From 47ea24c13d803c3a103704ec3c3bbb8db263626a Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 4 Oct 2014 19:36:48 +0300
Subject: [PATCH] Fix PMKSA cache timeout from Session-Timeout in WPA/WPA2 cases
Previously, WPA/WPA2 case ended up using the hardcoded dot11RSNAConfigPMKLifetime (43200 seconds) for PMKSA cache entries instead of using the Session-Timeout value from the RADIUS server (if included in Access-Accept). Store a copy of the Session-Timeout value and use it instead of the default value so that WPA/WPA2 cases get the proper timeout similarly to non-WPA/WPA2 cases.
Signed-off-by: Jouni Malinen
---
 src/ap/ieee802_1x.c | 10 +++++++++-
 src/ap/sta_info.h | 3 +++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index e4681e90d..2d09b67b1 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1622,6 +1622,9 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) break;
+ sta->session_timeout_set = !!session_timeout_set;
+ sta->session_timeout = session_timeout;
+
 /* RFC 3580, Ch. 3.17 */
 if (session_timeout_set && termination_action == RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
@@ -2396,6 +2399,7 @@ static void ieee802_1x_finished(struct hostapd_data *hapd,
 size_t len;
 /* TODO: get PMKLifetime from WPA parameters */
 static const int dot11RSNAConfigPMKLifetime = 43200;
+ unsigned int session_timeout;
 #ifdef CONFIG_HS20
 if (remediation && !sta->remediation) {
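Review bot: The two assignments added to ieee802_1x_receive_auth() in the first hunk carry no comment saying why a second copy of Session-Timeout is kept on the station entry; the reason only becomes visible in ieee802_1x_finished(). A one-line comment above them would do, for example `/* Remember Session-Timeout so ieee802_1x_finished() can use it as the PMKSA cache lifetime */`. The comment should also say that the pair is refreshed only when this point is reached. The lines sit after the `break` taken when ap_sta_bind_vlan() fails, so that path leaves whatever an earlier Access-Accept stored in place. The function body starts and ends outside the hunk.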
@@ -2430,9 +2434,13 @@ static void ieee802_1x_finished(struct hostapd_data *hapd,
 #endif /* CONFIG_HS20 */
 key = ieee802_1x_get_key(sta->eapol_sm, &len);
+ if (sta->session_timeout_set)
+ session_timeout = sta->session_timeout;
+ else
+ session_timeout = dot11RSNAConfigPMKLifetime;
 if (success && key && len >= PMK_LEN && !sta->remediation && !sta->hs20_deauth_requested &&
- wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime,
+ wpa_auth_pmksa_add(sta->wpa_sm, key, session_timeout,
 sta->eapol_sm) == 0) {
 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, HOSTAPD_LEVEL_DEBUG,
diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h
index 03db98f66..faf32d859 100644
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -60,6 +60,7 @@ struct sta_info {
 unsigned int qos_map_enabled:1;
 unsigned int remediation:1;
 unsigned int hs20_deauth_requested:1;
+ unsigned int session_timeout_set:1;
 u16 auth_alg;
@@ -135,6 +136,8 @@ struct sta_info {
 #ifdef CONFIG_SAE
 struct sae_data *sae;
 #endif /* CONFIG_SAE */
+
+ u32 session_timeout; /* valid only if session_timeout_set == 1 */
 };
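Review bot: The lifetime handed to wpa_auth_pmksa_add() in ieee802_1x_finished() is now the RADIUS-supplied value with no range check, and it travels as an `unsigned int` where the call previously received the `int` constant. The prototype of wpa_auth_pmksa_add() is not visible here; if that parameter is a signed int, a Session-Timeout above INT_MAX would arrive as a negative lifetime, and a Session-Timeout of 0 is passed through unchanged as well. Because the PMKSA lifetime decides how long a station can reconnect without a full EAP exchange, I would fall back to the default for out-of-range values, e.g. `if (sta->session_timeout_set && sta->session_timeout > 0 && sta->session_timeout <= INT_MAX)`. How 0 should be treated needs an explicit decision. The function starts and ends outside the hunk.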
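Review bot: The comment on the new `session_timeout` member of struct sta_info gives neither the unit nor the origin of the value. The commit message uses it interchangeably with the 43200-second default, so it is presumably seconds; `u32 session_timeout; /* seconds, from RADIUS Session-Timeout; valid only if session_timeout_set == 1 */` would make that explicit. The member is declared at the end of the struct, away from the `session_timeout_set` bit added in the first hunk of this file, so a short cross-reference comment at the bit-field would help readers. The struct definition begins outside the hunk.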