FILS: Use FILS auth alg when connecting using PMKSA caching

When a PMKSA cache entry is available and used for connection with FILS
key management suite, use FILS authentication algorithm for connection
even if ERP keys are not available. This scenario may happen when
applications using wpa_supplicant cache persistently only PMKSA but not
ERP keys and reconfigures wpa_supplicant with PMKSA cache after
restarting wpa_supplicant.

The previous implementation correctly handles SME-in-wpa_supplicant
cases. However, in SME-in-driver cases, complete FILS authentication
without PMKSA caching is performed.

Fix SME-in-driver behavior by setting authentication algorithm to
WPA_AUTH_ALG_FILS when connecting to a FILS AP using PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Vinita S. Maloo 2020-05-19 17:43:22 +05:30 committed by Jouni Malinen
parent 70b80c31f9
commit d0819a11cc


@ -2752,9 +2752,9 @@ static u8 * wpas_populate_assoc_ies(
#ifdef CONFIG_MBO #ifdef CONFIG_MBO
const u8 *mbo_ie; const u8 *mbo_ie;
#endif #endif
#ifdef CONFIG_SAE #if defined(CONFIG_SAE) || defined(CONFIG_FILS)
int sae_pmksa_cached = 0; int pmksa_cached = 0;
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE || CONFIG_FILS */
#ifdef CONFIG_FILS #ifdef CONFIG_FILS
const u8 *realm, *username, *rrk; const u8 *realm, *username, *rrk;
size_t realm_len, username_len, rrk_len; size_t realm_len, username_len, rrk_len;
@ -2794,9 +2794,9 @@ static u8 * wpas_populate_assoc_ies(
ssid, try_opportunistic, ssid, try_opportunistic,
cache_id, 0) == 0) { cache_id, 0) == 0) {
eapol_sm_notify_pmkid_attempt(wpa_s->eapol); eapol_sm_notify_pmkid_attempt(wpa_s->eapol);
#ifdef CONFIG_SAE #if defined(CONFIG_SAE) || defined(CONFIG_FILS)
sae_pmksa_cached = 1; pmksa_cached = 1;
#endif /* CONFIG_SAE */ #endif /* CONFIG_SAE || CONFIG_FILS */
} }
wpa_ie_len = max_wpa_ie_len; wpa_ie_len = max_wpa_ie_len;
if (wpa_supplicant_set_suites(wpa_s, bss, ssid, if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
@ -2895,6 +2895,10 @@ static u8 * wpas_populate_assoc_ies(
if (mask) if (mask)
*mask |= WPA_DRV_UPDATE_FILS_ERP_INFO; *mask |= WPA_DRV_UPDATE_FILS_ERP_INFO;
} else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_FILS_SK_OFFLOAD) &&
ssid->eap.erp && wpa_key_mgmt_fils(wpa_s->key_mgmt) &&
pmksa_cached) {
algs = WPA_AUTH_ALG_FILS;
} }
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
#endif /* IEEE8021X_EAPOL */ #endif /* IEEE8021X_EAPOL */
@ -2911,7 +2915,7 @@ static u8 * wpas_populate_assoc_ies(
} }
#ifdef CONFIG_SAE #ifdef CONFIG_SAE
if (sae_pmksa_cached && algs == WPA_AUTH_ALG_SAE) { if (pmksa_cached && algs == WPA_AUTH_ALG_SAE) {
wpa_dbg(wpa_s, MSG_DEBUG, wpa_dbg(wpa_s, MSG_DEBUG,
"SAE: Use WPA_AUTH_ALG_OPEN for PMKSA caching attempt"); "SAE: Use WPA_AUTH_ALG_OPEN for PMKSA caching attempt");
algs = WPA_AUTH_ALG_OPEN; algs = WPA_AUTH_ALG_OPEN;
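Review bot: The new `else if` branch in the third hunk switches `algs` to `WPA_AUTH_ALG_FILS` without any debug output, whereas the SAE PMKSA caching path in the last hunk logs its override. Adding `wpa_dbg(wpa_s, MSG_DEBUG, "FILS: Use WPA_AUTH_ALG_FILS for PMKSA caching attempt");` before the assignment would make the selected authentication algorithm traceable when diagnosing SME-in-driver connections. The branch also still requires `ssid->eap.erp`, so a profile with ERP disabled but a cached FILS PMKSA entry appears to keep the old full-authentication behaviour; a one-line comment saying whether that is intended would help. Separately, `pmksa_cached` is now set under `CONFIG_SAE || CONFIG_FILS` while its FILS reader sits inside `IEEE8021X_EAPOL`, so a build with CONFIG_FILS but without that reader may warn about a set-but-unused variable; this is inferred, since `wpas_populate_assoc_ies` starts and ends outside the visible hunks.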