PASN: Deauthenticate on PTKSA cache entry expiration

Add an option for an alternative processing of PTKSA life time expiry.

Register a callback in wpa_supplicant to handle the life time expiry of
the keys in PTKSA cache. Send PASN deauthentication when a PTKSA cache
entry expires.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Vinay Gannevaram 2022-07-08 11:41:01 +05:30 committed by Jouni Malinen
parent 74d894a2ea
commit 24929543ba
6 changed files with 35 additions and 8 deletions

View file

@ -3503,7 +3503,7 @@ static void handle_auth_pasn_3(struct hostapd_data *hapd, struct sta_info *sta,
"PASN: Success handling transaction == 3. Store PTK"); "PASN: Success handling transaction == 3. Store PTK");
ptksa_cache_add(hapd->ptksa, hapd->own_addr, sta->addr, ptksa_cache_add(hapd->ptksa, hapd->own_addr, sta->addr,
sta->pasn->cipher, 43200, &sta->pasn->ptk); sta->pasn->cipher, 43200, &sta->pasn->ptk, NULL, NULL);
fail: fail:
ap_free_sta(hapd, sta); ap_free_sta(hapd, sta);
} }

View file

@ -935,7 +935,7 @@ static void hostapd_store_ptksa(void *ctx, const u8 *addr,int cipher,
struct hostapd_data *hapd = ctx; struct hostapd_data *hapd = ctx;
ptksa_cache_add(hapd->ptksa, hapd->own_addr, addr, cipher, life_time, ptksa_cache_add(hapd->ptksa, hapd->own_addr, addr, cipher, life_time,
ptk); ptk, NULL, NULL);
} }

View file

@ -51,7 +51,10 @@ static void ptksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
wpa_printf(MSG_DEBUG, "Expired PTKSA cache entry for " MACSTR, wpa_printf(MSG_DEBUG, "Expired PTKSA cache entry for " MACSTR,
MAC2STR(e->addr)); MAC2STR(e->addr));
ptksa_cache_free_entry(ptksa, e); if (e->cb && e->ctx)
e->cb(e);
else
ptksa_cache_free_entry(ptksa, e);
} }
ptksa_cache_set_expiration(ptksa); ptksa_cache_set_expiration(ptksa);
@ -259,6 +262,8 @@ void ptksa_cache_flush(struct ptksa_cache *ptksa, const u8 *addr, u32 cipher)
* @cipher: The cipher used * @cipher: The cipher used
* @life_time: The PTK life time in seconds * @life_time: The PTK life time in seconds
* @ptk: The PTK * @ptk: The PTK
* @life_time_expiry_cb: Callback for alternative expiration handling
* @ctx: Context pointer to save into e->ctx for the callback
* Returns: Pointer to the added PTKSA cache entry or %NULL on error * Returns: Pointer to the added PTKSA cache entry or %NULL on error
* *
* This function creates a PTKSA entry and adds it to the PTKSA cache. * This function creates a PTKSA entry and adds it to the PTKSA cache.
@ -269,7 +274,10 @@ struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
const u8 *own_addr, const u8 *own_addr,
const u8 *addr, u32 cipher, const u8 *addr, u32 cipher,
u32 life_time, u32 life_time,
const struct wpa_ptk *ptk) const struct wpa_ptk *ptk,
void (*life_time_expiry_cb)
(struct ptksa_cache_entry *e),
void *ctx)
{ {
struct ptksa_cache_entry *entry, *tmp, *tmp2 = NULL; struct ptksa_cache_entry *entry, *tmp, *tmp2 = NULL;
struct os_reltime now; struct os_reltime now;
@ -291,6 +299,9 @@ struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
dl_list_init(&entry->list); dl_list_init(&entry->list);
os_memcpy(entry->addr, addr, ETH_ALEN); os_memcpy(entry->addr, addr, ETH_ALEN);
entry->cipher = cipher; entry->cipher = cipher;
entry->cb = life_time_expiry_cb;
entry->ctx = ctx;
if (own_addr) if (own_addr)
os_memcpy(entry->own_addr, own_addr, ETH_ALEN); os_memcpy(entry->own_addr, own_addr, ETH_ALEN);

View file

@ -24,6 +24,8 @@ struct ptksa_cache_entry {
u32 cipher; u32 cipher;
u8 addr[ETH_ALEN]; u8 addr[ETH_ALEN];
u8 own_addr[ETH_ALEN]; u8 own_addr[ETH_ALEN];
void (*cb)(struct ptksa_cache_entry *e);
void *ctx;
}; };
#ifdef CONFIG_PTKSA_CACHE #ifdef CONFIG_PTKSA_CACHE
@ -39,7 +41,10 @@ struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
const u8 *own_addr, const u8 *own_addr,
const u8 *addr, u32 cipher, const u8 *addr, u32 cipher,
u32 life_time, u32 life_time,
const struct wpa_ptk *ptk); const struct wpa_ptk *ptk,
void (*cb)
(struct ptksa_cache_entry *e),
void *ctx);
void ptksa_cache_flush(struct ptksa_cache *ptksa, const u8 *addr, u32 cipher); void ptksa_cache_flush(struct ptksa_cache *ptksa, const u8 *addr, u32 cipher);
#else /* CONFIG_PTKSA_CACHE */ #else /* CONFIG_PTKSA_CACHE */
@ -67,7 +72,8 @@ static inline int ptksa_cache_list(struct ptksa_cache *ptksa,
static inline struct ptksa_cache_entry * static inline struct ptksa_cache_entry *
ptksa_cache_add(struct ptksa_cache *ptksa, const u8 *own_addr, const u8 *addr, ptksa_cache_add(struct ptksa_cache *ptksa, const u8 *own_addr, const u8 *addr,
u32 cipher, u32 life_time, const struct wpa_ptk *ptk) u32 cipher, u32 life_time, const struct wpa_ptk *ptk,
void (*cb)(struct ptksa_cache_entry *e), void *ctx)
{ {
return NULL; return NULL;
} }

View file

@ -1584,6 +1584,14 @@ static int wpas_pasn_immediate_retry(struct wpa_supplicant *wpa_s,
} }
static void wpas_pasn_deauth_cb(struct ptksa_cache_entry *entry)
{
struct wpa_supplicant *wpa_s = entry->ctx;
wpas_pasn_deauthenticate(wpa_s, entry->own_addr, entry->addr);
}
int wpas_pasn_auth_rx(struct wpa_supplicant *wpa_s, int wpas_pasn_auth_rx(struct wpa_supplicant *wpa_s,
const struct ieee80211_mgmt *mgmt, size_t len) const struct ieee80211_mgmt *mgmt, size_t len)
{ {
@ -1825,7 +1833,9 @@ int wpas_pasn_auth_rx(struct wpa_supplicant *wpa_s,
wpa_printf(MSG_DEBUG, "PASN: Success sending last frame. Store PTK"); wpa_printf(MSG_DEBUG, "PASN: Success sending last frame. Store PTK");
ptksa_cache_add(wpa_s->ptksa, pasn->own_addr, pasn->bssid, ptksa_cache_add(wpa_s->ptksa, pasn->own_addr, pasn->bssid,
pasn->cipher, dot11RSNAConfigPMKLifetime, &pasn->ptk); pasn->cipher, dot11RSNAConfigPMKLifetime, &pasn->ptk,
wpa_s->pasn_params ? wpas_pasn_deauth_cb : NULL,
wpa_s->pasn_params ? wpa_s : NULL);
forced_memzero(&pasn->ptk, sizeof(pasn->ptk)); forced_memzero(&pasn->ptk, sizeof(pasn->ptk));

View file

@ -1379,7 +1379,7 @@ static void wpa_supplicant_store_ptk(void *ctx, u8 *addr, int cipher,
struct wpa_supplicant *wpa_s = ctx; struct wpa_supplicant *wpa_s = ctx;
ptksa_cache_add(wpa_s->ptksa, wpa_s->own_addr, addr, cipher, life_time, ptksa_cache_add(wpa_s->ptksa, wpa_s->own_addr, addr, cipher, life_time,
ptk); ptk, NULL, NULL);
} }
#endif /* CONFIG_NO_WPA */ #endif /* CONFIG_NO_WPA */