SAE: Fix default PMK configuration for PMKSA caching case
authorJouni Malinen <j@w1.fi>
Sun, 8 Apr 2018 16:55:52 +0000 (19:55 +0300)
committerJouni Malinen <j@w1.fi>
Mon, 9 Apr 2018 10:10:08 +0000 (13:10 +0300)
The RSN supplicant state machine PMK was set based on WPA PSK even for
the cases where SAE would be used. If the AP allows PMKSA caching to be
used with SAE, but does not indicate the selected PMKID explicitly in
EAPOL-Key msg 1/4, this could result in trying to use the PSK instead of
SAE PMK. Fix this by not setting the WPA-PSK as the default PMK for SAE
network profiles and instead configuring the PMK explicitly from the
found PMKSA cache entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant/sme.c
wpa_supplicant/wpa_supplicant.c

index b4b1c64294002e417504855685ef604465255af8..460e4e6a70b0388af2e88d8fce665bab3f24bd09 100644 (file)
@@ -551,6 +551,7 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
                                    NULL) == 0) {
                wpa_dbg(wpa_s, MSG_DEBUG,
                        "PMKSA cache entry found - try to use PMKSA caching instead of new SAE authentication");
+               wpa_sm_set_pmk_from_pmksa(wpa_s->wpa);
                params.auth_alg = WPA_AUTH_ALG_OPEN;
                wpa_s->sme.sae_pmksa_caching = 1;
        }
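Review bot: The result of `wpa_sm_set_pmk_from_pmksa(wpa_s->wpa)` is discarded, and the call silently depends on the `pmksa_cache_set_current()` condition directly above having just selected a current entry; nothing in the hunk records that ordering. A comment at the call would help the next reader: `/* Install the cached PMK now: set_suites() no longer seeds the PSK for SAE-only profiles, so the RSN state machine would otherwise have no PMK if msg 1/4 arrives without a PMKID */`. If the helper can report that no PMK was installed (it appears to return an int elsewhere in the tree), falling back to a fresh SAE authentication instead of continuing with `WPA_AUTH_ALG_OPEN` would be safer than ignoring it. sme_send_authentication begins and ends outside this hunk.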
index c0922d39e32f476c26aae41e81206a297f368a37..9808640eac1c752191b7ff5fc2adedd758d7b9d2 100644 (file)
@@ -1466,8 +1466,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
 
        if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt)) {
                int psk_set = 0;
+               int sae_only;
 
-               if (ssid->psk_set) {
+               sae_only = (ssid->key_mgmt & (WPA_KEY_MGMT_PSK |
+                                             WPA_KEY_MGMT_FT_PSK |
+                                             WPA_KEY_MGMT_PSK_SHA256)) == 0;
+
+               if (ssid->psk_set && !sae_only) {
                        wpa_hexdump_key(MSG_MSGDUMP, "PSK (set in config)",
                                        ssid->psk, PMK_LEN);
                        wpa_sm_set_pmk(wpa_s->wpa, ssid->psk, PMK_LEN, NULL,
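Review bot: `sae_only` is defined by the absence of the three PSK AKM bits rather than by a positive SAE test, and the reason the PSK must then not be installed is only given in the commit message, not in the code. A comment at the assignment would carry the rationale for this guard and for the same `!sae_only` guards in the following PBKDF2 and `CONFIG_EXT_PASSWORD` hunks: `/* Only SAE AKMs enabled: do not install the PSK as the default PMK, or it would be used instead of the SAE/PMKSA PMK when EAPOL-Key msg 1/4 carries no PMKID */`. Note that any PSK-style AKM bit added later would be classified as SAE-only by this exclusion test unless the mask is updated. wpa_supplicant_set_suites continues outside the hunk.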
@@ -1475,12 +1480,13 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
                        psk_set = 1;
                }
 
-               if (wpa_key_mgmt_sae(ssid->key_mgmt) && ssid->sae_password)
+               if (wpa_key_mgmt_sae(ssid->key_mgmt) &&
+                   (ssid->sae_password || ssid->passphrase))
                        psk_set = 1;
 
 #ifndef CONFIG_NO_PBKDF2
                if (bss && ssid->bssid_set && ssid->ssid_len == 0 &&
-                   ssid->passphrase) {
+                   ssid->passphrase && !sae_only) {
                        u8 psk[PMK_LEN];
                        pbkdf2_sha1(ssid->passphrase, bss->ssid, bss->ssid_len,
                                    4096, psk, PMK_LEN);
@@ -1492,7 +1498,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
                }
 #endif /* CONFIG_NO_PBKDF2 */
 #ifdef CONFIG_EXT_PASSWORD
-               if (ssid->ext_psk) {
+               if (ssid->ext_psk && !sae_only) {
                        struct wpabuf *pw = ext_password_get(wpa_s->ext_pw,
                                                             ssid->ext_psk);
                        char pw_str[64 + 1];
@@ -1561,6 +1567,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
                if (!psk_set) {
                        wpa_msg(wpa_s, MSG_INFO,
                                "No PSK available for association");
+                       wpas_auth_failed(wpa_s, "NO_PSK_AVAILABLE");
                        return -1;
                }
 #ifdef CONFIG_OWE
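Review bot: The new `wpas_auth_failed(wpa_s, "NO_PSK_AVAILABLE")` turns a configuration problem (no usable PSK or password) into an authentication failure, which presumably feeds the network's failure counter and temporary-disable logic; the intent is not stated in the hunk. A one-line comment would make it clear this is deliberate rather than accidental: `/* Treat a missing PSK/password as an auth failure so the profile is backed off instead of retried immediately */`. The `return -1` path is otherwise unchanged and the enclosing function continues outside the hunk.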