FT: Add expiration to PMK-R0 and PMK-R1 cache
IEEE Std 802.11-2016, 12.7.1.7.1 indicates that the lifetime of the PMK-R0 (and PMK-R1) is bound to the lifetime of PSK or MSK from which the key was derived. This is currently stored in r0_key_lifetime, but cache entries are not actually removed. This commit uses the r0_key_lifetime configuration parameter when wpa_auth_derive_ptk_ft() is called. This may need to be extended to use the MSK lifetime, if provided by an external authentication server, with some future changes. For PSK, there is no such lifetime, but it also matters less as FT-PSK can be achieved without inter-AP communication. The expiration timeout is then passed from R0KH to R1KH. The R1KH sanity-checks the given timeout: it may not exceed the locally configured r1_max_key_lifetime. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This commit is contained in:
parent
09211c9894
commit
3a3e28320b
6 changed files with 122 additions and 10 deletions
|
@ -77,6 +77,7 @@ struct ft_rrb_frame {
|
|||
#define FT_RRB_PMK_R1 10 /* PMK_LEN */
|
||||
|
||||
#define FT_RRB_PAIRWISE 11 /* le16 */
|
||||
#define FT_RRB_EXPIRES_IN 12 /* le16 seconds */
|
||||
|
||||
struct ft_rrb_tlv {
|
||||
le16 type;
|
||||
|
@ -92,6 +93,7 @@ struct ft_rrb_seq {
|
|||
|
||||
/* session TLVs:
|
||||
* required: PMK_R1, PMK_R1_NAME, PAIRWISE
|
||||
* optional: EXPIRES_IN
|
||||
*
|
||||
* pull frame TLVs:
|
||||
* auth:
|
||||
|
@ -191,6 +193,7 @@ struct wpa_auth_config {
|
|||
int rkh_neg_timeout;
|
||||
int rkh_pull_timeout; /* ms */
|
||||
int rkh_pull_retries;
|
||||
int r1_max_key_lifetime;
|
||||
u32 reassociation_deadline;
|
||||
struct ft_remote_r0kh **r0kh_list;
|
||||
struct ft_remote_r1kh **r1kh_list;
|
||||
|
|
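Review bot: `FT_RRB_EXPIRES_IN` is declared as an le16 seconds value, so the largest lifetime an R0KH can convey is 65535 s (roughly 18 hours); if the r0_key_lifetime it is derived from (per the description) can exceed that, the encoder must saturate rather than let the narrowing conversion truncate, and the bound is worth stating in the header, e.g. `#define FT_RRB_EXPIRES_IN 12 /* le16 seconds, max 65535; bounded by r1_max_key_lifetime on R1KH */`. The TLV list marks EXPIRES_IN as optional but does not say what the receiver does when it is absent or zero — whether the PMK-R1 then has no expiry or falls back to the local limit — and since the R1KH is otherwise accepting a value chosen by a peer, that default belongs next to the `* optional: EXPIRES_IN` line. In struct wpa_auth_config the new `int r1_max_key_lifetime;` carries no unit while the neighbouring rkh_pull_timeout is annotated `/* ms */`; presumably it is in seconds to match the TLV, so `int r1_max_key_lifetime; /* seconds */` (confirm against the config parser) would keep the struct self-describing. The encoding and validation code this refers to lives in the commit's other files, outside this section.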