[PATCH v2 14/33] FT: add r1_max_key_lifetime
M. Braun
michael-dev at fami-braun.de
Sat Sep 24 14:07:58 PDT 2016
From: Michael Braun <michael-dev at fami-braun.de>
Avoid keeping a PMK-R1 for an indefinite time.
Signed-off-by: Michael Braun <michael-dev at fami-braun.de>
---
hostapd/config_file.c | 2 ++
hostapd/hostapd.conf | 5 +++++
src/ap/ap_config.h | 1 +
src/ap/wpa_auth.h | 1 +
src/ap/wpa_auth_ft.c | 4 ++++
src/ap/wpa_auth_glue.c | 1 +
6 files changed, 14 insertions(+)
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 5bd0336..e1b5026 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2541,6 +2541,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
}
} else if (os_strcmp(buf, "r0_key_lifetime") == 0) {
bss->r0_key_lifetime = atoi(pos);
+ } else if (os_strcmp(buf, "r1_max_key_lifetime") == 0) {
+ bss->r1_max_key_lifetime = atoi(pos);
} else if (os_strcmp(buf, "reassociation_deadline") == 0) {
bss->reassociation_deadline = atoi(pos);
} else if (os_strcmp(buf, "rkh_pos_timeout") == 0) {
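Review bot: The new `r1_max_key_lifetime` branch stores whatever atoi() returns without a range check, although the patch documents only three meaningful inputs (0, -1, or a positive value); a value below -1 is accepted here and reaches the lifetime clamp in wpa_ft_store_pmk_r1 unchanged. The neighbouring `r0_key_lifetime` option uses the same unchecked atoi(), so this matches local style, but the new option is the one that introduces a negative sentinel. Consider rejecting out-of-range values at parse time with the file's usual error path, e.g. `if (bss->r1_max_key_lifetime < -1) { /* report and count the error as the other options do */ }`. hostapd_config_fill continues outside the hunk.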
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 811fa58..c749501 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1290,6 +1290,11 @@ own_ip_addr=127.0.0.1
# (dot11FTR0KeyLifetime)
#r0_key_lifetime=10000
+# maximum lifetime for PMK-R1; applied only if != 0
+# PMK-R1 is removed at least after this limit.
+# Removing any PMK-R1 for expiry can be disabled by setting this to -1
+#r1_max_key_lifetime=0
+
# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
# 6-octet identifier as a hex string.
# Defaults to BSSID.
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 8c03504..5aeaa0d 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -344,6 +344,7 @@ struct hostapd_bss_config {
int pmk_r1_push;
int ft_over_ds;
int ft_psk_generate_local;
+ int r1_max_key_lifetime;
#endif /* CONFIG_IEEE80211R */
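Review bot: The new `r1_max_key_lifetime` field carries no comment, and nothing in the patch states its unit; the hostapd.conf text only says "maximum lifetime", while the neighbouring `rkh_pull_timeout` in the wpa_auth.h hunk is explicitly marked `/* ms */`. Since the value is compared directly with the `expires_in` argument of wpa_ft_store_pmk_r1, a reader needs to know that both use the same unit. Suggest annotating both this field and the mirrored one in the wpa_auth.h hunk, e.g. `int r1_max_key_lifetime; /* 0 = no cap, -1 = never expire; same unit as expires_in in wpa_ft_store_pmk_r1 */`. The same comment applies to the src/ap/wpa_auth.h hunk.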
char *ctrl_interface; /* directory for UNIX domain sockets */
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index aa7920a..3c454ce 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -165,6 +165,7 @@ struct wpa_auth_config {
int rkh_neg_timeout;
int rkh_pull_timeout; /* ms */
int rkh_pull_retries;
+ int r1_max_key_lifetime;
u32 reassociation_deadline;
struct ft_remote_r0kh **r0kh_list;
struct ft_remote_r1kh **r1kh_list;
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 89fbb63..86e6a27 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -763,10 +763,14 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
int expires_in)
{
struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
+ int max_expires_in = wpa_auth->conf.r1_max_key_lifetime;
struct wpa_ft_pmk_r1_sa *r1;
/* TODO: add expiration and limit on number of entries in cache */
+ if (max_expires_in && (max_expires_in < expires_in || expires_in == 0))
+ expires_in = max_expires_in;
+
r1 = os_zalloc(sizeof(*r1));
if (r1 == NULL)
return -1;
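Review bot: The clamp `if (max_expires_in && (max_expires_in < expires_in || expires_in == 0))` treats every non-zero configured value as a cap, so the documented -1 ("never expire") is not distinguished from any other negative number: for any positive `expires_in` the test `-1 < expires_in` holds and the caller's finite lifetime is replaced by a negative value. Whether the rest of wpa_ft_store_pmk_r1, which continues outside the hunk, interprets a negative `expires_in` as "no expiry" cannot be seen here, so the behaviour of -1 rests on that unstated assumption and should be made explicit, e.g. by normalising `if (max_expires_in < 0) expires_in = 0;` (if 0 is the function's no-expiry value) and applying the cap only when `max_expires_in > 0`. The `/* TODO: add expiration and limit on number of entries in cache */` comment directly above the new lines is now partly stale and should be reduced to the part still open, e.g. `/* TODO: limit the number of entries in the cache */`. A short comment documenting the 0/-1 sentinels next to the clamp would also help, since the only description lives in hostapd.conf.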
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index aca88d2..c29086a 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -68,6 +68,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
}
os_memcpy(wconf->r1_key_holder, conf->r1_key_holder, FT_R1KH_ID_LEN);
wconf->r0_key_lifetime = conf->r0_key_lifetime;
+ wconf->r1_max_key_lifetime = conf->r1_max_key_lifetime;
wconf->reassociation_deadline = conf->reassociation_deadline;
wconf->rkh_pos_timeout = conf->rkh_pos_timeout;
wconf->rkh_neg_timeout = conf->rkh_neg_timeout;
--
2.1.4