Allow PMKSA caching to be disabled on Authenticator

A new hostapd configuration parameter, disable_pmksa_caching=1, can now
be used to disable PMKSA caching on the Authenticator. This forces the
stations to complete EAP authentication on every association when WPA2
is being used.

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 835f0500ab0ad041182a7dd07ff4889d4911c742..bfd480983c0c22cb927b19435abe460dde701605 100644 (file)
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -1904,6 +1904,8 @@ struct hostapd_config * hostapd_config_read(const char *fname)
 #endif /* CONFIG_IEEE80211N */
                } else if (os_strcmp(buf, "max_listen_interval") == 0) {
                        bss->max_listen_interval = atoi(pos);
+               } else if (os_strcmp(buf, "disable_pmksa_caching") == 0) {
+                       bss->disable_pmksa_caching = atoi(pos);
                } else if (os_strcmp(buf, "okc") == 0) {
                        bss->okc = atoi(pos);
 #ifdef CONFIG_WPS

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index e0525e4054f0cb4403da7b4fd4133b67922ac844..3b1548c1bdd3326f19595f3a8d5e1175354a108c 100644 (file)
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -770,6 +770,13 @@ own_ip_addr=127.0.0.1
 # dot11AssociationSAQueryRetryTimeout, 1...4294967295
 #assoc_sa_query_retry_timeout=201
 
+# disable_pmksa_caching: Disable PMKSA caching
+# This parameter can be used to disable caching of PMKSA created through EAP
+# authentication. RSN preauthentication may still end up using PMKSA caching if
+# it is enabled (rsn_preauth=1).
+# 0 = PMKSA caching enabled (default)
+# 1 = PMKSA caching disabled
+#disable_pmksa_caching=0
 
 # okc: Opportunistic Key Caching (aka Proactive Key Caching)
 # Allow PMK cache to be shared opportunistically among configured interfaces

diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 0a3e76ec7be098e6df8f52267d6f7467ebb2ab45..09eed5abd4e47c5800317c1910384c9925ca51e6 100644 (file)
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -288,6 +288,7 @@ struct hostapd_bss_config {
         */
        u16 max_listen_interval;
 
+       int disable_pmksa_caching;
        int okc; /* Opportunistic Key Caching */
 
        int wps_state;

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index cfb2cada464b0bbc60f1a6acbefbb9a11e2911e7..3fbb88b93544de008e0d02330f65694ed205202d 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -2727,7 +2727,8 @@ const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
                       int session_timeout, struct eapol_state_machine *eapol)
 {
-       if (sm == NULL || sm->wpa != WPA_VERSION_WPA2)
+       if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
+           sm->wpa_auth->conf.disable_pmksa_caching)
                return -1;
 
        if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,

diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index b3e1ff027e06284b623a72eda0cf1d08aaae9cd7..e533a140a4e60b617e4beef9b9b357955929ea2b 100644 (file)
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -143,6 +143,7 @@ struct wpa_auth_config {
        int peerkey;
        int wmm_enabled;
        int wmm_uapsd;
+       int disable_pmksa_caching;
        int okc;
        int tx_status;
 #ifdef CONFIG_IEEE80211W

diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index b35b7ba5eef6ab332e203b037cc8cef086af0a43..0e3cb31fbff3fca22d810f5d5e65a991e35a3cb1 100644 (file)
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -48,6 +48,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
        wconf->peerkey = conf->peerkey;
        wconf->wmm_enabled = conf->wmm_enabled;
        wconf->wmm_uapsd = conf->wmm_uapsd;
+       wconf->disable_pmksa_caching = conf->disable_pmksa_caching;
        wconf->okc = conf->okc;
 #ifdef CONFIG_IEEE80211W
        wconf->ieee80211w = conf->ieee80211w;