Fix PMKSA cache timeout from Session-Timeout in WPA/WPA2 cases
Previously, WPA/WPA2 case ended up using the hardcoded dot11RSNAConfigPMKLifetime (43200 seconds) for PMKSA cache entries instead of using the Session-Timeout value from the RADIUS server (if included in Access-Accept). Store a copy of the Session-Timeout value and use it instead of the default value so that WPA/WPA2 cases get the proper timeout similarly to non-WPA/WPA2 cases. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
8e1fc78e1f
commit
47ea24c13d
2 changed files with 12 additions and 1 deletions
|
|
@ -1622,6 +1622,9 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
|
|||
if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0)
|
||||
break;
|
||||
|
||||
sta->session_timeout_set = !!session_timeout_set;
|
||||
sta->session_timeout = session_timeout;
|
||||
|
||||
/* RFC 3580, Ch. 3.17 */
|
||||
if (session_timeout_set && termination_action ==
|
||||
RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
|
||||
|
|
@ -2396,6 +2399,7 @@ static void ieee802_1x_finished(struct hostapd_data *hapd,
|
|||
size_t len;
|
||||
/* TODO: get PMKLifetime from WPA parameters */
|
||||
static const int dot11RSNAConfigPMKLifetime = 43200;
|
||||
unsigned int session_timeout;
|
||||
|
||||
#ifdef CONFIG_HS20
|
||||
if (remediation && !sta->remediation) {
|
||||
|
|
@ -2430,9 +2434,13 @@ static void ieee802_1x_finished(struct hostapd_data *hapd,
|
|||
#endif /* CONFIG_HS20 */
|
||||
|
||||
key = ieee802_1x_get_key(sta->eapol_sm, &len);
|
||||
if (sta->session_timeout_set)
|
||||
session_timeout = sta->session_timeout;
|
||||
else
|
||||
session_timeout = dot11RSNAConfigPMKLifetime;
|
||||
if (success && key && len >= PMK_LEN && !sta->remediation &&
|
||||
!sta->hs20_deauth_requested &&
|
||||
wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime,
|
||||
wpa_auth_pmksa_add(sta->wpa_sm, key, session_timeout,
|
||||
sta->eapol_sm) == 0) {
|
||||
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA,
|
||||
HOSTAPD_LEVEL_DEBUG,
|
||||
|
|
|
|||
|
|
@ -60,6 +60,7 @@ struct sta_info {
|
|||
unsigned int qos_map_enabled:1;
|
||||
unsigned int remediation:1;
|
||||
unsigned int hs20_deauth_requested:1;
|
||||
unsigned int session_timeout_set:1;
|
||||
|
||||
u16 auth_alg;
|
||||
|
||||
|
|
@ -135,6 +136,8 @@ struct sta_info {
|
|||
#ifdef CONFIG_SAE
|
||||
struct sae_data *sae;
|
||||
#endif /* CONFIG_SAE */
|
||||
|
||||
u32 session_timeout; /* valid only if session_timeout_set == 1 */
|
||||
};
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue