From 74db49d74c4b6481b42c48e7a0577fa8087ccf3b Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 28 Feb 2020 17:41:07 +0200 Subject: [PATCH] SAE: Do not use PMKSA entry after its reauth threshold Since SAE PMK can be updated only by going through a new SAE authentication instead of being able to update it during an association like EAP authentication, do not allow PMKSA entries to be used for caching after the reauthentication threshold has been reached. This allows the PMK to be updated without having to force a disassociation when the PMK expires if the station roams between the reauthentication threshold and expiration timeout. Signed-off-by: Jouni Malinen
---
 src/rsn_supp/pmksa_cache.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c
index c48cd318d..9c970f811 100644
--- a/src/rsn_supp/pmksa_cache.c
+++ b/src/rsn_supp/pmksa_cache.c
@@ -533,6 +533,20 @@ int pmksa_cache_set_current(struct wpa_sm *sm, const u8 *pmkid,
 network_ctx, fils_cache_id);
 if (sm->cur_pmksa) {
+ struct os_reltime now;
+
+ if (wpa_key_mgmt_sae(sm->cur_pmksa->akmp) &&
+ os_get_reltime(&now) == 0 &&
+ sm->cur_pmksa->reauth_time < now.sec) {
+ wpa_printf(MSG_DEBUG,
+ "RSN: Do not allow PMKSA cache entry for "
+ MACSTR
+ " to be used for SAE since its reauth threshold has passed",
+ MAC2STR(sm->cur_pmksa->aa));
+ sm->cur_pmksa = NULL;
+ return -1;
+ }
+
 wpa_hexdump(MSG_DEBUG, "RSN: PMKSA cache entry found - PMKID", sm->cur_pmksa->pmkid, PMKID_LEN);
 return 0;
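Review bot: The new SAE check fails open when the clock read fails: with `os_get_reltime(&now) == 0 &&` in the condition, a non-zero return skips the threshold test and the cached entry is accepted exactly as before the patch. Falling back to a full SAE authentication is the safe outcome, so consider treating a failed read as past the threshold, e.g. `(os_get_reltime(&now) != 0 || sm->cur_pmksa->reauth_time < now.sec)` as the second operand. A short comment above the `if`, such as `/* SAE PMK can only be refreshed by a new SAE authentication, so stop using the cached entry once the reauth threshold has passed */`, would keep the rationale from the commit message next to the code. The guard sits only in pmksa_cache_set_current(), whose body starts and ends outside the hunk, so whether other PMKSA lookup paths need the same check cannot be judged from here.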