1 /*
2 * WPA Supplicant - IEEE 802.11r - Fast BSS Transition
3 * Copyright (c) 2006-2018, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/aes_wrap.h"
13 #include "crypto/random.h"
14 #include "common/ieee802_11_defs.h"
15 #include "common/ieee802_11_common.h"
16 #include "wpa.h"
17 #include "wpa_i.h"
18
19 #ifdef CONFIG_IEEE80211R
20
21 #define DEFAULT_KEK_LEN 16
22
wpa_derive_ptk_ft(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk)23 int wpa_derive_ptk_ft(struct wpa_sm *sm, const unsigned char *src_addr,
24 const struct wpa_eapol_key *key, struct wpa_ptk *ptk)
25 {
26 u8 ptk_name[WPA_PMK_NAME_LEN];
27 const u8 *anonce = key->key_nonce;
28
29 if (sm->xxkey_len == 0) {
30 wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
31 "derivation");
32 return -1;
33 }
34
35 wpa_hexdump_key(MSG_DEBUG, "FT: xxkey", sm->xxkey, sm->xxkey_len);
36 wpa_hexdump_key(MSG_DEBUG, "FT: ssid", sm->ssid, sm->ssid_len);
37 wpa_hexdump_key(MSG_DEBUG, "FT: r0kh_id", sm->r0kh_id, sm->r0kh_id_len);
38 wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, sm->ssid,
39 sm->ssid_len, sm->mobility_domain,
40 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
41 sm->pmk_r0, sm->pmk_r0_name);
42 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", sm->pmk_r0, PMK_LEN);
43 wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name",
44 sm->pmk_r0_name, WPA_PMK_NAME_LEN);
45 wpa_derive_pmk_r1(sm->pmk_r0, sm->pmk_r0_name, sm->r1kh_id,
46 sm->own_addr, sm->pmk_r1, sm->pmk_r1_name);
47 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", sm->pmk_r1, PMK_LEN);
48 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", sm->pmk_r1_name,
49 WPA_PMK_NAME_LEN);
50 return wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->snonce, anonce, sm->own_addr,
51 sm->bssid, sm->pmk_r1_name, ptk, ptk_name,
52 sm->key_mgmt, sm->pairwise_cipher);
53 }
54
55
56 /**
57 * wpa_sm_set_ft_params - Set FT (IEEE 802.11r) parameters
58 * @sm: Pointer to WPA state machine data from wpa_sm_init()
59 * @ies: Association Response IEs or %NULL to clear FT parameters
60 * @ies_len: Length of ies buffer in octets
61 * Returns: 0 on success, -1 on failure
62 */
wpa_sm_set_ft_params(struct wpa_sm * sm,const u8 * ies,size_t ies_len)63 int wpa_sm_set_ft_params(struct wpa_sm *sm, const u8 *ies, size_t ies_len)
64 {
65 struct wpa_ft_ies ft;
66
67 if (sm == NULL)
68 return 0;
69
70 if (!get_ie(ies, ies_len, WLAN_EID_MOBILITY_DOMAIN)) {
71 os_free(sm->assoc_resp_ies);
72 sm->assoc_resp_ies = NULL;
73 sm->assoc_resp_ies_len = 0;
74 os_memset(sm->mobility_domain, 0, MOBILITY_DOMAIN_ID_LEN);
75 os_memset(sm->r0kh_id, 0, FT_R0KH_ID_MAX_LEN);
76 sm->r0kh_id_len = 0;
77 os_memset(sm->r1kh_id, 0, FT_R1KH_ID_LEN);
78 sm->ft_protocol = 0;
79 return 0;
80 }
81
82 if (wpa_ft_parse_ies(ies, ies_len, &ft) < 0)
83 return -1;
84
85 if (ft.mdie_len < MOBILITY_DOMAIN_ID_LEN + 1)
86 return -1;
87
88 wpa_hexdump(MSG_DEBUG, "FT: Mobility domain",
89 ft.mdie, MOBILITY_DOMAIN_ID_LEN);
90 os_memcpy(sm->mobility_domain, ft.mdie, MOBILITY_DOMAIN_ID_LEN);
91 sm->mdie_ft_capab = ft.mdie[MOBILITY_DOMAIN_ID_LEN];
92 wpa_printf(MSG_DEBUG, "FT: Capability and Policy: 0x%02x",
93 sm->mdie_ft_capab);
94
95 if (ft.r0kh_id) {
96 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID",
97 ft.r0kh_id, ft.r0kh_id_len);
98 os_memcpy(sm->r0kh_id, ft.r0kh_id, ft.r0kh_id_len);
99 sm->r0kh_id_len = ft.r0kh_id_len;
100 } else {
101 /* FIX: When should R0KH-ID be cleared? We need to keep the
102 * old R0KH-ID in order to be able to use this during FT. */
103 /*
104 * os_memset(sm->r0kh_id, 0, FT_R0KH_ID_LEN);
105 * sm->r0kh_id_len = 0;
106 */
107 }
108
109 if (ft.r1kh_id) {
110 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID",
111 ft.r1kh_id, FT_R1KH_ID_LEN);
112 os_memcpy(sm->r1kh_id, ft.r1kh_id, FT_R1KH_ID_LEN);
113 } else
114 os_memset(sm->r1kh_id, 0, FT_R1KH_ID_LEN);
115
116 os_free(sm->assoc_resp_ies);
117 sm->assoc_resp_ies = os_malloc(ft.mdie_len + 2 + ft.ftie_len + 2);
118 if (sm->assoc_resp_ies) {
119 u8 *pos = sm->assoc_resp_ies;
120
121 os_memcpy(pos, ft.mdie - 2, ft.mdie_len + 2);
122 pos += ft.mdie_len + 2;
123
124 if (ft.ftie) {
125 os_memcpy(pos, ft.ftie - 2, ft.ftie_len + 2);
126 pos += ft.ftie_len + 2;
127 }
128 sm->assoc_resp_ies_len = pos - sm->assoc_resp_ies;
129 wpa_hexdump(MSG_DEBUG, "FT: Stored MDIE and FTIE from "
130 "(Re)Association Response",
131 sm->assoc_resp_ies, sm->assoc_resp_ies_len);
132 }
133
134 return 0;
135 }
136
137 /**
138 * wpa_ft_gen_req_ies - Generate FT (IEEE 802.11r) IEs for Auth/ReAssoc Request
139 * @sm: Pointer to WPA state machine data from wpa_sm_init()
140 * @len: Buffer for returning the length of the IEs
141 * @anonce: ANonce or %NULL if not yet available
142 * @pmk_name: PMKR0Name or PMKR1Name to be added into the RSN IE PMKID List
143 * @kck: 128-bit KCK for MIC or %NULL if no MIC is used
144 * @kck_len: KCK length in octet
145 * @target_ap: Target AP address
146 * @ric_ies: Optional IE(s), e.g., WMM TSPEC(s), for RIC-Request or %NULL
147 * @ric_ies_len: Length of ric_ies buffer in octets
148 * @ap_mdie: Mobility Domain IE from the target AP
149 * Returns: Pointer to buffer with IEs or %NULL on failure
150 *
151 * Caller is responsible for freeing the returned buffer with os_free();
152 */
wpa_ft_gen_req_ies(struct wpa_sm * sm,size_t * len,const u8 * anonce,const u8 * pmk_name,const u8 * kck,size_t kck_len,const u8 * target_ap,const u8 * ric_ies,size_t ric_ies_len,const u8 * ap_mdie)153 static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
154 const u8 *anonce, const u8 *pmk_name,
155 const u8 *kck, size_t kck_len,
156 const u8 *target_ap,
157 const u8 *ric_ies, size_t ric_ies_len,
158 const u8 *ap_mdie)
159 {
160 size_t buf_len;
161 u8 *buf, *pos, *ftie_len, *ftie_pos;
162 struct rsn_mdie *mdie;
163 struct rsn_ftie *ftie;
164 struct rsn_ie_hdr *rsnie;
165 int mdie_len;
166 u16 capab;
167
168 sm->ft_completed = 0;
169
170 buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
171 2 + sm->r0kh_id_len + ric_ies_len + 100;
172 buf = os_zalloc(buf_len);
173 if (buf == NULL)
174 return NULL;
175 pos = buf;
176
177 /* RSNIE[PMKR0Name/PMKR1Name] */
178 rsnie = (struct rsn_ie_hdr *) pos;
179 rsnie->elem_id = WLAN_EID_RSN;
180 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
181 pos = (u8 *) (rsnie + 1);
182
183 /* Group Suite Selector */
184 if (sm->group_cipher != WPA_CIPHER_CCMP &&
185 sm->group_cipher != WPA_CIPHER_GCMP &&
186 sm->group_cipher != WPA_CIPHER_TKIP) {
187 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
188 sm->group_cipher);
189 os_free(buf);
190 return NULL;
191 }
192 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
193 sm->group_cipher));
194 pos += RSN_SELECTOR_LEN;
195
196 /* Pairwise Suite Count */
197 WPA_PUT_LE16(pos, 1);
198 pos += 2;
199
200 /* Pairwise Suite List */
201 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
202 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
203 sm->pairwise_cipher);
204 os_free(buf);
205 return NULL;
206 }
207 RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
208 sm->pairwise_cipher));
209 pos += RSN_SELECTOR_LEN;
210
211 /* Authenticated Key Management Suite Count */
212 WPA_PUT_LE16(pos, 1);
213 pos += 2;
214
215 /* Authenticated Key Management Suite List */
216 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X)
217 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
218 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_PSK)
219 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
220 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_SAE)
221 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
222 else {
223 wpa_printf(MSG_WARNING, "FT: Invalid key management type (%d)",
224 sm->key_mgmt);
225 os_free(buf);
226 return NULL;
227 }
228 pos += RSN_SELECTOR_LEN;
229
230 /* RSN Capabilities */
231 capab = 0;
232 #ifdef CONFIG_IEEE80211W
233 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
234 capab |= WPA_CAPABILITY_MFPC;
235 #endif /* CONFIG_IEEE80211W */
236 WPA_PUT_LE16(pos, capab);
237 pos += 2;
238
239 /* PMKID Count */
240 WPA_PUT_LE16(pos, 1);
241 pos += 2;
242
243 /* PMKID List [PMKR0Name/PMKR1Name] */
244 os_memcpy(pos, pmk_name, WPA_PMK_NAME_LEN);
245 pos += WPA_PMK_NAME_LEN;
246
247 #ifdef CONFIG_IEEE80211W
248 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
249 /* Management Group Cipher Suite */
250 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
251 pos += RSN_SELECTOR_LEN;
252 }
253 #endif /* CONFIG_IEEE80211W */
254
255 rsnie->len = (pos - (u8 *) rsnie) - 2;
256
257 /* MDIE */
258 mdie_len = wpa_ft_add_mdie(sm, pos, buf_len - (pos - buf), ap_mdie);
259 if (mdie_len <= 0) {
260 os_free(buf);
261 return NULL;
262 }
263 mdie = (struct rsn_mdie *) (pos + 2);
264 pos += mdie_len;
265
266 /* FTIE[SNonce, [R1KH-ID,] R0KH-ID ] */
267 ftie_pos = pos;
268 *pos++ = WLAN_EID_FAST_BSS_TRANSITION;
269 ftie_len = pos++;
270 ftie = (struct rsn_ftie *) pos;
271 pos += sizeof(*ftie);
272 os_memcpy(ftie->snonce, sm->snonce, WPA_NONCE_LEN);
273 if (anonce)
274 os_memcpy(ftie->anonce, anonce, WPA_NONCE_LEN);
275 if (kck) {
276 /* R1KH-ID sub-element in third FT message */
277 *pos++ = FTIE_SUBELEM_R1KH_ID;
278 *pos++ = FT_R1KH_ID_LEN;
279 os_memcpy(pos, sm->r1kh_id, FT_R1KH_ID_LEN);
280 pos += FT_R1KH_ID_LEN;
281 }
282 /* R0KH-ID sub-element */
283 *pos++ = FTIE_SUBELEM_R0KH_ID;
284 *pos++ = sm->r0kh_id_len;
285 os_memcpy(pos, sm->r0kh_id, sm->r0kh_id_len);
286 pos += sm->r0kh_id_len;
287 *ftie_len = pos - ftie_len - 1;
288
289 if (ric_ies) {
290 /* RIC Request */
291 os_memcpy(pos, ric_ies, ric_ies_len);
292 pos += ric_ies_len;
293 }
294
295 if (kck) {
296 /*
297 * IEEE Std 802.11r-2008, 11A.8.4
298 * MIC shall be calculated over:
299 * non-AP STA MAC address
300 * Target AP MAC address
301 * Transaction seq number (5 for ReassocReq, 3 otherwise)
302 * RSN IE
303 * MDIE
304 * FTIE (with MIC field set to 0)
305 * RIC-Request (if present)
306 */
307 /* Information element count */
308 ftie->mic_control[1] = 3 + ieee802_11_ie_count(ric_ies,
309 ric_ies_len);
310 if (wpa_ft_mic(kck, kck_len, sm->own_addr, target_ap, 5,
311 ((u8 *) mdie) - 2, 2 + sizeof(*mdie),
312 ftie_pos, 2 + *ftie_len,
313 (u8 *) rsnie, 2 + rsnie->len, ric_ies,
314 ric_ies_len, ftie->mic) < 0) {
315 wpa_printf(MSG_INFO, "FT: Failed to calculate MIC");
316 os_free(buf);
317 return NULL;
318 }
319 }
320
321 *len = pos - buf;
322
323 return buf;
324 }
325
326
wpa_ft_install_ptk(struct wpa_sm * sm,const u8 * bssid)327 static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid)
328 {
329 int keylen;
330 enum wpa_alg alg;
331 u8 null_rsc[6] = { 0, 0, 0, 0, 0, 0 };
332
333 wpa_printf(MSG_DEBUG, "FT: Installing PTK to the driver.");
334
335 if (!wpa_cipher_valid_pairwise(sm->pairwise_cipher)) {
336 wpa_printf(MSG_WARNING, "FT: Unsupported pairwise cipher %d",
337 sm->pairwise_cipher);
338 return -1;
339 }
340
341 alg = wpa_cipher_to_alg(sm->pairwise_cipher);
342 keylen = wpa_cipher_key_len(sm->pairwise_cipher);
343
344 if (wpa_sm_set_key(&(sm->install_ptk), alg, (u8 *)bssid, 0, 1, null_rsc,
345 sizeof(null_rsc), (u8 *) sm->ptk.tk, keylen, KEY_FLAG_PAIRWISE) < 0) {
346 wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver");
347 return -1;
348 }
349
350 return 0;
351 }
352
353
354 /**
355 * wpa_ft_prepare_auth_request - Generate over-the-air auth request
356 * @sm: Pointer to WPA state machine data from wpa_sm_init()
357 * @mdie: Target AP MDIE
358 * Returns: 0 on success, -1 on failure
359 */
wpa_ft_prepare_auth_request(struct wpa_sm * sm,const u8 * mdie)360 int wpa_ft_prepare_auth_request(struct wpa_sm *sm, const u8 *mdie)
361 {
362 u8 *ft_ies;
363 size_t ft_ies_len;
364
365 /* Generate a new SNonce */
366 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
367 wpa_printf(MSG_INFO, "FT: Failed to generate a new SNonce");
368 return -1;
369 }
370
371 ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, NULL, sm->pmk_r0_name,
372 NULL, 0, sm->bssid, NULL, 0, mdie);
373 if (ft_ies) {
374 wpa_sm_update_ft_ies(sm, sm->mobility_domain,
375 ft_ies, ft_ies_len, true);
376 os_free(ft_ies);
377 }
378
379 return 0;
380 }
381
382
wpa_ft_add_mdie(struct wpa_sm * sm,u8 * buf,size_t buf_len,const u8 * ap_mdie)383 int wpa_ft_add_mdie(struct wpa_sm *sm, u8 *buf, size_t buf_len,
384 const u8 *ap_mdie)
385 {
386 u8 *pos = buf;
387 struct rsn_mdie *mdie;
388
389 if (buf_len < 2 + sizeof(*mdie)) {
390 wpa_printf(MSG_INFO,
391 "FT: Failed to add MDIE: short buffer, length=%zu",
392 buf_len);
393 return 0;
394 }
395
396 *pos++ = WLAN_EID_MOBILITY_DOMAIN;
397 *pos++ = sizeof(*mdie);
398 mdie = (struct rsn_mdie *) pos;
399 os_memcpy(mdie->mobility_domain, sm->mobility_domain,
400 MOBILITY_DOMAIN_ID_LEN);
401 mdie->ft_capab = ap_mdie && ap_mdie[1] >= 3 ? ap_mdie[4] :
402 sm->mdie_ft_capab;
403
404 return 2 + sizeof(*mdie);
405 }
406
407
wpa_sm_get_ft_md(struct wpa_sm * sm)408 const u8 * wpa_sm_get_ft_md(struct wpa_sm *sm)
409 {
410 return sm->mobility_domain;
411 }
412
413
wpa_ft_process_response(struct wpa_sm * sm,const u8 * ies,size_t ies_len,int ft_action,const u8 * target_ap,const u8 * ric_ies,size_t ric_ies_len)414 int wpa_ft_process_response(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
415 int ft_action, const u8 *target_ap,
416 const u8 *ric_ies, size_t ric_ies_len)
417 {
418 u8 *ft_ies;
419 size_t ft_ies_len;
420 struct wpa_ft_ies parse;
421 struct rsn_mdie *mdie;
422 struct rsn_ftie *ftie;
423 u8 ptk_name[WPA_PMK_NAME_LEN];
424 int ret;
425 const u8 *bssid;
426
427 wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len);
428 wpa_hexdump(MSG_DEBUG, "FT: RIC IEs", ric_ies, ric_ies_len);
429
430 if (ft_action) {
431 if (!sm->over_the_ds_in_progress) {
432 wpa_printf(MSG_DEBUG, "FT: No over-the-DS in progress "
433 "- drop FT Action Response");
434 return -1;
435 }
436
437 if (os_memcmp(target_ap, sm->target_ap, ETH_ALEN) != 0) {
438 wpa_printf(MSG_DEBUG, "FT: No over-the-DS in progress "
439 "with this Target AP - drop FT Action "
440 "Response");
441 return -1;
442 }
443 }
444
445 if (!wpa_key_mgmt_ft(sm->key_mgmt)) {
446 wpa_printf(MSG_DEBUG, "FT: Reject FT IEs since FT is not "
447 "enabled for this connection");
448 return -1;
449 }
450
451 if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
452 wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
453 return -1;
454 }
455
456 mdie = (struct rsn_mdie *) parse.mdie;
457 if (mdie == NULL || parse.mdie_len < sizeof(*mdie) ||
458 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
459 MOBILITY_DOMAIN_ID_LEN) != 0) {
460 wpa_printf(MSG_DEBUG, "FT: Invalid MDIE");
461 return -1;
462 }
463
464 ftie = (struct rsn_ftie *) parse.ftie;
465 if (ftie == NULL || parse.ftie_len < sizeof(*ftie)) {
466 wpa_printf(MSG_DEBUG, "FT: Invalid FTIE");
467 return -1;
468 }
469
470 if (os_memcmp(ftie->snonce, sm->snonce, WPA_NONCE_LEN) != 0) {
471 wpa_printf(MSG_DEBUG, "FT: SNonce mismatch in FTIE");
472 wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
473 ftie->snonce, WPA_NONCE_LEN);
474 wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce",
475 sm->snonce, WPA_NONCE_LEN);
476 return -1;
477 }
478
479 if (parse.r0kh_id == NULL) {
480 wpa_printf(MSG_DEBUG, "FT: No R0KH-ID subelem in FTIE");
481 return -1;
482 }
483
484 if (parse.r0kh_id_len != sm->r0kh_id_len ||
485 os_memcmp_const(parse.r0kh_id, sm->r0kh_id, parse.r0kh_id_len) != 0)
486 {
487 wpa_printf(MSG_DEBUG, "FT: R0KH-ID in FTIE did not match with "
488 "the current R0KH-ID");
489 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID in FTIE",
490 parse.r0kh_id, parse.r0kh_id_len);
491 wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID",
492 sm->r0kh_id, sm->r0kh_id_len);
493 return -1;
494 }
495
496 if (parse.r1kh_id == NULL) {
497 wpa_printf(MSG_DEBUG, "FT: No R1KH-ID subelem in FTIE");
498 return -1;
499 }
500
501 if (parse.rsn_pmkid == NULL ||
502 os_memcmp_const(parse.rsn_pmkid, sm->pmk_r0_name, WPA_PMK_NAME_LEN))
503 {
504 wpa_printf(MSG_DEBUG, "FT: No matching PMKR0Name (PMKID) in "
505 "RSNIE");
506 return -1;
507 }
508
509 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
510 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", sm->r1kh_id, FT_R1KH_ID_LEN);
511 wpa_hexdump(MSG_DEBUG, "FT: SNonce", sm->snonce, WPA_NONCE_LEN);
512 wpa_hexdump(MSG_DEBUG, "FT: ANonce", ftie->anonce, WPA_NONCE_LEN);
513 os_memcpy(sm->anonce, ftie->anonce, WPA_NONCE_LEN);
514 wpa_derive_pmk_r1(sm->pmk_r0, sm->pmk_r0_name, sm->r1kh_id,
515 sm->own_addr, sm->pmk_r1, sm->pmk_r1_name);
516 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", sm->pmk_r1, PMK_LEN);
517 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name",
518 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
519
520 bssid = target_ap;
521
522 if (wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->snonce, ftie->anonce,
523 sm->own_addr, bssid, sm->pmk_r1_name, &sm->ptk,
524 ptk_name, sm->key_mgmt, sm->pairwise_cipher) < 0)
525 return -1;
526
527 ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, ftie->anonce,
528 sm->pmk_r1_name,
529 sm->ptk.kck, sm->ptk.kck_len, bssid,
530 ric_ies, ric_ies_len,
531 parse.mdie ? parse.mdie - 2 : NULL);
532 if (ft_ies) {
533 wpa_sm_update_ft_ies(sm, sm->mobility_domain,
534 ft_ies, ft_ies_len, false);
535 os_free(ft_ies);
536 }
537
538 wpa_sm_mark_authenticated(sm, bssid);
539 ret = wpa_ft_install_ptk(sm, bssid);
540 if (ret) {
541 /*
542 * Some drivers do not support key configuration when we are
543 * not associated with the target AP. Work around this by
544 * trying again after the following reassociation gets
545 * completed.
546 */
547 wpa_printf(MSG_DEBUG, "FT: Failed to set PTK prior to "
548 "association - try again after reassociation");
549 sm->set_ptk_after_assoc = 1;
550 } else
551 sm->set_ptk_after_assoc = 0;
552
553 sm->ft_completed = 1;
554 if (ft_action) {
555 /*
556 * The caller is expected trigger re-association with the
557 * Target AP.
558 */
559 os_memcpy(sm->bssid, target_ap, ETH_ALEN);
560 }
561
562 return 0;
563 }
564
565
wpa_ft_is_completed(struct wpa_sm * sm)566 int wpa_ft_is_completed(struct wpa_sm *sm)
567 {
568 if (sm == NULL)
569 return 0;
570
571 if (!wpa_key_mgmt_ft(sm->key_mgmt))
572 return 0;
573
574 return sm->ft_completed;
575 }
576
577
wpa_reset_ft_completed(struct wpa_sm * sm)578 void wpa_reset_ft_completed(struct wpa_sm *sm)
579 {
580 if (sm != NULL)
581 sm->ft_completed = 0;
582 }
583
584
wpa_ft_process_gtk_subelem(struct wpa_sm * sm,const u8 * gtk_elem,size_t gtk_elem_len)585 static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem,
586 size_t gtk_elem_len)
587 {
588 u8 gtk[32];
589 int keyidx;
590 enum wpa_alg alg;
591 size_t gtk_len, keylen, rsc_len;
592
593 if (gtk_elem == NULL) {
594 wpa_printf(MSG_DEBUG, "FT: No GTK included in FTIE");
595 return 0;
596 }
597
598 wpa_hexdump_key(MSG_DEBUG, "FT: Received GTK in Reassoc Resp",
599 gtk_elem, gtk_elem_len);
600
601 if (gtk_elem_len < 11 + 24 || (gtk_elem_len - 11) % 8 ||
602 gtk_elem_len - 19 > sizeof(gtk)) {
603 wpa_printf(MSG_DEBUG, "FT: Invalid GTK sub-elem "
604 "length %lu", (unsigned long) gtk_elem_len);
605 return -1;
606 }
607 gtk_len = gtk_elem_len - 19;
608 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, gtk_len / 8, gtk_elem + 11, gtk)) {
609 wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not "
610 "decrypt GTK");
611 return -1;
612 }
613
614 keylen = wpa_cipher_key_len(sm->group_cipher);
615 rsc_len = wpa_cipher_rsc_len(sm->group_cipher);
616 alg = wpa_cipher_to_alg(sm->group_cipher);
617 if (alg == WIFI_WPA_ALG_NONE) {
618 wpa_printf(MSG_WARNING, "WPA: Unsupported Group Cipher %d",
619 sm->group_cipher);
620 return -1;
621 }
622
623 if (gtk_len < keylen) {
624 wpa_printf(MSG_DEBUG, "FT: Too short GTK in FTIE");
625 return -1;
626 }
627
628 /* Key Info[2] | Key Length[1] | RSC[8] | Key[5..32]. */
629
630 keyidx = WPA_GET_LE16(gtk_elem) & 0x03;
631
632 if (gtk_elem[2] != keylen) {
633 wpa_printf(MSG_DEBUG, "FT: GTK length mismatch: received %d "
634 "negotiated %lu",
635 gtk_elem[2], (unsigned long) keylen);
636 return -1;
637 }
638
639 wpa_hexdump_key(MSG_DEBUG, "FT: GTK from Reassoc Resp", gtk, keylen);
640 if (sm->group_cipher == WPA_CIPHER_TKIP) {
641 /* Swap Tx/Rx keys for Michael MIC */
642 u8 tmp[8];
643 os_memcpy(tmp, gtk + 16, 8);
644 os_memcpy(gtk + 16, gtk + 24, 8);
645 os_memcpy(gtk + 24, tmp, 8);
646 }
647 if (wpa_sm_set_key(&(sm->install_gtk), alg, sm->bssid, keyidx, 0,
648 (u8 *)(gtk_elem + 3), rsc_len, gtk, keylen, KEY_FLAG_GROUP | KEY_FLAG_RX) < 0) {
649 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the "
650 "driver.");
651 return -1;
652 }
653
654 return 0;
655 }
656
657
658 #ifdef CONFIG_IEEE80211W
wpa_ft_process_igtk_subelem(struct wpa_sm * sm,const u8 * igtk_elem,size_t igtk_elem_len)659 static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem,
660 size_t igtk_elem_len)
661 {
662 u8 igtk[WPA_IGTK_LEN];
663
664 if (sm->mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC)
665 return 0;
666
667 if (igtk_elem == NULL) {
668 wpa_printf(MSG_DEBUG, "FT: No IGTK included in FTIE");
669 return 0;
670 }
671
672 wpa_hexdump_key(MSG_DEBUG, "FT: Received IGTK in Reassoc Resp",
673 igtk_elem, igtk_elem_len);
674
675 if (igtk_elem_len != 2 + 6 + 1 + WPA_IGTK_LEN + 8) {
676 wpa_printf(MSG_DEBUG, "FT: Invalid IGTK sub-elem "
677 "length %lu", (unsigned long) igtk_elem_len);
678 return -1;
679 }
680 if (igtk_elem[8] != WPA_IGTK_LEN) {
681 wpa_printf(MSG_DEBUG, "FT: Invalid IGTK sub-elem Key Length "
682 "%d", igtk_elem[8]);
683 return -1;
684 }
685
686 if (aes_unwrap(sm->ptk.kek, sm->ptk.kek_len, WPA_IGTK_LEN / 8,
687 igtk_elem + 9, igtk)) {
688 wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not "
689 "decrypt IGTK");
690 return -1;
691 }
692
693 /* KeyID[2] | IPN[6] | Key Length[1] | Key[16+8] */
694
695 wpa_hexdump_key(MSG_DEBUG, "FT: IGTK from Reassoc Resp", igtk,
696 WPA_IGTK_LEN);
697 #ifdef ESP_SUPPLICANT
698 if (esp_wifi_set_igtk_internal(WIFI_IF_STA, (wifi_wpa_igtk_t *)igtk) < 0) {
699 #else
700 keyidx = WPA_GET_LE16(igtk_elem);
701 if (wpa_sm_set_key(&(sm->install_gtk), WIFI_WPA_ALG_IGTK, sm->bssid, keyidx, 0,
702 (u8 *)(igtk_elem + 2), 6, igtk, WPA_IGTK_LEN, sm->key_entry_valid) < 0) {
703 #endif
704 wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the "
705 "driver.");
706 return -1;
707 }
708
709 return 0;
710 }
711 #endif /* CONFIG_IEEE80211W */
712
713
714 int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
715 size_t ies_len, const u8 *src_addr)
716 {
717 struct wpa_ft_ies parse;
718 struct rsn_mdie *mdie;
719 struct rsn_ftie *ftie;
720 unsigned int count;
721 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
722
723 wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len);
724
725 if (!wpa_key_mgmt_ft(sm->key_mgmt)) {
726 wpa_printf(MSG_DEBUG, "FT: Reject FT IEs since FT is not "
727 "enabled for this connection");
728 return -1;
729 }
730
731 if (sm->ft_reassoc_completed) {
732 wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
733 return 0;
734 }
735
736 if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
737 wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
738 return -1;
739 }
740
741 mdie = (struct rsn_mdie *) parse.mdie;
742 if (mdie == NULL || parse.mdie_len < sizeof(*mdie) ||
743 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
744 MOBILITY_DOMAIN_ID_LEN) != 0) {
745 wpa_printf(MSG_DEBUG, "FT: Invalid MDIE");
746 return -1;
747 }
748
749 ftie = (struct rsn_ftie *) parse.ftie;
750 if (ftie == NULL || parse.ftie_len < sizeof(*ftie)) {
751 wpa_printf(MSG_DEBUG, "FT: Invalid FTIE");
752 return -1;
753 }
754
755 if (os_memcmp(ftie->snonce, sm->snonce, WPA_NONCE_LEN) != 0) {
756 wpa_printf(MSG_DEBUG, "FT: SNonce mismatch in FTIE");
757 wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
758 ftie->snonce, WPA_NONCE_LEN);
759 wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce",
760 sm->snonce, WPA_NONCE_LEN);
761 return -1;
762 }
763
764 if (os_memcmp(ftie->anonce, sm->anonce, WPA_NONCE_LEN) != 0) {
765 wpa_printf(MSG_DEBUG, "FT: ANonce mismatch in FTIE");
766 wpa_hexdump(MSG_DEBUG, "FT: Received ANonce",
767 ftie->anonce, WPA_NONCE_LEN);
768 wpa_hexdump(MSG_DEBUG, "FT: Expected ANonce",
769 sm->anonce, WPA_NONCE_LEN);
770 return -1;
771 }
772
773 if (parse.r0kh_id == NULL) {
774 wpa_printf(MSG_DEBUG, "FT: No R0KH-ID subelem in FTIE");
775 return -1;
776 }
777
778 if (parse.r0kh_id_len != sm->r0kh_id_len ||
779 os_memcmp_const(parse.r0kh_id, sm->r0kh_id, parse.r0kh_id_len) != 0)
780 {
781 wpa_printf(MSG_DEBUG, "FT: R0KH-ID in FTIE did not match with "
782 "the current R0KH-ID");
783 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID in FTIE",
784 parse.r0kh_id, parse.r0kh_id_len);
785 wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID",
786 sm->r0kh_id, sm->r0kh_id_len);
787 return -1;
788 }
789
790 if (parse.r1kh_id == NULL) {
791 wpa_printf(MSG_DEBUG, "FT: No R1KH-ID subelem in FTIE");
792 return -1;
793 }
794
795 if (os_memcmp_const(parse.r1kh_id, sm->r1kh_id, FT_R1KH_ID_LEN) != 0) {
796 wpa_printf(MSG_DEBUG, "FT: Unknown R1KH-ID used in "
797 "ReassocResp");
798 return -1;
799 }
800
801 if (parse.rsn_pmkid == NULL ||
802 os_memcmp_const(parse.rsn_pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN))
803 {
804 wpa_printf(MSG_DEBUG, "FT: No matching PMKR1Name (PMKID) in "
805 "RSNIE (pmkid=%d)", !!parse.rsn_pmkid);
806 return -1;
807 }
808
809 count = 3;
810 if (parse.ric)
811 count += ieee802_11_ie_count(parse.ric, parse.ric_len);
812 if (ftie->mic_control[1] != count) {
813 wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
814 "Control: received %u expected %u",
815 ftie->mic_control[1], count);
816 return -1;
817 }
818
819 if (wpa_ft_mic(sm->ptk.kck, sm->ptk.kck_len, sm->own_addr, src_addr, 6,
820 parse.mdie - 2, parse.mdie_len + 2,
821 parse.ftie - 2, parse.ftie_len + 2,
822 parse.rsn - 2, parse.rsn_len + 2,
823 parse.ric, parse.ric_len,
824 mic) < 0) {
825 wpa_printf(MSG_DEBUG, "FT: Failed to calculate MIC");
826 return -1;
827 }
828
829 if (os_memcmp_const(mic, ftie->mic, 16) != 0) {
830 wpa_printf(MSG_DEBUG, "FT: Invalid MIC in FTIE");
831 wpa_hexdump(MSG_MSGDUMP, "FT: Received MIC", ftie->mic, 16);
832 wpa_hexdump(MSG_MSGDUMP, "FT: Calculated MIC", mic, 16);
833 return -1;
834 }
835
836 sm->ft_reassoc_completed = 1;
837 if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
838 return -1;
839
840 #ifdef CONFIG_IEEE80211W
841 if (wpa_ft_process_igtk_subelem(sm, parse.igtk, parse.igtk_len) < 0)
842 return -1;
843 #endif /* CONFIG_IEEE80211W */
844
845 if (sm->set_ptk_after_assoc) {
846 wpa_printf(MSG_DEBUG, "FT: Try to set PTK again now that we "
847 "are associated");
848 if (wpa_ft_install_ptk(sm, src_addr) < 0)
849 return -1;
850 sm->set_ptk_after_assoc = 0;
851 }
852
853 if (parse.ric) {
854 wpa_hexdump(MSG_MSGDUMP, "FT: RIC Response",
855 parse.ric, parse.ric_len);
856 /* TODO: parse response and inform driver about results when
857 * using wpa_supplicant SME */
858 }
859
860 wpa_printf(MSG_DEBUG, "FT: Completed successfully");
861
862 return 0;
863 }
864
865
866 /**
867 * wpa_ft_start_over_ds - Generate over-the-DS auth request
868 * @sm: Pointer to WPA state machine data from wpa_sm_init()
869 * @target_ap: Target AP Address
870 * @mdie: Mobility Domain IE from the target AP
871 * Returns: 0 on success, -1 on failure
872 */
873 int wpa_ft_start_over_ds(struct wpa_sm *sm, const u8 *target_ap,
874 const u8 *mdie)
875 {
876 u8 *ft_ies;
877 size_t ft_ies_len;
878
879 wpa_printf(MSG_DEBUG, "FT: Request over-the-DS with " MACSTR,
880 MAC2STR(target_ap));
881
882 /* Generate a new SNonce */
883 if (random_get_bytes(sm->snonce, WPA_NONCE_LEN)) {
884 wpa_printf(MSG_INFO, "FT: Failed to generate a new SNonce");
885 return -1;
886 }
887
888 ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, NULL, sm->pmk_r0_name,
889 NULL, 0, target_ap, NULL, 0, mdie);
890 if (ft_ies) {
891 sm->over_the_ds_in_progress = 1;
892 os_memcpy(sm->target_ap, target_ap, ETH_ALEN);
893 wpa_sm_send_ft_action(sm, 1, target_ap, ft_ies, ft_ies_len);
894 os_free(ft_ies);
895 }
896
897 return 0;
898 }
899
900 #endif /* CONFIG_IEEE80211R */
901
