SAE: Fix default PMK configuration for PMKSA caching case

The RSN supplicant state machine PMK was set based on WPA PSK even for
the cases where SAE would be used. If the AP allows PMKSA caching to be
used with SAE, but does not indicate the selected PMKID explicitly in
EAPOL-Key msg 1/4, this could result in trying to use the PSK instead of
SAE PMK. Fix this by not setting the WPA-PSK as default PMK for SAE
network profiles and instead, configuring the PMK explicitly from the
found PMKSA cache entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2018-04-08 19:55:52 +03:00
parent 8e402d1657
commit 06b1a10434
2 changed files with 12 additions and 4 deletions

View file

@ -551,6 +551,7 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
NULL) == 0) { NULL) == 0) {
wpa_dbg(wpa_s, MSG_DEBUG, wpa_dbg(wpa_s, MSG_DEBUG,
"PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication"); "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication");
wpa_sm_set_pmk_from_pmksa(wpa_s->wpa);
params.auth_alg = WPA_AUTH_ALG_OPEN; params.auth_alg = WPA_AUTH_ALG_OPEN;
wpa_s->sme.sae_pmksa_caching = 1; wpa_s->sme.sae_pmksa_caching = 1;
} }

View file

@ -1466,8 +1466,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt)) { if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt)) {
int psk_set = 0; int psk_set = 0;
int sae_only;
if (ssid->psk_set) { sae_only = (ssid->key_mgmt & (WPA_KEY_MGMT_PSK |
WPA_KEY_MGMT_FT_PSK |
WPA_KEY_MGMT_PSK_SHA256)) == 0;
if (ssid->psk_set && !sae_only) {
wpa_hexdump_key(MSG_MSGDUMP, "PSK (set in config)", wpa_hexdump_key(MSG_MSGDUMP, "PSK (set in config)",
ssid->psk, PMK_LEN); ssid->psk, PMK_LEN);
wpa_sm_set_pmk(wpa_s->wpa, ssid->psk, PMK_LEN, NULL, wpa_sm_set_pmk(wpa_s->wpa, ssid->psk, PMK_LEN, NULL,
@ -1475,12 +1480,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
psk_set = 1; psk_set = 1;
} }
if (wpa_key_mgmt_sae(ssid->key_mgmt) && ssid->sae_password) if (wpa_key_mgmt_sae(ssid->key_mgmt) &&
(ssid->sae_password || ssid->passphrase))
psk_set = 1; psk_set = 1;
#ifndef CONFIG_NO_PBKDF2 #ifndef CONFIG_NO_PBKDF2
if (bss && ssid->bssid_set && ssid->ssid_len == 0 && if (bss && ssid->bssid_set && ssid->ssid_len == 0 &&
ssid->passphrase) { ssid->passphrase && !sae_only) {
u8 psk[PMK_LEN]; u8 psk[PMK_LEN];
pbkdf2_sha1(ssid->passphrase, bss->ssid, bss->ssid_len, pbkdf2_sha1(ssid->passphrase, bss->ssid, bss->ssid_len,
4096, psk, PMK_LEN); 4096, psk, PMK_LEN);
@ -1492,7 +1498,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
} }
#endif /* CONFIG_NO_PBKDF2 */ #endif /* CONFIG_NO_PBKDF2 */
#ifdef CONFIG_EXT_PASSWORD #ifdef CONFIG_EXT_PASSWORD
if (ssid->ext_psk) { if (ssid->ext_psk && !sae_only) {
struct wpabuf *pw = ext_password_get(wpa_s->ext_pw, struct wpabuf *pw = ext_password_get(wpa_s->ext_pw,
ssid->ext_psk); ssid->ext_psk);
char pw_str[64 + 1]; char pw_str[64 + 1];
@ -1561,6 +1567,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
if (!psk_set) { if (!psk_set) {
wpa_msg(wpa_s, MSG_INFO, wpa_msg(wpa_s, MSG_INFO,
"No PSK available for association"); "No PSK available for association");
wpas_auth_failed(wpa_s, "NO_PSK_AVAILABLE");
return -1; return -1;
} }
#ifdef CONFIG_OWE #ifdef CONFIG_OWE