Since SAE PMK can be updated only by going through a new SAE
authentication instead of being able to update it during an association
like EAP authentication, do not allow PMKSA entries to be used for OKC
after the reauthentication threshold has been reached. This allows the
PMK to be updated without having to force a disassociation when the PMK
expires if the station roams between the reauthentication threshold and
expiration timeout.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
while (entry) {
if (entry->network_ctx == network_ctx &&
(!akmp || entry->akmp == akmp)) {
+ struct os_reltime now;
+
+ if (wpa_key_mgmt_sae(entry->akmp) &&
+ os_get_reltime(&now) == 0 &&
+ entry->reauth_time < now.sec) {
+ wpa_printf(MSG_DEBUG,
+ "RSN: Do not clone PMKSA cache entry for "
+ MACSTR
+ " since its reauth threshold has passed",
+ MAC2STR(entry->aa));
+ entry = entry->next;
+ continue;
+ }
+
entry = pmksa_cache_clone_entry(pmksa, entry, aa);
if (entry) {
wpa_printf(MSG_DEBUG, "RSN: added "
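Review bot: the added SAE check fails open when the clock cannot be read. In the new condition, `os_get_reltime(&now) == 0 &&` short-circuits on error, so an SAE entry whose reauth threshold has already passed would still reach pmksa_cache_clone_entry() and be used for OKC. Consider treating a failed os_get_reltime() as "threshold passed" for SAE entries, or reading the time once before the while loop and skipping SAE entries if that read failed; hoisting it also avoids one clock read per matching entry. A short comment above the check saying that an SAE PMK can only be updated through a new SAE authentication would keep the reasoning from the commit message next to the code.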