[PATCH 42/44] FT: add r1_max_key_lifetime

michael-dev at fami-braun.de michael-dev at fami-braun.de
Wed Feb 24 03:53:48 PST 2016 

From: Michael Braun <michael-dev at fami-braun.de>

Avoid keeping an PMK-R1 for indefinite time.

Signed-off-by: Michael Braun <michael-dev at fami-braun.de>
---
 hostapd/config_file.c  | 2 ++
 hostapd/hostapd.conf   | 5 +++++
 src/ap/ap_config.h     | 1 +
 src/ap/wpa_auth.h      | 1 +
 src/ap/wpa_auth_ft.c   | 4 ++++
 src/ap/wpa_auth_glue.c | 1 +
 6 files changed, 14 insertions(+)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 2b9727b..34d9fa6 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2548,6 +2548,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 		}
 	} else if (os_strcmp(buf, "r0_key_lifetime") == 0) {
 		bss->r0_key_lifetime = atoi(pos);
+	} else if (os_strcmp(buf, "r1_max_key_lifetime") == 0) {
+		bss->r1_max_key_lifetime = atoi(pos);
 	} else if (os_strcmp(buf, "reassociation_deadline") == 0) {
 		bss->reassociation_deadline = atoi(pos);
 	} else if (os_strcmp(buf, "rkh_pos_timeout") == 0) {
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 631f0e0..d1fe3d8 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1278,6 +1278,11 @@ own_ip_addr=127.0.0.1
 # (dot11FTR0KeyLifetime)
 #r0_key_lifetime=10000
 
+# maximum lifetime for PMK-R1; applied only if != 0
+# PMK-R1 is removed at least after this limit.
+# Removing any PMK-R1 for expiry can be disabled by setting this to -1
+#r1_max_key_lifetime=0
+
 # PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
 # 6-octet identifier as a hex string.
 # Defaults to BSSID.
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 2143fc3..d166e10 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -346,6 +346,7 @@ struct hostapd_bss_config {
 	int pmk_r1_push;
 	int ft_over_ds;
 	int ft_psk_generate_local;
+	int r1_max_key_lifetime;
 #endif /* CONFIG_IEEE80211R */
 
 	char *ctrl_interface; /* directory for UNIX domain sockets */
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 63178c9..0a6c07b 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -203,6 +203,7 @@ struct wpa_auth_config {
 	int rkh_neg_timeout;
 	int rkh_pull_timeout; /* ms */
 	int rkh_pull_retries;
+	int r1_max_key_lifetime;
 	u32 reassociation_deadline;
 	struct ft_remote_r0kh **r0kh_list;
 	struct ft_remote_r1kh **r1kh_list;
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 07b0b09..7e7ad25 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -512,12 +512,16 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
 			       const u8 *radius_cui, u8 radius_cui_len)
 {
 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
+	int maxExpiresIn = wpa_auth->conf.r1_max_key_lifetime;
 	struct wpa_ft_pmk_r1_sa *r1;
 	struct os_reltime now;
 
 	/* TODO: add expiration and limit on number of entries in cache */
 	os_get_reltime(&now);
 
+	if (maxExpiresIn && (maxExpiresIn < expiresIn || expiresIn == 0))
+		expiresIn = maxExpiresIn;
+
 	r1 = os_zalloc(sizeof(*r1));
 	if (r1 == NULL)
 		return -1;
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index 7a6fd26..3133713 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -77,6 +77,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
 	}
 	os_memcpy(wconf->r1_key_holder, conf->r1_key_holder, FT_R1KH_ID_LEN);
 	wconf->r0_key_lifetime = conf->r0_key_lifetime;
+	wconf->r1_max_key_lifetime = conf->r1_max_key_lifetime;
 	wconf->reassociation_deadline = conf->reassociation_deadline;
 	wconf->rkh_pos_timeout = conf->rkh_pos_timeout;
 	wconf->rkh_neg_timeout = conf->rkh_neg_timeout;
-- 
1.9.1

More information about the Hostap mailing list