Add REKEY_PTK to allow upper layer request to force PTK rekeying

"REKEY_PTK <STA MAC address>" can now be used to force rekeying of the
PTK for the specified associated STA.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index b39f40252f292af797de3766dfa603c6cfb7e34f..911098066ad6d21ab9248e63ad77c5674085f3d7 100644 (file)
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -2524,6 +2524,22 @@ static int hostapd_ctrl_resend_group_m1(struct hostapd_data *hapd,
 }
 
 
+static int hostapd_ctrl_rekey_ptk(struct hostapd_data *hapd, const char *cmd)
+{
+       struct sta_info *sta;
+       u8 addr[ETH_ALEN];
+
+       if (hwaddr_aton(cmd, addr))
+               return -1;
+
+       sta = ap_get_sta(hapd, addr);
+       if (!sta || !sta->wpa_sm)
+               return -1;
+
+       return wpa_auth_rekey_ptk(hapd->wpa_auth, sta->wpa_sm);
+}
+
+
 static int hostapd_ctrl_get_pmksa_pmk(struct hostapd_data *hapd, const u8 *addr,
                                      char *buf, size_t buflen)
 {
@@ -3670,6 +3686,9 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
        } else if (os_strncmp(buf, "RESEND_GROUP_M1 ", 16) == 0) {
                if (hostapd_ctrl_resend_group_m1(hapd, buf + 16) < 0)
                        reply_len = -1;
+       } else if (os_strncmp(buf, "REKEY_PTK ", 10) == 0) {
+               if (hostapd_ctrl_rekey_ptk(hapd, buf + 10) < 0)
+                       reply_len = -1;
        } else if (os_strcmp(buf, "REKEY_GTK") == 0) {
                if (wpa_auth_rekey_gtk(hapd->wpa_auth) < 0)
                        reply_len = -1;

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 6c4b737c851cfd6686e9accbbf56fb94aa85ff47..9655cd5221d0a8314d48c5f2461a8e84b875f28b 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -5643,6 +5643,18 @@ int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth)
 }
 
 
+int wpa_auth_rekey_ptk(struct wpa_authenticator *wpa_auth,
+                      struct wpa_state_machine *sm)
+{
+       if (!wpa_auth || !sm)
+               return -1;
+       wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK");
+       wpa_request_new_ptk(sm);
+       wpa_sm_step(sm);
+       return 0;
+}
+
+
 void wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator *wpa_auth, int val)
 {
        if (wpa_auth)

diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index eaa2cafc8088c6c2e4ba80bde2045e4f8583eaa4..ec3e0b5d75b67a1aaef5d5a9813d9d48236d8a9a 100644 (file)
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -553,6 +553,8 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm,
 int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
                             void (*cb)(void *ctx1, void *ctx2),
                             void *ctx1, void *ctx2);
+int wpa_auth_rekey_ptk(struct wpa_authenticator *wpa_auth,
+                      struct wpa_state_machine *sm);
 int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth);
 void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm);
 void wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator *wpa_auth, int val);