FILS: ERP-based PMKSA cache addition on AP
authorJouni Malinen <jouni@qca.qualcomm.com>
Wed, 5 Jul 2017 14:52:23 +0000 (17:52 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 5 Jul 2017 14:52:23 +0000 (17:52 +0300)
hostapd did not add a new PMKSA cache entry when FILS shared key
authentication was used, i.e., only the initial full authentication
resulted in a PMKSA cache entry being created. Derive the PMKID for the
ERP case as well and add a PMKSA cache entry if the ERP exchange
succeeds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/ap/ieee802_11.c
src/ap/sta_info.h

index efbdc49ec60424484e2462d762275647ed56607a..ac89c908ea425950f5e3d01b60d86fb1c1fae8b4 100644 (file)
@@ -1229,6 +1229,14 @@ void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
                        wpa_printf(MSG_DEBUG,
                                   "FILS: Will send Authentication frame once the response from authentication server is available");
                        sta->flags |= WLAN_STA_PENDING_FILS_ERP;
+                       /* Calculate pending PMKID here so that we do not need
+                        * to maintain a copy of the EAP-Initiate/Reauth
+                        * message. */
+                       if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
+                                          elems.fils_wrapped_data,
+                                          elems.fils_wrapped_data_len,
+                                          sta->fils_erp_pmkid) == 0)
+                               sta->fils_erp_pmkid_set = 1;
                        return;
 #else /* CONFIG_NO_RADIUS */
                        resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
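Review bot: `sta->fils_erp_pmkid_set` is only ever set to 1 in this added block and is left untouched when `fils_pmkid_erp()` fails, so a value left over from an earlier pending ERP attempt can carry into this one. The only reset visible in this commit is in `prepare_auth_resp_fils()` (second hunk), on the path where the ERP exchange has already produced a PMK. If an earlier exchange failed or never completed and nothing outside these hunks clears the flag, a later exchange could add a PMKSA entry whose PMKID was computed from a different EAP-Initiate/Re-auth message than the one behind the PMK. Putting `sta->fils_erp_pmkid_set = 0;` ahead of the `if (fils_pmkid_erp(...) == 0)` makes the flag describe only the current request, and a `MSG_DEBUG` line on the failure branch would explain why no cache entry shows up later. handle_auth_fils starts and ends outside the hunk.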
@@ -1388,6 +1396,24 @@ prepare_auth_resp_fils(struct hostapd_data *hapd,
                        goto fail;
                }
                pmk = pmk_buf;
+
+               if (sta->fils_erp_pmkid_set) {
+                       /* TODO: get PMKLifetime from WPA parameters */
+                       unsigned int dot11RSNAConfigPMKLifetime = 43200;
+
+                       sta->fils_erp_pmkid_set = 0;
+                       if (wpa_auth_pmksa_add2(
+                                   hapd->wpa_auth, sta->addr,
+                                   pmk, pmk_len,
+                                   sta->fils_erp_pmkid,
+                                   sta->session_timeout_set ?
+                                   sta->session_timeout :
+                                   dot11RSNAConfigPMKLifetime,
+                                   wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
+                               wpa_printf(MSG_ERROR,
+                                          "FILS: Failed to add PMKSA cache entry based on ERP");
+                       }
+               }
        } else if (pmksa) {
                pmk = pmksa->pmk;
                pmk_len = pmksa->pmk_len;
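Review bot: The fallback lifetime `43200` is a bare number with no unit, held in a local whose name reads like the configured MIB value, and the TODO confirms it is not taken from the authenticator's parameters. A PMKSA entry lets the station skip the authentication-server exchange until it expires, so this value is policy and should at least carry a comment such as `/* seconds (12 h); used when no session timeout is set for the STA */`, or come from a shared named constant so it cannot drift from the PMKSA cache default. A failed `wpa_auth_pmksa_add2()` is logged and otherwise ignored; that looks deliberate (authentication proceeds without a cache entry), and a one-line comment saying so would stop a later reader from treating it as a missed error path. prepare_auth_resp_fils starts and ends outside the hunk.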
index 81ad693bfb75691cce12068a59d01d6df2afdef6..0a23050846c3ee6254ccd8f19f9bf6be33df5a12 100644 (file)
 #ifdef CONFIG_MESH
 /* needed for mesh_plink_state enum */
 #include "common/defs.h"
-#include "common/wpa_common.h"
 #endif /* CONFIG_MESH */
 
 #include "list.h"
 #include "vlan.h"
+#include "common/wpa_common.h"
 #include "common/ieee802_11_defs.h"
 
 /* STA flags */
@@ -226,10 +226,12 @@ struct sta_info {
 #ifdef CONFIG_FILS
        u8 fils_snonce[FILS_NONCE_LEN];
        u8 fils_session[FILS_SESSION_LEN];
+       u8 fils_erp_pmkid[PMKID_LEN];
        u8 *fils_pending_assoc_req;
        size_t fils_pending_assoc_req_len;
        unsigned int fils_pending_assoc_is_reassoc:1;
        unsigned int fils_dhcp_rapid_commit_proxy:1;
+       unsigned int fils_erp_pmkid_set:1;
        struct wpabuf *fils_hlp_resp;
        struct wpabuf *hlp_dhcp_discover;
        void (*fils_pending_cb)(struct hostapd_data *hapd, struct sta_info *sta,
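Review bot: The two new members are declared four lines apart with nothing tying them together, so a reader of the struct cannot tell that `fils_erp_pmkid` is meaningful only while `fils_erp_pmkid_set` is 1. A comment above the array, for example `/* PMKID for the pending ERP exchange; valid only if fils_erp_pmkid_set */`, would document that invariant where the state lives. struct sta_info starts and ends outside the hunk.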