From 5db997e34317df40b6248239ff50fa4075ca4208 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 2 Apr 2017 22:38:48 +0300
Subject: [PATCH] FILS: Add FTE into FILS Authentication frame from AP when
 using FILS+FT

MDE was already added with RSNE, but FTE needed to be added to the FILS
Authentication frame for the FT initial mobility domain association
using FILS authentication case.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/ap/ieee802_11.c | 21 ++++++++++++++++-----
 src/ap/wpa_auth.c   | 12 ++++++++++++
 src/ap/wpa_auth.h   |  2 ++
 3 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index ec7332957..9a864a01a 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1140,9 +1140,6 @@ static void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
 	if (resp != WLAN_STATUS_SUCCESS)
 		goto fail;
 
-	/* TODO: MDE when using FILS+FT */
-	/* TODO: FTE when using FILS+FT */
-
 	if (!elems.fils_nonce) {
 		wpa_printf(MSG_DEBUG, "FILS: No FILS Nonce field");
 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
@@ -1305,8 +1302,22 @@ static void handle_auth_fils_finish(struct hostapd_data *hapd,
 	/* RSNE */
 	wpabuf_put_data(data, ie, ielen);
 
-	/* TODO: MDE when using FILS+FT */
-	/* TODO: FTE when using FILS+FT */
+	/* MDE when using FILS+FT (already included in ie,ielen with RSNE) */
+
+#ifdef CONFIG_IEEE80211R_AP
+	if (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm))) {
+		/* FTE[R1KH-ID,R0KH-ID] when using FILS+FT */
+		int res;
+
+		res = wpa_auth_write_fte(hapd->wpa_auth, wpabuf_put(data, 0),
+					 wpabuf_tailroom(data));
+		if (res < 0) {
+			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+			goto fail;
+		}
+		wpabuf_put(data, res);
+	}
+#endif /* CONFIG_IEEE80211R_AP */
 
 	/* FILS Nonce */
 	wpabuf_put_u8(data, WLAN_EID_EXTENSION); /* Element ID */
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index c91affcfa..d7e3d2238 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -4272,4 +4272,16 @@ wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
 	return idata.pmksa;
 }
 
+
+#ifdef CONFIG_IEEE80211R_AP
+int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len)
+{
+	struct wpa_auth_config *conf = &wpa_auth->conf;
+
+	return wpa_write_ftie(conf, conf->r0_key_holder,
+			      conf->r0_key_holder_len,
+			      NULL, NULL, buf, len, NULL, 0);
+}
+#endif /* CONFIG_IEEE80211R_AP */
+
 #endif /* CONFIG_FILS */
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 20d8eeccf..6793fecc0 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -375,4 +375,6 @@ int fils_encrypt_assoc(struct wpa_state_machine *sm, u8 *buf,
 		       const struct wpabuf *hlp);
 int fils_set_tk(struct wpa_state_machine *sm);
 
+int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len);
+
 #endif /* WPA_AUTH_H */
-- 
2.39.2