From 04a0e6304b2ff09a0ca708a8a32385e2e8a2956d Mon Sep 17 00:00:00 2001
From: Sarvesh Bodakhe
Date: Sat, 19 Apr 2025 16:39:55 +0530
Subject: [PATCH] fix(wifi): Fix wrong PMKSA cache entry being used when wifi password is changed
Co-authored-by: yinqingzhao
---
 components/esp_wifi/include/esp_wifi_types_generic.h | 4 ++--
 components/esp_wifi/lib | 2 +-
 .../esp_supplicant/src/esp_wifi_driver.h | 7 ++++---
 .../wpa_supplicant/esp_supplicant/src/esp_wpa_main.c | 10 +++++++++-
 components/wpa_supplicant/src/rsn_supp/wpa.c | 10 ++++++++--
 components/wpa_supplicant/src/rsn_supp/wpa.h | 1 +
 6 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/components/esp_wifi/include/esp_wifi_types_generic.h b/components/esp_wifi/include/esp_wifi_types_generic.h
index 59a1b50835..594c941af0 100644
--- a/components/esp_wifi/include/esp_wifi_types_generic.h
+++ b/components/esp_wifi/include/esp_wifi_types_generic.h
@@ -333,7 +333,7 @@ typedef enum {
 * @brief Structure describing parameters for a Wi-Fi fast scan
 */
 typedef struct {
- int8_t rssi; /**< The minimum rssi to accept in the fast scan mode */
+ int8_t rssi; /**< The minimum rssi to accept in the fast scan mode. Defaults to -127 if set to >= 0 */
 wifi_auth_mode_t authmode; /**< The weakest auth mode to accept in the fast scan mode Note: In case this value is not set and password is set as per WPA2 standards(password len >= 8), it will be defaulted to WPA2 and device won't connect to deprecated WEP/WPA networks. Please set auth mode threshold as WIFI_AUTH_WEP/WIFI_AUTH_WPA_PSK to connect to WEP/WPA networks */
 } wifi_scan_threshold_t;
@@ -427,7 +427,7 @@ typedef struct {
 wifi_scan_method_t scan_method; /**< Do all channel scan or fast scan */
 bool bssid_set; /**< Whether set MAC address of target AP or not. Generally, station_config.bssid_set needs to be 0; and it needs to be 1 only when users need to check the MAC address of the AP.*/
 uint8_t bssid[6]; /**< MAC address of target AP*/
- uint8_t channel; /**< Channel of target AP. Set to 1~13 to scan starting from the specified channel before connecting to AP. If the channel of AP is unknown, set it to 0.*/
+ uint8_t channel; /**< Channel hint for target AP. Set to 1~13 to scan starting from the specified channel before connecting to AP. Set to 0 for no preference */
 uint16_t listen_interval; /**< Listen interval for ESP32 station to receive beacon when WIFI_PS_MAX_MODEM is set. Units: AP beacon intervals. Defaults to 3 if set to 0. */
 wifi_sort_method_t sort_method; /**< Sort the connect AP in the list by rssi or security mode */
 wifi_scan_threshold_t threshold; /**< When scan_threshold is set, only APs which have an auth mode that is more secure than the selected auth mode and a signal stronger than the minimum RSSI will be used. */
diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib
index 50d28dbf98..d1e2500da3 160000
--- a/components/esp_wifi/lib
+++ b/components/esp_wifi/lib
@@ -1 +1 @@
-Subproject commit 50d28dbf9848f20bfe7cd1e59d816940f35f4c3b
+Subproject commit d1e2500da379bdcc4ae06a893b3115131b0f88cf
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h b/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h
index 006083b433..ef6ed2c58d 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_wifi_driver.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -145,6 +145,7 @@ struct wpa_funcs {
 uint8_t *(*owe_build_dhie)(uint16_t group);
 int (*owe_process_assoc_resp)(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_ie, size_t dh_len);
 void (*wpa_sta_clear_curr_pmksa)(void);
+ void (*wpa_config_reload)(void);
 };
 struct wpa2_funcs {
@@ -222,7 +223,7 @@ uint8_t esp_wifi_ap_get_prof_authmode_internal(void);
 uint8_t esp_wifi_sta_get_prof_authmode_internal(void);
 uint8_t *esp_wifi_ap_get_prof_password_internal(void);
 struct wifi_ssid *esp_wifi_sta_get_prof_ssid_internal(void);
-uint8_t esp_wifi_sta_get_reset_param_internal(void);
+uint8_t esp_wifi_sta_get_reset_nvs_pmk_internal(void);
 uint8_t esp_wifi_sta_get_pairwise_cipher_internal(void);
 uint8_t esp_wifi_sta_get_group_cipher_internal(void);
 bool esp_wifi_sta_prof_is_wpa_internal(void);
@@ -242,7 +243,7 @@ int esp_wifi_set_sta_key_internal(int alg, u8 *addr, int key_idx, int set_tx,
 int esp_wifi_get_sta_key_internal(uint8_t *ifx, int *alg, u8 *addr, int *key_idx, u8 *key, size_t key_len, enum key_flag key_flag);
 bool esp_wifi_wpa_ptk_init_done_internal(uint8_t *mac);
-uint8_t esp_wifi_sta_set_reset_param_internal(uint8_t reset_flag);
+uint8_t esp_wifi_sta_set_reset_nvs_pmk_internal(uint8_t reset_flag);
 uint8_t esp_wifi_get_sta_gtk_index_internal(void);
 int esp_wifi_register_tx_cb_internal(wifi_tx_cb_t fn, u8 id);
 int esp_wifi_register_eapol_txdonecb_internal(eapol_txcb_t fn);
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c
index 80ec4edd6a..21b9a60049 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
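Review bot: The new `wpa_config_reload` slot in `struct wpa_funcs` (esp_wifi_driver.h, hunk at -145) carries no comment on when the Wi-Fi driver calls it or what the supplicant must do in response, although discarding cached PMKSA state is the security-relevant part of its contract. I would put a one-line comment above the member, for example `/* Invoked by the Wi-Fi driver on a station config reload; implementation must drop cached PMKSA entries */`, with the exact trigger confirmed against the driver since it is not visible in this patch. The table appears to be consumed by the library bumped in `components/esp_wifi/lib`, so it is worth confirming that the consumer checks the pointer for NULL before calling it, in case another code path fills `wpa_funcs` without setting this member. The struct definition starts outside the hunk.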
@@ -40,6 +40,7 @@
 #include "ap/sta_info.h"
 #include "wps/wps_defs.h"
 #include "wps/wps.h"
+#include "rsn_supp/pmksa_cache.h"
 #ifdef CONFIG_DPP
 #include "common/dpp.h"
@@ -443,6 +444,12 @@ fail:
 }
 #endif
+static void wpa_config_reload(void)
+{
+ struct wpa_sm *sm = &gWpaSm;
+ wpa_sm_pmksa_cache_flush(sm, NULL);
+}
+
 int esp_supplicant_init(void)
 {
 int ret = ESP_OK;
@@ -480,6 +487,7 @@ int esp_supplicant_init(void)
 wpa_cb->wpa_michael_mic_failure = wpa_michael_mic_failure;
 wpa_cb->wpa_config_done = wpa_config_done;
 wpa_cb->wpa_sta_clear_curr_pmksa = wpa_sta_clear_curr_pmksa;
+ wpa_cb->wpa_config_reload = wpa_config_reload;
 esp_wifi_register_wpa3_ap_cb(wpa_cb);
 esp_wifi_register_wpa3_cb(wpa_cb);
diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.c b/components/wpa_supplicant/src/rsn_supp/wpa.c
index d05b4afa82..6161d0b8c1 100644
--- a/components/wpa_supplicant/src/rsn_supp/wpa.c
+++ b/components/wpa_supplicant/src/rsn_supp/wpa.c
@@ -2471,7 +2471,7 @@ wpa_set_passphrase(char * passphrase, u8 *ssid, size_t ssid_len)
 return;
 /* This is really SLOW, so just re cacl while reset param */
- if (esp_wifi_sta_get_reset_param_internal() != 0) {
+ if (esp_wifi_sta_get_reset_nvs_pmk_internal() != 0) {
 // check it's psk
 if (strlen((char *)esp_wifi_sta_get_prof_password_internal()) == 64) {
 if (hexstr2bin((char *)esp_wifi_sta_get_prof_password_internal(),
@@ -2482,7 +2482,7 @@ wpa_set_passphrase(char * passphrase, u8 *ssid, size_t ssid_len)
 4096, esp_wifi_sta_get_ap_info_prof_pmk_internal(), PMK_LEN);
 }
 esp_wifi_sta_update_ap_info_internal();
- esp_wifi_sta_set_reset_param_internal(0);
+ esp_wifi_sta_set_reset_nvs_pmk_internal(0);
 }
 if (sm->key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
@@ -2994,4 +2994,10 @@ fail:
 return -1;
 }
 #endif // CONFIG_OWE_STA
+
+
+void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx)
+{
+ pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);
+}
 #endif // ESP_SUPPLICANT
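Review bot: `wpa_config_reload()` in esp_wpa_main.c (hunk at -443) passes `NULL` as the network context, which presumably flushes every cached PMKSA rather than only the entry for the reconfigured network, and nothing in the function says this is deliberate. Flushing everything is the safe choice after a credential change, because an entry derived from the old password must not be offered to the AP again, so I would record that intent: `/* Flush all PMKSA entries: any of them may derive from the previous credentials */`. The code that invokes this callback is outside the patch, so it is also worth confirming it fires when only the password changes and SSID/BSSID stay the same, since that is the case the commit title describes.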
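Review bot: `wpa_sm_pmksa_cache_flush()` in wpa.c (hunk at -2994) hands `sm->pmksa` straight to `pmksa_cache_flush()` with no check that the cache exists. The callback that reaches it is registered in `esp_supplicant_init()`, and the patch does not show `sm->pmksa` being created by that point, so if the driver can invoke `wpa_config_reload` before the station state machine has set up its cache, or after it has been torn down, and `pmksa_cache_flush()` dereferences its first argument, this becomes a NULL dereference on a configuration path. A guard makes the flush a no-op in that state: `if (sm && sm->pmksa) pmksa_cache_flush(sm->pmksa, network_ctx, NULL, 0);`. A short header comment stating that a NULL `network_ctx` selects all networks would also help, once confirmed against `pmksa_cache_flush()`, which is not visible here.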
diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.h b/components/wpa_supplicant/src/rsn_supp/wpa.h
index 257735d270..12e0fd7f09 100644
--- a/components/wpa_supplicant/src/rsn_supp/wpa.h
+++ b/components/wpa_supplicant/src/rsn_supp/wpa.h
@@ -133,4 +133,5 @@ int owe_process_assoc_resp(const u8 *rsn_ie, size_t rsn_len, const uint8_t *dh_i
 struct wpabuf *owe_build_assoc_req(struct wpa_sm *sm, u16 group);
+void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx);
 #endif /* WPA_H */