author | Jouni Malinen <jouni.malinen@atheros.com> | 2008-11-06 19:57:21 +0200 |
---|---|---|
committer | Jouni Malinen <j@w1.fi> | 2008-11-06 19:57:21 +0200 |
commit | 581a8cde77670ba7de2cce57f4a723ba435df9b7 (patch) | |
tree | d06cf58048193c7a10dc8e6de59fc414124fffcc /src/rsn_supp | |
parent | 81eec387dd7c1f4521822e48023e950dfa7b5a52 (diff) | |
Added support for enforcing frequent PTK rekeying
Added a new configuration option, wpa_ptk_rekey, that can be used to
enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP
deficiencies. This can be set either by the Authenticator (to initiate
periodic 4-way handshake to rekey PTK) or by the Supplicant (to request
Authenticator to rekey PTK).
With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP
keys will not be used for more than 10 minutes which may make some attacks
against TKIP more difficult to implement.
Diffstat (limited to 'src/rsn_supp')
-rw-r--r-- | src/rsn_supp/wpa.c | 19 | ||||
-rw-r--r-- | src/rsn_supp/wpa.h | 1 | ||||
-rw-r--r-- | src/rsn_supp/wpa_i.h | 1 |
3 files changed, 20 insertions, 1 deletions
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 5ec1dab..1da54f2 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -133,7 +133,6 @@ void wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck,
 * @sm: Pointer to WPA state machine data from wpa_sm_init()
 * @error: Indicate whether this is an Michael MIC error report
 * @pairwise: 1 = error report for pairwise packet, 0 = for group packet
- * Returns: Pointer to the current network structure or %NULL on failure
 *
 * Send an EAPOL-Key Request to the current authenticator. This function is
 * used to request rekeying and it is usually called when a local Michael MIC
@@ -489,6 +488,14 @@ static void wpa_supplicant_key_neg_complete(struct wpa_sm *sm,
 }
+static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
+{
+ struct wpa_sm *sm = eloop_ctx;
+ wpa_printf(MSG_DEBUG, "WPA: Request PTK rekeying");
+ wpa_sm_key_request(sm, 0, 1);
+}
+
+
 static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
 const struct wpa_eapol_key *key)
 {
@@ -533,6 +540,13 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
 "driver.");
 return -1;
 }
+
+ if (sm->wpa_ptk_rekey) {
+ eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+ eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
+ sm, NULL);
+ }
+
 return 0;
 }
@@ -1849,6 +1863,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
 return;
 pmksa_cache_deinit(sm->pmksa);
 eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
+ eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
 os_free(sm->assoc_wpa_ie);
 os_free(sm->ap_wpa_ie);
 os_free(sm->ap_rsn_ie);
@@ -2018,6 +2033,7 @@ void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
 sm->ssid_len = config->ssid_len;
 } else
 sm->ssid_len = 0;
+ sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
 } else {
 sm->network_ctx = NULL;
 sm->peerkey_enabled = 0;
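Review bot: wpa_sm_rekey_ptk is a one-shot request: the timeout is armed only from wpa_supplicant_install_ptk after a completed 4-way handshake, so if the authenticator does not honour the EAPOL-Key Request sent by `wpa_sm_key_request(sm, 0, 1)` the timer is never re-armed and the rekey policy silently lapses after the first attempt. Either re-register the timeout at the end of the callback (`eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk, sm, NULL);`) so the request is repeated until a new PTK is installed, or document that supplicant-side enforcement is best-effort. A header comment along the lines of `/* eloop timeout: ask the authenticator to start a new 4-way handshake; fires sm->wpa_ptk_rekey seconds after the PTK was installed */` would make the contract clear to readers of wpa_supplicant_install_ptk. The stock `wpa_printf(MSG_DEBUG, ...)` level also means an ignored request leaves no trace at normal verbosity, which is presumably not what an operator relying on the 10-minute bound expects.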
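Review bot: In wpa_supplicant_install_ptk the `eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);` sits inside `if (sm->wpa_ptk_rekey)`, so a timeout armed under an earlier configuration keeps running when the value later becomes 0: wpa_sm_set_config (the hunks at 2033 and 2042) assigns `sm->wpa_ptk_rekey` without cancelling a pending timeout, and only wpa_sm_deinit does. Moving the cancel above the `if` (and, arguably, adding the same cancel where wpa_sm_set_config writes the field) prevents a stale timer from requesting a rekey on an unrelated association. The value is also copied straight from `config->wpa_ptk_rekey` into a signed `int` and handed to eloop_register_timeout as seconds; presumably the config parser rejects negative values, but that is not visible here. wpa_supplicant_install_ptk starts outside this hunk.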
@@ -2026,6 +2042,7 @@ void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config)
 sm->eap_workaround = 0;
 sm->eap_conf_ctx = NULL;
 sm->ssid_len = 0;
+ sm->wpa_ptk_rekey = 0;
 }
 if (config == NULL || config->network_ctx != sm->network_ctx)
 pmksa_cache_notify_reconfig(sm->pmksa);
diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h
index 650e75f..bdf7785 100644
--- a/src/rsn_supp/wpa.h
+++ b/src/rsn_supp/wpa.h
@@ -85,6 +85,7 @@ struct rsn_supp_config {
 void *eap_conf_ctx;
 const u8 *ssid;
 size_t ssid_len;
+ int wpa_ptk_rekey;
 };
 #ifndef CONFIG_NO_WPA
diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
index 1505155..95348da 100644
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -60,6 +60,7 @@ struct wpa_sm {
 void *eap_conf_ctx;
 u8 ssid[32];
 size_t ssid_len;
+ int wpa_ptk_rekey;
 u8 own_addr[ETH_ALEN];
 const char *ifname; |