From 568950c6e7021ae79fd074b06726689d99c0b254 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 1 Jan 2020 11:26:52 +0200
Subject: [PATCH] RSN: Do not add PMKSA candidates unnecessarily

Add PMKSA candidates from scan results only if they advertise an AKMP that is used with RSN pre-authentication. Previously, candidates were added but then ignored later if the AKMP was not suitable.
Signed-off-by: Jouni Malinen
---
 src/rsn_supp/preauth.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/rsn_supp/preauth.c b/src/rsn_supp/preauth.c
index d0c43f464..a7ca2ed8b 100644
--- a/src/rsn_supp/preauth.c
+++ b/src/rsn_supp/preauth.c
@@ -49,6 +49,15 @@ void pmksa_candidate_free(struct wpa_sm *sm)
 }
+static int rsn_preauth_key_mgmt(int akmp)
+{
+ return !!(akmp & (WPA_KEY_MGMT_IEEE8021X |
+ WPA_KEY_MGMT_IEEE8021X_SHA256 |
+ WPA_KEY_MGMT_IEEE8021X_SUITE_B |
+ WPA_KEY_MGMT_IEEE8021X_SUITE_B_192));
+}
+
+
 static void rsn_preauth_receive(void *ctx, const u8 *src_addr, const u8 *buf, size_t len) {
@@ -311,10 +320,7 @@ void rsn_preauth_candidate_process(struct wpa_sm *sm)
 if (sm->preauth_eapol || sm->proto != WPA_PROTO_RSN || wpa_sm_get_state(sm) != WPA_COMPLETED ||
- (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
- sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SHA256 &&
- sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B &&
- sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)) {
+ !rsn_preauth_key_mgmt(sm->key_mgmt)) {
 wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: not in suitable " "state for new pre-authentication"); return; /* invalid state for new pre-auth */
@@ -488,6 +494,9 @@ void rsn_preauth_scan_result(struct wpa_sm *sm, const u8 *bssid,
 !(ie.capabilities & WPA_CAPABILITY_PREAUTH))) return;
+ if (!rsn_preauth_key_mgmt(ie.key_mgmt))
+ return;
+
 /* Give less priority to candidates found from normal scan results. */ pmksa_candidate_add(sm, bssid, PMKID_CANDIDATE_PRIO_SCAN, ie.capabilities & WPA_CAPABILITY_PREAUTH);
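Review bot: `rsn_preauth_key_mgmt()` is added without a comment saying that `akmp` is treated as a bitfield, so it returns 1 when any of the four listed IEEE 802.1X AKMs is set rather than when the value equals one of them. That distinction matters because the same helper is called with both `sm->key_mgmt` and `ie.key_mgmt` later in this patch. A one-line comment above the definition would record it, e.g. `/* Return 1 if akmp has at least one AKM bit that is used with RSN pre-authentication */`.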
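Review bot: The mask test in `!rsn_preauth_key_mgmt(sm->key_mgmt)` is not strictly the same condition as the four removed `!=` comparisons: the old code required `sm->key_mgmt` to equal one of the AKMs, the new code accepts any value with one of those bits set. The two agree only if `sm->key_mgmt` always holds exactly one AKM bit at this point, which is not visible in this hunk (the function starts and ends outside it). If that invariant holds, a short comment next to the call, e.g. `/* sm->key_mgmt is a single negotiated AKM, so the mask test is equivalent */`, would make the refactor safe to read. If it does not hold, a value combining an 802.1X AKM with another AKM would now pass a gate it used to fail.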
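Review bot: The added `ie.key_mgmt` check only tests what the scanned BSS advertises, not whether that AKM matches the one in use on the current association (`sm->key_mgmt`), and nothing at the call site says so. Scan results are unauthenticated input, so this reads as a pruning step for the candidate list rather than a trust decision. The gate in `rsn_preauth_candidate_process()` still decides whether pre-authentication starts. A comment above the new `if` would make that explicit, e.g. `/* Skip BSSes that do not advertise any AKM used with RSN pre-authentication */`. The body of `rsn_preauth_scan_result()` starts and ends outside this hunk.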