mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-01-17 18:34:03 -05:00
Work around broken AP PMKSA caching implementation
An interoperability issue with a deployed AP has been identified where the connection fails due to that AP failing to operate correctly if PMKID is included in the Association Request frame. To work around this, allow EAPOL-Start packet to be transmitted on startWhen reaching 0 even when trying to use PMKSA caching. In practice, this allows fallback to full EAP authentication if the AP/Authenticator takes more than 1-2 seconds to initiate 4-way handshake for PMKSA caching or full EAP authentication if there was no PMKSA cache match. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
b08d5fa793
commit
76db5b6b12
@ -142,11 +142,29 @@ static int wpa_supplicant_eapol_send(void *ctx, int type, const u8 *buf,
|
||||
|
||||
if (pmksa_cache_get_current(wpa_s->wpa) &&
|
||||
type == IEEE802_1X_TYPE_EAPOL_START) {
|
||||
/* Trying to use PMKSA caching - do not send EAPOL-Start frames
|
||||
* since they will trigger full EAPOL authentication. */
|
||||
wpa_printf(MSG_DEBUG, "RSN: PMKSA caching - do not send "
|
||||
"EAPOL-Start");
|
||||
return -1;
|
||||
/*
|
||||
* We were trying to use PMKSA caching and sending EAPOL-Start
|
||||
* would abort that and trigger full EAPOL authentication.
|
||||
* However, we've already waited for the AP/Authenticator to
|
||||
* start 4-way handshake or EAP authentication, and apparently
|
||||
* it has not done so since the startWhen timer has reached zero
|
||||
* to get the state machine sending EAPOL-Start. This is not
|
||||
* really supposed to happen, but an interoperability issue with
|
||||
* a deployed AP has been identified where the connection fails
|
||||
* due to that AP failing to operate correctly if PMKID is
|
||||
* included in the Association Request frame. To work around
|
||||
* this, assume PMKSA caching failed and try to initiate full
|
||||
* EAP authentication.
|
||||
*/
|
||||
if (!wpa_s->current_ssid ||
|
||||
wpa_s->current_ssid->eap_workaround) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"RSN: Timeout on waiting for the AP to initiate 4-way handshake for PMKSA caching or EAP authentication - try to force it to start EAP authentication");
|
||||
} else {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"RSN: PMKSA caching - do not send EAPOL-Start");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (is_zero_ether_addr(wpa_s->bssid)) {
|
||||
|
Loading…
Reference in New Issue
Block a user