Lines Matching refs:auth
42 void dpp_auth_fail(struct dpp_authentication *auth, const char *txt)
44 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt);
491 static int dpp_channel_intersect(struct dpp_authentication *auth,
495 struct dpp_bootstrap_info *peer_bi = auth->peer_bi;
500 if (freq_included(auth->freq, auth->num_freq, freq))
503 auth->freq[auth->num_freq++] = freq;
505 if (!auth->num_freq) {
510 auth->curr_freq = auth->freq[0];
515 static int dpp_channel_local_list(struct dpp_authentication *auth,
523 auth->num_freq = 0;
526 auth->freq[0] = 2412;
527 auth->freq[1] = 2437;
528 auth->freq[2] = 2462;
529 auth->num_freq = 3;
541 if (freq_included(auth->freq, auth->num_freq, freq))
543 auth->freq[auth->num_freq++] = freq;
544 if (auth->num_freq == DPP_BOOTSTRAP_MAX_FREQ) {
551 return auth->num_freq == 0 ? -1 : 0;
555 int dpp_prepare_channel_list(struct dpp_authentication *auth,
566 auth->num_freq = 1;
567 auth->freq[0] = neg_freq;
568 auth->curr_freq = neg_freq;
572 if (auth->peer_bi->num_freq > 0)
573 res = dpp_channel_intersect(auth, own_modes, num_modes);
575 res = dpp_channel_local_list(auth, own_modes, num_modes);
581 freq_to_start(auth->freq, auth->num_freq, 2462);
582 freq_to_start(auth->freq, auth->num_freq, 2412);
583 freq_to_start(auth->freq, auth->num_freq, 2437);
585 auth->freq_idx = 0;
586 auth->curr_freq = auth->freq[0];
590 for (i = 0; i < auth->num_freq; i++) {
591 res = os_snprintf(pos, end - pos, " %u", auth->freq[i]);
645 struct dpp_authentication *auth;
647 auth = os_zalloc(sizeof(*auth));
648 if (!auth)
650 auth->global = dpp;
651 auth->msg_ctx = msg_ctx;
652 auth->conf_resp_status = 255;
653 return auth;
657 static struct wpabuf * dpp_build_conf_req_attr(struct dpp_authentication *auth,
668 nonce_len = auth->curve->nonce_len;
669 if (random_get_bytes(auth->e_nonce, nonce_len)) {
673 wpa_hexdump(MSG_DEBUG, "DPP: E-nonce", auth->e_nonce, nonce_len);
698 wpabuf_put_data(clear, auth->e_nonce, nonce_len - 1);
710 wpabuf_put_data(clear, auth->e_nonce, nonce_len);
735 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
784 struct wpabuf * dpp_build_conf_req(struct dpp_authentication *auth,
789 conf_req = dpp_build_conf_req_attr(auth, json);
811 struct wpabuf * dpp_build_conf_req_helper(struct dpp_authentication *auth,
838 if (auth->csr) {
841 csr = base64_encode_no_lf(wpabuf_head(auth->csr),
842 wpabuf_len(auth->csr), &csr_len);
880 buf = dpp_build_conf_req(auth, wpabuf_head(json));
994 static int dpp_configuration_parse_helper(struct dpp_authentication *auth,
1022 auth->provision_configurator = 1;
1120 auth->conf_sta = conf_sta;
1121 auth->conf_ap = conf_ap;
1123 auth->conf2_sta = conf_sta;
1124 auth->conf2_ap = conf_ap;
1137 static int dpp_configuration_parse(struct dpp_authentication *auth,
1147 return dpp_configuration_parse_helper(auth, cmd, 0);
1155 res = dpp_configuration_parse_helper(auth, cmd, 0);
1159 res = dpp_configuration_parse_helper(auth, cmd + len, 1);
1164 dpp_configuration_free(auth->conf_sta);
1165 dpp_configuration_free(auth->conf2_sta);
1166 dpp_configuration_free(auth->conf_ap);
1167 dpp_configuration_free(auth->conf2_ap);
1189 int dpp_set_configurator(struct dpp_authentication *auth, const char *cmd)
1195 if (!cmd || auth->configurator_set)
1197 auth->configurator_set = 1;
1214 if (!auth->conf && pos) {
1216 auth->conf = dpp_configurator_get_id(auth->global, atoi(pos));
1217 if (!auth->conf) {
1227 auth->send_conn_status = atoi(pos);
1233 auth->akm_use_selector = atoi(pos);
1236 if (dpp_configuration_parse(auth, cmd) < 0) {
1237 wpa_msg(auth->msg_ctx, MSG_INFO,
1248 void dpp_auth_deinit(struct dpp_authentication *auth)
1252 if (!auth)
1254 dpp_configuration_free(auth->conf_ap);
1255 dpp_configuration_free(auth->conf2_ap);
1256 dpp_configuration_free(auth->conf_sta);
1257 dpp_configuration_free(auth->conf2_sta);
1258 crypto_ec_key_deinit(auth->own_protocol_key);
1259 crypto_ec_key_deinit(auth->peer_protocol_key);
1260 crypto_ec_key_deinit(auth->reconfig_old_protocol_key);
1261 wpabuf_free(auth->req_msg);
1262 wpabuf_free(auth->resp_msg);
1263 wpabuf_free(auth->conf_req);
1264 wpabuf_free(auth->reconfig_req_msg);
1265 wpabuf_free(auth->reconfig_resp_msg);
1266 for (i = 0; i < auth->num_conf_obj; i++) {
1267 struct dpp_config_obj *conf = &auth->conf_obj[i];
1278 dpp_free_asymmetric_key(auth->conf_key_pkg);
1279 os_free(auth->csrattrs);
1280 wpabuf_free(auth->csr);
1281 wpabuf_free(auth->priv_key);
1282 wpabuf_free(auth->cacert);
1283 wpabuf_free(auth->certbag);
1284 os_free(auth->trusted_eap_server_name);
1285 wpabuf_free(auth->conf_resp_tcp);
1287 wpabuf_free(auth->net_access_key);
1288 dpp_bootstrap_info_free(auth->tmp_own_bi);
1289 if (auth->tmp_peer_bi) {
1290 dl_list_del(&auth->tmp_peer_bi->list);
1291 dpp_bootstrap_info_free(auth->tmp_peer_bi);
1294 os_free(auth->config_obj_override);
1295 os_free(auth->discovery_override);
1296 os_free(auth->groups_override);
1298 bin_clear_free(auth, sizeof(*auth));
1303 dpp_build_conf_start(struct dpp_authentication *auth,
1309 if (auth->discovery_override)
1310 tailroom += os_strlen(auth->discovery_override);
1320 if (auth->discovery_override) {
1322 auth->discovery_override);
1324 wpabuf_put_str(buf, auth->discovery_override);
1330 if (((!conf->ssid_charset || auth->peer_version < 2) &&
1333 ((conf->ssid_charset && auth->peer_version >= 2) &&
1419 dpp_build_conf_obj_dpp(struct dpp_authentication *auth,
1432 if (!auth->conf) {
1437 curve = auth->conf->curve;
1440 if (dpp_akm_ver2(akm) && auth->peer_version < 2) {
1447 if (auth->groups_override)
1448 extra_len += os_strlen(auth->groups_override);
1455 dppcon = wpabuf_alloc(extra_len + 2 * auth->curve->prime_len * 4 / 3);
1459 if (auth->groups_override) {
1461 if (auth->groups_override) {
1464 auth->groups_override);
1466 wpabuf_put_str(dppcon, auth->groups_override);
1485 if (!auth->peer_protocol_key ||
1486 dpp_build_jwk(dppcon, "netAccessKey", auth->peer_protocol_key, NULL,
1487 auth->curve) < 0) {
1509 json_add_int(dppcon, "version", auth->peer_version);
1515 signed_conn = dpp_sign_connector(auth->conf, dppcon);
1521 tailroom += 2 * curve->prime_len * 4 / 3 + os_strlen(auth->conf->kid);
1526 if (auth->certbag)
1527 tailroom += 2 * wpabuf_len(auth->certbag);
1528 if (auth->cacert)
1529 tailroom += 2 * wpabuf_len(auth->cacert);
1530 if (auth->trusted_eap_server_name)
1531 tailroom += os_strlen(auth->trusted_eap_server_name);
1534 buf = dpp_build_conf_start(auth, conf, tailroom);
1538 if (auth->akm_use_selector && dpp_akm_ver2(akm))
1551 if (!auth->certbag)
1553 json_add_base64(buf, "certBag", wpabuf_head(auth->certbag),
1554 wpabuf_len(auth->certbag));
1555 if (auth->cacert) {
1558 wpabuf_head(auth->cacert),
1559 wpabuf_len(auth->cacert));
1561 if (auth->trusted_eap_server_name) {
1564 auth->trusted_eap_server_name);
1577 if (dpp_build_jwk(buf, "csign", auth->conf->csign, auth->conf->kid,
1583 if (auth->peer_version >= 2 && auth->conf->pp_key) {
1585 if (dpp_build_jwk(buf, "ppKey", auth->conf->pp_key, NULL,
1612 dpp_build_conf_obj_legacy(struct dpp_authentication *auth,
1618 buf = dpp_build_conf_start(auth, conf, 1000);
1622 if (auth->akm_use_selector && dpp_akm_ver2(conf->akm))
1641 dpp_build_conf_obj(struct dpp_authentication *auth, enum dpp_netrole netrole,
1647 if (auth->config_obj_override) {
1651 return wpabuf_alloc_copy(auth->config_obj_override,
1652 os_strlen(auth->config_obj_override));
1658 conf = auth->conf_sta;
1660 conf = auth->conf_ap;
1663 conf = auth->conf2_sta;
1665 conf = auth->conf2_ap;
1676 if (!auth->conf) {
1681 if (!cert_req && !auth->certbag) {
1686 return dpp_build_conf_obj_dpp(auth, conf);
1688 if (dpp_akm_dpp(conf->akm) || (auth->peer_version >= 2 && auth->conf))
1689 return dpp_build_conf_obj_dpp(auth, conf);
1690 return dpp_build_conf_obj_legacy(auth, conf);
1695 dpp_build_conf_resp(struct dpp_authentication *auth, const u8 *e_nonce,
1706 if (auth->force_conf_resp_status != DPP_STATUS_OK) {
1707 status = auth->force_conf_resp_status;
1713 env_data = dpp_build_enveloped_data(auth);
1716 conf = dpp_build_conf_obj(auth, netrole, 0, cert_req);
1721 conf2 = dpp_build_conf_obj(auth, netrole, 1, cert_req);
1727 else if (!cert_req && netrole == DPP_NETROLE_STA && auth->conf_sta &&
1728 auth->conf_sta->akm == DPP_AKM_DOT1X && !auth->waiting_csr)
1733 auth->conf_resp_status = status;
1743 if (auth->peer_version >= 2 && auth->send_conn_status &&
1746 if (status == DPP_STATUS_CSR_NEEDED && auth->conf_sta &&
1747 auth->conf_sta->csrattrs)
1748 clear_len += 4 + os_strlen(auth->conf_sta->csrattrs);
1796 if (auth->peer_version >= 2 && conf2) {
1810 if (auth->peer_version >= 2 && auth->send_conn_status &&
1817 if (status == DPP_STATUS_CSR_NEEDED && auth->conf_sta &&
1818 auth->conf_sta->csrattrs) {
1819 auth->waiting_csr = true;
1822 wpabuf_put_le16(clear, os_strlen(auth->conf_sta->csrattrs));
1823 wpabuf_put_str(clear, auth->conf_sta->csrattrs);
1854 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
1886 dpp_conf_req_rx(struct dpp_authentication *auth, const u8 *attr_start,
1907 dpp_auth_fail(auth, "Invalid attribute in config request");
1914 dpp_auth_fail(auth,
1925 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
1928 dpp_auth_fail(auth, "AES-SIV decryption failed");
1935 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
1942 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
1943 dpp_auth_fail(auth,
1948 os_memcpy(auth->e_nonce, e_nonce, e_nonce_len);
1954 dpp_auth_fail(auth,
1963 dpp_auth_fail(auth, "Could not parse Config Attributes");
1969 dpp_auth_fail(auth, "No Config Attributes - name");
1976 dpp_auth_fail(auth, "No Config Attributes - wi-fi_tech");
1983 dpp_auth_fail(auth, "Unsupported wi-fi_tech");
1989 dpp_auth_fail(auth, "No Config Attributes - netRole");
2002 dpp_auth_fail(auth, "Unsupported netRole");
2005 auth->e_netrole = netrole;
2010 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_MUD_URL "%s",
2048 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_BAND_SUPPORT "%s",
2059 if (dpp_validate_csr(auth, cert_req) < 0) {
2061 auth->force_conf_resp_status = DPP_STATUS_CSR_BAD;
2065 if (auth->peer_bi) {
2066 id = auth->peer_bi->id;
2067 } else if (auth->tmp_peer_bi) {
2068 id = auth->tmp_peer_bi->id;
2075 bi->id = dpp_next_id(auth->global);
2076 dl_list_add(&auth->global->bootstrap, &bi->list);
2077 auth->tmp_peer_bi = bi;
2087 wpa_msg(auth->msg_ctx, MSG_INFO, DPP_EVENT_CSR "peer=%d csr=%s",
2090 auth->waiting_csr = false;
2091 auth->waiting_cert = true;
2097 resp = dpp_build_conf_resp(auth, e_nonce, e_nonce_len, netrole,
2308 static int dpp_parse_connector(struct dpp_authentication *auth,
2364 &auth->net_access_key_expiry)) {
2382 if (crypto_ec_key_cmp(key, auth->own_protocol_key)) {
2386 if (auth->ignore_netaccesskey_mismatch) {
2433 static void dpp_copy_netaccesskey(struct dpp_authentication *auth,
2439 own_key = auth->own_protocol_key;
2441 if (auth->reconfig_connector_key == DPP_CONFIG_REUSEKEY &&
2442 auth->reconfig_old_protocol_key)
2443 own_key = auth->reconfig_old_protocol_key;
2450 wpabuf_free(auth->net_access_key);
2451 auth->net_access_key = net_access_key;
2455 static int dpp_parse_cred_dpp(struct dpp_authentication *auth,
2525 if (dpp_parse_connector(auth, conf,
2537 if (dpp_akm_dpp(conf->akm) || auth->peer_version >= 2)
2538 dpp_copy_netaccesskey(auth, conf);
2550 static int dpp_parse_cred_dot1x(struct dpp_authentication *auth,
2558 dpp_auth_fail(auth, "No entCreds in JSON");
2564 dpp_auth_fail(auth, "No certBag in JSON");
2570 dpp_auth_fail(auth, "No certificates in certBag");
2584 dpp_auth_fail(auth,
2708 static int dpp_parse_conf_obj(struct dpp_authentication *auth,
2721 dpp_auth_fail(auth, "JSON root is not an object");
2727 dpp_auth_fail(auth, "No wi-fi_tech string value found");
2733 dpp_auth_fail(auth, "Unsupported wi-fi_tech value");
2739 dpp_auth_fail(auth, "No discovery object in JSON");
2748 dpp_auth_fail(auth, "Too long discovery::ssid64 value");
2754 dpp_auth_fail(auth,
2761 dpp_auth_fail(auth,
2767 if (auth->num_conf_obj == DPP_MAX_CONF_OBJ) {
2773 conf = &auth->conf_obj[auth->num_conf_obj++];
2792 dpp_auth_fail(auth, "No cred object in JSON");
2798 dpp_auth_fail(auth, "No cred::akm string value found");
2804 if (legacy && auth->peer_version >= 2) {
2817 (auth->peer_version >= 2 && dpp_akm_legacy(conf->akm))) {
2818 if (dpp_parse_cred_dpp(auth, conf, cred) < 0)
2822 if (dpp_parse_cred_dot1x(auth, conf, cred) < 0 ||
2823 dpp_parse_cred_dpp(auth, conf, cred) < 0)
2829 dpp_auth_fail(auth, "Unsupported akm");
2856 int dpp_conf_resp_rx(struct dpp_authentication *auth,
2869 auth->conf_resp_status = 255;
2872 dpp_auth_fail(auth, "Invalid attribute in config response");
2880 dpp_auth_fail(auth,
2896 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
2899 dpp_auth_fail(auth, "AES-SIV decryption failed");
2906 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
2913 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
2914 dpp_auth_fail(auth,
2919 if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) {
2920 dpp_auth_fail(auth, "Enrollee Nonce mismatch");
2927 dpp_auth_fail(auth,
2931 auth->conf_resp_status = status[0];
2943 dpp_auth_fail(auth,
2948 os_free(auth->csrattrs);
2949 auth->csrattrs = csrattrs;
2950 auth->csrattrs_len = csrattrs_len;
2956 dpp_auth_fail(auth, "Configurator rejected configuration");
2964 dpp_conf_resp_env_data(auth, env_data, env_data_len) < 0)
2971 dpp_auth_fail(auth,
2978 if (dpp_parse_conf_obj(auth, conf_obj, conf_obj_len) < 0)
2991 auth->conn_status_requested = 1;
3005 enum dpp_status_error dpp_conf_result_rx(struct dpp_authentication *auth,
3020 dpp_auth_fail(auth,
3041 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
3044 dpp_auth_fail(auth, "AES-SIV decryption failed");
3051 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3058 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
3059 dpp_auth_fail(auth,
3064 if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) {
3065 dpp_auth_fail(auth, "Enrollee Nonce mismatch");
3067 auth->e_nonce, e_nonce_len);
3074 dpp_auth_fail(auth,
3087 struct wpabuf * dpp_build_conf_result(struct dpp_authentication *auth,
3096 nonce_len = auth->curve->nonce_len;
3110 wpabuf_put_data(clear, auth->e_nonce, nonce_len);
3128 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
3156 enum dpp_status_error dpp_conn_status_result_rx(struct dpp_authentication *auth,
3179 dpp_auth_fail(auth,
3200 if (aes_siv_decrypt(auth->ke, auth->curve->hash_len,
3203 dpp_auth_fail(auth, "AES-SIV decryption failed");
3210 dpp_auth_fail(auth, "Invalid attribute in unwrapped data");
3217 if (!e_nonce || e_nonce_len != auth->curve->nonce_len) {
3218 dpp_auth_fail(auth,
3223 if (os_memcmp(e_nonce, auth->e_nonce, e_nonce_len) != 0) {
3224 dpp_auth_fail(auth, "Enrollee Nonce mismatch");
3226 auth->e_nonce, e_nonce_len);
3233 dpp_auth_fail(auth,
3242 dpp_auth_fail(auth, "Could not parse connStatus");
3260 dpp_auth_fail(auth, "No connStatus - result");
3303 struct wpabuf * dpp_build_conn_status_result(struct dpp_authentication *auth,
3318 nonce_len = auth->curve->nonce_len;
3329 wpabuf_put_data(clear, auth->e_nonce, nonce_len);
3352 if (aes_siv_encrypt(auth->ke, auth->curve->hash_len,
3475 int dpp_configurator_own_config(struct dpp_authentication *auth,
3481 if (!auth->conf) {
3486 auth->curve = dpp_get_curve_name(curve);
3487 if (!auth->curve) {
3494 auth->curve->name);
3496 auth->own_protocol_key = dpp_gen_keypair(auth->curve);
3497 if (!auth->own_protocol_key)
3499 dpp_copy_netaccesskey(auth, &auth->conf_obj[0]);
3500 auth->peer_protocol_key = auth->own_protocol_key;
3501 dpp_copy_csign(&auth->conf_obj[0], auth->conf->csign);
3503 conf_obj = dpp_build_conf_obj(auth, ap, 0, NULL);
3505 wpabuf_free(auth->conf_obj[0].c_sign_key);
3506 auth->conf_obj[0].c_sign_key = NULL;
3509 ret = dpp_parse_conf_obj(auth, wpabuf_head(conf_obj),
3513 auth->peer_protocol_key = NULL;