From f9854c183d2fd1d3ef502e1a9e38c5dd0f077e83 Mon Sep 17 00:00:00 2001 From: Michal Kazior Date: Thu, 1 Feb 2018 12:03:28 +0100 Subject: [PATCH] hostapd: Fix wpa_psk_file support for FT-PSK For FT-PSK sm->xxkey was populated with only the first password on the linked list (i.e., last matching password in the wpa_psk_file) in INITPSK. This caused only that password to be recognized and accepted. All other passwords were not verified properly and subsequently prevented clients from connecting. Hostapd would report: Jan 30 12:55:44 hostapd: ap0: STA xx:xx:xx:xx:xx:xx WPA: sending 1/4 msg of 4-Way Handshake Jan 30 12:55:44 hostapd: ap0: STA xx:xx:xx:xx:xx:xx WPA: received EAPOL-Key frame (2/4 Pairwise) Jan 30 12:55:44 hostapd: ap0: STA xx:xx:xx:xx:xx:xx WPA: invalid MIC in msg 2/4 of 4-Way Handshake Jan 30 12:55:45 hostapd: ap0: STA xx:xx:xx:xx:xx:xx WPA: EAPOL-Key timeout Signed-off-by: Michal Kazior --- src/ap/wpa_auth.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 5664caa35..ccb21fe4c 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -861,6 +861,12 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data, sm->p2p_dev_addr, pmk, &pmk_len); if (pmk == NULL) break; +#ifdef CONFIG_IEEE80211R_AP + if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { + os_memcpy(sm->xxkey, pmk, pmk_len); + sm->xxkey_len = pmk_len; + } +#endif /* CONFIG_IEEE80211R_AP */ } else { pmk = sm->PMK; pmk_len = sm->pmk_len; @@ -2643,6 +2649,12 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING) if (pmk == NULL) break; psk_found = 1; +#ifdef CONFIG_IEEE80211R_AP + if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { + os_memcpy(sm->xxkey, pmk, pmk_len); + sm->xxkey_len = pmk_len; + } +#endif /* CONFIG_IEEE80211R_AP */ } else { pmk = sm->PMK; pmk_len = sm->pmk_len;