mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-28 10:18:21 -05:00
FT: Do not add PMKID to the driver for FT-EAP if caching is disabled
wpa_supplicant disables PMKSA caching with FT-EAP by default due to known interoperability issues with APs. This is allowed only if the network profile is explicitly enabling caching with ft_eap_pmksa_caching=1. However, the PMKID for such PMKSA cache entries was still being configured to the driver and it was possible for the driver to build an RSNE with the PMKID for SME-in-driver cases. This could result in hitting the interop issue with some APs. Fix this by skipping PMKID configuration to the driver fot FT-EAP AKM if ft_eap_pmksa_caching=1 is not used in the network profile so that the driver and wpa_supplicant behavior are in sync for this. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
5cf91afeeb
commit
215b4d8a72
@ -269,7 +269,8 @@ pmksa_cache_add_entry(struct rsn_pmksa_cache *pmksa,
|
|||||||
entry->fils_cache_id_set ? entry->fils_cache_id : NULL,
|
entry->fils_cache_id_set ? entry->fils_cache_id : NULL,
|
||||||
entry->pmk, entry->pmk_len,
|
entry->pmk, entry->pmk_len,
|
||||||
pmksa->sm->dot11RSNAConfigPMKLifetime,
|
pmksa->sm->dot11RSNAConfigPMKLifetime,
|
||||||
pmksa->sm->dot11RSNAConfigPMKReauthThreshold);
|
pmksa->sm->dot11RSNAConfigPMKReauthThreshold,
|
||||||
|
entry->akmp);
|
||||||
|
|
||||||
return entry;
|
return entry;
|
||||||
}
|
}
|
||||||
|
@ -349,7 +349,8 @@ void rsn_preauth_candidate_process(struct wpa_sm *sm)
|
|||||||
* PMKIDs again, so report the existing data now. */
|
* PMKIDs again, so report the existing data now. */
|
||||||
if (p) {
|
if (p) {
|
||||||
wpa_sm_add_pmkid(sm, NULL, candidate->bssid, p->pmkid,
|
wpa_sm_add_pmkid(sm, NULL, candidate->bssid, p->pmkid,
|
||||||
NULL, p->pmk, p->pmk_len, 0, 0);
|
NULL, p->pmk, p->pmk_len, 0, 0,
|
||||||
|
p->akmp);
|
||||||
}
|
}
|
||||||
|
|
||||||
dl_list_del(&candidate->list);
|
dl_list_del(&candidate->list);
|
||||||
|
@ -43,7 +43,7 @@ struct wpa_sm_ctx {
|
|||||||
int (*add_pmkid)(void *ctx, void *network_ctx, const u8 *bssid,
|
int (*add_pmkid)(void *ctx, void *network_ctx, const u8 *bssid,
|
||||||
const u8 *pmkid, const u8 *fils_cache_id,
|
const u8 *pmkid, const u8 *fils_cache_id,
|
||||||
const u8 *pmk, size_t pmk_len, u32 pmk_lifetime,
|
const u8 *pmk, size_t pmk_len, u32 pmk_lifetime,
|
||||||
u8 pmk_reauth_threshold);
|
u8 pmk_reauth_threshold, int akmp);
|
||||||
int (*remove_pmkid)(void *ctx, void *network_ctx, const u8 *bssid,
|
int (*remove_pmkid)(void *ctx, void *network_ctx, const u8 *bssid,
|
||||||
const u8 *pmkid, const u8 *fils_cache_id);
|
const u8 *pmkid, const u8 *fils_cache_id);
|
||||||
void (*set_config_blob)(void *ctx, struct wpa_config_blob *blob);
|
void (*set_config_blob)(void *ctx, struct wpa_config_blob *blob);
|
||||||
|
@ -268,12 +268,12 @@ static inline int wpa_sm_add_pmkid(struct wpa_sm *sm, void *network_ctx,
|
|||||||
const u8 *bssid, const u8 *pmkid,
|
const u8 *bssid, const u8 *pmkid,
|
||||||
const u8 *cache_id, const u8 *pmk,
|
const u8 *cache_id, const u8 *pmk,
|
||||||
size_t pmk_len, u32 pmk_lifetime,
|
size_t pmk_len, u32 pmk_lifetime,
|
||||||
u8 pmk_reauth_threshold)
|
u8 pmk_reauth_threshold, int akmp)
|
||||||
{
|
{
|
||||||
WPA_ASSERT(sm->ctx->add_pmkid);
|
WPA_ASSERT(sm->ctx->add_pmkid);
|
||||||
return sm->ctx->add_pmkid(sm->ctx->ctx, network_ctx, bssid, pmkid,
|
return sm->ctx->add_pmkid(sm->ctx->ctx, network_ctx, bssid, pmkid,
|
||||||
cache_id, pmk, pmk_len, pmk_lifetime,
|
cache_id, pmk, pmk_len, pmk_lifetime,
|
||||||
pmk_reauth_threshold);
|
pmk_reauth_threshold, akmp);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int wpa_sm_remove_pmkid(struct wpa_sm *sm, void *network_ctx,
|
static inline int wpa_sm_remove_pmkid(struct wpa_sm *sm, void *network_ctx,
|
||||||
|
@ -154,7 +154,8 @@ static int wpa_supplicant_add_pmkid(void *wpa_s, void *network_ctx,
|
|||||||
const u8 *bssid, const u8 *pmkid,
|
const u8 *bssid, const u8 *pmkid,
|
||||||
const u8 *fils_cache_id,
|
const u8 *fils_cache_id,
|
||||||
const u8 *pmk, size_t pmk_len,
|
const u8 *pmk, size_t pmk_len,
|
||||||
u32 pmk_lifetime, u8 pmk_reauth_threshold)
|
u32 pmk_lifetime, u8 pmk_reauth_threshold,
|
||||||
|
int akmp)
|
||||||
{
|
{
|
||||||
printf("%s - not implemented\n", __func__);
|
printf("%s - not implemented\n", __func__);
|
||||||
return -1;
|
return -1;
|
||||||
|
@ -575,7 +575,8 @@ static int wpa_supplicant_add_pmkid(void *_wpa_s, void *network_ctx,
|
|||||||
const u8 *bssid, const u8 *pmkid,
|
const u8 *bssid, const u8 *pmkid,
|
||||||
const u8 *fils_cache_id,
|
const u8 *fils_cache_id,
|
||||||
const u8 *pmk, size_t pmk_len,
|
const u8 *pmk, size_t pmk_len,
|
||||||
u32 pmk_lifetime, u8 pmk_reauth_threshold)
|
u32 pmk_lifetime, u8 pmk_reauth_threshold,
|
||||||
|
int akmp)
|
||||||
{
|
{
|
||||||
struct wpa_supplicant *wpa_s = _wpa_s;
|
struct wpa_supplicant *wpa_s = _wpa_s;
|
||||||
struct wpa_ssid *ssid;
|
struct wpa_ssid *ssid;
|
||||||
@ -583,9 +584,22 @@ static int wpa_supplicant_add_pmkid(void *_wpa_s, void *network_ctx,
|
|||||||
|
|
||||||
os_memset(¶ms, 0, sizeof(params));
|
os_memset(¶ms, 0, sizeof(params));
|
||||||
ssid = wpas_get_network_ctx(wpa_s, network_ctx);
|
ssid = wpas_get_network_ctx(wpa_s, network_ctx);
|
||||||
if (ssid)
|
if (ssid) {
|
||||||
wpa_msg(wpa_s, MSG_INFO, PMKSA_CACHE_ADDED MACSTR " %d",
|
wpa_msg(wpa_s, MSG_INFO, PMKSA_CACHE_ADDED MACSTR " %d",
|
||||||
MAC2STR(bssid), ssid->id);
|
MAC2STR(bssid), ssid->id);
|
||||||
|
if ((akmp == WPA_KEY_MGMT_FT_IEEE8021X ||
|
||||||
|
akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384) &&
|
||||||
|
!ssid->ft_eap_pmksa_caching) {
|
||||||
|
/* Since we will not be using PMKSA caching for FT-EAP
|
||||||
|
* within wpa_supplicant to avoid known interop issues
|
||||||
|
* with APs, do not add this PMKID to the driver either
|
||||||
|
* so that we won't be hitting those interop issues
|
||||||
|
* with driver-based RSNE generation. */
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"FT: Do not add PMKID entry to the driver since FT-EAP PMKSA caching is not enabled in configuration");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
if (ssid && fils_cache_id) {
|
if (ssid && fils_cache_id) {
|
||||||
params.ssid = ssid->ssid;
|
params.ssid = ssid->ssid;
|
||||||
params.ssid_len = ssid->ssid_len;
|
params.ssid_len = ssid->ssid_len;
|
||||||
|
Loading…
Reference in New Issue
Block a user