FILS: ERP-based PMKSA cache addition on AP
hostapd did not add a new PMKSA cache entry when FILS shared key authentication was used, i.e., only the initial full authentication resulted in a PMKSA cache entry being created. Derive the PMKID for the ERP case as well and add a PMKSA cache entry if the ERP exchange succeeds. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
		
							parent
							
								
									bfe448331f
								
							
						
					
					
						commit
						b3e567c890
					
				
					 2 changed files with 29 additions and 1 deletions
				
			
		|  | @ -1229,6 +1229,14 @@ void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta, | ||||||
| 			wpa_printf(MSG_DEBUG, | 			wpa_printf(MSG_DEBUG, | ||||||
| 				   "FILS: Will send Authentication frame once the response from authentication server is available"); | 				   "FILS: Will send Authentication frame once the response from authentication server is available"); | ||||||
| 			sta->flags |= WLAN_STA_PENDING_FILS_ERP; | 			sta->flags |= WLAN_STA_PENDING_FILS_ERP; | ||||||
|  | 			/* Calculate pending PMKID here so that we do not need
 | ||||||
|  | 			 * to maintain a copy of the EAP-Initiate/Reauth | ||||||
|  | 			 * message. */ | ||||||
|  | 			if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm), | ||||||
|  | 					   elems.fils_wrapped_data, | ||||||
|  | 					   elems.fils_wrapped_data_len, | ||||||
|  | 					   sta->fils_erp_pmkid) == 0) | ||||||
|  | 				sta->fils_erp_pmkid_set = 1; | ||||||
| 			return; | 			return; | ||||||
| #else /* CONFIG_NO_RADIUS */ | #else /* CONFIG_NO_RADIUS */ | ||||||
| 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE; | 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE; | ||||||
|  | @ -1388,6 +1396,24 @@ prepare_auth_resp_fils(struct hostapd_data *hapd, | ||||||
| 			goto fail; | 			goto fail; | ||||||
| 		} | 		} | ||||||
| 		pmk = pmk_buf; | 		pmk = pmk_buf; | ||||||
|  | 
 | ||||||
|  | 		if (sta->fils_erp_pmkid_set) { | ||||||
|  | 			/* TODO: get PMKLifetime from WPA parameters */ | ||||||
|  | 			unsigned int dot11RSNAConfigPMKLifetime = 43200; | ||||||
|  | 
 | ||||||
|  | 			sta->fils_erp_pmkid_set = 0; | ||||||
|  | 			if (wpa_auth_pmksa_add2( | ||||||
|  | 				    hapd->wpa_auth, sta->addr, | ||||||
|  | 				    pmk, pmk_len, | ||||||
|  | 				    sta->fils_erp_pmkid, | ||||||
|  | 				    sta->session_timeout_set ? | ||||||
|  | 				    sta->session_timeout : | ||||||
|  | 				    dot11RSNAConfigPMKLifetime, | ||||||
|  | 				    wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) { | ||||||
|  | 				wpa_printf(MSG_ERROR, | ||||||
|  | 					   "FILS: Failed to add PMKSA cache entry based on ERP"); | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
| 	} else if (pmksa) { | 	} else if (pmksa) { | ||||||
| 		pmk = pmksa->pmk; | 		pmk = pmksa->pmk; | ||||||
| 		pmk_len = pmksa->pmk_len; | 		pmk_len = pmksa->pmk_len; | ||||||
|  |  | ||||||
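Review bot: `sta->fils_erp_pmkid_set` is not cleared before `fils_pmkid_erp()` is called in the `handle_auth_fils()` hunk, and the only reset visible is inside the branch added to `prepare_auth_resp_fils()`. A flag and PMKID left over from an earlier ERP attempt that never reached that branch would therefore survive a later attempt whose PMKID derivation fails. The new PMKSA cache entry would then pair the freshly derived PMK with a PMKID computed from a different EAP-Initiate/Re-auth message. Adding `sta->fils_erp_pmkid_set = 0;` ahead of the `if (fils_pmkid_erp(...) == 0)` keeps the two in step; both functions continue outside the hunks, so another path may already reset the flag. The hard-coded `43200` fallback lifetime is marked TODO and is worth tracking, because it decides how long the cached PMK stays usable when no session timeout is set.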
|  | @ -12,11 +12,11 @@ | ||||||
| #ifdef CONFIG_MESH | #ifdef CONFIG_MESH | ||||||
| /* needed for mesh_plink_state enum */ | /* needed for mesh_plink_state enum */ | ||||||
| #include "common/defs.h" | #include "common/defs.h" | ||||||
| #include "common/wpa_common.h" |  | ||||||
| #endif /* CONFIG_MESH */ | #endif /* CONFIG_MESH */ | ||||||
| 
 | 
 | ||||||
| #include "list.h" | #include "list.h" | ||||||
| #include "vlan.h" | #include "vlan.h" | ||||||
|  | #include "common/wpa_common.h" | ||||||
| #include "common/ieee802_11_defs.h" | #include "common/ieee802_11_defs.h" | ||||||
| 
 | 
 | ||||||
| /* STA flags */ | /* STA flags */ | ||||||
|  | @ -226,10 +226,12 @@ struct sta_info { | ||||||
| #ifdef CONFIG_FILS | #ifdef CONFIG_FILS | ||||||
| 	u8 fils_snonce[FILS_NONCE_LEN]; | 	u8 fils_snonce[FILS_NONCE_LEN]; | ||||||
| 	u8 fils_session[FILS_SESSION_LEN]; | 	u8 fils_session[FILS_SESSION_LEN]; | ||||||
|  | 	u8 fils_erp_pmkid[PMKID_LEN]; | ||||||
| 	u8 *fils_pending_assoc_req; | 	u8 *fils_pending_assoc_req; | ||||||
| 	size_t fils_pending_assoc_req_len; | 	size_t fils_pending_assoc_req_len; | ||||||
| 	unsigned int fils_pending_assoc_is_reassoc:1; | 	unsigned int fils_pending_assoc_is_reassoc:1; | ||||||
| 	unsigned int fils_dhcp_rapid_commit_proxy:1; | 	unsigned int fils_dhcp_rapid_commit_proxy:1; | ||||||
|  | 	unsigned int fils_erp_pmkid_set:1; | ||||||
| 	struct wpabuf *fils_hlp_resp; | 	struct wpabuf *fils_hlp_resp; | ||||||
| 	struct wpabuf *hlp_dhcp_discover; | 	struct wpabuf *hlp_dhcp_discover; | ||||||
| 	void (*fils_pending_cb)(struct hostapd_data *hapd, struct sta_info *sta, | 	void (*fils_pending_cb)(struct hostapd_data *hapd, struct sta_info *sta, | ||||||
|  |  | ||||||
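Review bot: The two new `struct sta_info` members have no comment tying them together, although `fils_erp_pmkid` is only meaningful while `fils_erp_pmkid_set` is 1. A short comment on the array, for example `/* PMKID derived from the pending EAP-Initiate/Re-auth; valid only while fils_erp_pmkid_set is set */`, would make that invariant visible to anyone who later reads or copies the field. The struct definition starts and ends outside the hunk.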
	 Jouni Malinen
						Jouni Malinen