From patchwork Thu May 18 13:21:50 2017
From: Michael Braun
To: hostap@lists.infradead.org
Subject: [PATCH 1/8] FT: add expiration to PMK-R0 and PMK-R1 cache
Date: Thu, 18 May 2017 15:21:50 +0200
Message-Id: <1495113717-26860-2-git-send-email-michael-dev@fami-braun.de>
In-Reply-To: <1495113717-26860-1-git-send-email-michael-dev@fami-braun.de>
References: <1495113717-26860-1-git-send-email-michael-dev@fami-braun.de>
Cc: projekt-wlan@fem.tu-ilmenau.de, Michael Braun

IEEE 802.11-2012 says: MSK has a lifetime that limits PMK_R0 and PMK_R1 lifetime.

This is currently stored in r0_key_lifetime, but cache entries are not actually removed.

This patch assumes a default MSK lifetime of 3600s when wpa_auth_derive_ptk_ft is called. This matches the default eapol_reauth timeout and should probably be passed in from the eapol state machine with some future changes.

For PSK, there is no such lifetime, but it also matters less as FT-PSK can be achieved without inter-AP communication.

The expiration timeout is then passed from R0KH to R1KH.
The R1KH verifies that the given timeout for sanity, it may not exceed the locally configured r1_max_key_lifetime. Signed-off-by: Michael Braun --- FILS calls wpa_ft_store_pmk_r0 from wpa_auth.c. This is moved into a new function wpa_ft_store_pmk_fils as VLAN, Identity, CUI need to be added as well. The expires_in timeout needs to be reviewed. --- hostapd/config_file.c | 2 + hostapd/hostapd.conf | 6 ++ src/ap/ap_config.c | 1 + src/ap/ap_config.h | 1 + src/ap/wpa_auth.c | 3 +- src/ap/wpa_auth.h | 3 + src/ap/wpa_auth_ft.c | 202 ++++++++++++++++++++++++++++++++++++++----------- src/ap/wpa_auth_glue.c | 1 + src/ap/wpa_auth_i.h | 5 +- 9 files changed, 176 insertions(+), 48 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 900d811..1b491b4 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -2639,6 +2639,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, } } else if (os_strcmp(buf, "r0_key_lifetime") == 0) { bss->r0_key_lifetime = atoi(pos); + } else if (os_strcmp(buf, "r1_max_key_lifetime") == 0) { + bss->r1_max_key_lifetime = atoi(pos); } else if (os_strcmp(buf, "reassociation_deadline") == 0) { bss->reassociation_deadline = atoi(pos); } else if (os_strcmp(buf, "rkh_pos_timeout") == 0) { diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index 135715e..e4568e4 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -1439,9 +1439,15 @@ own_ip_addr=127.0.0.1 # This is configured with nas_identifier (see RADIUS client section above). # Default lifetime of the PMK-RO in minutes; range 1..65535 +# (default: 60 minutes; 0 = disable timeout) # (dot11FTR0KeyLifetime) #r0_key_lifetime=10000 +# maximum lifetime for PMK-R1; applied only if != 0 +# PMK-R1 is removed at least after this limit. +# Removing any PMK-R1 for expiry can be disabled by setting this to -1 +#r1_max_key_lifetime=0 + # PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID) # 6-octet identifier as a hex string. # Defaults to BSSID. 
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 09cbec3..d9e87ec 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -97,6 +97,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) bss->rkh_neg_timeout = 60; bss->rkh_pull_timeout = 1000; bss->rkh_pull_retries = 4; + bss->r0_key_lifetime = 60; /* same as eap_reauth_period */ #endif /* CONFIG_IEEE80211R_AP */ bss->radius_das_time_window = 300; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 849c69d..9827813 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -352,6 +352,7 @@ struct hostapd_bss_config { int pmk_r1_push; int ft_over_ds; int ft_psk_generate_local; + int r1_max_key_lifetime; #endif /* CONFIG_IEEE80211R_AP */ char *ctrl_interface; /* directory for UNIX domain sockets */ diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 459b56e..d409fe7 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -2117,8 +2117,7 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk, wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", pmk_r0, PMK_LEN); wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN); - wpa_ft_store_pmk_r0(wpa_auth, sm->addr, pmk_r0, pmk_r0_name, - sm->pairwise); + wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name); os_memset(fils_ft, 0, sizeof(fils_ft)); } #endif /* CONFIG_IEEE80211R_AP */ diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index c1aeb87..5b29f10 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -77,6 +77,7 @@ struct ft_rrb_frame { #define FT_RRB_PMK_R1 10 /* PMK_LEN */ #define FT_RRB_PAIRWISE 11 /* le16 */ +#define FT_RRB_EXPIRES_IN 12 /* le16 seconds */ struct ft_rrb_tlv { le16 type; @@ -92,6 +93,7 @@ struct ft_rrb_seq { /* session TLVs: * required: PMK_R1, PMK_R1_NAME, PAIRWISE + * optional: EXPIRES_IN * * pull frame TLVs: * auth: 
@@ -190,6 +192,7 @@ struct wpa_auth_config { int rkh_neg_timeout; int rkh_pull_timeout; /* ms */ int rkh_pull_retries; + int r1_max_key_lifetime; u32 reassociation_deadline; struct ft_remote_r0kh **r0kh_list; struct ft_remote_r1kh **r1kh_list; diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index dd99db7..c994f7a 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -834,17 +834,18 @@ static int wpa_ft_new_seq(struct ft_remote_seq *rkh_seq, struct wpa_ft_pmk_r0_sa { - struct wpa_ft_pmk_r0_sa *next; + struct dl_list list; u8 pmk_r0[PMK_LEN]; u8 pmk_r0_name[WPA_PMK_NAME_LEN]; u8 spa[ETH_ALEN]; int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */ - /* TODO: expiration, identity, radius_class, EAP type, VLAN ID */ + os_time_t expiration; /* 0 for no expiration */ + /* TODO: identity, radius_class, EAP type */ int pmk_r1_pushed; }; struct wpa_ft_pmk_r1_sa { - struct wpa_ft_pmk_r1_sa *next; + struct dl_list list; u8 pmk_r1[PMK_LEN]; u8 pmk_r1_name[WPA_PMK_NAME_LEN]; u8 spa[ETH_ALEN]; 
@@ -853,15 +854,83 @@ struct wpa_ft_pmk_r1_sa { }; struct wpa_ft_pmk_cache { - struct wpa_ft_pmk_r0_sa *pmk_r0; - struct wpa_ft_pmk_r1_sa *pmk_r1; + struct dl_list pmk_r0; + struct dl_list pmk_r1; }; + +static void wpa_ft_free_pmk_r0(struct wpa_ft_pmk_r0_sa *r0); +static void wpa_ft_expire_pmk_r0(void *eloop_ctx, void *timeout_ctx); +static void wpa_ft_free_pmk_r1(struct wpa_ft_pmk_r1_sa *r1); +static void wpa_ft_expire_pmk_r1(void *eloop_ctx, void *timeout_ctx); + +static void wpa_ft_free_pmk_r0(struct wpa_ft_pmk_r0_sa *r0) +{ + if (!r0) + return; + + dl_list_del(&r0->list); + eloop_cancel_timeout(wpa_ft_expire_pmk_r0, r0, NULL); + + os_memset(r0->pmk_r0, 0, PMK_LEN); + os_free(r0); +} + + +static void wpa_ft_expire_pmk_r0(void *eloop_ctx, void *timeout_ctx) +{ + struct wpa_ft_pmk_r0_sa *r0 = eloop_ctx; + struct os_reltime now; + int expires_in; + + os_get_reltime(&now); + + if (!r0) + return; + + expires_in = r0->expiration - now.sec; + if (expires_in > 0) { + wpa_printf(MSG_ERROR, "FT: wpa_ft_expire_pmk_r0 called for " + "non-expired entry %p, delete in %ds", + r0, expires_in); + eloop_cancel_timeout(wpa_ft_expire_pmk_r0, r0, NULL); + eloop_register_timeout(expires_in + 1, 0, + wpa_ft_expire_pmk_r0, r0, NULL); + return; + } + + wpa_ft_free_pmk_r0(r0); +} + + +static void wpa_ft_free_pmk_r1(struct wpa_ft_pmk_r1_sa *r1) +{ + if (!r1) + return; + + dl_list_del(&r1->list); + eloop_cancel_timeout(wpa_ft_expire_pmk_r1, r1, NULL); + + os_memset(r1->pmk_r1, 0, PMK_LEN); + os_free(r1); +} + + +static void wpa_ft_expire_pmk_r1(void *eloop_ctx, void *timeout_ctx) +{ + struct wpa_ft_pmk_r1_sa *r1 = eloop_ctx; + + wpa_ft_free_pmk_r1(r1); +} + + struct wpa_ft_pmk_cache * wpa_ft_pmk_cache_init(void) { struct wpa_ft_pmk_cache *cache; cache = os_zalloc(sizeof(*cache)); + dl_list_init(&cache->pmk_r0); + dl_list_init(&cache->pmk_r1); return cache; } 
@@ -872,34 +941,31 @@ void wpa_ft_pmk_cache_deinit(struct wpa_ft_pmk_cache *cache) struct wpa_ft_pmk_r0_sa *r0, *r0prev; struct wpa_ft_pmk_r1_sa *r1, *r1prev; - r0 = cache->pmk_r0; - while (r0) { - r0prev = r0; - r0 = r0->next; - os_memset(r0prev->pmk_r0, 0, PMK_LEN); - os_free(r0prev); + dl_list_for_each_safe(r0, r0prev, &cache->pmk_r0, + struct wpa_ft_pmk_r0_sa, list) { + wpa_ft_free_pmk_r0(r0); } - r1 = cache->pmk_r1; - while (r1) { - r1prev = r1; - r1 = r1->next; - os_memset(r1prev->pmk_r1, 0, PMK_LEN); - os_free(r1prev); + dl_list_for_each_safe(r1, r1prev, &cache->pmk_r1, + struct wpa_ft_pmk_r1_sa, list) { + wpa_ft_free_pmk_r1(r1); } os_free(cache); } -int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, - const u8 *spa, const u8 *pmk_r0, - const u8 *pmk_r0_name, int pairwise) +static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, + const u8 *spa, const u8 *pmk_r0, + const u8 *pmk_r0_name, int pairwise, + const int expires_in) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; struct wpa_ft_pmk_r0_sa *r0; + struct os_reltime now; - /* TODO: add expiration and limit on number of entries in cache */ + /* TODO: add limit on number of entries in cache */ + os_get_reltime(&now); r0 = os_zalloc(sizeof(*r0)); if (r0 == NULL) @@ -909,9 +975,14 @@ int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, os_memcpy(r0->pmk_r0_name, pmk_r0_name, WPA_PMK_NAME_LEN); os_memcpy(r0->spa, spa, ETH_ALEN); r0->pairwise = pairwise; + if (expires_in > 0) + r0->expiration = now.sec + expires_in; + + dl_list_add(&cache->pmk_r0, &r0->list); - r0->next = cache->pmk_r0; - cache->pmk_r0 = r0; + if (expires_in > 0) + eloop_register_timeout(expires_in + 1, 0, + wpa_ft_expire_pmk_r0, r0, NULL); return 0; } 
@@ -923,17 +994,16 @@ static int wpa_ft_fetch_pmk_r0(struct wpa_authenticator *wpa_auth, { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; struct wpa_ft_pmk_r0_sa *r0; + struct os_reltime now; - r0 = cache->pmk_r0; - while (r0) { + os_get_reltime(&now); + dl_list_for_each(r0, &cache->pmk_r0, struct wpa_ft_pmk_r0_sa, list) { if (os_memcmp(r0->spa, spa, ETH_ALEN) == 0 && os_memcmp_const(r0->pmk_r0_name, pmk_r0_name, WPA_PMK_NAME_LEN) == 0) { *r0_out = r0; return 0; } - - r0 = r0->next; } *r0_out = NULL; @@ -943,12 +1013,17 @@ static int wpa_ft_fetch_pmk_r0(struct wpa_authenticator *wpa_auth, static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r1, - const u8 *pmk_r1_name, int pairwise) + const u8 *pmk_r1_name, int pairwise, + int expires_in) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; + int max_expires_in = wpa_auth->conf.r1_max_key_lifetime; struct wpa_ft_pmk_r1_sa *r1; - /* TODO: add expiration and limit on number of entries in cache */ + /* TODO: limit on number of entries in cache */ + + if (max_expires_in && (max_expires_in < expires_in || expires_in == 0)) + expires_in = max_expires_in; r1 = os_zalloc(sizeof(*r1)); if (r1 == NULL) @@ -959,8 +1034,11 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, os_memcpy(r1->spa, spa, ETH_ALEN); r1->pairwise = pairwise; - r1->next = cache->pmk_r1; - cache->pmk_r1 = r1; + dl_list_add(&cache->pmk_r1, &r1->list); + + if (expires_in > 0) + eloop_register_timeout(expires_in + 1, 0, + wpa_ft_expire_pmk_r1, r1, NULL); return 0; } @@ -973,8 +1051,7 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth, struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; struct wpa_ft_pmk_r1_sa *r1; - r1 = cache->pmk_r1; - while (r1) { + dl_list_for_each(r1, &cache->pmk_r1, struct wpa_ft_pmk_r1_sa, list) { if (os_memcmp(r1->spa, spa, ETH_ALEN) == 0 && os_memcmp_const(r1->pmk_r1_name, pmk_r1_name, WPA_PMK_NAME_LEN) == 0) { 
@@ -983,8 +1060,6 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth, *pairwise = r1->pairwise; return 0; } - - r1 = r1->next; } return -1; @@ -1512,6 +1587,16 @@ static int wpa_ft_pull_pmk_r1(struct wpa_state_machine *sm, } +int wpa_ft_store_pmk_fils(struct wpa_state_machine *sm, + const u8 *pmk_r0, const u8 *pmk_r0_name) +{ + int expires_in = sm->wpa_auth->conf.r0_key_lifetime * 60; + + return wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name, + sm->pairwise, expires_in); +} + + int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, struct wpa_ptk *ptk) { @@ -1525,6 +1610,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, const u8 *ssid = sm->wpa_auth->conf.ssid; size_t ssid_len = sm->wpa_auth->conf.ssid_len; int psk_local = sm->wpa_auth->conf.ft_psk_generate_local; + int expires_in = sm->wpa_auth->conf.r0_key_lifetime * 60; if (sm->xxkey_len == 0) { wpa_printf(MSG_DEBUG, "FT: XXKey not available for key " @@ -1540,7 +1626,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN); if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name, - sm->pairwise); + sm->pairwise, expires_in); if (wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr, pmk_r1, sm->pmk_r1_name) < 0) @@ -1550,7 +1636,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, WPA_PMK_NAME_LEN); if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1, - sm->pmk_r1_name, sm->pairwise); + sm->pmk_r1_name, sm->pairwise, + expires_in); return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr, sm->wpa_auth->addr, sm->pmk_r1_name, 
@@ -2572,6 +2659,9 @@ static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len, u8 pmk_r1[PMK_LEN]; u8 pmk_r1_name[WPA_PMK_NAME_LEN]; u8 f_pairwise[sizeof(le16)]; + u8 f_expires_in[sizeof(le16)]; + int expires_in; + struct os_reltime now; int ret; struct tlv_list sess_tlv[] = { { .type = FT_RRB_PMK_R1, .len = sizeof(pmk_r1), @@ -2580,6 +2670,8 @@ static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len, .data = pmk_r1_name }, { .type = FT_RRB_PAIRWISE, .len = sizeof(f_pairwise), .data = f_pairwise }, + { .type = FT_RRB_EXPIRES_IN, .len = sizeof(f_expires_in), + .data = f_expires_in }, { .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL }, }; @@ -2594,6 +2686,15 @@ static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len, wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN); WPA_PUT_LE16(f_pairwise, pmk_r0->pairwise); + os_get_reltime(&now); + if (pmk_r0->expiration > now.sec) + expires_in = pmk_r0->expiration - now.sec; + else if (pmk_r0->expiration) + expires_in = 1; + else + expires_in = 0; + WPA_PUT_LE16(f_expires_in, expires_in); + ret = wpa_ft_rrb_build(key, key_len, tlvs, sess_tlv, tlv_auth, src_addr, type, packet, packet_len); @@ -2770,10 +2871,13 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth, int seq_ret; const u8 *f_r1kh_id, *f_s1kh_id, *f_r0kh_id; const u8 *f_pmk_r1_name, *f_pairwise, *f_pmk_r1; + const u8 *f_expires_in; size_t f_r1kh_id_len, f_s1kh_id_len, f_r0kh_id_len; size_t f_pmk_r1_name_len, f_pairwise_len, f_pmk_r1_len; + size_t f_expires_in_len; int pairwise; int ret = -1; + int expires_in; RRB_GET_AUTH(FT_RRB_R0KH_ID, r0kh_id, msgtype, -1); wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID", f_r0kh_id, f_r0kh_id_len); 
@@ -2857,8 +2961,18 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth, pairwise = WPA_GET_LE16(f_pairwise); + RRB_GET_OPTIONAL(FT_RRB_EXPIRES_IN, expires_in, msgtype, + sizeof(le16)); + if (f_expires_in) + expires_in = WPA_GET_LE16(f_expires_in); + else + expires_in = 0; + + wpa_printf(MSG_DEBUG, "FT: PMK-R1 %s - expires_in=%d", msgtype, + expires_in); + if (wpa_ft_store_pmk_r1(wpa_auth, f_s1kh_id, f_pmk_r1, f_pmk_r1_name, - pairwise) < 0) + pairwise, expires_in) < 0) goto out; ret = 0; @@ -3517,7 +3631,8 @@ static int wpa_ft_generate_pmk_r1(struct wpa_authenticator *wpa_auth, void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr) { - struct wpa_ft_pmk_r0_sa *r0; + struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; + struct wpa_ft_pmk_r0_sa *r0, *r0found = NULL; struct ft_remote_r1kh *r1kh; if (!wpa_auth->conf.pmk_r1_push) @@ -3525,13 +3640,14 @@ void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr) if (!wpa_auth->conf.r1kh_list) return; - r0 = wpa_auth->ft_pmk_cache->pmk_r0; - while (r0) { - if (os_memcmp(r0->spa, addr, ETH_ALEN) == 0) + dl_list_for_each(r0, &cache->pmk_r0, struct wpa_ft_pmk_r0_sa, list) { + if (os_memcmp(r0->spa, addr, ETH_ALEN) == 0) { + r0found = r0; break; - r0 = r0->next; + } } + r0 = r0found; if (r0 == NULL || r0->pmk_r1_pushed) return; r0->pmk_r1_pushed = 1; diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 316f5d5..da8a1e6 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -73,6 +73,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf, } os_memcpy(wconf->r1_key_holder, conf->r1_key_holder, FT_R1KH_ID_LEN); wconf->r0_key_lifetime = conf->r0_key_lifetime; + wconf->r1_max_key_lifetime = conf->r1_max_key_lifetime; wconf->reassociation_deadline = conf->reassociation_deadline; wconf->rkh_pos_timeout = conf->rkh_pos_timeout; wconf->rkh_neg_timeout = conf->rkh_neg_timeout; 
diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h index e7d699e..f0516ae 100644 --- a/src/ap/wpa_auth_i.h +++ b/src/ap/wpa_auth_i.h @@ -288,9 +288,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, struct wpa_ft_pmk_cache * wpa_ft_pmk_cache_init(void); void wpa_ft_pmk_cache_deinit(struct wpa_ft_pmk_cache *cache); void wpa_ft_install_ptk(struct wpa_state_machine *sm); -int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, - const u8 *spa, const u8 *pmk_r0, - const u8 *pmk_r0_name, int pairwise); +int wpa_ft_store_pmk_fils(struct wpa_state_machine *sm, const u8 *pmk_r0, + const u8 *pmk_r0_name); #endif /* CONFIG_IEEE80211R_AP */ #endif /* WPA_AUTH_I_H */
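Review bot: the new r1_max_key_lifetime comment in the hostapd.conf hunk states no unit, yet the value is compared directly against expires_in (seconds) in wpa_ft_store_pmk_r1(), while r0_key_lifetime two lines above is documented in minutes and multiplied by 60 in wpa_auth_derive_ptk_ft() and wpa_ft_store_pmk_fils(); say "in seconds" explicitly, or express it in minutes like r0_key_lifetime. In the same hunk the existing line "range 1..65535" and the added "0 = disable timeout" contradict each other; keep one of them.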
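Review bot: the comment on the new default `bss->r0_key_lifetime = 60; /* same as eap_reauth_period */` in the ap_config.c hunk mixes units: r0_key_lifetime is in minutes and the eapol reauth period the commit message refers to is 3600 seconds. Write "60 min = 3600 s, same as the default eap_reauth_period" so a later reader does not "correct" the value to 3600.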
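Review bot: `WPA_PUT_LE16(f_expires_in, expires_in);` in the wpa_ft_rrb_build_r0() hunk silently truncates any remaining lifetime above 65535 s. With r0_key_lifetime documented up to 65535 minutes (3932100 s), a remaining lifetime of exactly 65536 s is encoded as 0, which wpa_ft_rrb_rx_r1() then stores as "no expiration" when r1_max_key_lifetime is 0. Clamp to 0xffff before encoding (or widen FT_RRB_EXPIRES_IN to le32 in wpa_auth.h) and bound the value in hostapd_config_fill().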
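Review bot: `now` is fetched but never consulted in the wpa_ft_fetch_pmk_r0() hunk; either drop the os_get_reltime() call or use it to skip entries whose lifetime has passed (`r0->expiration && r0->expiration <= now.sec`). That would also close the window created by registering the timer at `expires_in + 1` seconds, during which an entry is still fetchable after the lifetime the R0KH advertised. Note that struct wpa_ft_pmk_r1_sa gains no expiration field, so the same check is impossible for PMK-R1 entries; consider storing it there as well.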
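Review bot: the clamp `if (max_expires_in && (max_expires_in < expires_in || expires_in == 0))` in the wpa_ft_store_pmk_r1() hunk treats every negative r1_max_key_lifetime, not only the documented -1, as "never expire", and in that case it discards the lifetime the R0KH sent, so a PMK-R1 derived from a 3600 s MSK lives on the R1KH until deinit. That contradicts the MSK-lifetime rationale in the commit message; suggest keeping the remote value when max_expires_in < 0 (so -1 only disables the local cap), and rejecting other negative values in hostapd_config_fill(). Separately, with the default r1_max_key_lifetime of 0 an EXPIRES_IN of 0 from any peer is accepted as "no expiration", which lets a misconfigured or compromised R0KH plant non-expiring PMK-R1s; a non-zero default (the 3600 s used for PMK-R0) would be safer.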
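Review bot: in the wpa_auth_derive_ptk_ft() hunk `expires_in = sm->wpa_auth->conf.r0_key_lifetime * 60` is applied to FT-PSK entries as well (the only guard around the two store calls is the psk_local one), although the commit message says there is no such lifetime for PSK; either state in the message that PSK entries expire after r0_key_lifetime too, or pass 0 when wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt).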
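Review bot: in the wpa_ft_expire_pmk_r0() hunk `os_get_reltime(&now);` runs before the `if (!r0) return;` check; put the NULL check first. The re-arm branch logs at MSG_ERROR for what is a benign early wake-up; MSG_DEBUG fits better. `int expires_in = r0->expiration - now.sec` also narrows an os_time_t difference into an int; use os_time_t for the local.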
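The lifetime hand-off described in the commit message (the R0KH computes the remaining MSK-derived lifetime, ships it as a 16-bit seconds field, and the R1KH applies its local cap) is small enough to show end to end. The following C block is an added example, not code from the patch or from hostapd: the ft_* functions, the FT_* sentinels and the sample timestamps are assumptions of the example. It mirrors the patch's semantics (0 on the wire means no expiration; a local limit of 0 means no cap and -1 disables local expiry) but deliberately saturates the 16-bit field instead of truncating it, so an oversized lifetime becomes 65535 s rather than wrapping to "never expires".

```c
/*
 * Added example (not part of the hostapd patch above): carrying a PMK-R0
 * lifetime from an R0KH to an R1KH as a 16-bit seconds field and applying
 * the R1KH's local limit. All ft_* names and FT_* constants are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>

/* 0 on the wire = no expiration; local limit 0 = no cap, -1 = never expire. */
#define FT_EXPIRES_NONE     0
#define FT_R1_LIMIT_NONE    0
#define FT_R1_LIMIT_DISABLE (-1)

/* Seconds left on an absolute expiration time (0 = no expiration).
 * An entry already past its expiration is reported as 1 second so the
 * receiver still arms a timer instead of treating the key as eternal. */
static long ft_remaining_seconds(long expiration, long now)
{
    if (expiration == 0)
        return FT_EXPIRES_NONE;
    if (expiration > now)
        return expiration - now;
    return 1;
}

/* Encode remaining seconds as little-endian u16, saturating at 0xFFFF.
 * A plain cast would turn 65536 into 0, i.e. into "no expiration". */
static void ft_put_expires_in(uint8_t out[2], long secs)
{
    uint16_t v;

    if (secs < 0)
        secs = 0;
    v = secs > 0xFFFF ? 0xFFFF : (uint16_t) secs;
    out[0] = (uint8_t) (v & 0xFF);
    out[1] = (uint8_t) (v >> 8);
}

static unsigned ft_get_expires_in(const uint8_t in[2])
{
    return (unsigned) in[0] | ((unsigned) in[1] << 8);
}

/* R1KH policy: the remote lifetime may be shortened by the local limit but
 * never lengthened, except for the explicit "disable" setting, which (as in
 * the patch) drops the expiry altogether. Any negative limit counts as
 * disable here; a real parser should reject values other than -1. */
static long ft_r1_effective_lifetime(unsigned remote, int local_limit)
{
    if (local_limit < 0)
        return FT_EXPIRES_NONE;
    if (local_limit == FT_R1_LIMIT_NONE)
        return remote;
    if (remote == FT_EXPIRES_NONE || (long) remote > local_limit)
        return local_limit;
    return remote;
}

/* Whole path R0KH -> wire -> R1KH; returns the seconds the R1KH will keep
 * the PMK-R1 (0 = indefinitely). */
static long ft_propagate_lifetime(long r0_expiration, long now, int r1_limit)
{
    uint8_t tlv[2];

    ft_put_expires_in(tlv, ft_remaining_seconds(r0_expiration, now));
    return ft_r1_effective_lifetime(ft_get_expires_in(tlv), r1_limit);
}

int main(void)
{
    long now = 1000000; /* constructed sample clock value */

    printf("60 min, no local cap:      %ld\n",
           ft_propagate_lifetime(now + 3600, now, FT_R1_LIMIT_NONE));
    printf("60 min, capped at 600 s:   %ld\n",
           ft_propagate_lifetime(now + 3600, now, 600));
    printf("65536 s left, saturated:   %ld\n",
           ft_propagate_lifetime(now + 65536, now, FT_R1_LIMIT_NONE));
    printf("no remote expiry, cap 600: %ld\n",
           ft_propagate_lifetime(0, now, 600));
    printf("local expiry disabled:     %ld\n",
           ft_propagate_lifetime(now + 3600, now, FT_R1_LIMIT_DISABLE));
    return 0;
}
```

The saturation in ft_put_expires_in() is the one behavioural difference from the patch: with the 16-bit field, clamping is what keeps a long r0_key_lifetime from being read by the R1KH as "no expiration".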