git.ipfire.org Git - thirdparty/hostap.git/commit

author	Jouni Malinen <quic_jouni@quicinc.com>
	Tue, 14 Feb 2023 09:29:30 +0000 (11:29 +0200)
committer	Jouni Malinen <j@w1.fi>
	Tue, 14 Feb 2023 09:47:25 +0000 (11:47 +0200)
commit	ba150059d1ec964add8f29eb2c92dd6dfde97308
tree	58dc9467dc08bd57f107fc7dc75ec932c7175229	tree
parent	e4d1000cacea72a5d4befcd93528d31466ee7255	commit \| diff

FT: Store PMK-R0/PMK-R1 after EAPOL-Key msg 2/4 MIC validation

hostapd was previously storing the derived PMK-R0 and PMK-R1 as soon as
these keys were derived. While that is fine for most purposes, it is
unnecessary to do that so quickly and if anything were to fail before
the supplicant is able to return a valid EAPOL-Key msg 2/4, there would
not really be any real use for the derived keys.

For the special case of FT-PSK and VLAN determination based on the
wpa_psk file, the VLAN information is set in the per-STA data structures
only after the EAPOL-Key msg 2/4 MIC has been verified. This ended up
storing the PMK-R0/PMK-R1 entries without correct VLAN assignment and as
such, any use of the FT protocol would not be able to transfer the VLAN
information through RRB.

Split local storing of the FT key hierarchy for the cases using the FT
4-way handshake so that PMK-R0 and PMK-R1 are first derived and then
stored as a separate step after having verified the MIC in the EAPOL-Key
msg 2/4 (i.e., after having confirmed the per-STA passphrase/PSK was
selected) and VLAN update. This fixes VLAN information for the
wpa_psk_file cases with FT-PSK.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

src/ap/wpa_auth.c		diff \| blob \| blame \| history
src/ap/wpa_auth_ft.c		diff \| blob \| blame \| history
src/ap/wpa_auth_i.h		diff \| blob \| blame \| history