DPP: Set PMKSA expiration based on peer connector
authorJouni Malinen <jouni@qca.qualcomm.com>
Sun, 2 Jul 2017 09:36:41 +0000 (12:36 +0300)
committerJouni Malinen <j@w1.fi>
Mon, 3 Jul 2017 10:29:59 +0000 (13:29 +0300)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/ap/dpp_hostapd.c
src/common/dpp.c
src/common/dpp.h
wpa_supplicant/dpp_supplicant.c

index f6ac9c8cf9cc811fd353a5917434be7cde3bb028..b5980d4c3b722962a41fd42f13de6a739a43f39f 100644 (file)
@@ -880,6 +880,7 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd,
        u16 connector_len;
        struct os_time now;
        struct dpp_introduction intro;
+       os_time_t expire;
        int expiration;
        struct wpabuf *msg;
 
@@ -923,19 +924,18 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd,
                           wpabuf_len(hapd->conf->dpp_netaccesskey),
                           wpabuf_head(hapd->conf->dpp_csign),
                           wpabuf_len(hapd->conf->dpp_csign),
-                          connector, connector_len) < 0) {
+                          connector, connector_len, &expire) < 0) {
                wpa_printf(MSG_INFO,
                           "DPP: Network Introduction protocol resulted in failure");
                return;
        }
 
-       if (hapd->conf->dpp_netaccesskey_expiry &&
-           (!hapd->conf->dpp_csign_expiry ||
-            hapd->conf->dpp_netaccesskey_expiry <
-            hapd->conf->dpp_csign_expiry))
-               expiration = hapd->conf->dpp_netaccesskey_expiry - now.sec;
-       else if (hapd->conf->dpp_csign_expiry)
-               expiration = hapd->conf->dpp_csign_expiry - now.sec;
+       if (!expire || hapd->conf->dpp_netaccesskey_expiry < expire)
+               expire = hapd->conf->dpp_netaccesskey_expiry;
+       if (!expire || hapd->conf->dpp_csign_expiry < expire)
+               expire = hapd->conf->dpp_csign_expiry;
+       if (expire)
+               expiration = expire - now.sec;
        else
                expiration = 0;
 
index 5311dee02e5bc948768dc4e226c6f1726ec69246..06e70a105c44c17c8815fbfeeea69735412faeb4 100644 (file)
@@ -4686,7 +4686,8 @@ static int dpp_netkey_hash(EVP_PKEY *key, u8 *hash)
 int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
                   const u8 *net_access_key, size_t net_access_key_len,
                   const u8 *csign_key, size_t csign_key_len,
-                  const u8 *peer_connector, size_t peer_connector_len)
+                  const u8 *peer_connector, size_t peer_connector_len,
+                  os_time_t *expiry)
 {
        struct json_token *root = NULL, *netkey, *token;
        struct json_token *own_root = NULL;
@@ -4711,6 +4712,8 @@ int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
 
        os_memset(intro, 0, sizeof(*intro));
        os_memset(&info, 0, sizeof(info));
+       if (expiry)
+               *expiry = 0;
 
        p = csign_key;
        csign = d2i_PUBKEY(NULL, &p, csign_key_len);
@@ -4802,7 +4805,7 @@ int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
                           "DPP: No expiry string found - connector does not expire");
        } else {
                wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string);
-               if (dpp_key_expired(token->string, NULL)) {
+               if (dpp_key_expired(token->string, expiry)) {
                        wpa_printf(MSG_DEBUG,
                                   "DPP: Connector (netAccessKey) has expired");
                        goto fail;
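Review bot: The new `expiry` out-parameter added to dpp_peer_intro at L55–L56 has no documented contract, and both callers declare their variable without an initializer (`os_time_t expire;` in dpp_hostapd.c, `os_time_t expiry;` in dpp_supplicant.c) and rely on the reset at L64–L65 before any use. Add a comment above the definition, and the same on the prototype in dpp.h at L84–L85: `/* expiry: if non-NULL, receives the expiry time of the peer connector, or 0 when the connector has no expiry string; callers read it only on success */`. It is not visible here whether dpp_key_expired() stores the parsed time into `*expiry` when the key has not yet expired — worth confirming, since both callers treat a zero as "no expiry". The body of dpp_peer_intro continues outside these hunks.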
index 1c10928781eec9634144658c725cb150faf836d5..d68cd76b57852fb499f7dbe99d1a9c417240a249 100644 (file)
@@ -256,7 +256,8 @@ dpp_keygen_configurator(const char *curve, const u8 *privkey,
 int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
                   const u8 *net_access_key, size_t net_access_key_len,
                   const u8 *csign_key, size_t csign_key_len,
-                  const u8 *peer_connector, size_t peer_connector_len);
+                  const u8 *peer_connector, size_t peer_connector_len,
+                  os_time_t *expiry);
 struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi,
                                const u8 *own_mac,
                                const char *identifier,
index b7b50110c105a5262caf704a95f004c9ca7e326a..74233eb231bc1d9c5cb3c341a0d62f978973e953 100644 (file)
@@ -1269,6 +1269,10 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s,
        u16 connector_len, pk_hash_len, nk_hash_len;
        struct dpp_introduction intro;
        struct rsn_pmksa_cache_entry *entry;
+       struct os_time now;
+       struct os_reltime rnow;
+       os_time_t expiry;
+       unsigned int seconds;
 
        wpa_printf(MSG_DEBUG, "DPP: Peer Discovery Response from " MACSTR,
                   MAC2STR(src));
@@ -1303,7 +1307,7 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s,
                           ssid->dpp_netaccesskey_len,
                           ssid->dpp_csign,
                           ssid->dpp_csign_len,
-                          connector, connector_len) < 0) {
+                          connector, connector_len, &expiry) < 0) {
                wpa_printf(MSG_INFO,
                           "DPP: Network Introduction protocol resulted in failure");
                goto fail;
@@ -1347,7 +1351,17 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s,
        os_memcpy(entry->pmk, intro.pmk, intro.pmk_len);
        entry->pmk_len = intro.pmk_len;
        entry->akmp = WPA_KEY_MGMT_DPP;
-       /* TODO: expiration */
+       if (!expiry || expiry > ssid->dpp_csign_expiry)
+               expiry = ssid->dpp_csign_expiry;
+       if (expiry) {
+               os_get_time(&now);
+               seconds = expiry - now.sec;
+       } else {
+               seconds = 86400 * 7;
+       }
+       os_get_reltime(&rnow);
+       entry->expiration = rnow.sec + seconds;
+       entry->reauth_time = rnow.sec + seconds;
        entry->network_ctx = ssid;
        wpa_sm_pmksa_cache_add_entry(wpa_s->wpa, entry);