SAE: Add support for PMKSA caching on the AP side

This makes hostapd create PMKSA cache entries from SAE authentication
and allow PMKSA caching to be used with the SAE AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index de1ee5ed0ec29134652cb337e0eda8a1a4878a49..ed4f55a4feeb04b2abc905a4efc9f83373a06aa7 100644 (file)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1,6 +1,6 @@
 /*
  * hostapd / IEEE 802.11 Management
- * Copyright (c) 2002-2013, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2002-2014, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -29,6 +29,7 @@
 #include "sta_info.h"
 #include "ieee802_1x.h"
 #include "wpa_auth.h"
+#include "pmksa_cache_auth.h"
 #include "wmm.h"
 #include "ap_list.h"
 #include "accounting.h"
@@ -517,6 +518,9 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
                                resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
                        else {
                                sta->sae->state = SAE_ACCEPTED;
+                               wpa_auth_pmksa_add_sae(hapd->wpa_auth,
+                                                      sta->addr,
+                                                      sta->sae->pmk);
                                sae_clear_temp_data(sta->sae);
                        }
                }
@@ -1072,9 +1076,21 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
 
 #ifdef CONFIG_SAE
                if (wpa_auth_uses_sae(sta->wpa_sm) &&
-                   sta->auth_alg != WLAN_AUTH_SAE &&
-                   !(sta->auth_alg == WLAN_AUTH_FT &&
-                     wpa_auth_uses_ft_sae(sta->wpa_sm))) {
+                   sta->auth_alg == WLAN_AUTH_OPEN) {
+                       struct rsn_pmksa_cache_entry *sa;
+                       sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
+                       if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
+                               wpa_printf(MSG_DEBUG,
+                                          "SAE: No PMKSA cache entry found for "
+                                          MACSTR, MAC2STR(sta->addr));
+                               return WLAN_STATUS_INVALID_PMKID;
+                       }
+                       wpa_printf(MSG_DEBUG, "SAE: " MACSTR
+                                  " using PMKSA caching", MAC2STR(sta->addr));
+               } else if (wpa_auth_uses_sae(sta->wpa_sm) &&
+                          sta->auth_alg != WLAN_AUTH_SAE &&
+                          !(sta->auth_alg == WLAN_AUTH_FT &&
+                            wpa_auth_uses_ft_sae(sta->wpa_sm))) {
                        wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
                                   "SAE AKM after non-SAE auth_alg %u",
                                   MAC2STR(sta->addr), sta->auth_alg);

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index a884d9faf29617acfa2a0dbd4105fd80711f22c7..102845b3616fcff41363e8bdb24a57202e01e5bc 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -3082,6 +3082,21 @@ int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
 }
 
 
+int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
+                          const u8 *pmk)
+{
+       if (wpa_auth->conf.disable_pmksa_caching)
+               return -1;
+
+       if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN,
+                                wpa_auth->addr, addr, 0, NULL,
+                                WPA_KEY_MGMT_SAE))
+               return 0;
+
+       return -1;
+}
+
+
 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
                           const u8 *sta_addr)
 {

diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 929a25359470f7550308d2d57d6baf34a7d2858c..2a5bc1a85388c79a7c60e136c2a2cd0ea4e5562c 100644 (file)
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -276,6 +276,8 @@ int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
                               const u8 *pmk, size_t len, const u8 *sta_addr,
                               int session_timeout,
                               struct eapol_state_machine *eapol);
+int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
+                          const u8 *pmk);
 void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
                           const u8 *sta_addr);
 int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id);