From: Michael Braun <michael-dev@xxxxxxxxxxxxx>
Avoid keeping an PMK-R1 for indefinite time.
Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx>
---
 hostapd/config_file.c | 2 ++
 hostapd/hostapd.conf | 5 +++++
 src/ap/ap_config.h | 1 +
 src/ap/wpa_auth.h | 1 +
 src/ap/wpa_auth_ft.c | 4 ++++
 src/ap/wpa_auth_glue.c | 1 +
 6 files changed, 14 insertions(+)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 2b9727b..34d9fa6 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2548,6 +2548,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 }
 } else if (os_strcmp(buf, "r0_key_lifetime") == 0) {
 bss->r0_key_lifetime = atoi(pos);
+ } else if (os_strcmp(buf, "r1_max_key_lifetime") == 0) {
+ bss->r1_max_key_lifetime = atoi(pos);
 } else if (os_strcmp(buf, "reassociation_deadline") == 0) {
 bss->reassociation_deadline = atoi(pos);
 } else if (os_strcmp(buf, "rkh_pos_timeout") == 0) {
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 631f0e0..d1fe3d8 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1278,6 +1278,11 @@ own_ip_addr=127.0.0.1
 # (dot11FTR0KeyLifetime)
 #r0_key_lifetime=10000
 
+# maximum lifetime for PMK-R1; applied only if != 0
+# PMK-R1 is removed at least after this limit.
+# Removing any PMK-R1 for expiry can be disabled by setting this to -1
+#r1_max_key_lifetime=0
+
 # PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
 # 6-octet identifier as a hex string.
 # Defaults to BSSID.
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 2143fc3..d166e10 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -346,6 +346,7 @@ struct hostapd_bss_config {
 int pmk_r1_push;
 int ft_over_ds;
 int ft_psk_generate_local;
+ int r1_max_key_lifetime;
 #endif /* CONFIG_IEEE80211R */
 
 char *ctrl_interface; /* directory for UNIX domain sockets */
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 63178c9..0a6c07b 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
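Review bot: `bss->r1_max_key_lifetime = atoi(pos);` stores whatever integer the line contains, yet the option has three distinct meanings (0 = off, -1 = never expire, positive = cap), so a typo or a value such as -5 is accepted silently and, with the check added in wpa_auth_ft.c, behaves exactly like -1. Rejecting values below -1 with the error-and-return pattern the neighbouring options in hostapd_config_fill appear to use would make the misconfiguration visible, e.g. `if (bss->r1_max_key_lifetime < -1) { wpa_printf(MSG_ERROR, "Line %d: invalid r1_max_key_lifetime", line); return 1; }`. Matching the surrounding atoi() style is understandable, but this option is the only one here where a negative value changes security behaviour. hostapd_config_fill starts and ends outside this hunk.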
@@ -203,6 +203,7 @@ struct wpa_auth_config {
 int rkh_neg_timeout;
 int rkh_pull_timeout; /* ms */
 int rkh_pull_retries;
+ int r1_max_key_lifetime;
 u32 reassociation_deadline;
 struct ft_remote_r0kh **r0kh_list;
 struct ft_remote_r1kh **r1kh_list;
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 07b0b09..7e7ad25 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -512,12 +512,16 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
 const u8 *radius_cui, u8 radius_cui_len)
 {
 struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
+ int maxExpiresIn = wpa_auth->conf.r1_max_key_lifetime;
 struct wpa_ft_pmk_r1_sa *r1;
 struct os_reltime now;
 
 /* TODO: add expiration and limit on number of entries in cache */
 os_get_reltime(&now);
 
+ if (maxExpiresIn && (maxExpiresIn < expiresIn || expiresIn == 0))
+ expiresIn = maxExpiresIn;
+
 r1 = os_zalloc(sizeof(*r1));
 if (r1 == NULL)
 return -1;
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index 7a6fd26..3133713 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -77,6 +77,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
 }
 os_memcpy(wconf->r1_key_holder, conf->r1_key_holder, FT_R1KH_ID_LEN);
 wconf->r0_key_lifetime = conf->r0_key_lifetime;
+ wconf->r1_max_key_lifetime = conf->r1_max_key_lifetime;
 wconf->reassociation_deadline = conf->reassociation_deadline;
 wconf->rkh_pos_timeout = conf->rkh_pos_timeout;
 wconf->rkh_neg_timeout = conf->rkh_neg_timeout;
-- 
1.9.1

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
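Review bot: The added guard `if (maxExpiresIn && (maxExpiresIn < expiresIn || expiresIn == 0))` fires for every negative setting, because a negative maxExpiresIn is always less than a non-negative expiresIn, so r1_max_key_lifetime=-1 replaces an R0KH-supplied finite lifetime with -1 instead of merely declining to shorten it; whether that then means "never expire" depends on how the rest of wpa_ft_store_pmk_r1, outside this hunk, treats a negative expiresIn. Given the commit's stated goal of not keeping a PMK-R1 indefinitely, the negative mode deserves an explicit branch and comment, for example `if (maxExpiresIn > 0 && (expiresIn <= 0 || maxExpiresIn < expiresIn))` so that a zero or negative setting leaves the R0KH value alone, or, if discarding the R0KH lifetime is really intended for -1, a comment above the check saying so. The `/* TODO: add expiration and limit on number of entries in cache */` comment two lines above now describes only half of what is missing and should be reworded to the remaining entry-count limit. The unit of the new option is stated nowhere in the patch; since it is compared directly with expiresIn, the wpa_auth.h field (whose neighbour rkh_pull_timeout carries `/* ms */`) or the hostapd.conf entry should say it is in the same unit as expiresIn.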