Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

DPP: Report possible PKEX code mismatch in control interface

Indicate to upper layers if PKEX Commit-Reveal Request frame AES-SIV
decryption fails. That is a likely sign of the PKEX code mismatch
between the devices.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 7 years ago
parent
d84c0cf46c
commit
219d4c9fcb
4 changed files with 25 additions and 10 deletions
Split View Show Diff Stats
  1. 4 2
      src/ap/dpp_hostapd.c
  2. 15 4
      src/common/dpp.c
  3. 4 2
      src/common/dpp.h
  4. 2 2
      wpa_supplicant/dpp_supplicant.c

+ 4 - 2
src/ap/dpp_hostapd.c
View File 

@@ -1047,7 +1047,8 @@ hostapd_dpp_rx_pkex_exchange_req(struct hostapd_data *hapd, const u8 *src,
 
 		return;
 
 	}
 
 
-	hapd->dpp_pkex = dpp_pkex_rx_exchange_req(hapd->dpp_pkex_bi,
 
+	hapd->dpp_pkex = dpp_pkex_rx_exchange_req(hapd->msg_ctx,
 
+						  hapd->dpp_pkex_bi,
 
 						  hapd->own_addr, src,
 
 						  hapd->dpp_pkex_identifier,
 
 						  hapd->dpp_pkex_code,
 
@@ -1452,7 +1453,8 @@ int hostapd_dpp_pkex_add(struct hostapd_data *hapd, const char *cmd)
 
 
 		wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX");
 
 		dpp_pkex_free(hapd->dpp_pkex);
 
-		hapd->dpp_pkex = dpp_pkex_init(own_bi, hapd->own_addr,
 
+		hapd->dpp_pkex = dpp_pkex_init(hapd->msg_ctx, own_bi,
 
+					       hapd->own_addr,
 
 					       hapd->dpp_pkex_identifier,
 
 					       hapd->dpp_pkex_code);
 
 		if (!hapd->dpp_pkex)

+ 15 - 4
src/common/dpp.c
View File 

@@ -5577,7 +5577,13 @@ fail:
 
 }
 
 
 
-struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi,
 
+static void dpp_pkex_fail(struct dpp_pkex *pkex, const char *txt)
 
+{
 
+	wpa_msg(pkex->msg_ctx, MSG_INFO, DPP_EVENT_FAIL "%s", txt);
 
+}
 
+
 
+
 
+struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi,
 
 				const u8 *own_mac,
 
 				const char *identifier,
 
 				const char *code)
 
@@ -5587,6 +5593,7 @@ struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi,
 
 	pkex = os_zalloc(sizeof(*pkex));
 
 	if (!pkex)
 
 		return NULL;
 
+	pkex->msg_ctx = msg_ctx;
 
 	pkex->initiator = 1;
 
 	pkex->own_bi = bi;
 
 	os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
 
@@ -5608,7 +5615,8 @@ fail:
 
 }
 
 
 
-struct dpp_pkex * dpp_pkex_rx_exchange_req(struct dpp_bootstrap_info *bi,
 
+struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx,
 
+					   struct dpp_bootstrap_info *bi,
 
 					   const u8 *own_mac,
 
 					   const u8 *peer_mac,
 
 					   const char *identifier,
 
@@ -5698,6 +5706,7 @@ struct dpp_pkex * dpp_pkex_rx_exchange_req(struct dpp_bootstrap_info *bi,
 
 	pkex = os_zalloc(sizeof(*pkex));
 
 	if (!pkex)
 
 		goto fail;
 
+	pkex->msg_ctx = msg_ctx;
 
 	pkex->own_bi = bi;
 
 	os_memcpy(pkex->own_mac, own_mac, ETH_ALEN);
 
 	os_memcpy(pkex->peer_mac, peer_mac, ETH_ALEN);
 
@@ -6186,7 +6195,8 @@ struct wpabuf * dpp_pkex_rx_commit_reveal_req(struct dpp_pkex *pkex,
 
 	if (aes_siv_decrypt(pkex->z, curve->hash_len,
 
 			    wrapped_data, wrapped_data_len,
 
 			    2, addr, len, unwrapped) < 0) {
 
-		wpa_printf(MSG_DEBUG, "DPP: AES-SIV decryption failed");
 
+		dpp_pkex_fail(pkex,
 
+			      "AES-SIV decryption failed - possible PKEX code mismatch");
 
 		goto fail;
 
 	}
 
 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",
 
@@ -6402,7 +6412,8 @@ int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr,
 
 	if (aes_siv_decrypt(pkex->z, curve->hash_len,
 
 			    wrapped_data, wrapped_data_len,
 
 			    2, addr, len, unwrapped) < 0) {
 
-		wpa_printf(MSG_DEBUG, "DPP: AES-SIV decryption failed");
 
+		dpp_pkex_fail(pkex,
 
+			      "AES-SIV decryption failed - possible PKEX code mismatch");
 
 		goto fail;
 
 	}
 
 	wpa_hexdump(MSG_DEBUG, "DPP: AES-SIV cleartext",

+ 4 - 2
src/common/dpp.h
View File 

@@ -110,6 +110,7 @@ struct dpp_bootstrap_info {
 
 };
 
 
 struct dpp_pkex {
 
+	void *msg_ctx;
 
 	unsigned int initiator:1;
 
 	unsigned int exchange_done:1;
 
 	struct dpp_bootstrap_info *own_bi;
 
@@ -304,11 +305,12 @@ dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
 
 	       const u8 *csign_key, size_t csign_key_len,
 
 	       const u8 *peer_connector, size_t peer_connector_len,
 
 	       os_time_t *expiry);
 
-struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi,
 
+struct dpp_pkex * dpp_pkex_init(void *msg_ctx, struct dpp_bootstrap_info *bi,
 
 				const u8 *own_mac,
 
 				const char *identifier,
 
 				const char *code);
 
-struct dpp_pkex * dpp_pkex_rx_exchange_req(struct dpp_bootstrap_info *bi,
 
+struct dpp_pkex * dpp_pkex_rx_exchange_req(void *msg_ctx,
 
+					   struct dpp_bootstrap_info *bi,
 
 					   const u8 *own_mac,
 
 					   const u8 *peer_mac,
 
 					   const char *identifier,

+ 2 - 2
wpa_supplicant/dpp_supplicant.c
View File 

@@ -1456,7 +1456,7 @@ wpas_dpp_rx_pkex_exchange_req(struct wpa_supplicant *wpa_s, const u8 *src,
 
 		return;
 
 	}
 
 
-	wpa_s->dpp_pkex = dpp_pkex_rx_exchange_req(wpa_s->dpp_pkex_bi,
 
+	wpa_s->dpp_pkex = dpp_pkex_rx_exchange_req(wpa_s, wpa_s->dpp_pkex_bi,
 
 						   wpa_s->own_addr, src,
 
 						   wpa_s->dpp_pkex_identifier,
 
 						   wpa_s->dpp_pkex_code,
 
@@ -2020,7 +2020,7 @@ int wpas_dpp_pkex_add(struct wpa_supplicant *wpa_s, const char *cmd)
 
 
 		wpa_printf(MSG_DEBUG, "DPP: Initiating PKEX");
 
 		dpp_pkex_free(wpa_s->dpp_pkex);
 
-		wpa_s->dpp_pkex = dpp_pkex_init(own_bi, wpa_s->own_addr,
 
+		wpa_s->dpp_pkex = dpp_pkex_init(wpa_s, own_bi, wpa_s->own_addr,
 
 						wpa_s->dpp_pkex_identifier,
 
 						wpa_s->dpp_pkex_code);
 
 		if (!wpa_s->dpp_pkex)