SAE: Add support for PMKSA caching on the AP side
This makes hostapd create PMKSA cache entries from SAE authentication and allow PMKSA caching to be used with the SAE AKM. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
fcc306e3cc
commit
f299117093
3 changed files with 37 additions and 4 deletions
|
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
* hostapd / IEEE 802.11 Management
|
* hostapd / IEEE 802.11 Management
|
||||||
* Copyright (c) 2002-2013, Jouni Malinen <j@w1.fi>
|
* Copyright (c) 2002-2014, Jouni Malinen <j@w1.fi>
|
||||||
*
|
*
|
||||||
* This software may be distributed under the terms of the BSD license.
|
* This software may be distributed under the terms of the BSD license.
|
||||||
* See README for more details.
|
* See README for more details.
|
||||||
|
@ -29,6 +29,7 @@
|
||||||
#include "sta_info.h"
|
#include "sta_info.h"
|
||||||
#include "ieee802_1x.h"
|
#include "ieee802_1x.h"
|
||||||
#include "wpa_auth.h"
|
#include "wpa_auth.h"
|
||||||
|
#include "pmksa_cache_auth.h"
|
||||||
#include "wmm.h"
|
#include "wmm.h"
|
||||||
#include "ap_list.h"
|
#include "ap_list.h"
|
||||||
#include "accounting.h"
|
#include "accounting.h"
|
||||||
|
@ -517,6 +518,9 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
|
||||||
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
|
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||||
else {
|
else {
|
||||||
sta->sae->state = SAE_ACCEPTED;
|
sta->sae->state = SAE_ACCEPTED;
|
||||||
|
wpa_auth_pmksa_add_sae(hapd->wpa_auth,
|
||||||
|
sta->addr,
|
||||||
|
sta->sae->pmk);
|
||||||
sae_clear_temp_data(sta->sae);
|
sae_clear_temp_data(sta->sae);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1072,9 +1076,21 @@ static u16 check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
|
||||||
|
|
||||||
#ifdef CONFIG_SAE
|
#ifdef CONFIG_SAE
|
||||||
if (wpa_auth_uses_sae(sta->wpa_sm) &&
|
if (wpa_auth_uses_sae(sta->wpa_sm) &&
|
||||||
sta->auth_alg != WLAN_AUTH_SAE &&
|
sta->auth_alg == WLAN_AUTH_OPEN) {
|
||||||
!(sta->auth_alg == WLAN_AUTH_FT &&
|
struct rsn_pmksa_cache_entry *sa;
|
||||||
wpa_auth_uses_ft_sae(sta->wpa_sm))) {
|
sa = wpa_auth_sta_get_pmksa(sta->wpa_sm);
|
||||||
|
if (!sa || sa->akmp != WPA_KEY_MGMT_SAE) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"SAE: No PMKSA cache entry found for "
|
||||||
|
MACSTR, MAC2STR(sta->addr));
|
||||||
|
return WLAN_STATUS_INVALID_PMKID;
|
||||||
|
}
|
||||||
|
wpa_printf(MSG_DEBUG, "SAE: " MACSTR
|
||||||
|
" using PMKSA caching", MAC2STR(sta->addr));
|
||||||
|
} else if (wpa_auth_uses_sae(sta->wpa_sm) &&
|
||||||
|
sta->auth_alg != WLAN_AUTH_SAE &&
|
||||||
|
!(sta->auth_alg == WLAN_AUTH_FT &&
|
||||||
|
wpa_auth_uses_ft_sae(sta->wpa_sm))) {
|
||||||
wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
|
wpa_printf(MSG_DEBUG, "SAE: " MACSTR " tried to use "
|
||||||
"SAE AKM after non-SAE auth_alg %u",
|
"SAE AKM after non-SAE auth_alg %u",
|
||||||
MAC2STR(sta->addr), sta->auth_alg);
|
MAC2STR(sta->addr), sta->auth_alg);
|
||||||
|
|
|
@ -3082,6 +3082,21 @@ int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
|
||||||
|
const u8 *pmk)
|
||||||
|
{
|
||||||
|
if (wpa_auth->conf.disable_pmksa_caching)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN,
|
||||||
|
wpa_auth->addr, addr, 0, NULL,
|
||||||
|
WPA_KEY_MGMT_SAE))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
|
void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
|
||||||
const u8 *sta_addr)
|
const u8 *sta_addr)
|
||||||
{
|
{
|
||||||
|
|
|
@ -276,6 +276,8 @@ int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth,
|
||||||
const u8 *pmk, size_t len, const u8 *sta_addr,
|
const u8 *pmk, size_t len, const u8 *sta_addr,
|
||||||
int session_timeout,
|
int session_timeout,
|
||||||
struct eapol_state_machine *eapol);
|
struct eapol_state_machine *eapol);
|
||||||
|
int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
|
||||||
|
const u8 *pmk);
|
||||||
void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
|
void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
|
||||||
const u8 *sta_addr);
|
const u8 *sta_addr);
|
||||||
int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id);
|
int wpa_auth_sta_set_vlan(struct wpa_state_machine *sm, int vlan_id);
|
||||||
|
|
Loading…
Reference in a new issue