PASN: Store AKMP in the PTKSA cache
authorVinay Gannevaram <quic_vganneva@quicinc.com>
Wed, 21 Sep 2022 04:44:55 +0000 (10:14 +0530)
committerJouni Malinen <j@w1.fi>
Thu, 3 Nov 2022 22:52:17 +0000 (00:52 +0200)
PTK is stored in the PTKSA cache following a successful PASN handshake,
however AKMP is removed upon a WPA PASN reset. The PASN handshake is
used in the Wi-Fi Aware R4 specification to define the pairing setup
process. KDK is used to generate a new set of keys, while AKMP is
required for key derivation for pairing. So, keep AKMP in the PTKSA
cache.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/ieee802_11.c
src/ap/wpa_auth_glue.c
src/common/ptksa_cache.c
src/common/ptksa_cache.h
wpa_supplicant/pasn_supplicant.c
wpa_supplicant/wpas_glue.c

index 50c81a6da71eb9896e27bc9699e93b20f6a30886..44c469cbc3d210f7589ec810b5801b0395d21804 100644 (file)
@@ -3733,7 +3733,8 @@ static void handle_auth_pasn(struct hostapd_data *hapd, struct sta_info *sta,
                                       sta->addr, mgmt, len) == 0) {
                        ptksa_cache_add(hapd->ptksa, hapd->own_addr, sta->addr,
                                        sta->pasn->cipher, 43200,
-                                       &sta->pasn->ptk, NULL, NULL);
+                                       &sta->pasn->ptk, NULL, NULL,
+                                       sta->pasn->akmp);
 
                        pasn_set_keys_from_cache(hapd, hapd->own_addr,
                                                 sta->addr, sta->pasn->cipher,
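Review bot: The return value of `ptksa_cache_add()` is discarded in this call, although the function's own header comment documents a `%NULL` return on error, and `pasn_set_keys_from_cache()` runs immediately afterwards. If the add fails, the PTK and the AKMP this commit wants to keep are not in the cache, and what the following lookup does on a miss is not visible in this hunk. Consider at least logging the failure, e.g. `if (!ptksa_cache_add(...)) wpa_printf(MSG_DEBUG, "PASN: Failed to add PTKSA cache entry");`, and deciding whether key installation should still proceed. `handle_auth_pasn()` starts and ends outside the hunk.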
index f388ffe9ffa62f88bd32379b5f4d5c0be49b956d..5107080643882de9a1ccf48a58bf3e424e7429e9 100644 (file)
@@ -935,7 +935,7 @@ static void hostapd_store_ptksa(void *ctx, const u8 *addr,int cipher,
        struct hostapd_data *hapd = ctx;
 
        ptksa_cache_add(hapd->ptksa, hapd->own_addr, addr, cipher, life_time,
-                       ptk, NULL, NULL);
+                       ptk, NULL, NULL, 0);
 }
 
 
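Review bot: Passing a literal `0` as the new `akmp` argument leaves every entry stored through `hostapd_store_ptksa()` without a recorded AKMP, and nothing in the entry marks that as "unknown" rather than a real value. The same literal appears in `wpa_supplicant_store_ptk()` in wpa_supplicant/wpas_glue.c. Code that later reads `entry->akmp` for key derivation, which is the use the commit message describes, has to reject or special-case 0, and no such check is shown in this commit. A comment at both call sites would make the contract explicit: `/* AKMP is not available in this callback; 0 = not recorded */`. Extending the callback to carry the negotiated AKMP would be the stronger fix if the caller has it.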
index aacc42512e36e834f293addec01c4e1763c625d0..3b5c0b8e5c99cc5dda228d960f420d3f08577736 100644 (file)
@@ -264,6 +264,7 @@ void ptksa_cache_flush(struct ptksa_cache *ptksa, const u8 *addr, u32 cipher)
  * @ptk: The PTK
  * @life_time_expiry_cb: Callback for alternative expiration handling
  * @ctx: Context pointer to save into e->ctx for the callback
+ * @akmp: The key management mechanism that was used to derive the PTK
  * Returns: Pointer to the added PTKSA cache entry or %NULL on error
  *
  * This function creates a PTKSA entry and adds it to the PTKSA cache.
@@ -277,7 +278,7 @@ struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
                                           const struct wpa_ptk *ptk,
                                           void (*life_time_expiry_cb)
                                           (struct ptksa_cache_entry *e),
-                                          void *ctx)
+                                          void *ctx, u32 akmp)
 {
        struct ptksa_cache_entry *entry, *tmp, *tmp2 = NULL;
        struct os_reltime now;
@@ -302,6 +303,7 @@ struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
        entry->cipher = cipher;
        entry->cb = life_time_expiry_cb;
        entry->ctx = ctx;
+       entry->akmp = akmp;
 
        if (own_addr)
                os_memcpy(entry->own_addr, own_addr, ETH_ALEN);
index a643a268e8787dc224818a1cf6f7096e683aec5d..6182215cddd72554f1bd7a683edb76069e9cd62e 100644 (file)
@@ -26,6 +26,7 @@ struct ptksa_cache_entry {
        u8 own_addr[ETH_ALEN];
        void (*cb)(struct ptksa_cache_entry *e);
        void *ctx;
+       u32 akmp;
 };
 
 #ifdef CONFIG_PTKSA_CACHE
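Review bot: The new `u32 akmp` field has no comment saying which value space it holds, and the `@akmp` line added to the `ptksa_cache_add()` header only says "key management mechanism". Because the value is meant to feed later key derivation, a reader needs to know the encoding. Presumably it is a single `WPA_KEY_MGMT_*` value, as passed from `sta->pasn->akmp`, but that field's type is not visible in this diff. Suggested: `u32 akmp; /* WPA_KEY_MGMT_* used to derive the PTK (confirm encoding) */`.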
@@ -44,7 +45,7 @@ struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
                                           const struct wpa_ptk *ptk,
                                           void (*cb)
                                           (struct ptksa_cache_entry *e),
-                                          void *ctx);
+                                          void *ctx, u32 akmp);
 void ptksa_cache_flush(struct ptksa_cache *ptksa, const u8 *addr, u32 cipher);
 
 #else /* CONFIG_PTKSA_CACHE */
@@ -73,7 +74,7 @@ static inline int ptksa_cache_list(struct ptksa_cache *ptksa,
 static inline struct ptksa_cache_entry *
 ptksa_cache_add(struct ptksa_cache *ptksa, const u8 *own_addr, const u8 *addr,
                u32 cipher, u32 life_time, const struct wpa_ptk *ptk,
-               void (*cb)(struct ptksa_cache_entry *e), void *ctx)
+               void (*cb)(struct ptksa_cache_entry *e), void *ctx, u32 akmp)
 {
        return NULL;
 }
index 14ffba448eb821c9d0f5a8ebdae6abd6e9648da1..2650fd31f6db84b925a9076606e0dbcbcfb071a5 100644 (file)
@@ -1977,7 +1977,7 @@ int wpas_pasn_auth_rx(struct wpa_supplicant *wpa_s,
                                pasn->cipher, dot11RSNAConfigPMKLifetime,
                                &pasn->ptk,
                                wpa_s->pasn_params ? wpas_pasn_deauth_cb : NULL,
-                               wpa_s->pasn_params ? wpa_s : NULL);
+                               wpa_s->pasn_params ? wpa_s : NULL, pasn->akmp);
 
                if (pasn->pmksa_entry)
                        wpa_sm_set_cur_pmksa(wpa_s->wpa, pasn->pmksa_entry);
index c5cfa92e57203ed95f3bd8b900bda1869e57192c..685274875ba2ba60523d829677cd66f2b9e4baa7 100644 (file)
@@ -1379,7 +1379,7 @@ static void wpa_supplicant_store_ptk(void *ctx, u8 *addr, int cipher,
        struct wpa_supplicant *wpa_s = ctx;
 
        ptksa_cache_add(wpa_s->ptksa, wpa_s->own_addr, addr, cipher, life_time,
-                       ptk, NULL, NULL);
+                       ptk, NULL, NULL, 0);
 }
 
 #endif /* CONFIG_NO_WPA */