FT: Fix sm->assoc_resp_ftie storing on the AP side

The FTIE from (Re)Association Response frame was copied before
calculating the MIC. This resulted in incorrect value being used when
comparing the EAPOL-Key msg 2/4 value in case PTK rekeying was used
after FT protocol run. Fix this by storing the element after the MIC
field has been filled in.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index eeaffbf635166d20767e38996c951c2bcf245d56..42242a54a2cbf758a89b7c8ebf97d7e2b744193c 100644 (file)
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -720,11 +720,6 @@ u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos,
        ftie_len = res;
        pos += res;
 
-       os_free(sm->assoc_resp_ftie);
-       sm->assoc_resp_ftie = os_malloc(ftie_len);
-       if (sm->assoc_resp_ftie)
-               os_memcpy(sm->assoc_resp_ftie, ftie, ftie_len);
-
        _ftie = (struct rsn_ftie *) (ftie + 2);
        if (auth_alg == WLAN_AUTH_FT)
                _ftie->mic_control[1] = 3; /* Information element count */
@@ -750,6 +745,11 @@ u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos,
                       _ftie->mic) < 0)
                wpa_printf(MSG_DEBUG, "FT: Failed to calculate MIC");
 
+       os_free(sm->assoc_resp_ftie);
+       sm->assoc_resp_ftie = os_malloc(ftie_len);
+       if (sm->assoc_resp_ftie)
+               os_memcpy(sm->assoc_resp_ftie, ftie, ftie_len);
+
        return pos;
 }