From 04283cf36b427005cd8cadf1d79c21d0ad440ea2 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 29 Jan 2021 20:17:22 +0200 Subject: [PATCH] Add REKEY_PTK to allow upper layer request to force PTK rekeying "REKEY_PTK " can now be used to force rekeying of the PTK for the specified associated STA. Signed-off-by: Jouni Malinen --- hostapd/ctrl_iface.c | 19 +++++++++++++++++++ src/ap/wpa_auth.c | 12 ++++++++++++ src/ap/wpa_auth.h | 2 ++ 3 files changed, 33 insertions(+) diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index b39f40252..911098066 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -2524,6 +2524,22 @@ static int hostapd_ctrl_resend_group_m1(struct hostapd_data *hapd, } +static int hostapd_ctrl_rekey_ptk(struct hostapd_data *hapd, const char *cmd) +{ + struct sta_info *sta; + u8 addr[ETH_ALEN]; + + if (hwaddr_aton(cmd, addr)) + return -1; + + sta = ap_get_sta(hapd, addr); + if (!sta || !sta->wpa_sm) + return -1; + + return wpa_auth_rekey_ptk(hapd->wpa_auth, sta->wpa_sm); +} + + static int hostapd_ctrl_get_pmksa_pmk(struct hostapd_data *hapd, const u8 *addr, char *buf, size_t buflen) { @@ -3670,6 +3686,9 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd, } else if (os_strncmp(buf, "RESEND_GROUP_M1 ", 16) == 0) { if (hostapd_ctrl_resend_group_m1(hapd, buf + 16) < 0) reply_len = -1; + } else if (os_strncmp(buf, "REKEY_PTK ", 10) == 0) { + if (hostapd_ctrl_rekey_ptk(hapd, buf + 10) < 0) + reply_len = -1; } else if (os_strcmp(buf, "REKEY_GTK") == 0) { if (wpa_auth_rekey_gtk(hapd->wpa_auth) < 0) reply_len = -1; diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 6c4b737c8..9655cd522 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -5643,6 +5643,18 @@ int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth) } +int wpa_auth_rekey_ptk(struct wpa_authenticator *wpa_auth, + struct wpa_state_machine *sm) +{ + if (!wpa_auth || !sm) + return -1; + wpa_auth_logger(wpa_auth, sm->addr, LOGGER_DEBUG, "rekeying PTK"); + wpa_request_new_ptk(sm); + wpa_sm_step(sm); + return 0; +} + + void wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator *wpa_auth, int val) { if (wpa_auth) diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index eaa2cafc8..ec3e0b5d7 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -553,6 +553,8 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm, int wpa_auth_resend_group_m1(struct wpa_state_machine *sm, void (*cb)(void *ctx1, void *ctx2), void *ctx1, void *ctx2); +int wpa_auth_rekey_ptk(struct wpa_authenticator *wpa_auth, + struct wpa_state_machine *sm); int wpa_auth_rekey_gtk(struct wpa_authenticator *wpa_auth); void wpa_auth_set_ptk_rekey_timer(struct wpa_state_machine *sm); void wpa_auth_set_ft_rsnxe_used(struct wpa_authenticator *wpa_auth, int val);