FT: Allow PMKSA caching to be enabled with FT-EAP

The new wpa_supplicant network profile configuration parameter
ft_eap_pmksa_caching=1 can be used to enable use of PMKSA caching with
FT-EAP for FT initial mobility domain association. This is still
disabled by default (i.e., maintaining previous behavior) to avoid
likely interoperability issues.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-04-28 16:01:45 +03:00 committed by Jouni Malinen
parent a7b7ce82f4
commit 9083ef1355
6 changed files with 29 additions and 6 deletions

View file

@ -2407,6 +2407,7 @@ static const struct parse_data ssid_fields[] = {
{ INT_RANGE(owe_group, 0, 65535) }, { INT_RANGE(owe_group, 0, 65535) },
{ INT_RANGE(owe_only, 0, 1) }, { INT_RANGE(owe_only, 0, 1) },
{ INT_RANGE(multi_ap_backhaul_sta, 0, 1) }, { INT_RANGE(multi_ap_backhaul_sta, 0, 1) },
{ INT_RANGE(ft_eap_pmksa_caching, 0, 1) },
}; };
#undef OFFSET #undef OFFSET

View file

@ -894,6 +894,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
INT(owe_group); INT(owe_group);
INT(owe_only); INT(owe_only);
INT(multi_ap_backhaul_sta); INT(multi_ap_backhaul_sta);
INT(ft_eap_pmksa_caching);
#ifdef CONFIG_HT_OVERRIDES #ifdef CONFIG_HT_OVERRIDES
INT_DEF(disable_ht, DEFAULT_DISABLE_HT); INT_DEF(disable_ht, DEFAULT_DISABLE_HT);
INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40); INT_DEF(disable_ht40, DEFAULT_DISABLE_HT40);

View file

@ -1005,6 +1005,16 @@ struct wpa_ssid {
* 1 = Multi-AP backhaul station * 1 = Multi-AP backhaul station
*/ */
int multi_ap_backhaul_sta; int multi_ap_backhaul_sta;
/**
* ft_eap_pmksa_caching - Whether FT-EAP PMKSA caching is allowed
* 0 = do not try to use PMKSA caching with FT-EAP
* 1 = try to use PMKSA caching with FT-EAP
*
* This controls whether to try to use PMKSA caching with FT-EAP for the
* FT initial mobility domain association.
*/
int ft_eap_pmksa_caching;
}; };
#endif /* CONFIG_SSID_H */ #endif /* CONFIG_SSID_H */

View file

@ -946,6 +946,7 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
INT(update_identifier); INT(update_identifier);
#endif /* CONFIG_HS20 */ #endif /* CONFIG_HS20 */
INT(group_rekey); INT(group_rekey);
INT(ft_eap_pmksa_caching);
#undef STR #undef STR
#undef INT #undef INT

View file

@ -1417,9 +1417,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384; wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
wpa_dbg(wpa_s, MSG_DEBUG, wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: using KEY_MGMT FT/802.1X-SHA384"); "WPA: using KEY_MGMT FT/802.1X-SHA384");
if (pmksa_cache_get_current(wpa_s->wpa)) { if (!ssid->ft_eap_pmksa_caching &&
/* PMKSA caching with FT is not fully functional, so pmksa_cache_get_current(wpa_s->wpa)) {
* disable the case for now. */ /* PMKSA caching with FT may have interoperability
* issues, so disable that case by default for now. */
wpa_dbg(wpa_s, MSG_DEBUG, wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: Disable PMKSA caching for FT/802.1X connection"); "WPA: Disable PMKSA caching for FT/802.1X connection");
pmksa_cache_clear_current(wpa_s->wpa); pmksa_cache_clear_current(wpa_s->wpa);
@ -1458,9 +1459,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
} else if (sel & WPA_KEY_MGMT_FT_IEEE8021X) { } else if (sel & WPA_KEY_MGMT_FT_IEEE8021X) {
wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X; wpa_s->key_mgmt = WPA_KEY_MGMT_FT_IEEE8021X;
wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X"); wpa_dbg(wpa_s, MSG_DEBUG, "WPA: using KEY_MGMT FT/802.1X");
if (pmksa_cache_get_current(wpa_s->wpa)) { if (!ssid->ft_eap_pmksa_caching &&
/* PMKSA caching with FT is not fully functional, so pmksa_cache_get_current(wpa_s->wpa)) {
* disable the case for now. */ /* PMKSA caching with FT may have interoperability
* issues, so disable that case by default for now. */
wpa_dbg(wpa_s, MSG_DEBUG, wpa_dbg(wpa_s, MSG_DEBUG,
"WPA: Disable PMKSA caching for FT/802.1X connection"); "WPA: Disable PMKSA caching for FT/802.1X connection");
pmksa_cache_clear_current(wpa_s->wpa); pmksa_cache_clear_current(wpa_s->wpa);

View file

@ -1058,6 +1058,14 @@ fast_reauth=1
# 0 = disabled (default unless changed with the global okc parameter) # 0 = disabled (default unless changed with the global okc parameter)
# 1 = enabled # 1 = enabled
# #
# ft_eap_pmksa_caching:
# Whether FT-EAP PMKSA caching is allowed
# 0 = do not try to use PMKSA caching with FT-EAP (default)
# 1 = try to use PMKSA caching with FT-EAP
# This controls whether to try to use PMKSA caching with FT-EAP for the
# FT initial mobility domain association.
#ft_eap_pmksa_caching=0
#
# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
# hex without quotation, e.g., 0102030405) # hex without quotation, e.g., 0102030405)
# wep_tx_keyidx: Default WEP key index (TX) (0..3) # wep_tx_keyidx: Default WEP key index (TX) (0..3)