FILS: Use FILS auth alg when connecting using PMKSA caching
authorVinita S. Maloo <vmaloo@codeaurora.org>
Tue, 19 May 2020 12:13:22 +0000 (17:43 +0530)
committerJouni Malinen <j@w1.fi>
Tue, 23 Jun 2020 21:29:58 +0000 (00:29 +0300)
When a PMKSA cache entry is available and used for connection with FILS
key management suite, use FILS authentication algorithm for connection
even if ERP keys are not available. This scenario may happen when
applications using wpa_supplicant cache persistently only PMKSA but not
ERP keys and reconfigures wpa_supplicant with PMKSA cache after
restarting wpa_supplicant.

The previous implementation correctly handles SME-in-wpa_supplicant
cases. However, in SME-in-driver cases, complete FILS authentication
without PMKSA caching is performed.

Fix SME-in-driver behavior by setting authentication algorithm to
WPA_AUTH_ALG_FILS when connecting to a FILS AP using PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wpa_supplicant/wpa_supplicant.c

index 4c1daf1fab9eb48de1af6df45615cb4d329021ee..e7989baef078378082b3885d52ae65f18512f7ca 100644 (file)
@@ -2752,9 +2752,9 @@ static u8 * wpas_populate_assoc_ies(
 #ifdef CONFIG_MBO
        const u8 *mbo_ie;
 #endif
-#ifdef CONFIG_SAE
-       int sae_pmksa_cached = 0;
-#endif /* CONFIG_SAE */
+#if defined(CONFIG_SAE) || defined(CONFIG_FILS)
+       int pmksa_cached = 0;
+#endif /* CONFIG_SAE || CONFIG_FILS */
 #ifdef CONFIG_FILS
        const u8 *realm, *username, *rrk;
        size_t realm_len, username_len, rrk_len;
@@ -2794,9 +2794,9 @@ static u8 * wpas_populate_assoc_ies(
                                            ssid, try_opportunistic,
                                            cache_id, 0) == 0) {
                        eapol_sm_notify_pmkid_attempt(wpa_s->eapol);
-#ifdef CONFIG_SAE
-                       sae_pmksa_cached = 1;
-#endif /* CONFIG_SAE */
+#if defined(CONFIG_SAE) || defined(CONFIG_FILS)
+                       pmksa_cached = 1;
+#endif /* CONFIG_SAE || CONFIG_FILS */
                }
                wpa_ie_len = max_wpa_ie_len;
                if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
@@ -2895,6 +2895,10 @@ static u8 * wpas_populate_assoc_ies(
 
                if (mask)
                        *mask |= WPA_DRV_UPDATE_FILS_ERP_INFO;
+       } else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_FILS_SK_OFFLOAD) &&
+                  ssid->eap.erp && wpa_key_mgmt_fils(wpa_s->key_mgmt) &&
+                  pmksa_cached) {
+               algs = WPA_AUTH_ALG_FILS;
        }
 #endif /* CONFIG_FILS */
 #endif /* IEEE8021X_EAPOL */
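Review bot: The new `else if` branch sets `algs = WPA_AUTH_ALG_FILS` without any log output, whereas the SAE PMKSA-caching override further down in wpas_populate_assoc_ies() announces its decision through wpa_dbg(). Adding `wpa_dbg(wpa_s, MSG_DEBUG, "FILS: Use WPA_AUTH_ALG_FILS for PMKSA caching attempt");` before the assignment would let a debug log show whether FILS authentication was requested from the driver because of a cached PMKSA or because ERP keys were present. Separately, `pmksa_cached` only records that a cache entry was selected. Whether that entry was created with a FILS AKM is not visible in this hunk, so the code that selects the entry presumably enforces that, and this is worth confirming. The function body starts and ends outside the hunk.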
@@ -2911,7 +2915,7 @@ static u8 * wpas_populate_assoc_ies(
        }
 
 #ifdef CONFIG_SAE
-       if (sae_pmksa_cached && algs == WPA_AUTH_ALG_SAE) {
+       if (pmksa_cached && algs == WPA_AUTH_ALG_SAE) {
                wpa_dbg(wpa_s, MSG_DEBUG,
                        "SAE: Use WPA_AUTH_ALG_OPEN for PMKSA caching attempt");
                algs = WPA_AUTH_ALG_OPEN;