aboutsummaryrefslogtreecommitdiffstats
path: root/src/ap/wpa_auth_glue.c
diff options
context:
space:
mode:
authorMichael Braun <michael-dev@fami-braun.de>2017-04-02 12:52:51 (GMT)
committerJouni Malinen <j@w1.fi>2017-05-03 19:16:14 (GMT)
commiteefe8630153f79fdabf004ba32d2ad7527381886 (patch)
treef6614098b4a01e6dd1e364c5bdc3b437c62a8117 /src/ap/wpa_auth_glue.c
parentc95dd8e48bc5a5ec0a2bb4284e845ba40c5ff95b (diff)
downloadhostap-eefe8630153f79fdabf004ba32d2ad7527381886.zip
hostap-eefe8630153f79fdabf004ba32d2ad7527381886.tar.gz
hostap-eefe8630153f79fdabf004ba32d2ad7527381886.tar.bz2
FT RRB: Add msg replay and msg delay protection
This adds a counter and adds sequence numbering to FT RRB packets. The sequence number is checked against r0kh/r1kh sequence number cache. Special attention is needed in case the remote AP reboots and thus loses its state. I prefer it to recover automatically even without synchronized clocks. Therefore an identifier called dom is generated randomly along the initial sequence number. If the dom transmitted does not match or the sequence number is not in the range currently expected, the sender is asked for a fresh confirmation of its currently used sequence numbers. The packet that triggered this is cached and processed again later. Additionally, in order to ensure freshness, the remote AP includes an timestamp with its messages. It is then verified that the received messages are indeed fresh by comparing it to the older timestamps received and the time elapsed since then. Therefore FT_RRB_TIMESTAMP is no longer needed. This assigns new OUI 00:13:74 vendor-specific subtype 0x0001 subtypes: 4 (SEQ_REQ) and 5 (SEQ_RESP). This breaks backward compatibility, i.e., hostapd needs to be updated on all APs at the same time to allow FT to remain functional. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Diffstat (limited to 'src/ap/wpa_auth_glue.c')
-rw-r--r--src/ap/wpa_auth_glue.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index 3e698e8..b364fce 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -578,6 +578,10 @@ static struct eth_p_oui_ctx * hostapd_wpa_get_oui(struct hostapd_data *hapd,
return hapd->oui_resp;
case FT_PACKET_R0KH_R1KH_PUSH:
return hapd->oui_push;
+ case FT_PACKET_R0KH_R1KH_SEQ_REQ:
+ return hapd->oui_sreq;
+ case FT_PACKET_R0KH_R1KH_SEQ_RESP:
+ return hapd->oui_sresp;
#endif /* CONFIG_IEEE80211R_AP */
default:
return NULL;
@@ -836,6 +840,18 @@ static int hostapd_wpa_register_ft_oui(struct hostapd_data *hapd,
if (!hapd->oui_push)
return -1;
+ hapd->oui_sreq = eth_p_oui_register(hapd, ft_iface,
+ FT_PACKET_R0KH_R1KH_SEQ_REQ,
+ hostapd_rrb_oui_receive, hapd);
+ if (!hapd->oui_sreq)
+ return -1;
+
+ hapd->oui_sresp = eth_p_oui_register(hapd, ft_iface,
+ FT_PACKET_R0KH_R1KH_SEQ_RESP,
+ hostapd_rrb_oui_receive, hapd);
+ if (!hapd->oui_sresp)
+ return -1;
+
return 0;
}
@@ -848,6 +864,10 @@ static void hostapd_wpa_unregister_ft_oui(struct hostapd_data *hapd)
hapd->oui_resp = NULL;
eth_p_oui_unregister(hapd->oui_push);
hapd->oui_push = NULL;
+ eth_p_oui_unregister(hapd->oui_sreq);
+ hapd->oui_sreq = NULL;
+ eth_p_oui_unregister(hapd->oui_sresp);
+ hapd->oui_sresp = NULL;
}
#endif /* CONFIG_IEEE80211R_AP */