_pmksa_cache_entry *pmksa_entry; + struct eapol_sm *eapol; + int fast_reauth; +#ifdef CONFIG_TESTING_OPTIONS + int corrupt_mic; +#endif /* CONFIG_TESTING_OPTIONS */ }; #endif /* CONFIG_PASN */