SAE: Fix default PMK configuration for PMKSA caching case
The RSN supplicant state machine PMK was set based on WPA PSK even for the cases where SAE would be used. If the AP allows PMKSA caching to be used with SAE, but does not indicate the selected PMKID explicitly in EAPOL-Key msg 1/4, this could result in trying to use the PSK instead of SAE PMK. Fix this by not setting the WPA-PSK as default PMK for SAE network profiles and instead, configuring the PMK explicitly from the found PMKSA cache entry. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
8e402d1657
commit
06b1a10434
2 changed files with 12 additions and 4 deletions
|
@ -551,6 +551,7 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
|
||||||
NULL) == 0) {
|
NULL) == 0) {
|
||||||
wpa_dbg(wpa_s, MSG_DEBUG,
|
wpa_dbg(wpa_s, MSG_DEBUG,
|
||||||
"PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication");
|
"PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication");
|
||||||
|
wpa_sm_set_pmk_from_pmksa(wpa_s->wpa);
|
||||||
params.auth_alg = WPA_AUTH_ALG_OPEN;
|
params.auth_alg = WPA_AUTH_ALG_OPEN;
|
||||||
wpa_s->sme.sae_pmksa_caching = 1;
|
wpa_s->sme.sae_pmksa_caching = 1;
|
||||||
}
|
}
|
||||||
|
|
|
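Review bot: The added `wpa_sm_set_pmk_from_pmksa(wpa_s->wpa);` call has no comment saying why the PMK must be loaded explicitly here; that reason exists only in the commit message. I would put `/* SAE profiles no longer get a PSK-based default PMK; take it from the selected PMKSA cache entry */` above the call. The call sits in the branch taken when the cache lookup returned 0, so a current entry is presumably selected, but the start of that condition and the rest of sme_send_authentication() are outside the hunk and should be checked. It is also worth confirming that a later fallback to full SAE authentication, if the AP does not accept the cached entry, replaces this PMK rather than leaving the cached one in place.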
@ -1466,8 +1466,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
|
||||||
|
|
||||||
if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt)) {
|
if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt)) {
|
||||||
int psk_set = 0;
|
int psk_set = 0;
|
||||||
|
int sae_only;
|
||||||
|
|
||||||
if (ssid->psk_set) {
|
sae_only = (ssid->key_mgmt & (WPA_KEY_MGMT_PSK |
|
||||||
|
WPA_KEY_MGMT_FT_PSK |
|
||||||
|
WPA_KEY_MGMT_PSK_SHA256)) == 0;
|
||||||
|
|
||||||
|
if (ssid->psk_set && !sae_only) {
|
||||||
wpa_hexdump_key(MSG_MSGDUMP, "PSK (set in config)",
|
wpa_hexdump_key(MSG_MSGDUMP, "PSK (set in config)",
|
||||||
ssid->psk, PMK_LEN);
|
ssid->psk, PMK_LEN);
|
||||||
wpa_sm_set_pmk(wpa_s->wpa, ssid->psk, PMK_LEN, NULL,
|
wpa_sm_set_pmk(wpa_s->wpa, ssid->psk, PMK_LEN, NULL,
|
||||||
|
@ -1475,12 +1480,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
|
||||||
psk_set = 1;
|
psk_set = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (wpa_key_mgmt_sae(ssid->key_mgmt) && ssid->sae_password)
|
if (wpa_key_mgmt_sae(ssid->key_mgmt) &&
|
||||||
|
(ssid->sae_password || ssid->passphrase))
|
||||||
psk_set = 1;
|
psk_set = 1;
|
||||||
|
|
||||||
#ifndef CONFIG_NO_PBKDF2
|
#ifndef CONFIG_NO_PBKDF2
|
||||||
if (bss && ssid->bssid_set && ssid->ssid_len == 0 &&
|
if (bss && ssid->bssid_set && ssid->ssid_len == 0 &&
|
||||||
ssid->passphrase) {
|
ssid->passphrase && !sae_only) {
|
||||||
u8 psk[PMK_LEN];
|
u8 psk[PMK_LEN];
|
||||||
pbkdf2_sha1(ssid->passphrase, bss->ssid, bss->ssid_len,
|
pbkdf2_sha1(ssid->passphrase, bss->ssid, bss->ssid_len,
|
||||||
4096, psk, PMK_LEN);
|
4096, psk, PMK_LEN);
|
||||||
|
@ -1492,7 +1498,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
|
||||||
}
|
}
|
||||||
#endif /* CONFIG_NO_PBKDF2 */
|
#endif /* CONFIG_NO_PBKDF2 */
|
||||||
#ifdef CONFIG_EXT_PASSWORD
|
#ifdef CONFIG_EXT_PASSWORD
|
||||||
if (ssid->ext_psk) {
|
if (ssid->ext_psk && !sae_only) {
|
||||||
struct wpabuf *pw = ext_password_get(wpa_s->ext_pw,
|
struct wpabuf *pw = ext_password_get(wpa_s->ext_pw,
|
||||||
ssid->ext_psk);
|
ssid->ext_psk);
|
||||||
char pw_str[64 + 1];
|
char pw_str[64 + 1];
|
||||||
|
@ -1561,6 +1567,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
|
||||||
if (!psk_set) {
|
if (!psk_set) {
|
||||||
wpa_msg(wpa_s, MSG_INFO,
|
wpa_msg(wpa_s, MSG_INFO,
|
||||||
"No PSK available for association");
|
"No PSK available for association");
|
||||||
|
wpas_auth_failed(wpa_s, "NO_PSK_AVAILABLE");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
#ifdef CONFIG_OWE
|
#ifdef CONFIG_OWE
|
||||||
|
|
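Review bot: `sae_only` is computed from a hand-written list of three PSK AKMs (`WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_FT_PSK | WPA_KEY_MGMT_PSK_SHA256`) and then gates three separate PMK sources: `ssid->psk`, the PBKDF2 passphrase path and `ssid->ext_psk`. If wpa_key_mgmt_wpa_psk() (definition not shown here) ever accepts another PSK-type AKM that is not added to this mask, such a profile would be treated as SAE-only and no PSK-derived PMK would be configured. A comment at the assignment would make that coupling visible, for example `/* sae_only: no PSK AKM enabled; PMK comes from SAE or a PMKSA entry, never from the PSK. Keep in sync with wpa_key_mgmt_wpa_psk(). */`. Relatedly, `psk_set = 1` for `ssid->passphrase` on an SAE profile now means only that a credential exists, not that a PMK was set, which deserves a one-line comment before the `if (!psk_set)` check. wpa_supplicant_set_suites() starts and ends outside these hunks.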