git.ipfire.org Git - thirdparty/hostap.git/commit

author	Michael Braun <michael-dev@fami-braun.de>
	Thu, 18 May 2017 13:21:50 +0000 (15:21 +0200)
committer	Jouni Malinen <j@w1.fi>
	Thu, 5 Apr 2018 10:58:20 +0000 (13:58 +0300)
commit	3a3e28320b6d68053c6c2b27d4d7f16cc676045a
tree	d7c69cf35b4aedb9c00a6d705b4b54b0c9eab0ca	tree \| snapshot
parent	09211c989468e4d592d9e54ff08832399bcc0abf	commit \| diff

FT: Add expiration to PMK-R0 and PMK-R1 cache

IEEE Std 802.11-2016, 12.7.1.7.1 indicates that the lifetime of the
PMK-R0 (and PMK-R1) is bound to the lifetime of PSK or MSK from which
the key was derived. This is currently stored in r0_key_lifetime, but
cache entries are not actually removed.

This commit uses the r0_key_lifetime configuration parameter when
wpa_auth_derive_ptk_ft() is called. This may need to be extended to use
the MSK lifetime, if provided by an external authentication server, with
some future changes. For PSK, there is no such lifetime, but it also
matters less as FT-PSK can be achieved without inter-AP communication.

The expiration timeout is then passed from R0KH to R1KH. The R1KH verifies
that the given timeout for sanity, it may not exceed the locally configured
r1_max_key_lifetime.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>

hostapd/config_file.c		diff \| blob \| blame \| history
hostapd/hostapd.conf		diff \| blob \| blame \| history
src/ap/ap_config.h		diff \| blob \| blame \| history
src/ap/wpa_auth.h		diff \| blob \| blame \| history
src/ap/wpa_auth_ft.c		diff \| blob \| blame \| history
src/ap/wpa_auth_glue.c		diff \| blob \| blame \| history