Commit 4033935dd9 updated
pmksa_cache_flush() function arguments, but forgot to update the wrapper
function for cases where WPA2 or EAP has been disabled in the build.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit c3fea27274 added a call to clear
all other PMKSA cache entries for the same network if the PMKSA cache
entry of the current AP changed. This was needed to fix OKC cases since
the other APs would likely use the new PMK in the future. However, this
ended up clearing entries in cases where that is not desired and this
resulted in needing additional full EAP authentication with networks
that did not support OKC if wpa_supplicant was configured to try to use
it.
Make PMKSA cache entry flushing more limited so that the other entries
are removed only if they used the old PMK that was replaced for the
current AP and only if that PMK had previously been used successfully
(i.e., opportunistic flag was already cleared back to 0 in
wpa_supplicant_key_neg_complete()). This is still enough to fix the
issue described in that older commit while not causing problems for
standard PMKSA caching operations even if OKC is enabled in
wpa_supplicant configuration.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 6aaac006af modified the
pmksa_cache_init() prototype, but forgot to update the empty wrapper
function which is used when PMKSA caching is not included in the build.
Signed-hostap: Jouni Malinen <j@w1.fi>
Expiry can always trigger a deauthentication, but otherwise,
deauthentication should only happen when the *current* cache entry is
removed and not being replaced. It should not happen when the current
PMK just happens to match the PMK of the entry being removed, since
multiple entries can have the same PMK when OKC is used and these
entries are often removed at different times.
This fixes an issue where eviction of the oldest inactive entry due to
adding a newer entry to a full cache caused a deauthentication when the
entry being removed had the same PMK as the current entry.
Signed-hostap: Dan Williams <dcbw@redhat.com>
In case of !defined(IEEE8021X_EAPOL) the definition of the stub
pmksa_cache_get() in rsn_supp/pmksa_cache.h is not correct. This patch
adds the missing argument to the function definition to fix a
regression from commit 96efeeb66b.
Signed-hostap: Antonio Quartulli <ordex@autistici.org>
When looking for PMKSA cache entries to use with a new association, only
accept entries created with the same network block that was used to
create the cache entry.
Signed-hostap: Jouni Malinen <j@w1.fi>
If a network configuration block is removed or modified, flush
all PMKSA cache entries that were created using that network
configuration. Similarly, invalidate EAP state (fast re-auth).
The special case for OKC on wpa_supplicant reconfiguration
(network_ctx pointer change) is now addressed as part of the
PMKSA cache flushing, so it does not need a separate mechanism
for clearing the network_ctx values in the PMKSA cache.
IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for
key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new
AKMPs and clean up AKMP processing with helper functions in defs.h.