Avoid keeping an PMK-R1 for indefinite time. Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx> --- hostapd/config_file.c | 2 ++ hostapd/hostapd.conf | 5 +++++ src/ap/ap_config.h | 1 + src/ap/wpa_auth.h | 1 + src/ap/wpa_auth_ft.c | 4 ++++ src/ap/wpa_auth_glue.c | 1 + 6 files changed, 14 insertions(+) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 5bd0336..e1b5026 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -2541,6 +2541,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, } } else if (os_strcmp(buf, "r0_key_lifetime") == 0) { bss->r0_key_lifetime = atoi(pos); + } else if (os_strcmp(buf, "r1_max_key_lifetime") == 0) { + bss->r1_max_key_lifetime = atoi(pos); } else if (os_strcmp(buf, "reassociation_deadline") == 0) { bss->reassociation_deadline = atoi(pos); } else if (os_strcmp(buf, "rkh_pos_timeout") == 0) { diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index 811fa58..c749501 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -1290,6 +1290,11 @@ own_ip_addr=127.0.0.1 # (dot11FTR0KeyLifetime) #r0_key_lifetime=10000 +# maximum lifetime for PMK-R1; applied only if != 0 +# PMK-R1 is removed at least after this limit. +# Removing any PMK-R1 for expiry can be disabled by setting this to -1 +#r1_max_key_lifetime=0 + # PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID) # 6-octet identifier as a hex string. # Defaults to BSSID. diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 8c03504..5aeaa0d 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -344,6 +344,7 @@ struct hostapd_bss_config { int pmk_r1_push; int ft_over_ds; int ft_psk_generate_local; + int r1_max_key_lifetime; #endif /* CONFIG_IEEE80211R */ char *ctrl_interface; /* directory for UNIX domain sockets */ diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index aa7920a..3c454ce 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -165,6 +165,7 @@ struct wpa_auth_config { int rkh_neg_timeout; int rkh_pull_timeout; /* ms */ int rkh_pull_retries; + int r1_max_key_lifetime; u32 reassociation_deadline; struct ft_remote_r0kh **r0kh_list; struct ft_remote_r1kh **r1kh_list; diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 89fbb63..86e6a27 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -763,10 +763,14 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, int expires_in) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; + int max_expires_in = wpa_auth->conf.r1_max_key_lifetime; struct wpa_ft_pmk_r1_sa *r1; /* TODO: add expiration and limit on number of entries in cache */ + if (max_expires_in && (max_expires_in < expires_in || expires_in == 0)) + expires_in = max_expires_in; + r1 = os_zalloc(sizeof(*r1)); if (r1 == NULL) return -1; diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index aca88d2..c29086a 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -68,6 +68,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf, } os_memcpy(wconf->r1_key_holder, conf->r1_key_holder, FT_R1KH_ID_LEN); wconf->r0_key_lifetime = conf->r0_key_lifetime; + wconf->r1_max_key_lifetime = conf->r1_max_key_lifetime; wconf->reassociation_deadline = conf->reassociation_deadline; wconf->rkh_pos_timeout = conf->rkh_pos_timeout; wconf->rkh_neg_timeout = conf->rkh_neg_timeout; -- 2.1.4 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap