Work around broken AP PMKSA caching implementation

An interoperability issue with a deployed AP has been identified where
the connection fails due to that AP failing to operate correctly if
PMKID is included in the Association Request frame. To work around this,
allow EAPOL-Start packet to be transmitted on startWhen reaching 0 even
when trying to use PMKSA caching. In practice, this allows fallback to
full EAP authentication if the AP/Authenticator takes more than 1-2
seconds to initiate 4-way handshake for PMKSA caching or full EAP
authentication if there was no PMKSA cache match.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index 350b1229b645ffd7f5e816dd3215271b808f2ac0..09b59612426755c11dedff4bac11fcf0289a3b1b 100644 (file)
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -142,11 +142,29 @@ static int wpa_supplicant_eapol_send(void *ctx, int type, const u8 *buf,
 
        if (pmksa_cache_get_current(wpa_s->wpa) &&
            type == IEEE802_1X_TYPE_EAPOL_START) {
-               /* Trying to use PMKSA caching - do not send EAPOL-Start frames
-                * since they will trigger full EAPOL authentication. */
-               wpa_printf(MSG_DEBUG, "RSN: PMKSA caching - do not send "
-                          "EAPOL-Start");
-               return -1;
+               /*
+                * We were trying to use PMKSA caching and sending EAPOL-Start
+                * would abort that and trigger full EAPOL authentication.
+                * However, we've already waited for the AP/Authenticator to
+                * start 4-way handshake or EAP authentication, and apparently
+                * it has not done so since the startWhen timer has reached zero
+                * to get the state machine sending EAPOL-Start. This is not
+                * really supposed to happen, but an interoperability issue with
+                * a deployed AP has been identified where the connection fails
+                * due to that AP failing to operate correctly if PMKID is
+                * included in the Association Request frame. To work around
+                * this, assume PMKSA caching failed and try to initiate full
+                * EAP authentication.
+                */
+               if (!wpa_s->current_ssid ||
+                   wpa_s->current_ssid->eap_workaround) {
+                       wpa_printf(MSG_DEBUG,
+                                  "RSN: Timeout on waiting for the AP to initiate 4-way handshake for PMKSA caching or EAP authentication - try to force it to start EAP authentication");
+               } else {
+                       wpa_printf(MSG_DEBUG,
+                                  "RSN: PMKSA caching - do not send EAPOL-Start");
+                       return -1;
+               }
        }
 
        if (is_zero_ether_addr(wpa_s->bssid)) {