[PATCH 07/92] PASN: Add support for PMK caching with PASN AKM
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Wed Apr 22 05:22:58 PDT 2026
From: Avraham Stern <avraham.stern at intel.com>
WiFi Aware Specification version 4.0, section 7.6.4.3 defines NPK
caching for pairing setup using opportunistic bootstrapping which
uses PASN AKM.
Add support for PASN PMKSA caching with PASN AKM for PASN initiator
and responder:
1. Add an option to add a PMKSA with PASN AKM to the PMKSA cache
2. When handling PASN auth frames, use a cached PMK if available
or if a PMKID is specified in the RSN IE.
Signed-off-by: Avraham Stern <avraham.stern at intel.com>
---
src/common/proximity_ranging.c | 6 ++++--
src/p2p/p2p.c | 4 ++--
src/pasn/pasn_common.h | 4 ++--
src/pasn/pasn_initiator.c | 8 ++++----
src/pasn/pasn_responder.c | 27 +++++++++++++++++----------
5 files changed, 29 insertions(+), 20 deletions(-)
diff --git a/src/common/proximity_ranging.c b/src/common/proximity_ranging.c
index 449d8f3bb6..8d5fb3a4a8 100644
--- a/src/common/proximity_ranging.c
+++ b/src/common/proximity_ranging.c
@@ -1768,14 +1768,16 @@ static int pr_pasn_initialize(struct pr_data *pr, struct pr_device *dev,
pasn->peer_addr,
dev->pmk,
dev->pmk_len,
- pmkid);
+ pmkid,
+ WPA_KEY_MGMT_SAE);
else
pasn_responder_pmksa_cache_add(pr->responder_pmksa,
pasn->own_addr,
pasn->peer_addr,
dev->pmk,
dev->pmk_len,
- pmkid);
+ pmkid,
+ WPA_KEY_MGMT_SAE);
pasn->akmp = WPA_KEY_MGMT_SAE;
} else {
pasn->akmp = WPA_KEY_MGMT_PASN;
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index cbd4fb7625..cf0b4236c5 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -7317,9 +7317,9 @@ void p2p_pasn_pmksa_set_pmk(struct p2p_data *p2p, const u8 *src, const u8 *dst,
const u8 *pmk, size_t pmk_len, const u8 *pmkid)
{
pasn_initiator_pmksa_cache_add(p2p->initiator_pmksa, src, dst, pmk,
- pmk_len, pmkid);
+ pmk_len, pmkid, WPA_KEY_MGMT_SAE);
pasn_responder_pmksa_cache_add(p2p->responder_pmksa, src, dst, pmk,
- pmk_len, pmkid);
+ pmk_len, pmkid, WPA_KEY_MGMT_SAE);
}
diff --git a/src/pasn/pasn_common.h b/src/pasn/pasn_common.h
index ca5fa57eaa..910cdf5919 100644
--- a/src/pasn/pasn_common.h
+++ b/src/pasn/pasn_common.h
@@ -317,7 +317,7 @@ void pasn_initiator_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa);
int pasn_initiator_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
const u8 *own_addr, const u8 *bssid,
const u8 *pmk, size_t pmk_len,
- const u8 *pmkid);
+ const u8 *pmkid, int akmp);
int pasn_initiator_pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
const u8 *bssid, u8 *pmkid, u8 *pmk,
size_t *pmk_len);
@@ -343,7 +343,7 @@ void pasn_responder_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa);
int pasn_responder_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
const u8 *own_addr, const u8 *bssid,
const u8 *pmk, size_t pmk_len,
- const u8 *pmkid);
+ const u8 *pmkid, int akmp);
int pasn_responder_pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
const u8 *bssid, u8 *pmkid, u8 *pmk,
size_t *pmk_len);
diff --git a/src/pasn/pasn_initiator.c b/src/pasn/pasn_initiator.c
index 509eca9d34..b1cf36b971 100644
--- a/src/pasn/pasn_initiator.c
+++ b/src/pasn/pasn_initiator.c
@@ -42,10 +42,10 @@ void pasn_initiator_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa)
int pasn_initiator_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
const u8 *own_addr, const u8 *bssid,
const u8 *pmk,
- size_t pmk_len, const u8 *pmkid)
+ size_t pmk_len, const u8 *pmkid, int akmp)
{
if (pmksa_cache_add(pmksa, pmk, pmk_len, pmkid, NULL, 0, bssid,
- own_addr, NULL, WPA_KEY_MGMT_SAE, NULL, 0))
+ own_addr, NULL, akmp, NULL, 0))
return 0;
return -1;
}
@@ -957,8 +957,8 @@ static int wpas_pasn_set_pmk(struct pasn_data *pasn,
os_memset(pasn->pmk, 0, sizeof(pasn->pmk));
pasn->pmk_len = 0;
- if (pasn->akmp == WPA_KEY_MGMT_PASN ||
- pasn->akmp == WPA_KEY_MGMT_EPPKE) {
+ if ((pasn->akmp == WPA_KEY_MGMT_PASN ||
+ pasn->akmp == WPA_KEY_MGMT_EPPKE) && !rsn_data->num_pmkid) {
wpa_printf(MSG_DEBUG, "PASN/EPPKE: Using default PMK");
pasn->pmk_len = WPA_PASN_PMK_LEN;
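Review bot: The added `!rsn_data->num_pmkid` condition lets a value taken from the peer's RSN IE decide whether the default PMK is skipped, and the path taken when it is nonzero lies outside this hunk. Please confirm that path returns an error when no cached PMKSA matches the PMKID, rather than continuing with the zeroed `pasn->pmk` set just above. A short comment on the condition would help the next reader, for example `/* A PMKID in the RSN IE means PMKSA caching is in use: do not fall back to the default PMK */`. wpas_pasn_set_pmk starts and ends outside the hunk.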
diff --git a/src/pasn/pasn_responder.c b/src/pasn/pasn_responder.c
index 7cecb943c2..faf57dc6ed 100644
--- a/src/pasn/pasn_responder.c
+++ b/src/pasn/pasn_responder.c
@@ -43,10 +43,10 @@ void pasn_responder_pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa)
int pasn_responder_pmksa_cache_add(struct rsn_pmksa_cache *pmksa,
const u8 *own_addr, const u8 *bssid,
const u8 *pmk, size_t pmk_len,
- const u8 *pmkid)
+ const u8 *pmkid, int akmp)
{
if (pmksa_cache_auth_add(pmksa, pmk, pmk_len, pmkid, NULL, 0, own_addr,
- bssid, 0, NULL, WPA_KEY_MGMT_SAE))
+ bssid, 0, NULL, akmp))
return 0;
return -1;
}
@@ -448,17 +448,17 @@ pasn_derive_keys(struct pasn_data *pasn,
if (!cached_pmk || !cached_pmk_len)
wpa_printf(MSG_DEBUG, "PASN: No valid PMKSA entry");
- if (pasn->akmp == WPA_KEY_MGMT_PASN ||
- pasn->akmp == WPA_KEY_MGMT_EPPKE) {
- wpa_printf(MSG_DEBUG, "PASN/EPPKE: Using default PMK");
-
- pmk_len = WPA_PASN_PMK_LEN;
- os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
- } else if (cached_pmk && cached_pmk_len) {
+ if (cached_pmk && cached_pmk_len) {
wpa_printf(MSG_DEBUG, "PASN: Using PMKSA entry");
pmk_len = cached_pmk_len;
os_memcpy(pmk, cached_pmk, cached_pmk_len);
+ } else if (pasn->akmp == WPA_KEY_MGMT_PASN ||
+ pasn->akmp == WPA_KEY_MGMT_EPPKE) {
+ wpa_printf(MSG_DEBUG, "PASN/EPPKE: Using default PMK");
+
+ pmk_len = WPA_PASN_PMK_LEN;
+ os_memcpy(pmk, pasn_default_pmk, sizeof(pasn_default_pmk));
} else {
switch (pasn->akmp) {
#ifdef CONFIG_SAE
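Review bot: With the branches reordered, a cached PMK is used for every AKM, but nothing in this hunk ties the cached entry to `pasn->akmp`. Entries can now be stored as either WPA_KEY_MGMT_SAE or another AKM through the new `akmp` argument of the cache-add helpers. The lookup that fills `cached_pmk` is outside the hunk, so please confirm it rejects an entry whose AKM differs from the one negotiated in this exchange. The new precedence also deserves a comment above the first branch, such as `/* A cached PMK takes precedence over the PASN/EPPKE default PMK */`. pasn_derive_keys starts and ends outside the hunk.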
@@ -1056,7 +1056,8 @@ int handle_auth_pasn_1(struct pasn_data *pasn,
}
if (!pasn->noauth && (pasn->akmp == WPA_KEY_MGMT_PASN ||
- pasn->akmp == WPA_KEY_MGMT_EPPKE)) {
+ pasn->akmp == WPA_KEY_MGMT_EPPKE) &&
+ (!rsn_data.num_pmkid || !pasn->pmksa)) {
wpa_printf(MSG_DEBUG, "PASN/EPPKE: Refuse UNAUTH");
status = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto send_resp;
@@ -1173,6 +1174,12 @@ int handle_auth_pasn_1(struct pasn_data *pasn,
if (pmksa) {
cached_pmk = pmksa->pmk;
cached_pmk_len = pmksa->pmk_len;
+ } else if (!pasn->noauth &&
+ pasn->akmp == WPA_KEY_MGMT_PASN) {
+ wpa_printf(MSG_DEBUG,
+ "PASN: No PMKSA entry found for PASN-UNAUTH");
+ status = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ goto send_resp;
}
}
}
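Review bot: The new refusal branch tests only `pasn->akmp == WPA_KEY_MGMT_PASN`, while the earlier `Refuse UNAUTH` check in this function and the default-PMK fallback in pasn_derive_keys both treat WPA_KEY_MGMT_EPPKE the same as PASN. As far as these hunks show, an EPPKE request with `!pasn->noauth`, a PMKID in the RSN IE and no matching PMKSA entry is not refused here, and pasn_derive_keys would then select the default PMK for it. Unless EPPKE is handled in code outside these hunks, the condition should read `} else if (!pasn->noauth && (pasn->akmp == WPA_KEY_MGMT_PASN || pasn->akmp == WPA_KEY_MGMT_EPPKE)) {`. handle_auth_pasn_1 starts and ends outside the hunk.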
--
2.53.0