From: Michael Braun <michael-dev@xxxxxxxxxxxxx>
Avoid keeping an PMK-R1 for indefinite time.
Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx>
---
hostapd/config_file.c | 2 ++
hostapd/hostapd.conf | 5 +++++
src/ap/ap_config.h | 1 +
src/ap/wpa_auth.h | 1 +
src/ap/wpa_auth_ft.c | 4 ++++
src/ap/wpa_auth_glue.c | 1 +
6 files changed, 14 insertions(+)
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 5bd0336..e1b5026 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2541,6 +2541,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
}
} else if (os_strcmp(buf, "r0_key_lifetime") == 0) {
bss->r0_key_lifetime = atoi(pos);
+ } else if (os_strcmp(buf, "r1_max_key_lifetime") == 0) {
+ bss->r1_max_key_lifetime = atoi(pos);
} else if (os_strcmp(buf, "reassociation_deadline") == 0) {
bss->reassociation_deadline = atoi(pos);
} else if (os_strcmp(buf, "rkh_pos_timeout") == 0) {
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 811fa58..c749501 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1290,6 +1290,11 @@ own_ip_addr=127.0.0.1
# (dot11FTR0KeyLifetime)
#r0_key_lifetime=10000
+# maximum lifetime for PMK-R1; applied only if != 0
+# PMK-R1 is removed at least after this limit.
+# Removing any PMK-R1 for expiry can be disabled by setting this to -1
+#r1_max_key_lifetime=0
+
# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
# 6-octet identifier as a hex string.
# Defaults to BSSID.
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 8c03504..5aeaa0d 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -344,6 +344,7 @@ struct hostapd_bss_config {
int pmk_r1_push;
int ft_over_ds;
int ft_psk_generate_local;
+ int r1_max_key_lifetime;
#endif /* CONFIG_IEEE80211R */
char *ctrl_interface; /* directory for UNIX domain sockets */
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index aa7920a..3c454ce 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -165,6 +165,7 @@ struct wpa_auth_config {
int rkh_neg_timeout;
int rkh_pull_timeout; /* ms */
int rkh_pull_retries;
+ int r1_max_key_lifetime;
u32 reassociation_deadline;
struct ft_remote_r0kh **r0kh_list;
struct ft_remote_r1kh **r1kh_list;
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 89fbb63..86e6a27 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -763,10 +763,14 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
int expires_in)
{
struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
+ int max_expires_in = wpa_auth->conf.r1_max_key_lifetime;
struct wpa_ft_pmk_r1_sa *r1;
/* TODO: add expiration and limit on number of entries in cache */
+ if (max_expires_in && (max_expires_in < expires_in || expires_in == 0))
+ expires_in = max_expires_in;
+
r1 = os_zalloc(sizeof(*r1));
if (r1 == NULL)
return -1;
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index aca88d2..c29086a 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -68,6 +68,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
}
os_memcpy(wconf->r1_key_holder, conf->r1_key_holder, FT_R1KH_ID_LEN);
wconf->r0_key_lifetime = conf->r0_key_lifetime;
+ wconf->r1_max_key_lifetime = conf->r1_max_key_lifetime;
wconf->reassociation_deadline = conf->reassociation_deadline;
wconf->rkh_pos_timeout = conf->rkh_pos_timeout;
wconf->rkh_neg_timeout = conf->rkh_neg_timeout;
--
2.1.4
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
