path: root/src/ap/wpa_auth_glue.c
author: Michael Braun <michael-dev@fami-braun.de> 2017-05-18 13:21:50 (GMT)
committer: Jouni Malinen <j@w1.fi> 2018-04-05 10:58:20 (GMT)
commit: 3a3e28320b6d68053c6c2b27d4d7f16cc676045a
tree: d7c69cf35b4aedb9c00a6d705b4b54b0c9eab0ca /src/ap/wpa_auth_glue.c
parent: 09211c989468e4d592d9e54ff08832399bcc0abf
FT: Add expiration to PMK-R0 and PMK-R1 cache
IEEE Std 802.11-2016, indicates that the lifetime of the PMK-R0 (and PMK-R1) is bound to the lifetime of PSK or MSK from which the key was derived. This is currently stored in r0_key_lifetime, but cache entries are not actually removed.

This commit uses the r0_key_lifetime configuration parameter when wpa_auth_derive_ptk_ft() is called. This may need to be extended to use the MSK lifetime, if provided by an external authentication server, with some future changes. For PSK, there is no such lifetime, but it also matters less as FT-PSK can be achieved without inter-AP communication.

The expiration timeout is then passed from R0KH to R1KH. The R1KH verifies the given timeout for sanity; it may not exceed the locally configured r1_max_key_lifetime.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Diffstat (limited to 'src/ap/wpa_auth_glue.c')
1 files changed, 1 insertions, 0 deletions
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index afc10f9..c891a35 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -76,6 +76,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
os_memcpy(wconf->r1_key_holder, conf->r1_key_holder, FT_R1KH_ID_LEN);
wconf->r0_key_lifetime = conf->r0_key_lifetime;
+ wconf->r1_max_key_lifetime = conf->r1_max_key_lifetime;
wconf->reassociation_deadline = conf->reassociation_deadline;
wconf->rkh_pos_timeout = conf->rkh_pos_timeout;
wconf->rkh_neg_timeout = conf->rkh_neg_timeout;
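Review bot: the added line `wconf->r1_max_key_lifetime = conf->r1_max_key_lifetime;` copies the value unchecked, so the meaning of 0 (and of a configuration that never sets the parameter) should be settled and documented. The commit message says the R1KH checks a received timeout against this value; depending on how that comparison is written, an unset or zero cap either disables the limit or makes every received PMK-R1 lifetime fail the check. Suggest documenting the unit and the 0 case alongside r0_key_lifetime, and confirming that a default is initialised where the other FT defaults are set, since neither is visible in this file's hunk.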