From: Jouni Malinen Date: Fri, 28 Feb 2020 15:26:36 +0000 (+0200) Subject: SAE: Do not clone PMKSA entry for OKC after its reauth threshold X-Git-Tag: hostap_2_10~1736 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb93ea234e4bfb3589c0b79d60e56c76ae56fb13;p=thirdparty%2Fhostap.git SAE: Do not clone PMKSA entry for OKC after its reauth threshold Since SAE PMK can be updated only by going through a new SAE authentication instead of being able to update it during an association like EAP authentication, do not allow PMKSA entries to be used for OKC after the reauthentication threshold has been reached. This allows the PMK to be updated without having to force a disassociation when the PMK expires if the station roams between the reauthentication threshold and expiration timeout. Signed-off-by: Jouni Malinen --- diff --git a/src/rsn_supp/pmksa_cache.c b/src/rsn_supp/pmksa_cache.c index 862fdec02..c48cd318d 100644 --- a/src/rsn_supp/pmksa_cache.c +++ b/src/rsn_supp/pmksa_cache.c @@ -416,6 +416,20 @@ pmksa_cache_get_opportunistic(struct rsn_pmksa_cache *pmksa, void *network_ctx, while (entry) { if (entry->network_ctx == network_ctx && (!akmp || entry->akmp == akmp)) { + struct os_reltime now; + + if (wpa_key_mgmt_sae(entry->akmp) && + os_get_reltime(&now) == 0 && + entry->reauth_time < now.sec) { + wpa_printf(MSG_DEBUG, + "RSN: Do not clone PMKSA cache entry for " + MACSTR + " since its reauth threshold has passed", + MAC2STR(entry->aa)); + entry = entry->next; + continue; + } + entry = pmksa_cache_clone_entry(pmksa, entry, aa); if (entry) { wpa_printf(MSG_DEBUG, "RSN: added "
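Review bot: In the new SAE check inside the while loop of pmksa_cache_get_opportunistic(), the condition `os_get_reltime(&now) == 0 && entry->reauth_time < now.sec` fails open: if os_get_reltime() returns non-zero, the whole condition is false and the entry is still cloned for OKC without its reauth threshold having been evaluated. If that is intended, a short comment saying so would help. Otherwise, consider skipping SAE entries when the time cannot be read. The time is also fetched again for every matching entry. Reading it once before the loop would give all entries the same reference time and keep the loop body shorter. Finally, the skip is keyed on `entry->akmp`, not the `akmp` argument, so it also applies when the caller passes akmp == 0. A sentence in the function's comment noting that SAE entries past their reauth threshold are never returned would make this visible to callers.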