From 5604eb8aaf8382376e6511850e70b66c6e2a22b8 Mon Sep 17 00:00:00 2001 From: Kurt Lee Date: Sun, 13 Feb 2022 21:34:09 -0600 Subject: [PATCH 19/60] Fix for PMK expiration issue through supplicant Description : Sending Deauth from AP once PMK timeout occurs, So that STA will initiate the Auth process. Changes : 1) Added support to get the dot11RSNAConfigPMKLifetime conf element in wpa_authenticator structure to pass to the lower API's 2) Sending deauth from the wpa_auth_pmksa_free_cb once PMK time out occurs. Tested: Confirmed once PMK timeout occurs AP is sending deauth and STA starting AUTH frame. Upstream-Status: Inappropriate [DEY specific] --- hostapd/config_file.c | 2 ++ src/ap/ap_config.h | 2 ++ src/ap/ieee802_11.c | 1 + src/ap/wpa_auth.c | 9 ++++++++- src/ap/wpa_auth.h | 1 + src/ap/wpa_auth_i.h | 1 + 6 files changed, 15 insertions(+), 1 deletion(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index b14728d1b..386499323 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -3671,6 +3671,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, bss->max_listen_interval = atoi(pos); } else if (os_strcmp(buf, "disable_pmksa_caching") == 0) { bss->disable_pmksa_caching = atoi(pos); + } else if (os_strcmp(buf, "dot11RSNAConfigPMKLifetime") == 0) { + bss->dot11RSNAConfigPMKLifetime = atoi(pos); } else if (os_strcmp(buf, "okc") == 0) { bss->okc = atoi(pos); #ifdef CONFIG_WPS diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 49cd3168a..a82ca1853 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -898,6 +898,8 @@ struct hostapd_bss_config { u8 ext_capa[EXT_CAPA_MAX_LEN]; u8 rnr; + + unsigned int dot11RSNAConfigPMKLifetime; }; /** diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 3b735c09f..c4f7d00cc 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -980,6 +980,7 @@ void sae_accept_sta(struct hostapd_data *hapd, struct sta_info *sta) crypto_bignum_deinit(sta->sae->peer_commit_scalar_accepted, 0); sta->sae->peer_commit_scalar_accepted = sta->sae->peer_commit_scalar; sta->sae->peer_commit_scalar = NULL; + wpa_auth_set_pmk_life_time(hapd->wpa_auth,hapd->conf->dot11RSNAConfigPMKLifetime); wpa_auth_pmksa_add_sae(hapd->wpa_auth, sta->addr, sta->sae->pmk, sta->sae->pmkid); #ifndef CONFIG_WPA3_SAE_AUTH_EARLY_SET diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 4b506c1db..e92ea4302 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -390,6 +390,7 @@ static void wpa_auth_pmksa_free_cb(struct rsn_pmksa_cache_entry *entry, void *ctx) { struct wpa_authenticator *wpa_auth = ctx; + wpa_sta_disconnect(wpa_auth, entry->spa, WLAN_REASON_PREV_AUTH_NOT_VALID); wpa_auth_for_each_sta(wpa_auth, wpa_auth_pmksa_clear_cb, entry); } @@ -4835,6 +4836,12 @@ int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, } +void wpa_auth_set_pmk_life_time(struct wpa_authenticator *wpa_auth, unsigned int pmk_life_time) +{ + wpa_auth->pmk_life_time = pmk_life_time; +} + + int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, const u8 *pmk, const u8 *pmkid) { @@ -4844,7 +4851,7 @@ int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, wpa_hexdump_key(MSG_DEBUG, "RSN: Cache PMK from SAE", pmk, PMK_LEN); if (pmksa_cache_auth_add(wpa_auth->pmksa, pmk, PMK_LEN, pmkid, NULL, 0, - wpa_auth->addr, addr, 0, NULL, + wpa_auth->addr, addr, wpa_auth->pmk_life_time, NULL, WPA_KEY_MGMT_SAE)) return 0; diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index ff36cfe95..fb456f07c 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -426,6 +426,7 @@ int wpa_auth_pmksa_add_preauth(struct wpa_authenticator *wpa_auth, struct eapol_state_machine *eapol); int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr, const u8 *pmk, const u8 *pmkid); +void wpa_auth_set_pmk_life_time(struct wpa_authenticator *wpa_auth, unsigned int pmk_life_time); void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid); int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr, const u8 *pmk, size_t pmk_len, const u8 *pmkid, diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h index a6dc1a591..f46bdabdd 100644 --- a/src/ap/wpa_auth_i.h +++ b/src/ap/wpa_auth_i.h @@ -237,6 +237,7 @@ struct wpa_authenticator { #ifdef CONFIG_P2P struct bitfield *ip_pool; #endif /* CONFIG_P2P */ + unsigned int pmk_life_time; }; -- 2.17.1