FILS: Move Key Confirm element validation to a helper function
authorJeffin Mammen <jmammen@qti.qualcomm.com>
Fri, 21 Apr 2017 15:42:00 +0000 (18:42 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 23 Apr 2017 14:55:35 +0000 (17:55 +0300)
This can be reused from driver-based AP SME callback.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/ap/wpa_auth.c
src/ap/wpa_auth.h

index 6f67dadf17e51f65a829f1c8ebd492f771011619..c92aca06355b4fe321c30c6603d820e43b0aa674 100644 (file)
@@ -2215,13 +2215,50 @@ const u8 * wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
 }
 
 
+int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
+                                 size_t ies_len)
+{
+       struct ieee802_11_elems elems;
+
+       if (ieee802_11_parse_elems(ies, ies_len, &elems, 1) == ParseFailed) {
+               wpa_printf(MSG_DEBUG,
+                          "FILS: Failed to parse decrypted elements");
+               return -1;
+       }
+
+       if (!elems.fils_key_confirm) {
+               wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
+               return -1;
+       }
+
+       if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
+               wpa_printf(MSG_DEBUG,
+                          "FILS: Unexpected Key-Auth length %d (expected %d)",
+                          elems.fils_key_confirm_len,
+                          (int) sm->fils_key_auth_len);
+               return -1;
+       }
+
+       if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
+                     sm->fils_key_auth_len) != 0) {
+               wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
+               wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
+                           elems.fils_key_confirm, elems.fils_key_confirm_len);
+               wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
+                           sm->fils_key_auth_sta, sm->fils_key_auth_len);
+               return -1;
+       }
+
+       return 0;
+}
+
+
 int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
                       const struct ieee80211_mgmt *mgmt, size_t frame_len,
                       u8 *pos, size_t left)
 {
        u16 fc, stype;
        const u8 *end, *ie_start, *ie, *session, *crypt;
-       struct ieee802_11_elems elems;
        const u8 *aad[5];
        size_t aad_len[5];
 
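Review bot: The Key-Auth comparison in the new wpa_fils_validate_key_confirm() uses `os_memcmp()`, which is not constant-time; for an authentication value, `os_memcmp_const(elems.fils_key_confirm, sm->fils_key_auth_sta, sm->fils_key_auth_len) != 0` is the safer choice. The input is described as already-decrypted elements, so the timing exposure is probably small, but the helper is now non-static and meant to be called from other paths. For the same reason, consider rejecting an unset expected value up front with `if (sm->fils_key_auth_len == 0) return -1;`, because a zero-length Key Confirm element would otherwise pass both the length check and the compare. Whether that state is reachable depends on callers that are not visible in this hunk.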
@@ -2295,31 +2332,8 @@ int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
        wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
                    pos, left - AES_BLOCK_SIZE);
 
-       if (ieee802_11_parse_elems(pos, left - AES_BLOCK_SIZE, &elems, 1) ==
-           ParseFailed) {
-               wpa_printf(MSG_DEBUG,
-                          "FILS: Failed to parse decrypted elements");
-               return -1;
-       }
-       if (!elems.fils_key_confirm) {
-               wpa_printf(MSG_DEBUG, "FILS: No FILS Key Confirm element");
-               return -1;
-       }
-       if (elems.fils_key_confirm_len != sm->fils_key_auth_len) {
-               wpa_printf(MSG_DEBUG,
-                          "FILS: Unexpected Key-Auth length %d (expected %d)",
-                          elems.fils_key_confirm_len,
-                          (int) sm->fils_key_auth_len);
-               return -1;
-       }
-       if (os_memcmp(elems.fils_key_confirm, sm->fils_key_auth_sta,
-                     sm->fils_key_auth_len) != 0) {
-               wpa_printf(MSG_DEBUG, "FILS: Key-Auth mismatch");
-               wpa_hexdump(MSG_DEBUG, "FILS: Received Key-Auth",
-                           elems.fils_key_confirm,
-                           elems.fils_key_confirm_len);
-               wpa_hexdump(MSG_DEBUG, "FILS: Expected Key-Auth",
-                           sm->fils_key_auth_sta, sm->fils_key_auth_len);
+       if (wpa_fils_validate_key_confirm(sm, pos, left - AES_BLOCK_SIZE) < 0) {
+               wpa_printf(MSG_DEBUG, "FILS: Key Confirm validation failed");
                return -1;
        }
 
index 3d5182b78d6db6f5d2429dd4769fecd1bb976837..384fa6c081c4a727eeb430a1e227446279dfc359 100644 (file)
@@ -377,6 +377,8 @@ int fils_set_tk(struct wpa_state_machine *sm);
 const u8 *  wpa_fils_validate_fils_session(struct wpa_state_machine *sm,
                                           const u8 *ies, size_t ies_len,
                                           const u8 *fils_session);
+int wpa_fils_validate_key_confirm(struct wpa_state_machine *sm, const u8 *ies,
+                                 size_t ies_len);
 
 int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len);
 void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,