From 9083ef135527cfdfa029a878df441d49285caed4 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 28 Apr 2019 16:01:45 +0300
Subject: [PATCH] FT: Allow PMKSA caching to be enabled with FT-EAP

The new wpa_supplicant network profile configuration parameter ft_eap_pmksa_caching=1 can be used to enable use of PMKSA caching with FT-EAP for FT initial mobility domain association. This is still disabled by default (i.e., maintaining previous behavior) to avoid likely interoperability issues.

Signed-off-by: Jouni Malinen
---
 wpa_supplicant/config.c | 1 +
 wpa_supplicant/config_file.c | 1 +
 wpa_supplicant/config_ssid.h | 10 ++++++++++
 wpa_supplicant/config_winreg.c | 1 +
 wpa_supplicant/wpa_supplicant.c | 14 ++++++++------
 wpa_supplicant/wpa_supplicant.conf | 8 ++++++++
 6 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 2058175f8..d33ad9a8a 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2407,6 +2407,7 @@ static const struct parse_data ssid_fields[] = {
 { INT_RANGE(owe_group, 0, 65535) },
 { INT_RANGE(owe_only, 0, 1) },
 { INT_RANGE(multi_ap_backhaul_sta, 0, 1) },
+ { INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
 };
 #undef OFFSET
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 26f6ee147..fe5a0115a 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -894,6 +894,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 INT(owe_group);
 INT(owe_only);
 INT(multi_ap_backhaul_sta);
+ INT(ft_eap_pmksa_caching);
 #ifdef CONFIG_HT_OVERRIDES
 INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
 INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 1b2b1f1a3..37b818395 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -1005,6 +1005,16 @@ struct wpa_ssid {
 * 1 = Multi-AP backhaul station
 */
 int multi_ap_backhaul_sta;
+
+ /**
+ * ft_eap_pmksa_caching - Whether FT-EAP PMKSA caching is allowed
+ * 0 = do not try to use PMKSA caching with FT-EAP
+ * 1 = try to use PMKSA caching with FT-EAP
+ *
+ * This controls whether to try to use PMKSA caching with FT-EAP for the
+ * FT initial mobility domain association.
+ */
+ int ft_eap_pmksa_caching;
 };
 #endif /* CONFIG_SSID_H */
diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c
index 6328e91b9..3ea5c8077 100644
--- a/wpa_supplicant/config_winreg.c
+++ b/wpa_supplicant/config_winreg.c
@@ -946,6 +946,7 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 INT(update_identifier);
 #endif /* CONFIG_HS20 */
 INT(group_rekey);
+ INT(ft_eap_pmksa_caching);
 #undef STR
 #undef INT
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 2ddd4f2d3..799e215a7 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1417,9 +1417,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
 wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X-SHA384");
- if (pmksa_cache_get_current(wpa_s->wpa)) {
- /* PMKSA caching with FT is not fully functional, so
- * disable the case for now. */
+ if (!ssid->ft_eap_pmksa_caching &&
+ pmksa_cache_get_current(wpa_s->wpa)) {
+ /* PMKSA caching with FT may have interoperability
+ * issues, so disable that case by default for now. */
 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Disable PMKSA caching for FT/802.1X connection");
 pmksa_cache_clear_current(wpa_s->wpa);
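Review bot: The doc comment added for `ft_eap_pmksa_caching` in struct wpa_ssid (config_ssid.h) does not say which value is the default, while the wpa_supplicant.conf text added by the same patch marks 0 as the default; the two descriptions should agree. Suggest `* 0 = do not try to use PMKSA caching with FT-EAP (default)` and one further sentence noting that the option stays off by default because of likely interoperability issues, as the commit message states. The struct definition starts outside the hunk.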
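Review bot: When `ft_eap_pmksa_caching` is set, the new condition in the FT/802.1X-SHA384 branch of wpa_supplicant_set_suites() short-circuits without any log output, so a debug trace cannot tell whether a cached PMKSA entry was kept for the FT initial mobility domain association or none existed. Keeping the entry presumably lets the association proceed without a fresh EAP exchange, so the choice is worth recording, e.g. an `else if (pmksa_cache_get_current(wpa_s->wpa))` arm with `wpa_dbg(wpa_s, MSG_DEBUG, "WPA: PMKSA caching allowed for FT/802.1X connection");`. The same applies to the identical condition in the FT/802.1X branch (hunk `@@ -1458,9 +1459,10 @@`); the two copies could share one static helper so they cannot drift apart. The `if` body and the rest of the function continue outside the hunk.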
@@ -1458,9 +1459,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
 } else if (sel & WPA_KEY_MGMT_FT_IEEE8021X) {
 wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X");
- if (pmksa_cache_get_current(wpa_s->wpa)) {
- /* PMKSA caching with FT is not fully functional, so
- * disable the case for now. */
+ if (!ssid->ft_eap_pmksa_caching &&
+ pmksa_cache_get_current(wpa_s->wpa)) {
+ /* PMKSA caching with FT may have interoperability
+ * issues, so disable that case by default for now. */
 wpa_dbg(wpa_s, MSG_DEBUG, "WPA: Disable PMKSA caching for FT/802.1X connection");
 pmksa_cache_clear_current(wpa_s->wpa);
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index a9205f0b8..842a8dbe0 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1058,6 +1058,14 @@ fast_reauth=1
 # 0 = disabled (default unless changed with the global okc parameter)
 # 1 = enabled
 #
+# ft_eap_pmksa_caching:
+# Whether FT-EAP PMKSA caching is allowed
+# 0 = do not try to use PMKSA caching with FT-EAP (default)
+# 1 = try to use PMKSA caching with FT-EAP
+# This controls whether to try to use PMKSA caching with FT-EAP for the
+# FT initial mobility domain association.
+#ft_eap_pmksa_caching=0
+#
 # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
 # hex without quotation, e.g., 0102030405)
 # wep_tx_keyidx: Default WEP key index (TX) (0..3)
-- 
2.39.2