From c5e1603e6d99c974a437f4cb0a43af091b62a0da Mon Sep 17 00:00:00 2001
From: Kapil Gupta
Date: Thu, 28 Mar 2024 15:16:49 +0530
Subject: [PATCH 1/3] fix(wifi): Fix encryption/decryption issue for mgmt packets

* Fix issues related to mgmt packets encryption in GCMP
* Fix issue of wrong decryption of mgmt packets when PMF is enabled
* Fix softAP bug in handling of SAE Reauthentication
* Fix send mgmt err when eapol process
* Fix data len not correct in he actions
---
 components/esp_rom/esp32c2/ld/esp32c2.rom.ld | 6 +++---
 components/esp_wifi/lib | 2 +-
 .../wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h | 2 +-
 components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c | 4 ++--
 components/wpa_supplicant/src/ap/ap_config.h | 4 ++--
 components/wpa_supplicant/src/ap/wpa_auth.c | 3 ++-
 components/wpa_supplicant/src/crypto/ccmp.c | 2 +-
 components/wpa_supplicant/src/utils/common.h | 4 ++++
 8 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
index 1cca514d9d..76b08d255d 100644
--- a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
+++ b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld
@@ -1865,8 +1865,8 @@ ieee80211_decap = 0x40001ffc;
 ieee80211_set_tx_pti = 0x40002000;
 wifi_is_started = 0x40002004;
 ieee80211_gettid = 0x40002008;
-ieee80211_ccmp_decrypt = 0x4000200c;
-ieee80211_ccmp_encrypt = 0x40002010;
+/* ieee80211_ccmp_decrypt = 0x4000200c; */
+/* ieee80211_ccmp_encrypt = 0x40002010; */
 ccmp_encap = 0x40002014;
 ccmp_decap = 0x40002018;
 tkip_encap = 0x4000201c;
@@ -1920,7 +1920,7 @@ ieee80211_crypto_aes_128_cmac_encrypt = 0x40002100;
 ieee80211_alloc_tx_buf = 0x40002108;
 /* ieee80211_output_do = 0x4000210c; */
 /* ieee80211_send_nulldata = 0x40002110; */
-ieee80211_setup_robust_mgmtframe = 0x40002114;
+/* ieee80211_setup_robust_mgmtframe = 0x40002114; */
 ieee80211_encap_null_data = 0x4000211c;
 ieee80211_send_deauth = 0x40002120;
 ieee80211_alloc_deauth = 0x40002124;
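Review bot: The three ROM exports dropped here (`ieee80211_ccmp_decrypt`, `ieee80211_ccmp_encrypt`, `ieee80211_setup_robust_mgmtframe`) are commented out without any record of why, so a later reader cannot tell whether the ROM copies are defective or merely superseded, and might re-enable them to save flash. Presumably the replacements now come from the `components/esp_wifi/lib` submodule bumped in this same patch, which would make re-enabling the ROM versions silently reintroduce the encryption bug the subject describes. Suggest a short comment beside the entries, e.g. `/* CCMP encrypt/decrypt and robust-mgmt setup are resolved from the Wi-Fi library, not ROM; do not re-enable (see c5e1603e) */`. Note that `ccmp_encap` and `ccmp_decap` at 0x40002014/0x40002018 remain ROM-resolved; if the fix touches CCMP header or PN handling, it is worth confirming those do not need the same override.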
diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib index ab60139bde..46e6b0eedc 160000 --- a/components/esp_wifi/lib +++ b/components/esp_wifi/lib @@ -1 +1 @@ -Subproject commit ab60139bde6fdc0ec7c5c768ee96fa1b3add4adf +Subproject commit 46e6b0eedc1425739a555393806d5c4712199805 diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h b/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h index bb85023406..795692de74 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h +++ b/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h @@ -124,7 +124,7 @@ struct wpa_funcs { bool (*wpa_sta_in_4way_handshake)(void); void *(*wpa_ap_init)(void); bool (*wpa_ap_deinit)(void *data); - bool (*wpa_ap_join)(void **sm, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len, u8* rsnxe, u8 rsnxe_len, bool *pmf_enable, int subtype); + bool (*wpa_ap_join)(void **sm, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len, u8* rsnxe, u8 rsnxe_len, bool *pmf_enable, int subtype, uint8_t *pairwise_cipher); bool (*wpa_ap_remove)(u8 *bssid); uint8_t *(*wpa_ap_get_wpa_ie)(uint8_t *len); bool (*wpa_ap_rx_eapol)(void *hapd_data, void *sm, u8 *data, size_t data_len); diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c index 10244b2f45..ba7b6a0c03 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c @@ -309,7 +309,7 @@ static int check_n_add_wps_sta(struct hostapd_data *hapd, struct sta_info *sta_i } #endif -static bool hostap_sta_join(void **sta, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len,u8 *rsnxe, u8 rsnxe_len, bool *pmf_enable, int subtype) +static bool hostap_sta_join(void **sta, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len, u8 *rsnxe, u8 rsnxe_len, bool *pmf_enable, int subtype, uint8_t *pairwise_cipher) { struct sta_info *sta_info = NULL; struct hostapd_data *hapd = hostapd_get_hapd_data(); 
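Review bot: The new `uint8_t *pairwise_cipher` member of `struct wpa_funcs` is undocumented, and nothing in the header says it is an out-parameter or what encoding it receives; from the wpa_auth.c hunk in this same patch it is the bit index of the negotiated `WPA_CIPHER_*` value (`GET_BIT_POSITION(sta->wpa_sm->pairwise)`), not the cipher bitmask itself, which a driver-side reader could easily mistake. Suggest a comment above the member, `/* out: bit index of the negotiated pairwise cipher (GET_BIT_POSITION of a WPA_CIPHER_* value), written by wpa_ap_join */`, and a statement of whether callers may pass NULL, since the callee writes through the pointer without a check. As a point of style, the new parameter is spelled `uint8_t *` while every neighbouring parameter in the same prototype uses `u8`; the same mix is carried into esp_wpa_main.c @309 and @370, ap_config.h @384 and wpa_auth.c @2560, which all apply this signature change.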
@@ -370,7 +370,7 @@ process_old_sta: goto fail; } #endif - if (wpa_ap_join(sta_info, bssid, wpa_ie, wpa_ie_len, rsnxe, rsnxe_len, pmf_enable, subtype)) { + if (wpa_ap_join(sta_info, bssid, wpa_ie, wpa_ie_len, rsnxe, rsnxe_len, pmf_enable, subtype, pairwise_cipher)) { goto done; } else { goto fail; diff --git a/components/wpa_supplicant/src/ap/ap_config.h b/components/wpa_supplicant/src/ap/ap_config.h index 3d6d6af94c..486d802a11 100644 --- a/components/wpa_supplicant/src/ap/ap_config.h +++ b/components/wpa_supplicant/src/ap/ap_config.h @@ -338,7 +338,7 @@ struct hostapd_config { char country[3]; /* first two octets: country code as described in * ISO/IEC 3166-1. Third octet: * ' ' (ascii 32): all environments - * 'O': Outdoor environemnt only + * 'O': Outdoor environment only * 'I': Indoor environment only */ @@ -384,7 +384,7 @@ int hostapd_setup_wpa_psk(struct hostapd_bss_config *conf); struct sta_info; bool wpa_ap_join(struct sta_info *sta, uint8_t *bssid, uint8_t *wpa_ie, uint8_t wpa_ie_len,uint8_t *rsnxe, uint8_t rsnxe_len, - bool *pmf_enable, int subtype); + bool *pmf_enable, int subtype, uint8_t *pairwise_cipher); bool wpa_ap_remove(u8* bssid); #endif /* HOSTAPD_CONFIG_H */ diff --git a/components/wpa_supplicant/src/ap/wpa_auth.c b/components/wpa_supplicant/src/ap/wpa_auth.c index c77ab940ce..24def33584 100644 --- a/components/wpa_supplicant/src/ap/wpa_auth.c +++ b/components/wpa_supplicant/src/ap/wpa_auth.c @@ -2560,7 +2560,7 @@ void wpa_deinit(struct wpa_authenticator *wpa_auth) #ifdef CONFIG_ESP_WIFI_SOFTAP_SUPPORT bool wpa_ap_join(struct sta_info *sta, uint8_t *bssid, uint8_t *wpa_ie, uint8_t wpa_ie_len, uint8_t *rsnxe, uint8_t rsnxe_len, - bool *pmf_enable, int subtype) + bool *pmf_enable, int subtype, uint8_t *pairwise_cipher) { struct hostapd_data *hapd = (struct hostapd_data*)esp_wifi_get_hostap_private_internal(); enum wpa_validate_result status_code = WPA_IE_OK; 
@@ -2611,6 +2611,7 @@ send_resp: //Check whether AP uses Management Frame Protection for this connection *pmf_enable = wpa_auth_uses_mfp(sta->wpa_sm); + *pairwise_cipher = GET_BIT_POSITION(sta->wpa_sm->pairwise); } wpa_auth_sta_associated(hapd->wpa_auth, sta->wpa_sm); diff --git a/components/wpa_supplicant/src/crypto/ccmp.c b/components/wpa_supplicant/src/crypto/ccmp.c index 0842e9d361..9b1cfa0e9d 100644 --- a/components/wpa_supplicant/src/crypto/ccmp.c +++ b/components/wpa_supplicant/src/crypto/ccmp.c @@ -222,7 +222,7 @@ u8 * ccmp_encrypt(const u8 *tk, u8 *frame, size_t len, size_t hdrlen, wpa_hexdump(MSG_MSGDUMP, "CCMP AAD", aad, aad_len); wpa_hexdump(MSG_MSGDUMP, "CCMP nonce", nonce, 13); - if (aes_ccm_ae(tk, 16, nonce, 8, frame + hdrlen, plen, aad, aad_len, + if (aes_ccm_ae(tk, 16, nonce, 8, frame + hdrlen + 8, plen, aad, aad_len, pos, pos + plen) < 0) { wpa_printf(MSG_ERROR, "aes ccm ae failed"); os_free(crypt); diff --git a/components/wpa_supplicant/src/utils/common.h b/components/wpa_supplicant/src/utils/common.h index efd34a3f02..6447728f1b 100644 --- a/components/wpa_supplicant/src/utils/common.h +++ b/components/wpa_supplicant/src/utils/common.h @@ -335,6 +335,10 @@ void perror(const char *s); #define BIT(x) (1U << (x)) #endif +#ifndef GET_BIT_POSITION +#define GET_BIT_POSITION(value) (__builtin_ffs(value) - 1) +#endif + /* * Definitions for sparse validation * (http://kernel.org/pub/linux/kernel/people/josh/sparse/) From 9d637316a9ab6efb3db9700795f7d5728633e46f Mon Sep 17 00:00:00 2001 From: Sarvesh Bodakhe Date: Tue, 2 Apr 2024 02:01:33 +0530 Subject: [PATCH 2/3] fix(wifi): Add bugfix to avoid RSNXE and KDE mismatch during 4-way-handshake --- components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c | 1 + components/wpa_supplicant/src/rsn_supp/wpa.c | 1 + 2 files changed, 2 insertions(+) 
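Review bot: `*pairwise_cipher = GET_BIT_POSITION(sta->wpa_sm->pairwise);` dereferences both the new out-pointer and `sta->wpa_sm` unconditionally, whereas the line just above goes through `wpa_auth_uses_mfp()`, which in upstream hostapd returns 0 for a NULL `sm`; any path that reaches `send_resp:` with `wpa_sm` unset (the function begins outside the hunk) now faults where it previously did not. Separately, `GET_BIT_POSITION` expands to `__builtin_ffs(value) - 1`, which is -1 when `pairwise` is 0, and that becomes 255 in the caller's `uint8_t`, so a join with no negotiated pairwise cipher would hand the driver a bogus cipher index. Suggest guarding the write: `if (pairwise_cipher && sta->wpa_sm && sta->wpa_sm->pairwise) {` / `    *pairwise_cipher = GET_BIT_POSITION(sta->wpa_sm->pairwise);` / `}`, and documenting what value the caller should treat as "no cipher".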
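Review bot: The correctness of `frame + hdrlen + 8` depends on `plen` (computed outside the hunk) already excluding the 8-byte CCMP header slot that the caller apparently leaves after the MAC header; if `plen` is still `len - hdrlen`, as in the upstream hostapd `ccmp_encrypt`, `aes_ccm_ae` now reads 8 bytes past the end of the plaintext and the MIC covers the wrong bytes. Assuming the caller's layout is as intended, a comment on this call would stop the next reader from "fixing" it back: `/* caller reserves 8 bytes for the CCMP header after the MAC header; the plaintext starts after that slot */`. It is also worth confirming that the decrypt side and the GCMP path, which the commit message says were affected too, assume the same input layout.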
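Review bot: `GET_BIT_POSITION(value)` is added without any comment on its two non-obvious properties: it evaluates to -1 when no bit is set (`__builtin_ffs(0)` is 0), and `__builtin_ffs` takes an `int`, so a 64-bit argument has its upper half discarded (`__builtin_ffsll` would be needed). Both matter at its only visible call site in wpa_auth.c, where the result is stored into a `uint8_t`. Suggest `/* Index of the lowest set bit of value (int width), or -1 when value is 0. */` above the `#define`, so callers know the 0 case must be handled before the result is narrowed to an unsigned type.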
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c index ba7b6a0c03..70b8e50c0a 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c @@ -331,6 +331,7 @@ static bool hostap_sta_join(void **sta, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len, u8 #endif /* CONFIG_SAE */ if (!esp_wifi_ap_is_sta_sae_reauth_node(bssid)) { ap_free_sta(hapd, old_sta); + *sta = NULL; } #ifdef CONFIG_SAE else if (old_sta && old_sta->lock) { diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.c b/components/wpa_supplicant/src/rsn_supp/wpa.c index ba7ae482f4..29c06bef6f 100644 --- a/components/wpa_supplicant/src/rsn_supp/wpa.c +++ b/components/wpa_supplicant/src/rsn_supp/wpa.c @@ -2356,6 +2356,7 @@ int wpa_set_bss(char *macddr, char * bssid, u8 pairwise_cipher, u8 group_cipher, sm->ap_notify_completed_rsne = esp_wifi_sta_is_ap_notify_completed_rsne_internal(); sm->use_ext_key_id = (sm->proto == WPA_PROTO_WPA); pmksa_cache_clear_current(sm); + sm->sae_pwe = esp_wifi_get_config_sae_pwe_h2e_internal(WIFI_IF_STA); struct rsn_pmksa_cache_entry *pmksa = NULL; if (use_pmk_cache) { From 967eda03d0eb805b0d068b0c4d1a485859116355 Mon Sep 17 00:00:00 2001 From: Kapil Gupta Date: Fri, 19 Apr 2024 19:40:07 +0530 Subject: [PATCH 3/3] fix(esp_wifi): Correct action frame type in send_mgmt_frame API --- components/wpa_supplicant/esp_supplicant/src/esp_common.c | 2 +- components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_common.c b/components/wpa_supplicant/esp_supplicant/src/esp_common.c index 0f9e8f540c..0c74341c57 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_common.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_common.c 
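Review bot: `*sta = NULL;` after `ap_free_sta(hapd, old_sta);` only removes a dangling reference if `*sta` aliases `old_sta`, which is established outside the hunk (hostap_sta_join starts at line 309), so the intent should be spelled out: `/* *sta still refers to old_sta; clear it so the caller cannot touch the freed entry */`. Note also that the `else if` branch below checks `old_sta &&` before using it, while this branch passes `old_sta` to `ap_free_sta` without that check; if `old_sta` can be NULL on this path, either `ap_free_sta` must tolerate it or the same guard belongs here.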
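Review bot: `sm->sae_pwe = esp_wifi_get_config_sae_pwe_h2e_internal(WIFI_IF_STA);` carries no comment linking it to the RSNXE/KDE mismatch in the subject, and it sits between `pmksa_cache_clear_current(sm)` and the PMKSA lookup with which it has nothing to do, so its placement in `wpa_set_bss` will look accidental later. Suggest `/* refresh sae_pwe from the current STA config, presumably so the RSNXE built for the 4-way handshake matches the one sent at association */`, with the "presumably" resolved by whoever knows the failing case. The helper's return type is not visible here; if it is an enum or int rather than the type of `sm->sae_pwe`, an explicit cast or range check would document the mapping.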
@@ -797,7 +797,7 @@ int wpa_drv_send_action(struct wpa_supplicant *wpa_s, } req->ifx = WIFI_IF_STA; - req->subtype = WLAN_FC_STYPE_ACTION; + req->subtype = (WLAN_FC_STYPE_ACTION << 4); req->data_len = data_len; os_memcpy(req->data, data, req->data_len); diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c index ff4207fc2b..ba2dd596a6 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c @@ -624,7 +624,7 @@ int esp_send_sae_auth_reply(struct hostapd_data *hapd, os_memcpy(&((uint16_t *)req->data)[3], ies, ies_len - 3 * sizeof(uint16_t)); req->ifx = WIFI_IF_AP; - req->subtype = WLAN_FC_STYPE_AUTH; + req->subtype = (WLAN_FC_STYPE_AUTH << 4); req->data_len = ies_len; os_memcpy(req->da, bssid, ETH_ALEN);
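Review bot: `req->subtype = (WLAN_FC_STYPE_ACTION << 4);` bakes the 802.11 frame-control layout (subtype in bits 4–7) into the caller as a bare shift, and the same appears in esp_wpa3.c @624 with `WLAN_FC_STYPE_AUTH`; nothing states that `req->subtype` expects the field in frame-control position rather than the raw `WLAN_FC_STYPE_*` value, which is exactly the confusion the old lines had. Suggest a comment at this first site, `/* req->subtype carries the subtype in frame-control position (bits 4-7), not the raw WLAN_FC_STYPE_* value */`, or a small shared helper such as `#define WLAN_FC_STYPE_TO_SUBTYPE(st) ((st) << 4)` (constructed name) used at both sites. Any other caller that still assigns an unshifted `WLAN_FC_STYPE_*` to `req->subtype` would have the same bug; this page shows only these two.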