OKC with Suite B AKMPs in hostapd

To support Opportunistic Key Caching for Suite B key management, KCK needs to be stored on PMKSA to derive the new PMKID correctly when processing reassociation from a STA to a new AP. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-30 19:52:06 +02:00 · 2023-10-30 19:52:06 +02:00 · aac288914e
commit aac288914e
parent 0c9df339f5
2 changed files with 17 additions and 2 deletions
--- a/src/ap/pmksa_cache_auth.c
+++ b/src/ap/pmksa_cache_auth.c
@ -334,6 +334,10 @@ pmksa_cache_auth_create_entry(const u8 *pmk, size_t pmk_len, const u8 *pmkid,
 		return NULL;
 	os_memcpy(entry->pmk, pmk, pmk_len);
 	entry->pmk_len = pmk_len;
 	if (kck && kck_len && kck_len < WPA_KCK_MAX_LEN) {
 		os_memcpy(entry->kck, kck, kck_len);
 		entry->kck_len = kck_len;
 	}
 	if (pmkid)
 		os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
 	else if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
@ -525,8 +529,17 @@ struct rsn_pmksa_cache_entry * pmksa_cache_get_okc(
 				return entry;
 			continue;
 		}
-		rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa, new_pmkid,
+		if (entry->akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192 &&
-			  entry->akmp);
+		    entry->kck_len > 0)
 			rsn_pmkid_suite_b_192(entry->kck, entry->kck_len,
 					      aa, spa, new_pmkid);
 		else if (wpa_key_mgmt_suite_b(entry->akmp) &&
 			 entry->kck_len > 0)
 		rsn_pmkid_suite_b(entry->kck, entry->kck_len, aa, spa,
 				  new_pmkid);
 		else
 			rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa,
 				  new_pmkid, entry->akmp);
 		if (os_memcmp(new_pmkid, pmkid, PMKID_LEN) == 0)
 			return entry;
 	}
--- a/src/ap/pmksa_cache_auth.h
+++ b/src/ap/pmksa_cache_auth.h
@ -19,6 +19,8 @@ struct rsn_pmksa_cache_entry {
 	u8 pmkid[PMKID_LEN];
 	u8 pmk[PMK_LEN_MAX];
 	size_t pmk_len;
 	u8 kck[WPA_KCK_MAX_LEN];
 	size_t kck_len;
 	os_time_t expiration;
 	int akmp; /* WPA_KEY_MGMT_* */
 	u8 spa[ETH_ALEN];