author | Dennis Jeon <dennis.jeon@broadcom.com> | 2023-11-21 08:49:36 -0500 |
---|---|---|
committer | Ken Sun <kensun@google.com> | 2023-12-03 12:37:46 +0000 |
commit | 67e32eafde92be18cfc373cf5bf284cfe96df130 (patch) | |
tree | 34cb25d944b7ba3486bf7d79f4a7b7f4662b6bd0 | |
parent | d77432adc56084ae69588bb3c0aabb1f671b963f (diff) | |
Handling pmk addition in supplicant cache for 80211x connections
Fix connection issue seen with 8021x obsolete credential
Supplicant presently doesn't delete the PMKSA for 8021X cases on
drivers with 4-way handshake offload enabled. This is because there is
no entry present in the wpa_supplicant cache, as the PMKSA cache add is
triggered only from the EAPOL M1 (1/4) packet processing context and
hence happens only for supplicant-based 4-way handshake. This patch
invokes the set_pmk API so that a cache entry is made at the supplicant level.
Bug: 310053150
Test: basic security test
Change-Id: I4b2289fcc9366207db60c8e9ed7dbc3a3860dc8a
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
-rw-r--r-- | src/rsn_supp/pmksa_cache.c | 22 | ||||
-rw-r--r-- | wpa_supplicant/wpas_glue.c | 6 |
2 files changed, 17 insertions, 11 deletions
diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c
index e7b4d540..eb434fa9 100644
--- a/src/rsn_supp/pmksa_cache.c
+++ b/src/rsn_supp/pmksa_cache.c
@@ -224,22 +224,22 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len,
 if (pmk_len > PMK_LEN_MAX)
 return NULL;
 
- if (wpa_key_mgmt_suite_b(akmp) && !kck)
- return NULL;
-
 entry = os_zalloc(sizeof(*entry));
 if (entry == NULL)
 return NULL;
 os_memcpy(entry->pmk, pmk, pmk_len);
 entry->pmk_len = pmk_len;
- if (pmkid)
- os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
- else if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
- rsn_pmkid_suite_b_192(kck, kck_len, aa, spa, entry->pmkid);
- else if (wpa_key_mgmt_suite_b(akmp))
- rsn_pmkid_suite_b(kck, kck_len, aa, spa, entry->pmkid);
- else
- rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid, akmp);
+ if (pmkid) {
+ os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
+ } else if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
+ if (kck)
+ rsn_pmkid_suite_b_192(kck, kck_len, aa, spa, entry->pmkid);
+ } else if (wpa_key_mgmt_suite_b(akmp)) {
+ if (kck)
+ rsn_pmkid_suite_b(kck, kck_len, aa, spa, entry->pmkid);
+ } else {
+ rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid, akmp);
+ }
 os_get_reltime(&now);
 if (pmksa->sm) {
 pmk_lifetime = pmksa->sm->dot11RSNAConfigPMKLifetime;
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index bba77773..0047531a 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -380,6 +380,12 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol,
 wpa_printf(MSG_DEBUG, "Failed to set PMK to the driver");
 }
 
+ if (wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X) {
+ /* Add PMKSA cache entry */
+ wpa_printf(MSG_INFO, "add pmksa entry for the PMK");
+ wpa_sm_set_pmk(wpa_s->wpa, pmk, pmk_len, NULL, wpa_sm_get_auth_addr(wpa_s->wpa));
+ }
+
 wpa_supplicant_cancel_scan(wpa_s);
 wpa_supplicant_cancel_auth_timeout(wpa_s);
 wpa_supplicant_set_state(wpa_s, WPA_COMPLETED); |
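Review bot: For a Suite B AKM with neither `pmkid` nor `kck`, the two new `if (kck)` branches fall through without writing `entry->pmkid`, so the entry keeps the all-zero PMKID from `os_zalloc()` and is still cached, where the removed check returned NULL. The rest of pmksa_cache_add lies outside this hunk, so it is worth confirming that duplicate detection, lookups by PMKID and anything that advertises a PMKID treat an all-zero value as "unknown" rather than as a real identifier. At minimum the intent should be documented at both branches, e.g. `/* No KCK (4-way handshake offload): PMKID cannot be derived here; entry is cached with a zero PMKID */`, and a `MSG_DEBUG` line logged when that path is taken.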
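Review bot: The new block sits after the closing brace of the branch that logs "Failed to set PMK to the driver", so as far as the visible context shows the PMKSA entry is added even when handing the PMK to the driver failed. Caching a PMK the driver never accepted leaves key material in the supplicant cache for a session that may not be usable; consider attaching the block to the success path, e.g. `} else if (wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X) {`. The `MSG_INFO` message would fit better at `MSG_DEBUG` like the neighbouring one, and the `wpa_sm_set_pmk(...)` line should be wrapped to match the file's line length. wpa_supplicant_eapol_cb starts and ends outside the hunk, so the conditions guarding this code are not visible here.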