authorJouni Malinen <jouni@qca.qualcomm.com>2017-07-05 14:52:23 (GMT)
committerJouni Malinen <j@w1.fi>2017-07-05 14:52:23 (GMT)
commitb3e567c890d0d396b7f35336bde33b07855c3129 (patch)
treea8eba987a88009af59a320da1d8dbc52037584d1 /src
parentbfe448331f3e6a5b40326348dd5b7faeff5ac04c (diff)
FILS: ERP-based PMKSA cache addition on AP
hostapd did not add a new PMKSA cache entry when FILS shared key authentication was used, i.e., only the initial full authentication resulted in a PMKSA cache entry being created. Derive the PMKID for the ERP case as well and add a PMKSA cache entry if the ERP exchange succeeds. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Diffstat (limited to 'src')
-rw-r--r--src/ap/ieee802_11.c26
-rw-r--r--src/ap/sta_info.h4
2 files changed, 29 insertions, 1 deletions
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index efbdc49..ac89c90 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1229,6 +1229,14 @@ void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
wpa_printf(MSG_DEBUG,
"FILS: Will send Authentication frame once the response from authentication server is available");
sta->flags |= WLAN_STA_PENDING_FILS_ERP;
+ /* Calculate pending PMKID here so that we do not need
+ * to maintain a copy of the EAP-Initiate/Reauth
+ * message. */
+ if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
+ elems.fils_wrapped_data,
+ elems.fils_wrapped_data_len,
+ sta->fils_erp_pmkid) == 0)
+ sta->fils_erp_pmkid_set = 1;
return;
#else /* CONFIG_NO_RADIUS */
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
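Review bot: `sta->fils_erp_pmkid_set` is only ever set to 1 in this added block, so when `fils_pmkid_erp()` returns non-zero the flag keeps whatever value an earlier authentication attempt left in it. The only reset visible in this commit is in prepare_auth_resp_fils(), inside the branch that adds the cache entry. An attempt abandoned before reaching that branch would therefore presumably leave a stale PMKID marked valid, and a later successful ERP exchange could cache the new PMK under it. Clearing the flag before the call, `sta->fils_erp_pmkid_set = 0;`, makes the state depend only on the current frame, and a `wpa_printf(MSG_DEBUG, "FILS: Could not derive ERP PMKID");` on the failure path would make the skipped cache entry visible. handle_auth_fils() begins and ends outside this hunk, so a reset elsewhere cannot be ruled out.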
@@ -1388,6 +1396,24 @@ prepare_auth_resp_fils(struct hostapd_data *hapd,
goto fail;
}
pmk = pmk_buf;
+
+ if (sta->fils_erp_pmkid_set) {
+ /* TODO: get PMKLifetime from WPA parameters */
+ unsigned int dot11RSNAConfigPMKLifetime = 43200;
+
+ sta->fils_erp_pmkid_set = 0;
+ if (wpa_auth_pmksa_add2(
+ hapd->wpa_auth, sta->addr,
+ pmk, pmk_len,
+ sta->fils_erp_pmkid,
+ sta->session_timeout_set ?
+ sta->session_timeout :
+ dot11RSNAConfigPMKLifetime,
+ wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
+ wpa_printf(MSG_ERROR,
+ "FILS: Failed to add PMKSA cache entry based on ERP");
+ }
+ }
} else if (pmksa) {
pmk = pmksa->pmk;
pmk_len = pmksa->pmk_len;
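Review bot: The fallback lifetime is a function-local literal, `unsigned int dot11RSNAConfigPMKLifetime = 43200;`, so every ERP-based PMKSA entry added while `sta->session_timeout_set` is 0 stays cached for 12 hours, whatever lifetime the deployment intends. The TODO admits the value is provisional but gives neither the unit nor the condition under which it applies. I would expand it to `/* TODO: get PMKLifetime from WPA parameters; until then 43200 s (12 h) is used whenever no session timeout was set for the STA */`. If the same default is defined elsewhere in the authenticator, a second copy here can drift from it. The enclosing branch of prepare_auth_resp_fils() starts above this hunk.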
diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h
index 81ad693..0a23050 100644
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -12,11 +12,11 @@
#ifdef CONFIG_MESH
/* needed for mesh_plink_state enum */
#include "common/defs.h"
-#include "common/wpa_common.h"
#endif /* CONFIG_MESH */
#include "list.h"
#include "vlan.h"
+#include "common/wpa_common.h"
#include "common/ieee802_11_defs.h"
/* STA flags */
@@ -226,10 +226,12 @@ struct sta_info {
#ifdef CONFIG_FILS
u8 fils_snonce[FILS_NONCE_LEN];
u8 fils_session[FILS_SESSION_LEN];
+ u8 fils_erp_pmkid[PMKID_LEN];
u8 *fils_pending_assoc_req;
size_t fils_pending_assoc_req_len;
unsigned int fils_pending_assoc_is_reassoc:1;
unsigned int fils_dhcp_rapid_commit_proxy:1;
+ unsigned int fils_erp_pmkid_set:1;
struct wpabuf *fils_hlp_resp;
struct wpabuf *hlp_dhcp_discover;
void (*fils_pending_cb)(struct hostapd_data *hapd, struct sta_info *sta,
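Review bot: The two new members of `struct sta_info` form an invariant that is not written down anywhere: `fils_erp_pmkid` holds meaningful data only while `fils_erp_pmkid_set` is 1, and the pair is written in handle_auth_fils() and consumed in prepare_auth_resp_fils(). A comment on the array, `/* PMKID derived from the pending EAP-Initiate/Re-auth; valid only while fils_erp_pmkid_set is 1 */`, would tell a later reader not to use the buffer without checking the flag. The struct definition continues outside this hunk.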