FT RRB: Add msg replay and msg delay protection
This adds a counter and adds sequence numbering to FT RRB packets. The sequence number is checked against r0kh/r1kh sequence number cache. Special attention is needed in case the remote AP reboots and thus loses its state. I prefer it to recover automatically even without synchronized clocks. Therefore an identifier called dom is generated randomly along the initial sequence number. If the dom transmitted does not match or the sequence number is not in the range currently expected, the sender is asked for a fresh confirmation of its currently used sequence numbers. The packet that triggered this is cached and processed again later. Additionally, in order to ensure freshness, the remote AP includes an timestamp with its messages. It is then verified that the received messages are indeed fresh by comparing it to the older timestamps received and the time elapsed since then. Therefore FT_RRB_TIMESTAMP is no longer needed. This assigns new OUI 00:13:74 vendor-specific subtype 0x0001 subtypes: 4 (SEQ_REQ) and 5 (SEQ_RESP). This breaks backward compatibility, i.e., hostapd needs to be updated on all APs at the same time to allow FT to remain functional. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This commit is contained in:
Michael Braun
Jouni Malinen
parent
c95dd8e48b
commit
eefe863015
5 changed files with 796 additions and 73 deletions
|
|
@ -520,6 +520,7 @@ void wpa_deinit(struct wpa_authenticator *wpa_auth)
|
|||
#ifdef CONFIG_IEEE80211R_AP
|
||||
wpa_ft_pmk_cache_deinit(wpa_auth->ft_pmk_cache);
|
||||
wpa_auth->ft_pmk_cache = NULL;
|
||||
wpa_ft_deinit(wpa_auth);
|
||||
#endif /* CONFIG_IEEE80211R_AP */
|
||||
|
||||
#ifdef CONFIG_P2P
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue