From 3fb62bdae9c936db9ec261cb3087fdc0ac2a1bae Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Thu, 6 Aug 2015 15:51:36 +0300
Subject: [PATCH] wlantest: Add support for FT-PSK initial association key
 derivation

This adds minimal support for deriving keys for FT-PSK to allow the
initial mobility domain association to be analyzed in more detail.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
 wlantest/bss.c      |  3 +++
 wlantest/rx_eapol.c | 40 +++++++++++++++++++++++++++++++++++-----
 wlantest/rx_mgmt.c  | 18 ++++++++++++++++--
 wlantest/wlantest.h |  4 ++++
 4 files changed, 58 insertions(+), 7 deletions(-)

diff --git a/wlantest/bss.c b/wlantest/bss.c
index 61e2960fd..f021956cc 100644
--- a/wlantest/bss.c
+++ b/wlantest/bss.c
@@ -217,6 +217,9 @@ void bss_update(struct wlantest *wt, struct wlantest_bss *bss,
 			  elems->wpa_ie_len + 2);
 	}
 
+	if (elems->mdie)
+		os_memcpy(bss->mdid, elems->mdie, 2);
+
 	if (!update)
 		return;
 
diff --git a/wlantest/rx_eapol.c b/wlantest/rx_eapol.c
index 569cd3c03..75bfa7d3e 100644
--- a/wlantest/rx_eapol.c
+++ b/wlantest/rx_eapol.c
@@ -100,12 +100,42 @@ static int try_pmk(struct wlantest *wt, struct wlantest_bss *bss,
 {
 	struct wpa_ptk ptk;
 
-	if (wpa_pmk_to_ptk(pmk->pmk, sizeof(pmk->pmk),
-			   "Pairwise key expansion",
-			   bss->bssid, sta->addr, sta->anonce, sta->snonce,
-			   &ptk, sta->key_mgmt, sta->pairwise_cipher) < 0 ||
-	    check_mic(ptk.kck, ptk.kck_len, sta->key_mgmt, ver, data, len) < 0)
+	if (wpa_key_mgmt_ft(sta->key_mgmt)) {
+		u8 pmk_r0[PMK_LEN];
+		u8 pmk_r0_name[WPA_PMK_NAME_LEN];
+		u8 pmk_r1[PMK_LEN];
+		u8 pmk_r1_name[WPA_PMK_NAME_LEN];
+		u8 ptk_name[WPA_PMK_NAME_LEN];
+
+		wpa_derive_pmk_r0(pmk->pmk, sizeof(pmk->pmk),
+				  bss->ssid, bss->ssid_len, bss->mdid,
+				  bss->r0kh_id, bss->r0kh_id_len,
+				  sta->addr, pmk_r0, pmk_r0_name);
+		wpa_hexdump(MSG_DEBUG, "FT: PMK-R0", pmk_r0, PMK_LEN);
+		wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name,
+			    WPA_PMK_NAME_LEN);
+		wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, bss->r1kh_id,
+				  sta->addr, pmk_r1, pmk_r1_name);
+		wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, PMK_LEN);
+		wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name,
+			    WPA_PMK_NAME_LEN);
+		if (wpa_pmk_r1_to_ptk(pmk_r1, sta->snonce, sta->anonce,
+				      sta->addr,
+				      bss->bssid, pmk_r1_name, &ptk, ptk_name,
+				      sta->key_mgmt,
+				      sta->pairwise_cipher) < 0 ||
+		    check_mic(ptk.kck, ptk.kck_len, sta->key_mgmt, ver, data,
+			      len) < 0)
+			return -1;
+	} else if (wpa_pmk_to_ptk(pmk->pmk, sizeof(pmk->pmk),
+				  "Pairwise key expansion",
+				  bss->bssid, sta->addr, sta->anonce,
+				  sta->snonce, &ptk, sta->key_mgmt,
+				  sta->pairwise_cipher) < 0 ||
+		   check_mic(ptk.kck, ptk.kck_len, sta->key_mgmt, ver, data,
+			     len) < 0) {
 		return -1;
+	}
 
 	sta->tk_len = wpa_cipher_key_len(sta->pairwise_cipher);
 	wpa_printf(MSG_INFO, "Derived PTK for STA " MACSTR " BSSID " MACSTR,
diff --git a/wlantest/rx_mgmt.c b/wlantest/rx_mgmt.c
index 45433dd4e..6242bc600 100644
--- a/wlantest/rx_mgmt.c
+++ b/wlantest/rx_mgmt.c
@@ -314,6 +314,9 @@ static void rx_mgmt_assoc_resp(struct wlantest *wt, const u8 *data, size_t len)
 	struct wlantest_bss *bss;
 	struct wlantest_sta *sta;
 	u16 capab, status, aid;
+	const u8 *ies;
+	size_t ies_len;
+	struct wpa_ft_ies parse;
 
 	mgmt = (const struct ieee80211_mgmt *) data;
 	bss = bss_get(wt, mgmt->bssid);
@@ -329,6 +332,9 @@ static void rx_mgmt_assoc_resp(struct wlantest *wt, const u8 *data, size_t len)
 		return;
 	}
 
+	ies = mgmt->u.assoc_resp.variable;
+	ies_len = len - (mgmt->u.assoc_resp.variable - data);
+
 	capab = le_to_host16(mgmt->u.assoc_resp.capab_info);
 	status = le_to_host16(mgmt->u.assoc_resp.status_code);
 	aid = le_to_host16(mgmt->u.assoc_resp.aid);
@@ -340,8 +346,6 @@ static void rx_mgmt_assoc_resp(struct wlantest *wt, const u8 *data, size_t len)
 
 	if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
 		struct ieee802_11_elems elems;
-		const u8 *ies = mgmt->u.assoc_resp.variable;
-		size_t ies_len = len - (mgmt->u.assoc_resp.variable - data);
 		if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
 		    ParseFailed) {
 			add_note(wt, MSG_INFO, "Failed to parse IEs in "
@@ -382,6 +386,16 @@ static void rx_mgmt_assoc_resp(struct wlantest *wt, const u8 *data, size_t len)
 			 MAC2STR(sta->addr), MAC2STR(bss->bssid));
 		sta->state = STATE3;
 	}
+
+	if (wpa_ft_parse_ies(ies, ies_len, &parse) == 0) {
+		if (parse.r0kh_id) {
+			os_memcpy(bss->r0kh_id, parse.r0kh_id,
+				  parse.r0kh_id_len);
+			bss->r0kh_id_len = parse.r0kh_id_len;
+		}
+		if (parse.r1kh_id)
+			os_memcpy(bss->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
+	}
 }
 
 
diff --git a/wlantest/wlantest.h b/wlantest/wlantest.h
index 29bcab501..ced9baa0e 100644
--- a/wlantest/wlantest.h
+++ b/wlantest/wlantest.h
@@ -151,6 +151,10 @@ struct wlantest_bss {
 	u8 ipn[6][6];
 	u32 counters[NUM_WLANTEST_BSS_COUNTER];
 	struct dl_list tdls; /* struct wlantest_tdls */
+	u8 mdid[2];
+	u8 r0kh_id[FT_R0KH_ID_MAX_LEN];
+	size_t r0kh_id_len;
+	u8 r1kh_id[FT_R1KH_ID_LEN];
 };
 
 struct wlantest_radius {