Update default wpa_group_rekey to once-per-day when using CCMP/GCMP

The default value for GTK rekeying period was previously hardcoded to
600 seconds for all cases. Leave that short value only for TKIP as group
cipher while moving to the IEEE 802.11 default value of 86400 seconds
(once-per-day) for CCMP/GCMP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2017-07-03 13:42:55 +03:00 committed by Jouni Malinen
parent 787615b381
commit 90f837b0bf
4 changed files with 9 additions and 1 deletions

View file

@ -2513,6 +2513,7 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->wpa = atoi(pos); bss->wpa = atoi(pos);
} else if (os_strcmp(buf, "wpa_group_rekey") == 0) { } else if (os_strcmp(buf, "wpa_group_rekey") == 0) {
bss->wpa_group_rekey = atoi(pos); bss->wpa_group_rekey = atoi(pos);
bss->wpa_group_rekey_set = 1;
} else if (os_strcmp(buf, "wpa_strict_rekey") == 0) { } else if (os_strcmp(buf, "wpa_strict_rekey") == 0) {
bss->wpa_strict_rekey = atoi(pos); bss->wpa_strict_rekey = atoi(pos);
} else if (os_strcmp(buf, "wpa_gmk_rekey") == 0) { } else if (os_strcmp(buf, "wpa_gmk_rekey") == 0) {

View file

@ -1282,7 +1282,10 @@ own_ip_addr=127.0.0.1
# Time interval for rekeying GTK (broadcast/multicast encryption keys) in # Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds. (dot11RSNAConfigGroupRekeyTime) # seconds. (dot11RSNAConfigGroupRekeyTime)
#wpa_group_rekey=600 # This defaults to 86400 seconds (once per day) when using CCMP/GCMP as the
# group cipher and 600 seconds (once per 10 minutes) when using TKIP as the
# group cipher.
#wpa_group_rekey=86400
# Rekey GTK when any STA that possesses the current GTK is leaving the BSS. # Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
# (dot11RSNAConfigGroupRekeyStrict) # (dot11RSNAConfigGroupRekeyStrict)

View file

@ -1036,6 +1036,9 @@ void hostapd_set_security_params(struct hostapd_bss_config *bss,
bss->rsn_pairwise = bss->wpa_pairwise; bss->rsn_pairwise = bss->wpa_pairwise;
bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, bss->wpa_pairwise, bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, bss->wpa_pairwise,
bss->rsn_pairwise); bss->rsn_pairwise);
if (!bss->wpa_group_rekey_set)
bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ?
600 : 86400;
if (full_config) { if (full_config) {
bss->radius->auth_server = bss->radius->auth_servers; bss->radius->auth_server = bss->radius->auth_servers;

View file

@ -327,6 +327,7 @@ struct hostapd_bss_config {
int wpa_pairwise; int wpa_pairwise;
int wpa_group; int wpa_group;
int wpa_group_rekey; int wpa_group_rekey;
int wpa_group_rekey_set;
int wpa_strict_rekey; int wpa_strict_rekey;
int wpa_gmk_rekey; int wpa_gmk_rekey;
int wpa_ptk_rekey; int wpa_ptk_rekey;