static struct wpabuf * wpas_pasn_build_auth_1(struct wpas_pasn *pasn,
- const struct wpabuf *comeback)
+ const struct wpabuf *comeback,
+ bool verify)
{
struct wpabuf *buf, *pubkey = NULL, *wrapped_data_buf = NULL;
const u8 *pmkid;
* Note: Even when PMKSA is available, also add wrapped data as
* it is possible that the PMKID is no longer valid at the AP.
*/
- wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
+ if (!verify)
+ wrapped_data_buf = wpas_pasn_get_wrapped_data(pasn);
}
if (wpa_pasn_add_rsne(buf, pmkid, pasn->akmp, pasn->cipher) < 0)
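Review bot: The retained comment above the new `if (!verify)` still says wrapped data is always added because the PMKID may no longer be valid at the AP, but the verify path now skips exactly that fallback. The comment should record the exception and its consequence, for example `/* Pairing verification (verify == true) sends no wrapped data, so a stale PMKID cannot be recovered within this exchange. */`. What happens after the peer rejects the PMKID is not visible here, and it is presumably left to the caller to fall back to a full PASN exchange. The enclosing block and the rest of wpas_pasn_build_auth_1() lie outside this hunk.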
}
-int wpas_pasn_start(struct wpas_pasn *pasn, const u8 *own_addr,
- const u8 *bssid, int akmp, int cipher, u16 group,
- int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
- const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
- const struct wpabuf *comeback)
+static int wpas_pasn_send_auth_1(struct wpas_pasn *pasn, const u8 *own_addr,
+ const u8 *bssid, int akmp, int cipher,
+ u16 group, int freq,
+ const u8 *beacon_rsne, u8 beacon_rsne_len,
+ const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
+ const struct wpabuf *comeback, bool verify)
{
struct wpabuf *frame;
int ret;
- /* TODO: Currently support only ECC groups */
- if (!dragonfly_suitable_group(group, 1)) {
- wpa_printf(MSG_DEBUG,
- "PASN: Reject unsuitable group %u", group);
- return -1;
- }
-
- switch (akmp) {
- case WPA_KEY_MGMT_PASN:
- break;
-#ifdef CONFIG_SAE
- case WPA_KEY_MGMT_SAE:
-
- if (beacon_rsnxe &&
- !ieee802_11_rsnx_capab(beacon_rsnxe,
- WLAN_RSNX_CAPAB_SAE_H2E)) {
- wpa_printf(MSG_DEBUG,
- "PASN: AP does not support SAE H2E");
- return -1;
- }
-
- pasn->sae.state = SAE_NOTHING;
- pasn->sae.send_confirm = 0;
- break;
-#endif /* CONFIG_SAE */
-#ifdef CONFIG_FILS
- case WPA_KEY_MGMT_FILS_SHA256:
- case WPA_KEY_MGMT_FILS_SHA384:
- break;
-#endif /* CONFIG_FILS */
-#ifdef CONFIG_IEEE80211R
- case WPA_KEY_MGMT_FT_PSK:
- case WPA_KEY_MGMT_FT_IEEE8021X:
- case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
- break;
-#endif /* CONFIG_IEEE80211R */
- default:
- wpa_printf(MSG_ERROR, "PASN: Unsupported AKMP=0x%x", akmp);
- return -1;
- }
-
pasn->ecdh = crypto_ecdh_init(group);
if (!pasn->ecdh) {
wpa_printf(MSG_DEBUG, "PASN: Failed to init ECDH");
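Review bot: With the group and AKMP checks removed from this helper, `crypto_ecdh_init(group)` is now reached with whatever group the caller supplies. `wpas_pasn_start()` repeats both checks before calling in, but `wpa_pasn_verify()`, added further down in this diff, calls `wpas_pasn_send_auth_1()` directly with `verify` set. The pairing-verification path therefore never passes through `dragonfly_suitable_group()` or the AKMP switch. If that is intended, a comment above the helper should state that callers own the validation; otherwise keep the group check in the shared path, e.g. `if (!dragonfly_suitable_group(group, 1)) return -1;` ahead of the ECDH init. The body of the function continues past this hunk.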
os_memcpy(pasn->bssid, bssid, ETH_ALEN);
wpa_printf(MSG_DEBUG,
- "PASN: Init: " MACSTR " akmp=0x%x, cipher=0x%x, group=%u",
- MAC2STR(pasn->bssid), pasn->akmp, pasn->cipher,
- pasn->group);
+ "PASN: Init%s: " MACSTR " akmp=0x%x, cipher=0x%x, group=%u",
+ verify ? " (verify)" : "",
+ MAC2STR(pasn->bssid), pasn->akmp, pasn->cipher, pasn->group);
- frame = wpas_pasn_build_auth_1(pasn, comeback);
+ frame = wpas_pasn_build_auth_1(pasn, comeback, verify);
if (!frame) {
wpa_printf(MSG_DEBUG, "PASN: Failed building 1st auth frame");
goto fail;
}
+int wpas_pasn_start(struct wpas_pasn *pasn, const u8 *own_addr,
+ const u8 *bssid, int akmp, int cipher, u16 group,
+ int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
+ const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
+ const struct wpabuf *comeback)
+{
+ /* TODO: Currently support only ECC groups */
+ if (!dragonfly_suitable_group(group, 1)) {
+ wpa_printf(MSG_DEBUG,
+ "PASN: Reject unsuitable group %u", group);
+ return -1;
+ }
+
+ switch (akmp) {
+ case WPA_KEY_MGMT_PASN:
+ break;
+#ifdef CONFIG_SAE
+ case WPA_KEY_MGMT_SAE:
+
+ if (beacon_rsnxe &&
+ !ieee802_11_rsnx_capab(beacon_rsnxe,
+ WLAN_RSNX_CAPAB_SAE_H2E)) {
+ wpa_printf(MSG_DEBUG,
+ "PASN: AP does not support SAE H2E");
+ return -1;
+ }
+
+ pasn->sae.state = SAE_NOTHING;
+ pasn->sae.send_confirm = 0;
+ break;
+#endif /* CONFIG_SAE */
+#ifdef CONFIG_FILS
+ case WPA_KEY_MGMT_FILS_SHA256:
+ case WPA_KEY_MGMT_FILS_SHA384:
+ break;
+#endif /* CONFIG_FILS */
+#ifdef CONFIG_IEEE80211R
+ case WPA_KEY_MGMT_FT_PSK:
+ case WPA_KEY_MGMT_FT_IEEE8021X:
+ case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
+ break;
+#endif /* CONFIG_IEEE80211R */
+ default:
+ wpa_printf(MSG_ERROR, "PASN: Unsupported AKMP=0x%x", akmp);
+ return -1;
+ }
+
+ return wpas_pasn_send_auth_1(pasn, own_addr, bssid, akmp, cipher, group,
+ freq, beacon_rsne, beacon_rsne_len,
+ beacon_rsnxe, beacon_rsnxe_len, comeback,
+ false);
+}
+
+/*
+ * Wi-Fi Aware uses PASN handshake to authenticate peer devices.
+ * Devices can simply verify each other for subsequent sessions using
+ * pairing verification procedure.
+ *
+ * In pairing verification, Wi-Fi aware devices use PASN authentication
+ * frames with a custom PMKID and Wi-Fi Aware R4 specific verification IEs.
+ * It does not use wrapped data in the Authentication frames. This function
+ * provides support to construct PASN Authentication frames for pairing
+ * verification.
+ */
+int wpa_pasn_verify(struct wpas_pasn *pasn, const u8 *own_addr,
+ const u8 *bssid, int akmp, int cipher, u16 group,
+ int freq, const u8 *beacon_rsne, u8 beacon_rsne_len,
+ const u8 *beacon_rsnxe, u8 beacon_rsnxe_len,
+ const struct wpabuf *comeback)
+{
+ return wpas_pasn_send_auth_1(pasn, own_addr, bssid, akmp, cipher, group,
+ freq, beacon_rsne, beacon_rsne_len,
+ beacon_rsnxe, beacon_rsnxe_len, comeback,
+ true);
+}
+
+
int wpa_pasn_auth_rx(struct wpas_pasn *pasn, const u8 *data, size_t len,
struct wpa_pasn_params_data *pasn_params)