
[41/44] FT: convert r0_key_lifetime to seconds

Message ID 1456314830-12935-42-git-send-email-michael-dev@fami-braun.de
State Changes Requested

Commit Message

michael-dev Feb. 24, 2016, 11:53 a.m. UTC
From: Michael Braun <michael-dev@fami-braun.de>

Simplifies testing. All other items are seconds as well.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
 hostapd/hostapd.conf | 2 +-
 src/ap/ap_config.c   | 2 +-
 src/ap/wpa_auth.c    | 2 +-
 src/ap/wpa_auth_ft.c | 6 +++---
 4 files changed, 6 insertions(+), 6 deletions(-)

Comments

Jouni Malinen Feb. 27, 2016, 7:42 p.m. UTC | #1
On Wed, Feb 24, 2016 at 12:53:47PM +0100, michael-dev@fami-braun.de wrote:
> Simplifies testing. All other items are seconds as well.

> diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
> @@ -1273,7 +1273,7 @@ own_ip_addr=127.0.0.1
> -# Default lifetime of the PMK-RO in minutes; range 1..65535
> +# Default lifetime of the PMK-RO in seconds; range 1..65535
>  # (default: 60 minutes; 0 = disable timeout)
>  # (dot11FTR0KeyLifetime)
>  #r0_key_lifetime=10000

This is problematic since this would change the interpretation of an
existing configuration parameter. In addition, the range here is not
valid. Interestingly dot11FTR0KeyLifetime is actually defined to use
seconds as the unit and 60..4294967295 as the allowed range and 1209600
as the default value. Maybe that changed at some point during P802.11r
development and the hostapd design did not get updated to match.

Normally, I'd prefer a new configuration file parameter to be added if
the design changes in this manner and then leaving the old parameter in
place for backwards compatibility. For example, ft_r0_key_lifetime could
be defined as the new value and if r0_key_lifetime is set in the
configuration file, that could be parsed to ft_r0_key_lifetime with 60
times the value. This would avoid unexpected changes in behavior if
someone updates hostapd and continues to use an old configuration file.

The documentation in hostapd.conf should specify 60 as the minimum
value, but it is convenient to allow smaller values for testing
purposes.

Patch

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 53983bb..631f0e0 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1273,7 +1273,7 @@  own_ip_addr=127.0.0.1
 # 1 to 48 octet identifier.
 # This is configured with nas_identifier (see RADIUS client section above).
 
-# Default lifetime of the PMK-RO in minutes; range 1..65535
+# Default lifetime of the PMK-RO in seconds; range 1..65535
 # (default: 60 minutes; 0 = disable timeout)
 # (dot11FTR0KeyLifetime)
 #r0_key_lifetime=10000
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index c2361e0..2d5961d 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -92,7 +92,7 @@  void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 
 #ifdef CONFIG_IEEE80211R
 	bss->ft_over_ds = 1;
-	bss->r0_key_lifetime = 60; /* same as eap_reauth_period */
+	bss->r0_key_lifetime = 3600; /* same as eap_reauth_period */
 	bss->rkh_pos_timeout = 86400;
 	bss->rkh_neg_timeout = 60;
 	bss->rkh_pull_timeout = 1000;
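Review bot: The comment on the changed line, `/* same as eap_reauth_period */`, does not state the unit, so after this change a reader has to infer seconds from the magnitude of the default. The neighbouring defaults in this hunk (86400, 60, 1000) do not obviously share one unit, which makes the inference unreliable for a key-lifetime setting. I would write `bss->r0_key_lifetime = 3600; /* seconds; same as eap_reauth_period */`. hostapd_config_defaults_bss starts and ends outside the hunk.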
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 8414335..371ecfb 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -2363,7 +2363,7 @@  SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 		*pos++ = WLAN_EID_TIMEOUT_INTERVAL;
 		*pos++ = 5;
 		*pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
-		WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
+		WPA_PUT_LE32(pos, conf->r0_key_lifetime);
 		pos += 4;
 	}
 #endif /* CONFIG_IEEE80211R */
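Review bot: `r0_key_lifetime=0` is documented in this patch's hostapd.conf hunk as "disable timeout", yet `WPA_PUT_LE32(pos, conf->r0_key_lifetime);` writes the raw value, so a disabled timeout is sent in the Timeout Interval element as a key lifetime of 0. The same raw value becomes `expiresIn` in wpa_auth_derive_ptk_ft and the `maxExpiresIn` cap in wpa_ft_rrb_rx_resp and wpa_ft_rrb_rx_push in src/ap/wpa_auth_ft.c. How those functions treat 0 is outside the hunks, so it should be confirmed that 0 means "no expiry" at each site rather than "already expired" or "cap received lifetimes to 0". The behaviour predates the unit change, but since these lines are being touched, a comment such as `/* seconds; 0 (timeout disabled) is sent as-is */` above the call would record the intent. The enclosing state function starts and ends outside the hunk.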
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index beeeca7..07b0b09 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -838,7 +838,7 @@  int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
 	const u8 *ssid = sm->wpa_auth->conf.ssid;
 	size_t ssid_len = sm->wpa_auth->conf.ssid_len;
 	int psk_local = sm->wpa_auth->conf.ft_psk_generate_local;
-	int expiresIn = sm->wpa_auth->conf.r0_key_lifetime * 60;
+	int expiresIn = sm->wpa_auth->conf.r0_key_lifetime;
 	struct ft_vlan vlan;
 	u8 identity[FT_IDENTITY_LEN], radius_cui[FT_RADIUS_CUI_LEN];
 	int identity_len, radius_cui_len;
@@ -2189,7 +2189,7 @@  static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth,
 	struct ft_remote_r0kh *r0kh, *r0kh_wildcard = NULL;
 	int pairwise, res, expiresIn, session_timeout;
 	struct ft_pull_resp_cb_ctx ctx;
-	int maxExpiresIn = wpa_auth->conf.r0_key_lifetime * 60;
+	int maxExpiresIn = wpa_auth->conf.r0_key_lifetime;
 
 	wpa_printf(MSG_DEBUG, "FT: Received PMK-R1 pull response");
 
@@ -2301,7 +2301,7 @@  static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth,
 	struct os_time now;
 	os_time_t tsend;
 	int pairwise, expiresIn, session_timeout;
-	int maxExpiresIn = wpa_auth->conf.r0_key_lifetime * 60;
+	int maxExpiresIn = wpa_auth->conf.r0_key_lifetime;
 
 	wpa_printf(MSG_DEBUG, "FT: Received PMK-R1 push");