1 /*
2 * WPA Supplicant - IEEE 802.11r - Fast BSS Transition
3 * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "crypto/aes_wrap.h"
19 #include "common/ieee802_11_defs.h"
20 #include "common/ieee802_11_common.h"
21 #include "wpa.h"
22 #include "wpa_i.h"
23 #include "wpa_ie.h"
24
25 #ifdef CONFIG_IEEE80211R
26
27 struct wpa_ft_ies {
28 const u8 *mdie;
29 size_t mdie_len;
30 const u8 *ftie;
31 size_t ftie_len;
32 const u8 *r1kh_id;
33 const u8 *gtk;
34 size_t gtk_len;
35 const u8 *r0kh_id;
36 size_t r0kh_id_len;
37 const u8 *rsn;
38 size_t rsn_len;
39 const u8 *rsn_pmkid;
40 const u8 *tie;
41 size_t tie_len;
42 const u8 *igtk;
43 size_t igtk_len;
44 const u8 *ric;
45 size_t ric_len;
46 };
47
48 static int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
49 struct wpa_ft_ies *parse);
50
51
wpa_derive_ptk_ft(struct wpa_sm * sm,const unsigned char * src_addr,const struct wpa_eapol_key * key,struct wpa_ptk * ptk,size_t ptk_len)52 int wpa_derive_ptk_ft(struct wpa_sm *sm, const unsigned char *src_addr,
53 const struct wpa_eapol_key *key,
54 struct wpa_ptk *ptk, size_t ptk_len)
55 {
56 u8 ptk_name[WPA_PMK_NAME_LEN];
57 const u8 *anonce = key->key_nonce;
58
59 if (sm->xxkey_len == 0) {
60 wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
61 "derivation");
62 return -1;
63 }
64
65 wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, sm->ssid,
66 sm->ssid_len, sm->mobility_domain,
67 sm->r0kh_id, sm->r0kh_id_len, sm->own_addr,
68 sm->pmk_r0, sm->pmk_r0_name);
69 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", sm->pmk_r0, PMK_LEN);
70 wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name",
71 sm->pmk_r0_name, WPA_PMK_NAME_LEN);
72 wpa_derive_pmk_r1(sm->pmk_r0, sm->pmk_r0_name, sm->r1kh_id,
73 sm->own_addr, sm->pmk_r1, sm->pmk_r1_name);
74 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", sm->pmk_r1, PMK_LEN);
75 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", sm->pmk_r1_name,
76 WPA_PMK_NAME_LEN);
77 wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->snonce, anonce, sm->own_addr,
78 sm->bssid, sm->pmk_r1_name,
79 (u8 *) ptk, ptk_len, ptk_name);
80 wpa_hexdump_key(MSG_DEBUG, "FT: PTK", (u8 *) ptk, ptk_len);
81 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
82
83 return 0;
84 }
85
86
87 /**
88 * wpa_sm_set_ft_params - Set FT (IEEE 802.11r) parameters
89 * @sm: Pointer to WPA state machine data from wpa_sm_init()
90 * @ies: Association Response IEs or %NULL to clear FT parameters
91 * @ies_len: Length of ies buffer in octets
92 * Returns: 0 on success, -1 on failure
93 */
wpa_sm_set_ft_params(struct wpa_sm * sm,const u8 * ies,size_t ies_len)94 int wpa_sm_set_ft_params(struct wpa_sm *sm, const u8 *ies, size_t ies_len)
95 {
96 struct wpa_ft_ies ft;
97
98 if (sm == NULL)
99 return 0;
100
101 if (wpa_ft_parse_ies(ies, ies_len, &ft) < 0)
102 return -1;
103
104 if (ft.mdie && ft.mdie_len < MOBILITY_DOMAIN_ID_LEN + 1)
105 return -1;
106
107 if (ft.mdie) {
108 wpa_hexdump(MSG_DEBUG, "FT: Mobility domain",
109 ft.mdie, MOBILITY_DOMAIN_ID_LEN);
110 os_memcpy(sm->mobility_domain, ft.mdie,
111 MOBILITY_DOMAIN_ID_LEN);
112 sm->mdie_ft_capab = ft.mdie[MOBILITY_DOMAIN_ID_LEN];
113 wpa_printf(MSG_DEBUG, "FT: Capability and Policy: 0x%02x",
114 sm->mdie_ft_capab);
115 } else
116 os_memset(sm->mobility_domain, 0, MOBILITY_DOMAIN_ID_LEN);
117
118 if (ft.r0kh_id) {
119 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID",
120 ft.r0kh_id, ft.r0kh_id_len);
121 os_memcpy(sm->r0kh_id, ft.r0kh_id, ft.r0kh_id_len);
122 sm->r0kh_id_len = ft.r0kh_id_len;
123 } else {
124 /* FIX: When should R0KH-ID be cleared? We need to keep the
125 * old R0KH-ID in order to be able to use this during FT. */
126 /*
127 * os_memset(sm->r0kh_id, 0, FT_R0KH_ID_LEN);
128 * sm->r0kh_id_len = 0;
129 */
130 }
131
132 if (ft.r1kh_id) {
133 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID",
134 ft.r1kh_id, FT_R1KH_ID_LEN);
135 os_memcpy(sm->r1kh_id, ft.r1kh_id, FT_R1KH_ID_LEN);
136 } else
137 os_memset(sm->r1kh_id, 0, FT_R1KH_ID_LEN);
138
139 os_free(sm->assoc_resp_ies);
140 sm->assoc_resp_ies = os_malloc(ft.mdie_len + 2 + ft.ftie_len + 2);
141 if (sm->assoc_resp_ies) {
142 u8 *pos = sm->assoc_resp_ies;
143 if (ft.mdie) {
144 os_memcpy(pos, ft.mdie - 2, ft.mdie_len + 2);
145 pos += ft.mdie_len + 2;
146 }
147 if (ft.ftie) {
148 os_memcpy(pos, ft.ftie - 2, ft.ftie_len + 2);
149 pos += ft.ftie_len + 2;
150 }
151 sm->assoc_resp_ies_len = pos - sm->assoc_resp_ies;
152 wpa_hexdump(MSG_DEBUG, "FT: Stored MDIE and FTIE from "
153 "(Re)Association Response",
154 sm->assoc_resp_ies, sm->assoc_resp_ies_len);
155 }
156
157 return 0;
158 }
159
160
161 /**
162 * wpa_ft_gen_req_ies - Generate FT (IEEE 802.11r) IEs for Auth/ReAssoc Request
163 * @sm: Pointer to WPA state machine data from wpa_sm_init()
164 * @len: Buffer for returning the length of the IEs
165 * @anonce: ANonce or %NULL if not yet available
166 * @pmk_name: PMKR0Name or PMKR1Name to be added into the RSN IE PMKID List
167 * @kck: 128-bit KCK for MIC or %NULL if no MIC is used
168 * @target_ap: Target AP address
169 * @ric_ies: Optional IE(s), e.g., WMM TSPEC(s), for RIC-Request or %NULL
170 * @ric_ies_len: Length of ric_ies buffer in octets
171 * @ap_mdie: Mobility Domain IE from the target AP
172 * Returns: Pointer to buffer with IEs or %NULL on failure
173 *
174 * Caller is responsible for freeing the returned buffer with os_free();
175 */
wpa_ft_gen_req_ies(struct wpa_sm * sm,size_t * len,const u8 * anonce,const u8 * pmk_name,const u8 * kck,const u8 * target_ap,const u8 * ric_ies,size_t ric_ies_len,const u8 * ap_mdie)176 static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
177 const u8 *anonce, const u8 *pmk_name,
178 const u8 *kck, const u8 *target_ap,
179 const u8 *ric_ies, size_t ric_ies_len,
180 const u8 *ap_mdie)
181 {
182 size_t buf_len;
183 u8 *buf, *pos, *ftie_len, *ftie_pos;
184 struct rsn_mdie *mdie;
185 struct rsn_ftie *ftie;
186 struct rsn_ie_hdr *rsnie;
187 u16 capab;
188
189 sm->ft_completed = 0;
190
191 buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
192 2 + sm->r0kh_id_len + ric_ies_len + 100;
193 buf = os_zalloc(buf_len);
194 if (buf == NULL)
195 return NULL;
196 pos = buf;
197
198 /* RSNIE[PMKR0Name/PMKR1Name] */
199 rsnie = (struct rsn_ie_hdr *) pos;
200 rsnie->elem_id = WLAN_EID_RSN;
201 WPA_PUT_LE16(rsnie->version, RSN_VERSION);
202 pos = (u8 *) (rsnie + 1);
203
204 /* Group Suite Selector */
205 if (sm->group_cipher == WPA_CIPHER_CCMP)
206 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
207 else if (sm->group_cipher == WPA_CIPHER_TKIP)
208 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
209 else {
210 wpa_printf(MSG_WARNING, "FT: Invalid group cipher (%d)",
211 sm->group_cipher);
212 os_free(buf);
213 return NULL;
214 }
215 pos += RSN_SELECTOR_LEN;
216
217 /* Pairwise Suite Count */
218 WPA_PUT_LE16(pos, 1);
219 pos += 2;
220
221 /* Pairwise Suite List */
222 if (sm->pairwise_cipher == WPA_CIPHER_CCMP)
223 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
224 else if (sm->pairwise_cipher == WPA_CIPHER_TKIP)
225 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
226 else {
227 wpa_printf(MSG_WARNING, "FT: Invalid pairwise cipher (%d)",
228 sm->pairwise_cipher);
229 os_free(buf);
230 return NULL;
231 }
232 pos += RSN_SELECTOR_LEN;
233
234 /* Authenticated Key Management Suite Count */
235 WPA_PUT_LE16(pos, 1);
236 pos += 2;
237
238 /* Authenticated Key Management Suite List */
239 if (sm->key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X)
240 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
241 else if (sm->key_mgmt == WPA_KEY_MGMT_FT_PSK)
242 RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
243 else {
244 wpa_printf(MSG_WARNING, "FT: Invalid key management type (%d)",
245 sm->key_mgmt);
246 os_free(buf);
247 return NULL;
248 }
249 pos += RSN_SELECTOR_LEN;
250
251 /* RSN Capabilities */
252 capab = 0;
253 #ifdef CONFIG_IEEE80211W
254 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC)
255 capab |= WPA_CAPABILITY_MFPC;
256 #endif /* CONFIG_IEEE80211W */
257 WPA_PUT_LE16(pos, capab);
258 pos += 2;
259
260 /* PMKID Count */
261 WPA_PUT_LE16(pos, 1);
262 pos += 2;
263
264 /* PMKID List [PMKR0Name/PMKR1Name] */
265 os_memcpy(pos, pmk_name, WPA_PMK_NAME_LEN);
266 pos += WPA_PMK_NAME_LEN;
267
268 #ifdef CONFIG_IEEE80211W
269 if (sm->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
270 /* Management Group Cipher Suite */
271 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_AES_128_CMAC);
272 pos += RSN_SELECTOR_LEN;
273 }
274 #endif /* CONFIG_IEEE80211W */
275
276 rsnie->len = (pos - (u8 *) rsnie) - 2;
277
278 /* MDIE */
279 *pos++ = WLAN_EID_MOBILITY_DOMAIN;
280 *pos++ = sizeof(*mdie);
281 mdie = (struct rsn_mdie *) pos;
282 pos += sizeof(*mdie);
283 os_memcpy(mdie->mobility_domain, sm->mobility_domain,
284 MOBILITY_DOMAIN_ID_LEN);
285 mdie->ft_capab = ap_mdie && ap_mdie[1] >= 3 ? ap_mdie[4] :
286 sm->mdie_ft_capab;
287
288 /* FTIE[SNonce, [R1KH-ID,] R0KH-ID ] */
289 ftie_pos = pos;
290 *pos++ = WLAN_EID_FAST_BSS_TRANSITION;
291 ftie_len = pos++;
292 ftie = (struct rsn_ftie *) pos;
293 pos += sizeof(*ftie);
294 os_memcpy(ftie->snonce, sm->snonce, WPA_NONCE_LEN);
295 if (anonce)
296 os_memcpy(ftie->anonce, anonce, WPA_NONCE_LEN);
297 if (kck) {
298 /* R1KH-ID sub-element in third FT message */
299 *pos++ = FTIE_SUBELEM_R1KH_ID;
300 *pos++ = FT_R1KH_ID_LEN;
301 os_memcpy(pos, sm->r1kh_id, FT_R1KH_ID_LEN);
302 pos += FT_R1KH_ID_LEN;
303 }
304 /* R0KH-ID sub-element */
305 *pos++ = FTIE_SUBELEM_R0KH_ID;
306 *pos++ = sm->r0kh_id_len;
307 os_memcpy(pos, sm->r0kh_id, sm->r0kh_id_len);
308 pos += sm->r0kh_id_len;
309 *ftie_len = pos - ftie_len - 1;
310
311 if (ric_ies) {
312 /* RIC Request */
313 os_memcpy(pos, ric_ies, ric_ies_len);
314 pos += ric_ies_len;
315 }
316
317 if (kck) {
318 /*
319 * IEEE Std 802.11r-2008, 11A.8.4
320 * MIC shall be calculated over:
321 * non-AP STA MAC address
322 * Target AP MAC address
323 * Transaction seq number (5 for ReassocReq, 3 otherwise)
324 * RSN IE
325 * MDIE
326 * FTIE (with MIC field set to 0)
327 * RIC-Request (if present)
328 */
329 /* Information element count */
330 ftie->mic_control[1] = 3 + ieee802_11_ie_count(ric_ies,
331 ric_ies_len);
332 if (wpa_ft_mic(kck, sm->own_addr, target_ap, 5,
333 ((u8 *) mdie) - 2, 2 + sizeof(*mdie),
334 ftie_pos, 2 + *ftie_len,
335 (u8 *) rsnie, 2 + rsnie->len, ric_ies,
336 ric_ies_len, ftie->mic) < 0) {
337 wpa_printf(MSG_INFO, "FT: Failed to calculate MIC");
338 os_free(buf);
339 return NULL;
340 }
341 }
342
343 *len = pos - buf;
344
345 return buf;
346 }
347
348
wpa_ft_parse_ftie(const u8 * ie,size_t ie_len,struct wpa_ft_ies * parse)349 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len,
350 struct wpa_ft_ies *parse)
351 {
352 const u8 *end, *pos;
353
354 parse->ftie = ie;
355 parse->ftie_len = ie_len;
356
357 pos = ie + sizeof(struct rsn_ftie);
358 end = ie + ie_len;
359
360 while (pos + 2 <= end && pos + 2 + pos[1] <= end) {
361 switch (pos[0]) {
362 case FTIE_SUBELEM_R1KH_ID:
363 if (pos[1] != FT_R1KH_ID_LEN) {
364 wpa_printf(MSG_DEBUG, "FT: Invalid R1KH-ID "
365 "length in FTIE: %d", pos[1]);
366 return -1;
367 }
368 parse->r1kh_id = pos + 2;
369 break;
370 case FTIE_SUBELEM_GTK:
371 parse->gtk = pos + 2;
372 parse->gtk_len = pos[1];
373 break;
374 case FTIE_SUBELEM_R0KH_ID:
375 if (pos[1] < 1 || pos[1] > FT_R0KH_ID_MAX_LEN) {
376 wpa_printf(MSG_DEBUG, "FT: Invalid R0KH-ID "
377 "length in FTIE: %d", pos[1]);
378 return -1;
379 }
380 parse->r0kh_id = pos + 2;
381 parse->r0kh_id_len = pos[1];
382 break;
383 #ifdef CONFIG_IEEE80211W
384 case FTIE_SUBELEM_IGTK:
385 parse->igtk = pos + 2;
386 parse->igtk_len = pos[1];
387 break;
388 #endif /* CONFIG_IEEE80211W */
389 }
390
391 pos += 2 + pos[1];
392 }
393
394 return 0;
395 }
396
397
wpa_ft_parse_ies(const u8 * ies,size_t ies_len,struct wpa_ft_ies * parse)398 static int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
399 struct wpa_ft_ies *parse)
400 {
401 const u8 *end, *pos;
402 struct wpa_ie_data data;
403 int ret;
404 const struct rsn_ftie *ftie;
405 int prot_ie_count = 0;
406
407 os_memset(parse, 0, sizeof(*parse));
408 if (ies == NULL)
409 return 0;
410
411 pos = ies;
412 end = ies + ies_len;
413 while (pos + 2 <= end && pos + 2 + pos[1] <= end) {
414 switch (pos[0]) {
415 case WLAN_EID_RSN:
416 parse->rsn = pos + 2;
417 parse->rsn_len = pos[1];
418 ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2,
419 parse->rsn_len + 2,
420 &data);
421 if (ret < 0) {
422 wpa_printf(MSG_DEBUG, "FT: Failed to parse "
423 "RSN IE: %d", ret);
424 return -1;
425 }
426 if (data.num_pmkid == 1 && data.pmkid)
427 parse->rsn_pmkid = data.pmkid;
428 break;
429 case WLAN_EID_MOBILITY_DOMAIN:
430 parse->mdie = pos + 2;
431 parse->mdie_len = pos[1];
432 break;
433 case WLAN_EID_FAST_BSS_TRANSITION:
434 if (pos[1] < sizeof(*ftie))
435 return -1;
436 ftie = (const struct rsn_ftie *) (pos + 2);
437 prot_ie_count = ftie->mic_control[1];
438 if (wpa_ft_parse_ftie(pos + 2, pos[1], parse) < 0)
439 return -1;
440 break;
441 case WLAN_EID_TIMEOUT_INTERVAL:
442 parse->tie = pos + 2;
443 parse->tie_len = pos[1];
444 break;
445 case WLAN_EID_RIC_DATA:
446 if (parse->ric == NULL)
447 parse->ric = pos;
448 }
449
450 pos += 2 + pos[1];
451 }
452
453 if (prot_ie_count == 0)
454 return 0; /* no MIC */
455
456 /*
457 * Check that the protected IE count matches with IEs included in the
458 * frame.
459 */
460 if (parse->rsn)
461 prot_ie_count--;
462 if (parse->mdie)
463 prot_ie_count--;
464 if (parse->ftie)
465 prot_ie_count--;
466 if (parse->tie)
467 prot_ie_count--;
468 if (prot_ie_count < 0) {
469 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in "
470 "the protected IE count");
471 return -1;
472 }
473
474 if (prot_ie_count == 0 && parse->ric) {
475 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not "
476 "included in protected IE count");
477 return -1;
478 }
479
480 /* Determine the end of the RIC IE(s) */
481 pos = parse->ric;
482 while (pos && pos + 2 <= end && pos + 2 + pos[1] <= end &&
483 prot_ie_count) {
484 prot_ie_count--;
485 pos += 2 + pos[1];
486 }
487 parse->ric_len = pos - parse->ric;
488 if (prot_ie_count) {
489 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from "
490 "frame", (int) prot_ie_count);
491 return -1;
492 }
493
494 return 0;
495 }
496
497
wpa_ft_install_ptk(struct wpa_sm * sm,const u8 * bssid)498 static int wpa_ft_install_ptk(struct wpa_sm *sm, const u8 *bssid)
499 {
500 int keylen;
501 enum wpa_alg alg;
502 u8 null_rsc[6] = { 0, 0, 0, 0, 0, 0 };
503
504 wpa_printf(MSG_DEBUG, "FT: Installing PTK to the driver.");
505
506 switch (sm->pairwise_cipher) {
507 case WPA_CIPHER_CCMP:
508 alg = WPA_ALG_CCMP;
509 keylen = 16;
510 break;
511 case WPA_CIPHER_TKIP:
512 alg = WPA_ALG_TKIP;
513 keylen = 32;
514 break;
515 default:
516 wpa_printf(MSG_WARNING, "FT: Unsupported pairwise cipher %d",
517 sm->pairwise_cipher);
518 return -1;
519 }
520
521 if (wpa_sm_set_key(sm, alg, bssid, 0, 1, null_rsc,
522 sizeof(null_rsc), (u8 *) sm->ptk.tk1, keylen) < 0) {
523 wpa_printf(MSG_WARNING, "FT: Failed to set PTK to the driver");
524 return -1;
525 }
526
527 return 0;
528 }
529
530
531 /**
532 * wpa_ft_prepare_auth_request - Generate over-the-air auth request
533 * @sm: Pointer to WPA state machine data from wpa_sm_init()
534 * @mdie: Target AP MDIE
535 * Returns: 0 on success, -1 on failure
536 */
wpa_ft_prepare_auth_request(struct wpa_sm * sm,const u8 * mdie)537 int wpa_ft_prepare_auth_request(struct wpa_sm *sm, const u8 *mdie)
538 {
539 u8 *ft_ies;
540 size_t ft_ies_len;
541
542 /* Generate a new SNonce */
543 if (os_get_random(sm->snonce, WPA_NONCE_LEN)) {
544 wpa_printf(MSG_INFO, "FT: Failed to generate a new SNonce");
545 return -1;
546 }
547
548 ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, NULL, sm->pmk_r0_name,
549 NULL, sm->bssid, NULL, 0, mdie);
550 if (ft_ies) {
551 wpa_sm_update_ft_ies(sm, sm->mobility_domain,
552 ft_ies, ft_ies_len);
553 os_free(ft_ies);
554 }
555
556 return 0;
557 }
558
559
wpa_ft_process_response(struct wpa_sm * sm,const u8 * ies,size_t ies_len,int ft_action,const u8 * target_ap,const u8 * ric_ies,size_t ric_ies_len)560 int wpa_ft_process_response(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
561 int ft_action, const u8 *target_ap,
562 const u8 *ric_ies, size_t ric_ies_len)
563 {
564 u8 *ft_ies;
565 size_t ft_ies_len, ptk_len;
566 struct wpa_ft_ies parse;
567 struct rsn_mdie *mdie;
568 struct rsn_ftie *ftie;
569 u8 ptk_name[WPA_PMK_NAME_LEN];
570 int ret;
571 const u8 *bssid;
572
573 wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len);
574 wpa_hexdump(MSG_DEBUG, "FT: RIC IEs", ric_ies, ric_ies_len);
575
576 if (ft_action) {
577 if (!sm->over_the_ds_in_progress) {
578 wpa_printf(MSG_DEBUG, "FT: No over-the-DS in progress "
579 "- drop FT Action Response");
580 return -1;
581 }
582
583 if (os_memcmp(target_ap, sm->target_ap, ETH_ALEN) != 0) {
584 wpa_printf(MSG_DEBUG, "FT: No over-the-DS in progress "
585 "with this Target AP - drop FT Action "
586 "Response");
587 return -1;
588 }
589 }
590
591 if (sm->key_mgmt != WPA_KEY_MGMT_FT_IEEE8021X &&
592 sm->key_mgmt != WPA_KEY_MGMT_FT_PSK) {
593 wpa_printf(MSG_DEBUG, "FT: Reject FT IEs since FT is not "
594 "enabled for this connection");
595 return -1;
596 }
597
598 if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
599 wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
600 return -1;
601 }
602
603 mdie = (struct rsn_mdie *) parse.mdie;
604 if (mdie == NULL || parse.mdie_len < sizeof(*mdie) ||
605 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
606 MOBILITY_DOMAIN_ID_LEN) != 0) {
607 wpa_printf(MSG_DEBUG, "FT: Invalid MDIE");
608 return -1;
609 }
610
611 ftie = (struct rsn_ftie *) parse.ftie;
612 if (ftie == NULL || parse.ftie_len < sizeof(*ftie)) {
613 wpa_printf(MSG_DEBUG, "FT: Invalid FTIE");
614 return -1;
615 }
616
617 if (os_memcmp(ftie->snonce, sm->snonce, WPA_NONCE_LEN) != 0) {
618 wpa_printf(MSG_DEBUG, "FT: SNonce mismatch in FTIE");
619 wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
620 ftie->snonce, WPA_NONCE_LEN);
621 wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce",
622 sm->snonce, WPA_NONCE_LEN);
623 return -1;
624 }
625
626 if (parse.r0kh_id == NULL) {
627 wpa_printf(MSG_DEBUG, "FT: No R0KH-ID subelem in FTIE");
628 return -1;
629 }
630
631 if (parse.r0kh_id_len != sm->r0kh_id_len ||
632 os_memcmp(parse.r0kh_id, sm->r0kh_id, parse.r0kh_id_len) != 0) {
633 wpa_printf(MSG_DEBUG, "FT: R0KH-ID in FTIE did not match with "
634 "the current R0KH-ID");
635 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID in FTIE",
636 parse.r0kh_id, parse.r0kh_id_len);
637 wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID",
638 sm->r0kh_id, sm->r0kh_id_len);
639 return -1;
640 }
641
642 if (parse.r1kh_id == NULL) {
643 wpa_printf(MSG_DEBUG, "FT: No R1KH-ID subelem in FTIE");
644 return -1;
645 }
646
647 if (parse.rsn_pmkid == NULL ||
648 os_memcmp(parse.rsn_pmkid, sm->pmk_r0_name, WPA_PMK_NAME_LEN)) {
649 wpa_printf(MSG_DEBUG, "FT: No matching PMKR0Name (PMKID) in "
650 "RSNIE");
651 return -1;
652 }
653
654 os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
655 wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", sm->r1kh_id, FT_R1KH_ID_LEN);
656 wpa_hexdump(MSG_DEBUG, "FT: SNonce", sm->snonce, WPA_NONCE_LEN);
657 wpa_hexdump(MSG_DEBUG, "FT: ANonce", ftie->anonce, WPA_NONCE_LEN);
658 os_memcpy(sm->anonce, ftie->anonce, WPA_NONCE_LEN);
659 wpa_derive_pmk_r1(sm->pmk_r0, sm->pmk_r0_name, sm->r1kh_id,
660 sm->own_addr, sm->pmk_r1, sm->pmk_r1_name);
661 wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", sm->pmk_r1, PMK_LEN);
662 wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name",
663 sm->pmk_r1_name, WPA_PMK_NAME_LEN);
664
665 bssid = target_ap;
666 ptk_len = sm->pairwise_cipher == WPA_CIPHER_CCMP ? 48 : 64;
667 wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->snonce, ftie->anonce, sm->own_addr,
668 bssid, sm->pmk_r1_name,
669 (u8 *) &sm->ptk, ptk_len, ptk_name);
670 wpa_hexdump_key(MSG_DEBUG, "FT: PTK",
671 (u8 *) &sm->ptk, ptk_len);
672 wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
673
674 ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, ftie->anonce,
675 sm->pmk_r1_name, sm->ptk.kck, bssid,
676 ric_ies, ric_ies_len,
677 parse.mdie ? parse.mdie - 2 : NULL);
678 if (ft_ies) {
679 wpa_sm_update_ft_ies(sm, sm->mobility_domain,
680 ft_ies, ft_ies_len);
681 os_free(ft_ies);
682 }
683
684 wpa_sm_mark_authenticated(sm, bssid);
685 ret = wpa_ft_install_ptk(sm, bssid);
686 if (ret) {
687 /*
688 * Some drivers do not support key configuration when we are
689 * not associated with the target AP. Work around this by
690 * trying again after the following reassociation gets
691 * completed.
692 */
693 wpa_printf(MSG_DEBUG, "FT: Failed to set PTK prior to "
694 "association - try again after reassociation");
695 sm->set_ptk_after_assoc = 1;
696 } else
697 sm->set_ptk_after_assoc = 0;
698
699 sm->ft_completed = 1;
700 if (ft_action) {
701 /*
702 * The caller is expected trigger re-association with the
703 * Target AP.
704 */
705 os_memcpy(sm->bssid, target_ap, ETH_ALEN);
706 }
707
708 return 0;
709 }
710
711
wpa_ft_is_completed(struct wpa_sm * sm)712 int wpa_ft_is_completed(struct wpa_sm *sm)
713 {
714 if (sm == NULL)
715 return 0;
716
717 if (sm->key_mgmt != WPA_KEY_MGMT_FT_IEEE8021X &&
718 sm->key_mgmt != WPA_KEY_MGMT_FT_PSK)
719 return 0;
720
721 return sm->ft_completed;
722 }
723
724
wpa_ft_process_gtk_subelem(struct wpa_sm * sm,const u8 * gtk_elem,size_t gtk_elem_len)725 static int wpa_ft_process_gtk_subelem(struct wpa_sm *sm, const u8 *gtk_elem,
726 size_t gtk_elem_len)
727 {
728 u8 gtk[32];
729 int keyidx;
730 enum wpa_alg alg;
731 size_t gtk_len, keylen, rsc_len;
732
733 if (gtk_elem == NULL) {
734 wpa_printf(MSG_DEBUG, "FT: No GTK included in FTIE");
735 return 0;
736 }
737
738 wpa_hexdump_key(MSG_DEBUG, "FT: Received GTK in Reassoc Resp",
739 gtk_elem, gtk_elem_len);
740
741 if (gtk_elem_len < 11 + 24 || (gtk_elem_len - 11) % 8 ||
742 gtk_elem_len - 19 > sizeof(gtk)) {
743 wpa_printf(MSG_DEBUG, "FT: Invalid GTK sub-elem "
744 "length %lu", (unsigned long) gtk_elem_len);
745 return -1;
746 }
747 gtk_len = gtk_elem_len - 19;
748 if (aes_unwrap(sm->ptk.kek, gtk_len / 8, gtk_elem + 11, gtk)) {
749 wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not "
750 "decrypt GTK");
751 return -1;
752 }
753
754 switch (sm->group_cipher) {
755 case WPA_CIPHER_CCMP:
756 keylen = 16;
757 rsc_len = 6;
758 alg = WPA_ALG_CCMP;
759 break;
760 case WPA_CIPHER_TKIP:
761 keylen = 32;
762 rsc_len = 6;
763 alg = WPA_ALG_TKIP;
764 break;
765 case WPA_CIPHER_WEP104:
766 keylen = 13;
767 rsc_len = 0;
768 alg = WPA_ALG_WEP;
769 break;
770 case WPA_CIPHER_WEP40:
771 keylen = 5;
772 rsc_len = 0;
773 alg = WPA_ALG_WEP;
774 break;
775 default:
776 wpa_printf(MSG_WARNING, "WPA: Unsupported Group Cipher %d",
777 sm->group_cipher);
778 return -1;
779 }
780
781 if (gtk_len < keylen) {
782 wpa_printf(MSG_DEBUG, "FT: Too short GTK in FTIE");
783 return -1;
784 }
785
786 /* Key Info[2] | Key Length[1] | RSC[8] | Key[5..32]. */
787
788 keyidx = WPA_GET_LE16(gtk_elem) & 0x03;
789
790 if (gtk_elem[2] != keylen) {
791 wpa_printf(MSG_DEBUG, "FT: GTK length mismatch: received %d "
792 "negotiated %lu",
793 gtk_elem[2], (unsigned long) keylen);
794 return -1;
795 }
796
797 wpa_hexdump_key(MSG_DEBUG, "FT: GTK from Reassoc Resp", gtk, keylen);
798 if (wpa_sm_set_key(sm, alg, (u8 *) "\xff\xff\xff\xff\xff\xff",
799 keyidx, 0, gtk_elem + 3, rsc_len, gtk, keylen) <
800 0) {
801 wpa_printf(MSG_WARNING, "WPA: Failed to set GTK to the "
802 "driver.");
803 return -1;
804 }
805
806 return 0;
807 }
808
809
810 #ifdef CONFIG_IEEE80211W
wpa_ft_process_igtk_subelem(struct wpa_sm * sm,const u8 * igtk_elem,size_t igtk_elem_len)811 static int wpa_ft_process_igtk_subelem(struct wpa_sm *sm, const u8 *igtk_elem,
812 size_t igtk_elem_len)
813 {
814 u8 igtk[WPA_IGTK_LEN];
815 u16 keyidx;
816
817 if (sm->mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC)
818 return 0;
819
820 if (igtk_elem == NULL) {
821 wpa_printf(MSG_DEBUG, "FT: No IGTK included in FTIE");
822 return 0;
823 }
824
825 wpa_hexdump_key(MSG_DEBUG, "FT: Received IGTK in Reassoc Resp",
826 igtk_elem, igtk_elem_len);
827
828 if (igtk_elem_len != 2 + 6 + 1 + WPA_IGTK_LEN + 8) {
829 wpa_printf(MSG_DEBUG, "FT: Invalid IGTK sub-elem "
830 "length %lu", (unsigned long) igtk_elem_len);
831 return -1;
832 }
833 if (igtk_elem[8] != WPA_IGTK_LEN) {
834 wpa_printf(MSG_DEBUG, "FT: Invalid IGTK sub-elem Key Length "
835 "%d", igtk_elem[8]);
836 return -1;
837 }
838
839 if (aes_unwrap(sm->ptk.kek, WPA_IGTK_LEN / 8, igtk_elem + 9, igtk)) {
840 wpa_printf(MSG_WARNING, "FT: AES unwrap failed - could not "
841 "decrypt IGTK");
842 return -1;
843 }
844
845 /* KeyID[2] | IPN[6] | Key Length[1] | Key[16+8] */
846
847 keyidx = WPA_GET_LE16(igtk_elem);
848
849 wpa_hexdump_key(MSG_DEBUG, "FT: IGTK from Reassoc Resp", igtk,
850 WPA_IGTK_LEN);
851 if (wpa_sm_set_key(sm, WPA_ALG_IGTK, (u8 *) "\xff\xff\xff\xff\xff\xff",
852 keyidx, 0, igtk_elem + 2, 6, igtk, WPA_IGTK_LEN) <
853 0) {
854 wpa_printf(MSG_WARNING, "WPA: Failed to set IGTK to the "
855 "driver.");
856 return -1;
857 }
858
859 return 0;
860 }
861 #endif /* CONFIG_IEEE80211W */
862
863
wpa_ft_validate_reassoc_resp(struct wpa_sm * sm,const u8 * ies,size_t ies_len,const u8 * src_addr)864 int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
865 size_t ies_len, const u8 *src_addr)
866 {
867 struct wpa_ft_ies parse;
868 struct rsn_mdie *mdie;
869 struct rsn_ftie *ftie;
870 unsigned int count;
871 u8 mic[16];
872
873 wpa_hexdump(MSG_DEBUG, "FT: Response IEs", ies, ies_len);
874
875 if (sm->key_mgmt != WPA_KEY_MGMT_FT_IEEE8021X &&
876 sm->key_mgmt != WPA_KEY_MGMT_FT_PSK) {
877 wpa_printf(MSG_DEBUG, "FT: Reject FT IEs since FT is not "
878 "enabled for this connection");
879 return -1;
880 }
881
882 if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
883 wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
884 return -1;
885 }
886
887 mdie = (struct rsn_mdie *) parse.mdie;
888 if (mdie == NULL || parse.mdie_len < sizeof(*mdie) ||
889 os_memcmp(mdie->mobility_domain, sm->mobility_domain,
890 MOBILITY_DOMAIN_ID_LEN) != 0) {
891 wpa_printf(MSG_DEBUG, "FT: Invalid MDIE");
892 return -1;
893 }
894
895 ftie = (struct rsn_ftie *) parse.ftie;
896 if (ftie == NULL || parse.ftie_len < sizeof(*ftie)) {
897 wpa_printf(MSG_DEBUG, "FT: Invalid FTIE");
898 return -1;
899 }
900
901 if (os_memcmp(ftie->snonce, sm->snonce, WPA_NONCE_LEN) != 0) {
902 wpa_printf(MSG_DEBUG, "FT: SNonce mismatch in FTIE");
903 wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
904 ftie->snonce, WPA_NONCE_LEN);
905 wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce",
906 sm->snonce, WPA_NONCE_LEN);
907 return -1;
908 }
909
910 if (os_memcmp(ftie->anonce, sm->anonce, WPA_NONCE_LEN) != 0) {
911 wpa_printf(MSG_DEBUG, "FT: ANonce mismatch in FTIE");
912 wpa_hexdump(MSG_DEBUG, "FT: Received ANonce",
913 ftie->anonce, WPA_NONCE_LEN);
914 wpa_hexdump(MSG_DEBUG, "FT: Expected ANonce",
915 sm->anonce, WPA_NONCE_LEN);
916 return -1;
917 }
918
919 if (parse.r0kh_id == NULL) {
920 wpa_printf(MSG_DEBUG, "FT: No R0KH-ID subelem in FTIE");
921 return -1;
922 }
923
924 if (parse.r0kh_id_len != sm->r0kh_id_len ||
925 os_memcmp(parse.r0kh_id, sm->r0kh_id, parse.r0kh_id_len) != 0) {
926 wpa_printf(MSG_DEBUG, "FT: R0KH-ID in FTIE did not match with "
927 "the current R0KH-ID");
928 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID in FTIE",
929 parse.r0kh_id, parse.r0kh_id_len);
930 wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID",
931 sm->r0kh_id, sm->r0kh_id_len);
932 return -1;
933 }
934
935 if (parse.r1kh_id == NULL) {
936 wpa_printf(MSG_DEBUG, "FT: No R1KH-ID subelem in FTIE");
937 return -1;
938 }
939
940 if (os_memcmp(parse.r1kh_id, sm->r1kh_id, FT_R1KH_ID_LEN) != 0) {
941 wpa_printf(MSG_DEBUG, "FT: Unknown R1KH-ID used in "
942 "ReassocResp");
943 return -1;
944 }
945
946 if (parse.rsn_pmkid == NULL ||
947 os_memcmp(parse.rsn_pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN)) {
948 wpa_printf(MSG_DEBUG, "FT: No matching PMKR1Name (PMKID) in "
949 "RSNIE (pmkid=%d)", !!parse.rsn_pmkid);
950 return -1;
951 }
952
953 count = 3;
954 if (parse.tie)
955 count++;
956 if (ftie->mic_control[1] != count) {
957 wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
958 "Control: received %u expected %u",
959 ftie->mic_control[1], count);
960 return -1;
961 }
962
963 if (wpa_ft_mic(sm->ptk.kck, sm->own_addr, src_addr, 6,
964 parse.mdie - 2, parse.mdie_len + 2,
965 parse.ftie - 2, parse.ftie_len + 2,
966 parse.rsn - 2, parse.rsn_len + 2,
967 parse.ric, parse.ric_len,
968 mic) < 0) {
969 wpa_printf(MSG_DEBUG, "FT: Failed to calculate MIC");
970 return -1;
971 }
972
973 if (os_memcmp(mic, ftie->mic, 16) != 0) {
974 wpa_printf(MSG_DEBUG, "FT: Invalid MIC in FTIE");
975 wpa_hexdump(MSG_MSGDUMP, "FT: Received MIC", ftie->mic, 16);
976 wpa_hexdump(MSG_MSGDUMP, "FT: Calculated MIC", mic, 16);
977 return -1;
978 }
979
980 if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
981 return -1;
982
983 #ifdef CONFIG_IEEE80211W
984 if (wpa_ft_process_igtk_subelem(sm, parse.igtk, parse.igtk_len) < 0)
985 return -1;
986 #endif /* CONFIG_IEEE80211W */
987
988 if (sm->set_ptk_after_assoc) {
989 wpa_printf(MSG_DEBUG, "FT: Try to set PTK again now that we "
990 "are associated");
991 if (wpa_ft_install_ptk(sm, src_addr) < 0)
992 return -1;
993 sm->set_ptk_after_assoc = 0;
994 }
995
996 if (parse.ric) {
997 wpa_hexdump(MSG_MSGDUMP, "FT: RIC Response",
998 parse.ric, parse.ric_len);
999 /* TODO: parse response and inform driver about results */
1000 }
1001
1002 return 0;
1003 }
1004
1005
1006 /**
1007 * wpa_ft_start_over_ds - Generate over-the-DS auth request
1008 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1009 * @target_ap: Target AP Address
1010 * @mdie: Mobility Domain IE from the target AP
1011 * Returns: 0 on success, -1 on failure
1012 */
wpa_ft_start_over_ds(struct wpa_sm * sm,const u8 * target_ap,const u8 * mdie)1013 int wpa_ft_start_over_ds(struct wpa_sm *sm, const u8 *target_ap,
1014 const u8 *mdie)
1015 {
1016 u8 *ft_ies;
1017 size_t ft_ies_len;
1018
1019 wpa_printf(MSG_DEBUG, "FT: Request over-the-DS with " MACSTR,
1020 MAC2STR(target_ap));
1021
1022 /* Generate a new SNonce */
1023 if (os_get_random(sm->snonce, WPA_NONCE_LEN)) {
1024 wpa_printf(MSG_INFO, "FT: Failed to generate a new SNonce");
1025 return -1;
1026 }
1027
1028 ft_ies = wpa_ft_gen_req_ies(sm, &ft_ies_len, NULL, sm->pmk_r0_name,
1029 NULL, target_ap, NULL, 0, mdie);
1030 if (ft_ies) {
1031 sm->over_the_ds_in_progress = 1;
1032 os_memcpy(sm->target_ap, target_ap, ETH_ALEN);
1033 wpa_sm_send_ft_action(sm, 1, target_ap, ft_ies, ft_ies_len);
1034 os_free(ft_ies);
1035 }
1036
1037 return 0;
1038 }
1039
1040 #endif /* CONFIG_IEEE80211R */
1041