if (wpa_key_mgmt_ft(sm->key_mgmt)) {
int res;
- /* Add PMKR1Name into RSN IE (PMKID-List) */
- rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN);
+ /*
+ * Add PMKR1Name into RSN IE (PMKID-List) and add MDIE and
+ * FTIE from (Re)Association Response.
+ */
+ rsn_ie_buf = os_malloc(wpa_ie_len + 2 + 2 + PMKID_LEN +
+ sm->assoc_resp_ies_len);
if (rsn_ie_buf == NULL)
return -1;
os_memcpy(rsn_ie_buf, wpa_ie, wpa_ie_len);
os_free(rsn_ie_buf);
return -1;
}
+ wpa_ie_len += res;
+
+ if (sm->assoc_resp_ies) {
+ os_memcpy(rsn_ie_buf + wpa_ie_len, sm->assoc_resp_ies,
+ sm->assoc_resp_ies_len);
+ wpa_ie_len += sm->assoc_resp_ies_len;
+ }
wpa_ie = rsn_ie_buf;
- wpa_ie_len += res;
}
#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_IEEE80211R
if (wpa_key_mgmt_ft(sm->key_mgmt)) {
/* Prepare for the next transition */
- wpa_ft_prepare_auth_request(sm);
+ wpa_ft_prepare_auth_request(sm, NULL);
}
#endif /* CONFIG_IEEE80211R */
}
}
+#ifdef CONFIG_IEEE80211R
+
+static int ft_validate_mdie(struct wpa_sm *sm,
+ const unsigned char *src_addr,
+ struct wpa_eapol_ie_parse *ie,
+ const u8 *assoc_resp_mdie)
+{
+ struct rsn_mdie *mdie;
+
+ mdie = (struct rsn_mdie *) (ie->mdie + 2);
+ if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
+ os_memcmp(mdie->mobility_domain, sm->mobility_domain,
+ MOBILITY_DOMAIN_ID_LEN) != 0) {
+ wpa_printf(MSG_DEBUG, "FT: MDIE in msg 3/4 did not "
+ "match with the current mobility domain");
+ return -1;
+ }
+
+ if (assoc_resp_mdie &&
+ (assoc_resp_mdie[1] != ie->mdie[1] ||
+ os_memcmp(assoc_resp_mdie, ie->mdie, 2 + ie->mdie[1]) != 0)) {
+ wpa_printf(MSG_DEBUG, "FT: MDIE mismatch");
+ wpa_hexdump(MSG_DEBUG, "FT: MDIE in EAPOL-Key msg 3/4",
+ ie->mdie, 2 + ie->mdie[1]);
+ wpa_hexdump(MSG_DEBUG, "FT: MDIE in (Re)Association Response",
+ assoc_resp_mdie, 2 + assoc_resp_mdie[1]);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int ft_validate_ftie(struct wpa_sm *sm,
+ const unsigned char *src_addr,
+ struct wpa_eapol_ie_parse *ie,
+ const u8 *assoc_resp_ftie)
+{
+ if (ie->ftie == NULL) {
+ wpa_printf(MSG_DEBUG, "FT: No FTIE in EAPOL-Key msg 3/4");
+ return -1;
+ }
+
+ if (assoc_resp_ftie == NULL)
+ return 0;
+
+ if (assoc_resp_ftie[1] != ie->ftie[1] ||
+ os_memcmp(assoc_resp_ftie, ie->ftie, 2 + ie->ftie[1]) != 0) {
+ wpa_printf(MSG_DEBUG, "FT: FTIE mismatch");
+ wpa_hexdump(MSG_DEBUG, "FT: FTIE in EAPOL-Key msg 3/4",
+ ie->ftie, 2 + ie->ftie[1]);
+ wpa_hexdump(MSG_DEBUG, "FT: FTIE in (Re)Association Response",
+ assoc_resp_ftie, 2 + assoc_resp_ftie[1]);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int ft_validate_rsnie(struct wpa_sm *sm,
+ const unsigned char *src_addr,
+ struct wpa_eapol_ie_parse *ie)
+{
+ struct wpa_ie_data rsn;
+
+ if (!ie->rsn_ie)
+ return 0;
+
+ /*
+ * Verify that PMKR1Name from EAPOL-Key message 3/4
+ * matches with the value we derived.
+ */
+ if (wpa_parse_wpa_ie_rsn(ie->rsn_ie, ie->rsn_ie_len, &rsn) < 0 ||
+ rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
+ wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
+ "FT 4-way handshake message 3/4");
+ return -1;
+ }
+
+ if (os_memcmp(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) != 0) {
+ wpa_printf(MSG_DEBUG, "FT: PMKR1Name mismatch in "
+ "FT 4-way handshake message 3/4");
+ wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from Authenticator",
+ rsn.pmkid, WPA_PMK_NAME_LEN);
+ wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
+ sm->pmk_r1_name, WPA_PMK_NAME_LEN);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int wpa_supplicant_validate_ie_ft(struct wpa_sm *sm,
+ const unsigned char *src_addr,
+ struct wpa_eapol_ie_parse *ie)
+{
+ const u8 *pos, *end, *mdie = NULL, *ftie = NULL;
+
+ if (sm->assoc_resp_ies) {
+ pos = sm->assoc_resp_ies;
+ end = pos + sm->assoc_resp_ies_len;
+ while (pos + 2 < end) {
+ if (pos + 2 + pos[1] > end)
+ break;
+ switch (*pos) {
+ case WLAN_EID_MOBILITY_DOMAIN:
+ mdie = pos;
+ break;
+ case WLAN_EID_FAST_BSS_TRANSITION:
+ ftie = pos;
+ break;
+ }
+ pos += 2 + pos[1];
+ }
+ }
+
+ if (ft_validate_mdie(sm, src_addr, ie, mdie) < 0 ||
+ ft_validate_ftie(sm, src_addr, ie, ftie) < 0 ||
+ ft_validate_rsnie(sm, src_addr, ie) < 0)
+ return -1;
+
+ return 0;
+}
+
+#endif /* CONFIG_IEEE80211R */
+
+
static int wpa_supplicant_validate_ie(struct wpa_sm *sm,
const unsigned char *src_addr,
struct wpa_eapol_ie_parse *ie)
}
#ifdef CONFIG_IEEE80211R
- if (wpa_key_mgmt_ft(sm->key_mgmt)) {
- struct rsn_mdie *mdie;
- /* TODO: verify that full MDIE matches with the one from scan
- * results, not only mobility domain */
- mdie = (struct rsn_mdie *) (ie->mdie + 2);
- if (ie->mdie == NULL || ie->mdie_len < 2 + sizeof(*mdie) ||
- os_memcmp(mdie->mobility_domain, sm->mobility_domain,
- MOBILITY_DOMAIN_ID_LEN) != 0) {
- wpa_printf(MSG_DEBUG, "FT: MDIE in msg 3/4 did not "
- "match with the current mobility domain");
- return -1;
- }
- }
+ if (wpa_key_mgmt_ft(sm->key_mgmt) &&
+ wpa_supplicant_validate_ie_ft(sm, src_addr, ie) < 0)
+ return -1;
#endif /* CONFIG_IEEE80211R */
return 0;
if (wpa_supplicant_validate_ie(sm, sm->bssid, &ie) < 0)
goto failed;
-#ifdef CONFIG_IEEE80211R
- if (wpa_key_mgmt_ft(sm->key_mgmt) && ie.rsn_ie) {
- struct wpa_ie_data rsn;
- /*
- * Verify that PMKR1Name from EAPOL-Key message 3/4 matches
- * with the value we derived.
- */
- if (wpa_parse_wpa_ie_rsn(ie.rsn_ie, ie.rsn_ie_len, &rsn) < 0 ||
- rsn.num_pmkid != 1 || rsn.pmkid == NULL) {
- wpa_printf(MSG_DEBUG, "FT: No PMKR1Name in "
- "FT 4-way handshake message 3/4");
- return;
- }
-
- if (os_memcmp(rsn.pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN) !=
- 0) {
- wpa_printf(MSG_DEBUG, "FT: PMKR1Name mismatch in "
- "FT 4-way handshake message 3/4");
- wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name from "
- "Authenticator",
- rsn.pmkid, WPA_PMK_NAME_LEN);
- wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
- sm->pmk_r1_name, WPA_PMK_NAME_LEN);
- return;
- }
- }
-#endif /* CONFIG_IEEE80211R */
-
if (os_memcmp(sm->anonce, key->key_nonce, WPA_NONCE_LEN) != 0) {
wpa_printf(MSG_WARNING, "WPA: ANonce from message 1 of 4-Way "
"Handshake differs from 3 of 4-Way Handshake - drop"
os_free(sm->ap_rsn_ie);
os_free(sm->ctx);
peerkey_deinit(sm);
+#ifdef CONFIG_IEEE80211R
+ os_free(sm->assoc_resp_ies);
+#endif /* CONFIG_IEEE80211R */
os_free(sm);
}
wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
/* Prepare for the next transition */
- wpa_ft_prepare_auth_request(sm);
+ wpa_ft_prepare_auth_request(sm, NULL);
clear_ptk = 0;
}