
DPP: Set PMKSA expiration based on peer connector

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen il y a 7 ans
787615b381
4 fichiers modifiés avec 31 ajouts et 13 suppressions
  1. 8 8
      src/ap/dpp_hostapd.c
  2. 5 2
      src/common/dpp.c
  3. 2 1
      src/common/dpp.h
  4. 16 2
      wpa_supplicant/dpp_supplicant.c

+ 8 - 8
src/ap/dpp_hostapd.c

@@ -880,6 +880,7 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd,
 	u16 connector_len;
 	struct os_time now;
 	struct dpp_introduction intro;
+	os_time_t expire;
 	int expiration;
 	struct wpabuf *msg;
 
@@ -923,19 +924,18 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd,
 			   wpabuf_len(hapd->conf->dpp_netaccesskey),
 			   wpabuf_head(hapd->conf->dpp_csign),
 			   wpabuf_len(hapd->conf->dpp_csign),
-			   connector, connector_len) < 0) {
+			   connector, connector_len, &expire) < 0) {
 		wpa_printf(MSG_INFO,
 			   "DPP: Network Introduction protocol resulted in failure");
 		return;
 	}
 
-	if (hapd->conf->dpp_netaccesskey_expiry &&
-	    (!hapd->conf->dpp_csign_expiry ||
-	     hapd->conf->dpp_netaccesskey_expiry <
-	     hapd->conf->dpp_csign_expiry))
-		expiration = hapd->conf->dpp_netaccesskey_expiry - now.sec;
-	else if (hapd->conf->dpp_csign_expiry)
-		expiration = hapd->conf->dpp_csign_expiry - now.sec;
+	if (!expire || hapd->conf->dpp_netaccesskey_expiry < expire)
+		expire = hapd->conf->dpp_netaccesskey_expiry;
+	if (!expire || hapd->conf->dpp_csign_expiry < expire)
+		expire = hapd->conf->dpp_csign_expiry;
+	if (expire)
+		expiration = expire - now.sec;
 	else
 		expiration = 0;
 
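Review bot: The new minimum computation treats a zero expiry (meaning "no expiry") as the smallest value, so a peer connector expiry returned in `expire` is discarded whenever dpp_netaccesskey_expiry or dpp_csign_expiry is 0, and a configured netaccesskey expiry is likewise dropped when the csign key has none — the removed code guarded both fields before comparing. Each comparison should skip unset values: `if (hapd->conf->dpp_netaccesskey_expiry && (!expire || hapd->conf->dpp_netaccesskey_expiry < expire))` and the same guard on the dpp_csign_expiry branch; the supplicant side has the same problem at `if (!expiry || expiry > ssid->dpp_csign_expiry)` in wpa_supplicant/dpp_supplicant.c, where the peer expiry is overwritten with 0 and the entry silently falls back to the 7-day default. The sign of `expire - now.sec` is also not checked, so an already-past local expiry yields a negative `expiration`; what the cache does with that is outside the hunk, so a clamp or at least a comment would help. hostapd_dpp_rx_peer_disc_req starts before the first hunk and continues past the last.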

+ 5 - 2
src/common/dpp.c

@@ -4686,7 +4686,8 @@ static int dpp_netkey_hash(EVP_PKEY *key, u8 *hash)
 int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
 		   const u8 *net_access_key, size_t net_access_key_len,
 		   const u8 *csign_key, size_t csign_key_len,
-		   const u8 *peer_connector, size_t peer_connector_len)
+		   const u8 *peer_connector, size_t peer_connector_len,
+		   os_time_t *expiry)
 {
 	struct json_token *root = NULL, *netkey, *token;
 	struct json_token *own_root = NULL;
@@ -4711,6 +4712,8 @@ int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
 
 	os_memset(intro, 0, sizeof(*intro));
 	os_memset(&info, 0, sizeof(info));
+	if (expiry)
+		*expiry = 0;
 
 	p = csign_key;
 	csign = d2i_PUBKEY(NULL, &p, csign_key_len);
@@ -4802,7 +4805,7 @@ int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
 			   "DPP: No expiry string found - connector does not expire");
 	} else {
 		wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string);
-		if (dpp_key_expired(token->string, NULL)) {
+		if (dpp_key_expired(token->string, expiry)) {
 			wpa_printf(MSG_DEBUG,
 				   "DPP: Connector (netAccessKey) has expired");
 			goto fail;
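Review bot: The new out-parameter `expiry` is undocumented in both this definition and the src/common/dpp.h prototype, and its contract is not obvious from the code: it is zeroed unconditionally near the top, set only through dpp_key_expired() when the peer connector carries an expiry string, and presumably left at 0 when the connector does not expire. A comment on the prototype such as `/* expiry: if non-NULL, receives the peer connector's expiry time on success (0 = does not expire) */` would tell callers what 0 means, since both callers in this commit rely on that reading. Whether dpp_key_expired() also writes the value on the expired path cannot be seen here; if it does, the comment should say the value is unspecified when the function fails. dpp_peer_intro continues past the last hunk.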

+ 2 - 1
src/common/dpp.h

@@ -256,7 +256,8 @@ dpp_keygen_configurator(const char *curve, const u8 *privkey,
 int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
 		   const u8 *net_access_key, size_t net_access_key_len,
 		   const u8 *csign_key, size_t csign_key_len,
-		   const u8 *peer_connector, size_t peer_connector_len);
+		   const u8 *peer_connector, size_t peer_connector_len,
+		   os_time_t *expiry);
 struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi,
 				const u8 *own_mac,
 				const char *identifier,

+ 16 - 2
wpa_supplicant/dpp_supplicant.c

@@ -1269,6 +1269,10 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s,
 	u16 connector_len, pk_hash_len, nk_hash_len;
 	struct dpp_introduction intro;
 	struct rsn_pmksa_cache_entry *entry;
+	struct os_time now;
+	struct os_reltime rnow;
+	os_time_t expiry;
+	unsigned int seconds;
 
 	wpa_printf(MSG_DEBUG, "DPP: Peer Discovery Response from " MACSTR,
 		   MAC2STR(src));
@@ -1303,7 +1307,7 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s,
 			   ssid->dpp_netaccesskey_len,
 			   ssid->dpp_csign,
 			   ssid->dpp_csign_len,
-			   connector, connector_len) < 0) {
+			   connector, connector_len, &expiry) < 0) {
 		wpa_printf(MSG_INFO,
 			   "DPP: Network Introduction protocol resulted in failure");
 		goto fail;
@@ -1347,7 +1351,17 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s,
 	os_memcpy(entry->pmk, intro.pmk, intro.pmk_len);
 	entry->pmk_len = intro.pmk_len;
 	entry->akmp = WPA_KEY_MGMT_DPP;
-	/* TODO: expiration */
+	if (!expiry || expiry > ssid->dpp_csign_expiry)
+		expiry = ssid->dpp_csign_expiry;
+	if (expiry) {
+		os_get_time(&now);
+		seconds = expiry - now.sec;
+	} else {
+		seconds = 86400 * 7;
+	}
+	os_get_reltime(&rnow);
+	entry->expiration = rnow.sec + seconds;
+	entry->reauth_time = rnow.sec + seconds;
 	entry->network_ctx = ssid;
 	wpa_sm_pmksa_cache_add_entry(wpa_s->wpa, entry);
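Review bot: `seconds` is unsigned, so if `expiry` is already in the past `expiry - now.sec` wraps to a value near UINT_MAX and the PMKSA entry effectively never expires; dpp_peer_intro() rejects an expired peer connector, but nothing in this hunk checks ssid->dpp_csign_expiry against the current time. The assignment should not be allowed to go negative: `seconds = expiry > now.sec ? (unsigned int) (expiry - now.sec) : 0;`, or, better, treat a stale expiry as a failure the way the expired-connector case is handled. The `86400 * 7` fallback deserves a named constant or a comment stating it is the default lifetime used when neither the connector nor the csign key carries an expiry. wpas_dpp_rx_peer_disc_resp starts before the first hunk and continues past the last.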