1 /* 2 * WPA Supplicant - IEEE 802.11r - Fast BSS Transition 3 * Copyright (c) 2006-2018, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/aes_wrap.h" 13 #include "crypto/sha384.h" 14 #include "crypto/random.h" 15 #include "common/ieee802_11_defs.h" 16 #include "common/ieee802_11_common.h" 17 #include "common/ocv.h" 18 #include "drivers/driver.h" 19 #include "wpa.h" 20 #include "wpa_i.h" 21 #include "pmksa_cache.h" 22 23 #ifdef CONFIG_IEEE80211R 24 25 int wpa_derive_ptk_ft(struct wpa_sm *sm, const unsigned char *src_addr, 26 const struct wpa_eapol_key *key, struct wpa_ptk *ptk) 27 { 28 u8 ptk_name[WPA_PMK_NAME_LEN]; 29 const u8 *anonce = key->key_nonce; 30 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt); 31 const u8 *mpmk; 32 size_t mpmk_len; 33 34 if (sm->xxkey_len > 0) { 35 mpmk = sm->xxkey; 36 mpmk_len = sm->xxkey_len; 37 } else if (sm->cur_pmksa) { 38 mpmk = sm->cur_pmksa->pmk; 39 mpmk_len = sm->cur_pmksa->pmk_len; 40 } else { 41 wpa_printf(MSG_DEBUG, "FT: XXKey not available for key " 42 "derivation"); 43 return -1; 44 } 45 46 sm->pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN; 47 if (wpa_derive_pmk_r0(mpmk, mpmk_len, sm->ssid, 48 sm->ssid_len, sm->mobility_domain, 49 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr, 50 sm->pmk_r0, sm->pmk_r0_name, use_sha384) < 0) 51 return -1; 52 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", sm->pmk_r0, sm->pmk_r0_len); 53 wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", 54 sm->pmk_r0_name, WPA_PMK_NAME_LEN); 55 sm->pmk_r1_len = sm->pmk_r0_len; 56 if (wpa_derive_pmk_r1(sm->pmk_r0, sm->pmk_r0_len, sm->pmk_r0_name, 57 sm->r1kh_id, sm->own_addr, sm->pmk_r1, 58 sm->pmk_r1_name) < 0) 59 return -1; 60 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", sm->pmk_r1, sm->pmk_r1_len); 61 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", sm->pmk_r1_name, 62 WPA_PMK_NAME_LEN); 63 return wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len, sm->snonce, anonce, 64 sm->own_addr, sm->bssid, sm->pmk_r1_name, ptk, 65 ptk_name, sm->key_mgmt, sm->pairwise_cipher); 66 } 67 68 69 /** 70 * wpa_sm_set_ft_params - Set FT (IEEE 802.11r) parameters 71 * @sm: Pointer to WPA state machine data from wpa_sm_init() 72 * @ies: Association Response IEs or %NULL to clear FT parameters 73 * @ies_len: Length of ies buffer in octets 74 * Returns: 0 on success, -1 on failure 75 */ 76 int wpa_sm_set_ft_params(struct wpa_sm *sm, const u8 *ies, size_t ies_len) 77 { 78 struct wpa_ft_ies ft; 79 int use_sha384; 80 81 if (sm == NULL) 82 return 0; 83 84 use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt); 85 if (wpa_ft_parse_ies(ies, ies_len, &ft, use_sha384) < 0) 86 return -1; 87 88 if (ft.mdie && ft.mdie_len < MOBILITY_DOMAIN_ID_LEN + 1) 89 return -1; 90 91 if (ft.mdie) { 92 wpa_hexdump(MSG_DEBUG, "FT: Mobility domain", 93 ft.mdie, MOBILITY_DOMAIN_ID_LEN); 94 os_memcpy(sm->mobility_domain, ft.mdie, 95 MOBILITY_DOMAIN_ID_LEN); 96 sm->mdie_ft_capab = ft.mdie[MOBILITY_DOMAIN_ID_LEN]; 97 wpa_printf(MSG_DEBUG, "FT: Capability and Policy: 0x%02x", 98 sm->mdie_ft_capab); 99 } else 100 os_memset(sm->mobility_domain, 0, MOBILITY_DOMAIN_ID_LEN); 101 102 if (ft.r0kh_id) { 103 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID", 104 ft.r0kh_id, ft.r0kh_id_len); 105 os_memcpy(sm->r0kh_id, ft.r0kh_id, ft.r0kh_id_len); 106 sm->r0kh_id_len = ft.r0kh_id_len; 107 } else { 108 /* FIX: When should R0KH-ID be cleared? We need to keep the 109 * old R0KH-ID in order to be able to use this during FT. */ 110 /* 111 * os_memset(sm->r0kh_id, 0, FT_R0KH_ID_LEN); 112 * sm->r0kh_id_len = 0; 113 */ 114 } 115 116 if (ft.r1kh_id) { 117 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", 118 ft.r1kh_id, FT_R1KH_ID_LEN); 119 os_memcpy(sm->r1kh_id, ft.r1kh_id, FT_R1KH_ID_LEN); 120 } else 121 os_memset(sm->r1kh_id, 0, FT_R1KH_ID_LEN); 122 123 os_free(sm->assoc_resp_ies); 124 sm->assoc_resp_ies = os_malloc(ft.mdie_len + 2 + ft.ftie_len + 2); 125 if (sm->assoc_resp_ies) { 126 u8 *pos = sm->assoc_resp_ies; 127 if (ft.mdie) { 128 os_memcpy(pos, ft.mdie - 2, ft.mdie_len + 2); 129 pos += ft.mdie_len + 2; 130 } 131 if (ft.ftie) { 132 os_memcpy(pos, ft.ftie - 2, ft.ftie_len + 2); 133 pos += ft.ftie_len + 2; 134 } 135 sm->assoc_resp_ies_len = pos - sm->assoc_resp_ies; 136 wpa_hexdump(MSG_DEBUG, "FT: Stored MDIE and FTIE from " 137 "(Re)Association Response", 138 sm->assoc_resp_ies, sm->assoc_resp_ies_len); 139 } 140 141 return 0; 142 } 143 144 145 /** 146 * wpa_ft_gen_req_ies - Generate FT (IEEE 802.11r) IEs for Auth/ReAssoc Request 147 * @sm: Pointer to WPA state machine data from wpa_sm_init() 148 * @len: Buffer for returning the length of the IEs 149 * @anonce: ANonce or %NULL if not yet available 150 * @pmk_name: PMKR0Name or PMKR1Name to be added into the RSN IE PMKID List 151 * @kck: 128-bit KCK for MIC or %NULL if no MIC is used 152 * @kck_len: KCK length in octets 153 * @target_ap: Target AP address 154 * @ric_ies: Optional IE(s), e.g., WMM TSPEC(s), for RIC-Request or %NULL 155 * @ric_ies_len: Length of ric_ies buffer in octets 156 * @ap_mdie: Mobility Domain IE from the target AP 157 * Returns: Pointer to buffer with IEs or %NULL on failure 158 * 159 * Caller is responsible for freeing the returned buffer with os_free(); 160 */ 161 static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len, 162 const u8 *anonce, const u8 *pmk_name, 163 const u8 *kck, size_t kck_len, 164 const u8 *target_ap, 165 const u8 *ric_ies, size_t ric_ies_len, 166 const u8 *ap_mdie) 167 { 168 size_t buf_len; 169 u8 *buf, *pos, *ftie_len, *ftie_pos, *fte_mic, *elem_count; 170 struct rsn_mdie *mdie; 171 struct rsn_ie_hdr *rsnie; 172 u16 capab; 173 int mdie_len; 174 175 sm->ft_completed = 0; 176 sm->ft_reassoc_completed = 0; 177 178 buf_len = 2 + sizeof(struct rsn_mdie) + 2 + 179 sizeof(struct rsn_ftie_sha384) + 180 2 + sm->r0kh_id_len + ric_ies_len + 100; 181 buf = os_zalloc(buf_len); 182 if (buf == NULL) 183 return NULL; 184 pos = buf; 185 186 /* RSNIE[PMKR0Name/PMKR1Name] */ 187 rsnie = (struct rsn_ie_hdr *) pos; 188 rsnie->elem_id = WLAN_EID_RSN; 189 WPA_PUT_LE16(rsnie->version, RSN_VERSION); 190 pos = (u8 *) (rsnie + 1); 191 192 /* Group Suite Selector */ 193 if (!wpa_cipher_valid_group(sm->group_cipher)) { 194 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)", 195 sm->group_cipher); 196 os_free(buf); 197 return NULL; 198 } 199 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, 200 sm->group_cipher)); 201 pos += RSN_SELECTOR_LEN; 202 203 /* Pairwise Suite Count */ 204 WPA_PUT_LE16(pos, 1); 205 pos += 2; 206 207 /* Pairwise Suite List */ 208 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 209 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)", 210 sm->pairwise_cipher); 211 os_free(buf); 212 return NULL; 213 } 214 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN, 215 sm->pairwise_cipher)); 216 pos += RSN_SELECTOR_LEN; 217 218 /* Authenticated Key Management Suite Count */ 219 WPA_PUT_LE16(pos, 1); 220 pos += 2; 221 222 /* Authenticated Key Management Suite List */ 223 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) 224 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X); 225 #ifdef CONFIG_SHA384 226 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X_SHA384) 227 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384); 228 #endif /* CONFIG_SHA384 */ 229 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_PSK) 230 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK); 231 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE) 232 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE); 233 #ifdef CONFIG_FILS 234 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA256) 235 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256); 236 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_FILS_SHA384) 237 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384); 238 #endif /* CONFIG_FILS */ 239 else { 240 wpa_printf(MSG_WARNING, "FT: Invalid key management type (%d)", 241 sm->key_mgmt); 242 os_free(buf); 243 return NULL; 244 } 245 pos += RSN_SELECTOR_LEN; 246 247 /* RSN Capabilities */ 248 capab = 0; 249 #ifdef CONFIG_IEEE80211W 250 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC || 251 sm->mgmt_group_cipher == WPA_CIPHER_BIP_GMAC_128 || 252 sm->mgmt_group_cipher == WPA_CIPHER_BIP_GMAC_256 || 253 sm->mgmt_group_cipher == WPA_CIPHER_BIP_CMAC_256) 254 capab |= WPA_CAPABILITY_MFPC; 255 #endif /* CONFIG_IEEE80211W */ 256 if (sm->ocv) 257 capab |= WPA_CAPABILITY_OCVC; 258 WPA_PUT_LE16(pos, capab); 259 pos += 2; 260 261 /* PMKID Count */ 262 WPA_PUT_LE16(pos, 1); 263 pos += 2; 264 265 /* PMKID List [PMKR0Name/PMKR1Name] */ 266 os_memcpy(pos, pmk_name, WPA_PMK_NAME_LEN); 267 pos += WPA_PMK_NAME_LEN; 268 269 #ifdef CONFIG_IEEE80211W 270 /* Management Group Cipher Suite */ 271 switch (sm->mgmt_group_cipher) { 272 case WPA_CIPHER_AES_128_CMAC: 273 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC); 274 pos += RSN_SELECTOR_LEN; 275 break; 276 case WPA_CIPHER_BIP_GMAC_128: 277 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_BIP_GMAC_128); 278 pos += RSN_SELECTOR_LEN; 279 break; 280 case WPA_CIPHER_BIP_GMAC_256: 281 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_BIP_GMAC_256); 282 pos += RSN_SELECTOR_LEN; 283 break; 284 case WPA_CIPHER_BIP_CMAC_256: 285 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_BIP_CMAC_256); 286 pos += RSN_SELECTOR_LEN; 287 break; 288 } 289 #endif /* CONFIG_IEEE80211W */ 290 291 rsnie->len = (pos - (u8 *) rsnie) - 2; 292 293 /* MDIE */ 294 mdie_len = wpa_ft_add_mdie(sm, pos, buf_len - (pos - buf), ap_mdie); 295 if (mdie_len <= 0) { 296 os_free(buf); 297 return NULL; 298 } 299 mdie = (struct rsn_mdie *) (pos + 2); 300 pos += mdie_len; 301 302 /* FTIE[SNonce, [R1KH-ID,] R0KH-ID ] */ 303 ftie_pos = pos; 304 *pos++ = WLAN_EID_FAST_BSS_TRANSITION; 305 ftie_len = pos++; 306 if (wpa_key_mgmt_sha384(sm->key_mgmt)) { 307 struct rsn_ftie_sha384 *ftie; 308 309 ftie = (struct rsn_ftie_sha384 *) pos; 310 fte_mic = ftie->mic; 311 elem_count = &ftie->mic_control[1]; 312 pos += sizeof(*ftie); 313 os_memcpy(ftie->snonce, sm->snonce, WPA_NONCE_LEN); 314 if (anonce) 315 os_memcpy(ftie->anonce, anonce, WPA_NONCE_LEN); 316 } else { 317 struct rsn_ftie *ftie; 318 319 ftie = (struct rsn_ftie *) pos; 320 fte_mic = ftie->mic; 321 elem_count = &ftie->mic_control[1]; 322 pos += sizeof(*ftie); 323 os_memcpy(ftie->snonce, sm->snonce, WPA_NONCE_LEN); 324 if (anonce) 325 os_memcpy(ftie->anonce, anonce, WPA_NONCE_LEN); 326 } 327 if (kck) { 328 /* R1KH-ID sub-element in third FT message */ 329 *pos++ = FTIE_SUBELEM_R1KH_ID; 330 *pos++ = FT_R1KH_ID_LEN; 331 os_memcpy(pos, sm->r1kh_id, FT_R1KH_ID_LEN); 332 pos += FT_R1KH_ID_LEN; 333 } 334 /* R0KH-ID sub-element */ 335 *pos++ = FTIE_SUBELEM_R0KH_ID; 336 *pos++ = sm->r0kh_id_len; 337 os_memcpy(pos, sm->r0kh_id, sm->r0kh_id_len); 338 pos += sm->r0kh_id_len; 339 #ifdef CONFIG_OCV 340 if (kck && wpa_sm_ocv_enabled(sm)) { 341 /* OCI sub-element in the third FT message */ 342 struct wpa_channel_info ci; 343 344 if (wpa_sm_channel_info(sm, &ci) != 0) { 345 wpa_printf(MSG_WARNING, 346 "Failed to get channel info for OCI element in FTE"); 347 os_free(buf); 348 return NULL; 349 } 350 351 *pos++ = FTIE_SUBELEM_OCI; 352 *pos++ = OCV_OCI_LEN; 353 if (ocv_insert_oci(&ci, &pos) < 0) { 354 os_free(buf); 355 return NULL; 356 } 357 } 358 #endif /* CONFIG_OCV */ 359 *ftie_len = pos - ftie_len - 1; 360 361 if (ric_ies) { 362 /* RIC Request */ 363 os_memcpy(pos, ric_ies, ric_ies_len); 364 pos += ric_ies_len; 365 } 366 367 if (kck) { 368 /* 369 * IEEE Std 802.11r-2008, 11A.8.4 370 * MIC shall be calculated over: 371 * non-AP STA MAC address 372 * Target AP MAC address 373 * Transaction seq number (5 for ReassocReq, 3 otherwise) 374 * RSN IE 375 * MDIE 376 * FTIE (with MIC field set to 0) 377 * RIC-Request (if present) 378 */ 379 /* Information element count */ 380 *elem_count = 3 + ieee802_11_ie_count(ric_ies, ric_ies_len); 381 if (wpa_ft_mic(kck, kck_len, sm->own_addr, target_ap, 5, 382 ((u8 *) mdie) - 2, 2 + sizeof(*mdie), 383 ftie_pos, 2 + *ftie_len, 384 (u8 *) rsnie, 2 + rsnie->len, ric_ies, 385 ric_ies_len, fte_mic) < 0) { 386 wpa_printf(MSG_INFO, "FT: Failed to calculate MIC"); 387 os_free(buf); 388 return NULL; 389 } 390 } 391 392 *len = pos - buf; 393 394 return buf; 395 } 396 397 398 static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid) 399 { 400 int keylen; 401 enum wpa_alg alg; 402 u8 null_rsc[6] = { 0, 0, 0, 0, 0, 0 }; 403 404 wpa_printf(MSG_DEBUG, "FT: Installing PTK to the driver."); 405 406 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) { 407 wpa_printf(MSG_WARNING, "FT: Unsupported pairwise cipher %d", 408 sm->pairwise_cipher); 409 return -1; 410 } 411 412 alg = wpa_cipher_to_alg(sm->pairwise_cipher); 413 keylen = wpa_cipher_key_len(sm->pairwise_cipher); 414 415 if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc, 416 sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen) < 0) { 417 wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver"); 418 return -1; 419 } 420 421 return 0; 422 } 423 424 425 /** 426 * wpa_ft_prepare_auth_request - Generate over-the-air auth request 427 * @sm: Pointer to WPA state machine data from wpa_sm_init() 428 * @mdie: Target AP MDIE 429 * Returns: 0 on success, -1 on failure 430 */ 431 int wpa_ft_prepare_auth_request(struct wpa_sm *sm, const u8 *mdie) 432 { 433 u8 *ft_ies; 434 size_t ft_ies_len; 435 436 /* Generate a new SNonce */ 437 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) { 438 wpa_printf(MSG_INFO, "FT: Failed to generate a new SNonce"); 439 return -1; 440 } 441 442 ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, NULL, sm->pmk_r0_name, 443 NULL, 0, sm->bssid, NULL, 0, mdie); 444 if (ft_ies) { 445 wpa_sm_update_ft_ies(sm, sm->mobility_domain, 446 ft_ies, ft_ies_len); 447 os_free(ft_ies); 448 } 449 450 return 0; 451 } 452 453 454 int wpa_ft_add_mdie(struct wpa_sm *sm, u8 *buf, size_t buf_len, 455 const u8 *ap_mdie) 456 { 457 u8 *pos = buf; 458 struct rsn_mdie *mdie; 459 460 if (buf_len < 2 + sizeof(*mdie)) { 461 wpa_printf(MSG_INFO, 462 "FT: Failed to add MDIE: short buffer, length=%zu", 463 buf_len); 464 return 0; 465 } 466 467 *pos++ = WLAN_EID_MOBILITY_DOMAIN; 468 *pos++ = sizeof(*mdie); 469 mdie = (struct rsn_mdie *) pos; 470 os_memcpy(mdie->mobility_domain, sm->mobility_domain, 471 MOBILITY_DOMAIN_ID_LEN); 472 mdie->ft_capab = ap_mdie && ap_mdie[1] >= 3 ? ap_mdie[4] : 473 sm->mdie_ft_capab; 474 475 return 2 + sizeof(*mdie); 476 } 477 478 479 const u8 * wpa_sm_get_ft_md(struct wpa_sm *sm) 480 { 481 return sm->mobility_domain; 482 } 483 484 485 int wpa_ft_process_response(struct wpa_sm *sm, const u8 *ies, size_t ies_len, 486 int ft_action, const u8 *target_ap, 487 const u8 *ric_ies, size_t ric_ies_len) 488 { 489 u8 *ft_ies; 490 size_t ft_ies_len; 491 struct wpa_ft_ies parse; 492 struct rsn_mdie *mdie; 493 u8 ptk_name[WPA_PMK_NAME_LEN]; 494 int ret; 495 const u8 *bssid; 496 const u8 *kck; 497 size_t kck_len; 498 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt); 499 const u8 *anonce, *snonce; 500 501 wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len); 502 wpa_hexdump(MSG_DEBUG, "FT: RIC IEs", ric_ies, ric_ies_len); 503 504 if (ft_action) { 505 if (!sm->over_the_ds_in_progress) { 506 wpa_printf(MSG_DEBUG, "FT: No over-the-DS in progress " 507 "- drop FT Action Response"); 508 return -1; 509 } 510 511 if (os_memcmp(target_ap, sm->target_ap, ETH_ALEN) != 0) { 512 wpa_printf(MSG_DEBUG, "FT: No over-the-DS in progress " 513 "with this Target AP - drop FT Action " 514 "Response"); 515 return -1; 516 } 517 } 518 519 if (!wpa_key_mgmt_ft(sm->key_mgmt)) { 520 wpa_printf(MSG_DEBUG, "FT: Reject FT IEs since FT is not " 521 "enabled for this connection"); 522 return -1; 523 } 524 525 if (wpa_ft_parse_ies(ies, ies_len, &parse, use_sha384) < 0) { 526 wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); 527 return -1; 528 } 529 530 mdie = (struct rsn_mdie *) parse.mdie; 531 if (mdie == NULL || parse.mdie_len < sizeof(*mdie) || 532 os_memcmp(mdie->mobility_domain, sm->mobility_domain, 533 MOBILITY_DOMAIN_ID_LEN) != 0) { 534 wpa_printf(MSG_DEBUG, "FT: Invalid MDIE"); 535 return -1; 536 } 537 538 if (use_sha384) { 539 struct rsn_ftie_sha384 *ftie; 540 541 ftie = (struct rsn_ftie_sha384 *) parse.ftie; 542 if (!ftie || parse.ftie_len < sizeof(*ftie)) { 543 wpa_printf(MSG_DEBUG, "FT: Invalid FTIE"); 544 return -1; 545 } 546 547 anonce = ftie->anonce; 548 snonce = ftie->snonce; 549 } else { 550 struct rsn_ftie *ftie; 551 552 ftie = (struct rsn_ftie *) parse.ftie; 553 if (!ftie || parse.ftie_len < sizeof(*ftie)) { 554 wpa_printf(MSG_DEBUG, "FT: Invalid FTIE"); 555 return -1; 556 } 557 558 anonce = ftie->anonce; 559 snonce = ftie->snonce; 560 } 561 562 if (os_memcmp(snonce, sm->snonce, WPA_NONCE_LEN) != 0) { 563 wpa_printf(MSG_DEBUG, "FT: SNonce mismatch in FTIE"); 564 wpa_hexdump(MSG_DEBUG, "FT: Received SNonce", 565 snonce, WPA_NONCE_LEN); 566 wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce", 567 sm->snonce, WPA_NONCE_LEN); 568 return -1; 569 } 570 571 if (parse.r0kh_id == NULL) { 572 wpa_printf(MSG_DEBUG, "FT: No R0KH-ID subelem in FTIE"); 573 return -1; 574 } 575 576 if (parse.r0kh_id_len != sm->r0kh_id_len || 577 os_memcmp_const(parse.r0kh_id, sm->r0kh_id, parse.r0kh_id_len) != 0) 578 { 579 wpa_printf(MSG_DEBUG, "FT: R0KH-ID in FTIE did not match with " 580 "the current R0KH-ID"); 581 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID in FTIE", 582 parse.r0kh_id, parse.r0kh_id_len); 583 wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID", 584 sm->r0kh_id, sm->r0kh_id_len); 585 return -1; 586 } 587 588 if (parse.r1kh_id == NULL) { 589 wpa_printf(MSG_DEBUG, "FT: No R1KH-ID subelem in FTIE"); 590 return -1; 591 } 592 593 if (parse.rsn_pmkid == NULL || 594 os_memcmp_const(parse.rsn_pmkid, sm->pmk_r0_name, WPA_PMK_NAME_LEN)) 595 { 596 wpa_printf(MSG_DEBUG, "FT: No matching PMKR0Name (PMKID) in " 597 "RSNIE"); 598 return -1; 599 } 600 601 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN); 602 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", sm->r1kh_id, FT_R1KH_ID_LEN); 603 wpa_hexdump(MSG_DEBUG, "FT: SNonce", sm->snonce, WPA_NONCE_LEN); 604 wpa_hexdump(MSG_DEBUG, "FT: ANonce", anonce, WPA_NONCE_LEN); 605 os_memcpy(sm->anonce, anonce, WPA_NONCE_LEN); 606 if (wpa_derive_pmk_r1(sm->pmk_r0, sm->pmk_r0_len, sm->pmk_r0_name, 607 sm->r1kh_id, sm->own_addr, sm->pmk_r1, 608 sm->pmk_r1_name) < 0) 609 return -1; 610 sm->pmk_r1_len = sm->pmk_r0_len; 611 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", sm->pmk_r1, sm->pmk_r1_len); 612 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", 613 sm->pmk_r1_name, WPA_PMK_NAME_LEN); 614 615 bssid = target_ap; 616 if (wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->pmk_r1_len, sm->snonce, 617 anonce, sm->own_addr, bssid, 618 sm->pmk_r1_name, &sm->ptk, ptk_name, sm->key_mgmt, 619 sm->pairwise_cipher) < 0) 620 return -1; 621 622 if (wpa_key_mgmt_fils(sm->key_mgmt)) { 623 kck = sm->ptk.kck2; 624 kck_len = sm->ptk.kck2_len; 625 } else { 626 kck = sm->ptk.kck; 627 kck_len = sm->ptk.kck_len; 628 } 629 ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, anonce, 630 sm->pmk_r1_name, 631 kck, kck_len, bssid, 632 ric_ies, ric_ies_len, 633 parse.mdie ? parse.mdie - 2 : NULL); 634 if (ft_ies) { 635 wpa_sm_update_ft_ies(sm, sm->mobility_domain, 636 ft_ies, ft_ies_len); 637 os_free(ft_ies); 638 } 639 640 wpa_sm_mark_authenticated(sm, bssid); 641 ret = wpa_ft_install_ptk(sm, bssid); 642 if (ret) { 643 /* 644 * Some drivers do not support key configuration when we are 645 * not associated with the target AP. Work around this by 646 * trying again after the following reassociation gets 647 * completed. 648 */ 649 wpa_printf(MSG_DEBUG, "FT: Failed to set PTK prior to " 650 "association - try again after reassociation"); 651 sm->set_ptk_after_assoc = 1; 652 } else 653 sm->set_ptk_after_assoc = 0; 654 655 sm->ft_completed = 1; 656 if (ft_action) { 657 /* 658 * The caller is expected trigger re-association with the 659 * Target AP. 660 */ 661 os_memcpy(sm->bssid, target_ap, ETH_ALEN); 662 } 663 664 return 0; 665 } 666 667 668 int wpa_ft_is_completed(struct wpa_sm *sm) 669 { 670 if (sm == NULL) 671 return 0; 672 673 if (!wpa_key_mgmt_ft(sm->key_mgmt)) 674 return 0; 675 676 return sm->ft_completed; 677 } 678 679 680 void wpa_reset_ft_completed(struct wpa_sm *sm) 681 { 682 if (sm != NULL) 683 sm->ft_completed = 0; 684 } 685 686 687 static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem, 688 size_t gtk_elem_len) 689 { 690 u8 gtk[32]; 691 int keyidx; 692 enum wpa_alg alg; 693 size_t gtk_len, keylen, rsc_len; 694 const u8 *kek; 695 size_t kek_len; 696 697 if (wpa_key_mgmt_fils(sm->key_mgmt)) { 698 kek = sm->ptk.kek2; 699 kek_len = sm->ptk.kek2_len; 700 } else { 701 kek = sm->ptk.kek; 702 kek_len = sm->ptk.kek_len; 703 } 704 705 if (gtk_elem == NULL) { 706 wpa_printf(MSG_DEBUG, "FT: No GTK included in FTIE"); 707 return 0; 708 } 709 710 wpa_hexdump_key(MSG_DEBUG, "FT: Received GTK in Reassoc Resp", 711 gtk_elem, gtk_elem_len); 712 713 if (gtk_elem_len < 11 + 24 || (gtk_elem_len - 11) % 8 || 714 gtk_elem_len - 19 > sizeof(gtk)) { 715 wpa_printf(MSG_DEBUG, "FT: Invalid GTK sub-elem " 716 "length %lu", (unsigned long) gtk_elem_len); 717 return -1; 718 } 719 gtk_len = gtk_elem_len - 19; 720 if (aes_unwrap(kek, kek_len, gtk_len / 8, gtk_elem + 11, gtk)) { 721 wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not " 722 "decrypt GTK"); 723 return -1; 724 } 725 726 keylen = wpa_cipher_key_len(sm->group_cipher); 727 rsc_len = wpa_cipher_rsc_len(sm->group_cipher); 728 alg = wpa_cipher_to_alg(sm->group_cipher); 729 if (alg == WPA_ALG_NONE) { 730 wpa_printf(MSG_WARNING, "WPA: Unsupported Group Cipher %d", 731 sm->group_cipher); 732 return -1; 733 } 734 735 if (gtk_len < keylen) { 736 wpa_printf(MSG_DEBUG, "FT: Too short GTK in FTIE"); 737 return -1; 738 } 739 740 /* Key Info[2] | Key Length[1] | RSC[8] | Key[5..32]. */ 741 742 keyidx = WPA_GET_LE16(gtk_elem) & 0x03; 743 744 if (gtk_elem[2] != keylen) { 745 wpa_printf(MSG_DEBUG, "FT: GTK length mismatch: received %d " 746 "negotiated %lu", 747 gtk_elem[2], (unsigned long) keylen); 748 return -1; 749 } 750 751 wpa_hexdump_key(MSG_DEBUG, "FT: GTK from Reassoc Resp", gtk, keylen); 752 if (sm->group_cipher == WPA_CIPHER_TKIP) { 753 /* Swap Tx/Rx keys for Michael MIC */ 754 u8 tmp[8]; 755 os_memcpy(tmp, gtk + 16, 8); 756 os_memcpy(gtk + 16, gtk + 24, 8); 757 os_memcpy(gtk + 24, tmp, 8); 758 } 759 if (wpa_sm_set_key(sm, alg, broadcast_ether_addr, keyidx, 0, 760 gtk_elem + 3, rsc_len, gtk, keylen) < 0) { 761 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the " 762 "driver."); 763 return -1; 764 } 765 766 return 0; 767 } 768 769 770 #ifdef CONFIG_IEEE80211W 771 static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem, 772 size_t igtk_elem_len) 773 { 774 u8 igtk[WPA_IGTK_MAX_LEN]; 775 size_t igtk_len; 776 u16 keyidx; 777 const u8 *kek; 778 size_t kek_len; 779 780 if (wpa_key_mgmt_fils(sm->key_mgmt)) { 781 kek = sm->ptk.kek2; 782 kek_len = sm->ptk.kek2_len; 783 } else { 784 kek = sm->ptk.kek; 785 kek_len = sm->ptk.kek_len; 786 } 787 788 if (sm->mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC && 789 sm->mgmt_group_cipher != WPA_CIPHER_BIP_GMAC_128 && 790 sm->mgmt_group_cipher != WPA_CIPHER_BIP_GMAC_256 && 791 sm->mgmt_group_cipher != WPA_CIPHER_BIP_CMAC_256) 792 return 0; 793 794 if (igtk_elem == NULL) { 795 wpa_printf(MSG_DEBUG, "FT: No IGTK included in FTIE"); 796 return 0; 797 } 798 799 wpa_hexdump_key(MSG_DEBUG, "FT: Received IGTK in Reassoc Resp", 800 igtk_elem, igtk_elem_len); 801 802 igtk_len = wpa_cipher_key_len(sm->mgmt_group_cipher); 803 if (igtk_elem_len != 2 + 6 + 1 + igtk_len + 8) { 804 wpa_printf(MSG_DEBUG, "FT: Invalid IGTK sub-elem " 805 "length %lu", (unsigned long) igtk_elem_len); 806 return -1; 807 } 808 if (igtk_elem[8] != igtk_len) { 809 wpa_printf(MSG_DEBUG, "FT: Invalid IGTK sub-elem Key Length " 810 "%d", igtk_elem[8]); 811 return -1; 812 } 813 814 if (aes_unwrap(kek, kek_len, igtk_len / 8, igtk_elem + 9, igtk)) { 815 wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not " 816 "decrypt IGTK"); 817 return -1; 818 } 819 820 /* KeyID[2] | IPN[6] | Key Length[1] | Key[16+8] */ 821 822 keyidx = WPA_GET_LE16(igtk_elem); 823 824 wpa_hexdump_key(MSG_DEBUG, "FT: IGTK from Reassoc Resp", igtk, 825 igtk_len); 826 if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher), 827 broadcast_ether_addr, keyidx, 0, 828 igtk_elem + 2, 6, igtk, igtk_len) < 0) { 829 wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the " 830 "driver."); 831 forced_memzero(igtk, sizeof(igtk)); 832 return -1; 833 } 834 forced_memzero(igtk, sizeof(igtk)); 835 836 return 0; 837 } 838 #endif /* CONFIG_IEEE80211W */ 839 840 841 int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, 842 size_t ies_len, const u8 *src_addr) 843 { 844 struct wpa_ft_ies parse; 845 struct rsn_mdie *mdie; 846 unsigned int count; 847 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN]; 848 const u8 *kck; 849 size_t kck_len; 850 int use_sha384 = wpa_key_mgmt_sha384(sm->key_mgmt); 851 const u8 *anonce, *snonce, *fte_mic; 852 u8 fte_elem_count; 853 854 wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len); 855 856 if (!wpa_key_mgmt_ft(sm->key_mgmt)) { 857 wpa_printf(MSG_DEBUG, "FT: Reject FT IEs since FT is not " 858 "enabled for this connection"); 859 return -1; 860 } 861 862 if (sm->ft_reassoc_completed) { 863 wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission"); 864 return 0; 865 } 866 867 if (wpa_ft_parse_ies(ies, ies_len, &parse, use_sha384) < 0) { 868 wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs"); 869 return -1; 870 } 871 872 mdie = (struct rsn_mdie *) parse.mdie; 873 if (mdie == NULL || parse.mdie_len < sizeof(*mdie) || 874 os_memcmp(mdie->mobility_domain, sm->mobility_domain, 875 MOBILITY_DOMAIN_ID_LEN) != 0) { 876 wpa_printf(MSG_DEBUG, "FT: Invalid MDIE"); 877 return -1; 878 } 879 880 if (use_sha384) { 881 struct rsn_ftie_sha384 *ftie; 882 883 ftie = (struct rsn_ftie_sha384 *) parse.ftie; 884 if (!ftie || parse.ftie_len < sizeof(*ftie)) { 885 wpa_printf(MSG_DEBUG, "FT: Invalid FTIE"); 886 return -1; 887 } 888 889 anonce = ftie->anonce; 890 snonce = ftie->snonce; 891 fte_elem_count = ftie->mic_control[1]; 892 fte_mic = ftie->mic; 893 } else { 894 struct rsn_ftie *ftie; 895 896 ftie = (struct rsn_ftie *) parse.ftie; 897 if (!ftie || parse.ftie_len < sizeof(*ftie)) { 898 wpa_printf(MSG_DEBUG, "FT: Invalid FTIE"); 899 return -1; 900 } 901 902 anonce = ftie->anonce; 903 snonce = ftie->snonce; 904 fte_elem_count = ftie->mic_control[1]; 905 fte_mic = ftie->mic; 906 } 907 908 if (os_memcmp(snonce, sm->snonce, WPA_NONCE_LEN) != 0) { 909 wpa_printf(MSG_DEBUG, "FT: SNonce mismatch in FTIE"); 910 wpa_hexdump(MSG_DEBUG, "FT: Received SNonce", 911 snonce, WPA_NONCE_LEN); 912 wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce", 913 sm->snonce, WPA_NONCE_LEN); 914 return -1; 915 } 916 917 if (os_memcmp(anonce, sm->anonce, WPA_NONCE_LEN) != 0) { 918 wpa_printf(MSG_DEBUG, "FT: ANonce mismatch in FTIE"); 919 wpa_hexdump(MSG_DEBUG, "FT: Received ANonce", 920 anonce, WPA_NONCE_LEN); 921 wpa_hexdump(MSG_DEBUG, "FT: Expected ANonce", 922 sm->anonce, WPA_NONCE_LEN); 923 return -1; 924 } 925 926 if (parse.r0kh_id == NULL) { 927 wpa_printf(MSG_DEBUG, "FT: No R0KH-ID subelem in FTIE"); 928 return -1; 929 } 930 931 if (parse.r0kh_id_len != sm->r0kh_id_len || 932 os_memcmp_const(parse.r0kh_id, sm->r0kh_id, parse.r0kh_id_len) != 0) 933 { 934 wpa_printf(MSG_DEBUG, "FT: R0KH-ID in FTIE did not match with " 935 "the current R0KH-ID"); 936 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID in FTIE", 937 parse.r0kh_id, parse.r0kh_id_len); 938 wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID", 939 sm->r0kh_id, sm->r0kh_id_len); 940 return -1; 941 } 942 943 if (parse.r1kh_id == NULL) { 944 wpa_printf(MSG_DEBUG, "FT: No R1KH-ID subelem in FTIE"); 945 return -1; 946 } 947 948 if (os_memcmp_const(parse.r1kh_id, sm->r1kh_id, FT_R1KH_ID_LEN) != 0) { 949 wpa_printf(MSG_DEBUG, "FT: Unknown R1KH-ID used in " 950 "ReassocResp"); 951 return -1; 952 } 953 954 if (parse.rsn_pmkid == NULL || 955 os_memcmp_const(parse.rsn_pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN)) 956 { 957 wpa_printf(MSG_DEBUG, "FT: No matching PMKR1Name (PMKID) in " 958 "RSNIE (pmkid=%d)", !!parse.rsn_pmkid); 959 return -1; 960 } 961 962 count = 3; 963 if (parse.ric) 964 count += ieee802_11_ie_count(parse.ric, parse.ric_len); 965 if (fte_elem_count != count) { 966 wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC " 967 "Control: received %u expected %u", 968 fte_elem_count, count); 969 return -1; 970 } 971 972 if (wpa_key_mgmt_fils(sm->key_mgmt)) { 973 kck = sm->ptk.kck2; 974 kck_len = sm->ptk.kck2_len; 975 } else { 976 kck = sm->ptk.kck; 977 kck_len = sm->ptk.kck_len; 978 } 979 980 if (wpa_ft_mic(kck, kck_len, sm->own_addr, src_addr, 6, 981 parse.mdie - 2, parse.mdie_len + 2, 982 parse.ftie - 2, parse.ftie_len + 2, 983 parse.rsn - 2, parse.rsn_len + 2, 984 parse.ric, parse.ric_len, 985 mic) < 0) { 986 wpa_printf(MSG_DEBUG, "FT: Failed to calculate MIC"); 987 return -1; 988 } 989 990 if (os_memcmp_const(mic, fte_mic, 16) != 0) { 991 wpa_printf(MSG_DEBUG, "FT: Invalid MIC in FTIE"); 992 wpa_hexdump(MSG_MSGDUMP, "FT: Received MIC", fte_mic, 16); 993 wpa_hexdump(MSG_MSGDUMP, "FT: Calculated MIC", mic, 16); 994 return -1; 995 } 996 997 #ifdef CONFIG_OCV 998 if (wpa_sm_ocv_enabled(sm)) { 999 struct wpa_channel_info ci; 1000 1001 if (wpa_sm_channel_info(sm, &ci) != 0) { 1002 wpa_printf(MSG_WARNING, 1003 "Failed to get channel info to validate received OCI in (Re)Assoc Response"); 1004 return -1; 1005 } 1006 1007 if (ocv_verify_tx_params(parse.oci, parse.oci_len, &ci, 1008 channel_width_to_int(ci.chanwidth), 1009 ci.seg1_idx) != 0) { 1010 wpa_printf(MSG_WARNING, "%s", ocv_errorstr); 1011 return -1; 1012 } 1013 } 1014 #endif /* CONFIG_OCV */ 1015 1016 sm->ft_reassoc_completed = 1; 1017 1018 if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0) 1019 return -1; 1020 1021 #ifdef CONFIG_IEEE80211W 1022 if (wpa_ft_process_igtk_subelem(sm, parse.igtk, parse.igtk_len) < 0) 1023 return -1; 1024 #endif /* CONFIG_IEEE80211W */ 1025 1026 if (sm->set_ptk_after_assoc) { 1027 wpa_printf(MSG_DEBUG, "FT: Try to set PTK again now that we " 1028 "are associated"); 1029 if (wpa_ft_install_ptk(sm, src_addr) < 0) 1030 return -1; 1031 sm->set_ptk_after_assoc = 0; 1032 } 1033 1034 if (parse.ric) { 1035 wpa_hexdump(MSG_MSGDUMP, "FT: RIC Response", 1036 parse.ric, parse.ric_len); 1037 /* TODO: parse response and inform driver about results when 1038 * using wpa_supplicant SME */ 1039 } 1040 1041 wpa_printf(MSG_DEBUG, "FT: Completed successfully"); 1042 1043 return 0; 1044 } 1045 1046 1047 /** 1048 * wpa_ft_start_over_ds - Generate over-the-DS auth request 1049 * @sm: Pointer to WPA state machine data from wpa_sm_init() 1050 * @target_ap: Target AP Address 1051 * @mdie: Mobility Domain IE from the target AP 1052 * Returns: 0 on success, -1 on failure 1053 */ 1054 int wpa_ft_start_over_ds(struct wpa_sm *sm, const u8 *target_ap, 1055 const u8 *mdie) 1056 { 1057 u8 *ft_ies; 1058 size_t ft_ies_len; 1059 1060 wpa_printf(MSG_DEBUG, "FT: Request over-the-DS with " MACSTR, 1061 MAC2STR(target_ap)); 1062 1063 /* Generate a new SNonce */ 1064 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) { 1065 wpa_printf(MSG_INFO, "FT: Failed to generate a new SNonce"); 1066 return -1; 1067 } 1068 1069 ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, NULL, sm->pmk_r0_name, 1070 NULL, 0, target_ap, NULL, 0, mdie); 1071 if (ft_ies) { 1072 sm->over_the_ds_in_progress = 1; 1073 os_memcpy(sm->target_ap, target_ap, ETH_ALEN); 1074 wpa_sm_send_ft_action(sm, 1, target_ap, ft_ies, ft_ies_len); 1075 os_free(ft_ies); 1076 } 1077 1078 return 0; 1079 } 1080 1081 #endif /* CONFIG_IEEE80211R */ 1082