PMKSA: Make sure reauth time is not greater than expiration time

While creating a cloned PMKSA entry for OKC both expiration and
reauth_time values are set to maximum values, but later only the
expiration time is copied from the old PMKSA entry to the new PMKSA
entry. Due to this there is a possibility of reauth_time becoming
greater than expiration time in some cloned entries. To avoid this copy
reauth_time also to the cloned entry.

Also, add check to reject control interface commands with reauth time
greater than expiration time.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>

src/rsn_supp/pmksa_cache.c

@@ -378,6 +378,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
 {
 	struct rsn_pmksa_cache_entry *new_entry;
 	os_time_t old_expiration = old_entry->expiration;
+	os_time_t old_reauth_time = old_entry->reauth_time;
 	const u8 *pmkid = NULL;
 
 	if (wpa_key_mgmt_sae(old_entry->akmp) ||
@@ -394,6 +395,7 @@ pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
 
 	/* TODO: reorder entries based on expiration time? */
 	new_entry->expiration = old_expiration;
+	new_entry->reauth_time = old_reauth_time;
 	new_entry->opportunistic = 1;
 
 	return new_entry;

wpa_supplicant/ctrl_iface.c

@@ -10624,6 +10624,8 @@ static int wpas_ctrl_iface_pmksa_add(struct wpa_supplicant *wpa_s,
 	if (sscanf(pos, "%d %d %d %d", &reauth_time, &expiration,
 		   &entry->akmp, &entry->opportunistic) != 4)
 		goto fail;
+	if (reauth_time > expiration)
+		goto fail;
 	for (i = 0; i < 4; i++) {
 		pos = os_strchr(pos, ' ');
 		if (!pos) {