path: root/src/rsn_supp/pmksa_cache.h
Commit log for this file (each entry: subject, author, date; files changed, lines -removed/+added):
* DPP2: Try to negotiate PFS only if AP supports version 2 or newer (Jouni Malinen, 2020-05-03; 1 file, -0/+1)

  Check AP's DPP Protocol Version during network introduction and mark the PMKSA cache as suitable for PFS use with version 2 or newer. This avoids an unnecessary attempt to negotiate PFS with version 1 APs.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix wpa_supplicant build with CONFIG_NO_WPA (Daniel Golle, 2018-04-13; 1 file, -2/+3)

  The pmksa_cache stubs were not updated when the function prototypes were modified in commit 852b2f2738 (SAE: Only allow SAE AKMP for PMKSA caching attempts). Add the new function parameter int akmp to the stubs of pmksa_cache_get() and pmksa_cache_set_current() as well to fix the build.

  Fixes: 852b2f2738 ("SAE: Only allow SAE AKMP for PMKSA caching attempts")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* SAE: Only allow SAE AKMP for PMKSA caching attempts (Jouni Malinen, 2018-04-09; 1 file, -3/+5)

  Explicitly check that the PMKSA cache entry has a matching SAE AKMP when determining whether to use PMKSA caching instead of a new SAE authentication. Previously, only the network context was checked, but a single network configuration profile could be used with both WPA2-PSK and SAE, so the AKMP should be checked as well.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* FILS: Use FILS Cache Identifier to extend PMKSA applicability (Jouni Malinen, 2017-02-26; 1 file, -4/+15)

  This allows PMKSA cache entries for FILS-enabled BSSs to be shared within an ESS when the BSSs advertise the same FILS Cache Identifier value.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix wpa_supplicant build error with IEEE8021X_EAPOL unset (Felix Fietkau, 2016-12-14; 1 file, -0/+13)

  Add missing inline stubs for newly added functions.

  Fixes: 3459381dd260 ("External persistent storage for PMKSA cache entries")
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* External persistent storage for PMKSA cache entries (Jouni Malinen, 2016-12-12; 1 file, -0/+4)

  This adds new wpa_supplicant control interface commands PMKSA_GET and PMKSA_ADD that can be used to store PMKSA cache entries in an external persistent storage when terminating a wpa_supplicant process and then restore those entries when starting a new process. The previously added PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing the external storage with the memory-only volatile storage within wpa_supplicant.

  "PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to a specific network profile. The network_id of the current profile is available with the STATUS command (id=<network_id>). In addition, the network_id is included in the PMKSA-CACHE-ADDED/REMOVED events.

  The output of the PMKSA_GET command uses the following format:

    <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds> <akmp> <opportunistic>

  For example:

    02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0
    02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0

  The PMKSA_GET command uses the following format:

    <network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds> <akmp> <opportunistic>

  (i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET output data; however, the reauth_time and expiration values need to be updated by decrementing them by the number of seconds between the PMKSA_GET and PMKSA_ADD commands)

  For example:

    PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0
    PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0

  This functionality is disabled by default and can be enabled with the CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be noted that this allows any process that has access to the wpa_supplicant control interface to use the PMKSA_ADD command to fetch keying material (PMK), so this is for environments in which the control interface access is restricted.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
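As an added example (not part of the hostap commit or code base), a small Python helper for the external-storage workflow described in the commit above: it parses PMKSA_GET output lines, validates every field before a PMK is handed back to the control interface, and emits the matching PMKSA_ADD commands with reauth_time and expiration decremented by the seconds elapsed between the two commands, dropping entries that would already be expired. The sample output is the one quoted in the commit message; the function names and the validation rules are this example's own assumptions.

```python
import re
from dataclasses import dataclass

BSSID_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
@dataclass
class PmksaEntry:
    bssid: str
    pmkid: str
    pmk: str
    reauth_time: int   # seconds until reauthentication, relative to the PMKSA_GET time
    expiration: int    # seconds until the entry expires, relative to the PMKSA_GET time
    akmp: int
    opportunistic: int

def parse_pmksa_get_line(line: str) -> PmksaEntry:
    """Parse one PMKSA_GET output line, rejecting malformed fields before they reach PMKSA_ADD."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    bssid, pmkid, pmk = (f.lower() for f in fields[:3])
    # PMKID is 128 bits; PMK is 256 bits for most AKMs, 384 bits for Suite B 192-bit (00-0F-AC:12)
    if not (BSSID_RE.match(bssid) and HEX_RE.match(pmkid + pmk)
            and len(pmkid) == 32 and len(pmk) in (64, 96)):
        raise ValueError("malformed BSSID, PMKID or PMK")
    reauth, exp, akmp, opp = (int(f) for f in fields[3:])
    if reauth < 0 or exp < 0 or akmp < 0 or opp not in (0, 1):
        raise ValueError("numeric field out of range")
    return PmksaEntry(bssid, pmkid, pmk, reauth, exp, akmp, opp)

def to_pmksa_add(entry: PmksaEntry, network_id: int, elapsed: int):
    """PMKSA_ADD command for a restore `elapsed` seconds after PMKSA_GET; None once the entry has expired."""
    expiration = entry.expiration - elapsed
    if expiration <= 0:
        return None  # do not re-inject a PMK that wpa_supplicant itself would already have dropped
    reauth = max(entry.reauth_time - elapsed, 0)
    return (f"PMKSA_ADD {network_id} {entry.bssid} {entry.pmkid} {entry.pmk} "
            f"{reauth} {expiration} {entry.akmp} {entry.opportunistic}")

def restore_commands(pmksa_get_output: str, network_id: int, elapsed: int):
    """Turn a whole PMKSA_GET reply into the PMKSA_ADD commands that are still worth replaying."""
    cmds = (to_pmksa_add(parse_pmksa_get_line(l), network_id, elapsed)
            for l in pmksa_get_output.splitlines() if l.strip())
    return [c for c in cmds if c is not None]

# Sample PMKSA_GET output copied from the commit message above (network_id 0, elapsed 100 s in the commit's example)
SAMPLE_GET_OUTPUT = (
    "02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0\n"
    "02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0\n"
)
```

Running restore_commands(SAMPLE_GET_OUTPUT, 0, 100) reproduces the two PMKSA_ADD lines quoted in the commit message.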
* SAE: Fix PMKID calculation for PMKSA cache (Masashi Honma, 2016-02-18; 1 file, -2/+2)

  The SAE PMKID is calculated with IEEE Std 802.11-2012, but the PMKID was re-calculated with and saved into PMKSA cache. Fix this to save the PMKID calculated with into the PMKSA cache.

  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* Fix wpa_supplicant build with IEEE8021X_EAPOL=y and CONFIG_NO_WPA=y (Jouni Malinen, 2016-01-15; 1 file, -1/+1)

  The PMKSA caching and RSN pre-authentication components were marked as conditional on IEEE8021X_EAPOL. However, the empty wrappers are also needed in the case where IEEE8021X_EAPOL is defined together with CONFIG_NO_WPA.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix Suite B 192-bit AKM to use proper PMK length (Jouni Malinen, 2015-10-14; 1 file, -1/+1)

  In addition to the PTK length increasing, the length of the PMK was increased (from 256 to 384 bits) for the 00-0f-ac:12 AKM. This part was missing from the initial implementation and a fixed length (256-bit) PMK was used for all AKMs. Fix this by adding more complete support for variable length PMK and use 384 bits from MSK instead of 256 bits when using this AKM. This is not backwards compatible with the earlier implementations.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Suite B: PMKID derivation for AKM 00-0F-AC:11 (Jouni Malinen, 2014-11-16; 1 file, -0/+2)

  The new AKM uses a different mechanism of deriving the PMKID based on KCK instead of PMK. hostapd was already doing this after the KCK had been derived, but wpa_supplicant functionality needs to be moved from processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove CONFIG_NO_WPA2 build parameter (Jouni Malinen, 2013-06-07; 1 file, -3/+3)

  There is not much use for enabling WPA without WPA2 nowadays since most networks have been upgraded to WPA2. Furthermore, the code size savings from disabling just WPA2 are pretty small, so there is not much justification for maintaining this build option. Remove it to get rid of undesired complexity.

  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix build without WPA2 or EAP (Jouni Malinen, 2013-06-07; 1 file, -1/+2)

  Commit 4033935dd9098938838d6d7934ceb65f92a1fa3c updated pmksa_cache_flush() function arguments, but forgot to update the wrapper function for cases where WPA2 or EAP has been disabled in the build.

  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix OKC-based PMKSA cache entry clearing (Jouni Malinen, 2013-05-22; 1 file, -1/+2)

  Commit c3fea272747f738f5723fc577371fe03711d988f added a call to clear all other PMKSA cache entries for the same network if the PMKSA cache entry of the current AP changed. This was needed to fix OKC cases since the other APs would likely use the new PMK in the future. However, this ended up clearing entries in cases where that is not desired and this resulted in needing additional full EAP authentication with networks that did not support OKC if wpa_supplicant was configured to try to use it.

  Make PMKSA cache entry flushing more limited so that the other entries are removed only if they used the old PMK that was replaced for the current AP and only if that PMK had previously been used successfully (i.e., opportunistic flag was already cleared back to 0 in wpa_supplicant_key_neg_complete()). This is still enough to fix the issue described in that older commit while not causing problems for standard PMKSA caching operations even if OKC is enabled in wpa_supplicant configuration.

  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix compilation with PMKSA caching support disabled (Jouni Malinen, 2013-02-03; 1 file, -1/+1)

  Commit 6aaac006af7fd39d618c6546939bed9f0f0cea37 modified the pmksa_cache_init() prototype, but forgot to update the empty wrapper function which is used when PMKSA caching is not included in the build.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* PMKSA: Make deauthentication due to cache entry removal more granular (Dan Williams, 2012-11-25; 1 file, -2/+8)

  Expiry can always trigger a deauthentication, but otherwise, deauthentication should only happen when the *current* cache entry is removed and not being replaced. It should not happen when the current PMK just happens to match the PMK of the entry being removed, since multiple entries can have the same PMK when OKC is used and these entries are often removed at different times.

  This fixes an issue where eviction of the oldest inactive entry due to adding a newer entry to a full cache caused a deauthentication when the entry being removed had the same PMK as the current entry.

  Signed-hostap: Dan Williams <dcbw@redhat.com>
* Remove the GPL notification from files contributed by Jouni Malinen (Jouni Malinen, 2012-02-11; 1 file, -8/+2)

  Remove the GPL notification text from the files that were initially contributed by myself.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Fix pmksa_cache_get() arguments in !IEEE80211_X_EAPOL builds (Antonio Quartulli, 2012-02-11; 1 file, -1/+2)

  In case of !defined(IEEE8021X_EAPOL) the definition of the stub pmksa_cache_get() in rsn_supp/pmksa_cache.h is not correct. This patch adds the missing argument to the function definition to fix a regression from commit 96efeeb66bd8762ab9fccd9fe2b5c3e276ff220c.

  Signed-hostap: Antonio Quartulli <ordex@autistici.org>
* Use PMKSA cache entries with only a single network context (Jouni Malinen, 2012-02-04; 1 file, -2/+3)

  When looking for PMKSA cache entries to use with a new association, only accept entries created with the same network block that was used to create the cache entry.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Flush PMKSA cache entries and invalidate EAP state on network changes (Jouni Malinen, 2011-09-07; 1 file, -5/+6)

  If a network configuration block is removed or modified, flush all PMKSA cache entries that were created using that network configuration. Similarly, invalidate EAP state (fast re-auth). The special case for OKC on wpa_supplicant reconfiguration (network_ctx pointer change) is now addressed as part of the PMKSA cache flushing, so it does not need a separate mechanism for clearing the network_ctx values in the PMKSA cache.
* Removed wpa_sm dereference from pmksa_cache_list() (Jouni Malinen, 2009-01-13; 1 file, -2/+3)
* Added support for using SHA256-based stronger key derivation for WPA2 (Jouni Malinen, 2008-08-31; 1 file, -3/+3)

  IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new AKMPs and clean up AKMP processing with helper functions in defs.h.
* Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release (Jouni Malinen, 2008-02-28; 1 file, -0/+126)