SAE: Do not clone PMKSA entry for OKC after its reauth threshold
Since SAE PMK can be updated only by going through a new SAE authentication instead of being able to update it during an association like EAP authentication, do not allow PMKSA entries to be used for OKC after the reauthentication threshold has been reached. This allows the PMK to be updated without having to force a disassociation when the PMK expires if the station roams between the reauthentication threshold and expiration timeout. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
114d124186
commit
bb93ea234e
1 changed files with 14 additions and 0 deletions
|
@ -416,6 +416,20 @@ pmksa_cache_get_opportunistic(struct rsn_pmksa_cache *pmksa, void *network_ctx,
|
||||||
while (entry) {
|
while (entry) {
|
||||||
if (entry->network_ctx == network_ctx &&
|
if (entry->network_ctx == network_ctx &&
|
||||||
(!akmp || entry->akmp == akmp)) {
|
(!akmp || entry->akmp == akmp)) {
|
||||||
|
struct os_reltime now;
|
||||||
|
|
||||||
|
if (wpa_key_mgmt_sae(entry->akmp) &&
|
||||||
|
os_get_reltime(&now) == 0 &&
|
||||||
|
entry->reauth_time < now.sec) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"RSN: Do not clone PMKSA cache entry for "
|
||||||
|
MACSTR
|
||||||
|
" since its reauth threshold has passed",
|
||||||
|
MAC2STR(entry->aa));
|
||||||
|
entry = entry->next;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
entry = pmksa_cache_clone_entry(pmksa, entry, aa);
|
entry = pmksa_cache_clone_entry(pmksa, entry, aa);
|
||||||
if (entry) {
|
if (entry) {
|
||||||
wpa_printf(MSG_DEBUG, "RSN: added "
|
wpa_printf(MSG_DEBUG, "RSN: added "
|
||||||
|
|
Loading…
Reference in a new issue