
FILS: ERP-based PMKSA cache addition on AP

hostapd did not add a new PMKSA cache entry when FILS shared key
authentication was used, i.e., only the initial full authentication
resulted in a PMKSA cache entry being created. Derive the PMKID for the
ERP case as well and add a PMKSA cache entry if the ERP exchange
succeeds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 7 years ago
parent
commit
b3e567c890
2 changed files with 29 additions and 1 deletions
  1. 26 0
      src/ap/ieee802_11.c
  2. 3 1
      src/ap/sta_info.h

+ 26 - 0
src/ap/ieee802_11.c

@@ -1229,6 +1229,14 @@ void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
 			wpa_printf(MSG_DEBUG,
 				   "FILS: Will send Authentication frame once the response from authentication server is available");
 			sta->flags |= WLAN_STA_PENDING_FILS_ERP;
+			/* Calculate pending PMKID here so that we do not need
+			 * to maintain a copy of the EAP-Initiate/Reauth
+			 * message. */
+			if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
+					   elems.fils_wrapped_data,
+					   elems.fils_wrapped_data_len,
+					   sta->fils_erp_pmkid) == 0)
+				sta->fils_erp_pmkid_set = 1;
 			return;
 #else /* CONFIG_NO_RADIUS */
 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
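Review bot: When `fils_pmkid_erp()` fails in the added block, `sta->fils_erp_pmkid_set` keeps whatever value it already had, so a flag and PMKID left over from an earlier ERP attempt on the same `sta` could carry into this exchange. The only reset visible in this commit is on the success path of prepare_auth_resp_fils(). If no other path clears the flag, the later `wpa_auth_pmksa_add2()` call would cache the new PMK under a PMKID derived from a different EAP-Initiate/Re-auth message. Assigning the result unconditionally avoids that: `sta->fils_erp_pmkid_set = fils_pmkid_erp(...) == 0;`. A `wpa_printf(MSG_DEBUG, "FILS: Could not derive ERP PMKID")` on failure would also make a missing cache entry traceable. handle_auth_fils() starts and ends outside the hunk.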
@@ -1388,6 +1396,24 @@ prepare_auth_resp_fils(struct hostapd_data *hapd,
 			goto fail;
 		}
 		pmk = pmk_buf;
+
+		if (sta->fils_erp_pmkid_set) {
+			/* TODO: get PMKLifetime from WPA parameters */
+			unsigned int dot11RSNAConfigPMKLifetime = 43200;
+
+			sta->fils_erp_pmkid_set = 0;
+			if (wpa_auth_pmksa_add2(
+				    hapd->wpa_auth, sta->addr,
+				    pmk, pmk_len,
+				    sta->fils_erp_pmkid,
+				    sta->session_timeout_set ?
+				    sta->session_timeout :
+				    dot11RSNAConfigPMKLifetime,
+				    wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
+				wpa_printf(MSG_ERROR,
+					   "FILS: Failed to add PMKSA cache entry based on ERP");
+			}
+		}
 	} else if (pmksa) {
 		pmk = pmksa->pmk;
 		pmk_len = pmksa->pmk_len;
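Review bot: The fallback lifetime in the added block is a local literal, `unsigned int dot11RSNAConfigPMKLifetime = 43200;`, so an ERP-derived PMKSA entry is cached for 12 hours whenever `sta->session_timeout_set` is 0. A shorter PMK lifetime configured on the AP, if one exists, would not be applied to these entries. The TODO acknowledges the gap, but the variable name reads like the configured value; until it is wired to the WPA parameters, a comment such as `/* Hard-coded 12 h default; configured PMK lifetime is not applied to ERP-based entries yet */` would keep that visible. prepare_auth_resp_fils() continues outside the hunk.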

+ 3 - 1
src/ap/sta_info.h

@@ -12,11 +12,11 @@
 #ifdef CONFIG_MESH
 /* needed for mesh_plink_state enum */
 #include "common/defs.h"
-#include "common/wpa_common.h"
 #endif /* CONFIG_MESH */
 
 #include "list.h"
 #include "vlan.h"
+#include "common/wpa_common.h"
 #include "common/ieee802_11_defs.h"
 
 /* STA flags */
@@ -226,10 +226,12 @@ struct sta_info {
 #ifdef CONFIG_FILS
 	u8 fils_snonce[FILS_NONCE_LEN];
 	u8 fils_session[FILS_SESSION_LEN];
+	u8 fils_erp_pmkid[PMKID_LEN];
 	u8 *fils_pending_assoc_req;
 	size_t fils_pending_assoc_req_len;
 	unsigned int fils_pending_assoc_is_reassoc:1;
 	unsigned int fils_dhcp_rapid_commit_proxy:1;
+	unsigned int fils_erp_pmkid_set:1;
 	struct wpabuf *fils_hlp_resp;
 	struct wpabuf *hlp_dhcp_discover;
 	void (*fils_pending_cb)(struct hostapd_data *hapd, struct sta_info *sta,
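Review bot: The two new members `fils_erp_pmkid` and `fils_erp_pmkid_set` carry state between handle_auth_fils() and prepare_auth_resp_fils() but have no comment saying so. A short note would tell a maintainer when the buffer is meaningful, for example `/* PMKID from the pending EAP-Initiate/Re-auth; valid only while fils_erp_pmkid_set is 1 */` above `fils_erp_pmkid`, and `/* cleared when the PMKSA entry is added */` beside the bit-field. struct sta_info starts and ends outside the hunk.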