Home | History | Annotate | Download | only in ap
      1 /*
      2  * hostapd - IEEE 802.11r - Fast BSS Transition
      3  * Copyright (c) 2004-2015, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "utils/includes.h"
     10 
     11 #include "utils/common.h"
     12 #include "utils/eloop.h"
     13 #include "utils/list.h"
     14 #include "common/ieee802_11_defs.h"
     15 #include "common/ieee802_11_common.h"
     16 #include "crypto/aes.h"
     17 #include "crypto/aes_siv.h"
     18 #include "crypto/aes_wrap.h"
     19 #include "crypto/random.h"
     20 #include "ap_config.h"
     21 #include "ieee802_11.h"
     22 #include "wmm.h"
     23 #include "wpa_auth.h"
     24 #include "wpa_auth_i.h"
     25 
     26 
     27 #ifdef CONFIG_IEEE80211R_AP
     28 
     29 const unsigned int ftRRBseqTimeout = 10;
     30 const unsigned int ftRRBmaxQueueLen = 100;
     31 
     32 
     33 static int wpa_ft_send_rrb_auth_resp(struct wpa_state_machine *sm,
     34 				     const u8 *current_ap, const u8 *sta_addr,
     35 				     u16 status, const u8 *resp_ies,
     36 				     size_t resp_ies_len);
     37 static void ft_finish_pull(struct wpa_state_machine *sm);
     38 static void wpa_ft_expire_pull(void *eloop_ctx, void *timeout_ctx);
     39 static void wpa_ft_rrb_seq_timeout(void *eloop_ctx, void *timeout_ctx);
     40 
     41 struct tlv_list {
     42 	u16 type;
     43 	size_t len;
     44 	const u8 *data;
     45 };
     46 
     47 
     48 /**
     49  * wpa_ft_rrb_decrypt - Decrypt FT RRB message
     50  * @key: AES-SIV key for AEAD
     51  * @key_len: Length of key in octets
     52  * @enc: Pointer to encrypted TLVs
     53  * @enc_len: Length of encrypted TLVs in octets
     54  * @auth: Pointer to authenticated TLVs
     55  * @auth_len: Length of authenticated TLVs in octets
     56  * @src_addr: MAC address of the frame sender
     57  * @type: Vendor-specific subtype of the RRB frame (FT_PACKET_*)
     58  * @plain: Pointer to return the pointer to the allocated plaintext buffer;
     59  *	needs to be freed by the caller if not NULL;
     60  *	will only be returned on success
     61  * @plain_len: Pointer to return the length of the allocated plaintext buffer
     62  *	in octets
     63  * Returns: 0 on success, -1 on error
     64  */
     65 static int wpa_ft_rrb_decrypt(const u8 *key, const size_t key_len,
     66 			      const u8 *enc, const size_t enc_len,
     67 			      const u8 *auth, const size_t auth_len,
     68 			      const u8 *src_addr, u8 type,
     69 			      u8 **plain, size_t *plain_size)
     70 {
     71 	const u8 *ad[3] = { src_addr, auth, &type };
     72 	size_t ad_len[3] = { ETH_ALEN, auth_len, sizeof(type) };
     73 
     74 	wpa_hexdump_key(MSG_DEBUG, "FT(RRB): decrypt using key", key, key_len);
     75 
     76 	if (!key) { /* skip decryption */
     77 		*plain = os_memdup(enc, enc_len);
     78 		if (enc_len > 0 && !*plain)
     79 			goto err;
     80 
     81 		*plain_size = enc_len;
     82 
     83 		return 0;
     84 	}
     85 
     86 	*plain = NULL;
     87 
     88 	/* SIV overhead */
     89 	if (enc_len < AES_BLOCK_SIZE)
     90 		goto err;
     91 
     92 	*plain = os_zalloc(enc_len - AES_BLOCK_SIZE);
     93 	if (!*plain)
     94 		goto err;
     95 
     96 	if (aes_siv_decrypt(key, key_len, enc, enc_len, 3, ad, ad_len,
     97 			    *plain) < 0)
     98 		goto err;
     99 
    100 	*plain_size = enc_len - AES_BLOCK_SIZE;
    101 	wpa_hexdump_key(MSG_DEBUG, "FT(RRB): decrypted TLVs",
    102 			*plain, *plain_size);
    103 	return 0;
    104 err:
    105 	os_free(*plain);
    106 	*plain = NULL;
    107 	*plain_size = 0;
    108 
    109 	wpa_printf(MSG_ERROR, "FT(RRB): Failed to decrypt");
    110 
    111 	return -1;
    112 }
    113 
    114 
    115 /* get first tlv record in packet matching type
    116  * @data (decrypted) packet
    117  * @return 0 on success else -1
    118  */
    119 static int wpa_ft_rrb_get_tlv(const u8 *plain, size_t plain_len,
    120 			      u16 type, size_t *tlv_len, const u8 **tlv_data)
    121 {
    122 	const struct ft_rrb_tlv *f;
    123 	size_t left;
    124 	le16 type16;
    125 	size_t len;
    126 
    127 	left = plain_len;
    128 	type16 = host_to_le16(type);
    129 
    130 	while (left >= sizeof(*f)) {
    131 		f = (const struct ft_rrb_tlv *) plain;
    132 
    133 		left -= sizeof(*f);
    134 		plain += sizeof(*f);
    135 		len = le_to_host16(f->len);
    136 
    137 		if (left < len) {
    138 			wpa_printf(MSG_DEBUG, "FT: RRB message truncated");
    139 			break;
    140 		}
    141 
    142 		if (f->type == type16) {
    143 			*tlv_len = len;
    144 			*tlv_data = plain;
    145 			return 0;
    146 		}
    147 
    148 		left -= len;
    149 		plain += len;
    150 	}
    151 
    152 	return -1;
    153 }
    154 
    155 
    156 static void wpa_ft_rrb_dump(const u8 *plain, const size_t plain_len)
    157 {
    158 	const struct ft_rrb_tlv *f;
    159 	size_t left;
    160 	size_t len;
    161 
    162 	left = plain_len;
    163 
    164 	wpa_printf(MSG_DEBUG, "FT: RRB dump message");
    165 	while (left >= sizeof(*f)) {
    166 		f = (const struct ft_rrb_tlv *) plain;
    167 
    168 		left -= sizeof(*f);
    169 		plain += sizeof(*f);
    170 		len = le_to_host16(f->len);
    171 
    172 		wpa_printf(MSG_DEBUG, "FT: RRB TLV type = %d, len = %zu",
    173 			   le_to_host16(f->type), len);
    174 
    175 		if (left < len) {
    176 			wpa_printf(MSG_DEBUG,
    177 				   "FT: RRB message truncated: left %zu bytes, need %zu",
    178 				   left, len);
    179 			break;
    180 		}
    181 
    182 		wpa_hexdump(MSG_DEBUG, "FT: RRB TLV data", plain, len);
    183 
    184 		left -= len;
    185 		plain += len;
    186 	}
    187 
    188 	if (left > 0)
    189 		wpa_hexdump(MSG_DEBUG, "FT: RRB TLV padding", plain, left);
    190 
    191 	wpa_printf(MSG_DEBUG, "FT: RRB dump message end");
    192 }
    193 
    194 
    195 static size_t wpa_ft_tlv_len(const struct tlv_list *tlvs)
    196 {
    197 	size_t tlv_len = 0;
    198 	int i;
    199 
    200 	if (!tlvs)
    201 		return 0;
    202 
    203 	for (i = 0; tlvs[i].type != FT_RRB_LAST_EMPTY; i++) {
    204 		tlv_len += sizeof(struct ft_rrb_tlv);
    205 		tlv_len += tlvs[i].len;
    206 	}
    207 
    208 	return tlv_len;
    209 }
    210 
    211 
    212 static size_t wpa_ft_tlv_lin(const struct tlv_list *tlvs, u8 *start,
    213 			     u8 *endpos)
    214 {
    215 	int i;
    216 	size_t tlv_len;
    217 	struct ft_rrb_tlv *hdr;
    218 	u8 *pos;
    219 
    220 	if (!tlvs)
    221 		return 0;
    222 
    223 	tlv_len = 0;
    224 	pos = start;
    225 	for (i = 0; tlvs[i].type != FT_RRB_LAST_EMPTY; i++) {
    226 		if (tlv_len + sizeof(*hdr) > (size_t) (endpos - start))
    227 			return tlv_len;
    228 		tlv_len += sizeof(*hdr);
    229 		hdr = (struct ft_rrb_tlv *) pos;
    230 		hdr->type = host_to_le16(tlvs[i].type);
    231 		hdr->len = host_to_le16(tlvs[i].len);
    232 		pos = start + tlv_len;
    233 
    234 		if (tlv_len + tlvs[i].len > (size_t) (endpos - start))
    235 			return tlv_len;
    236 		tlv_len += tlvs[i].len;
    237 		os_memcpy(pos, tlvs[i].data, tlvs[i].len);
    238 		pos = start + tlv_len;
    239 	}
    240 
    241 	return tlv_len;
    242 }
    243 
    244 
    245 static int wpa_ft_rrb_lin(const struct tlv_list *tlvs1,
    246 			  const struct tlv_list *tlvs2,
    247 			  u8 **plain, size_t *plain_len)
    248 {
    249 	u8 *pos, *endpos;
    250 	size_t tlv_len;
    251 
    252 	tlv_len = wpa_ft_tlv_len(tlvs1);
    253 	tlv_len += wpa_ft_tlv_len(tlvs2);
    254 
    255 	*plain_len = tlv_len;
    256 	*plain = os_zalloc(tlv_len);
    257 	if (!*plain) {
    258 		wpa_printf(MSG_ERROR, "FT: Failed to allocate plaintext");
    259 		goto err;
    260 	}
    261 
    262 	pos = *plain;
    263 	endpos = *plain + tlv_len;
    264 	pos += wpa_ft_tlv_lin(tlvs1, pos, endpos);
    265 	pos += wpa_ft_tlv_lin(tlvs2, pos, endpos);
    266 
    267 	/* sanity check */
    268 	if (pos != endpos) {
    269 		wpa_printf(MSG_ERROR, "FT: Length error building RRB");
    270 		goto err;
    271 	}
    272 
    273 	return 0;
    274 
    275 err:
    276 	os_free(*plain);
    277 	*plain = NULL;
    278 	*plain_len = 0;
    279 	return -1;
    280 }
    281 
    282 
    283 static int wpa_ft_rrb_encrypt(const u8 *key, const size_t key_len,
    284 			      const u8 *plain, const size_t plain_len,
    285 			      const u8 *auth, const size_t auth_len,
    286 			      const u8 *src_addr, u8 type, u8 *enc)
    287 {
    288 	const u8 *ad[3] = { src_addr, auth, &type };
    289 	size_t ad_len[3] = { ETH_ALEN, auth_len, sizeof(type) };
    290 
    291 	wpa_hexdump_key(MSG_DEBUG, "FT(RRB): plaintext message",
    292 			plain, plain_len);
    293 	wpa_hexdump_key(MSG_DEBUG, "FT(RRB): encrypt using key", key, key_len);
    294 
    295 	if (!key) {
    296 		/* encryption not needed, return plaintext as packet */
    297 		os_memcpy(enc, plain, plain_len);
    298 	} else if (aes_siv_encrypt(key, key_len, plain, plain_len,
    299 				   3, ad, ad_len, enc) < 0) {
    300 		wpa_printf(MSG_ERROR, "FT: Failed to encrypt RRB-OUI message");
    301 		return -1;
    302 	}
    303 
    304 	return 0;
    305 }
    306 
    307 
    308 /**
    309  * wpa_ft_rrb_build - Build and encrypt an FT RRB message
    310  * @key: AES-SIV key for AEAD
    311  * @key_len: Length of key in octets
    312  * @tlvs_enc0: First set of to-be-encrypted TLVs
    313  * @tlvs_enc1: Second set of to-be-encrypted TLVs
    314  * @tlvs_auth: Set of to-be-authenticated TLVs
    315  * @src_addr: MAC address of the frame sender
    316  * @type: Vendor-specific subtype of the RRB frame (FT_PACKET_*)
    317  * @packet Pointer to return the pointer to the allocated packet buffer;
    318  *         needs to be freed by the caller if not null;
    319  *         will only be returned on success
    320  * @packet_len: Pointer to return the length of the allocated buffer in octets
    321  * Returns: 0 on success, -1 on error
    322  */
    323 static int wpa_ft_rrb_build(const u8 *key, const size_t key_len,
    324 			    const struct tlv_list *tlvs_enc0,
    325 			    const struct tlv_list *tlvs_enc1,
    326 			    const struct tlv_list *tlvs_auth,
    327 			    const u8 *src_addr, u8 type,
    328 			    u8 **packet, size_t *packet_len)
    329 {
    330 	u8 *plain = NULL, *auth = NULL, *pos;
    331 	size_t plain_len = 0, auth_len = 0;
    332 	int ret = -1;
    333 
    334 	if (wpa_ft_rrb_lin(tlvs_enc0, tlvs_enc1, &plain, &plain_len) < 0)
    335 		goto out;
    336 
    337 	if (wpa_ft_rrb_lin(tlvs_auth, NULL, &auth, &auth_len) < 0)
    338 		goto out;
    339 
    340 	*packet_len = sizeof(u16) + auth_len + plain_len;
    341 	if (key)
    342 		*packet_len += AES_BLOCK_SIZE;
    343 	*packet = os_zalloc(*packet_len);
    344 	if (!*packet)
    345 		goto out;
    346 
    347 	pos = *packet;
    348 	WPA_PUT_LE16(pos, auth_len);
    349 	pos += 2;
    350 	os_memcpy(pos, auth, auth_len);
    351 	pos += auth_len;
    352 	if (wpa_ft_rrb_encrypt(key, key_len, plain, plain_len, auth,
    353 			       auth_len, src_addr, type, pos) < 0)
    354 		goto out;
    355 
    356 	ret = 0;
    357 
    358 out:
    359 	bin_clear_free(plain, plain_len);
    360 	os_free(auth);
    361 
    362 	if (ret) {
    363 		wpa_printf(MSG_ERROR, "FT: Failed to build RRB-OUI message");
    364 		os_free(*packet);
    365 		*packet = NULL;
    366 		*packet_len = 0;
    367 	}
    368 
    369 	return ret;
    370 }
    371 
    372 
    373 #define RRB_GET_SRC(srcfield, type, field, txt, checklength) do { \
    374 	if (wpa_ft_rrb_get_tlv(srcfield, srcfield##_len, type, \
    375 				&f_##field##_len, &f_##field) < 0 || \
    376 	    (checklength > 0 && ((size_t) checklength) != f_##field##_len)) { \
    377 		wpa_printf(MSG_INFO, "FT: Missing required " #field \
    378 			   " in %s from " MACSTR, txt, MAC2STR(src_addr)); \
    379 		wpa_ft_rrb_dump(srcfield, srcfield##_len); \
    380 		goto out; \
    381 	} \
    382 } while (0)
    383 
    384 #define RRB_GET(type, field, txt, checklength) \
    385 	RRB_GET_SRC(plain, type, field, txt, checklength)
    386 #define RRB_GET_AUTH(type, field, txt, checklength) \
    387 	RRB_GET_SRC(auth, type, field, txt, checklength)
    388 
    389 #define RRB_GET_OPTIONAL_SRC(srcfield, type, field, txt, checklength) do { \
    390 	if (wpa_ft_rrb_get_tlv(srcfield, srcfield##_len, type, \
    391 				&f_##field##_len, &f_##field) < 0 || \
    392 	    (checklength > 0 && ((size_t) checklength) != f_##field##_len)) { \
    393 		wpa_printf(MSG_DEBUG, "FT: Missing optional " #field \
    394 			   " in %s from " MACSTR, txt, MAC2STR(src_addr)); \
    395 		f_##field##_len = 0; \
    396 		f_##field = NULL; \
    397 	} \
    398 } while (0)
    399 
    400 #define RRB_GET_OPTIONAL(type, field, txt, checklength) \
    401 	RRB_GET_OPTIONAL_SRC(plain, type, field, txt, checklength)
    402 #define RRB_GET_OPTIONAL_AUTH(type, field, txt, checklength) \
    403 	RRB_GET_OPTIONAL_SRC(auth, type, field, txt, checklength)
    404 
    405 static int wpa_ft_rrb_send(struct wpa_authenticator *wpa_auth, const u8 *dst,
    406 			   const u8 *data, size_t data_len)
    407 {
    408 	if (wpa_auth->cb->send_ether == NULL)
    409 		return -1;
    410 	wpa_printf(MSG_DEBUG, "FT: RRB send to " MACSTR, MAC2STR(dst));
    411 	return wpa_auth->cb->send_ether(wpa_auth->cb_ctx, dst, ETH_P_RRB,
    412 					data, data_len);
    413 }
    414 
    415 
    416 static int wpa_ft_rrb_oui_send(struct wpa_authenticator *wpa_auth,
    417 			       const u8 *dst, u8 oui_suffix,
    418 			       const u8 *data, size_t data_len)
    419 {
    420 	if (!wpa_auth->cb->send_oui)
    421 		return -1;
    422 	wpa_printf(MSG_DEBUG, "FT: RRB-OUI type %u send to " MACSTR,
    423 		   oui_suffix, MAC2STR(dst));
    424 	return wpa_auth->cb->send_oui(wpa_auth->cb_ctx, dst, oui_suffix, data,
    425 				      data_len);
    426 }
    427 
    428 
    429 static int wpa_ft_action_send(struct wpa_authenticator *wpa_auth,
    430 			      const u8 *dst, const u8 *data, size_t data_len)
    431 {
    432 	if (wpa_auth->cb->send_ft_action == NULL)
    433 		return -1;
    434 	return wpa_auth->cb->send_ft_action(wpa_auth->cb_ctx, dst,
    435 					    data, data_len);
    436 }
    437 
    438 
    439 static const u8 * wpa_ft_get_psk(struct wpa_authenticator *wpa_auth,
    440 				 const u8 *addr, const u8 *p2p_dev_addr,
    441 				 const u8 *prev_psk)
    442 {
    443 	if (wpa_auth->cb->get_psk == NULL)
    444 		return NULL;
    445 	return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
    446 				     prev_psk, NULL);
    447 }
    448 
    449 
    450 static struct wpa_state_machine *
    451 wpa_ft_add_sta(struct wpa_authenticator *wpa_auth, const u8 *sta_addr)
    452 {
    453 	if (wpa_auth->cb->add_sta == NULL)
    454 		return NULL;
    455 	return wpa_auth->cb->add_sta(wpa_auth->cb_ctx, sta_addr);
    456 }
    457 
    458 
    459 static int wpa_ft_add_tspec(struct wpa_authenticator *wpa_auth,
    460 			    const u8 *sta_addr,
    461 			    u8 *tspec_ie, size_t tspec_ielen)
    462 {
    463 	if (wpa_auth->cb->add_tspec == NULL) {
    464 		wpa_printf(MSG_DEBUG, "FT: add_tspec is not initialized");
    465 		return -1;
    466 	}
    467 	return wpa_auth->cb->add_tspec(wpa_auth->cb_ctx, sta_addr, tspec_ie,
    468 				       tspec_ielen);
    469 }
    470 
    471 
    472 int wpa_write_mdie(struct wpa_auth_config *conf, u8 *buf, size_t len)
    473 {
    474 	u8 *pos = buf;
    475 	u8 capab;
    476 	if (len < 2 + sizeof(struct rsn_mdie))
    477 		return -1;
    478 
    479 	*pos++ = WLAN_EID_MOBILITY_DOMAIN;
    480 	*pos++ = MOBILITY_DOMAIN_ID_LEN + 1;
    481 	os_memcpy(pos, conf->mobility_domain, MOBILITY_DOMAIN_ID_LEN);
    482 	pos += MOBILITY_DOMAIN_ID_LEN;
    483 	capab = 0;
    484 	if (conf->ft_over_ds)
    485 		capab |= RSN_FT_CAPAB_FT_OVER_DS;
    486 	*pos++ = capab;
    487 
    488 	return pos - buf;
    489 }
    490 
    491 
    492 int wpa_write_ftie(struct wpa_auth_config *conf, const u8 *r0kh_id,
    493 		   size_t r0kh_id_len,
    494 		   const u8 *anonce, const u8 *snonce,
    495 		   u8 *buf, size_t len, const u8 *subelem,
    496 		   size_t subelem_len)
    497 {
    498 	u8 *pos = buf, *ielen;
    499 	struct rsn_ftie *hdr;
    500 
    501 	if (len < 2 + sizeof(*hdr) + 2 + FT_R1KH_ID_LEN + 2 + r0kh_id_len +
    502 	    subelem_len)
    503 		return -1;
    504 
    505 	*pos++ = WLAN_EID_FAST_BSS_TRANSITION;
    506 	ielen = pos++;
    507 
    508 	hdr = (struct rsn_ftie *) pos;
    509 	os_memset(hdr, 0, sizeof(*hdr));
    510 	pos += sizeof(*hdr);
    511 	WPA_PUT_LE16(hdr->mic_control, 0);
    512 	if (anonce)
    513 		os_memcpy(hdr->anonce, anonce, WPA_NONCE_LEN);
    514 	if (snonce)
    515 		os_memcpy(hdr->snonce, snonce, WPA_NONCE_LEN);
    516 
    517 	/* Optional Parameters */
    518 	*pos++ = FTIE_SUBELEM_R1KH_ID;
    519 	*pos++ = FT_R1KH_ID_LEN;
    520 	os_memcpy(pos, conf->r1_key_holder, FT_R1KH_ID_LEN);
    521 	pos += FT_R1KH_ID_LEN;
    522 
    523 	if (r0kh_id) {
    524 		*pos++ = FTIE_SUBELEM_R0KH_ID;
    525 		*pos++ = r0kh_id_len;
    526 		os_memcpy(pos, r0kh_id, r0kh_id_len);
    527 		pos += r0kh_id_len;
    528 	}
    529 
    530 	if (subelem) {
    531 		os_memcpy(pos, subelem, subelem_len);
    532 		pos += subelem_len;
    533 	}
    534 
    535 	*ielen = pos - buf - 2;
    536 
    537 	return pos - buf;
    538 }
    539 
    540 
    541 /* A packet to be handled after seq response */
    542 struct ft_remote_item {
    543 	struct dl_list list;
    544 
    545 	u8 nonce[FT_RRB_NONCE_LEN];
    546 	struct os_reltime nonce_ts;
    547 
    548 	u8 src_addr[ETH_ALEN];
    549 	u8 *enc;
    550 	size_t enc_len;
    551 	u8 *auth;
    552 	size_t auth_len;
    553 	int (*cb)(struct wpa_authenticator *wpa_auth,
    554 		  const u8 *src_addr,
    555 		  const u8 *enc, size_t enc_len,
    556 		  const u8 *auth, size_t auth_len,
    557 		  int no_defer);
    558 };
    559 
    560 
    561 static void wpa_ft_rrb_seq_free(struct ft_remote_item *item)
    562 {
    563 	eloop_cancel_timeout(wpa_ft_rrb_seq_timeout, ELOOP_ALL_CTX, item);
    564 	dl_list_del(&item->list);
    565 	bin_clear_free(item->enc, item->enc_len);
    566 	os_free(item->auth);
    567 	os_free(item);
    568 }
    569 
    570 
    571 static void wpa_ft_rrb_seq_flush(struct wpa_authenticator *wpa_auth,
    572 				 struct ft_remote_seq *rkh_seq, int cb)
    573 {
    574 	struct ft_remote_item *item, *n;
    575 
    576 	dl_list_for_each_safe(item, n, &rkh_seq->rx.queue,
    577 			      struct ft_remote_item, list) {
    578 		if (cb && item->cb)
    579 			item->cb(wpa_auth, item->src_addr, item->enc,
    580 				 item->enc_len, item->auth, item->auth_len, 1);
    581 		wpa_ft_rrb_seq_free(item);
    582 	}
    583 }
    584 
    585 
    586 static void wpa_ft_rrb_seq_timeout(void *eloop_ctx, void *timeout_ctx)
    587 {
    588 	struct ft_remote_item *item = timeout_ctx;
    589 
    590 	wpa_ft_rrb_seq_free(item);
    591 }
    592 
    593 
    594 static int
    595 wpa_ft_rrb_seq_req(struct wpa_authenticator *wpa_auth,
    596 		   struct ft_remote_seq *rkh_seq, const u8 *src_addr,
    597 		   const u8 *f_r0kh_id, size_t f_r0kh_id_len,
    598 		   const u8 *f_r1kh_id, const u8 *key, size_t key_len,
    599 		   const u8 *enc, size_t enc_len,
    600 		   const u8 *auth, size_t auth_len,
    601 		   int (*cb)(struct wpa_authenticator *wpa_auth,
    602 			     const u8 *src_addr,
    603 			     const u8 *enc, size_t enc_len,
    604 			     const u8 *auth, size_t auth_len,
    605 			     int no_defer))
    606 {
    607 	struct ft_remote_item *item = NULL;
    608 	u8 *packet = NULL;
    609 	size_t packet_len;
    610 	struct tlv_list seq_req_auth[] = {
    611 		{ .type = FT_RRB_NONCE, .len = FT_RRB_NONCE_LEN,
    612 		  .data = NULL /* to be filled: item->nonce */ },
    613 		{ .type = FT_RRB_R0KH_ID, .len = f_r0kh_id_len,
    614 		  .data = f_r0kh_id },
    615 		{ .type = FT_RRB_R1KH_ID, .len = FT_R1KH_ID_LEN,
    616 		  .data = f_r1kh_id },
    617 		{ .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL },
    618 	};
    619 
    620 	if (dl_list_len(&rkh_seq->rx.queue) >= ftRRBmaxQueueLen) {
    621 		wpa_printf(MSG_DEBUG, "FT: Sequence number queue too long");
    622 		goto err;
    623 	}
    624 
    625 	item = os_zalloc(sizeof(*item));
    626 	if (!item)
    627 		goto err;
    628 
    629 	os_memcpy(item->src_addr, src_addr, ETH_ALEN);
    630 	item->cb = cb;
    631 
    632 	if (random_get_bytes(item->nonce, FT_RRB_NONCE_LEN) < 0) {
    633 		wpa_printf(MSG_DEBUG, "FT: Seq num nonce: out of random bytes");
    634 		goto err;
    635 	}
    636 
    637 	if (os_get_reltime(&item->nonce_ts) < 0)
    638 		goto err;
    639 
    640 	if (enc && enc_len > 0) {
    641 		item->enc = os_memdup(enc, enc_len);
    642 		item->enc_len = enc_len;
    643 		if (!item->enc)
    644 			goto err;
    645 	}
    646 
    647 	if (auth && auth_len > 0) {
    648 		item->auth = os_memdup(auth, auth_len);
    649 		item->auth_len = auth_len;
    650 		if (!item->auth)
    651 			goto err;
    652 	}
    653 
    654 	eloop_register_timeout(ftRRBseqTimeout, 0, wpa_ft_rrb_seq_timeout,
    655 			       wpa_auth, item);
    656 
    657 	seq_req_auth[0].data = item->nonce;
    658 
    659 	if (wpa_ft_rrb_build(key, key_len, NULL, NULL, seq_req_auth,
    660 			     wpa_auth->addr, FT_PACKET_R0KH_R1KH_SEQ_REQ,
    661 			     &packet, &packet_len) < 0) {
    662 		item = NULL; /* some other seq resp might still accept this */
    663 		goto err;
    664 	}
    665 
    666 	dl_list_add(&rkh_seq->rx.queue, &item->list);
    667 
    668 	wpa_ft_rrb_oui_send(wpa_auth, src_addr, FT_PACKET_R0KH_R1KH_SEQ_REQ,
    669 			    packet, packet_len);
    670 
    671 	os_free(packet);
    672 
    673 	return 0;
    674 err:
    675 	wpa_printf(MSG_DEBUG, "FT: Failed to send sequence number request");
    676 	if (item) {
    677 		os_free(item->auth);
    678 		bin_clear_free(item->enc, item->enc_len);
    679 		os_free(item);
    680 	}
    681 
    682 	return -1;
    683 }
    684 
    685 
    686 #define FT_RRB_SEQ_OK    0
    687 #define FT_RRB_SEQ_DROP  1
    688 #define FT_RRB_SEQ_DEFER 2
    689 
    690 static int
    691 wpa_ft_rrb_seq_chk(struct ft_remote_seq *rkh_seq, const u8 *src_addr,
    692 		   const u8 *enc, size_t enc_len,
    693 		   const u8 *auth, size_t auth_len,
    694 		   const char *msgtype, int no_defer)
    695 {
    696 	const u8 *f_seq;
    697 	size_t f_seq_len;
    698 	const struct ft_rrb_seq *msg_both;
    699 	u32 msg_seq, msg_off, rkh_off;
    700 	struct os_reltime now;
    701 	unsigned int i;
    702 
    703 	RRB_GET_AUTH(FT_RRB_SEQ, seq, msgtype, sizeof(*msg_both));
    704 	wpa_hexdump(MSG_DEBUG, "FT: sequence number", f_seq, f_seq_len);
    705 	msg_both = (const struct ft_rrb_seq *) f_seq;
    706 
    707 	if (rkh_seq->rx.num_last == 0) {
    708 		/* first packet from remote */
    709 		goto defer;
    710 	}
    711 
    712 	if (le_to_host32(msg_both->dom) != rkh_seq->rx.dom) {
    713 		/* remote might have rebooted */
    714 		goto defer;
    715 	}
    716 
    717 	if (os_get_reltime(&now) == 0) {
    718 		u32 msg_ts_now_remote, msg_ts_off;
    719 		struct os_reltime now_remote;
    720 
    721 		os_reltime_sub(&now, &rkh_seq->rx.time_offset, &now_remote);
    722 		msg_ts_now_remote = now_remote.sec;
    723 		msg_ts_off = le_to_host32(msg_both->ts) -
    724 			(msg_ts_now_remote - ftRRBseqTimeout);
    725 		if (msg_ts_off > 2 * ftRRBseqTimeout)
    726 			goto defer;
    727 	}
    728 
    729 	msg_seq = le_to_host32(msg_both->seq);
    730 	rkh_off = rkh_seq->rx.last[rkh_seq->rx.offsetidx];
    731 	msg_off = msg_seq - rkh_off;
    732 	if (msg_off > 0xC0000000)
    733 		goto out; /* too old message, drop it */
    734 
    735 	if (msg_off <= 0x40000000) {
    736 		for (i = 0; i < rkh_seq->rx.num_last; i++) {
    737 			if (rkh_seq->rx.last[i] == msg_seq)
    738 				goto out; /* duplicate message, drop it */
    739 		}
    740 
    741 		return FT_RRB_SEQ_OK;
    742 	}
    743 
    744 defer:
    745 	if (no_defer)
    746 		goto out;
    747 
    748 	wpa_printf(MSG_DEBUG, "FT: Possibly invalid sequence number in %s from "
    749 		   MACSTR, msgtype, MAC2STR(src_addr));
    750 
    751 	return FT_RRB_SEQ_DEFER;
    752 out:
    753 	wpa_printf(MSG_DEBUG, "FT: Invalid sequence number in %s from " MACSTR,
    754 		   msgtype, MAC2STR(src_addr));
    755 
    756 	return FT_RRB_SEQ_DROP;
    757 }
    758 
    759 
    760 static void
    761 wpa_ft_rrb_seq_accept(struct wpa_authenticator *wpa_auth,
    762 		      struct ft_remote_seq *rkh_seq, const u8 *src_addr,
    763 		      const u8 *auth, size_t auth_len,
    764 		      const char *msgtype)
    765 {
    766 	const u8 *f_seq;
    767 	size_t f_seq_len;
    768 	const struct ft_rrb_seq *msg_both;
    769 	u32 msg_seq, msg_off, min_off, rkh_off;
    770 	int minidx = 0;
    771 	unsigned int i;
    772 
    773 	RRB_GET_AUTH(FT_RRB_SEQ, seq, msgtype, sizeof(*msg_both));
    774 	msg_both = (const struct ft_rrb_seq *) f_seq;
    775 
    776 	msg_seq = le_to_host32(msg_both->seq);
    777 
    778 	if (rkh_seq->rx.num_last < FT_REMOTE_SEQ_BACKLOG) {
    779 		rkh_seq->rx.last[rkh_seq->rx.num_last] = msg_seq;
    780 		rkh_seq->rx.num_last++;
    781 		return;
    782 	}
    783 
    784 	rkh_off = rkh_seq->rx.last[rkh_seq->rx.offsetidx];
    785 	for (i = 0; i < rkh_seq->rx.num_last; i++) {
    786 		msg_off = rkh_seq->rx.last[i] - rkh_off;
    787 		min_off = rkh_seq->rx.last[minidx] - rkh_off;
    788 		if (msg_off < min_off && i != rkh_seq->rx.offsetidx)
    789 			minidx = i;
    790 	}
    791 	rkh_seq->rx.last[rkh_seq->rx.offsetidx] = msg_seq;
    792 	rkh_seq->rx.offsetidx = minidx;
    793 
    794 	return;
    795 out:
    796 	/* RRB_GET_AUTH should never fail here as
    797 	 * wpa_ft_rrb_seq_chk() verified FT_RRB_SEQ presence. */
    798 	wpa_printf(MSG_ERROR, "FT: %s() failed", __func__);
    799 }
    800 
    801 
    802 static int wpa_ft_new_seq(struct ft_remote_seq *rkh_seq,
    803 			  struct ft_rrb_seq *f_seq)
    804 {
    805 	struct os_reltime now;
    806 
    807 	if (os_get_reltime(&now) < 0)
    808 		return -1;
    809 
    810 	if (!rkh_seq->tx.dom) {
    811 		if (random_get_bytes((u8 *) &rkh_seq->tx.seq,
    812 				     sizeof(rkh_seq->tx.seq))) {
    813 			wpa_printf(MSG_ERROR,
    814 				   "FT: Failed to get random data for sequence number initialization");
    815 			rkh_seq->tx.seq = now.usec;
    816 		}
    817 		if (random_get_bytes((u8 *) &rkh_seq->tx.dom,
    818 				     sizeof(rkh_seq->tx.dom))) {
    819 			wpa_printf(MSG_ERROR,
    820 				   "FT: Failed to get random data for sequence number initialization");
    821 			rkh_seq->tx.dom = now.usec;
    822 		}
    823 		rkh_seq->tx.dom |= 1;
    824 	}
    825 
    826 	f_seq->dom = host_to_le32(rkh_seq->tx.dom);
    827 	f_seq->seq = host_to_le32(rkh_seq->tx.seq);
    828 	f_seq->ts = host_to_le32(now.sec);
    829 
    830 	rkh_seq->tx.seq++;
    831 
    832 	return 0;
    833 }
    834 
    835 
    836 struct wpa_ft_pmk_r0_sa {
    837 	struct wpa_ft_pmk_r0_sa *next;
    838 	u8 pmk_r0[PMK_LEN];
    839 	u8 pmk_r0_name[WPA_PMK_NAME_LEN];
    840 	u8 spa[ETH_ALEN];
    841 	int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
    842 	/* TODO: expiration, identity, radius_class, EAP type, VLAN ID */
    843 	int pmk_r1_pushed;
    844 };
    845 
    846 struct wpa_ft_pmk_r1_sa {
    847 	struct wpa_ft_pmk_r1_sa *next;
    848 	u8 pmk_r1[PMK_LEN];
    849 	u8 pmk_r1_name[WPA_PMK_NAME_LEN];
    850 	u8 spa[ETH_ALEN];
    851 	int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
    852 	/* TODO: expiration, identity, radius_class, EAP type, VLAN ID */
    853 };
    854 
    855 struct wpa_ft_pmk_cache {
    856 	struct wpa_ft_pmk_r0_sa *pmk_r0;
    857 	struct wpa_ft_pmk_r1_sa *pmk_r1;
    858 };
    859 
    860 struct wpa_ft_pmk_cache * wpa_ft_pmk_cache_init(void)
    861 {
    862 	struct wpa_ft_pmk_cache *cache;
    863 
    864 	cache = os_zalloc(sizeof(*cache));
    865 
    866 	return cache;
    867 }
    868 
    869 
    870 void wpa_ft_pmk_cache_deinit(struct wpa_ft_pmk_cache *cache)
    871 {
    872 	struct wpa_ft_pmk_r0_sa *r0, *r0prev;
    873 	struct wpa_ft_pmk_r1_sa *r1, *r1prev;
    874 
    875 	r0 = cache->pmk_r0;
    876 	while (r0) {
    877 		r0prev = r0;
    878 		r0 = r0->next;
    879 		os_memset(r0prev->pmk_r0, 0, PMK_LEN);
    880 		os_free(r0prev);
    881 	}
    882 
    883 	r1 = cache->pmk_r1;
    884 	while (r1) {
    885 		r1prev = r1;
    886 		r1 = r1->next;
    887 		os_memset(r1prev->pmk_r1, 0, PMK_LEN);
    888 		os_free(r1prev);
    889 	}
    890 
    891 	os_free(cache);
    892 }
    893 
    894 
    895 int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
    896 			const u8 *spa, const u8 *pmk_r0,
    897 			const u8 *pmk_r0_name, int pairwise)
    898 {
    899 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
    900 	struct wpa_ft_pmk_r0_sa *r0;
    901 
    902 	/* TODO: add expiration and limit on number of entries in cache */
    903 
    904 	r0 = os_zalloc(sizeof(*r0));
    905 	if (r0 == NULL)
    906 		return -1;
    907 
    908 	os_memcpy(r0->pmk_r0, pmk_r0, PMK_LEN);
    909 	os_memcpy(r0->pmk_r0_name, pmk_r0_name, WPA_PMK_NAME_LEN);
    910 	os_memcpy(r0->spa, spa, ETH_ALEN);
    911 	r0->pairwise = pairwise;
    912 
    913 	r0->next = cache->pmk_r0;
    914 	cache->pmk_r0 = r0;
    915 
    916 	return 0;
    917 }
    918 
    919 
    920 static int wpa_ft_fetch_pmk_r0(struct wpa_authenticator *wpa_auth,
    921 			       const u8 *spa, const u8 *pmk_r0_name,
    922 			       const struct wpa_ft_pmk_r0_sa **r0_out)
    923 {
    924 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
    925 	struct wpa_ft_pmk_r0_sa *r0;
    926 
    927 	r0 = cache->pmk_r0;
    928 	while (r0) {
    929 		if (os_memcmp(r0->spa, spa, ETH_ALEN) == 0 &&
    930 		    os_memcmp_const(r0->pmk_r0_name, pmk_r0_name,
    931 				    WPA_PMK_NAME_LEN) == 0) {
    932 			*r0_out = r0;
    933 			return 0;
    934 		}
    935 
    936 		r0 = r0->next;
    937 	}
    938 
    939 	*r0_out = NULL;
    940 	return -1;
    941 }
    942 
    943 
    944 static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
    945 			       const u8 *spa, const u8 *pmk_r1,
    946 			       const u8 *pmk_r1_name, int pairwise)
    947 {
    948 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
    949 	struct wpa_ft_pmk_r1_sa *r1;
    950 
    951 	/* TODO: add expiration and limit on number of entries in cache */
    952 
    953 	r1 = os_zalloc(sizeof(*r1));
    954 	if (r1 == NULL)
    955 		return -1;
    956 
    957 	os_memcpy(r1->pmk_r1, pmk_r1, PMK_LEN);
    958 	os_memcpy(r1->pmk_r1_name, pmk_r1_name, WPA_PMK_NAME_LEN);
    959 	os_memcpy(r1->spa, spa, ETH_ALEN);
    960 	r1->pairwise = pairwise;
    961 
    962 	r1->next = cache->pmk_r1;
    963 	cache->pmk_r1 = r1;
    964 
    965 	return 0;
    966 }
    967 
    968 
    969 static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
    970 			       const u8 *spa, const u8 *pmk_r1_name,
    971 			       u8 *pmk_r1, int *pairwise)
    972 {
    973 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
    974 	struct wpa_ft_pmk_r1_sa *r1;
    975 
    976 	r1 = cache->pmk_r1;
    977 	while (r1) {
    978 		if (os_memcmp(r1->spa, spa, ETH_ALEN) == 0 &&
    979 		    os_memcmp_const(r1->pmk_r1_name, pmk_r1_name,
    980 				    WPA_PMK_NAME_LEN) == 0) {
    981 			os_memcpy(pmk_r1, r1->pmk_r1, PMK_LEN);
    982 			if (pairwise)
    983 				*pairwise = r1->pairwise;
    984 			return 0;
    985 		}
    986 
    987 		r1 = r1->next;
    988 	}
    989 
    990 	return -1;
    991 }
    992 
    993 
    994 static int wpa_ft_rrb_init_r0kh_seq(struct ft_remote_r0kh *r0kh)
    995 {
    996 	if (r0kh->seq)
    997 		return 0;
    998 
    999 	r0kh->seq = os_zalloc(sizeof(*r0kh->seq));
   1000 	if (!r0kh->seq) {
   1001 		wpa_printf(MSG_DEBUG, "FT: Failed to allocate r0kh->seq");
   1002 		return -1;
   1003 	}
   1004 
   1005 	dl_list_init(&r0kh->seq->rx.queue);
   1006 
   1007 	return 0;
   1008 }
   1009 
   1010 
   1011 static void wpa_ft_rrb_lookup_r0kh(struct wpa_authenticator *wpa_auth,
   1012 				   const u8 *f_r0kh_id, size_t f_r0kh_id_len,
   1013 				   struct ft_remote_r0kh **r0kh_out,
   1014 				   struct ft_remote_r0kh **r0kh_wildcard)
   1015 {
   1016 	struct ft_remote_r0kh *r0kh;
   1017 
   1018 	*r0kh_wildcard = NULL;
   1019 	*r0kh_out = NULL;
   1020 
   1021 	if (wpa_auth->conf.r0kh_list)
   1022 		r0kh = *wpa_auth->conf.r0kh_list;
   1023 	else
   1024 		r0kh = NULL;
   1025 	for (; r0kh; r0kh = r0kh->next) {
   1026 		if (r0kh->id_len == 1 && r0kh->id[0] == '*')
   1027 			*r0kh_wildcard = r0kh;
   1028 		if (f_r0kh_id && r0kh->id_len == f_r0kh_id_len &&
   1029 		    os_memcmp_const(f_r0kh_id, r0kh->id, f_r0kh_id_len) == 0)
   1030 			*r0kh_out = r0kh;
   1031 	}
   1032 
   1033 	if (!*r0kh_out && !*r0kh_wildcard)
   1034 		wpa_printf(MSG_DEBUG, "FT: No matching R0KH found");
   1035 
   1036 	if (*r0kh_out && wpa_ft_rrb_init_r0kh_seq(*r0kh_out) < 0)
   1037 		*r0kh_out = NULL;
   1038 }
   1039 
   1040 
   1041 static int wpa_ft_rrb_init_r1kh_seq(struct ft_remote_r1kh *r1kh)
   1042 {
   1043 	if (r1kh->seq)
   1044 		return 0;
   1045 
   1046 	r1kh->seq = os_zalloc(sizeof(*r1kh->seq));
   1047 	if (!r1kh->seq) {
   1048 		wpa_printf(MSG_DEBUG, "FT: Failed to allocate r1kh->seq");
   1049 		return -1;
   1050 	}
   1051 
   1052 	dl_list_init(&r1kh->seq->rx.queue);
   1053 
   1054 	return 0;
   1055 }
   1056 
   1057 
   1058 static void wpa_ft_rrb_lookup_r1kh(struct wpa_authenticator *wpa_auth,
   1059 				   const u8 *f_r1kh_id,
   1060 				   struct ft_remote_r1kh **r1kh_out,
   1061 				   struct ft_remote_r1kh **r1kh_wildcard)
   1062 {
   1063 	struct ft_remote_r1kh *r1kh;
   1064 
   1065 	*r1kh_wildcard = NULL;
   1066 	*r1kh_out = NULL;
   1067 
   1068 	if (wpa_auth->conf.r1kh_list)
   1069 		r1kh = *wpa_auth->conf.r1kh_list;
   1070 	else
   1071 		r1kh = NULL;
   1072 	for (; r1kh; r1kh = r1kh->next) {
   1073 		if (is_zero_ether_addr(r1kh->addr) &&
   1074 		    is_zero_ether_addr(r1kh->id))
   1075 			*r1kh_wildcard = r1kh;
   1076 		if (f_r1kh_id &&
   1077 		    os_memcmp_const(r1kh->id, f_r1kh_id, FT_R1KH_ID_LEN) == 0)
   1078 			*r1kh_out = r1kh;
   1079 	}
   1080 
   1081 	if (!*r1kh_out && !*r1kh_wildcard)
   1082 		wpa_printf(MSG_DEBUG, "FT: No matching R1KH found");
   1083 
   1084 	if (*r1kh_out && wpa_ft_rrb_init_r1kh_seq(*r1kh_out) < 0)
   1085 		*r1kh_out = NULL;
   1086 }
   1087 
   1088 
   1089 static int wpa_ft_rrb_check_r0kh(struct wpa_authenticator *wpa_auth,
   1090 				 const u8 *f_r0kh_id, size_t f_r0kh_id_len)
   1091 {
   1092 	if (f_r0kh_id_len != wpa_auth->conf.r0_key_holder_len ||
   1093 	    os_memcmp_const(f_r0kh_id, wpa_auth->conf.r0_key_holder,
   1094 			    f_r0kh_id_len) != 0)
   1095 		return -1;
   1096 
   1097 	return 0;
   1098 }
   1099 
   1100 
   1101 static int wpa_ft_rrb_check_r1kh(struct wpa_authenticator *wpa_auth,
   1102 				 const u8 *f_r1kh_id)
   1103 {
   1104 	if (os_memcmp_const(f_r1kh_id, wpa_auth->conf.r1_key_holder,
   1105 			    FT_R1KH_ID_LEN) != 0)
   1106 		return -1;
   1107 
   1108 	return 0;
   1109 }
   1110 
   1111 
   1112 static void wpa_ft_rrb_del_r0kh(void *eloop_ctx, void *timeout_ctx)
   1113 {
   1114 	struct wpa_authenticator *wpa_auth = eloop_ctx;
   1115 	struct ft_remote_r0kh *r0kh, *prev = NULL;
   1116 
   1117 	if (!wpa_auth->conf.r0kh_list)
   1118 		return;
   1119 
   1120 	for (r0kh = *wpa_auth->conf.r0kh_list; r0kh; r0kh = r0kh->next) {
   1121 		if (r0kh == timeout_ctx)
   1122 			break;
   1123 		prev = r0kh;
   1124 	}
   1125 	if (!r0kh)
   1126 		return;
   1127 	if (prev)
   1128 		prev->next = r0kh->next;
   1129 	else
   1130 		*wpa_auth->conf.r0kh_list = r0kh->next;
   1131 	if (r0kh->seq)
   1132 		wpa_ft_rrb_seq_flush(wpa_auth, r0kh->seq, 0);
   1133 	os_free(r0kh->seq);
   1134 	os_free(r0kh);
   1135 }
   1136 
   1137 
   1138 static void wpa_ft_rrb_r0kh_replenish(struct wpa_authenticator *wpa_auth,
   1139 				      struct ft_remote_r0kh *r0kh, int timeout)
   1140 {
   1141 	if (timeout > 0)
   1142 		eloop_replenish_timeout(timeout, 0, wpa_ft_rrb_del_r0kh,
   1143 					wpa_auth, r0kh);
   1144 }
   1145 
   1146 
   1147 static void wpa_ft_rrb_r0kh_timeout(struct wpa_authenticator *wpa_auth,
   1148 				    struct ft_remote_r0kh *r0kh, int timeout)
   1149 {
   1150 	eloop_cancel_timeout(wpa_ft_rrb_del_r0kh, wpa_auth, r0kh);
   1151 
   1152 	if (timeout > 0)
   1153 		eloop_register_timeout(timeout, 0, wpa_ft_rrb_del_r0kh,
   1154 				       wpa_auth, r0kh);
   1155 }
   1156 
   1157 
   1158 static struct ft_remote_r0kh *
   1159 wpa_ft_rrb_add_r0kh(struct wpa_authenticator *wpa_auth,
   1160 		    struct ft_remote_r0kh *r0kh_wildcard,
   1161 		    const u8 *src_addr, const u8 *r0kh_id, size_t id_len,
   1162 		    int timeout)
   1163 {
   1164 	struct ft_remote_r0kh *r0kh;
   1165 
   1166 	if (!wpa_auth->conf.r0kh_list)
   1167 		return NULL;
   1168 
   1169 	r0kh = os_zalloc(sizeof(*r0kh));
   1170 	if (!r0kh)
   1171 		return NULL;
   1172 
   1173 	if (src_addr)
   1174 		os_memcpy(r0kh->addr, src_addr, sizeof(r0kh->addr));
   1175 
   1176 	if (id_len > FT_R0KH_ID_MAX_LEN)
   1177 		id_len = FT_R0KH_ID_MAX_LEN;
   1178 	os_memcpy(r0kh->id, r0kh_id, id_len);
   1179 	r0kh->id_len = id_len;
   1180 
   1181 	os_memcpy(r0kh->key, r0kh_wildcard->key, sizeof(r0kh->key));
   1182 
   1183 	r0kh->next = *wpa_auth->conf.r0kh_list;
   1184 	*wpa_auth->conf.r0kh_list = r0kh;
   1185 
   1186 	if (timeout > 0)
   1187 		eloop_register_timeout(timeout, 0, wpa_ft_rrb_del_r0kh,
   1188 				       wpa_auth, r0kh);
   1189 
   1190 	if (wpa_ft_rrb_init_r0kh_seq(r0kh) < 0)
   1191 		return NULL;
   1192 
   1193 	return r0kh;
   1194 }
   1195 
   1196 
   1197 static void wpa_ft_rrb_del_r1kh(void *eloop_ctx, void *timeout_ctx)
   1198 {
   1199 	struct wpa_authenticator *wpa_auth = eloop_ctx;
   1200 	struct ft_remote_r1kh *r1kh, *prev = NULL;
   1201 
   1202 	if (!wpa_auth->conf.r1kh_list)
   1203 		return;
   1204 
   1205 	for (r1kh = *wpa_auth->conf.r1kh_list; r1kh; r1kh = r1kh->next) {
   1206 		if (r1kh == timeout_ctx)
   1207 			break;
   1208 		prev = r1kh;
   1209 	}
   1210 	if (!r1kh)
   1211 		return;
   1212 	if (prev)
   1213 		prev->next = r1kh->next;
   1214 	else
   1215 		*wpa_auth->conf.r1kh_list = r1kh->next;
   1216 	if (r1kh->seq)
   1217 		wpa_ft_rrb_seq_flush(wpa_auth, r1kh->seq, 0);
   1218 	os_free(r1kh->seq);
   1219 	os_free(r1kh);
   1220 }
   1221 
   1222 
   1223 static void wpa_ft_rrb_r1kh_replenish(struct wpa_authenticator *wpa_auth,
   1224 				      struct ft_remote_r1kh *r1kh, int timeout)
   1225 {
   1226 	if (timeout > 0)
   1227 		eloop_replenish_timeout(timeout, 0, wpa_ft_rrb_del_r1kh,
   1228 					wpa_auth, r1kh);
   1229 }
   1230 
   1231 
   1232 static struct ft_remote_r1kh *
   1233 wpa_ft_rrb_add_r1kh(struct wpa_authenticator *wpa_auth,
   1234 		    struct ft_remote_r1kh *r1kh_wildcard,
   1235 		    const u8 *src_addr, const u8 *r1kh_id, int timeout)
   1236 {
   1237 	struct ft_remote_r1kh *r1kh;
   1238 
   1239 	if (!wpa_auth->conf.r1kh_list)
   1240 		return NULL;
   1241 
   1242 	r1kh = os_zalloc(sizeof(*r1kh));
   1243 	if (!r1kh)
   1244 		return NULL;
   1245 
   1246 	os_memcpy(r1kh->addr, src_addr, sizeof(r1kh->addr));
   1247 	os_memcpy(r1kh->id, r1kh_id, sizeof(r1kh->id));
   1248 	os_memcpy(r1kh->key, r1kh_wildcard->key, sizeof(r1kh->key));
   1249 	r1kh->next = *wpa_auth->conf.r1kh_list;
   1250 	*wpa_auth->conf.r1kh_list = r1kh;
   1251 
   1252 	if (timeout > 0)
   1253 		eloop_register_timeout(timeout, 0, wpa_ft_rrb_del_r1kh,
   1254 				       wpa_auth, r1kh);
   1255 
   1256 	if (wpa_ft_rrb_init_r1kh_seq(r1kh) < 0)
   1257 		return NULL;
   1258 
   1259 	return r1kh;
   1260 }
   1261 
   1262 
   1263 void wpa_ft_sta_deinit(struct wpa_state_machine *sm)
   1264 {
   1265 	eloop_cancel_timeout(wpa_ft_expire_pull, sm, NULL);
   1266 }
   1267 
   1268 
   1269 static void wpa_ft_deinit_seq(struct wpa_authenticator *wpa_auth)
   1270 {
   1271 	struct ft_remote_r0kh *r0kh;
   1272 	struct ft_remote_r1kh *r1kh;
   1273 
   1274 	eloop_cancel_timeout(wpa_ft_rrb_seq_timeout, wpa_auth, ELOOP_ALL_CTX);
   1275 
   1276 	if (wpa_auth->conf.r0kh_list)
   1277 		r0kh = *wpa_auth->conf.r0kh_list;
   1278 	else
   1279 		r0kh = NULL;
   1280 	for (; r0kh; r0kh = r0kh->next) {
   1281 		if (!r0kh->seq)
   1282 			continue;
   1283 		wpa_ft_rrb_seq_flush(wpa_auth, r0kh->seq, 0);
   1284 		os_free(r0kh->seq);
   1285 		r0kh->seq = NULL;
   1286 	}
   1287 
   1288 	if (wpa_auth->conf.r1kh_list)
   1289 		r1kh = *wpa_auth->conf.r1kh_list;
   1290 	else
   1291 		r1kh = NULL;
   1292 	for (; r1kh; r1kh = r1kh->next) {
   1293 		if (!r1kh->seq)
   1294 			continue;
   1295 		wpa_ft_rrb_seq_flush(wpa_auth, r1kh->seq, 0);
   1296 		os_free(r1kh->seq);
   1297 		r1kh->seq = NULL;
   1298 	}
   1299 }
   1300 
   1301 
   1302 static void wpa_ft_deinit_rkh_tmp(struct wpa_authenticator *wpa_auth)
   1303 {
   1304 	struct ft_remote_r0kh *r0kh, *r0kh_next, *r0kh_prev = NULL;
   1305 	struct ft_remote_r1kh *r1kh, *r1kh_next, *r1kh_prev = NULL;
   1306 
   1307 	if (wpa_auth->conf.r0kh_list)
   1308 		r0kh = *wpa_auth->conf.r0kh_list;
   1309 	else
   1310 		r0kh = NULL;
   1311 	while (r0kh) {
   1312 		r0kh_next = r0kh->next;
   1313 		if (eloop_cancel_timeout(wpa_ft_rrb_del_r0kh, wpa_auth,
   1314 					 r0kh) > 0) {
   1315 			if (r0kh_prev)
   1316 				r0kh_prev->next = r0kh_next;
   1317 			else
   1318 				*wpa_auth->conf.r0kh_list = r0kh_next;
   1319 			os_free(r0kh);
   1320 		} else {
   1321 			r0kh_prev = r0kh;
   1322 		}
   1323 		r0kh = r0kh_next;
   1324 	}
   1325 
   1326 	if (wpa_auth->conf.r1kh_list)
   1327 		r1kh = *wpa_auth->conf.r1kh_list;
   1328 	else
   1329 		r1kh = NULL;
   1330 	while (r1kh) {
   1331 		r1kh_next = r1kh->next;
   1332 		if (eloop_cancel_timeout(wpa_ft_rrb_del_r1kh, wpa_auth,
   1333 					 r1kh) > 0) {
   1334 			if (r1kh_prev)
   1335 				r1kh_prev->next = r1kh_next;
   1336 			else
   1337 				*wpa_auth->conf.r1kh_list = r1kh_next;
   1338 			os_free(r1kh);
   1339 		} else {
   1340 			r1kh_prev = r1kh;
   1341 		}
   1342 		r1kh = r1kh_next;
   1343 	}
   1344 }
   1345 
   1346 
   1347 void wpa_ft_deinit(struct wpa_authenticator *wpa_auth)
   1348 {
   1349 	wpa_ft_deinit_seq(wpa_auth);
   1350 	wpa_ft_deinit_rkh_tmp(wpa_auth);
   1351 }
   1352 
   1353 
   1354 static void wpa_ft_block_r0kh(struct wpa_authenticator *wpa_auth,
   1355 			      const u8 *f_r0kh_id, size_t f_r0kh_id_len)
   1356 {
   1357 	struct ft_remote_r0kh *r0kh, *r0kh_wildcard;
   1358 
   1359 	if (!wpa_auth->conf.rkh_neg_timeout)
   1360 		return;
   1361 
   1362 	wpa_ft_rrb_lookup_r0kh(wpa_auth, f_r0kh_id, f_r0kh_id_len,
   1363 			       &r0kh, &r0kh_wildcard);
   1364 
   1365 	if (!r0kh_wildcard) {
   1366 		/* r0kh removed after neg_timeout and might need re-adding */
   1367 		return;
   1368 	}
   1369 
   1370 	wpa_hexdump(MSG_DEBUG, "FT: Blacklist R0KH-ID",
   1371 		    f_r0kh_id, f_r0kh_id_len);
   1372 
   1373 	if (r0kh) {
   1374 		wpa_ft_rrb_r0kh_timeout(wpa_auth, r0kh,
   1375 					wpa_auth->conf.rkh_neg_timeout);
   1376 		os_memset(r0kh->addr, 0, ETH_ALEN);
   1377 	} else
   1378 		wpa_ft_rrb_add_r0kh(wpa_auth, r0kh_wildcard, NULL, f_r0kh_id,
   1379 				    f_r0kh_id_len,
   1380 				    wpa_auth->conf.rkh_neg_timeout);
   1381 }
   1382 
   1383 
   1384 static void wpa_ft_expire_pull(void *eloop_ctx, void *timeout_ctx)
   1385 {
   1386 	struct wpa_state_machine *sm = eloop_ctx;
   1387 
   1388 	wpa_printf(MSG_DEBUG, "FT: Timeout pending pull request for " MACSTR,
   1389 		   MAC2STR(sm->addr));
   1390 	if (sm->ft_pending_pull_left_retries <= 0)
   1391 		wpa_ft_block_r0kh(sm->wpa_auth, sm->r0kh_id, sm->r0kh_id_len);
   1392 
   1393 	/* cancel multiple timeouts */
   1394 	eloop_cancel_timeout(wpa_ft_expire_pull, sm, NULL);
   1395 	ft_finish_pull(sm);
   1396 }
   1397 
   1398 
   1399 static int wpa_ft_pull_pmk_r1(struct wpa_state_machine *sm,
   1400 			      const u8 *ies, size_t ies_len,
   1401 			      const u8 *pmk_r0_name)
   1402 {
   1403 	struct ft_remote_r0kh *r0kh, *r0kh_wildcard;
   1404 	u8 *packet = NULL;
   1405 	const u8 *key, *f_r1kh_id = sm->wpa_auth->conf.r1_key_holder;
   1406 	size_t packet_len, key_len;
   1407 	struct ft_rrb_seq f_seq;
   1408 	int tsecs, tusecs, first;
   1409 	struct wpabuf *ft_pending_req_ies;
   1410 	int r0kh_timeout;
   1411 	struct tlv_list req_enc[] = {
   1412 		{ .type = FT_RRB_PMK_R0_NAME, .len = WPA_PMK_NAME_LEN,
   1413 		  .data = pmk_r0_name },
   1414 		{ .type = FT_RRB_S1KH_ID, .len = ETH_ALEN,
   1415 		  .data = sm->addr },
   1416 		{ .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL },
   1417 	};
   1418 	struct tlv_list req_auth[] = {
   1419 		{ .type = FT_RRB_NONCE, .len = FT_RRB_NONCE_LEN,
   1420 		  .data = sm->ft_pending_pull_nonce },
   1421 		{ .type = FT_RRB_SEQ, .len = sizeof(f_seq),
   1422 		  .data = (u8 *) &f_seq },
   1423 		{ .type = FT_RRB_R0KH_ID, .len = sm->r0kh_id_len,
   1424 		  .data = sm->r0kh_id },
   1425 		{ .type = FT_RRB_R1KH_ID, .len = FT_R1KH_ID_LEN,
   1426 		  .data = f_r1kh_id },
   1427 		{ .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL },
   1428 	};
   1429 
   1430 	if (sm->ft_pending_pull_left_retries <= 0)
   1431 		return -1;
   1432 	first = sm->ft_pending_pull_left_retries ==
   1433 		sm->wpa_auth->conf.rkh_pull_retries;
   1434 	sm->ft_pending_pull_left_retries--;
   1435 
   1436 	wpa_ft_rrb_lookup_r0kh(sm->wpa_auth, sm->r0kh_id, sm->r0kh_id_len,
   1437 			       &r0kh, &r0kh_wildcard);
   1438 
   1439 	/* Keep r0kh sufficiently long in the list for seq num check */
   1440 	r0kh_timeout = sm->wpa_auth->conf.rkh_pull_timeout / 1000 +
   1441 		1 + ftRRBseqTimeout;
   1442 	if (r0kh) {
   1443 		wpa_ft_rrb_r0kh_replenish(sm->wpa_auth, r0kh, r0kh_timeout);
   1444 	} else if (r0kh_wildcard) {
   1445 		wpa_printf(MSG_DEBUG, "FT: Using wildcard R0KH-ID");
   1446 		/* r0kh->addr: updated by SEQ_RESP and wpa_ft_expire_pull */
   1447 		r0kh = wpa_ft_rrb_add_r0kh(sm->wpa_auth, r0kh_wildcard,
   1448 					   r0kh_wildcard->addr,
   1449 					   sm->r0kh_id, sm->r0kh_id_len,
   1450 					   r0kh_timeout);
   1451 	}
   1452 	if (r0kh == NULL) {
   1453 		wpa_hexdump(MSG_DEBUG, "FT: Did not find R0KH-ID",
   1454 			    sm->r0kh_id, sm->r0kh_id_len);
   1455 		return -1;
   1456 	}
   1457 	if (is_zero_ether_addr(r0kh->addr)) {
   1458 		wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID is blacklisted",
   1459 			    sm->r0kh_id, sm->r0kh_id_len);
   1460 		return -1;
   1461 	}
   1462 
   1463 	key = r0kh->key;
   1464 	key_len = sizeof(r0kh->key);
   1465 
   1466 	wpa_printf(MSG_DEBUG, "FT: Send PMK-R1 pull request to remote R0KH "
   1467 		   "address " MACSTR, MAC2STR(r0kh->addr));
   1468 
   1469 	if (r0kh->seq->rx.num_last == 0) {
   1470 		/* A sequence request will be sent out anyway when pull
   1471 		 * response is received. Send it out now to avoid one RTT. */
   1472 		wpa_ft_rrb_seq_req(sm->wpa_auth, r0kh->seq, r0kh->addr,
   1473 				   r0kh->id, r0kh->id_len, f_r1kh_id, key,
   1474 				   key_len, NULL, 0, NULL, 0, NULL);
   1475 	}
   1476 
   1477 	if (first &&
   1478 	    random_get_bytes(sm->ft_pending_pull_nonce, FT_RRB_NONCE_LEN) < 0) {
   1479 		wpa_printf(MSG_DEBUG, "FT: Failed to get random data for "
   1480 			   "nonce");
   1481 		return -1;
   1482 	}
   1483 
   1484 	if (wpa_ft_new_seq(r0kh->seq, &f_seq) < 0) {
   1485 		wpa_printf(MSG_DEBUG, "FT: Failed to get seq num");
   1486 		return -1;
   1487 	}
   1488 
   1489 	if (wpa_ft_rrb_build(key, key_len, req_enc, NULL, req_auth,
   1490 			     sm->wpa_auth->addr, FT_PACKET_R0KH_R1KH_PULL,
   1491 			     &packet, &packet_len) < 0)
   1492 		return -1;
   1493 
   1494 	ft_pending_req_ies = wpabuf_alloc_copy(ies, ies_len);
   1495 	wpabuf_free(sm->ft_pending_req_ies);
   1496 	sm->ft_pending_req_ies = ft_pending_req_ies;
   1497 	if (!sm->ft_pending_req_ies) {
   1498 		os_free(packet);
   1499 		return -1;
   1500 	}
   1501 
   1502 	tsecs = sm->wpa_auth->conf.rkh_pull_timeout / 1000;
   1503 	tusecs = (sm->wpa_auth->conf.rkh_pull_timeout % 1000) * 1000;
   1504 	eloop_register_timeout(tsecs, tusecs, wpa_ft_expire_pull, sm, NULL);
   1505 
   1506 	wpa_ft_rrb_oui_send(sm->wpa_auth, r0kh->addr, FT_PACKET_R0KH_R1KH_PULL,
   1507 			    packet, packet_len);
   1508 
   1509 	os_free(packet);
   1510 
   1511 	return 0;
   1512 }
   1513 
   1514 
   1515 int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
   1516 			   struct wpa_ptk *ptk)
   1517 {
   1518 	u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
   1519 	u8 pmk_r1[PMK_LEN];
   1520 	u8 ptk_name[WPA_PMK_NAME_LEN];
   1521 	const u8 *mdid = sm->wpa_auth->conf.mobility_domain;
   1522 	const u8 *r0kh = sm->wpa_auth->conf.r0_key_holder;
   1523 	size_t r0kh_len = sm->wpa_auth->conf.r0_key_holder_len;
   1524 	const u8 *r1kh = sm->wpa_auth->conf.r1_key_holder;
   1525 	const u8 *ssid = sm->wpa_auth->conf.ssid;
   1526 	size_t ssid_len = sm->wpa_auth->conf.ssid_len;
   1527 	int psk_local = sm->wpa_auth->conf.ft_psk_generate_local;
   1528 
   1529 	if (sm->xxkey_len == 0) {
   1530 		wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
   1531 			   "derivation");
   1532 		return -1;
   1533 	}
   1534 
   1535 	if (wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid,
   1536 			      r0kh, r0kh_len, sm->addr,
   1537 			      pmk_r0, pmk_r0_name) < 0)
   1538 		return -1;
   1539 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, PMK_LEN);
   1540 	wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN);
   1541 	if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
   1542 		wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
   1543 				    sm->pairwise);
   1544 
   1545 	if (wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr,
   1546 			      pmk_r1, sm->pmk_r1_name) < 0)
   1547 		return -1;
   1548 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, PMK_LEN);
   1549 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", sm->pmk_r1_name,
   1550 		    WPA_PMK_NAME_LEN);
   1551 	if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
   1552 		wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1,
   1553 				    sm->pmk_r1_name, sm->pairwise);
   1554 
   1555 	return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr,
   1556 				 sm->wpa_auth->addr, sm->pmk_r1_name,
   1557 				 ptk, ptk_name, sm->wpa_key_mgmt, sm->pairwise);
   1558 }
   1559 
   1560 
   1561 static inline int wpa_auth_get_seqnum(struct wpa_authenticator *wpa_auth,
   1562 				      const u8 *addr, int idx, u8 *seq)
   1563 {
   1564 	if (wpa_auth->cb->get_seqnum == NULL)
   1565 		return -1;
   1566 	return wpa_auth->cb->get_seqnum(wpa_auth->cb_ctx, addr, idx, seq);
   1567 }
   1568 
   1569 
   1570 static u8 * wpa_ft_gtk_subelem(struct wpa_state_machine *sm, size_t *len)
   1571 {
   1572 	u8 *subelem;
   1573 	struct wpa_group *gsm = sm->group;
   1574 	size_t subelem_len, pad_len;
   1575 	const u8 *key;
   1576 	size_t key_len;
   1577 	u8 keybuf[32];
   1578 
   1579 	key_len = gsm->GTK_len;
   1580 	if (key_len > sizeof(keybuf))
   1581 		return NULL;
   1582 
   1583 	/*
   1584 	 * Pad key for AES Key Wrap if it is not multiple of 8 bytes or is less
   1585 	 * than 16 bytes.
   1586 	 */
   1587 	pad_len = key_len % 8;
   1588 	if (pad_len)
   1589 		pad_len = 8 - pad_len;
   1590 	if (key_len + pad_len < 16)
   1591 		pad_len += 8;
   1592 	if (pad_len && key_len < sizeof(keybuf)) {
   1593 		os_memcpy(keybuf, gsm->GTK[gsm->GN - 1], key_len);
   1594 		os_memset(keybuf + key_len, 0, pad_len);
   1595 		keybuf[key_len] = 0xdd;
   1596 		key_len += pad_len;
   1597 		key = keybuf;
   1598 	} else
   1599 		key = gsm->GTK[gsm->GN - 1];
   1600 
   1601 	/*
   1602 	 * Sub-elem ID[1] | Length[1] | Key Info[2] | Key Length[1] | RSC[8] |
   1603 	 * Key[5..32].
   1604 	 */
   1605 	subelem_len = 13 + key_len + 8;
   1606 	subelem = os_zalloc(subelem_len);
   1607 	if (subelem == NULL)
   1608 		return NULL;
   1609 
   1610 	subelem[0] = FTIE_SUBELEM_GTK;
   1611 	subelem[1] = 11 + key_len + 8;
   1612 	/* Key ID in B0-B1 of Key Info */
   1613 	WPA_PUT_LE16(&subelem[2], gsm->GN & 0x03);
   1614 	subelem[4] = gsm->GTK_len;
   1615 	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN, subelem + 5);
   1616 	if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, key_len / 8, key,
   1617 		     subelem + 13)) {
   1618 		os_free(subelem);
   1619 		return NULL;
   1620 	}
   1621 
   1622 	*len = subelem_len;
   1623 	return subelem;
   1624 }
   1625 
   1626 
   1627 #ifdef CONFIG_IEEE80211W
   1628 static u8 * wpa_ft_igtk_subelem(struct wpa_state_machine *sm, size_t *len)
   1629 {
   1630 	u8 *subelem, *pos;
   1631 	struct wpa_group *gsm = sm->group;
   1632 	size_t subelem_len;
   1633 
   1634 	/* Sub-elem ID[1] | Length[1] | KeyID[2] | IPN[6] | Key Length[1] |
   1635 	 * Key[16+8] */
   1636 	subelem_len = 1 + 1 + 2 + 6 + 1 + WPA_IGTK_LEN + 8;
   1637 	subelem = os_zalloc(subelem_len);
   1638 	if (subelem == NULL)
   1639 		return NULL;
   1640 
   1641 	pos = subelem;
   1642 	*pos++ = FTIE_SUBELEM_IGTK;
   1643 	*pos++ = subelem_len - 2;
   1644 	WPA_PUT_LE16(pos, gsm->GN_igtk);
   1645 	pos += 2;
   1646 	wpa_auth_get_seqnum(sm->wpa_auth, NULL, gsm->GN_igtk, pos);
   1647 	pos += 6;
   1648 	*pos++ = WPA_IGTK_LEN;
   1649 	if (aes_wrap(sm->PTK.kek, sm->PTK.kek_len, WPA_IGTK_LEN / 8,
   1650 		     gsm->IGTK[gsm->GN_igtk - 4], pos)) {
   1651 		os_free(subelem);
   1652 		return NULL;
   1653 	}
   1654 
   1655 	*len = subelem_len;
   1656 	return subelem;
   1657 }
   1658 #endif /* CONFIG_IEEE80211W */
   1659 
   1660 
   1661 static u8 * wpa_ft_process_rdie(struct wpa_state_machine *sm,
   1662 				u8 *pos, u8 *end, u8 id, u8 descr_count,
   1663 				const u8 *ies, size_t ies_len)
   1664 {
   1665 	struct ieee802_11_elems parse;
   1666 	struct rsn_rdie *rdie;
   1667 
   1668 	wpa_printf(MSG_DEBUG, "FT: Resource Request: id=%d descr_count=%d",
   1669 		   id, descr_count);
   1670 	wpa_hexdump(MSG_MSGDUMP, "FT: Resource descriptor IE(s)",
   1671 		    ies, ies_len);
   1672 
   1673 	if (end - pos < (int) sizeof(*rdie)) {
   1674 		wpa_printf(MSG_ERROR, "FT: Not enough room for response RDIE");
   1675 		return pos;
   1676 	}
   1677 
   1678 	*pos++ = WLAN_EID_RIC_DATA;
   1679 	*pos++ = sizeof(*rdie);
   1680 	rdie = (struct rsn_rdie *) pos;
   1681 	rdie->id = id;
   1682 	rdie->descr_count = 0;
   1683 	rdie->status_code = host_to_le16(WLAN_STATUS_SUCCESS);
   1684 	pos += sizeof(*rdie);
   1685 
   1686 	if (ieee802_11_parse_elems((u8 *) ies, ies_len, &parse, 1) ==
   1687 	    ParseFailed) {
   1688 		wpa_printf(MSG_DEBUG, "FT: Failed to parse request IEs");
   1689 		rdie->status_code =
   1690 			host_to_le16(WLAN_STATUS_UNSPECIFIED_FAILURE);
   1691 		return pos;
   1692 	}
   1693 
   1694 	if (parse.wmm_tspec) {
   1695 		struct wmm_tspec_element *tspec;
   1696 
   1697 		if (parse.wmm_tspec_len + 2 < (int) sizeof(*tspec)) {
   1698 			wpa_printf(MSG_DEBUG, "FT: Too short WMM TSPEC IE "
   1699 				   "(%d)", (int) parse.wmm_tspec_len);
   1700 			rdie->status_code =
   1701 				host_to_le16(WLAN_STATUS_UNSPECIFIED_FAILURE);
   1702 			return pos;
   1703 		}
   1704 		if (end - pos < (int) sizeof(*tspec)) {
   1705 			wpa_printf(MSG_ERROR, "FT: Not enough room for "
   1706 				   "response TSPEC");
   1707 			rdie->status_code =
   1708 				host_to_le16(WLAN_STATUS_UNSPECIFIED_FAILURE);
   1709 			return pos;
   1710 		}
   1711 		tspec = (struct wmm_tspec_element *) pos;
   1712 		os_memcpy(tspec, parse.wmm_tspec - 2, sizeof(*tspec));
   1713 	}
   1714 
   1715 #ifdef NEED_AP_MLME
   1716 	if (parse.wmm_tspec && sm->wpa_auth->conf.ap_mlme) {
   1717 		int res;
   1718 
   1719 		res = wmm_process_tspec((struct wmm_tspec_element *) pos);
   1720 		wpa_printf(MSG_DEBUG, "FT: ADDTS processing result: %d", res);
   1721 		if (res == WMM_ADDTS_STATUS_INVALID_PARAMETERS)
   1722 			rdie->status_code =
   1723 				host_to_le16(WLAN_STATUS_INVALID_PARAMETERS);
   1724 		else if (res == WMM_ADDTS_STATUS_REFUSED)
   1725 			rdie->status_code =
   1726 				host_to_le16(WLAN_STATUS_REQUEST_DECLINED);
   1727 		else {
   1728 			/* TSPEC accepted; include updated TSPEC in response */
   1729 			rdie->descr_count = 1;
   1730 			pos += sizeof(struct wmm_tspec_element);
   1731 		}
   1732 		return pos;
   1733 	}
   1734 #endif /* NEED_AP_MLME */
   1735 
   1736 	if (parse.wmm_tspec && !sm->wpa_auth->conf.ap_mlme) {
   1737 		int res;
   1738 
   1739 		res = wpa_ft_add_tspec(sm->wpa_auth, sm->addr, pos,
   1740 				       sizeof(struct wmm_tspec_element));
   1741 		if (res >= 0) {
   1742 			if (res)
   1743 				rdie->status_code = host_to_le16(res);
   1744 			else {
   1745 				/* TSPEC accepted; include updated TSPEC in
   1746 				 * response */
   1747 				rdie->descr_count = 1;
   1748 				pos += sizeof(struct wmm_tspec_element);
   1749 			}
   1750 			return pos;
   1751 		}
   1752 	}
   1753 
   1754 	wpa_printf(MSG_DEBUG, "FT: No supported resource requested");
   1755 	rdie->status_code = host_to_le16(WLAN_STATUS_UNSPECIFIED_FAILURE);
   1756 	return pos;
   1757 }
   1758 
   1759 
   1760 static u8 * wpa_ft_process_ric(struct wpa_state_machine *sm, u8 *pos, u8 *end,
   1761 			       const u8 *ric, size_t ric_len)
   1762 {
   1763 	const u8 *rpos, *start;
   1764 	const struct rsn_rdie *rdie;
   1765 
   1766 	wpa_hexdump(MSG_MSGDUMP, "FT: RIC Request", ric, ric_len);
   1767 
   1768 	rpos = ric;
   1769 	while (rpos + sizeof(*rdie) < ric + ric_len) {
   1770 		if (rpos[0] != WLAN_EID_RIC_DATA || rpos[1] < sizeof(*rdie) ||
   1771 		    rpos + 2 + rpos[1] > ric + ric_len)
   1772 			break;
   1773 		rdie = (const struct rsn_rdie *) (rpos + 2);
   1774 		rpos += 2 + rpos[1];
   1775 		start = rpos;
   1776 
   1777 		while (rpos + 2 <= ric + ric_len &&
   1778 		       rpos + 2 + rpos[1] <= ric + ric_len) {
   1779 			if (rpos[0] == WLAN_EID_RIC_DATA)
   1780 				break;
   1781 			rpos += 2 + rpos[1];
   1782 		}
   1783 		pos = wpa_ft_process_rdie(sm, pos, end, rdie->id,
   1784 					  rdie->descr_count,
   1785 					  start, rpos - start);
   1786 	}
   1787 
   1788 	return pos;
   1789 }
   1790 
   1791 
   1792 u8 * wpa_sm_write_assoc_resp_ies(struct wpa_state_machine *sm, u8 *pos,
   1793 				 size_t max_len, int auth_alg,
   1794 				 const u8 *req_ies, size_t req_ies_len)
   1795 {
   1796 	u8 *end, *mdie, *ftie, *rsnie = NULL, *r0kh_id, *subelem = NULL;
   1797 	size_t mdie_len, ftie_len, rsnie_len = 0, r0kh_id_len, subelem_len = 0;
   1798 	int res;
   1799 	struct wpa_auth_config *conf;
   1800 	struct rsn_ftie *_ftie;
   1801 	struct wpa_ft_ies parse;
   1802 	u8 *ric_start;
   1803 	u8 *anonce, *snonce;
   1804 
   1805 	if (sm == NULL)
   1806 		return pos;
   1807 
   1808 	conf = &sm->wpa_auth->conf;
   1809 
   1810 	if (!wpa_key_mgmt_ft(sm->wpa_key_mgmt))
   1811 		return pos;
   1812 
   1813 	end = pos + max_len;
   1814 
   1815 	if (auth_alg == WLAN_AUTH_FT) {
   1816 		/*
   1817 		 * RSN (only present if this is a Reassociation Response and
   1818 		 * part of a fast BSS transition)
   1819 		 */
   1820 		res = wpa_write_rsn_ie(conf, pos, end - pos, sm->pmk_r1_name);
   1821 		if (res < 0)
   1822 			return pos;
   1823 		rsnie = pos;
   1824 		rsnie_len = res;
   1825 		pos += res;
   1826 	}
   1827 
   1828 	/* Mobility Domain Information */
   1829 	res = wpa_write_mdie(conf, pos, end - pos);
   1830 	if (res < 0)
   1831 		return pos;
   1832 	mdie = pos;
   1833 	mdie_len = res;
   1834 	pos += res;
   1835 
   1836 	/* Fast BSS Transition Information */
   1837 	if (auth_alg == WLAN_AUTH_FT) {
   1838 		subelem = wpa_ft_gtk_subelem(sm, &subelem_len);
   1839 		r0kh_id = sm->r0kh_id;
   1840 		r0kh_id_len = sm->r0kh_id_len;
   1841 		anonce = sm->ANonce;
   1842 		snonce = sm->SNonce;
   1843 #ifdef CONFIG_IEEE80211W
   1844 		if (sm->mgmt_frame_prot) {
   1845 			u8 *igtk;
   1846 			size_t igtk_len;
   1847 			u8 *nbuf;
   1848 			igtk = wpa_ft_igtk_subelem(sm, &igtk_len);
   1849 			if (igtk == NULL) {
   1850 				os_free(subelem);
   1851 				return pos;
   1852 			}
   1853 			nbuf = os_realloc(subelem, subelem_len + igtk_len);
   1854 			if (nbuf == NULL) {
   1855 				os_free(subelem);
   1856 				os_free(igtk);
   1857 				return pos;
   1858 			}
   1859 			subelem = nbuf;
   1860 			os_memcpy(subelem + subelem_len, igtk, igtk_len);
   1861 			subelem_len += igtk_len;
   1862 			os_free(igtk);
   1863 		}
   1864 #endif /* CONFIG_IEEE80211W */
   1865 	} else {
   1866 		r0kh_id = conf->r0_key_holder;
   1867 		r0kh_id_len = conf->r0_key_holder_len;
   1868 		anonce = NULL;
   1869 		snonce = NULL;
   1870 	}
   1871 	res = wpa_write_ftie(conf, r0kh_id, r0kh_id_len, anonce, snonce, pos,
   1872 			     end - pos, subelem, subelem_len);
   1873 	os_free(subelem);
   1874 	if (res < 0)
   1875 		return pos;
   1876 	ftie = pos;
   1877 	ftie_len = res;
   1878 	pos += res;
   1879 
   1880 	_ftie = (struct rsn_ftie *) (ftie + 2);
   1881 	if (auth_alg == WLAN_AUTH_FT)
   1882 		_ftie->mic_control[1] = 3; /* Information element count */
   1883 
   1884 	ric_start = pos;
   1885 	if (wpa_ft_parse_ies(req_ies, req_ies_len, &parse) == 0 && parse.ric) {
   1886 		pos = wpa_ft_process_ric(sm, pos, end, parse.ric,
   1887 					 parse.ric_len);
   1888 		if (auth_alg == WLAN_AUTH_FT)
   1889 			_ftie->mic_control[1] +=
   1890 				ieee802_11_ie_count(ric_start,
   1891 						    pos - ric_start);
   1892 	}
   1893 	if (ric_start == pos)
   1894 		ric_start = NULL;
   1895 
   1896 	if (auth_alg == WLAN_AUTH_FT &&
   1897 	    wpa_ft_mic(sm->PTK.kck, sm->PTK.kck_len, sm->addr,
   1898 		       sm->wpa_auth->addr, 6,
   1899 		       mdie, mdie_len, ftie, ftie_len,
   1900 		       rsnie, rsnie_len,
   1901 		       ric_start, ric_start ? pos - ric_start : 0,
   1902 		       _ftie->mic) < 0)
   1903 		wpa_printf(MSG_DEBUG, "FT: Failed to calculate MIC");
   1904 
   1905 	os_free(sm->assoc_resp_ftie);
   1906 	sm->assoc_resp_ftie = os_malloc(ftie_len);
   1907 	if (sm->assoc_resp_ftie)
   1908 		os_memcpy(sm->assoc_resp_ftie, ftie, ftie_len);
   1909 
   1910 	return pos;
   1911 }
   1912 
   1913 
   1914 static inline int wpa_auth_set_key(struct wpa_authenticator *wpa_auth,
   1915 				   int vlan_id,
   1916 				   enum wpa_alg alg, const u8 *addr, int idx,
   1917 				   u8 *key, size_t key_len)
   1918 {
   1919 	if (wpa_auth->cb->set_key == NULL)
   1920 		return -1;
   1921 	return wpa_auth->cb->set_key(wpa_auth->cb_ctx, vlan_id, alg, addr, idx,
   1922 				     key, key_len);
   1923 }
   1924 
   1925 
   1926 void wpa_ft_install_ptk(struct wpa_state_machine *sm)
   1927 {
   1928 	enum wpa_alg alg;
   1929 	int klen;
   1930 
   1931 	/* MLME-SETKEYS.request(PTK) */
   1932 	alg = wpa_cipher_to_alg(sm->pairwise);
   1933 	klen = wpa_cipher_key_len(sm->pairwise);
   1934 	if (!wpa_cipher_valid_pairwise(sm->pairwise)) {
   1935 		wpa_printf(MSG_DEBUG, "FT: Unknown pairwise alg 0x%x - skip "
   1936 			   "PTK configuration", sm->pairwise);
   1937 		return;
   1938 	}
   1939 
   1940 	if (sm->tk_already_set) {
   1941 		/* Must avoid TK reconfiguration to prevent clearing of TX/RX
   1942 		 * PN in the driver */
   1943 		wpa_printf(MSG_DEBUG,
   1944 			   "FT: Do not re-install same PTK to the driver");
   1945 		return;
   1946 	}
   1947 
   1948 	/* FIX: add STA entry to kernel/driver here? The set_key will fail
   1949 	 * most likely without this.. At the moment, STA entry is added only
   1950 	 * after association has been completed. This function will be called
   1951 	 * again after association to get the PTK configured, but that could be
   1952 	 * optimized by adding the STA entry earlier.
   1953 	 */
   1954 	if (wpa_auth_set_key(sm->wpa_auth, 0, alg, sm->addr, 0,
   1955 			     sm->PTK.tk, klen))
   1956 		return;
   1957 
   1958 	/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
   1959 	sm->pairwise_set = TRUE;
   1960 	sm->tk_already_set = TRUE;
   1961 }
   1962 
   1963 
   1964 /* Derive PMK-R1 from PSK, check all available PSK */
   1965 static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
   1966 			     const u8 *req_pmk_r1_name,
   1967 			     u8 *out_pmk_r1, int *out_pairwise)
   1968 {
   1969 	const u8 *pmk = NULL;
   1970 	u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
   1971 	u8 pmk_r1[PMK_LEN], pmk_r1_name[WPA_PMK_NAME_LEN];
   1972 	struct wpa_authenticator *wpa_auth = sm->wpa_auth;
   1973 	const u8 *mdid = wpa_auth->conf.mobility_domain;
   1974 	const u8 *r0kh = sm->r0kh_id;
   1975 	size_t r0kh_len = sm->r0kh_id_len;
   1976 	const u8 *r1kh = wpa_auth->conf.r1_key_holder;
   1977 	const u8 *ssid = wpa_auth->conf.ssid;
   1978 	size_t ssid_len = wpa_auth->conf.ssid_len;
   1979 	int pairwise;
   1980 
   1981 	pairwise = sm->pairwise;
   1982 
   1983 	for (;;) {
   1984 		pmk = wpa_ft_get_psk(wpa_auth, sm->addr, sm->p2p_dev_addr,
   1985 				     pmk);
   1986 		if (pmk == NULL)
   1987 			break;
   1988 
   1989 		if (wpa_derive_pmk_r0(pmk, PMK_LEN, ssid, ssid_len, mdid, r0kh,
   1990 				      r0kh_len, sm->addr,
   1991 				      pmk_r0, pmk_r0_name) < 0 ||
   1992 		    wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr,
   1993 				      pmk_r1, pmk_r1_name) < 0 ||
   1994 		    os_memcmp_const(pmk_r1_name, req_pmk_r1_name,
   1995 				    WPA_PMK_NAME_LEN) != 0)
   1996 			continue;
   1997 
   1998 		/* We found a PSK that matches the requested pmk_r1_name */
   1999 		wpa_printf(MSG_DEBUG,
   2000 			   "FT: Found PSK to generate PMK-R1 locally");
   2001 		os_memcpy(out_pmk_r1, pmk_r1, PMK_LEN);
   2002 		if (out_pairwise)
   2003 			*out_pairwise = pairwise;
   2004 		return 0;
   2005 	}
   2006 
   2007 	wpa_printf(MSG_DEBUG,
   2008 		   "FT: Did not find PSK to generate PMK-R1 locally");
   2009 	return -1;
   2010 }
   2011 
   2012 
   2013 /* Detect the configuration the station asked for.
   2014  * Required to detect FT-PSK and pairwise cipher.
   2015  */
   2016 static int wpa_ft_set_key_mgmt(struct wpa_state_machine *sm,
   2017 			       struct wpa_ft_ies *parse)
   2018 {
   2019 	int key_mgmt, ciphers;
   2020 
   2021 	if (sm->wpa_key_mgmt)
   2022 		return 0;
   2023 
   2024 	key_mgmt = parse->key_mgmt & sm->wpa_auth->conf.wpa_key_mgmt;
   2025 	if (!key_mgmt) {
   2026 		wpa_printf(MSG_DEBUG, "FT: Invalid key mgmt (0x%x) from "
   2027 			   MACSTR, parse->key_mgmt, MAC2STR(sm->addr));
   2028 		return -1;
   2029 	}
   2030 	if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X)
   2031 		sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
   2032 	else if (key_mgmt & WPA_KEY_MGMT_FT_PSK)
   2033 		sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_PSK;
   2034 #ifdef CONFIG_FILS
   2035 	else if (key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256)
   2036 		sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_FILS_SHA256;
   2037 	else if (key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384)
   2038 		sm->wpa_key_mgmt = WPA_KEY_MGMT_FT_FILS_SHA384;
   2039 #endif /* CONFIG_FILS */
   2040 	ciphers = parse->pairwise_cipher & sm->wpa_auth->conf.rsn_pairwise;
   2041 	if (!ciphers) {
   2042 		wpa_printf(MSG_DEBUG, "FT: Invalid pairwise cipher (0x%x) from "
   2043 			   MACSTR,
   2044 			   parse->pairwise_cipher, MAC2STR(sm->addr));
   2045 		return -1;
   2046 	}
   2047 	sm->pairwise = wpa_pick_pairwise_cipher(ciphers, 0);
   2048 
   2049 	return 0;
   2050 }
   2051 
   2052 
   2053 static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
   2054 				   const u8 *ies, size_t ies_len,
   2055 				   u8 **resp_ies, size_t *resp_ies_len)
   2056 {
   2057 	struct rsn_mdie *mdie;
   2058 	struct rsn_ftie *ftie;
   2059 	u8 pmk_r1[PMK_LEN], pmk_r1_name[WPA_PMK_NAME_LEN];
   2060 	u8 ptk_name[WPA_PMK_NAME_LEN];
   2061 	struct wpa_auth_config *conf;
   2062 	struct wpa_ft_ies parse;
   2063 	size_t buflen;
   2064 	int ret;
   2065 	u8 *pos, *end;
   2066 	int pairwise;
   2067 
   2068 	*resp_ies = NULL;
   2069 	*resp_ies_len = 0;
   2070 
   2071 	sm->pmk_r1_name_valid = 0;
   2072 	conf = &sm->wpa_auth->conf;
   2073 
   2074 	wpa_hexdump(MSG_DEBUG, "FT: Received authentication frame IEs",
   2075 		    ies, ies_len);
   2076 
   2077 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
   2078 		wpa_printf(MSG_DEBUG, "FT: Failed to parse FT IEs");
   2079 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2080 	}
   2081 
   2082 	mdie = (struct rsn_mdie *) parse.mdie;
   2083 	if (mdie == NULL || parse.mdie_len < sizeof(*mdie) ||
   2084 	    os_memcmp(mdie->mobility_domain,
   2085 		      sm->wpa_auth->conf.mobility_domain,
   2086 		      MOBILITY_DOMAIN_ID_LEN) != 0) {
   2087 		wpa_printf(MSG_DEBUG, "FT: Invalid MDIE");
   2088 		return WLAN_STATUS_INVALID_MDIE;
   2089 	}
   2090 
   2091 	ftie = (struct rsn_ftie *) parse.ftie;
   2092 	if (ftie == NULL || parse.ftie_len < sizeof(*ftie)) {
   2093 		wpa_printf(MSG_DEBUG, "FT: Invalid FTIE");
   2094 		return WLAN_STATUS_INVALID_FTIE;
   2095 	}
   2096 
   2097 	os_memcpy(sm->SNonce, ftie->snonce, WPA_NONCE_LEN);
   2098 
   2099 	if (parse.r0kh_id == NULL) {
   2100 		wpa_printf(MSG_DEBUG, "FT: Invalid FTIE - no R0KH-ID");
   2101 		return WLAN_STATUS_INVALID_FTIE;
   2102 	}
   2103 
   2104 	wpa_hexdump(MSG_DEBUG, "FT: STA R0KH-ID",
   2105 		    parse.r0kh_id, parse.r0kh_id_len);
   2106 	os_memcpy(sm->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
   2107 	sm->r0kh_id_len = parse.r0kh_id_len;
   2108 
   2109 	if (parse.rsn_pmkid == NULL) {
   2110 		wpa_printf(MSG_DEBUG, "FT: No PMKID in RSNIE");
   2111 		return WLAN_STATUS_INVALID_PMKID;
   2112 	}
   2113 
   2114 	if (wpa_ft_set_key_mgmt(sm, &parse) < 0)
   2115 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2116 
   2117 	wpa_hexdump(MSG_DEBUG, "FT: Requested PMKR0Name",
   2118 		    parse.rsn_pmkid, WPA_PMK_NAME_LEN);
   2119 	if (wpa_derive_pmk_r1_name(parse.rsn_pmkid,
   2120 				   sm->wpa_auth->conf.r1_key_holder, sm->addr,
   2121 				   pmk_r1_name) < 0)
   2122 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2123 	wpa_hexdump(MSG_DEBUG, "FT: Derived requested PMKR1Name",
   2124 		    pmk_r1_name, WPA_PMK_NAME_LEN);
   2125 
   2126 	if (conf->ft_psk_generate_local &&
   2127 	    wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
   2128 		if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise) < 0)
   2129 			return WLAN_STATUS_INVALID_PMKID;
   2130 	} else if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name,
   2131 				       pmk_r1, &pairwise) < 0) {
   2132 		if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) {
   2133 			wpa_printf(MSG_DEBUG,
   2134 				   "FT: Did not have matching PMK-R1 and either unknown or blocked R0KH-ID or NAK from R0KH");
   2135 			return WLAN_STATUS_INVALID_PMKID;
   2136 		}
   2137 
   2138 		return -1; /* Status pending */
   2139 	}
   2140 
   2141 	wpa_hexdump_key(MSG_DEBUG, "FT: Selected PMK-R1", pmk_r1, PMK_LEN);
   2142 	sm->pmk_r1_name_valid = 1;
   2143 	os_memcpy(sm->pmk_r1_name, pmk_r1_name, WPA_PMK_NAME_LEN);
   2144 
   2145 	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
   2146 		wpa_printf(MSG_DEBUG, "FT: Failed to get random data for "
   2147 			   "ANonce");
   2148 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2149 	}
   2150 
   2151 	wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
   2152 		    sm->SNonce, WPA_NONCE_LEN);
   2153 	wpa_hexdump(MSG_DEBUG, "FT: Generated ANonce",
   2154 		    sm->ANonce, WPA_NONCE_LEN);
   2155 
   2156 	if (wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr,
   2157 			      sm->wpa_auth->addr, pmk_r1_name,
   2158 			      &sm->PTK, ptk_name, sm->wpa_key_mgmt,
   2159 			      pairwise) < 0)
   2160 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2161 
   2162 	sm->pairwise = pairwise;
   2163 	sm->PTK_valid = TRUE;
   2164 	sm->tk_already_set = FALSE;
   2165 	wpa_ft_install_ptk(sm);
   2166 
   2167 	buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
   2168 		2 + FT_R1KH_ID_LEN + 200;
   2169 	*resp_ies = os_zalloc(buflen);
   2170 	if (*resp_ies == NULL)
   2171 		goto fail;
   2172 
   2173 	pos = *resp_ies;
   2174 	end = *resp_ies + buflen;
   2175 
   2176 	ret = wpa_write_rsn_ie(conf, pos, end - pos, parse.rsn_pmkid);
   2177 	if (ret < 0)
   2178 		goto fail;
   2179 	pos += ret;
   2180 
   2181 	ret = wpa_write_mdie(conf, pos, end - pos);
   2182 	if (ret < 0)
   2183 		goto fail;
   2184 	pos += ret;
   2185 
   2186 	ret = wpa_write_ftie(conf, parse.r0kh_id, parse.r0kh_id_len,
   2187 			     sm->ANonce, sm->SNonce, pos, end - pos, NULL, 0);
   2188 	if (ret < 0)
   2189 		goto fail;
   2190 	pos += ret;
   2191 
   2192 	*resp_ies_len = pos - *resp_ies;
   2193 
   2194 	return WLAN_STATUS_SUCCESS;
   2195 fail:
   2196 	os_free(*resp_ies);
   2197 	*resp_ies = NULL;
   2198 	return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2199 }
   2200 
   2201 
   2202 void wpa_ft_process_auth(struct wpa_state_machine *sm, const u8 *bssid,
   2203 			 u16 auth_transaction, const u8 *ies, size_t ies_len,
   2204 			 void (*cb)(void *ctx, const u8 *dst, const u8 *bssid,
   2205 				    u16 auth_transaction, u16 status,
   2206 				    const u8 *ies, size_t ies_len),
   2207 			 void *ctx)
   2208 {
   2209 	u16 status;
   2210 	u8 *resp_ies;
   2211 	size_t resp_ies_len;
   2212 	int res;
   2213 
   2214 	if (sm == NULL) {
   2215 		wpa_printf(MSG_DEBUG, "FT: Received authentication frame, but "
   2216 			   "WPA SM not available");
   2217 		return;
   2218 	}
   2219 
   2220 	wpa_printf(MSG_DEBUG, "FT: Received authentication frame: STA=" MACSTR
   2221 		   " BSSID=" MACSTR " transaction=%d",
   2222 		   MAC2STR(sm->addr), MAC2STR(bssid), auth_transaction);
   2223 	sm->ft_pending_cb = cb;
   2224 	sm->ft_pending_cb_ctx = ctx;
   2225 	sm->ft_pending_auth_transaction = auth_transaction;
   2226 	sm->ft_pending_pull_left_retries = sm->wpa_auth->conf.rkh_pull_retries;
   2227 	res = wpa_ft_process_auth_req(sm, ies, ies_len, &resp_ies,
   2228 				      &resp_ies_len);
   2229 	if (res < 0) {
   2230 		wpa_printf(MSG_DEBUG, "FT: Callback postponed until response is available");
   2231 		return;
   2232 	}
   2233 	status = res;
   2234 
   2235 	wpa_printf(MSG_DEBUG, "FT: FT authentication response: dst=" MACSTR
   2236 		   " auth_transaction=%d status=%d",
   2237 		   MAC2STR(sm->addr), auth_transaction + 1, status);
   2238 	wpa_hexdump(MSG_DEBUG, "FT: Response IEs", resp_ies, resp_ies_len);
   2239 	cb(ctx, sm->addr, bssid, auth_transaction + 1, status,
   2240 	   resp_ies, resp_ies_len);
   2241 	os_free(resp_ies);
   2242 }
   2243 
   2244 
   2245 u16 wpa_ft_validate_reassoc(struct wpa_state_machine *sm, const u8 *ies,
   2246 			    size_t ies_len)
   2247 {
   2248 	struct wpa_ft_ies parse;
   2249 	struct rsn_mdie *mdie;
   2250 	struct rsn_ftie *ftie;
   2251 	u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
   2252 	size_t mic_len = 16;
   2253 	unsigned int count;
   2254 
   2255 	if (sm == NULL)
   2256 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2257 
   2258 	wpa_hexdump(MSG_DEBUG, "FT: Reassoc Req IEs", ies, ies_len);
   2259 
   2260 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
   2261 		wpa_printf(MSG_DEBUG, "FT: Failed to parse FT IEs");
   2262 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2263 	}
   2264 
   2265 	if (parse.rsn == NULL) {
   2266 		wpa_printf(MSG_DEBUG, "FT: No RSNIE in Reassoc Req");
   2267 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2268 	}
   2269 
   2270 	if (parse.rsn_pmkid == NULL) {
   2271 		wpa_printf(MSG_DEBUG, "FT: No PMKID in RSNIE");
   2272 		return WLAN_STATUS_INVALID_PMKID;
   2273 	}
   2274 
   2275 	if (os_memcmp_const(parse.rsn_pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN)
   2276 	    != 0) {
   2277 		wpa_printf(MSG_DEBUG, "FT: PMKID in Reassoc Req did not match "
   2278 			   "with the PMKR1Name derived from auth request");
   2279 		return WLAN_STATUS_INVALID_PMKID;
   2280 	}
   2281 
   2282 	mdie = (struct rsn_mdie *) parse.mdie;
   2283 	if (mdie == NULL || parse.mdie_len < sizeof(*mdie) ||
   2284 	    os_memcmp(mdie->mobility_domain,
   2285 		      sm->wpa_auth->conf.mobility_domain,
   2286 		      MOBILITY_DOMAIN_ID_LEN) != 0) {
   2287 		wpa_printf(MSG_DEBUG, "FT: Invalid MDIE");
   2288 		return WLAN_STATUS_INVALID_MDIE;
   2289 	}
   2290 
   2291 	ftie = (struct rsn_ftie *) parse.ftie;
   2292 	if (ftie == NULL || parse.ftie_len < sizeof(*ftie)) {
   2293 		wpa_printf(MSG_DEBUG, "FT: Invalid FTIE");
   2294 		return WLAN_STATUS_INVALID_FTIE;
   2295 	}
   2296 
   2297 	if (os_memcmp(ftie->snonce, sm->SNonce, WPA_NONCE_LEN) != 0) {
   2298 		wpa_printf(MSG_DEBUG, "FT: SNonce mismatch in FTIE");
   2299 		wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
   2300 			    ftie->snonce, WPA_NONCE_LEN);
   2301 		wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce",
   2302 			    sm->SNonce, WPA_NONCE_LEN);
   2303 		return WLAN_STATUS_INVALID_FTIE;
   2304 	}
   2305 
   2306 	if (os_memcmp(ftie->anonce, sm->ANonce, WPA_NONCE_LEN) != 0) {
   2307 		wpa_printf(MSG_DEBUG, "FT: ANonce mismatch in FTIE");
   2308 		wpa_hexdump(MSG_DEBUG, "FT: Received ANonce",
   2309 			    ftie->anonce, WPA_NONCE_LEN);
   2310 		wpa_hexdump(MSG_DEBUG, "FT: Expected ANonce",
   2311 			    sm->ANonce, WPA_NONCE_LEN);
   2312 		return WLAN_STATUS_INVALID_FTIE;
   2313 	}
   2314 
   2315 
   2316 	if (parse.r0kh_id == NULL) {
   2317 		wpa_printf(MSG_DEBUG, "FT: No R0KH-ID subelem in FTIE");
   2318 		return WLAN_STATUS_INVALID_FTIE;
   2319 	}
   2320 
   2321 	if (parse.r0kh_id_len != sm->r0kh_id_len ||
   2322 	    os_memcmp_const(parse.r0kh_id, sm->r0kh_id, parse.r0kh_id_len) != 0)
   2323 	{
   2324 		wpa_printf(MSG_DEBUG, "FT: R0KH-ID in FTIE did not match with "
   2325 			   "the current R0KH-ID");
   2326 		wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID in FTIE",
   2327 			    parse.r0kh_id, parse.r0kh_id_len);
   2328 		wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID",
   2329 			    sm->r0kh_id, sm->r0kh_id_len);
   2330 		return WLAN_STATUS_INVALID_FTIE;
   2331 	}
   2332 
   2333 	if (parse.r1kh_id == NULL) {
   2334 		wpa_printf(MSG_DEBUG, "FT: No R1KH-ID subelem in FTIE");
   2335 		return WLAN_STATUS_INVALID_FTIE;
   2336 	}
   2337 
   2338 	if (os_memcmp_const(parse.r1kh_id, sm->wpa_auth->conf.r1_key_holder,
   2339 			    FT_R1KH_ID_LEN) != 0) {
   2340 		wpa_printf(MSG_DEBUG, "FT: Unknown R1KH-ID used in "
   2341 			   "ReassocReq");
   2342 		wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID in FTIE",
   2343 			    parse.r1kh_id, FT_R1KH_ID_LEN);
   2344 		wpa_hexdump(MSG_DEBUG, "FT: Expected R1KH-ID",
   2345 			    sm->wpa_auth->conf.r1_key_holder, FT_R1KH_ID_LEN);
   2346 		return WLAN_STATUS_INVALID_FTIE;
   2347 	}
   2348 
   2349 	if (parse.rsn_pmkid == NULL ||
   2350 	    os_memcmp_const(parse.rsn_pmkid, sm->pmk_r1_name, WPA_PMK_NAME_LEN))
   2351 	{
   2352 		wpa_printf(MSG_DEBUG, "FT: No matching PMKR1Name (PMKID) in "
   2353 			   "RSNIE (pmkid=%d)", !!parse.rsn_pmkid);
   2354 		return WLAN_STATUS_INVALID_PMKID;
   2355 	}
   2356 
   2357 	count = 3;
   2358 	if (parse.ric)
   2359 		count += ieee802_11_ie_count(parse.ric, parse.ric_len);
   2360 	if (ftie->mic_control[1] != count) {
   2361 		wpa_printf(MSG_DEBUG, "FT: Unexpected IE count in MIC "
   2362 			   "Control: received %u expected %u",
   2363 			   ftie->mic_control[1], count);
   2364 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2365 	}
   2366 
   2367 	if (wpa_ft_mic(sm->PTK.kck, sm->PTK.kck_len, sm->addr,
   2368 		       sm->wpa_auth->addr, 5,
   2369 		       parse.mdie - 2, parse.mdie_len + 2,
   2370 		       parse.ftie - 2, parse.ftie_len + 2,
   2371 		       parse.rsn - 2, parse.rsn_len + 2,
   2372 		       parse.ric, parse.ric_len,
   2373 		       mic) < 0) {
   2374 		wpa_printf(MSG_DEBUG, "FT: Failed to calculate MIC");
   2375 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
   2376 	}
   2377 
   2378 	if (os_memcmp_const(mic, ftie->mic, mic_len) != 0) {
   2379 		wpa_printf(MSG_DEBUG, "FT: Invalid MIC in FTIE");
   2380 		wpa_printf(MSG_DEBUG, "FT: addr=" MACSTR " auth_addr=" MACSTR,
   2381 			   MAC2STR(sm->addr), MAC2STR(sm->wpa_auth->addr));
   2382 		wpa_hexdump(MSG_MSGDUMP, "FT: Received MIC",
   2383 			    ftie->mic, mic_len);
   2384 		wpa_hexdump(MSG_MSGDUMP, "FT: Calculated MIC", mic, mic_len);
   2385 		wpa_hexdump(MSG_MSGDUMP, "FT: MDIE",
   2386 			    parse.mdie - 2, parse.mdie_len + 2);
   2387 		wpa_hexdump(MSG_MSGDUMP, "FT: FTIE",
   2388 			    parse.ftie - 2, parse.ftie_len + 2);
   2389 		wpa_hexdump(MSG_MSGDUMP, "FT: RSN",
   2390 			    parse.rsn - 2, parse.rsn_len + 2);
   2391 		return WLAN_STATUS_INVALID_FTIE;
   2392 	}
   2393 
   2394 	return WLAN_STATUS_SUCCESS;
   2395 }
   2396 
   2397 
   2398 int wpa_ft_action_rx(struct wpa_state_machine *sm, const u8 *data, size_t len)
   2399 {
   2400 	const u8 *sta_addr, *target_ap;
   2401 	const u8 *ies;
   2402 	size_t ies_len;
   2403 	u8 action;
   2404 	struct ft_rrb_frame *frame;
   2405 
   2406 	if (sm == NULL)
   2407 		return -1;
   2408 
   2409 	/*
   2410 	 * data: Category[1] Action[1] STA_Address[6] Target_AP_Address[6]
   2411 	 * FT Request action frame body[variable]
   2412 	 */
   2413 
   2414 	if (len < 14) {
   2415 		wpa_printf(MSG_DEBUG, "FT: Too short FT Action frame "
   2416 			   "(len=%lu)", (unsigned long) len);
   2417 		return -1;
   2418 	}
   2419 
   2420 	action = data[1];
   2421 	sta_addr = data + 2;
   2422 	target_ap = data + 8;
   2423 	ies = data + 14;
   2424 	ies_len = len - 14;
   2425 
   2426 	wpa_printf(MSG_DEBUG, "FT: Received FT Action frame (STA=" MACSTR
   2427 		   " Target AP=" MACSTR " Action=%d)",
   2428 		   MAC2STR(sta_addr), MAC2STR(target_ap), action);
   2429 
   2430 	if (os_memcmp(sta_addr, sm->addr, ETH_ALEN) != 0) {
   2431 		wpa_printf(MSG_DEBUG, "FT: Mismatch in FT Action STA address: "
   2432 			   "STA=" MACSTR " STA-Address=" MACSTR,
   2433 			   MAC2STR(sm->addr), MAC2STR(sta_addr));
   2434 		return -1;
   2435 	}
   2436 
   2437 	/*
   2438 	 * Do some sanity checking on the target AP address (not own and not
   2439 	 * broadcast. This could be extended to filter based on a list of known
   2440 	 * APs in the MD (if such a list were configured).
   2441 	 */
   2442 	if ((target_ap[0] & 0x01) ||
   2443 	    os_memcmp(target_ap, sm->wpa_auth->addr, ETH_ALEN) == 0) {
   2444 		wpa_printf(MSG_DEBUG, "FT: Invalid Target AP in FT Action "
   2445 			   "frame");
   2446 		return -1;
   2447 	}
   2448 
   2449 	wpa_hexdump(MSG_MSGDUMP, "FT: Action frame body", ies, ies_len);
   2450 
   2451 	if (!sm->wpa_auth->conf.ft_over_ds) {
   2452 		wpa_printf(MSG_DEBUG, "FT: Over-DS option disabled - reject");
   2453 		return -1;
   2454 	}
   2455 
   2456 	/* RRB - Forward action frame to the target AP */
   2457 	frame = os_malloc(sizeof(*frame) + len);
   2458 	if (frame == NULL)
   2459 		return -1;
   2460 	frame->frame_type = RSN_REMOTE_FRAME_TYPE_FT_RRB;
   2461 	frame->packet_type = FT_PACKET_REQUEST;
   2462 	frame->action_length = host_to_le16(len);
   2463 	os_memcpy(frame->ap_address, sm->wpa_auth->addr, ETH_ALEN);
   2464 	os_memcpy(frame + 1, data, len);
   2465 
   2466 	wpa_ft_rrb_send(sm->wpa_auth, target_ap, (u8 *) frame,
   2467 			sizeof(*frame) + len);
   2468 	os_free(frame);
   2469 
   2470 	return 0;
   2471 }
   2472 
   2473 
   2474 static void wpa_ft_rrb_rx_request_cb(void *ctx, const u8 *dst, const u8 *bssid,
   2475 				     u16 auth_transaction, u16 resp,
   2476 				     const u8 *ies, size_t ies_len)
   2477 {
   2478 	struct wpa_state_machine *sm = ctx;
   2479 	wpa_printf(MSG_DEBUG, "FT: Over-the-DS RX request cb for " MACSTR,
   2480 		   MAC2STR(sm->addr));
   2481 	wpa_ft_send_rrb_auth_resp(sm, sm->ft_pending_current_ap, sm->addr,
   2482 				  WLAN_STATUS_SUCCESS, ies, ies_len);
   2483 }
   2484 
   2485 
   2486 static int wpa_ft_rrb_rx_request(struct wpa_authenticator *wpa_auth,
   2487 				 const u8 *current_ap, const u8 *sta_addr,
   2488 				 const u8 *body, size_t len)
   2489 {
   2490 	struct wpa_state_machine *sm;
   2491 	u16 status;
   2492 	u8 *resp_ies;
   2493 	size_t resp_ies_len;
   2494 	int res;
   2495 
   2496 	sm = wpa_ft_add_sta(wpa_auth, sta_addr);
   2497 	if (sm == NULL) {
   2498 		wpa_printf(MSG_DEBUG, "FT: Failed to add new STA based on "
   2499 			   "RRB Request");
   2500 		return -1;
   2501 	}
   2502 
   2503 	wpa_hexdump(MSG_MSGDUMP, "FT: RRB Request Frame body", body, len);
   2504 
   2505 	sm->ft_pending_cb = wpa_ft_rrb_rx_request_cb;
   2506 	sm->ft_pending_cb_ctx = sm;
   2507 	os_memcpy(sm->ft_pending_current_ap, current_ap, ETH_ALEN);
   2508 	sm->ft_pending_pull_left_retries = sm->wpa_auth->conf.rkh_pull_retries;
   2509 	res = wpa_ft_process_auth_req(sm, body, len, &resp_ies,
   2510 				      &resp_ies_len);
   2511 	if (res < 0) {
   2512 		wpa_printf(MSG_DEBUG, "FT: No immediate response available - wait for pull response");
   2513 		return 0;
   2514 	}
   2515 	status = res;
   2516 
   2517 	res = wpa_ft_send_rrb_auth_resp(sm, current_ap, sta_addr, status,
   2518 					resp_ies, resp_ies_len);
   2519 	os_free(resp_ies);
   2520 	return res;
   2521 }
   2522 
   2523 
   2524 static int wpa_ft_send_rrb_auth_resp(struct wpa_state_machine *sm,
   2525 				     const u8 *current_ap, const u8 *sta_addr,
   2526 				     u16 status, const u8 *resp_ies,
   2527 				     size_t resp_ies_len)
   2528 {
   2529 	struct wpa_authenticator *wpa_auth = sm->wpa_auth;
   2530 	size_t rlen;
   2531 	struct ft_rrb_frame *frame;
   2532 	u8 *pos;
   2533 
   2534 	wpa_printf(MSG_DEBUG, "FT: RRB authentication response: STA=" MACSTR
   2535 		   " CurrentAP=" MACSTR " status=%d",
   2536 		   MAC2STR(sm->addr), MAC2STR(current_ap), status);
   2537 	wpa_hexdump(MSG_DEBUG, "FT: Response IEs", resp_ies, resp_ies_len);
   2538 
   2539 	/* RRB - Forward action frame response to the Current AP */
   2540 
   2541 	/*
   2542 	 * data: Category[1] Action[1] STA_Address[6] Target_AP_Address[6]
   2543 	 * Status_Code[2] FT Request action frame body[variable]
   2544 	 */
   2545 	rlen = 2 + 2 * ETH_ALEN + 2 + resp_ies_len;
   2546 
   2547 	frame = os_malloc(sizeof(*frame) + rlen);
   2548 	if (frame == NULL)
   2549 		return -1;
   2550 	frame->frame_type = RSN_REMOTE_FRAME_TYPE_FT_RRB;
   2551 	frame->packet_type = FT_PACKET_RESPONSE;
   2552 	frame->action_length = host_to_le16(rlen);
   2553 	os_memcpy(frame->ap_address, wpa_auth->addr, ETH_ALEN);
   2554 	pos = (u8 *) (frame + 1);
   2555 	*pos++ = WLAN_ACTION_FT;
   2556 	*pos++ = 2; /* Action: Response */
   2557 	os_memcpy(pos, sta_addr, ETH_ALEN);
   2558 	pos += ETH_ALEN;
   2559 	os_memcpy(pos, wpa_auth->addr, ETH_ALEN);
   2560 	pos += ETH_ALEN;
   2561 	WPA_PUT_LE16(pos, status);
   2562 	pos += 2;
   2563 	if (resp_ies)
   2564 		os_memcpy(pos, resp_ies, resp_ies_len);
   2565 
   2566 	wpa_ft_rrb_send(wpa_auth, current_ap, (u8 *) frame,
   2567 			sizeof(*frame) + rlen);
   2568 	os_free(frame);
   2569 
   2570 	return 0;
   2571 }
   2572 
   2573 
   2574 static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len,
   2575 			       const struct tlv_list *tlvs,
   2576 			       const struct wpa_ft_pmk_r0_sa *pmk_r0,
   2577 			       const u8 *r1kh_id, const u8 *s1kh_id,
   2578 			       const struct tlv_list *tlv_auth,
   2579 			       const u8 *src_addr, u8 type,
   2580 			       u8 **packet, size_t *packet_len)
   2581 {
   2582 	u8 pmk_r1[PMK_LEN];
   2583 	u8 pmk_r1_name[WPA_PMK_NAME_LEN];
   2584 	u8 f_pairwise[sizeof(le16)];
   2585 	int ret;
   2586 	struct tlv_list sess_tlv[] = {
   2587 		{ .type = FT_RRB_PMK_R1, .len = sizeof(pmk_r1),
   2588 		  .data = pmk_r1 },
   2589 		{ .type = FT_RRB_PMK_R1_NAME, .len = sizeof(pmk_r1_name),
   2590 		  .data = pmk_r1_name },
   2591 		{ .type = FT_RRB_PAIRWISE, .len = sizeof(f_pairwise),
   2592 		  .data = f_pairwise },
   2593 		{ .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL },
   2594 	};
   2595 
   2596 	if (!pmk_r0)
   2597 		return wpa_ft_rrb_build(key, key_len, tlvs, NULL, tlv_auth,
   2598 					src_addr, type, packet, packet_len);
   2599 
   2600 	if (wpa_derive_pmk_r1(pmk_r0->pmk_r0, pmk_r0->pmk_r0_name, r1kh_id,
   2601 			      s1kh_id, pmk_r1, pmk_r1_name) < 0)
   2602 		return -1;
   2603 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, PMK_LEN);
   2604 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN);
   2605 	WPA_PUT_LE16(f_pairwise, pmk_r0->pairwise);
   2606 
   2607 	ret = wpa_ft_rrb_build(key, key_len, tlvs, sess_tlv, tlv_auth,
   2608 			       src_addr, type, packet, packet_len);
   2609 
   2610 	os_memset(pmk_r1, 0, sizeof(pmk_r1));
   2611 
   2612 	return ret;
   2613 }
   2614 
   2615 
   2616 static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
   2617 			      const u8 *src_addr,
   2618 			      const u8 *enc, size_t enc_len,
   2619 			      const u8 *auth, size_t auth_len,
   2620 			      int no_defer)
   2621 {
   2622 	const char *msgtype = "pull request";
   2623 	u8 *plain = NULL, *packet = NULL;
   2624 	size_t plain_len = 0, packet_len = 0;
   2625 	struct ft_remote_r1kh *r1kh, *r1kh_wildcard;
   2626 	const u8 *key;
   2627 	size_t key_len;
   2628 	int seq_ret;
   2629 	const u8 *f_nonce, *f_r0kh_id, *f_r1kh_id, *f_s1kh_id, *f_pmk_r0_name;
   2630 	size_t f_nonce_len, f_r0kh_id_len, f_r1kh_id_len, f_s1kh_id_len;
   2631 	size_t f_pmk_r0_name_len;
   2632 	const struct wpa_ft_pmk_r0_sa *r0;
   2633 	int ret;
   2634 	struct tlv_list resp[2];
   2635 	struct tlv_list resp_auth[5];
   2636 	struct ft_rrb_seq f_seq;
   2637 
   2638 	wpa_printf(MSG_DEBUG, "FT: Received PMK-R1 pull");
   2639 
   2640 	RRB_GET_AUTH(FT_RRB_R0KH_ID, r0kh_id, msgtype, -1);
   2641 	wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID", f_r0kh_id, f_r0kh_id_len);
   2642 
   2643 	if (wpa_ft_rrb_check_r0kh(wpa_auth, f_r0kh_id, f_r0kh_id_len)) {
   2644 		wpa_printf(MSG_DEBUG, "FT: R0KH-ID mismatch");
   2645 		goto out;
   2646 	}
   2647 
   2648 	RRB_GET_AUTH(FT_RRB_R1KH_ID, r1kh_id, msgtype, FT_R1KH_ID_LEN);
   2649 	wpa_printf(MSG_DEBUG, "FT: R1KH-ID=" MACSTR, MAC2STR(f_r1kh_id));
   2650 
   2651 	wpa_ft_rrb_lookup_r1kh(wpa_auth, f_r1kh_id, &r1kh, &r1kh_wildcard);
   2652 	if (r1kh) {
   2653 		key = r1kh->key;
   2654 		key_len = sizeof(r1kh->key);
   2655 	} else if (r1kh_wildcard) {
   2656 		wpa_printf(MSG_DEBUG, "FT: Using wildcard R1KH-ID");
   2657 		key = r1kh_wildcard->key;
   2658 		key_len = sizeof(r1kh_wildcard->key);
   2659 	} else {
   2660 		goto out;
   2661 	}
   2662 
   2663 	RRB_GET_AUTH(FT_RRB_NONCE, nonce, "pull request", FT_RRB_NONCE_LEN);
   2664 	wpa_hexdump(MSG_DEBUG, "FT: nonce", f_nonce, f_nonce_len);
   2665 
   2666 	seq_ret = FT_RRB_SEQ_DROP;
   2667 	if (r1kh)
   2668 		seq_ret = wpa_ft_rrb_seq_chk(r1kh->seq, src_addr, enc, enc_len,
   2669 					     auth, auth_len, msgtype, no_defer);
   2670 	if (!no_defer && r1kh_wildcard &&
   2671 	    (!r1kh || os_memcmp(r1kh->addr, src_addr, ETH_ALEN) != 0)) {
   2672 		/* wildcard: r1kh-id unknown or changed addr -> do a seq req */
   2673 		seq_ret = FT_RRB_SEQ_DEFER;
   2674 	}
   2675 
   2676 	if (seq_ret == FT_RRB_SEQ_DROP)
   2677 		goto out;
   2678 
   2679 	if (wpa_ft_rrb_decrypt(key, key_len, enc, enc_len, auth, auth_len,
   2680 			       src_addr, FT_PACKET_R0KH_R1KH_PULL,
   2681 			       &plain, &plain_len) < 0)
   2682 		goto out;
   2683 
   2684 	if (!r1kh)
   2685 		r1kh = wpa_ft_rrb_add_r1kh(wpa_auth, r1kh_wildcard, src_addr,
   2686 					   f_r1kh_id,
   2687 					   wpa_auth->conf.rkh_pos_timeout);
   2688 	if (!r1kh)
   2689 		goto out;
   2690 
   2691 	if (seq_ret == FT_RRB_SEQ_DEFER) {
   2692 		wpa_ft_rrb_seq_req(wpa_auth, r1kh->seq, src_addr, f_r0kh_id,
   2693 				   f_r0kh_id_len, f_r1kh_id, key, key_len,
   2694 				   enc, enc_len, auth, auth_len,
   2695 				   &wpa_ft_rrb_rx_pull);
   2696 		goto out;
   2697 	}
   2698 
   2699 	wpa_ft_rrb_seq_accept(wpa_auth, r1kh->seq, src_addr, auth, auth_len,
   2700 			      msgtype);
   2701 	wpa_ft_rrb_r1kh_replenish(wpa_auth, r1kh,
   2702 				  wpa_auth->conf.rkh_pos_timeout);
   2703 
   2704 	RRB_GET(FT_RRB_PMK_R0_NAME, pmk_r0_name, msgtype, WPA_PMK_NAME_LEN);
   2705 	wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", f_pmk_r0_name,
   2706 		    f_pmk_r0_name_len);
   2707 
   2708 	RRB_GET(FT_RRB_S1KH_ID, s1kh_id, msgtype, ETH_ALEN);
   2709 	wpa_printf(MSG_DEBUG, "FT: S1KH-ID=" MACSTR, MAC2STR(f_s1kh_id));
   2710 
   2711 	if (wpa_ft_new_seq(r1kh->seq, &f_seq) < 0) {
   2712 		wpa_printf(MSG_DEBUG, "FT: Failed to get seq num");
   2713 		goto out;
   2714 	}
   2715 
   2716 	resp[0].type = FT_RRB_S1KH_ID;
   2717 	resp[0].len = f_s1kh_id_len;
   2718 	resp[0].data = f_s1kh_id;
   2719 	resp[1].type = FT_RRB_LAST_EMPTY;
   2720 	resp[1].len = 0;
   2721 	resp[1].data = NULL;
   2722 
   2723 	resp_auth[0].type = FT_RRB_NONCE;
   2724 	resp_auth[0].len = f_nonce_len;
   2725 	resp_auth[0].data = f_nonce;
   2726 	resp_auth[1].type = FT_RRB_SEQ;
   2727 	resp_auth[1].len = sizeof(f_seq);
   2728 	resp_auth[1].data = (u8 *) &f_seq;
   2729 	resp_auth[2].type = FT_RRB_R0KH_ID;
   2730 	resp_auth[2].len = f_r0kh_id_len;
   2731 	resp_auth[2].data = f_r0kh_id;
   2732 	resp_auth[3].type = FT_RRB_R1KH_ID;
   2733 	resp_auth[3].len = f_r1kh_id_len;
   2734 	resp_auth[3].data = f_r1kh_id;
   2735 	resp_auth[4].type = FT_RRB_LAST_EMPTY;
   2736 	resp_auth[4].len = 0;
   2737 	resp_auth[4].data = NULL;
   2738 
   2739 	if (wpa_ft_fetch_pmk_r0(wpa_auth, f_s1kh_id, f_pmk_r0_name, &r0) < 0)
   2740 		wpa_printf(MSG_DEBUG, "FT: No matching PMK-R0-Name found");
   2741 
   2742 	ret = wpa_ft_rrb_build_r0(key, key_len, resp, r0, f_r1kh_id, f_s1kh_id,
   2743 				  resp_auth, wpa_auth->addr,
   2744 				  FT_PACKET_R0KH_R1KH_RESP,
   2745 				  &packet, &packet_len);
   2746 
   2747 	if (!ret)
   2748 		wpa_ft_rrb_oui_send(wpa_auth, src_addr,
   2749 				    FT_PACKET_R0KH_R1KH_RESP, packet,
   2750 				    packet_len);
   2751 
   2752 out:
   2753 	os_free(plain);
   2754 	os_free(packet);
   2755 
   2756 	return 0;
   2757 }
   2758 
   2759 
   2760 /* @returns  0 on success
   2761  *          -1 on error
   2762  *          -2 if FR_RRB_PAIRWISE is missing
   2763  */
   2764 static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth,
   2765 			    const u8 *src_addr, u8 type,
   2766 			    const u8 *enc, size_t enc_len,
   2767 			    const u8 *auth, size_t auth_len,
   2768 			    const char *msgtype, u8 *s1kh_id_out,
   2769 			    int (*cb)(struct wpa_authenticator *wpa_auth,
   2770 				      const u8 *src_addr,
   2771 				      const u8 *enc, size_t enc_len,
   2772 				      const u8 *auth, size_t auth_len,
   2773 				      int no_defer))
   2774 {
   2775 	u8 *plain = NULL;
   2776 	size_t plain_len = 0;
   2777 	struct ft_remote_r0kh *r0kh, *r0kh_wildcard;
   2778 	const u8 *key;
   2779 	size_t key_len;
   2780 	int seq_ret;
   2781 	const u8 *f_r1kh_id, *f_s1kh_id, *f_r0kh_id;
   2782 	const u8 *f_pmk_r1_name, *f_pairwise, *f_pmk_r1;
   2783 	size_t f_r1kh_id_len, f_s1kh_id_len, f_r0kh_id_len;
   2784 	size_t f_pmk_r1_name_len, f_pairwise_len, f_pmk_r1_len;
   2785 	int pairwise;
   2786 	int ret = -1;
   2787 
   2788 	RRB_GET_AUTH(FT_RRB_R0KH_ID, r0kh_id, msgtype, -1);
   2789 	wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID", f_r0kh_id, f_r0kh_id_len);
   2790 
   2791 	RRB_GET_AUTH(FT_RRB_R1KH_ID, r1kh_id, msgtype, FT_R1KH_ID_LEN);
   2792 	wpa_printf(MSG_DEBUG, "FT: R1KH-ID=" MACSTR, MAC2STR(f_r1kh_id));
   2793 
   2794 	if (wpa_ft_rrb_check_r1kh(wpa_auth, f_r1kh_id)) {
   2795 		wpa_printf(MSG_DEBUG, "FT: R1KH-ID mismatch");
   2796 		goto out;
   2797 	}
   2798 
   2799 	wpa_ft_rrb_lookup_r0kh(wpa_auth, f_r0kh_id, f_r0kh_id_len, &r0kh,
   2800 			       &r0kh_wildcard);
   2801 	if (r0kh) {
   2802 		key = r0kh->key;
   2803 		key_len = sizeof(r0kh->key);
   2804 	} else if (r0kh_wildcard) {
   2805 		wpa_printf(MSG_DEBUG, "FT: Using wildcard R0KH-ID");
   2806 		key = r0kh_wildcard->key;
   2807 		key_len = sizeof(r0kh_wildcard->key);
   2808 	} else {
   2809 		goto out;
   2810 	}
   2811 
   2812 	seq_ret = FT_RRB_SEQ_DROP;
   2813 	if (r0kh) {
   2814 		seq_ret = wpa_ft_rrb_seq_chk(r0kh->seq, src_addr, enc, enc_len,
   2815 					     auth, auth_len, msgtype,
   2816 					     cb ? 0 : 1);
   2817 	}
   2818 	if (cb && r0kh_wildcard &&
   2819 	    (!r0kh || os_memcmp(r0kh->addr, src_addr, ETH_ALEN) != 0)) {
   2820 		/* wildcard: r0kh-id unknown or changed addr -> do a seq req */
   2821 		seq_ret = FT_RRB_SEQ_DEFER;
   2822 	}
   2823 
   2824 	if (seq_ret == FT_RRB_SEQ_DROP)
   2825 		goto out;
   2826 
   2827 	if (wpa_ft_rrb_decrypt(key, key_len, enc, enc_len, auth, auth_len,
   2828 			       src_addr, type, &plain, &plain_len) < 0)
   2829 		goto out;
   2830 
   2831 	if (!r0kh)
   2832 		r0kh = wpa_ft_rrb_add_r0kh(wpa_auth, r0kh_wildcard, src_addr,
   2833 					   f_r0kh_id, f_r0kh_id_len,
   2834 					   wpa_auth->conf.rkh_pos_timeout);
   2835 	if (!r0kh)
   2836 		goto out;
   2837 
   2838 	if (seq_ret == FT_RRB_SEQ_DEFER) {
   2839 		wpa_ft_rrb_seq_req(wpa_auth, r0kh->seq, src_addr, f_r0kh_id,
   2840 				   f_r0kh_id_len, f_r1kh_id, key, key_len,
   2841 				   enc, enc_len, auth, auth_len, cb);
   2842 		goto out;
   2843 	}
   2844 
   2845 	wpa_ft_rrb_seq_accept(wpa_auth, r0kh->seq, src_addr, auth, auth_len,
   2846 			      msgtype);
   2847 	wpa_ft_rrb_r0kh_replenish(wpa_auth, r0kh,
   2848 				  wpa_auth->conf.rkh_pos_timeout);
   2849 
   2850 	RRB_GET(FT_RRB_S1KH_ID, s1kh_id, msgtype, ETH_ALEN);
   2851 	wpa_printf(MSG_DEBUG, "FT: S1KH-ID=" MACSTR, MAC2STR(f_s1kh_id));
   2852 
   2853 	if (s1kh_id_out)
   2854 		os_memcpy(s1kh_id_out, f_s1kh_id, ETH_ALEN);
   2855 
   2856 	ret = -2;
   2857 	RRB_GET(FT_RRB_PAIRWISE, pairwise, msgtype, sizeof(le16));
   2858 	wpa_hexdump(MSG_DEBUG, "FT: pairwise", f_pairwise, f_pairwise_len);
   2859 
   2860 	ret = -1;
   2861 	RRB_GET(FT_RRB_PMK_R1_NAME, pmk_r1_name, msgtype, WPA_PMK_NAME_LEN);
   2862 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name",
   2863 		    f_pmk_r1_name, WPA_PMK_NAME_LEN);
   2864 
   2865 	RRB_GET(FT_RRB_PMK_R1, pmk_r1, msgtype, PMK_LEN);
   2866 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", f_pmk_r1, PMK_LEN);
   2867 
   2868 	pairwise = WPA_GET_LE16(f_pairwise);
   2869 
   2870 	if (wpa_ft_store_pmk_r1(wpa_auth, f_s1kh_id, f_pmk_r1, f_pmk_r1_name,
   2871 				pairwise) < 0)
   2872 		goto out;
   2873 
   2874 	ret = 0;
   2875 out:
   2876 	if (plain) {
   2877 		os_memset(plain, 0, plain_len);
   2878 		os_free(plain);
   2879 	}
   2880 
   2881 	return ret;
   2882 
   2883 }
   2884 
   2885 
   2886 static void ft_finish_pull(struct wpa_state_machine *sm)
   2887 {
   2888 	int res;
   2889 	u8 *resp_ies;
   2890 	size_t resp_ies_len;
   2891 	u16 status;
   2892 
   2893 	if (!sm->ft_pending_cb || !sm->ft_pending_req_ies)
   2894 		return;
   2895 
   2896 	res = wpa_ft_process_auth_req(sm, wpabuf_head(sm->ft_pending_req_ies),
   2897 				      wpabuf_len(sm->ft_pending_req_ies),
   2898 				      &resp_ies, &resp_ies_len);
   2899 	if (res < 0) {
   2900 		/* this loop is broken by ft_pending_pull_left_retries */
   2901 		wpa_printf(MSG_DEBUG,
   2902 			   "FT: Callback postponed until response is available");
   2903 		return;
   2904 	}
   2905 	wpabuf_free(sm->ft_pending_req_ies);
   2906 	sm->ft_pending_req_ies = NULL;
   2907 	status = res;
   2908 	wpa_printf(MSG_DEBUG, "FT: Postponed auth callback result for " MACSTR
   2909 		   " - status %u", MAC2STR(sm->addr), status);
   2910 
   2911 	sm->ft_pending_cb(sm->ft_pending_cb_ctx, sm->addr, sm->wpa_auth->addr,
   2912 			  sm->ft_pending_auth_transaction + 1, status,
   2913 			  resp_ies, resp_ies_len);
   2914 	os_free(resp_ies);
   2915 }
   2916 
   2917 
   2918 struct ft_get_sta_ctx {
   2919 	const u8 *nonce;
   2920 	const u8 *s1kh_id;
   2921 	struct wpa_state_machine *sm;
   2922 };
   2923 
   2924 
   2925 static int ft_get_sta_cb(struct wpa_state_machine *sm, void *ctx)
   2926 {
   2927 	struct ft_get_sta_ctx *info = ctx;
   2928 
   2929 	if ((info->s1kh_id &&
   2930 	     os_memcmp(info->s1kh_id, sm->addr, ETH_ALEN) != 0) ||
   2931 	    os_memcmp(info->nonce, sm->ft_pending_pull_nonce,
   2932 		      FT_RRB_NONCE_LEN) != 0 ||
   2933 	    sm->ft_pending_cb == NULL || sm->ft_pending_req_ies == NULL)
   2934 		return 0;
   2935 
   2936 	info->sm = sm;
   2937 
   2938 	return 1;
   2939 }
   2940 
   2941 
   2942 static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth,
   2943 			      const u8 *src_addr,
   2944 			      const u8 *enc, size_t enc_len,
   2945 			      const u8 *auth, size_t auth_len,
   2946 			      int no_defer)
   2947 {
   2948 	const char *msgtype = "pull response";
   2949 	int nak, ret = -1;
   2950 	struct ft_get_sta_ctx ctx;
   2951 	u8 s1kh_id[ETH_ALEN];
   2952 	const u8 *f_nonce;
   2953 	size_t f_nonce_len;
   2954 
   2955 	wpa_printf(MSG_DEBUG, "FT: Received PMK-R1 pull response");
   2956 
   2957 	RRB_GET_AUTH(FT_RRB_NONCE, nonce, msgtype, FT_RRB_NONCE_LEN);
   2958 	wpa_hexdump(MSG_DEBUG, "FT: nonce", f_nonce, f_nonce_len);
   2959 
   2960 	os_memset(&ctx, 0, sizeof(ctx));
   2961 	ctx.nonce = f_nonce;
   2962 	if (!wpa_auth_for_each_sta(wpa_auth, ft_get_sta_cb, &ctx)) {
   2963 		/* nonce not found */
   2964 		wpa_printf(MSG_DEBUG, "FT: Invalid nonce");
   2965 		return -1;
   2966 	}
   2967 
   2968 	ret = wpa_ft_rrb_rx_r1(wpa_auth, src_addr, FT_PACKET_R0KH_R1KH_RESP,
   2969 			       enc, enc_len, auth, auth_len, msgtype, s1kh_id,
   2970 			       no_defer ? NULL : &wpa_ft_rrb_rx_resp);
   2971 	if (ret == -2) {
   2972 		ret = 0;
   2973 		nak = 1;
   2974 	} else {
   2975 		nak = 0;
   2976 	}
   2977 	if (ret < 0)
   2978 		return -1;
   2979 
   2980 	ctx.s1kh_id = s1kh_id;
   2981 	if (wpa_auth_for_each_sta(wpa_auth, ft_get_sta_cb, &ctx)) {
   2982 		wpa_printf(MSG_DEBUG,
   2983 			   "FT: Response to a pending pull request for " MACSTR,
   2984 			   MAC2STR(ctx.sm->addr));
   2985 		eloop_cancel_timeout(wpa_ft_expire_pull, ctx.sm, NULL);
   2986 		if (nak)
   2987 			ctx.sm->ft_pending_pull_left_retries = 0;
   2988 		ft_finish_pull(ctx.sm);
   2989 	}
   2990 
   2991 out:
   2992 	return ret;
   2993 }
   2994 
   2995 
   2996 static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth,
   2997 			      const u8 *src_addr,
   2998 			      const u8 *enc, size_t enc_len,
   2999 			      const u8 *auth, size_t auth_len, int no_defer)
   3000 {
   3001 	const char *msgtype = "push";
   3002 
   3003 	wpa_printf(MSG_DEBUG, "FT: Received PMK-R1 push");
   3004 
   3005 	if (wpa_ft_rrb_rx_r1(wpa_auth, src_addr, FT_PACKET_R0KH_R1KH_PUSH,
   3006 			     enc, enc_len, auth, auth_len, msgtype, NULL,
   3007 			     no_defer ? NULL : wpa_ft_rrb_rx_push) < 0)
   3008 		return -1;
   3009 
   3010 	return 0;
   3011 }
   3012 
   3013 
   3014 static int wpa_ft_rrb_rx_seq(struct wpa_authenticator *wpa_auth,
   3015 			     const u8 *src_addr, int type,
   3016 			     const u8 *enc, size_t enc_len,
   3017 			     const u8 *auth, size_t auth_len,
   3018 			     struct ft_remote_seq **rkh_seq,
   3019 			     u8 **key, size_t *key_len,
   3020 			     struct ft_remote_r0kh **r0kh_out,
   3021 			     struct ft_remote_r1kh **r1kh_out,
   3022 			     struct ft_remote_r0kh **r0kh_wildcard_out,
   3023 			     struct ft_remote_r1kh **r1kh_wildcard_out)
   3024 {
   3025 	struct ft_remote_r0kh *r0kh = NULL;
   3026 	struct ft_remote_r1kh *r1kh = NULL;
   3027 	const u8 *f_r0kh_id, *f_r1kh_id;
   3028 	size_t f_r0kh_id_len, f_r1kh_id_len;
   3029 	int to_r0kh, to_r1kh;
   3030 	u8 *plain = NULL;
   3031 	size_t plain_len = 0;
   3032 	struct ft_remote_r0kh *r0kh_wildcard;
   3033 	struct ft_remote_r1kh *r1kh_wildcard;
   3034 
   3035 	RRB_GET_AUTH(FT_RRB_R0KH_ID, r0kh_id, "seq", -1);
   3036 	RRB_GET_AUTH(FT_RRB_R1KH_ID, r1kh_id, "seq", FT_R1KH_ID_LEN);
   3037 
   3038 	to_r0kh = !wpa_ft_rrb_check_r0kh(wpa_auth, f_r0kh_id, f_r0kh_id_len);
   3039 	to_r1kh = !wpa_ft_rrb_check_r1kh(wpa_auth, f_r1kh_id);
   3040 
   3041 	if (to_r0kh && to_r1kh) {
   3042 		wpa_printf(MSG_DEBUG, "FT: seq - local R0KH-ID and R1KH-ID");
   3043 		goto out;
   3044 	}
   3045 
   3046 	if (!to_r0kh && !to_r1kh) {
   3047 		wpa_printf(MSG_DEBUG, "FT: seq - remote R0KH-ID and R1KH-ID");
   3048 		goto out;
   3049 	}
   3050 
   3051 	if (!to_r0kh) {
   3052 		wpa_ft_rrb_lookup_r0kh(wpa_auth, f_r0kh_id, f_r0kh_id_len,
   3053 				       &r0kh, &r0kh_wildcard);
   3054 		if (!r0kh_wildcard &&
   3055 		    (!r0kh || os_memcmp(r0kh->addr, src_addr, ETH_ALEN) != 0)) {
   3056 			wpa_hexdump(MSG_DEBUG, "FT: Did not find R0KH-ID",
   3057 				    f_r0kh_id, f_r0kh_id_len);
   3058 			goto out;
   3059 		}
   3060 		if (r0kh) {
   3061 			*key = r0kh->key;
   3062 			*key_len = sizeof(r0kh->key);
   3063 		} else {
   3064 			*key = r0kh_wildcard->key;
   3065 			*key_len = sizeof(r0kh_wildcard->key);
   3066 		}
   3067 	}
   3068 
   3069 	if (!to_r1kh) {
   3070 		wpa_ft_rrb_lookup_r1kh(wpa_auth, f_r1kh_id, &r1kh,
   3071 				       &r1kh_wildcard);
   3072 		if (!r1kh_wildcard &&
   3073 		    (!r1kh || os_memcmp(r1kh->addr, src_addr, ETH_ALEN) != 0)) {
   3074 			wpa_hexdump(MSG_DEBUG, "FT: Did not find R1KH-ID",
   3075 				    f_r1kh_id, FT_R1KH_ID_LEN);
   3076 			goto out;
   3077 		}
   3078 		if (r1kh) {
   3079 			*key = r1kh->key;
   3080 			*key_len = sizeof(r1kh->key);
   3081 		} else {
   3082 			*key = r1kh_wildcard->key;
   3083 			*key_len = sizeof(r1kh_wildcard->key);
   3084 		}
   3085 	}
   3086 
   3087 	if (wpa_ft_rrb_decrypt(*key, *key_len, enc, enc_len, auth, auth_len,
   3088 			       src_addr, type, &plain, &plain_len) < 0)
   3089 		goto out;
   3090 
   3091 	os_free(plain);
   3092 
   3093 	if (!to_r0kh) {
   3094 		if (!r0kh)
   3095 			r0kh = wpa_ft_rrb_add_r0kh(wpa_auth, r0kh_wildcard,
   3096 						   src_addr, f_r0kh_id,
   3097 						   f_r0kh_id_len,
   3098 						   ftRRBseqTimeout);
   3099 		if (!r0kh)
   3100 			goto out;
   3101 
   3102 		wpa_ft_rrb_r0kh_replenish(wpa_auth, r0kh, ftRRBseqTimeout);
   3103 		*rkh_seq = r0kh->seq;
   3104 		if (r0kh_out)
   3105 			*r0kh_out = r0kh;
   3106 		if (r0kh_wildcard_out)
   3107 			*r0kh_wildcard_out = r0kh_wildcard;
   3108 	}
   3109 
   3110 	if (!to_r1kh) {
   3111 		if (!r1kh)
   3112 			r1kh = wpa_ft_rrb_add_r1kh(wpa_auth, r1kh_wildcard,
   3113 						   src_addr, f_r1kh_id,
   3114 						   ftRRBseqTimeout);
   3115 		if (!r1kh)
   3116 			goto out;
   3117 
   3118 		wpa_ft_rrb_r1kh_replenish(wpa_auth, r1kh, ftRRBseqTimeout);
   3119 		*rkh_seq = r1kh->seq;
   3120 		if (r1kh_out)
   3121 			*r1kh_out = r1kh;
   3122 		if (r1kh_wildcard_out)
   3123 			*r1kh_wildcard_out = r1kh_wildcard;
   3124 	}
   3125 
   3126 	return 0;
   3127 out:
   3128 	return -1;
   3129 }
   3130 
   3131 
   3132 static int wpa_ft_rrb_rx_seq_req(struct wpa_authenticator *wpa_auth,
   3133 				 const u8 *src_addr,
   3134 				 const u8 *enc, size_t enc_len,
   3135 				 const u8 *auth, size_t auth_len,
   3136 				 int no_defer)
   3137 {
   3138 	int ret = -1;
   3139 	struct ft_rrb_seq f_seq;
   3140 	const u8 *f_nonce, *f_r0kh_id, *f_r1kh_id;
   3141 	size_t f_nonce_len, f_r0kh_id_len, f_r1kh_id_len;
   3142 	struct ft_remote_seq *rkh_seq = NULL;
   3143 	u8 *packet = NULL, *key = NULL;
   3144 	size_t packet_len = 0, key_len = 0;
   3145 	struct tlv_list seq_resp_auth[5];
   3146 
   3147 	wpa_printf(MSG_DEBUG, "FT: Received sequence number request");
   3148 
   3149 	if (wpa_ft_rrb_rx_seq(wpa_auth, src_addr, FT_PACKET_R0KH_R1KH_SEQ_REQ,
   3150 			      enc, enc_len, auth, auth_len, &rkh_seq, &key,
   3151 			      &key_len, NULL, NULL, NULL, NULL) < 0)
   3152 		goto out;
   3153 
   3154 	RRB_GET_AUTH(FT_RRB_NONCE, nonce, "seq request", FT_RRB_NONCE_LEN);
   3155 	wpa_hexdump(MSG_DEBUG, "FT: seq request - nonce", f_nonce, f_nonce_len);
   3156 
   3157 	RRB_GET_AUTH(FT_RRB_R0KH_ID, r0kh_id, "seq", -1);
   3158 	RRB_GET_AUTH(FT_RRB_R1KH_ID, r1kh_id, "seq", FT_R1KH_ID_LEN);
   3159 
   3160 	if (wpa_ft_new_seq(rkh_seq, &f_seq) < 0) {
   3161 		wpa_printf(MSG_DEBUG, "FT: Failed to get seq num");
   3162 		goto out;
   3163 	}
   3164 
   3165 	seq_resp_auth[0].type = FT_RRB_NONCE;
   3166 	seq_resp_auth[0].len = f_nonce_len;
   3167 	seq_resp_auth[0].data = f_nonce;
   3168 	seq_resp_auth[1].type = FT_RRB_SEQ;
   3169 	seq_resp_auth[1].len = sizeof(f_seq);
   3170 	seq_resp_auth[1].data = (u8 *) &f_seq;
   3171 	seq_resp_auth[2].type = FT_RRB_R0KH_ID;
   3172 	seq_resp_auth[2].len = f_r0kh_id_len;
   3173 	seq_resp_auth[2].data = f_r0kh_id;
   3174 	seq_resp_auth[3].type = FT_RRB_R1KH_ID;
   3175 	seq_resp_auth[3].len = FT_R1KH_ID_LEN;
   3176 	seq_resp_auth[3].data = f_r1kh_id;
   3177 	seq_resp_auth[4].type = FT_RRB_LAST_EMPTY;
   3178 	seq_resp_auth[4].len = 0;
   3179 	seq_resp_auth[4].data = NULL;
   3180 
   3181 	if (wpa_ft_rrb_build(key, key_len, NULL, NULL, seq_resp_auth,
   3182 			     wpa_auth->addr, FT_PACKET_R0KH_R1KH_SEQ_RESP,
   3183 			     &packet, &packet_len) < 0)
   3184 		goto out;
   3185 
   3186 	wpa_ft_rrb_oui_send(wpa_auth, src_addr,
   3187 			    FT_PACKET_R0KH_R1KH_SEQ_RESP, packet,
   3188 			    packet_len);
   3189 
   3190 out:
   3191 	os_free(packet);
   3192 
   3193 	return ret;
   3194 }
   3195 
   3196 
   3197 static int wpa_ft_rrb_rx_seq_resp(struct wpa_authenticator *wpa_auth,
   3198 				  const u8 *src_addr,
   3199 				  const u8 *enc, size_t enc_len,
   3200 				  const u8 *auth, size_t auth_len,
   3201 				  int no_defer)
   3202 {
   3203 	u8 *key = NULL;
   3204 	size_t key_len = 0;
   3205 	struct ft_remote_r0kh *r0kh = NULL, *r0kh_wildcard = NULL;
   3206 	struct ft_remote_r1kh *r1kh = NULL, *r1kh_wildcard = NULL;
   3207 	const u8 *f_nonce, *f_seq;
   3208 	size_t f_nonce_len, f_seq_len;
   3209 	struct ft_remote_seq *rkh_seq = NULL;
   3210 	struct ft_remote_item *item;
   3211 	struct os_reltime now, now_remote;
   3212 	int seq_ret, found;
   3213 	const struct ft_rrb_seq *msg_both;
   3214 	u32 msg_dom, msg_seq;
   3215 
   3216 	wpa_printf(MSG_DEBUG, "FT: Received sequence number response");
   3217 
   3218 	if (wpa_ft_rrb_rx_seq(wpa_auth, src_addr, FT_PACKET_R0KH_R1KH_SEQ_RESP,
   3219 			      enc, enc_len, auth, auth_len, &rkh_seq, &key,
   3220 			      &key_len, &r0kh, &r1kh, &r0kh_wildcard,
   3221 			      &r1kh_wildcard) < 0)
   3222 		goto out;
   3223 
   3224 	RRB_GET_AUTH(FT_RRB_NONCE, nonce, "seq response", FT_RRB_NONCE_LEN);
   3225 	wpa_hexdump(MSG_DEBUG, "FT: seq response - nonce", f_nonce,
   3226 		    f_nonce_len);
   3227 
   3228 	found = 0;
   3229 	dl_list_for_each(item, &rkh_seq->rx.queue, struct ft_remote_item,
   3230 			 list) {
   3231 		if (os_memcmp_const(f_nonce, item->nonce,
   3232 				    FT_RRB_NONCE_LEN) != 0 ||
   3233 		    os_get_reltime(&now) < 0 ||
   3234 		    os_reltime_expired(&now, &item->nonce_ts, ftRRBseqTimeout))
   3235 			continue;
   3236 
   3237 		found = 1;
   3238 		break;
   3239 	}
   3240 	if (!found) {
   3241 		wpa_printf(MSG_DEBUG, "FT: seq response - bad nonce");
   3242 		goto out;
   3243 	}
   3244 
   3245 	if (r0kh) {
   3246 		wpa_ft_rrb_r0kh_replenish(wpa_auth, r0kh,
   3247 					  wpa_auth->conf.rkh_pos_timeout);
   3248 		if (r0kh_wildcard)
   3249 			os_memcpy(r0kh->addr, src_addr, ETH_ALEN);
   3250 	}
   3251 
   3252 	if (r1kh) {
   3253 		wpa_ft_rrb_r1kh_replenish(wpa_auth, r1kh,
   3254 					  wpa_auth->conf.rkh_pos_timeout);
   3255 		if (r1kh_wildcard)
   3256 			os_memcpy(r1kh->addr, src_addr, ETH_ALEN);
   3257 	}
   3258 
   3259 	seq_ret = wpa_ft_rrb_seq_chk(rkh_seq, src_addr, enc, enc_len, auth,
   3260 				     auth_len, "seq response", 1);
   3261 	if (seq_ret == FT_RRB_SEQ_OK) {
   3262 		wpa_printf(MSG_DEBUG, "FT: seq response - valid seq number");
   3263 		wpa_ft_rrb_seq_accept(wpa_auth, rkh_seq, src_addr, auth,
   3264 				      auth_len, "seq response");
   3265 	} else {
   3266 		wpa_printf(MSG_DEBUG, "FT: seq response - reset seq number");
   3267 
   3268 		RRB_GET_AUTH(FT_RRB_SEQ, seq, "seq response",
   3269 			     sizeof(*msg_both));
   3270 		msg_both = (const struct ft_rrb_seq *) f_seq;
   3271 
   3272 		msg_dom = le_to_host32(msg_both->dom);
   3273 		msg_seq = le_to_host32(msg_both->seq);
   3274 		now_remote.sec = le_to_host32(msg_both->ts);
   3275 		now_remote.usec = 0;
   3276 
   3277 		rkh_seq->rx.num_last = 2;
   3278 		rkh_seq->rx.dom = msg_dom;
   3279 		rkh_seq->rx.offsetidx = 0;
   3280 		/* Accept some older, possibly cached packets as well */
   3281 		rkh_seq->rx.last[0] = msg_seq - FT_REMOTE_SEQ_BACKLOG -
   3282 			dl_list_len(&rkh_seq->rx.queue);
   3283 		rkh_seq->rx.last[1] = msg_seq;
   3284 
   3285 		/* local time - offset = remote time
   3286 		 * <=> local time - remote time = offset */
   3287 		os_reltime_sub(&now, &now_remote, &rkh_seq->rx.time_offset);
   3288 	}
   3289 
   3290 	wpa_ft_rrb_seq_flush(wpa_auth, rkh_seq, 1);
   3291 
   3292 	return 0;
   3293 out:
   3294 	return -1;
   3295 }
   3296 
   3297 
   3298 int wpa_ft_rrb_rx(struct wpa_authenticator *wpa_auth, const u8 *src_addr,
   3299 		  const u8 *data, size_t data_len)
   3300 {
   3301 	struct ft_rrb_frame *frame;
   3302 	u16 alen;
   3303 	const u8 *pos, *end, *start;
   3304 	u8 action;
   3305 	const u8 *sta_addr, *target_ap_addr;
   3306 
   3307 	wpa_printf(MSG_DEBUG, "FT: RRB received frame from remote AP " MACSTR,
   3308 		   MAC2STR(src_addr));
   3309 
   3310 	if (data_len < sizeof(*frame)) {
   3311 		wpa_printf(MSG_DEBUG, "FT: Too short RRB frame (data_len=%lu)",
   3312 			   (unsigned long) data_len);
   3313 		return -1;
   3314 	}
   3315 
   3316 	pos = data;
   3317 	frame = (struct ft_rrb_frame *) pos;
   3318 	pos += sizeof(*frame);
   3319 
   3320 	alen = le_to_host16(frame->action_length);
   3321 	wpa_printf(MSG_DEBUG, "FT: RRB frame - frame_type=%d packet_type=%d "
   3322 		   "action_length=%d ap_address=" MACSTR,
   3323 		   frame->frame_type, frame->packet_type, alen,
   3324 		   MAC2STR(frame->ap_address));
   3325 
   3326 	if (frame->frame_type != RSN_REMOTE_FRAME_TYPE_FT_RRB) {
   3327 		/* Discard frame per IEEE Std 802.11r-2008, 11A.10.3 */
   3328 		wpa_printf(MSG_DEBUG, "FT: RRB discarded frame with "
   3329 			   "unrecognized type %d", frame->frame_type);
   3330 		return -1;
   3331 	}
   3332 
   3333 	if (alen > data_len - sizeof(*frame)) {
   3334 		wpa_printf(MSG_DEBUG, "FT: RRB frame too short for action "
   3335 			   "frame");
   3336 		return -1;
   3337 	}
   3338 
   3339 	wpa_hexdump(MSG_MSGDUMP, "FT: RRB - FT Action frame", pos, alen);
   3340 
   3341 	if (alen < 1 + 1 + 2 * ETH_ALEN) {
   3342 		wpa_printf(MSG_DEBUG, "FT: Too short RRB frame (not enough "
   3343 			   "room for Action Frame body); alen=%lu",
   3344 			   (unsigned long) alen);
   3345 		return -1;
   3346 	}
   3347 	start = pos;
   3348 	end = pos + alen;
   3349 
   3350 	if (*pos != WLAN_ACTION_FT) {
   3351 		wpa_printf(MSG_DEBUG, "FT: Unexpected Action frame category "
   3352 			   "%d", *pos);
   3353 		return -1;
   3354 	}
   3355 
   3356 	pos++;
   3357 	action = *pos++;
   3358 	sta_addr = pos;
   3359 	pos += ETH_ALEN;
   3360 	target_ap_addr = pos;
   3361 	pos += ETH_ALEN;
   3362 	wpa_printf(MSG_DEBUG, "FT: RRB Action Frame: action=%d sta_addr="
   3363 		   MACSTR " target_ap_addr=" MACSTR,
   3364 		   action, MAC2STR(sta_addr), MAC2STR(target_ap_addr));
   3365 
   3366 	if (frame->packet_type == FT_PACKET_REQUEST) {
   3367 		wpa_printf(MSG_DEBUG, "FT: FT Packet Type - Request");
   3368 
   3369 		if (action != 1) {
   3370 			wpa_printf(MSG_DEBUG, "FT: Unexpected Action %d in "
   3371 				   "RRB Request", action);
   3372 			return -1;
   3373 		}
   3374 
   3375 		if (os_memcmp(target_ap_addr, wpa_auth->addr, ETH_ALEN) != 0) {
   3376 			wpa_printf(MSG_DEBUG, "FT: Target AP address in the "
   3377 				   "RRB Request does not match with own "
   3378 				   "address");
   3379 			return -1;
   3380 		}
   3381 
   3382 		if (wpa_ft_rrb_rx_request(wpa_auth, frame->ap_address,
   3383 					  sta_addr, pos, end - pos) < 0)
   3384 			return -1;
   3385 	} else if (frame->packet_type == FT_PACKET_RESPONSE) {
   3386 		u16 status_code;
   3387 
   3388 		if (end - pos < 2) {
   3389 			wpa_printf(MSG_DEBUG, "FT: Not enough room for status "
   3390 				   "code in RRB Response");
   3391 			return -1;
   3392 		}
   3393 		status_code = WPA_GET_LE16(pos);
   3394 		pos += 2;
   3395 
   3396 		wpa_printf(MSG_DEBUG, "FT: FT Packet Type - Response "
   3397 			   "(status_code=%d)", status_code);
   3398 
   3399 		if (wpa_ft_action_send(wpa_auth, sta_addr, start, alen) < 0)
   3400 			return -1;
   3401 	} else {
   3402 		wpa_printf(MSG_DEBUG, "FT: RRB discarded frame with unknown "
   3403 			   "packet_type %d", frame->packet_type);
   3404 		return -1;
   3405 	}
   3406 
   3407 	if (end > pos) {
   3408 		wpa_hexdump(MSG_DEBUG, "FT: Ignore extra data in end",
   3409 			    pos, end - pos);
   3410 	}
   3411 
   3412 	return 0;
   3413 }
   3414 
   3415 
   3416 void wpa_ft_rrb_oui_rx(struct wpa_authenticator *wpa_auth, const u8 *src_addr,
   3417 		       const u8 *dst_addr, u8 oui_suffix, const u8 *data,
   3418 		       size_t data_len)
   3419 {
   3420 	const u8 *auth, *enc;
   3421 	size_t alen, elen;
   3422 	int no_defer = 0;
   3423 
   3424 	wpa_printf(MSG_DEBUG, "FT: RRB-OUI received frame from remote AP "
   3425 		   MACSTR, MAC2STR(src_addr));
   3426 	wpa_printf(MSG_DEBUG, "FT: RRB-OUI frame - oui_suffix=%d", oui_suffix);
   3427 
   3428 	if (is_multicast_ether_addr(src_addr)) {
   3429 		wpa_printf(MSG_DEBUG,
   3430 			   "FT: RRB-OUI received frame from multicast address "
   3431 			   MACSTR, MAC2STR(src_addr));
   3432 		return;
   3433 	}
   3434 
   3435 	if (is_multicast_ether_addr(dst_addr)) {
   3436 		wpa_printf(MSG_DEBUG,
   3437 			   "FT: RRB-OUI received frame from remote AP " MACSTR
   3438 			   " to multicast address " MACSTR,
   3439 			   MAC2STR(src_addr), MAC2STR(dst_addr));
   3440 		no_defer = 1;
   3441 	}
   3442 
   3443 	if (data_len < sizeof(u16)) {
   3444 		wpa_printf(MSG_DEBUG, "FT: RRB-OUI frame too short");
   3445 		return;
   3446 	}
   3447 
   3448 	alen = WPA_GET_LE16(data);
   3449 	if (data_len < sizeof(u16) + alen) {
   3450 		wpa_printf(MSG_DEBUG, "FT: RRB-OUI frame too short");
   3451 		return;
   3452 	}
   3453 
   3454 	auth = data + sizeof(u16);
   3455 	enc = data + sizeof(u16) + alen;
   3456 	elen = data_len - sizeof(u16) - alen;
   3457 
   3458 	switch (oui_suffix) {
   3459 	case FT_PACKET_R0KH_R1KH_PULL:
   3460 		wpa_ft_rrb_rx_pull(wpa_auth, src_addr, enc, elen, auth, alen,
   3461 				   no_defer);
   3462 		break;
   3463 	case FT_PACKET_R0KH_R1KH_RESP:
   3464 		wpa_ft_rrb_rx_resp(wpa_auth, src_addr, enc, elen, auth, alen,
   3465 				   no_defer);
   3466 		break;
   3467 	case FT_PACKET_R0KH_R1KH_PUSH:
   3468 		wpa_ft_rrb_rx_push(wpa_auth, src_addr, enc, elen, auth, alen,
   3469 				   no_defer);
   3470 		break;
   3471 	case FT_PACKET_R0KH_R1KH_SEQ_REQ:
   3472 		wpa_ft_rrb_rx_seq_req(wpa_auth, src_addr, enc, elen, auth, alen,
   3473 				      no_defer);
   3474 		break;
   3475 	case FT_PACKET_R0KH_R1KH_SEQ_RESP:
   3476 		wpa_ft_rrb_rx_seq_resp(wpa_auth, src_addr, enc, elen, auth,
   3477 				       alen, no_defer);
   3478 		break;
   3479 	}
   3480 }
   3481 
   3482 
   3483 static int wpa_ft_generate_pmk_r1(struct wpa_authenticator *wpa_auth,
   3484 				  struct wpa_ft_pmk_r0_sa *pmk_r0,
   3485 				  struct ft_remote_r1kh *r1kh,
   3486 				  const u8 *s1kh_id)
   3487 {
   3488 	u8 *packet;
   3489 	size_t packet_len;
   3490 	struct ft_rrb_seq f_seq;
   3491 	struct tlv_list push[] = {
   3492 		{ .type = FT_RRB_S1KH_ID, .len = ETH_ALEN,
   3493 		  .data = s1kh_id },
   3494 		{ .type = FT_RRB_PMK_R0_NAME, .len = WPA_PMK_NAME_LEN,
   3495 		  .data = pmk_r0->pmk_r0_name },
   3496 		{ .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL },
   3497 	};
   3498 	struct tlv_list push_auth[] = {
   3499 		{ .type = FT_RRB_SEQ, .len = sizeof(f_seq),
   3500 		  .data = (u8 *) &f_seq },
   3501 		{ .type = FT_RRB_R0KH_ID,
   3502 		  .len = wpa_auth->conf.r0_key_holder_len,
   3503 		  .data = wpa_auth->conf.r0_key_holder },
   3504 		{ .type = FT_RRB_R1KH_ID, .len = FT_R1KH_ID_LEN,
   3505 		  .data = r1kh->id },
   3506 		{ .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL },
   3507 	};
   3508 
   3509 	if (wpa_ft_new_seq(r1kh->seq, &f_seq) < 0) {
   3510 		wpa_printf(MSG_DEBUG, "FT: Failed to get seq num");
   3511 		return -1;
   3512 	}
   3513 
   3514 	if (wpa_ft_rrb_build_r0(r1kh->key, sizeof(r1kh->key), push, pmk_r0,
   3515 				r1kh->id, s1kh_id, push_auth, wpa_auth->addr,
   3516 				FT_PACKET_R0KH_R1KH_PUSH,
   3517 				&packet, &packet_len) < 0)
   3518 		return -1;
   3519 
   3520 	wpa_ft_rrb_oui_send(wpa_auth, r1kh->addr, FT_PACKET_R0KH_R1KH_PUSH,
   3521 			    packet, packet_len);
   3522 
   3523 	os_free(packet);
   3524 	return 0;
   3525 }
   3526 
   3527 
   3528 void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr)
   3529 {
   3530 	struct wpa_ft_pmk_r0_sa *r0;
   3531 	struct ft_remote_r1kh *r1kh;
   3532 
   3533 	if (!wpa_auth->conf.pmk_r1_push)
   3534 		return;
   3535 	if (!wpa_auth->conf.r1kh_list)
   3536 		return;
   3537 
   3538 	r0 = wpa_auth->ft_pmk_cache->pmk_r0;
   3539 	while (r0) {
   3540 		if (os_memcmp(r0->spa, addr, ETH_ALEN) == 0)
   3541 			break;
   3542 		r0 = r0->next;
   3543 	}
   3544 
   3545 	if (r0 == NULL || r0->pmk_r1_pushed)
   3546 		return;
   3547 	r0->pmk_r1_pushed = 1;
   3548 
   3549 	wpa_printf(MSG_DEBUG, "FT: Deriving and pushing PMK-R1 keys to R1KHs "
   3550 		   "for STA " MACSTR, MAC2STR(addr));
   3551 
   3552 	for (r1kh = *wpa_auth->conf.r1kh_list; r1kh; r1kh = r1kh->next) {
   3553 		if (is_zero_ether_addr(r1kh->addr) ||
   3554 		    is_zero_ether_addr(r1kh->id))
   3555 			continue;
   3556 		if (wpa_ft_rrb_init_r1kh_seq(r1kh) < 0)
   3557 			continue;
   3558 		wpa_ft_generate_pmk_r1(wpa_auth, r0, r1kh, addr);
   3559 	}
   3560 }
   3561 
   3562 #endif /* CONFIG_IEEE80211R_AP */
   3563