2 * WPA Supplicant - IEEE 802.11r - Fast BSS Transition
3 * Copyright (c) 2006-2018, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/aes_wrap.h"
13 #include "crypto/sha384.h"
14 #include "crypto/random.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ieee802_11_common.h"
17 #include "common/ocv.h"
18 #include "drivers/driver.h"
22 #include "pmksa_cache.h"
24 #ifdef CONFIG_IEEE80211R
26 int wpa_derive_ptk_ft(struct wpa_sm
*sm
, const unsigned char *src_addr
,
27 const struct wpa_eapol_key
*key
, struct wpa_ptk
*ptk
)
29 u8 ptk_name
[WPA_PMK_NAME_LEN
];
30 const u8
*anonce
= key
->key_nonce
;
31 int use_sha384
= wpa_key_mgmt_sha384(sm
->key_mgmt
);
35 if (sm
->xxkey_len
> 0) {
37 mpmk_len
= sm
->xxkey_len
;
38 } else if (sm
->cur_pmksa
) {
39 mpmk
= sm
->cur_pmksa
->pmk
;
40 mpmk_len
= sm
->cur_pmksa
->pmk_len
;
42 wpa_printf(MSG_DEBUG
, "FT: XXKey not available for key "
47 sm
->pmk_r0_len
= use_sha384
? SHA384_MAC_LEN
: PMK_LEN
;
48 if (wpa_derive_pmk_r0(mpmk
, mpmk_len
, sm
->ssid
,
49 sm
->ssid_len
, sm
->mobility_domain
,
50 sm
->r0kh_id
, sm
->r0kh_id_len
, sm
->own_addr
,
51 sm
->pmk_r0
, sm
->pmk_r0_name
, use_sha384
) < 0)
53 wpa_hexdump_key(MSG_DEBUG
, "FT: PMK-R0", sm
->pmk_r0
, sm
->pmk_r0_len
);
54 wpa_hexdump(MSG_DEBUG
, "FT: PMKR0Name",
55 sm
->pmk_r0_name
, WPA_PMK_NAME_LEN
);
56 sm
->pmk_r1_len
= sm
->pmk_r0_len
;
57 if (wpa_derive_pmk_r1(sm
->pmk_r0
, sm
->pmk_r0_len
, sm
->pmk_r0_name
,
58 sm
->r1kh_id
, sm
->own_addr
, sm
->pmk_r1
,
61 wpa_hexdump_key(MSG_DEBUG
, "FT: PMK-R1", sm
->pmk_r1
, sm
->pmk_r1_len
);
62 wpa_hexdump(MSG_DEBUG
, "FT: PMKR1Name", sm
->pmk_r1_name
,
64 return wpa_pmk_r1_to_ptk(sm
->pmk_r1
, sm
->pmk_r1_len
, sm
->snonce
, anonce
,
65 sm
->own_addr
, sm
->bssid
, sm
->pmk_r1_name
, ptk
,
66 ptk_name
, sm
->key_mgmt
, sm
->pairwise_cipher
);
71 * wpa_sm_set_ft_params - Set FT (IEEE 802.11r) parameters
72 * @sm: Pointer to WPA state machine data from wpa_sm_init()
73 * @ies: Association Response IEs or %NULL to clear FT parameters
74 * @ies_len: Length of ies buffer in octets
75 * Returns: 0 on success, -1 on failure
77 int wpa_sm_set_ft_params(struct wpa_sm
*sm
, const u8
*ies
, size_t ies_len
)
85 if (!get_ie(ies
, ies_len
, WLAN_EID_MOBILITY_DOMAIN
)) {
86 os_free(sm
->assoc_resp_ies
);
87 sm
->assoc_resp_ies
= NULL
;
88 sm
->assoc_resp_ies_len
= 0;
89 os_memset(sm
->mobility_domain
, 0, MOBILITY_DOMAIN_ID_LEN
);
90 os_memset(sm
->r0kh_id
, 0, FT_R0KH_ID_MAX_LEN
);
92 os_memset(sm
->r1kh_id
, 0, FT_R1KH_ID_LEN
);
96 use_sha384
= wpa_key_mgmt_sha384(sm
->key_mgmt
);
97 if (wpa_ft_parse_ies(ies
, ies_len
, &ft
, use_sha384
) < 0)
100 if (ft
.mdie_len
< MOBILITY_DOMAIN_ID_LEN
+ 1)
103 wpa_hexdump(MSG_DEBUG
, "FT: Mobility domain",
104 ft
.mdie
, MOBILITY_DOMAIN_ID_LEN
);
105 os_memcpy(sm
->mobility_domain
, ft
.mdie
, MOBILITY_DOMAIN_ID_LEN
);
106 sm
->mdie_ft_capab
= ft
.mdie
[MOBILITY_DOMAIN_ID_LEN
];
107 wpa_printf(MSG_DEBUG
, "FT: Capability and Policy: 0x%02x",
111 wpa_hexdump(MSG_DEBUG
, "FT: R0KH-ID",
112 ft
.r0kh_id
, ft
.r0kh_id_len
);
113 os_memcpy(sm
->r0kh_id
, ft
.r0kh_id
, ft
.r0kh_id_len
);
114 sm
->r0kh_id_len
= ft
.r0kh_id_len
;
116 /* FIX: When should R0KH-ID be cleared? We need to keep the
117 * old R0KH-ID in order to be able to use this during FT. */
119 * os_memset(sm->r0kh_id, 0, FT_R0KH_ID_LEN);
120 * sm->r0kh_id_len = 0;
125 wpa_hexdump(MSG_DEBUG
, "FT: R1KH-ID",
126 ft
.r1kh_id
, FT_R1KH_ID_LEN
);
127 os_memcpy(sm
->r1kh_id
, ft
.r1kh_id
, FT_R1KH_ID_LEN
);
129 os_memset(sm
->r1kh_id
, 0, FT_R1KH_ID_LEN
);
131 os_free(sm
->assoc_resp_ies
);
132 sm
->assoc_resp_ies
= os_malloc(ft
.mdie_len
+ 2 + ft
.ftie_len
+ 2);
133 if (sm
->assoc_resp_ies
) {
134 u8
*pos
= sm
->assoc_resp_ies
;
136 os_memcpy(pos
, ft
.mdie
- 2, ft
.mdie_len
+ 2);
137 pos
+= ft
.mdie_len
+ 2;
140 os_memcpy(pos
, ft
.ftie
- 2, ft
.ftie_len
+ 2);
141 pos
+= ft
.ftie_len
+ 2;
143 sm
->assoc_resp_ies_len
= pos
- sm
->assoc_resp_ies
;
144 wpa_hexdump(MSG_DEBUG
, "FT: Stored MDIE and FTIE from "
145 "(Re)Association Response",
146 sm
->assoc_resp_ies
, sm
->assoc_resp_ies_len
);
154 * wpa_ft_gen_req_ies - Generate FT (IEEE 802.11r) IEs for Auth/ReAssoc Request
155 * @sm: Pointer to WPA state machine data from wpa_sm_init()
156 * @len: Buffer for returning the length of the IEs
157 * @anonce: ANonce or %NULL if not yet available
158 * @pmk_name: PMKR0Name or PMKR1Name to be added into the RSN IE PMKID List
159 * @kck: 128-bit KCK for MIC or %NULL if no MIC is used
160 * @kck_len: KCK length in octets
161 * @target_ap: Target AP address
162 * @ric_ies: Optional IE(s), e.g., WMM TSPEC(s), for RIC-Request or %NULL
163 * @ric_ies_len: Length of ric_ies buffer in octets
164 * @ap_mdie: Mobility Domain IE from the target AP
165 * Returns: Pointer to buffer with IEs or %NULL on failure
167 * Caller is responsible for freeing the returned buffer with os_free();
169 static u8
* wpa_ft_gen_req_ies(struct wpa_sm
*sm
, size_t *len
,
170 const u8
*anonce
, const u8
*pmk_name
,
171 const u8
*kck
, size_t kck_len
,
173 const u8
*ric_ies
, size_t ric_ies_len
,
177 u8
*buf
, *pos
, *ftie_len
, *ftie_pos
, *fte_mic
, *elem_count
;
178 struct rsn_mdie
*mdie
;
179 struct rsn_ie_hdr
*rsnie
;
186 sm
->ft_completed
= 0;
187 sm
->ft_reassoc_completed
= 0;
189 buf_len
= 2 + sizeof(struct rsn_mdie
) + 2 +
190 sizeof(struct rsn_ftie_sha384
) +
191 2 + sm
->r0kh_id_len
+ ric_ies_len
+ 100;
192 buf
= os_zalloc(buf_len
);
197 /* RSNIE[PMKR0Name/PMKR1Name] */
198 rsnie
= (struct rsn_ie_hdr
*) pos
;
199 rsnie
->elem_id
= WLAN_EID_RSN
;
200 WPA_PUT_LE16(rsnie
->version
, RSN_VERSION
);
201 pos
= (u8
*) (rsnie
+ 1);
203 /* Group Suite Selector */
204 if (!wpa_cipher_valid_group(sm
->group_cipher
)) {
205 wpa_printf(MSG_WARNING
, "FT: Invalid group cipher (%d)",
210 RSN_SELECTOR_PUT(pos
, wpa_cipher_to_suite(WPA_PROTO_RSN
,
212 pos
+= RSN_SELECTOR_LEN
;
214 /* Pairwise Suite Count */
215 WPA_PUT_LE16(pos
, 1);
218 /* Pairwise Suite List */
219 if (!wpa_cipher_valid_pairwise(sm
->pairwise_cipher
)) {
220 wpa_printf(MSG_WARNING
, "FT: Invalid pairwise cipher (%d)",
221 sm
->pairwise_cipher
);
225 RSN_SELECTOR_PUT(pos
, wpa_cipher_to_suite(WPA_PROTO_RSN
,
226 sm
->pairwise_cipher
));
227 pos
+= RSN_SELECTOR_LEN
;
229 /* Authenticated Key Management Suite Count */
230 WPA_PUT_LE16(pos
, 1);
233 /* Authenticated Key Management Suite List */
234 if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_IEEE8021X
)
235 RSN_SELECTOR_PUT(pos
, RSN_AUTH_KEY_MGMT_FT_802_1X
);
237 else if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_IEEE8021X_SHA384
)
238 RSN_SELECTOR_PUT(pos
, RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384
);
239 #endif /* CONFIG_SHA384 */
240 else if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_PSK
)
241 RSN_SELECTOR_PUT(pos
, RSN_AUTH_KEY_MGMT_FT_PSK
);
242 else if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_SAE
)
243 RSN_SELECTOR_PUT(pos
, RSN_AUTH_KEY_MGMT_FT_SAE
);
245 else if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_FILS_SHA256
)
246 RSN_SELECTOR_PUT(pos
, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256
);
247 else if (sm
->key_mgmt
== WPA_KEY_MGMT_FT_FILS_SHA384
)
248 RSN_SELECTOR_PUT(pos
, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384
);
249 #endif /* CONFIG_FILS */
251 wpa_printf(MSG_WARNING
, "FT: Invalid key management type (%d)",
256 pos
+= RSN_SELECTOR_LEN
;
258 /* RSN Capabilities */
261 capab
|= WPA_CAPABILITY_MFPC
;
263 capab
|= WPA_CAPABILITY_MFPR
;
265 capab
|= WPA_CAPABILITY_OCVC
;
266 WPA_PUT_LE16(pos
, capab
);
270 WPA_PUT_LE16(pos
, 1);
273 /* PMKID List [PMKR0Name/PMKR1Name] */
274 os_memcpy(pos
, pmk_name
, WPA_PMK_NAME_LEN
);
275 pos
+= WPA_PMK_NAME_LEN
;
277 /* Management Group Cipher Suite */
278 switch (sm
->mgmt_group_cipher
) {
279 case WPA_CIPHER_AES_128_CMAC
:
280 RSN_SELECTOR_PUT(pos
, RSN_CIPHER_SUITE_AES_128_CMAC
);
281 pos
+= RSN_SELECTOR_LEN
;
283 case WPA_CIPHER_BIP_GMAC_128
:
284 RSN_SELECTOR_PUT(pos
, RSN_CIPHER_SUITE_BIP_GMAC_128
);
285 pos
+= RSN_SELECTOR_LEN
;
287 case WPA_CIPHER_BIP_GMAC_256
:
288 RSN_SELECTOR_PUT(pos
, RSN_CIPHER_SUITE_BIP_GMAC_256
);
289 pos
+= RSN_SELECTOR_LEN
;
291 case WPA_CIPHER_BIP_CMAC_256
:
292 RSN_SELECTOR_PUT(pos
, RSN_CIPHER_SUITE_BIP_CMAC_256
);
293 pos
+= RSN_SELECTOR_LEN
;
297 rsnie
->len
= (pos
- (u8
*) rsnie
) - 2;
300 mdie_len
= wpa_ft_add_mdie(sm
, pos
, buf_len
- (pos
- buf
), ap_mdie
);
305 mdie
= (struct rsn_mdie
*) (pos
+ 2);
308 /* FTIE[SNonce, [R1KH-ID,] R0KH-ID ] */
310 *pos
++ = WLAN_EID_FAST_BSS_TRANSITION
;
312 if (wpa_key_mgmt_sha384(sm
->key_mgmt
)) {
313 struct rsn_ftie_sha384
*ftie
;
315 ftie
= (struct rsn_ftie_sha384
*) pos
;
317 elem_count
= &ftie
->mic_control
[1];
318 pos
+= sizeof(*ftie
);
319 os_memcpy(ftie
->snonce
, sm
->snonce
, WPA_NONCE_LEN
);
321 os_memcpy(ftie
->anonce
, anonce
, WPA_NONCE_LEN
);
323 struct rsn_ftie
*ftie
;
325 ftie
= (struct rsn_ftie
*) pos
;
327 elem_count
= &ftie
->mic_control
[1];
328 pos
+= sizeof(*ftie
);
329 os_memcpy(ftie
->snonce
, sm
->snonce
, WPA_NONCE_LEN
);
331 os_memcpy(ftie
->anonce
, anonce
, WPA_NONCE_LEN
);
334 /* R1KH-ID sub-element in third FT message */
335 *pos
++ = FTIE_SUBELEM_R1KH_ID
;
336 *pos
++ = FT_R1KH_ID_LEN
;
337 os_memcpy(pos
, sm
->r1kh_id
, FT_R1KH_ID_LEN
);
338 pos
+= FT_R1KH_ID_LEN
;
340 /* R0KH-ID sub-element */
341 *pos
++ = FTIE_SUBELEM_R0KH_ID
;
342 *pos
++ = sm
->r0kh_id_len
;
343 os_memcpy(pos
, sm
->r0kh_id
, sm
->r0kh_id_len
);
344 pos
+= sm
->r0kh_id_len
;
346 if (kck
&& wpa_sm_ocv_enabled(sm
)) {
347 /* OCI sub-element in the third FT message */
348 struct wpa_channel_info ci
;
350 if (wpa_sm_channel_info(sm
, &ci
) != 0) {
351 wpa_printf(MSG_WARNING
,
352 "Failed to get channel info for OCI element in FTE");
357 *pos
++ = FTIE_SUBELEM_OCI
;
358 *pos
++ = OCV_OCI_LEN
;
359 if (ocv_insert_oci(&ci
, &pos
) < 0) {
364 #endif /* CONFIG_OCV */
365 *ftie_len
= pos
- ftie_len
- 1;
369 os_memcpy(pos
, ric_ies
, ric_ies_len
);
373 res
= wpa_gen_rsnxe(sm
, rsnxe
, sizeof(rsnxe
));
382 * IEEE Std 802.11r-2008, 11A.8.4
383 * MIC shall be calculated over:
384 * non-AP STA MAC address
385 * Target AP MAC address
386 * Transaction seq number (5 for ReassocReq, 3 otherwise)
389 * FTIE (with MIC field set to 0)
390 * RIC-Request (if present)
393 /* Information element count */
394 *elem_count
= 3 + ieee802_11_ie_count(ric_ies
, ric_ies_len
);
397 if (wpa_ft_mic(kck
, kck_len
, sm
->own_addr
, target_ap
, 5,
398 ((u8
*) mdie
) - 2, 2 + sizeof(*mdie
),
399 ftie_pos
, 2 + *ftie_len
,
400 (u8
*) rsnie
, 2 + rsnie
->len
, ric_ies
,
401 ric_ies_len
, rsnxe_len
? rsnxe
: NULL
, rsnxe_len
,
403 wpa_printf(MSG_INFO
, "FT: Failed to calculate MIC");
415 static int wpa_ft_install_ptk(struct wpa_sm
*sm
, const u8
*bssid
)
419 u8 null_rsc
[6] = { 0, 0, 0, 0, 0, 0 };
421 wpa_printf(MSG_DEBUG
, "FT: Installing PTK to the driver.");
423 if (!wpa_cipher_valid_pairwise(sm
->pairwise_cipher
)) {
424 wpa_printf(MSG_WARNING
, "FT: Unsupported pairwise cipher %d",
425 sm
->pairwise_cipher
);
429 alg
= wpa_cipher_to_alg(sm
->pairwise_cipher
);
430 keylen
= wpa_cipher_key_len(sm
->pairwise_cipher
);
432 if (wpa_sm_set_key(sm
, alg
, bssid
, 0, 1, null_rsc
, sizeof(null_rsc
),
433 (u8
*) sm
->ptk
.tk
, keylen
,
434 KEY_FLAG_PAIRWISE_RX_TX
) < 0) {
435 wpa_printf(MSG_WARNING
, "FT: Failed to set PTK to the driver");
444 * wpa_ft_prepare_auth_request - Generate over-the-air auth request
445 * @sm: Pointer to WPA state machine data from wpa_sm_init()
446 * @mdie: Target AP MDIE
447 * Returns: 0 on success, -1 on failure
449 int wpa_ft_prepare_auth_request(struct wpa_sm
*sm
, const u8
*mdie
)
454 /* Generate a new SNonce */
455 if (random_get_bytes(sm
->snonce
, WPA_NONCE_LEN
)) {
456 wpa_printf(MSG_INFO
, "FT: Failed to generate a new SNonce");
460 ft_ies
= wpa_ft_gen_req_ies(sm
, &ft_ies_len
, NULL
, sm
->pmk_r0_name
,
461 NULL
, 0, sm
->bssid
, NULL
, 0, mdie
);
463 wpa_sm_update_ft_ies(sm
, sm
->mobility_domain
,
472 int wpa_ft_add_mdie(struct wpa_sm
*sm
, u8
*buf
, size_t buf_len
,
476 struct rsn_mdie
*mdie
;
478 if (buf_len
< 2 + sizeof(*mdie
)) {
480 "FT: Failed to add MDIE: short buffer, length=%zu",
485 *pos
++ = WLAN_EID_MOBILITY_DOMAIN
;
486 *pos
++ = sizeof(*mdie
);
487 mdie
= (struct rsn_mdie
*) pos
;
488 os_memcpy(mdie
->mobility_domain
, sm
->mobility_domain
,
489 MOBILITY_DOMAIN_ID_LEN
);
490 mdie
->ft_capab
= ap_mdie
&& ap_mdie
[1] >= 3 ? ap_mdie
[4] :
493 return 2 + sizeof(*mdie
);
497 const u8
* wpa_sm_get_ft_md(struct wpa_sm
*sm
)
499 return sm
->mobility_domain
;
503 int wpa_ft_process_response(struct wpa_sm
*sm
, const u8
*ies
, size_t ies_len
,
504 int ft_action
, const u8
*target_ap
,
505 const u8
*ric_ies
, size_t ric_ies_len
)
509 struct wpa_ft_ies parse
;
510 struct rsn_mdie
*mdie
;
511 u8 ptk_name
[WPA_PMK_NAME_LEN
];
516 int use_sha384
= wpa_key_mgmt_sha384(sm
->key_mgmt
);
517 const u8
*anonce
, *snonce
;
519 wpa_hexdump(MSG_DEBUG
, "FT: Response IEs", ies
, ies_len
);
520 wpa_hexdump(MSG_DEBUG
, "FT: RIC IEs", ric_ies
, ric_ies_len
);
523 if (!sm
->over_the_ds_in_progress
) {
524 wpa_printf(MSG_DEBUG
, "FT: No over-the-DS in progress "
525 "- drop FT Action Response");
529 if (os_memcmp(target_ap
, sm
->target_ap
, ETH_ALEN
) != 0) {
530 wpa_printf(MSG_DEBUG
, "FT: No over-the-DS in progress "
531 "with this Target AP - drop FT Action "
537 if (!wpa_key_mgmt_ft(sm
->key_mgmt
)) {
538 wpa_printf(MSG_DEBUG
, "FT: Reject FT IEs since FT is not "
539 "enabled for this connection");
543 if (wpa_ft_parse_ies(ies
, ies_len
, &parse
, use_sha384
) < 0) {
544 wpa_printf(MSG_DEBUG
, "FT: Failed to parse IEs");
548 mdie
= (struct rsn_mdie
*) parse
.mdie
;
549 if (mdie
== NULL
|| parse
.mdie_len
< sizeof(*mdie
) ||
550 os_memcmp(mdie
->mobility_domain
, sm
->mobility_domain
,
551 MOBILITY_DOMAIN_ID_LEN
) != 0) {
552 wpa_printf(MSG_DEBUG
, "FT: Invalid MDIE");
557 struct rsn_ftie_sha384
*ftie
;
559 ftie
= (struct rsn_ftie_sha384
*) parse
.ftie
;
560 if (!ftie
|| parse
.ftie_len
< sizeof(*ftie
)) {
561 wpa_printf(MSG_DEBUG
, "FT: Invalid FTIE");
565 anonce
= ftie
->anonce
;
566 snonce
= ftie
->snonce
;
568 struct rsn_ftie
*ftie
;
570 ftie
= (struct rsn_ftie
*) parse
.ftie
;
571 if (!ftie
|| parse
.ftie_len
< sizeof(*ftie
)) {
572 wpa_printf(MSG_DEBUG
, "FT: Invalid FTIE");
576 anonce
= ftie
->anonce
;
577 snonce
= ftie
->snonce
;
580 if (os_memcmp(snonce
, sm
->snonce
, WPA_NONCE_LEN
) != 0) {
581 wpa_printf(MSG_DEBUG
, "FT: SNonce mismatch in FTIE");
582 wpa_hexdump(MSG_DEBUG
, "FT: Received SNonce",
583 snonce
, WPA_NONCE_LEN
);
584 wpa_hexdump(MSG_DEBUG
, "FT: Expected SNonce",
585 sm
->snonce
, WPA_NONCE_LEN
);
589 if (parse
.r0kh_id
== NULL
) {
590 wpa_printf(MSG_DEBUG
, "FT: No R0KH-ID subelem in FTIE");
594 if (parse
.r0kh_id_len
!= sm
->r0kh_id_len
||
595 os_memcmp_const(parse
.r0kh_id
, sm
->r0kh_id
, parse
.r0kh_id_len
) != 0)
597 wpa_printf(MSG_DEBUG
, "FT: R0KH-ID in FTIE did not match with "
598 "the current R0KH-ID");
599 wpa_hexdump(MSG_DEBUG
, "FT: R0KH-ID in FTIE",
600 parse
.r0kh_id
, parse
.r0kh_id_len
);
601 wpa_hexdump(MSG_DEBUG
, "FT: The current R0KH-ID",
602 sm
->r0kh_id
, sm
->r0kh_id_len
);
606 if (parse
.r1kh_id
== NULL
) {
607 wpa_printf(MSG_DEBUG
, "FT: No R1KH-ID subelem in FTIE");
611 if (parse
.rsn_pmkid
== NULL
||
612 os_memcmp_const(parse
.rsn_pmkid
, sm
->pmk_r0_name
, WPA_PMK_NAME_LEN
))
614 wpa_printf(MSG_DEBUG
, "FT: No matching PMKR0Name (PMKID) in "
619 if (sm
->mfp
== 2 && !(parse
.rsn_capab
& WPA_CAPABILITY_MFPC
)) {
621 "FT: Target AP does not support PMF, but local configuration requires that");
625 os_memcpy(sm
->r1kh_id
, parse
.r1kh_id
, FT_R1KH_ID_LEN
);
626 wpa_hexdump(MSG_DEBUG
, "FT: R1KH-ID", sm
->r1kh_id
, FT_R1KH_ID_LEN
);
627 wpa_hexdump(MSG_DEBUG
, "FT: SNonce", sm
->snonce
, WPA_NONCE_LEN
);
628 wpa_hexdump(MSG_DEBUG
, "FT: ANonce", anonce
, WPA_NONCE_LEN
);
629 os_memcpy(sm
->anonce
, anonce
, WPA_NONCE_LEN
);
630 if (wpa_derive_pmk_r1(sm
->pmk_r0
, sm
->pmk_r0_len
, sm
->pmk_r0_name
,
631 sm
->r1kh_id
, sm
->own_addr
, sm
->pmk_r1
,
632 sm
->pmk_r1_name
) < 0)
634 sm
->pmk_r1_len
= sm
->pmk_r0_len
;
635 wpa_hexdump_key(MSG_DEBUG
, "FT: PMK-R1", sm
->pmk_r1
, sm
->pmk_r1_len
);
636 wpa_hexdump(MSG_DEBUG
, "FT: PMKR1Name",
637 sm
->pmk_r1_name
, WPA_PMK_NAME_LEN
);
640 if (wpa_pmk_r1_to_ptk(sm
->pmk_r1
, sm
->pmk_r1_len
, sm
->snonce
,
641 anonce
, sm
->own_addr
, bssid
,
642 sm
->pmk_r1_name
, &sm
->ptk
, ptk_name
, sm
->key_mgmt
,
643 sm
->pairwise_cipher
) < 0)
646 if (wpa_key_mgmt_fils(sm
->key_mgmt
)) {
648 kck_len
= sm
->ptk
.kck2_len
;
651 kck_len
= sm
->ptk
.kck_len
;
653 ft_ies
= wpa_ft_gen_req_ies(sm
, &ft_ies_len
, anonce
,
656 ric_ies
, ric_ies_len
,
657 parse
.mdie
? parse
.mdie
- 2 : NULL
);
659 wpa_sm_update_ft_ies(sm
, sm
->mobility_domain
,
664 wpa_sm_mark_authenticated(sm
, bssid
);
665 ret
= wpa_ft_install_ptk(sm
, bssid
);
668 * Some drivers do not support key configuration when we are
669 * not associated with the target AP. Work around this by
670 * trying again after the following reassociation gets
673 wpa_printf(MSG_DEBUG
, "FT: Failed to set PTK prior to "
674 "association - try again after reassociation");
675 sm
->set_ptk_after_assoc
= 1;
677 sm
->set_ptk_after_assoc
= 0;
679 sm
->ft_completed
= 1;
682 * The caller is expected trigger re-association with the
685 os_memcpy(sm
->bssid
, target_ap
, ETH_ALEN
);
692 int wpa_ft_is_completed(struct wpa_sm
*sm
)
697 if (!wpa_key_mgmt_ft(sm
->key_mgmt
))
700 return sm
->ft_completed
;
704 void wpa_reset_ft_completed(struct wpa_sm
*sm
)
707 sm
->ft_completed
= 0;
711 static int wpa_ft_process_gtk_subelem(struct wpa_sm
*sm
, const u8
*gtk_elem
,
717 size_t gtk_len
, keylen
, rsc_len
;
721 if (wpa_key_mgmt_fils(sm
->key_mgmt
)) {
723 kek_len
= sm
->ptk
.kek2_len
;
726 kek_len
= sm
->ptk
.kek_len
;
729 if (gtk_elem
== NULL
) {
730 wpa_printf(MSG_DEBUG
, "FT: No GTK included in FTIE");
734 wpa_hexdump_key(MSG_DEBUG
, "FT: Received GTK in Reassoc Resp",
735 gtk_elem
, gtk_elem_len
);
737 if (gtk_elem_len
< 11 + 24 || (gtk_elem_len
- 11) % 8 ||
738 gtk_elem_len
- 19 > sizeof(gtk
)) {
739 wpa_printf(MSG_DEBUG
, "FT: Invalid GTK sub-elem "
740 "length %lu", (unsigned long) gtk_elem_len
);
743 gtk_len
= gtk_elem_len
- 19;
744 if (aes_unwrap(kek
, kek_len
, gtk_len
/ 8, gtk_elem
+ 11, gtk
)) {
745 wpa_printf(MSG_WARNING
, "FT: AES unwrap failed - could not "
750 keylen
= wpa_cipher_key_len(sm
->group_cipher
);
751 rsc_len
= wpa_cipher_rsc_len(sm
->group_cipher
);
752 alg
= wpa_cipher_to_alg(sm
->group_cipher
);
753 if (alg
== WPA_ALG_NONE
) {
754 wpa_printf(MSG_WARNING
, "WPA: Unsupported Group Cipher %d",
759 if (gtk_len
< keylen
) {
760 wpa_printf(MSG_DEBUG
, "FT: Too short GTK in FTIE");
764 /* Key Info[2] | Key Length[1] | RSC[8] | Key[5..32]. */
766 keyidx
= WPA_GET_LE16(gtk_elem
) & 0x03;
768 if (gtk_elem
[2] != keylen
) {
769 wpa_printf(MSG_DEBUG
, "FT: GTK length mismatch: received %d "
771 gtk_elem
[2], (unsigned long) keylen
);
775 wpa_hexdump_key(MSG_DEBUG
, "FT: GTK from Reassoc Resp", gtk
, keylen
);
776 if (sm
->group_cipher
== WPA_CIPHER_TKIP
) {
777 /* Swap Tx/Rx keys for Michael MIC */
779 os_memcpy(tmp
, gtk
+ 16, 8);
780 os_memcpy(gtk
+ 16, gtk
+ 24, 8);
781 os_memcpy(gtk
+ 24, tmp
, 8);
783 if (wpa_sm_set_key(sm
, alg
, broadcast_ether_addr
, keyidx
, 0,
784 gtk_elem
+ 3, rsc_len
, gtk
, keylen
,
785 KEY_FLAG_GROUP_RX
) < 0) {
786 wpa_printf(MSG_WARNING
, "WPA: Failed to set GTK to the "
795 static int wpa_ft_process_igtk_subelem(struct wpa_sm
*sm
, const u8
*igtk_elem
,
796 size_t igtk_elem_len
)
798 u8 igtk
[WPA_IGTK_MAX_LEN
];
804 if (wpa_key_mgmt_fils(sm
->key_mgmt
)) {
806 kek_len
= sm
->ptk
.kek2_len
;
809 kek_len
= sm
->ptk
.kek_len
;
812 if (sm
->mgmt_group_cipher
!= WPA_CIPHER_AES_128_CMAC
&&
813 sm
->mgmt_group_cipher
!= WPA_CIPHER_BIP_GMAC_128
&&
814 sm
->mgmt_group_cipher
!= WPA_CIPHER_BIP_GMAC_256
&&
815 sm
->mgmt_group_cipher
!= WPA_CIPHER_BIP_CMAC_256
)
818 if (igtk_elem
== NULL
) {
819 wpa_printf(MSG_DEBUG
, "FT: No IGTK included in FTIE");
823 wpa_hexdump_key(MSG_DEBUG
, "FT: Received IGTK in Reassoc Resp",
824 igtk_elem
, igtk_elem_len
);
826 igtk_len
= wpa_cipher_key_len(sm
->mgmt_group_cipher
);
827 if (igtk_elem_len
!= 2 + 6 + 1 + igtk_len
+ 8) {
828 wpa_printf(MSG_DEBUG
, "FT: Invalid IGTK sub-elem "
829 "length %lu", (unsigned long) igtk_elem_len
);
832 if (igtk_elem
[8] != igtk_len
) {
833 wpa_printf(MSG_DEBUG
, "FT: Invalid IGTK sub-elem Key Length "
838 if (aes_unwrap(kek
, kek_len
, igtk_len
/ 8, igtk_elem
+ 9, igtk
)) {
839 wpa_printf(MSG_WARNING
, "FT: AES unwrap failed - could not "
844 /* KeyID[2] | IPN[6] | Key Length[1] | Key[16+8] */
846 keyidx
= WPA_GET_LE16(igtk_elem
);
848 wpa_hexdump_key(MSG_DEBUG
, "FT: IGTK from Reassoc Resp", igtk
,
850 if (wpa_sm_set_key(sm
, wpa_cipher_to_alg(sm
->mgmt_group_cipher
),
851 broadcast_ether_addr
, keyidx
, 0,
852 igtk_elem
+ 2, 6, igtk
, igtk_len
,
853 KEY_FLAG_GROUP_RX
) < 0) {
854 wpa_printf(MSG_WARNING
, "WPA: Failed to set IGTK to the "
856 forced_memzero(igtk
, sizeof(igtk
));
859 forced_memzero(igtk
, sizeof(igtk
));
865 static int wpa_ft_process_bigtk_subelem(struct wpa_sm
*sm
, const u8
*bigtk_elem
,
866 size_t bigtk_elem_len
)
868 u8 bigtk
[WPA_BIGTK_MAX_LEN
];
874 if (!sm
->beacon_prot
|| !bigtk_elem
||
875 (sm
->mgmt_group_cipher
!= WPA_CIPHER_AES_128_CMAC
&&
876 sm
->mgmt_group_cipher
!= WPA_CIPHER_BIP_GMAC_128
&&
877 sm
->mgmt_group_cipher
!= WPA_CIPHER_BIP_GMAC_256
&&
878 sm
->mgmt_group_cipher
!= WPA_CIPHER_BIP_CMAC_256
))
881 if (wpa_key_mgmt_fils(sm
->key_mgmt
)) {
883 kek_len
= sm
->ptk
.kek2_len
;
886 kek_len
= sm
->ptk
.kek_len
;
889 wpa_hexdump_key(MSG_DEBUG
, "FT: Received BIGTK in Reassoc Resp",
890 bigtk_elem
, bigtk_elem_len
);
892 bigtk_len
= wpa_cipher_key_len(sm
->mgmt_group_cipher
);
893 if (bigtk_elem_len
!= 2 + 6 + 1 + bigtk_len
+ 8) {
894 wpa_printf(MSG_DEBUG
,
895 "FT: Invalid BIGTK sub-elem length %lu",
896 (unsigned long) bigtk_elem_len
);
899 if (bigtk_elem
[8] != bigtk_len
) {
900 wpa_printf(MSG_DEBUG
,
901 "FT: Invalid BIGTK sub-elem Key Length %d",
906 if (aes_unwrap(kek
, kek_len
, bigtk_len
/ 8, bigtk_elem
+ 9, bigtk
)) {
907 wpa_printf(MSG_WARNING
,
908 "FT: AES unwrap failed - could not decrypt BIGTK");
912 /* KeyID[2] | IPN[6] | Key Length[1] | Key[16+8] */
914 keyidx
= WPA_GET_LE16(bigtk_elem
);
916 wpa_hexdump_key(MSG_DEBUG
, "FT: BIGTK from Reassoc Resp", bigtk
,
918 if (wpa_sm_set_key(sm
, wpa_cipher_to_alg(sm
->mgmt_group_cipher
),
919 broadcast_ether_addr
, keyidx
, 0,
920 bigtk_elem
+ 2, 6, bigtk
, bigtk_len
,
921 KEY_FLAG_GROUP_RX
) < 0) {
922 wpa_printf(MSG_WARNING
,
923 "WPA: Failed to set BIGTK to the driver");
924 forced_memzero(bigtk
, sizeof(bigtk
));
927 forced_memzero(bigtk
, sizeof(bigtk
));
933 int wpa_ft_validate_reassoc_resp(struct wpa_sm
*sm
, const u8
*ies
,
934 size_t ies_len
, const u8
*src_addr
)
936 struct wpa_ft_ies parse
;
937 struct rsn_mdie
*mdie
;
939 u8 mic
[WPA_EAPOL_KEY_MIC_MAX_LEN
];
942 int use_sha384
= wpa_key_mgmt_sha384(sm
->key_mgmt
);
943 const u8
*anonce
, *snonce
, *fte_mic
;
946 wpa_hexdump(MSG_DEBUG
, "FT: Response IEs", ies
, ies_len
);
948 if (!wpa_key_mgmt_ft(sm
->key_mgmt
)) {
949 wpa_printf(MSG_DEBUG
, "FT: Reject FT IEs since FT is not "
950 "enabled for this connection");
954 if (sm
->ft_reassoc_completed
) {
955 wpa_printf(MSG_DEBUG
, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
959 if (wpa_ft_parse_ies(ies
, ies_len
, &parse
, use_sha384
) < 0) {
960 wpa_printf(MSG_DEBUG
, "FT: Failed to parse IEs");
964 mdie
= (struct rsn_mdie
*) parse
.mdie
;
965 if (mdie
== NULL
|| parse
.mdie_len
< sizeof(*mdie
) ||
966 os_memcmp(mdie
->mobility_domain
, sm
->mobility_domain
,
967 MOBILITY_DOMAIN_ID_LEN
) != 0) {
968 wpa_printf(MSG_DEBUG
, "FT: Invalid MDIE");
973 struct rsn_ftie_sha384
*ftie
;
975 ftie
= (struct rsn_ftie_sha384
*) parse
.ftie
;
976 if (!ftie
|| parse
.ftie_len
< sizeof(*ftie
)) {
977 wpa_printf(MSG_DEBUG
, "FT: Invalid FTIE");
981 anonce
= ftie
->anonce
;
982 snonce
= ftie
->snonce
;
983 fte_elem_count
= ftie
->mic_control
[1];
986 struct rsn_ftie
*ftie
;
988 ftie
= (struct rsn_ftie
*) parse
.ftie
;
989 if (!ftie
|| parse
.ftie_len
< sizeof(*ftie
)) {
990 wpa_printf(MSG_DEBUG
, "FT: Invalid FTIE");
994 anonce
= ftie
->anonce
;
995 snonce
= ftie
->snonce
;
996 fte_elem_count
= ftie
->mic_control
[1];
1000 if (os_memcmp(snonce
, sm
->snonce
, WPA_NONCE_LEN
) != 0) {
1001 wpa_printf(MSG_DEBUG
, "FT: SNonce mismatch in FTIE");
1002 wpa_hexdump(MSG_DEBUG
, "FT: Received SNonce",
1003 snonce
, WPA_NONCE_LEN
);
1004 wpa_hexdump(MSG_DEBUG
, "FT: Expected SNonce",
1005 sm
->snonce
, WPA_NONCE_LEN
);
1009 if (os_memcmp(anonce
, sm
->anonce
, WPA_NONCE_LEN
) != 0) {
1010 wpa_printf(MSG_DEBUG
, "FT: ANonce mismatch in FTIE");
1011 wpa_hexdump(MSG_DEBUG
, "FT: Received ANonce",
1012 anonce
, WPA_NONCE_LEN
);
1013 wpa_hexdump(MSG_DEBUG
, "FT: Expected ANonce",
1014 sm
->anonce
, WPA_NONCE_LEN
);
1018 if (parse
.r0kh_id
== NULL
) {
1019 wpa_printf(MSG_DEBUG
, "FT: No R0KH-ID subelem in FTIE");
1023 if (parse
.r0kh_id_len
!= sm
->r0kh_id_len
||
1024 os_memcmp_const(parse
.r0kh_id
, sm
->r0kh_id
, parse
.r0kh_id_len
) != 0)
1026 wpa_printf(MSG_DEBUG
, "FT: R0KH-ID in FTIE did not match with "
1027 "the current R0KH-ID");
1028 wpa_hexdump(MSG_DEBUG
, "FT: R0KH-ID in FTIE",
1029 parse
.r0kh_id
, parse
.r0kh_id_len
);
1030 wpa_hexdump(MSG_DEBUG
, "FT: The current R0KH-ID",
1031 sm
->r0kh_id
, sm
->r0kh_id_len
);
1035 if (parse
.r1kh_id
== NULL
) {
1036 wpa_printf(MSG_DEBUG
, "FT: No R1KH-ID subelem in FTIE");
1040 if (os_memcmp_const(parse
.r1kh_id
, sm
->r1kh_id
, FT_R1KH_ID_LEN
) != 0) {
1041 wpa_printf(MSG_DEBUG
, "FT: Unknown R1KH-ID used in "
1046 if (parse
.rsn_pmkid
== NULL
||
1047 os_memcmp_const(parse
.rsn_pmkid
, sm
->pmk_r1_name
, WPA_PMK_NAME_LEN
))
1049 wpa_printf(MSG_DEBUG
, "FT: No matching PMKR1Name (PMKID) in "
1050 "RSNIE (pmkid=%d)", !!parse
.rsn_pmkid
);
1056 count
+= ieee802_11_ie_count(parse
.ric
, parse
.ric_len
);
1059 if (fte_elem_count
!= count
) {
1060 wpa_printf(MSG_DEBUG
, "FT: Unexpected IE count in MIC "
1061 "Control: received %u expected %u",
1062 fte_elem_count
, count
);
1066 if (wpa_key_mgmt_fils(sm
->key_mgmt
)) {
1068 kck_len
= sm
->ptk
.kck2_len
;
1071 kck_len
= sm
->ptk
.kck_len
;
1074 if (wpa_ft_mic(kck
, kck_len
, sm
->own_addr
, src_addr
, 6,
1075 parse
.mdie
- 2, parse
.mdie_len
+ 2,
1076 parse
.ftie
- 2, parse
.ftie_len
+ 2,
1077 parse
.rsn
- 2, parse
.rsn_len
+ 2,
1078 parse
.ric
, parse
.ric_len
,
1079 parse
.rsnxe
? parse
.rsnxe
- 2 : NULL
,
1080 parse
.rsnxe
? parse
.rsnxe_len
+ 2 : 0,
1082 wpa_printf(MSG_DEBUG
, "FT: Failed to calculate MIC");
1086 if (os_memcmp_const(mic
, fte_mic
, 16) != 0) {
1087 wpa_printf(MSG_DEBUG
, "FT: Invalid MIC in FTIE");
1088 wpa_hexdump(MSG_MSGDUMP
, "FT: Received MIC", fte_mic
, 16);
1089 wpa_hexdump(MSG_MSGDUMP
, "FT: Calculated MIC", mic
, 16);
1093 if (!sm
->ap_rsn_ie
) {
1094 wpa_dbg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1095 "FT: No RSNE for this AP known - trying to get from scan results");
1096 if (wpa_sm_get_beacon_ie(sm
) < 0) {
1097 wpa_msg(sm
->ctx
->msg_ctx
, MSG_WARNING
,
1098 "FT: Could not find AP from the scan results");
1101 wpa_msg(sm
->ctx
->msg_ctx
, MSG_DEBUG
,
1102 "FT: Found the current AP from updated scan results");
1105 if (sm
->ap_rsn_ie
&&
1106 wpa_compare_rsn_ie(wpa_key_mgmt_ft(sm
->key_mgmt
),
1107 sm
->ap_rsn_ie
, sm
->ap_rsn_ie_len
,
1108 parse
.rsn
- 2, parse
.rsn_len
+ 2)) {
1109 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1110 "FT: RSNE mismatch between Beacon/ProbeResp and FT protocol Reassociation Response frame");
1111 wpa_hexdump(MSG_INFO
, "RSNE in Beacon/ProbeResp",
1112 sm
->ap_rsn_ie
, sm
->ap_rsn_ie_len
);
1113 wpa_hexdump(MSG_INFO
,
1114 "RSNE in FT protocol Reassociation Response frame",
1115 parse
.rsn
? parse
.rsn
- 2 : NULL
,
1116 parse
.rsn
? parse
.rsn_len
+ 2 : 0);
1120 if ((sm
->ap_rsnxe
&& !parse
.rsnxe
) ||
1121 (!sm
->ap_rsnxe
&& parse
.rsnxe
) ||
1122 (sm
->ap_rsnxe
&& parse
.rsnxe
&&
1123 (sm
->ap_rsnxe_len
!= 2 + parse
.rsnxe_len
||
1124 os_memcmp(sm
->ap_rsnxe
, parse
.rsnxe
- 2,
1125 sm
->ap_rsnxe_len
) != 0))) {
1126 wpa_msg(sm
->ctx
->msg_ctx
, MSG_INFO
,
1127 "FT: RSNXE mismatch between Beacon/ProbeResp and FT protocol Reassociation Response frame");
1128 wpa_hexdump(MSG_INFO
, "RSNXE in Beacon/ProbeResp",
1129 sm
->ap_rsnxe
, sm
->ap_rsnxe_len
);
1130 wpa_hexdump(MSG_INFO
,
1131 "RSNXE in FT protocol Reassociation Response frame",
1132 parse
.rsnxe
? parse
.rsnxe
- 2 : NULL
,
1133 parse
.rsnxe
? parse
.rsnxe_len
+ 2 : 0);
1138 if (wpa_sm_ocv_enabled(sm
)) {
1139 struct wpa_channel_info ci
;
1141 if (wpa_sm_channel_info(sm
, &ci
) != 0) {
1142 wpa_printf(MSG_WARNING
,
1143 "Failed to get channel info to validate received OCI in (Re)Assoc Response");
1147 if (ocv_verify_tx_params(parse
.oci
, parse
.oci_len
, &ci
,
1148 channel_width_to_int(ci
.chanwidth
),
1149 ci
.seg1_idx
) != 0) {
1150 wpa_printf(MSG_WARNING
, "%s", ocv_errorstr
);
1154 #endif /* CONFIG_OCV */
1156 sm
->ft_reassoc_completed
= 1;
1158 if (wpa_ft_process_gtk_subelem(sm
, parse
.gtk
, parse
.gtk_len
) < 0 ||
1159 wpa_ft_process_igtk_subelem(sm
, parse
.igtk
, parse
.igtk_len
) < 0 ||
1160 wpa_ft_process_bigtk_subelem(sm
, parse
.bigtk
, parse
.bigtk_len
) < 0)
1163 if (sm
->set_ptk_after_assoc
) {
1164 wpa_printf(MSG_DEBUG
, "FT: Try to set PTK again now that we "
1166 if (wpa_ft_install_ptk(sm
, src_addr
) < 0)
1168 sm
->set_ptk_after_assoc
= 0;
1172 wpa_hexdump(MSG_MSGDUMP
, "FT: RIC Response",
1173 parse
.ric
, parse
.ric_len
);
1174 /* TODO: parse response and inform driver about results when
1175 * using wpa_supplicant SME */
1178 wpa_printf(MSG_DEBUG
, "FT: Completed successfully");
1185 * wpa_ft_start_over_ds - Generate over-the-DS auth request
1186 * @sm: Pointer to WPA state machine data from wpa_sm_init()
1187 * @target_ap: Target AP Address
1188 * @mdie: Mobility Domain IE from the target AP
1189 * Returns: 0 on success, -1 on failure
1191 int wpa_ft_start_over_ds(struct wpa_sm
*sm
, const u8
*target_ap
,
1197 wpa_printf(MSG_DEBUG
, "FT: Request over-the-DS with " MACSTR
,
1198 MAC2STR(target_ap
));
1200 /* Generate a new SNonce */
1201 if (random_get_bytes(sm
->snonce
, WPA_NONCE_LEN
)) {
1202 wpa_printf(MSG_INFO
, "FT: Failed to generate a new SNonce");
1206 ft_ies
= wpa_ft_gen_req_ies(sm
, &ft_ies_len
, NULL
, sm
->pmk_r0_name
,
1207 NULL
, 0, target_ap
, NULL
, 0, mdie
);
1209 sm
->over_the_ds_in_progress
= 1;
1210 os_memcpy(sm
->target_ap
, target_ap
, ETH_ALEN
);
1211 wpa_sm_send_ft_action(sm
, 1, target_ap
, ft_ies
, ft_ies_len
);
1218 #endif /* CONFIG_IEEE80211R */