authorJouni Malinen <j@w1.fi>2018-04-08 16:55:52 (GMT)
committerJouni Malinen <j@w1.fi>2018-04-09 10:10:08 (GMT)
commit06b1a1043427778b82374fc63e540a264e12d82d (patch)
tree44af4adf5895e858c494ce732d41195e97679718 /wpa_supplicant/wpa_supplicant.c
parent8e402d1657fa6c8246f5a2c588c656b7905aa5a2 (diff)
SAE: Fix default PMK configuration for PMKSA caching case
The RSN supplicant state machine PMK was set based on WPA PSK even for the cases where SAE would be used. If the AP allows PMKSA caching to be used with SAE, but does not indicate the selected PMKID explicitly in EAPOL-Key msg 1/4, this could result in trying to use the PSK instead of SAE PMK. Fix this by not setting the WPA-PSK as default PMK for SAE network profiles and instead, configuring the PMK explicitly from the found PMKSA cache entry. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/wpa_supplicant.c')
-rw-r--r--wpa_supplicant/wpa_supplicant.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index c0922d3..9808640 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1466,8 +1466,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt)) {
int psk_set = 0;
+ int sae_only;
- if (ssid->psk_set) {
+ sae_only = (ssid->key_mgmt & (WPA_KEY_MGMT_PSK |
+ WPA_KEY_MGMT_FT_PSK |
+ WPA_KEY_MGMT_PSK_SHA256)) == 0;
+
+ if (ssid->psk_set && !sae_only) {
wpa_hexdump_key(MSG_MSGDUMP, "PSK (set in config)",
ssid->psk, PMK_LEN);
wpa_sm_set_pmk(wpa_s->wpa, ssid->psk, PMK_LEN, NULL,
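Review bot: `sae_only` is derived from the profile's `ssid->key_mgmt`, not from the AKM selected for this association, so for a profile that enables both a PSK AKM and SAE it is 0 and `if (ssid->psk_set && !sae_only)` still installs the PSK as the default PMK; the same gate is reused for the PBKDF2 path and the `ext_psk` path in the later hunks. Whether that matters depends on the PMKSA-cache side of this commit, which is not part of this file's diff, so it is worth confirming that a mixed profile that ends up using SAE always has its PMK replaced from the cache entry. A short comment above the assignment would make the intent explicit, e.g. `/* SAE-only profile: no PSK-based AKM enabled, so never use the PSK as the default PMK */`. The enclosing function starts and ends outside the hunk.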
@@ -1475,12 +1480,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
psk_set = 1;
}
- if (wpa_key_mgmt_sae(ssid->key_mgmt) && ssid->sae_password)
+ if (wpa_key_mgmt_sae(ssid->key_mgmt) &&
+ (ssid->sae_password || ssid->passphrase))
psk_set = 1;
#ifndef CONFIG_NO_PBKDF2
if (bss && ssid->bssid_set && ssid->ssid_len == 0 &&
- ssid->passphrase) {
+ ssid->passphrase && !sae_only) {
u8 psk[PMK_LEN];
pbkdf2_sha1(ssid->passphrase, bss->ssid, bss->ssid_len,
4096, psk, PMK_LEN);
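Review bot: After this change `psk_set = 1` is reached for an SAE network that has only `ssid->passphrase`, while the PBKDF2 branch right below is skipped when `sae_only` is set, so `psk_set` no longer means that a PMK was handed to the state machine. A comment at the assignment would keep a later reader from relying on the old meaning, e.g. `/* SAE: a password is available; the PMK comes from SAE authentication or the PMKSA cache, not from here */`. The block continues past the end of the hunk.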
@@ -1492,7 +1498,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
}
#endif /* CONFIG_NO_PBKDF2 */
#ifdef CONFIG_EXT_PASSWORD
- if (ssid->ext_psk) {
+ if (ssid->ext_psk && !sae_only) {
struct wpabuf *pw = ext_password_get(wpa_s->ext_pw,
ssid->ext_psk);
char pw_str[64 + 1];
@@ -1561,6 +1567,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
if (!psk_set) {
wpa_msg(wpa_s, MSG_INFO,
"No PSK available for association");
+ wpas_auth_failed(wpa_s, "NO_PSK_AVAILABLE");
return -1;
}
#ifdef CONFIG_OWE
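Review bot: `wpas_auth_failed(wpa_s, "NO_PSK_AVAILABLE")` is called without the `ssid` that is being configured here, so it presumably charges the failure to whatever network `wpa_s` currently tracks; if that is not yet `ssid` when `wpa_supplicant_set_suites()` runs, the failure would be dropped or counted against a different profile. It is worth confirming the call order in the callers, or stating the assumption next to the call, e.g. `/* relies on wpa_s->current_ssid == ssid */`. This path is also now reached by SAE-only profiles that carry only a raw `psk` or `ext_psk`, where the message "No PSK available for association" does not tell the operator that an SAE password or passphrase is what is missing. The function continues outside the hunk.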