FT: Do not try to use FT protocol between mobility domains

wpa_supplicant has support for only a single FT key hierarchy and as such, cannot use more than a single mobility domain at a time. Do not allow FT protocol to be started if there is a request to reassociate to a different BSS within the same ESS if that BSS is in a different mobility domain. This results in the initial mobility domain association being used whenever moving to another mobility domain. While it would be possible to add support for multiple FT key hierachies and multiple mobility domains in theory, there does not yet seem to be sufficient justification to add the complexity needed for that due to limited, if any, deployment of such networks. As such, it is simplest to just prevent these attempts for now and start with a clean initial mobility domain association. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-08 23:43:43 +02:00 · 2022-11-08 23:43:43 +02:00 · bbe5f0c1eb
commit bbe5f0c1eb
parent b92f61885c
9 changed files with 46 additions and 13 deletions
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@ -1317,6 +1317,7 @@ static int wpa_supplicant_ctrl_iface_ft_ds(
 	u8 target_ap[ETH_ALEN];
 	struct wpa_bss *bss;
 	const u8 *mdie;
+	bool force = os_strstr(addr, " force") != NULL;

 	if (hwaddr_aton(addr, target_ap)) {
 		wpa_printf(MSG_DEBUG, "CTRL_IFACE FT_DS: invalid "
@ -1332,7 +1333,7 @@ static int wpa_supplicant_ctrl_iface_ft_ds(
 	else
 		mdie = NULL;

-	return wpa_ft_start_over_ds(wpa_s->wpa, target_ap, mdie);
+	return wpa_ft_start_over_ds(wpa_s->wpa, target_ap, mdie, force);
 }
 #endif /* CONFIG_IEEE80211R */

--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@ -619,7 +619,7 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,

 		if (wpa_s->sme.prev_bssid_set && wpa_s->sme.ft_used &&
 		    os_memcmp(md, wpa_s->sme.mobility_domain, 2) == 0 &&
-		    wpa_sm_has_ptk(wpa_s->wpa)) {
+		    wpa_sm_has_ft_keys(wpa_s->wpa, md)) {
 			wpa_dbg(wpa_s, MSG_DEBUG, "SME: Trying to use FT "
 				"over-the-air");
 			params.auth_alg = WPA_AUTH_ALG_FT;
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@ -3490,7 +3490,7 @@ pfs_fail:
 			}
 #ifdef CONFIG_SME
 			if (len > 0 && wpa_s->sme.ft_used &&
-			    wpa_sm_has_ptk(wpa_s->wpa)) {
+			    wpa_sm_has_ft_keys(wpa_s->wpa, md)) {
 				wpa_dbg(wpa_s, MSG_DEBUG,
 					"SME: Trying to use FT over-the-air");
 				algs |= WPA_AUTH_ALG_FT;