RSN: Do not add PMKSA candidates unnecessarily
authorJouni Malinen <j@w1.fi>
Wed, 1 Jan 2020 09:26:52 +0000 (11:26 +0200)
committerJouni Malinen <j@w1.fi>
Wed, 1 Jan 2020 10:26:24 +0000 (12:26 +0200)
Add PMKSA candidates from scan results only if they advertise an AKMP
that is used with RSN pre-authentication. Previously, candidates were
added but then ignored later if the AKMP was not suitable.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/rsn_supp/preauth.c

index d0c43f464e27d4cdf017a7be1ce5f5eb59e7bb9a..a7ca2ed8b76526da523c7c9176ac3826e744be32 100644 (file)
@@ -49,6 +49,15 @@ void pmksa_candidate_free(struct wpa_sm *sm)
 }
 
 
+static int rsn_preauth_key_mgmt(int akmp)
+{
+       return !!(akmp & (WPA_KEY_MGMT_IEEE8021X |
+                         WPA_KEY_MGMT_IEEE8021X_SHA256 |
+                         WPA_KEY_MGMT_IEEE8021X_SUITE_B |
+                         WPA_KEY_MGMT_IEEE8021X_SUITE_B_192));
+}
+
+
 static void rsn_preauth_receive(void *ctx, const u8 *src_addr,
                                const u8 *buf, size_t len)
 {
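Review bot: The new helper rsn_preauth_key_mgmt() has no comment saying what `akmp` may hold, although the two call sites in this commit pass it different things: the AKM negotiated for the current association (`sm->key_mgmt`) and the AKM set parsed from a scan result (`ie.key_mgmt`). Because the test is `akmp & (...)`, any value with at least one of the four IEEE 802.1X bits set is accepted, which is worth stating. I would add above the function: `/* Return 1 if akmp (a single AKM or a bitmask of WPA_KEY_MGMT_* values) includes an IEEE 802.1X AKM that is used with RSN pre-authentication, 0 otherwise. */`. The trailing context, rsn_preauth_receive(), continues outside the hunk.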
@@ -311,10 +320,7 @@ void rsn_preauth_candidate_process(struct wpa_sm *sm)
        if (sm->preauth_eapol ||
            sm->proto != WPA_PROTO_RSN ||
            wpa_sm_get_state(sm) != WPA_COMPLETED ||
-           (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
-            sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SHA256 &&
-            sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B &&
-            sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)) {
+           !rsn_preauth_key_mgmt(sm->key_mgmt)) {
                wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: not in suitable "
                        "state for new pre-authentication");
                return; /* invalid state for new pre-auth */
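Review bot: The replacement condition `!rsn_preauth_key_mgmt(sm->key_mgmt)` is not literally the same test as the four removed comparisons. Those required `sm->key_mgmt` to equal one of the 802.1X AKMs, while the helper accepts any value that has one of those bits set. The two agree as long as `sm->key_mgmt` holds exactly one negotiated AKM once the state is WPA_COMPLETED, which looks intended but cannot be confirmed from the lines shown. A short comment next to the call would record that assumption, e.g. `/* sm->key_mgmt is the single negotiated AKM here, so the bitmask test matches the earlier equality checks */`. rsn_preauth_candidate_process() starts and ends outside the hunk.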
@@ -488,6 +494,9 @@ void rsn_preauth_scan_result(struct wpa_sm *sm, const u8 *bssid,
                      !(ie.capabilities & WPA_CAPABILITY_PREAUTH)))
                return;
 
+       if (!rsn_preauth_key_mgmt(ie.key_mgmt))
+               return;
+
        /* Give less priority to candidates found from normal scan results. */
        pmksa_candidate_add(sm, bssid, PMKID_CANDIDATE_PRIO_SCAN,
                            ie.capabilities & WPA_CAPABILITY_PREAUTH);
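Review bot: The added early return `if (!rsn_preauth_key_mgmt(ie.key_mgmt)) return;` has no comment explaining why the BSS is skipped, unlike the pmksa_candidate_add() call below it. It also tests what the scanned BSS advertises rather than what the station negotiated, so it only filters the candidate list. The `sm->key_mgmt` check kept in rsn_preauth_candidate_process() is still the one that decides whether pre-authentication runs, and should not be treated as redundant. I would add: `/* Skip BSSes that do not advertise an IEEE 802.1X AKM; this only filters candidates, the negotiated AKM is checked in rsn_preauth_candidate_process() */`. rsn_preauth_scan_result() begins before and ends after the hunk.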