SAE: Do not use PMKSA entry after its reauth threshold
authorJouni Malinen <jouni@codeaurora.org>
Fri, 28 Feb 2020 15:41:07 +0000 (17:41 +0200)
committerJouni Malinen <j@w1.fi>
Fri, 28 Feb 2020 16:41:24 +0000 (18:41 +0200)
Since SAE PMK can be updated only by going through a new SAE
authentication instead of being able to update it during an association
like EAP authentication, do not allow PMKSA entries to be used for
caching after the reauthentication threshold has been reached. This
allows the PMK to be updated without having to force a disassociation
when the PMK expires if the station roams between the reauthentication
threshold and expiration timeout.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/rsn_supp/pmksa_cache.c

index c48cd318dd8ea44e9f80b2780770a8bd60f79c3a..9c970f8112348f2507b5c4662dd5575dd44ddafa 100644 (file)
@@ -533,6 +533,20 @@ int pmksa_cache_set_current(struct wpa_sm *sm, const u8 *pmkid,
                                                              network_ctx,
                                                              fils_cache_id);
        if (sm->cur_pmksa) {
+               struct os_reltime now;
+
+               if (wpa_key_mgmt_sae(sm->cur_pmksa->akmp) &&
+                   os_get_reltime(&now) == 0 &&
+                   sm->cur_pmksa->reauth_time < now.sec) {
+                       wpa_printf(MSG_DEBUG,
+                                  "RSN: Do not allow PMKSA cache entry for "
+                                  MACSTR
+                                  " to be used for SAE since its reauth threshold has passed",
+                                  MAC2STR(sm->cur_pmksa->aa));
+                       sm->cur_pmksa = NULL;
+                       return -1;
+               }
+
                wpa_hexdump(MSG_DEBUG, "RSN: PMKSA cache entry found - PMKID",
                            sm->cur_pmksa->pmkid, PMKID_LEN);
                return 0;
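Review bot: The added condition fails open when os_get_reltime() returns non-zero: the `&&` chain short-circuits before the reauth_time comparison, so on a clock read failure the SAE entry is accepted exactly as it was before this change. If that best-effort behaviour is intended, make it explicit with a comment above the `if`, e.g. `/* If the clock cannot be read, keep using the entry rather than failing the association */`; otherwise the failed read should take the same reject path as the passed threshold. The new early `return -1` is also a new failure mode for pmksa_cache_set_current() that its description (outside this hunk) should document: an SAE entry whose reauth threshold has passed is reported as no usable entry and sm->cur_pmksa is cleared, while the entry itself is left in the cache. The function starts before the hunk and its remaining return paths follow after it.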