authorJouni Malinen <j@w1.fi>2005-06-24 02:39:06 (GMT)
committerJouni Malinen <j@w1.fi>2005-06-24 02:39:06 (GMT)
commitac3d031ea2b0fa30e188dd02abcb51bcaa10397f (patch)
treecb1aaa2111badfcd406b731dbd38f17e50e4a778
parentd1fabab241422012ba599675cbc709236be12254 (diff)
Made dot11RSNAConfigPMKLifetime, dot11RSNAConfigPMKReauthThreshold,
and dot11RSNAConfigSATimeout configurable through configuration file and ctrl_iface.
-rw-r--r--wpa_supplicant/config.c18
-rw-r--r--wpa_supplicant/config.h4
-rw-r--r--wpa_supplicant/ctrl_iface.c17
-rw-r--r--wpa_supplicant/preauth.c3
-rw-r--r--wpa_supplicant/wpa.c56
-rw-r--r--wpa_supplicant/wpa.h9
-rw-r--r--wpa_supplicant/wpa_cli.c6
-rw-r--r--wpa_supplicant/wpa_i.h4
-rw-r--r--wpa_supplicant/wpa_supplicant.c24
-rw-r--r--wpa_supplicant/wpa_supplicant.conf7
10 files changed, 136 insertions, 12 deletions
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index bbb3cfe..0ec67a6 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -958,6 +958,24 @@ struct wpa_config * wpa_config_read(const char *config_file)
config->driver_param = strdup(pos + 13);
wpa_printf(MSG_DEBUG, "driver_param='%s'",
config->driver_param);
+ } else if (strncmp(pos, "dot11RSNAConfigPMKLifetime=", 27) ==
+ 0) {
+ config->dot11RSNAConfigPMKLifetime = atoi(pos + 27);
+ wpa_printf(MSG_DEBUG, "dot11RSNAConfigPMKLifetime=%d",
+ config->dot11RSNAConfigPMKLifetime);
+ } else if (strncmp(pos, "dot11RSNAConfigPMKReauthThreshold=",
+ 34) ==
+ 0) {
+ config->dot11RSNAConfigPMKReauthThreshold =
+ atoi(pos + 34);
+ wpa_printf(MSG_DEBUG,
+ "dot11RSNAConfigPMKReauthThreshold=%d",
+ config->dot11RSNAConfigPMKReauthThreshold);
+ } else if (strncmp(pos, "dot11RSNAConfigSATimeout=", 25) ==
+ 0) {
+ config->dot11RSNAConfigSATimeout = atoi(pos + 25);
+ wpa_printf(MSG_DEBUG, "dot11RSNAConfigSATimeout=%d",
+ config->dot11RSNAConfigSATimeout);
} else {
wpa_printf(MSG_ERROR, "Line %d: Invalid configuration "
"line '%s'.", line, pos);
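Review bot: The three new `atoi()` calls store a signed result into the `unsigned int` fields added in config.h, so malformed values are never reported: a negative number wraps to a very large unsigned value (which later satisfies the `value > 0` check in wpa_sm_configure for the lifetime and SA-timeout parameters), and a non-numeric string becomes 0, which wpa_supplicant_init2 treats as "not configured". Parsing with `strtoul()` and checking `end` and `errno`, and routing a failure to the existing MSG_ERROR "Invalid configuration line" path, would make bad values visible at load time; the same applies to the `atoi(value)` calls in the ctrl_iface.c hunk. A helper along the lines below could serve all three branches (the trailing-character check assumes `pos` has already had its newline stripped, as the `strdup(pos + 13)` branch suggests — confirm). wpa_config_read begins and ends outside this hunk.
```c
/* Parse a non-negative decimal value for an unsigned config field.
 * Returns 0 and stores the value, or -1 if s is not a plain decimal
 * number that fits in unsigned int (negative input is rejected). */
static int wpa_config_parse_uint(const char *s, unsigned int *out)
{
	char *end;
	unsigned long v;

	if (*s == '-')
		return -1;
	errno = 0;
	v = strtoul(s, &end, 10);
	if (end == s || *end != '\0' || errno == ERANGE || v > UINT_MAX)
		return -1;
	*out = (unsigned int) v;
	return 0;
}
/* … unchanged: each dot11RSNAConfig* branch calls the helper and falls
 * through to the existing "Invalid configuration line" error on -1 … */
```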
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 00560c2..f663be6 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -45,6 +45,10 @@ struct wpa_config {
char *pkcs11_engine_path;
char *pkcs11_module_path;
char *driver_param;
+
+ unsigned int dot11RSNAConfigPMKLifetime;
+ unsigned int dot11RSNAConfigPMKReauthThreshold;
+ unsigned int dot11RSNAConfigSATimeout;
};
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index f59cbd8..f5e7825 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -69,6 +69,7 @@ static int wpa_supplicant_ctrl_iface_set(struct wpa_supplicant *wpa_s,
char *cmd)
{
char *value;
+ int ret = 0;
value = strchr(cmd, ' ');
if (value == NULL)
@@ -88,9 +89,21 @@ static int wpa_supplicant_ctrl_iface_set(struct wpa_supplicant *wpa_s,
} else if (strcasecmp(cmd, "EAPOL::maxStart") == 0) {
eapol_sm_configure(wpa_s->eapol,
-1, -1, -1, atoi(value));
+ } else if (strcasecmp(cmd, "dot11RSNAConfigPMKLifetime") == 0) {
+ if (wpa_sm_configure(wpa_s->wpa, RSNA_PMK_LIFETIME,
+ atoi(value)))
+ ret = -1;
+ } else if (strcasecmp(cmd, "dot11RSNAConfigPMKReauthThreshold") == 0) {
+ if (wpa_sm_configure(wpa_s->wpa, RSNA_PMK_REAUTH_THRESHOLD,
+ atoi(value)))
+ ret = -1;
+ } else if (strcasecmp(cmd, "dot11RSNAConfigSATimeout") == 0) {
+ if (wpa_sm_configure(wpa_s->wpa, RSNA_SA_TIMEOUT, atoi(value)))
+ ret = -1;
} else
- return -1;
- return 0;
+ ret = -1;
+
+ return ret;
}
diff --git a/wpa_supplicant/preauth.c b/wpa_supplicant/preauth.c
index 13e3ce7..ae5ab96 100644
--- a/wpa_supplicant/preauth.c
+++ b/wpa_supplicant/preauth.c
@@ -37,7 +37,6 @@
#define PMKID_CANDIDATE_PRIO_SCAN 1000
static const int pmksa_cache_max_entries = 32;
-static const int dot11RSNAConfigPMKLifetime = 43200;
struct rsn_pmksa_candidate {
@@ -153,7 +152,7 @@ pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk,
memcpy(entry->pmk, pmk, pmk_len);
entry->pmk_len = pmk_len;
rsn_pmkid(pmk, aa, spa, entry->pmkid);
- entry->expiration = time(NULL) + dot11RSNAConfigPMKLifetime;
+ entry->expiration = time(NULL) + sm->dot11RSNAConfigPMKLifetime;
entry->akmp = WPA_KEY_MGMT_IEEE8021X;
memcpy(entry->aa, aa, ETH_ALEN);
entry->ssid = ssid;
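Review bot: Because `entry->expiration` is fixed here at insertion time, changing `sm->dot11RSNAConfigPMKLifetime` afterwards through the new ctrl_iface SET only affects entries cached from then on; nothing in this change rewrites the expiration of entries already in the cache. That is a reasonable semantics but worth stating, e.g. a comment above this line: `/* lifetime in force at insertion; later SET changes do not rewrite existing entries */`. The time_t plus unsigned int addition is also the first place a wrapped negative lifetime (see the atoi() parsing in config.c) would surface as an effectively never-expiring entry. pmksa_cache_add starts and ends outside this hunk.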
diff --git a/wpa_supplicant/wpa.c b/wpa_supplicant/wpa.c
index 126e2ad..c2e46ac 100644
--- a/wpa_supplicant/wpa.c
+++ b/wpa_supplicant/wpa.c
@@ -36,11 +36,6 @@
#include "wpa_i.h"
-/* TODO: make these configurable */
-static const int dot11RSNAConfigPMKLifetime = 43200;
-static const int dot11RSNAConfigPMKReauthThreshold = 70;
-static const int dot11RSNAConfigSATimeout = 60;
-
static const int WPA_SELECTOR_LEN = 4;
static const u8 WPA_OUI_TYPE[] = { 0x00, 0x50, 0xf2, 1 };
static const u16 WPA_VERSION = 1;
@@ -2114,9 +2109,9 @@ int wpa_get_mib(struct wpa_supplicant *wpa_s, char *buf, size_t buflen)
rsna ? "TRUE" : "FALSE",
RSN_VERSION,
wpa_cipher_bits(wpa_s->group_cipher),
- dot11RSNAConfigPMKLifetime,
- dot11RSNAConfigPMKReauthThreshold,
- dot11RSNAConfigSATimeout,
+ sm->dot11RSNAConfigPMKLifetime,
+ sm->dot11RSNAConfigPMKReauthThreshold,
+ sm->dot11RSNAConfigSATimeout,
RSN_SUITE_ARG(wpa_key_mgmt_suite(wpa_s)),
RSN_SUITE_ARG(wpa_cipher_suite(wpa_s,
wpa_s->pairwise_cipher)),
@@ -2151,6 +2146,11 @@ struct wpa_sm * wpa_sm_init(void *ctx)
memset(sm, 0, sizeof(*sm));
sm->renew_snonce = 1;
sm->ctx = ctx;
+
+ sm->dot11RSNAConfigPMKLifetime = 43200;
+ sm->dot11RSNAConfigPMKReauthThreshold = 70;
+ sm->dot11RSNAConfigSATimeout = 60;
+
return sm;
}
@@ -2306,3 +2306,43 @@ void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname)
if (sm)
sm->ifname = ifname;
}
+
+
+/**
+ * wpa_sm_configure - Configure WPA state machine parameters
+ * @sm: Pointer to WPA state machine data from wpa_sm_init()
+ * @param: Parameter field
+ * @value: Parameter value
+ * Returns: 0 on success, -1 on failure
+ */
+int wpa_sm_configure(struct wpa_sm *sm, enum wpa_sm_conf_params param,
+ unsigned int value)
+{
+ int ret = 0;
+
+ if (sm == NULL)
+ return -1;
+
+ switch (param) {
+ case RSNA_PMK_LIFETIME:
+ if (value > 0)
+ sm->dot11RSNAConfigPMKLifetime = value;
+ else
+ ret = -1;
+ break;
+ case RSNA_PMK_REAUTH_THRESHOLD:
+ if (value > 0 && value <= 100)
+ sm->dot11RSNAConfigPMKReauthThreshold = value;
+ else
+ ret = -1;
+ break;
+ case RSNA_SA_TIMEOUT:
+ if (value > 0)
+ sm->dot11RSNAConfigSATimeout = value;
+ else
+ ret = -1;
+ break;
+ }
+
+ return ret;
+}
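Review bot: The `switch (param)` in the new wpa_sm_configure has no `default`, so a `param` outside the three enumerators returns 0 without storing anything, and both callers (wpa_supplicant_init2 and the ctrl_iface SET handler) would read that as success; add `default: ret = -1; break;` before the closing brace. The fields are now `unsigned int` while the values previously passed to the wpa_get_mib format in the second hunk were `const int`, so the format string (outside this hunk) presumably still uses `%d` and should be checked against `%u`. The kernel-doc header above the function would also benefit from stating the accepted ranges that the switch enforces, e.g. `@value: Parameter value; seconds > 0 for RSNA_PMK_LIFETIME and RSNA_SA_TIMEOUT, 1..100 (percent) for RSNA_PMK_REAUTH_THRESHOLD`. The `sm` used in the wpa_get_mib hunk is declared outside the hunk.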
diff --git a/wpa_supplicant/wpa.h b/wpa_supplicant/wpa.h
index ace1f94..23be366 100644
--- a/wpa_supplicant/wpa.h
+++ b/wpa_supplicant/wpa.h
@@ -143,6 +143,15 @@ void wpa_sm_set_config(struct wpa_sm *sm, struct wpa_ssid *config);
void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr);
void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname);
+enum wpa_sm_conf_params {
+ RSNA_PMK_LIFETIME /* dot11RSNAConfigPMKLifetime */,
+ RSNA_PMK_REAUTH_THRESHOLD /* dot11RSNAConfigPMKReauthThreshold */,
+ RSNA_SA_TIMEOUT /* dot11RSNAConfigSATimeout */
+};
+
+int wpa_sm_configure(struct wpa_sm *sm, enum wpa_sm_conf_params param,
+ unsigned int value);
+
struct wpa_supplicant;
void wpa_supplicant_key_request(struct wpa_supplicant *wpa_s,
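Review bot: The enum and prototype are the only part of this interface that callers see, yet the ranges wpa_sm_configure enforces (a non-zero number of seconds for RSNA_PMK_LIFETIME and RSNA_SA_TIMEOUT, 1..100 for RSNA_PMK_REAUTH_THRESHOLD) are documented only in wpa.c. Carrying them on the enumerators, e.g. `RSNA_PMK_REAUTH_THRESHOLD /* dot11RSNAConfigPMKReauthThreshold, percent 1..100 */`, and adding a one-line comment on the prototype that it returns -1 for an out-of-range value, would let the ctrl_iface and config callers validate without reading the implementation.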
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 40f2d37..3f1a5f0 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -283,6 +283,12 @@ static void wpa_cli_show_variables(void)
"seconds)\n"
" EAPOL::maxStart (EAPOL state machine maximum start "
"attempts)\n");
+ printf(" dot11RSNAConfigPMKLifetime (WPA/WPA2 PMK lifetime in "
+ "seconds)\n"
+ " dot11RSNAConfigPMKReauthThreshold (WPA/WPA2 reauthentication"
+ " threshold\n\tpercentage)\n"
+ " dot11RSNAConfigSATimeout (WPA/WPA2 timeout for completing "
+ "security\n\tassociation in seconds)\n");
}
diff --git a/wpa_supplicant/wpa_i.h b/wpa_supplicant/wpa_i.h
index b277be2..c282fe4 100644
--- a/wpa_supplicant/wpa_i.h
+++ b/wpa_supplicant/wpa_i.h
@@ -79,6 +79,10 @@ struct wpa_sm {
u8 own_addr[ETH_ALEN];
const char *ifname;
+
+ unsigned int dot11RSNAConfigPMKLifetime;
+ unsigned int dot11RSNAConfigPMKReauthThreshold;
+ unsigned int dot11RSNAConfigSATimeout;
};
#endif /* WPA_I_H */
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 15b57e8..30d1bc6 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1739,6 +1739,30 @@ static int wpa_supplicant_init2(struct wpa_supplicant *wpa_s,
wpa_sm_set_ifname(wpa_s->wpa, wpa_s->ifname);
wpa_sm_set_fast_reauth(wpa_s->wpa, wpa_s->conf->fast_reauth);
+ if (wpa_s->conf->dot11RSNAConfigPMKLifetime &&
+ wpa_sm_configure(wpa_s->wpa, RSNA_PMK_LIFETIME,
+ wpa_s->conf->dot11RSNAConfigPMKLifetime)) {
+ fprintf(stderr, "Invalid WPA parameter value for "
+ "dot11RSNAConfigPMKLifetime\n");
+ return -1;
+ }
+
+ if (wpa_s->conf->dot11RSNAConfigPMKReauthThreshold &&
+ wpa_sm_configure(wpa_s->wpa, RSNA_PMK_REAUTH_THRESHOLD,
+ wpa_s->conf->dot11RSNAConfigPMKReauthThreshold)) {
+ fprintf(stderr, "Invalid WPA parameter value for "
+ "dot11RSNAConfigPMKReauthThreshold\n");
+ return -1;
+ }
+
+ if (wpa_s->conf->dot11RSNAConfigSATimeout &&
+ wpa_sm_configure(wpa_s->wpa, RSNA_SA_TIMEOUT,
+ wpa_s->conf->dot11RSNAConfigSATimeout)) {
+ fprintf(stderr, "Invalid WPA parameter value for "
+ "dot11RSNAConfigSATimeout\n");
+ return -1;
+ }
+
if (wpa_supplicant_driver_init(wpa_s, wait_for_interface) < 0) {
return -1;
}
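Review bot: The `wpa_s->conf->X &&` guards treat a zero field as "not configured", so a config line that atoi() in config.c parsed to 0 (a typo such as `dot11RSNAConfigPMKLifetime=abc`, or an explicit `=0`) is silently ignored here, whereas the same value given through the ctrl_iface SET is rejected by wpa_sm_configure. If the parser keeps atoi(), a comment on the first guard such as `/* 0 means "keep the wpa_sm_init() default"; the parser maps unparsable values to 0 as well */` would at least make the inconsistency explicit. The three blocks differ only in the enum value, field and name, so a short table iterated in a loop would reduce the repetition. wpa_supplicant_init2 starts and ends outside this hunk.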
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index e733a2a..a0162db 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -87,6 +87,13 @@ pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
# in most cases.
#driver_param="field=value"
+# Maximum lifetime for PMKSA in seconds; default 43200
+#dot11RSNAConfigPMKLifetime=43200
+# Threshold for reauthentication (percentage of PMK lifetime); default 70
+#dot11RSNAConfigPMKReauthThreshold=70
+# Timeout for security association negotiation in seconds; default 60
+#dot11RSNAConfigSATimeout=60
+
# network block
#
# Each network (usually AP's sharing the same SSID) is configured as a separate