SAE authentication derives PMKID differently from the EAP cases. The
value comes from information exchanged during SAE authentication and
does not bind in the MAC addresses of the STAs. As such, the same PMKID
is used with different BSSIDs. Fix both the hostapd and wpa_supplicant
to use the previous PMKID as is for OKC instead of deriving a new PMKID
using an incorrect derivation method when using an SAE AKM.
This fixes use of opportunistic key caching with SAE.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
for (entry = pmksa->pmksa; entry; entry = entry->next) {
if (os_memcmp(entry->spa, spa, ETH_ALEN) != 0)
continue;
+ if (wpa_key_mgmt_sae(entry->akmp)) {
+ if (os_memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0)
+ return entry;
+ continue;
+ }
rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa, new_pmkid,
entry->akmp);
if (os_memcmp(new_pmkid, pmkid, PMKID_LEN) == 0)
{
struct rsn_pmksa_cache_entry *new_entry;
os_time_t old_expiration = old_entry->expiration;
+ const u8 *pmkid = NULL;
+ if (wpa_key_mgmt_sae(old_entry->akmp))
+ pmkid = old_entry->pmkid;
new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len,
- NULL, NULL, 0,
+ pmkid, NULL, 0,
aa, pmksa->sm->own_addr,
old_entry->network_ctx, old_entry->akmp,
old_entry->fils_cache_id_set ?