FT: Allow PMKSA caching to be enabled with FT-EAP

The new wpa_supplicant network profile configuration parameter
ft_eap_pmksa_caching=1 can be used to enable use of PMKSA caching with
FT-EAP for FT initial mobility domain association. This is still
disabled by default (i.e., maintaining previous behavior) to avoid
likely interoperability issues.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 2058175f885e5f39575afb09a6be7c9506b6adfc..d33ad9a8a3bb678d8584062e55b57e8d0cb956ae 100644 (file)
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2407,6 +2407,7 @@ static const struct parse_data ssid_fields[] = {
        { INT_RANGE(owe_group, 0, 65535) },
        { INT_RANGE(owe_only, 0, 1) },
        { INT_RANGE(multi_ap_backhaul_sta, 0, 1) },
+       { INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
 };
 
 #undef OFFSET

diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 26f6ee1478445ac09fb5b6fae2fcf6f658df60bf..fe5a0115a436cd54e3657970c8d106c6e85ec456 100644 (file)
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -894,6 +894,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
        INT(owe_group);
        INT(owe_only);
        INT(multi_ap_backhaul_sta);
+       INT(ft_eap_pmksa_caching);
 #ifdef CONFIG_HT_OVERRIDES
        INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
        INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);

diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 1b2b1f1a36f1556cb4772aaa87aa3b05cfe922aa..37b818395278b2bd3c61c4fd52ac30b092576165 100644 (file)
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -1005,6 +1005,16 @@ struct wpa_ssid {
         * 1 = Multi-AP backhaul station
         */
        int multi_ap_backhaul_sta;
+
+       /**
+        * ft_eap_pmksa_caching - Whether FT-EAP PMKSA caching is allowed
+        * 0 = do not try to use PMKSA caching with FT-EAP
+        * 1 = try to use PMKSA caching with FT-EAP
+        *
+        * This controls whether to try to use PMKSA caching with FT-EAP for the
+        * FT initial mobility domain association.
+        */
+       int ft_eap_pmksa_caching;
 };
 
 #endif /* CONFIG_SSID_H */

diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c
index 6328e91b989e24b7609c041cc952e19d2f8c6783..3ea5c80770ee907bc293bea1b9ec33b6a1a0799c 100644 (file)
--- a/wpa_supplicant/config_winreg.c
+++ b/wpa_supplicant/config_winreg.c
@@ -946,6 +946,7 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
        INT(update_identifier);
 #endif /* CONFIG_HS20 */
        INT(group_rekey);
+       INT(ft_eap_pmksa_caching);
 
 #undef STR
 #undef INT

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 2ddd4f2d3a6fd428107e63cffe6690a09010731a..799e215a75b06c2ec828c8bd930d43b82a0524c1 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1417,9 +1417,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
                wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
                wpa_dbg(wpa_s, MSG_DEBUG,
                        "WPA: using KEY_MGMT FT/802.1X-SHA384");
-               if (pmksa_cache_get_current(wpa_s->wpa)) {
-                       /* PMKSA caching with FT is not fully functional, so
-                        * disable the case for now. */
+               if (!ssid->ft_eap_pmksa_caching &&
+                   pmksa_cache_get_current(wpa_s->wpa)) {
+                       /* PMKSA caching with FT may have interoperability
+                        * issues, so disable that case by default for now. */
                        wpa_dbg(wpa_s, MSG_DEBUG,
                                "WPA: Disable PMKSA caching for FT/802.1X connection");
                        pmksa_cache_clear_current(wpa_s->wpa);
@@ -1458,9 +1459,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
        } else if (sel & WPA_KEY_MGMT_FT_IEEE8021X) {
                wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
                wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X");
-               if (pmksa_cache_get_current(wpa_s->wpa)) {
-                       /* PMKSA caching with FT is not fully functional, so
-                        * disable the case for now. */
+               if (!ssid->ft_eap_pmksa_caching &&
+                   pmksa_cache_get_current(wpa_s->wpa)) {
+                       /* PMKSA caching with FT may have interoperability
+                        * issues, so disable that case by default for now. */
                        wpa_dbg(wpa_s, MSG_DEBUG,
                                "WPA: Disable PMKSA caching for FT/802.1X connection");
                        pmksa_cache_clear_current(wpa_s->wpa);

diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index a9205f0b8a2c7726b6c775e98f37647fcdd9e914..842a8dbe01e9e1940e9db7a5261f17f12f3d0b31 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1058,6 +1058,14 @@ fast_reauth=1
 # 0 = disabled (default unless changed with the global okc parameter)
 # 1 = enabled
 #
+# ft_eap_pmksa_caching:
+# Whether FT-EAP PMKSA caching is allowed
+# 0 = do not try to use PMKSA caching with FT-EAP (default)
+# 1 = try to use PMKSA caching with FT-EAP
+# This controls whether to try to use PMKSA caching with FT-EAP for the
+# FT initial mobility domain association.
+#ft_eap_pmksa_caching=0
+#
 # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
 # hex without quotation, e.g., 0102030405)
 # wep_tx_keyidx: Default WEP key index (TX) (0..3)