commit fb3a444d74031cb5c27121bd2a3b04ec771026c4
author Vinita S. Maloo <vmaloo@codeaurora.org> Tue May 19 17:43:22 2020 +0530
committer Sunil Ravi <sunilravi@google.com> Tue Jul 28 18:10:44 2020 +0000
tree f625b9948aa534ad3e35f914d959ef8fb72fad3e
parent 3a5b4419399ea11d1517aee557dd5eca7a10b4fc

FILS: Use FILS auth alg when connecting using PMKSA caching

When a PMKSA cache entry is available and used for connection with FILS
key management suite, use FILS authentication algorithm for connection
even if ERP keys are not available. This scenario may happen when
applications using wpa_supplicant cache persistently only PMKSA but not
ERP keys and reconfigures wpa_supplicant with PMKSA cache after
restarting wpa_supplicant.

The previous implementation correctly handles SME-in-wpa_supplicant
cases. However, SME-in-driver cases, complete FILS authentication
without PMKSA caching is performed.

Fix SME-in-driver behavior by setting authentication algorithm to
WPA_AUTH_ALG_FILS when connecting to a FILS AP using PMKSA caching.

Bug: 156130528
Test: Manual - Basic wifi sanity

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Sunil Ravi <sunilravi@google.com>
Change-Id: I352f4e9badfd39de3d1c47b047f5fc9882024a56

wpa_supplicant/wpa_supplicant.c

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 6f44613..78910fc 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -2742,9 +2742,9 @@
 #ifdef CONFIG_MBO
 	const u8 *mbo_ie;
 #endif
-#ifdef CONFIG_SAE
-	int sae_pmksa_cached = 0;
-#endif /* CONFIG_SAE */
+#if defined(CONFIG_SAE) || defined(CONFIG_FILS)
+	int pmksa_cached = 0;
+#endif /* CONFIG_SAE || CONFIG_FILS */
 #ifdef CONFIG_FILS
 	const u8 *realm, *username, *rrk;
 	size_t realm_len, username_len, rrk_len;
@@ -2784,9 +2784,9 @@
 					    ssid, try_opportunistic,
 					    cache_id, 0) == 0) {
 			eapol_sm_notify_pmkid_attempt(wpa_s->eapol);
-#ifdef CONFIG_SAE
-			sae_pmksa_cached = 1;
-#endif /* CONFIG_SAE */
+#if defined(CONFIG_SAE) || defined(CONFIG_FILS)
+			pmksa_cached = 1;
+#endif /* CONFIG_SAE || CONFIG_FILS */
 		}
 		wpa_ie_len = max_wpa_ie_len;
 		if (wpa_supplicant_set_suites(wpa_s, bss, ssid,
@@ -2885,6 +2885,10 @@
 
 		if (mask)
 			*mask |= WPA_DRV_UPDATE_FILS_ERP_INFO;
+	} else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_FILS_SK_OFFLOAD) &&
+		   ssid->eap.erp && wpa_key_mgmt_fils(wpa_s->key_mgmt) &&
+		   pmksa_cached) {
+		algs = WPA_AUTH_ALG_FILS;
 	}
 #endif /* CONFIG_FILS */
 #endif /* IEEE8021X_EAPOL */
@@ -2901,7 +2905,7 @@
 	}
 
 #ifdef CONFIG_SAE
-	if (sae_pmksa_cached && algs == WPA_AUTH_ALG_SAE) {
+	if (pmksa_cached && algs == WPA_AUTH_ALG_SAE) {
 		wpa_dbg(wpa_s, MSG_DEBUG,
 			"SAE: Use WPA_AUTH_ALG_OPEN for PMKSA caching attempt");
 		algs = WPA_AUTH_ALG_OPEN;