From: Jouni Malinen Date: Sun, 28 Apr 2019 12:52:43 +0000 (+0300) Subject: FT: Allow cached XXKey/MPMK to be used if new XXKey is not available X-Git-Tag: hostap_2_9~317 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7b7ce82f4a67d8b355525068459dd3013a7bcb0;p=thirdparty%2Fhostap.git FT: Allow cached XXKey/MPMK to be used if new XXKey is not available This allows authenticator side to complete FT initial mobility domain association using FT-EAP with PMKSA caching. Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 09d579e01..d1a983e0b 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -25,6 +25,7 @@
 #include "wmm.h"
 #include "wpa_auth.h"
 #include "wpa_auth_i.h"
+#include "pmksa_cache_auth.h"
 #ifdef CONFIG_IEEE80211R_AP
@@ -2094,8 +2095,16 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk)
 const u8 *identity, *radius_cui;
 size_t identity_len, radius_cui_len;
 int session_timeout;
-
- if (sm->xxkey_len == 0) {
+ const u8 *mpmk;
+ size_t mpmk_len;
+
+ if (sm->xxkey_len > 0) {
+ mpmk = sm->xxkey;
+ mpmk_len = sm->xxkey_len;
+ } else if (sm->pmksa) {
+ mpmk = sm->pmksa->pmk;
+ mpmk_len = sm->pmksa->pmk_len;
+ } else {
 wpa_printf(MSG_DEBUG, "FT: XXKey not available for key " "derivation");
 return -1;
@@ -2112,7 +2121,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk)
 &radius_cui);
 session_timeout = wpa_ft_get_session_timeout(sm->wpa_auth, sm->addr);
- if (wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid,
+ if (wpa_derive_pmk_r0(mpmk, mpmk_len, ssid, ssid_len, mdid,
 r0kh, r0kh_len, sm->addr, pmk_r0, pmk_r0_name, wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) < 0)
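Review bot: The new `else if (sm->pmksa)` branch in wpa_auth_derive_ptk_ft() accepts `sm->pmksa->pmk` and `sm->pmksa->pmk_len` as the MPMK with no check at all, whereas the XXKey branch above it at least requires `xxkey_len > 0`. Nothing visible in this diff establishes that the cached entry holds the XXKey/MPMK rather than an ordinary PMK, or that its length fits the AKM selected by `wpa_key_mgmt_sha384(sm->wpa_key_mgmt)` in the `wpa_derive_pmk_r0()` call of the third hunk, so a mismatched entry would presumably yield a PMK-R0 derived from the wrong key material. I would tighten the condition to `} else if (sm->pmksa && sm->pmksa->pmk_len > 0) {`, add a comment such as `/* PMKSA entry is expected to cache XXKey/MPMK for FT-EAP */` naming where that is guaranteed, and log at debug level when the cached key is the one used. The function body starts and continues outside these hunks, so checks made elsewhere in it cannot be ruled out.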