xref: /freebsd/contrib/wpa/src/rsn_supp/wpa_ft.c (revision 40a8ac8f62b535d30349faf28cf47106b7041b83)
1 /*
2  * WPA Supplicant - IEEE 802.11r - Fast BSS Transition
3  * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/aes_wrap.h"
13 #include "crypto/random.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "wpa.h"
17 #include "wpa_i.h"
18 
19 #ifdef CONFIG_IEEE80211R
20 
21 int wpa_derive_ptk_ft(struct wpa_sm *sm, const unsigned char *src_addr,
22 		      const struct wpa_eapol_key *key,
23 		      struct wpa_ptk *ptk, size_t ptk_len)
24 {
25 	u8 ptk_name[WPA_PMK_NAME_LEN];
26 	const u8 *anonce = key->key_nonce;
27 
28 	if (sm->xxkey_len == 0) {
29 		wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
30 			   "derivation");
31 		return -1;
32 	}
33 
34 	wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, sm->ssid,
35 			  sm->ssid_len, sm->mobility_domain,
36 			  sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
37 			  sm->pmk_r0, sm->pmk_r0_name);
38 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", sm->pmk_r0, PMK_LEN);
39 	wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name",
40 		    sm->pmk_r0_name, WPA_PMK_NAME_LEN);
41 	wpa_derive_pmk_r1(sm->pmk_r0, sm->pmk_r0_name, sm->r1kh_id,
42 			  sm->own_addr, sm->pmk_r1, sm->pmk_r1_name);
43 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", sm->pmk_r1, PMK_LEN);
44 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", sm->pmk_r1_name,
45 		    WPA_PMK_NAME_LEN);
46 	wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->snonce, anonce, sm->own_addr,
47 			  sm->bssid, sm->pmk_r1_name,
48 			  (u8 *) ptk, ptk_len, ptk_name);
49 	wpa_hexdump_key(MSG_DEBUG, "FT: PTK", (u8 *) ptk, ptk_len);
50 	wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
51 
52 	return 0;
53 }
54 
55 
56 /**
57  * wpa_sm_set_ft_params - Set FT (IEEE 802.11r) parameters
58  * @sm: Pointer to WPA state machine data from wpa_sm_init()
59  * @ies: Association Response IEs or %NULL to clear FT parameters
60  * @ies_len: Length of ies buffer in octets
61  * Returns: 0 on success, -1 on failure
62  */
63 int wpa_sm_set_ft_params(struct wpa_sm *sm, const u8 *ies, size_t ies_len)
64 {
65 	struct wpa_ft_ies ft;
66 
67 	if (sm == NULL)
68 		return 0;
69 
70 	if (wpa_ft_parse_ies(ies, ies_len, &ft) < 0)
71 		return -1;
72 
73 	if (ft.mdie && ft.mdie_len < MOBILITY_DOMAIN_ID_LEN + 1)
74 		return -1;
75 
76 	if (ft.mdie) {
77 		wpa_hexdump(MSG_DEBUG, "FT: Mobility domain",
78 			    ft.mdie, MOBILITY_DOMAIN_ID_LEN);
79 		os_memcpy(sm->mobility_domain, ft.mdie,
80 			  MOBILITY_DOMAIN_ID_LEN);
81 		sm->mdie_ft_capab = ft.mdie[MOBILITY_DOMAIN_ID_LEN];
82 		wpa_printf(MSG_DEBUG, "FT: Capability and Policy: 0x%02x",
83 			   sm->mdie_ft_capab);
84 	} else
85 		os_memset(sm->mobility_domain, 0, MOBILITY_DOMAIN_ID_LEN);
86 
87 	if (ft.r0kh_id) {
88 		wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID",
89 			    ft.r0kh_id, ft.r0kh_id_len);
90 		os_memcpy(sm->r0kh_id, ft.r0kh_id, ft.r0kh_id_len);
91 		sm->r0kh_id_len = ft.r0kh_id_len;
92 	} else {
93 		/* FIX: When should R0KH-ID be cleared? We need to keep the
94 		 * old R0KH-ID in order to be able to use this during FT. */
95 		/*
96 		 * os_memset(sm->r0kh_id, 0, FT_R0KH_ID_LEN);
97 		 * sm->r0kh_id_len = 0;
98 		 */
99 	}
100 
101 	if (ft.r1kh_id) {
102 		wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID",
103 			    ft.r1kh_id, FT_R1KH_ID_LEN);
104 		os_memcpy(sm->r1kh_id, ft.r1kh_id, FT_R1KH_ID_LEN);
105 	} else
106 		os_memset(sm->r1kh_id, 0, FT_R1KH_ID_LEN);
107 
108 	os_free(sm->assoc_resp_ies);
109 	sm->assoc_resp_ies = os_malloc(ft.mdie_len + 2 + ft.ftie_len + 2);
110 	if (sm->assoc_resp_ies) {
111 		u8 *pos = sm->assoc_resp_ies;
112 		if (ft.mdie) {
113 			os_memcpy(pos, ft.mdie - 2, ft.mdie_len + 2);
114 			pos += ft.mdie_len + 2;
115 		}
116 		if (ft.ftie) {
117 			os_memcpy(pos, ft.ftie - 2, ft.ftie_len + 2);
118 			pos += ft.ftie_len + 2;
119 		}
120 		sm->assoc_resp_ies_len = pos - sm->assoc_resp_ies;
121 		wpa_hexdump(MSG_DEBUG, "FT: Stored MDIE and FTIE from "
122 			    "(Re)Association Response",
123 			    sm->assoc_resp_ies, sm->assoc_resp_ies_len);
124 	}
125 
126 	return 0;
127 }
128 
129 
130 /**
131  * wpa_ft_gen_req_ies - Generate FT (IEEE 802.11r) IEs for Auth/ReAssoc Request
132  * @sm: Pointer to WPA state machine data from wpa_sm_init()
133  * @len: Buffer for returning the length of the IEs
134  * @anonce: ANonce or %NULL if not yet available
135  * @pmk_name: PMKR0Name or PMKR1Name to be added into the RSN IE PMKID List
136  * @kck: 128-bit KCK for MIC or %NULL if no MIC is used
137  * @target_ap: Target AP address
138  * @ric_ies: Optional IE(s), e.g., WMM TSPEC(s), for RIC-Request or %NULL
139  * @ric_ies_len: Length of ric_ies buffer in octets
140  * @ap_mdie: Mobility Domain IE from the target AP
141  * Returns: Pointer to buffer with IEs or %NULL on failure
142  *
143  * Caller is responsible for freeing the returned buffer with os_free();
144  */
145 static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
146 			       const u8 *anonce, const u8 *pmk_name,
147 			       const u8 *kck, const u8 *target_ap,
148 			       const u8 *ric_ies, size_t ric_ies_len,
149 			       const u8 *ap_mdie)
150 {
151 	size_t buf_len;
152 	u8 *buf, *pos, *ftie_len, *ftie_pos;
153 	struct rsn_mdie *mdie;
154 	struct rsn_ftie *ftie;
155 	struct rsn_ie_hdr *rsnie;
156 	u16 capab;
157 
158 	sm->ft_completed = 0;
159 
160 	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
161 		2 + sm->r0kh_id_len + ric_ies_len + 100;
162 	buf = os_zalloc(buf_len);
163 	if (buf == NULL)
164 		return NULL;
165 	pos = buf;
166 
167 	/* RSNIE[PMKR0Name/PMKR1Name] */
168 	rsnie = (struct rsn_ie_hdr *) pos;
169 	rsnie->elem_id = WLAN_EID_RSN;
170 	WPA_PUT_LE16(rsnie->version, RSN_VERSION);
171 	pos = (u8 *) (rsnie + 1);
172 
173 	/* Group Suite Selector */
174 	if (sm->group_cipher != WPA_CIPHER_CCMP &&
175 	    sm->group_cipher != WPA_CIPHER_GCMP &&
176 	    sm->group_cipher != WPA_CIPHER_TKIP) {
177 		wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
178 			   sm->group_cipher);
179 		os_free(buf);
180 		return NULL;
181 	}
182 	RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
183 						  sm->group_cipher));
184 	pos += RSN_SELECTOR_LEN;
185 
186 	/* Pairwise Suite Count */
187 	WPA_PUT_LE16(pos, 1);
188 	pos += 2;
189 
190 	/* Pairwise Suite List */
191 	if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
192 		wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
193 			   sm->pairwise_cipher);
194 		os_free(buf);
195 		return NULL;
196 	}
197 	RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
198 						  sm->pairwise_cipher));
199 	pos += RSN_SELECTOR_LEN;
200 
201 	/* Authenticated Key Management Suite Count */
202 	WPA_PUT_LE16(pos, 1);
203 	pos += 2;
204 
205 	/* Authenticated Key Management Suite List */
206 	if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X)
207 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
208 	else if (sm->key_mgmt == WPA_KEY_MGMT_FT_PSK)
209 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
210 	else {
211 		wpa_printf(MSG_WARNING, "FT: Invalid key management type (%d)",
212 			   sm->key_mgmt);
213 		os_free(buf);
214 		return NULL;
215 	}
216 	pos += RSN_SELECTOR_LEN;
217 
218 	/* RSN Capabilities */
219 	capab = 0;
220 #ifdef CONFIG_IEEE80211W
221 	if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
222 		capab |= WPA_CAPABILITY_MFPC;
223 #endif /* CONFIG_IEEE80211W */
224 	WPA_PUT_LE16(pos, capab);
225 	pos += 2;
226 
227 	/* PMKID Count */
228 	WPA_PUT_LE16(pos, 1);
229 	pos += 2;
230 
231 	/* PMKID List [PMKR0Name/PMKR1Name] */
232 	os_memcpy(pos, pmk_name, WPA_PMK_NAME_LEN);
233 	pos += WPA_PMK_NAME_LEN;
234 
235 #ifdef CONFIG_IEEE80211W
236 	if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
237 		/* Management Group Cipher Suite */
238 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
239 		pos += RSN_SELECTOR_LEN;
240 	}
241 #endif /* CONFIG_IEEE80211W */
242 
243 	rsnie->len = (pos - (u8 *) rsnie) - 2;
244 
245 	/* MDIE */
246 	*pos++ = WLAN_EID_MOBILITY_DOMAIN;
247 	*pos++ = sizeof(*mdie);
248 	mdie = (struct rsn_mdie *) pos;
249 	pos += sizeof(*mdie);
250 	os_memcpy(mdie->mobility_domain, sm->mobility_domain,
251 		  MOBILITY_DOMAIN_ID_LEN);
252 	mdie->ft_capab = ap_mdie && ap_mdie[1] >= 3 ? ap_mdie[4] :
253 		sm->mdie_ft_capab;
254 
255 	/* FTIE[SNonce, [R1KH-ID,] R0KH-ID ] */
256 	ftie_pos = pos;
257 	*pos++ = WLAN_EID_FAST_BSS_TRANSITION;
258 	ftie_len = pos++;
259 	ftie = (struct rsn_ftie *) pos;
260 	pos += sizeof(*ftie);
261 	os_memcpy(ftie->snonce, sm->snonce, WPA_NONCE_LEN);
262 	if (anonce)
263 		os_memcpy(ftie->anonce, anonce, WPA_NONCE_LEN);
264 	if (kck) {
265 		/* R1KH-ID sub-element in third FT message */
266 		*pos++ = FTIE_SUBELEM_R1KH_ID;
267 		*pos++ = FT_R1KH_ID_LEN;
268 		os_memcpy(pos, sm->r1kh_id, FT_R1KH_ID_LEN);
269 		pos += FT_R1KH_ID_LEN;
270 	}
271 	/* R0KH-ID sub-element */
272 	*pos++ = FTIE_SUBELEM_R0KH_ID;
273 	*pos++ = sm->r0kh_id_len;
274 	os_memcpy(pos, sm->r0kh_id, sm->r0kh_id_len);
275 	pos += sm->r0kh_id_len;
276 	*ftie_len = pos - ftie_len - 1;
277 
278 	if (ric_ies) {
279 		/* RIC Request */
280 		os_memcpy(pos, ric_ies, ric_ies_len);
281 		pos += ric_ies_len;
282 	}
283 
284 	if (kck) {
285 		/*
286 		 * IEEE Std 802.11r-2008, 11A.8.4
287 		 * MIC shall be calculated over:
288 		 * non-AP STA MAC address
289 		 * Target AP MAC address
290 		 * Transaction seq number (5 for ReassocReq, 3 otherwise)
291 		 * RSN IE
292 		 * MDIE
293 		 * FTIE (with MIC field set to 0)
294 		 * RIC-Request (if present)
295 		 */
296 		/* Information element count */
297 		ftie->mic_control[1] = 3 + ieee802_11_ie_count(ric_ies,
298 							       ric_ies_len);
299 		if (wpa_ft_mic(kck, sm->own_addr, target_ap, 5,
300 			       ((u8 *) mdie) - 2, 2 + sizeof(*mdie),
301 			       ftie_pos, 2 + *ftie_len,
302 			       (u8 *) rsnie, 2 + rsnie->len, ric_ies,
303 			       ric_ies_len, ftie->mic) < 0) {
304 			wpa_printf(MSG_INFO, "FT: Failed to calculate MIC");
305 			os_free(buf);
306 			return NULL;
307 		}
308 	}
309 
310 	*len = pos - buf;
311 
312 	return buf;
313 }
314 
315 
316 static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid)
317 {
318 	int keylen;
319 	enum wpa_alg alg;
320 	u8 null_rsc[6] = { 0, 0, 0, 0, 0, 0 };
321 
322 	wpa_printf(MSG_DEBUG, "FT: Installing PTK to the driver.");
323 
324 	if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
325 		wpa_printf(MSG_WARNING, "FT: Unsupported pairwise cipher %d",
326 			   sm->pairwise_cipher);
327 		return -1;
328 	}
329 
330 	alg = wpa_cipher_to_alg(sm->pairwise_cipher);
331 	keylen = wpa_cipher_key_len(sm->pairwise_cipher);
332 
333 	if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc,
334 			   sizeof(null_rsc), (u8 *) sm->ptk.tk1, keylen) < 0) {
335 		wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver");
336 		return -1;
337 	}
338 
339 	return 0;
340 }
341 
342 
343 /**
344  * wpa_ft_prepare_auth_request - Generate over-the-air auth request
345  * @sm: Pointer to WPA state machine data from wpa_sm_init()
346  * @mdie: Target AP MDIE
347  * Returns: 0 on success, -1 on failure
348  */
349 int wpa_ft_prepare_auth_request(struct wpa_sm *sm, const u8 *mdie)
350 {
351 	u8 *ft_ies;
352 	size_t ft_ies_len;
353 
354 	/* Generate a new SNonce */
355 	if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
356 		wpa_printf(MSG_INFO, "FT: Failed to generate a new SNonce");
357 		return -1;
358 	}
359 
360 	ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, NULL, sm->pmk_r0_name,
361 				    NULL, sm->bssid, NULL, 0, mdie);
362 	if (ft_ies) {
363 		wpa_sm_update_ft_ies(sm, sm->mobility_domain,
364 				     ft_ies, ft_ies_len);
365 		os_free(ft_ies);
366 	}
367 
368 	return 0;
369 }
370 
371 
372 int wpa_ft_process_response(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
373 			    int ft_action, const u8 *target_ap,
374 			    const u8 *ric_ies, size_t ric_ies_len)
375 {
376 	u8 *ft_ies;
377 	size_t ft_ies_len, ptk_len;
378 	struct wpa_ft_ies parse;
379 	struct rsn_mdie *mdie;
380 	struct rsn_ftie *ftie;
381 	u8 ptk_name[WPA_PMK_NAME_LEN];
382 	int ret;
383 	const u8 *bssid;
384 
385 	wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len);
386 	wpa_hexdump(MSG_DEBUG, "FT: RIC IEs", ric_ies, ric_ies_len);
387 
388 	if (ft_action) {
389 		if (!sm->over_the_ds_in_progress) {
390 			wpa_printf(MSG_DEBUG, "FT: No over-the-DS in progress "
391 				   "- drop FT Action Response");
392 			return -1;
393 		}
394 
395 		if (os_memcmp(target_ap, sm->target_ap, ETH_ALEN) != 0) {
396 			wpa_printf(MSG_DEBUG, "FT: No over-the-DS in progress "
397 				   "with this Target AP - drop FT Action "
398 				   "Response");
399 			return -1;
400 		}
401 	}
402 
403 	if (sm->key_mgmt != WPA_KEY_MGMT_FT_IEEE8021X &&
404 	    sm->key_mgmt != WPA_KEY_MGMT_FT_PSK) {
405 		wpa_printf(MSG_DEBUG, "FT: Reject FT IEs since FT is not "
406 			   "enabled for this connection");
407 		return -1;
408 	}
409 
410 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
411 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
412 		return -1;
413 	}
414 
415 	mdie = (struct rsn_mdie *) parse.mdie;
416 	if (mdie == NULL || parse.mdie_len < sizeof(*mdie) ||
417 	    os_memcmp(mdie->mobility_domain, sm->mobility_domain,
418 		      MOBILITY_DOMAIN_ID_LEN) != 0) {
419 		wpa_printf(MSG_DEBUG, "FT: Invalid MDIE");
420 		return -1;
421 	}
422 
423 	ftie = (struct rsn_ftie *) parse.ftie;
424 	if (ftie == NULL || parse.ftie_len < sizeof(*ftie)) {
425 		wpa_printf(MSG_DEBUG, "FT: Invalid FTIE");
426 		return -1;
427 	}
428 
429 	if (os_memcmp(ftie->snonce, sm->snonce, WPA_NONCE_LEN) != 0) {
430 		wpa_printf(MSG_DEBUG, "FT: SNonce mismatch in FTIE");
431 		wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
432 			    ftie->snonce, WPA_NONCE_LEN);
433 		wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce",
434 			    sm->snonce, WPA_NONCE_LEN);
435 		return -1;
436 	}
437 
438 	if (parse.r0kh_id == NULL) {
439 		wpa_printf(MSG_DEBUG, "FT: No R0KH-ID subelem in FTIE");
440 		return -1;
441 	}
442 
443 	if (parse.r0kh_id_len != sm->r0kh_id_len ||
444 	    os_memcmp(parse.r0kh_id, sm->r0kh_id, parse.r0kh_id_len) != 0) {
445 		wpa_printf(MSG_DEBUG, "FT: R0KH-ID in FTIE did not match with "
446 			   "the current R0KH-ID");
447 		wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID in FTIE",
448 			    parse.r0kh_id, parse.r0kh_id_len);
449 		wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID",
450 			    sm->r0kh_id, sm->r0kh_id_len);
451 		return -1;
452 	}
453 
454 	if (parse.r1kh_id == NULL) {
455 		wpa_printf(MSG_DEBUG, "FT: No R1KH-ID subelem in FTIE");
456 		return -1;
457 	}
458 
459 	if (parse.rsn_pmkid == NULL ||
460 	    os_memcmp(parse.rsn_pmkid, sm->pmk_r0_name, WPA_PMK_NAME_LEN)) {
461 		wpa_printf(MSG_DEBUG, "FT: No matching PMKR0Name (PMKID) in "
462 			   "RSNIE");
463 		return -1;
464 	}
465 
466 	os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
467 	wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", sm->r1kh_id, FT_R1KH_ID_LEN);
468 	wpa_hexdump(MSG_DEBUG, "FT: SNonce", sm->snonce, WPA_NONCE_LEN);
469 	wpa_hexdump(MSG_DEBUG, "FT: ANonce", ftie->anonce, WPA_NONCE_LEN);
470 	os_memcpy(sm->anonce, ftie->anonce, WPA_NONCE_LEN);
471 	wpa_derive_pmk_r1(sm->pmk_r0, sm->pmk_r0_name, sm->r1kh_id,
472 			  sm->own_addr, sm->pmk_r1, sm->pmk_r1_name);
473 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", sm->pmk_r1, PMK_LEN);
474 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name",
475 		    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
476 
477 	bssid = target_ap;
478 	ptk_len = sm->pairwise_cipher != WPA_CIPHER_TKIP ? 48 : 64;
479 	wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->snonce, ftie->anonce, sm->own_addr,
480 			  bssid, sm->pmk_r1_name,
481 			  (u8 *) &sm->ptk, ptk_len, ptk_name);
482 	wpa_hexdump_key(MSG_DEBUG, "FT: PTK",
483 			(u8 *) &sm->ptk, ptk_len);
484 	wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
485 
486 	ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, ftie->anonce,
487 				    sm->pmk_r1_name, sm->ptk.kck, bssid,
488 				    ric_ies, ric_ies_len,
489 				    parse.mdie ? parse.mdie - 2 : NULL);
490 	if (ft_ies) {
491 		wpa_sm_update_ft_ies(sm, sm->mobility_domain,
492 				     ft_ies, ft_ies_len);
493 		os_free(ft_ies);
494 	}
495 
496 	wpa_sm_mark_authenticated(sm, bssid);
497 	ret = wpa_ft_install_ptk(sm, bssid);
498 	if (ret) {
499 		/*
500 		 * Some drivers do not support key configuration when we are
501 		 * not associated with the target AP. Work around this by
502 		 * trying again after the following reassociation gets
503 		 * completed.
504 		 */
505 		wpa_printf(MSG_DEBUG, "FT: Failed to set PTK prior to "
506 			   "association - try again after reassociation");
507 		sm->set_ptk_after_assoc = 1;
508 	} else
509 		sm->set_ptk_after_assoc = 0;
510 
511 	sm->ft_completed = 1;
512 	if (ft_action) {
513 		/*
514 		 * The caller is expected trigger re-association with the
515 		 * Target AP.
516 		 */
517 		os_memcpy(sm->bssid, target_ap, ETH_ALEN);
518 	}
519 
520 	return 0;
521 }
522 
523 
524 int wpa_ft_is_completed(struct wpa_sm *sm)
525 {
526 	if (sm == NULL)
527 		return 0;
528 
529 	if (sm->key_mgmt != WPA_KEY_MGMT_FT_IEEE8021X &&
530 	    sm->key_mgmt != WPA_KEY_MGMT_FT_PSK)
531 		return 0;
532 
533 	return sm->ft_completed;
534 }
535 
536 
537 static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem,
538 				      size_t gtk_elem_len)
539 {
540 	u8 gtk[32];
541 	int keyidx;
542 	enum wpa_alg alg;
543 	size_t gtk_len, keylen, rsc_len;
544 
545 	if (gtk_elem == NULL) {
546 		wpa_printf(MSG_DEBUG, "FT: No GTK included in FTIE");
547 		return 0;
548 	}
549 
550 	wpa_hexdump_key(MSG_DEBUG, "FT: Received GTK in Reassoc Resp",
551 			gtk_elem, gtk_elem_len);
552 
553 	if (gtk_elem_len < 11 + 24 || (gtk_elem_len - 11) % 8 ||
554 	    gtk_elem_len - 19 > sizeof(gtk)) {
555 		wpa_printf(MSG_DEBUG, "FT: Invalid GTK sub-elem "
556 			   "length %lu", (unsigned long) gtk_elem_len);
557 		return -1;
558 	}
559 	gtk_len = gtk_elem_len - 19;
560 	if (aes_unwrap(sm->ptk.kek, gtk_len / 8, gtk_elem + 11, gtk)) {
561 		wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not "
562 			   "decrypt GTK");
563 		return -1;
564 	}
565 
566 	keylen = wpa_cipher_key_len(sm->group_cipher);
567 	rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
568 	alg = wpa_cipher_to_alg(sm->group_cipher);
569 	if (alg == WPA_ALG_NONE) {
570 		wpa_printf(MSG_WARNING, "WPA: Unsupported Group Cipher %d",
571 			   sm->group_cipher);
572 		return -1;
573 	}
574 
575 	if (gtk_len < keylen) {
576 		wpa_printf(MSG_DEBUG, "FT: Too short GTK in FTIE");
577 		return -1;
578 	}
579 
580 	/* Key Info[2] | Key Length[1] | RSC[8] | Key[5..32]. */
581 
582 	keyidx = WPA_GET_LE16(gtk_elem) & 0x03;
583 
584 	if (gtk_elem[2] != keylen) {
585 		wpa_printf(MSG_DEBUG, "FT: GTK length mismatch: received %d "
586 			   "negotiated %lu",
587 			   gtk_elem[2], (unsigned long) keylen);
588 		return -1;
589 	}
590 
591 	wpa_hexdump_key(MSG_DEBUG, "FT: GTK from Reassoc Resp", gtk, keylen);
592 	if (wpa_sm_set_key(sm, alg, broadcast_ether_addr, keyidx, 0,
593 			   gtk_elem + 3, rsc_len, gtk, keylen) < 0) {
594 		wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the "
595 			   "driver.");
596 		return -1;
597 	}
598 
599 	return 0;
600 }
601 
602 
603 #ifdef CONFIG_IEEE80211W
604 static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem,
605 				       size_t igtk_elem_len)
606 {
607 	u8 igtk[WPA_IGTK_LEN];
608 	u16 keyidx;
609 
610 	if (sm->mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC)
611 		return 0;
612 
613 	if (igtk_elem == NULL) {
614 		wpa_printf(MSG_DEBUG, "FT: No IGTK included in FTIE");
615 		return 0;
616 	}
617 
618 	wpa_hexdump_key(MSG_DEBUG, "FT: Received IGTK in Reassoc Resp",
619 			igtk_elem, igtk_elem_len);
620 
621 	if (igtk_elem_len != 2 + 6 + 1 + WPA_IGTK_LEN + 8) {
622 		wpa_printf(MSG_DEBUG, "FT: Invalid IGTK sub-elem "
623 			   "length %lu", (unsigned long) igtk_elem_len);
624 		return -1;
625 	}
626 	if (igtk_elem[8] != WPA_IGTK_LEN) {
627 		wpa_printf(MSG_DEBUG, "FT: Invalid IGTK sub-elem Key Length "
628 			   "%d", igtk_elem[8]);
629 		return -1;
630 	}
631 
632 	if (aes_unwrap(sm->ptk.kek, WPA_IGTK_LEN / 8, igtk_elem + 9, igtk)) {
633 		wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not "
634 			   "decrypt IGTK");
635 		return -1;
636 	}
637 
638 	/* KeyID[2] | IPN[6] | Key Length[1] | Key[16+8] */
639 
640 	keyidx = WPA_GET_LE16(igtk_elem);
641 
642 	wpa_hexdump_key(MSG_DEBUG, "FT: IGTK from Reassoc Resp", igtk,
643 			WPA_IGTK_LEN);
644 	if (wpa_sm_set_key(sm, WPA_ALG_IGTK, broadcast_ether_addr, keyidx, 0,
645 			   igtk_elem + 2, 6, igtk, WPA_IGTK_LEN) < 0) {
646 		wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the "
647 			   "driver.");
648 		return -1;
649 	}
650 
651 	return 0;
652 }
653 #endif /* CONFIG_IEEE80211W */
654 
655 
656 int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
657 				 size_t ies_len, const u8 *src_addr)
658 {
659 	struct wpa_ft_ies parse;
660 	struct rsn_mdie *mdie;
661 	struct rsn_ftie *ftie;
662 	unsigned int count;
663 	u8 mic[16];
664 
665 	wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len);
666 
667 	if (sm->key_mgmt != WPA_KEY_MGMT_FT_IEEE8021X &&
668 	    sm->key_mgmt != WPA_KEY_MGMT_FT_PSK) {
669 		wpa_printf(MSG_DEBUG, "FT: Reject FT IEs since FT is not "
670 			   "enabled for this connection");
671 		return -1;
672 	}
673 
674 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
675 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
676 		return -1;
677 	}
678 
679 	mdie = (struct rsn_mdie *) parse.mdie;
680 	if (mdie == NULL || parse.mdie_len < sizeof(*mdie) ||
681 	    os_memcmp(mdie->mobility_domain, sm->mobility_domain,
682 		      MOBILITY_DOMAIN_ID_LEN) != 0) {
683 		wpa_printf(MSG_DEBUG, "FT: Invalid MDIE");
684 		return -1;
685 	}
686 
687 	ftie = (struct rsn_ftie *) parse.ftie;
688 	if (ftie == NULL || parse.ftie_len < sizeof(*ftie)) {
689 		wpa_printf(MSG_DEBUG, "FT: Invalid FTIE");
690 		return -1;
691 	}
692 
693 	if (os_memcmp(ftie->snonce, sm->snonce, WPA_NONCE_LEN) != 0) {
694 		wpa_printf(MSG_DEBUG, "FT: SNonce mismatch in FTIE");
695 		wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
696 			    ftie->snonce, WPA_NONCE_LEN);
697 		wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce",
698 			    sm->snonce, WPA_NONCE_LEN);
699 		return -1;
700 	}
701 
702 	if (os_memcmp(ftie->anonce, sm->anonce, WPA_NONCE_LEN) != 0) {
703 		wpa_printf(MSG_DEBUG, "FT: ANonce mismatch in FTIE");
704 		wpa_hexdump(MSG_DEBUG, "FT: Received ANonce",
705 			    ftie->anonce, WPA_NONCE_LEN);
706 		wpa_hexdump(MSG_DEBUG, "FT: Expected ANonce",
707 			    sm->anonce, WPA_NONCE_LEN);
708 		return -1;
709 	}
710 
711 	if (parse.r0kh_id == NULL) {
712 		wpa_printf(MSG_DEBUG, "FT: No R0KH-ID subelem in FTIE");
713 		return -1;
714 	}
715 
716 	if (parse.r0kh_id_len != sm->r0kh_id_len ||
717 	    os_memcmp(parse.r0kh_id, sm->r0kh_id, parse.r0kh_id_len) != 0) {
718 		wpa_printf(MSG_DEBUG, "FT: R0KH-ID in FTIE did not match with "
719 			   "the current R0KH-ID");
720 		wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID in FTIE",
721 			    parse.r0kh_id, parse.r0kh_id_len);
722 		wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID",
723 			    sm->r0kh_id, sm->r0kh_id_len);
724 		return -1;
725 	}
726 
727 	if (parse.r1kh_id == NULL) {
728 		wpa_printf(MSG_DEBUG, "FT: No R1KH-ID subelem in FTIE");
729 		return -1;
730 	}
731 
732 	if (os_memcmp(parse.r1kh_id, sm->r1kh_id, FT_R1KH_ID_LEN) != 0) {
733 		wpa_printf(MSG_DEBUG, "FT: Unknown R1KH-ID used in "
734 			   "ReassocResp");
735 		return -1;
736 	}
737 
738 	if (parse.rsn_pmkid == NULL ||
739 	    os_memcmp(parse.rsn_pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN)) {
740 		wpa_printf(MSG_DEBUG, "FT: No matching PMKR1Name (PMKID) in "
741 			   "RSNIE (pmkid=%d)", !!parse.rsn_pmkid);
742 		return -1;
743 	}
744 
745 	count = 3;
746 	if (parse.ric)
747 		count += ieee802_11_ie_count(parse.ric, parse.ric_len);
748 	if (ftie->mic_control[1] != count) {
749 		wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
750 			   "Control: received %u expected %u",
751 			   ftie->mic_control[1], count);
752 		return -1;
753 	}
754 
755 	if (wpa_ft_mic(sm->ptk.kck, sm->own_addr, src_addr, 6,
756 		       parse.mdie - 2, parse.mdie_len + 2,
757 		       parse.ftie - 2, parse.ftie_len + 2,
758 		       parse.rsn - 2, parse.rsn_len + 2,
759 		       parse.ric, parse.ric_len,
760 		       mic) < 0) {
761 		wpa_printf(MSG_DEBUG, "FT: Failed to calculate MIC");
762 		return -1;
763 	}
764 
765 	if (os_memcmp(mic, ftie->mic, 16) != 0) {
766 		wpa_printf(MSG_DEBUG, "FT: Invalid MIC in FTIE");
767 		wpa_hexdump(MSG_MSGDUMP, "FT: Received MIC", ftie->mic, 16);
768 		wpa_hexdump(MSG_MSGDUMP, "FT: Calculated MIC", mic, 16);
769 		return -1;
770 	}
771 
772 	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
773 		return -1;
774 
775 #ifdef CONFIG_IEEE80211W
776 	if (wpa_ft_process_igtk_subelem(sm, parse.igtk, parse.igtk_len) < 0)
777 		return -1;
778 #endif /* CONFIG_IEEE80211W */
779 
780 	if (sm->set_ptk_after_assoc) {
781 		wpa_printf(MSG_DEBUG, "FT: Try to set PTK again now that we "
782 			   "are associated");
783 		if (wpa_ft_install_ptk(sm, src_addr) < 0)
784 			return -1;
785 		sm->set_ptk_after_assoc = 0;
786 	}
787 
788 	if (parse.ric) {
789 		wpa_hexdump(MSG_MSGDUMP, "FT: RIC Response",
790 			    parse.ric, parse.ric_len);
791 		/* TODO: parse response and inform driver about results */
792 	}
793 
794 	return 0;
795 }
796 
797 
798 /**
799  * wpa_ft_start_over_ds - Generate over-the-DS auth request
800  * @sm: Pointer to WPA state machine data from wpa_sm_init()
801  * @target_ap: Target AP Address
802  * @mdie: Mobility Domain IE from the target AP
803  * Returns: 0 on success, -1 on failure
804  */
805 int wpa_ft_start_over_ds(struct wpa_sm *sm, const u8 *target_ap,
806 			 const u8 *mdie)
807 {
808 	u8 *ft_ies;
809 	size_t ft_ies_len;
810 
811 	wpa_printf(MSG_DEBUG, "FT: Request over-the-DS with " MACSTR,
812 		   MAC2STR(target_ap));
813 
814 	/* Generate a new SNonce */
815 	if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
816 		wpa_printf(MSG_INFO, "FT: Failed to generate a new SNonce");
817 		return -1;
818 	}
819 
820 	ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, NULL, sm->pmk_r0_name,
821 				    NULL, target_ap, NULL, 0, mdie);
822 	if (ft_ies) {
823 		sm->over_the_ds_in_progress = 1;
824 		os_memcpy(sm->target_ap, target_ap, ETH_ALEN);
825 		wpa_sm_send_ft_action(sm, 1, target_ap, ft_ies, ft_ies_len);
826 		os_free(ft_ies);
827 	}
828 
829 	return 0;
830 }
831 
832 #endif /* CONFIG_IEEE80211R */
833