Work around broken AP PMKSA caching implementation

An interoperability issue with a deployed AP has been identified where
the connection fails due to that AP failing to operate correctly if
PMKID is included in the Association Request frame. To work around this,
allow EAPOL-Start packet to be transmitted on startWhen reaching 0 even
when trying to use PMKSA caching. In practice, this allows fallback to
full EAP authentication if the AP/Authenticator takes more than 1-2
seconds to initiate 4-way handshake for PMKSA caching or full EAP
authentication if there was no PMKSA cache match.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2014-09-08 17:18:01 +03:00 committed by Jouni Malinen
parent b08d5fa793
commit 76db5b6b12

View file

@ -142,11 +142,29 @@ static int wpa_supplicant_eapol_send(void *ctx, int type, const u8 *buf,
if (pmksa_cache_get_current(wpa_s->wpa) && if (pmksa_cache_get_current(wpa_s->wpa) &&
type == IEEE802_1X_TYPE_EAPOL_START) { type == IEEE802_1X_TYPE_EAPOL_START) {
/* Trying to use PMKSA caching - do not send EAPOL-Start frames /*
* since they will trigger full EAPOL authentication. */ * We were trying to use PMKSA caching and sending EAPOL-Start
wpa_printf(MSG_DEBUG, "RSN: PMKSA caching - do not send " * would abort that and trigger full EAPOL authentication.
"EAPOL-Start"); * However, we've already waited for the AP/Authenticator to
return -1; * start 4-way handshake or EAP authentication, and apparently
* it has not done so since the startWhen timer has reached zero
* to get the state machine sending EAPOL-Start. This is not
* really supposed to happen, but an interoperability issue with
* a deployed AP has been identified where the connection fails
* due to that AP failing to operate correctly if PMKID is
* included in the Association Request frame. To work around
* this, assume PMKSA caching failed and try to initiate full
* EAP authentication.
*/
if (!wpa_s->current_ssid ||
wpa_s->current_ssid->eap_workaround) {
wpa_printf(MSG_DEBUG,
"RSN: Timeout on waiting for the AP to initiate 4-way handshake for PMKSA caching or EAP authentication - try to force it to start EAP authentication");
} else {
wpa_printf(MSG_DEBUG,
"RSN: PMKSA caching - do not send EAPOL-Start");
return -1;
}
} }
if (is_zero_ether_addr(wpa_s->bssid)) { if (is_zero_ether_addr(wpa_s->bssid)) {