From d0819a11ccf00cc11f9c7f2b023c43401249bbde Mon Sep 17 00:00:00 2001 From: "Vinita S. Maloo" Date: Tue, 19 May 2020 17:43:22 +0530 Subject: [PATCH] FILS: Use FILS auth alg when connecting using PMKSA caching When a PMKSA cache entry is available and used for connection with FILS key management suite, use FILS authentication algorithm for connection even if ERP keys are not available. This scenario may happen when applications using wpa_supplicant cache persistently only PMKSA but not ERP keys and reconfigures wpa_supplicant with PMKSA cache after restarting wpa_supplicant. The previous implementation correctly handles SME-in-wpa_supplicant cases. However, SME-in-driver cases, complete FILS authentication without PMKSA caching is performed. Fix SME-in-driver behavior by setting authentication algorithm to WPA_AUTH_ALG_FILS when connecting to a FILS AP using PMKSA caching. Signed-off-by: Jouni Malinen --- wpa_supplicant/wpa_supplicant.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 4c1daf1fa..e7989baef 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -2752,9 +2752,9 @@ static u8 * wpas_populate_assoc_ies( #ifdef CONFIG_MBO const u8 *mbo_ie; #endif -#ifdef CONFIG_SAE - int sae_pmksa_cached = 0; -#endif /* CONFIG_SAE */ +#if defined(CONFIG_SAE) || defined(CONFIG_FILS) + int pmksa_cached = 0; +#endif /* CONFIG_SAE || CONFIG_FILS */ #ifdef CONFIG_FILS const u8 *realm, *username, *rrk; size_t realm_len, username_len, rrk_len; @@ -2794,9 +2794,9 @@ static u8 * wpas_populate_assoc_ies( ssid, try_opportunistic, cache_id, 0) == 0) { eapol_sm_notify_pmkid_attempt(wpa_s->eapol); -#ifdef CONFIG_SAE - sae_pmksa_cached = 1; -#endif /* CONFIG_SAE */ +#if defined(CONFIG_SAE) || defined(CONFIG_FILS) + pmksa_cached = 1; +#endif /* CONFIG_SAE || CONFIG_FILS */ } wpa_ie_len = max_wpa_ie_len; if (wpa_supplicant_set_suites(wpa_s, bss, ssid, @@ -2895,6 +2895,10 @@ static u8 * wpas_populate_assoc_ies( if (mask) *mask |= WPA_DRV_UPDATE_FILS_ERP_INFO; + } else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_FILS_SK_OFFLOAD) && + ssid->eap.erp && wpa_key_mgmt_fils(wpa_s->key_mgmt) && + pmksa_cached) { + algs = WPA_AUTH_ALG_FILS; } #endif /* CONFIG_FILS */ #endif /* IEEE8021X_EAPOL */ @@ -2911,7 +2915,7 @@ static u8 * wpas_populate_assoc_ies( } #ifdef CONFIG_SAE - if (sae_pmksa_cached && algs == WPA_AUTH_ALG_SAE) { + if (pmksa_cached && algs == WPA_AUTH_ALG_SAE) { wpa_dbg(wpa_s, MSG_DEBUG, "SAE: Use WPA_AUTH_ALG_OPEN for PMKSA caching attempt"); algs = WPA_AUTH_ALG_OPEN;