RSN: Do not add PMKSA candidates unnecessarily

Add PMKSA candidates from scan results only if they advertise an AKMP that is used with RSN pre-authentication. Previously, candidates were added but then ignored later if the AKMP was not suitable. Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 11:26:52 +02:00 · 2020-01-01 11:26:52 +02:00 · 568950c6e7
commit 568950c6e7
parent 0d1d1f0d21
1 changed files with 13 additions and 4 deletions
--- a/src/rsn_supp/preauth.c
+++ b/src/rsn_supp/preauth.c
@ -49,6 +49,15 @@ void pmksa_candidate_free(struct wpa_sm *sm)
 }


+static int rsn_preauth_key_mgmt(int akmp)
+{
+	return !!(akmp & (WPA_KEY_MGMT_IEEE8021X |
+			  WPA_KEY_MGMT_IEEE8021X_SHA256 |
+			  WPA_KEY_MGMT_IEEE8021X_SUITE_B |
+			  WPA_KEY_MGMT_IEEE8021X_SUITE_B_192));
+}
+
+
 static void rsn_preauth_receive(void *ctx, const u8 *src_addr,
 				const u8 *buf, size_t len)
 {
@ -311,10 +320,7 @@ void rsn_preauth_candidate_process(struct wpa_sm *sm)
 	if (sm->preauth_eapol ||
 	    sm->proto != WPA_PROTO_RSN ||
 	    wpa_sm_get_state(sm) != WPA_COMPLETED ||
-	    (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
-	     sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SHA256 &&
-	     sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B &&
-	     sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)) {
+	    !rsn_preauth_key_mgmt(sm->key_mgmt)) {
 		wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: not in suitable "
 			"state for new pre-authentication");
 		return; /* invalid state for new pre-auth */
@ -488,6 +494,9 @@ void rsn_preauth_scan_result(struct wpa_sm *sm, const u8 *bssid,
 		      !(ie.capabilities & WPA_CAPABILITY_PREAUTH)))
 		return;

+	if (!rsn_preauth_key_mgmt(ie.key_mgmt))
+		return;
+
 	/* Give less priority to candidates found from normal scan results. */
 	pmksa_candidate_add(sm, bssid, PMKID_CANDIDATE_PRIO_SCAN,
 			    ie.capabilities & WPA_CAPABILITY_PREAUTH);