FT: Do not add PMKID to the driver for FT-EAP if caching is disabled
authorJouni Malinen <jouni@codeaurora.org>
Sat, 6 Jun 2020 13:46:32 +0000 (16:46 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 6 Jun 2020 13:48:57 +0000 (16:48 +0300)
wpa_supplicant disables PMKSA caching with FT-EAP by default due to
known interoperability issues with APs. This is allowed only if the
network profile is explicitly enabling caching with
ft_eap_pmksa_caching=1. However, the PMKID for such PMKSA cache entries
was still being configured to the driver and it was possible for the
driver to build an RSNE with the PMKID for SME-in-driver cases. This
could result in hitting the interop issue with some APs.

Fix this by skipping PMKID configuration to the driver for FT-EAP AKM if
ft_eap_pmksa_caching=1 is not used in the network profile so that the
driver and wpa_supplicant behavior are in sync for this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/rsn_supp/pmksa_cache.c
src/rsn_supp/preauth.c
src/rsn_supp/wpa.h
src/rsn_supp/wpa_i.h
wpa_supplicant/preauth_test.c
wpa_supplicant/wpas_glue.c

index 4a175f166e7222226264c6a05e5c5416703a089d..e481dd5d6943fa6fc777357836ef6b5976749b8b 100644 (file)
@@ -269,7 +269,8 @@ pmksa_cache_add_entry(struct rsn_pmksa_cache *pmksa,
                         entry->fils_cache_id_set ? entry->fils_cache_id : NULL,
                         entry->pmk, entry->pmk_len,
                         pmksa->sm->dot11RSNAConfigPMKLifetime,
-                        pmksa->sm->dot11RSNAConfigPMKReauthThreshold);
+                        pmksa->sm->dot11RSNAConfigPMKReauthThreshold,
+                        entry->akmp);
 
        return entry;
 }
index d4d1307a9c60635fe79bad38adb9eaa0432a7024..1a38bf6bcbfac75543e3d758edd86b99d1fcd8d8 100644 (file)
@@ -349,7 +349,8 @@ void rsn_preauth_candidate_process(struct wpa_sm *sm)
                 * PMKIDs again, so report the existing data now. */
                if (p) {
                        wpa_sm_add_pmkid(sm, NULL, candidate->bssid, p->pmkid,
-                                        NULL, p->pmk, p->pmk_len, 0, 0);
+                                        NULL, p->pmk, p->pmk_len, 0, 0,
+                                        p->akmp);
                }
 
                dl_list_del(&candidate->list);
index f3901e01b32bb82da35e7c4a66b3ced42059405a..a4512eadc26553d74c01ffd9e4b1862d717c9f25 100644 (file)
@@ -43,7 +43,7 @@ struct wpa_sm_ctx {
        int (*add_pmkid)(void *ctx, void *network_ctx, const u8 *bssid,
                         const u8 *pmkid, const u8 *fils_cache_id,
                         const u8 *pmk, size_t pmk_len, u32 pmk_lifetime,
-                        u8 pmk_reauth_threshold);
+                        u8 pmk_reauth_threshold, int akmp);
        int (*remove_pmkid)(void *ctx, void *network_ctx, const u8 *bssid,
                            const u8 *pmkid, const u8 *fils_cache_id);
        void (*set_config_blob)(void *ctx, struct wpa_config_blob *blob);
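Review bot: The new `int akmp` argument of the add_pmkid callback has no description, and its meaning is only visible from the comparison against WPA_KEY_MGMT_FT_IEEE8021X in the wpas_glue.c hunk. A short comment above the member would help anyone implementing the callback, e.g. `/* akmp: WPA_KEY_MGMT_* value of the PMKSA entry; the callback may decline to configure the driver based on it */`. The struct wpa_sm_ctx definition starts and ends outside this hunk.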
index 4db925619b4f56003c3e2e3897af6d9adaa6831b..b2b43f4f07d0c52534e9360bc3f859c3c0463d3a 100644 (file)
@@ -268,12 +268,12 @@ static inline int wpa_sm_add_pmkid(struct wpa_sm *sm, void *network_ctx,
                                   const u8 *bssid, const u8 *pmkid,
                                   const u8 *cache_id, const u8 *pmk,
                                   size_t pmk_len, u32 pmk_lifetime,
-                                  u8 pmk_reauth_threshold)
+                                  u8 pmk_reauth_threshold, int akmp)
 {
        WPA_ASSERT(sm->ctx->add_pmkid);
        return sm->ctx->add_pmkid(sm->ctx->ctx, network_ctx, bssid, pmkid,
                                  cache_id, pmk, pmk_len, pmk_lifetime,
-                                 pmk_reauth_threshold);
+                                 pmk_reauth_threshold, akmp);
 }
 
 static inline int wpa_sm_remove_pmkid(struct wpa_sm *sm, void *network_ctx,
index 4a8f4ff8fbc6fd61c60343e6253256b93b60bf5f..de49948f71e48c4a2f65703bb216313b72c07dab 100644 (file)
@@ -154,7 +154,8 @@ static int wpa_supplicant_add_pmkid(void *wpa_s, void *network_ctx,
                                    const u8 *bssid, const u8 *pmkid,
                                    const u8 *fils_cache_id,
                                    const u8 *pmk, size_t pmk_len,
-                                   u32 pmk_lifetime, u8 pmk_reauth_threshold)
+                                   u32 pmk_lifetime, u8 pmk_reauth_threshold,
+                                   int akmp)
 {
        printf("%s - not implemented\n", __func__);
        return -1;
index ec6d7858d81d1ade54a1ea47c0e0e7c70f43b72f..bafcb00e037423a15306f032dfa3d1dabb71ab95 100644 (file)
@@ -575,7 +575,8 @@ static int wpa_supplicant_add_pmkid(void *_wpa_s, void *network_ctx,
                                    const u8 *bssid, const u8 *pmkid,
                                    const u8 *fils_cache_id,
                                    const u8 *pmk, size_t pmk_len,
-                                   u32 pmk_lifetime, u8 pmk_reauth_threshold)
+                                   u32 pmk_lifetime, u8 pmk_reauth_threshold,
+                                   int akmp)
 {
        struct wpa_supplicant *wpa_s = _wpa_s;
        struct wpa_ssid *ssid;
@@ -583,9 +584,22 @@ static int wpa_supplicant_add_pmkid(void *_wpa_s, void *network_ctx,
 
        os_memset(&params, 0, sizeof(params));
        ssid = wpas_get_network_ctx(wpa_s, network_ctx);
-       if (ssid)
+       if (ssid) {
                wpa_msg(wpa_s, MSG_INFO, PMKSA_CACHE_ADDED MACSTR " %d",
                        MAC2STR(bssid), ssid->id);
+               if ((akmp == WPA_KEY_MGMT_FT_IEEE8021X ||
+                    akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384) &&
+                   !ssid->ft_eap_pmksa_caching) {
+                       /* Since we will not be using PMKSA caching for FT-EAP
+                        * within wpa_supplicant to avoid known interop issues
+                        * with APs, do not add this PMKID to the driver either
+                        * so that we won't be hitting those interop issues
+                        * with driver-based RSNE generation. */
+                       wpa_printf(MSG_DEBUG,
+                                  "FT: Do not add PMKID entry to the driver since FT-EAP PMKSA caching is not enabled in configuration");
+                       return 0;
+               }
+       }
        if (ssid && fils_cache_id) {
                params.ssid = ssid->ssid;
                params.ssid_len = ssid->ssid_len;
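Review bot: The FT-EAP skip in wpa_supplicant_add_pmkid() only runs inside `if (ssid)`, so a call whose network_ctx does not resolve to a profile still configures the PMKID to the driver. The rsn_preauth_candidate_process() hunk in src/rsn_supp/preauth.c passes `NULL` as network_ctx together with `p->akmp`, so that path presumably bypasses the new check (wpas_get_network_ctx() is not shown here, so confirm what it returns for NULL). Since the commit message says caching is off unless the profile sets ft_eap_pmksa_caching=1, consider moving the test out of the ssid block and treating an unknown profile as disabled, with `(!ssid || !ssid->ft_eap_pmksa_caching)` as the last operand. If passing the PMKID through is intended in that case, a comment saying so would help. The function body continues past the end of the hunk.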