
Allow PMKSA caching to be disabled on Authenticator

A new hostapd configuration parameter, disable_pmksa_caching=1, can now
be used to disable PMKSA caching on the Authenticator. This forces the
stations to complete EAP authentication on every association when WPA2
is being used.
Jouni Malinen il y a 14 ans
Parent
commit
cb465555d4
6 fichiers modifiés avec 14 ajouts et 1 suppressions
  1. 2 0
      hostapd/config_file.c
  2. 7 0
      hostapd/hostapd.conf
  3. 1 0
      src/ap/ap_config.h
  4. 2 1
      src/ap/wpa_auth.c
  5. 1 0
      src/ap/wpa_auth.h
  6. 1 0
      src/ap/wpa_auth_glue.c

+ 2 - 0
hostapd/config_file.c

@@ -1904,6 +1904,8 @@ struct hostapd_config * hostapd_config_read(const char *fname)
 #endif /* CONFIG_IEEE80211N */
 		} else if (os_strcmp(buf, "max_listen_interval") == 0) {
 			bss->max_listen_interval = atoi(pos);
+		} else if (os_strcmp(buf, "disable_pmksa_caching") == 0) {
+			bss->disable_pmksa_caching = atoi(pos);
 		} else if (os_strcmp(buf, "okc") == 0) {
 			bss->okc = atoi(pos);
 #ifdef CONFIG_WPS

+ 7 - 0
hostapd/hostapd.conf

@@ -770,6 +770,13 @@ own_ip_addr=127.0.0.1
 # dot11AssociationSAQueryRetryTimeout, 1...4294967295
 #assoc_sa_query_retry_timeout=201
 
+# disable_pmksa_caching: Disable PMKSA caching
+# This parameter can be used to disable caching of PMKSA created through EAP
+# authentication. RSN preauthentication may still end up using PMKSA caching if
+# it is enabled (rsn_preauth=1).
+# 0 = PMKSA caching enabled (default)
+# 1 = PMKSA caching disabled
+#disable_pmksa_caching=0
 
 # okc: Opportunistic Key Caching (aka Proactive Key Caching)
 # Allow PMK cache to be shared opportunistically among configured interfaces
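Review bot: The new comment block documents the rsn_preauth interaction but not the okc one, even though the okc parameter it sits directly above is described as sharing the PMK cache between interfaces; since the wpa_auth.c change in this commit only stops EAP-derived entries from being added, okc=1 would presumably have nothing to share when disable_pmksa_caching=1, and that is worth saying where an operator will read it. I would also state the intent in security terms, because that is why someone sets this: `# With caching disabled, a station must complete full EAP authentication on` / `# every association (no PMKID-based fast reconnect); okc=1 then has no cached` / `# entries to share across interfaces.` As far as this diff shows, nothing flushes entries that are already in the cache when the option is turned on, so operators should expect that only new associations are affected; confirm against the cache code before documenting it as a guarantee.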

+ 1 - 0
src/ap/ap_config.h

@@ -288,6 +288,7 @@ struct hostapd_bss_config {
 	 */
 	u16 max_listen_interval;
 
+	int disable_pmksa_caching;
 	int okc; /* Opportunistic Key Caching */
 
 	int wps_state;
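Review bot: The new field is added without a comment while its neighbour `okc` carries one, and a reader of struct hostapd_bss_config cannot tell from the name alone whether it is a boolean or a mode. Mirror the existing style: `int disable_pmksa_caching; /* 1 = do not cache EAP-derived PMKSA (WPA2) */`. The struct definition continues outside the hunk.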

+ 2 - 1
src/ap/wpa_auth.c

@@ -2727,7 +2727,8 @@ const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
 		       int session_timeout, struct eapol_state_machine *eapol)
 {
-	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2)
+	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
+	    sm->wpa_auth->conf.disable_pmksa_caching)
 		return -1;
 
 	if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
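Review bot: The extended guard returns the same -1 for "caching disabled by configuration" as for the genuine error cases (no state machine, not WPA2), so a caller that logs or counts a non-zero return as a failure will now report one on every successful EAP authentication when the option is set; the caller is outside this hunk, so confirm how it treats the return before relying on the shared code. Either way the condition deserves a comment, because the security intent is not obvious from the name: `/* Do not cache this PMK: disable_pmksa_caching forces full EAP authentication on every association */`. Note also that this gate only suppresses insertion; lookups against entries already in `sm->wpa_auth->pmksa` (for example ones created via RSN pre-authentication, as hostapd.conf notes) are unaffected by this change. wpa_auth_pmksa_add continues past the end of the hunk.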

+ 1 - 0
src/ap/wpa_auth.h

@@ -143,6 +143,7 @@ struct wpa_auth_config {
 	int peerkey;
 	int wmm_enabled;
 	int wmm_uapsd;
+	int disable_pmksa_caching;
 	int okc;
 	int tx_status;
 #ifdef CONFIG_IEEE80211W

+ 1 - 0
src/ap/wpa_auth_glue.c

@@ -48,6 +48,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
 	wconf->peerkey = conf->peerkey;
 	wconf->wmm_enabled = conf->wmm_enabled;
 	wconf->wmm_uapsd = conf->wmm_uapsd;
+	wconf->disable_pmksa_caching = conf->disable_pmksa_caching;
 	wconf->okc = conf->okc;
 #ifdef CONFIG_IEEE80211W
 	wconf->ieee80211w = conf->ieee80211w;