FT: Use correct BSSID when deriving PTK and verifying MIC

The old version was using struct wpa_sm::bssid which is not necessarily
updated to point to the correct target address when doing over-the-air FT
since the address is used before the association has actually been
completed.

diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h
index 6ab53fe..60a3fa0 100644 (file)
--- a/src/rsn_supp/wpa.h
+++ b/src/rsn_supp/wpa.h
@@ -280,7 +280,7 @@ int wpa_ft_process_response(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
                            int ft_action, const u8 *target_ap);
 int wpa_ft_is_completed(struct wpa_sm *sm);
 int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
-                                size_t ies_len);
+                                size_t ies_len, const u8 *src_addr);
 int wpa_ft_start_over_ds(struct wpa_sm *sm, const u8 *target_ap);
 
 #else /* CONFIG_IEEE80211R */
@@ -310,7 +310,8 @@ static inline int wpa_ft_is_completed(struct wpa_sm *sm)
 }
 
 static inline int
-wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, size_t ies_len)
+wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
+                            const u8 *src_addr)
 {
        return -1;
 }

diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
index b0c4aad..b2ffd55 100644 (file)
--- a/src/rsn_supp/wpa_ft.c
+++ b/src/rsn_supp/wpa_ft.c
@@ -536,7 +536,7 @@ int wpa_ft_process_response(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
        wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name",
                    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
 
-       bssid = ft_action ? sm->target_ap : sm->bssid;
+       bssid = target_ap;
        wpa_pmk_r1_to_ptk(sm->pmk_r1, sm->snonce, ftie->anonce, sm->own_addr,
                          bssid, sm->pmk_r1_name,
                          (u8 *) &sm->ptk, sizeof(sm->ptk), ptk_name);
@@ -582,7 +582,7 @@ int wpa_ft_is_completed(struct wpa_sm *sm)
 
 
 int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
-                                size_t ies_len)
+                                size_t ies_len, const u8 *src_addr)
 {
        struct wpa_ft_ies parse;
        struct rsn_mdie *mdie;
@@ -665,7 +665,7 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
                return -1;
        }
 
-       if (wpa_ft_mic(sm->ptk.kck, sm->own_addr, sm->bssid, 6,
+       if (wpa_ft_mic(sm->ptk.kck, sm->own_addr, src_addr, 6,
                       parse.mdie - 2, parse.mdie_len + 2,
                       parse.ftie - 2, parse.ftie_len + 2,
                       parse.rsn - 2, parse.rsn_len + 2, NULL, 0,

diff --git a/wpa_supplicant/mlme.c b/wpa_supplicant/mlme.c
index 35fa8fc..4d169e4 100644 (file)
--- a/wpa_supplicant/mlme.c
+++ b/wpa_supplicant/mlme.c
@@ -356,7 +356,7 @@ static void ieee80211_sta_wmm_params(struct wpa_supplicant *wpa_s,
 
 static void ieee80211_set_associated(struct wpa_supplicant *wpa_s, int assoc)
 {
-       if (wpa_s->mlme.associated == assoc)
+       if (wpa_s->mlme.associated == assoc && !assoc)
                return;
 
        wpa_s->mlme.associated = assoc;
@@ -1051,6 +1051,7 @@ static void ieee80211_rx_mgmt_auth(struct wpa_supplicant *wpa_s,
                data.ft_ies.ies = mgmt->u.auth.variable;
                data.ft_ies.ies_len = len -
                        (mgmt->u.auth.variable - (u8 *) mgmt);
+               os_memcpy(data.ft_ies.target_ap, wpa_s->bssid, ETH_ALEN);
                wpa_supplicant_event(wpa_s, EVENT_FT_RESPONSE, &data);
                ieee80211_auth_completed(wpa_s);
                break;
@@ -1258,7 +1259,8 @@ static void ieee80211_rx_mgmt_assoc_resp(struct wpa_supplicant *wpa_s,
                        return;
                }
                if (wpa_ft_validate_reassoc_resp(
-                           wpa_s->wpa, pos, len - (pos - (u8 *) mgmt)) < 0) {
+                           wpa_s->wpa, pos, len - (pos - (u8 *) mgmt),
+                           mgmt->sa) < 0) {
                        wpa_printf(MSG_DEBUG, "MLME: FT validation of Reassoc"
                                   "Resp failed");
                        return;