Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-01-31 01:04:03 -05:00
Code Issues Projects Releases Wiki Activity

DPP: Set PMKSA expiration based on peer connector

Browse Source 
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2017-07-02 12:36:41 +03:00 committed by Jouni Malinen
parent 0651dfb76c
commit 787615b381
4 changed files with 31 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/ap/dpp_hostapd.c
View File

@ -880,6 +880,7 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd,
u16 connector_len; u16 connector_len;
struct os_time now; struct os_time now;
struct dpp_introduction intro; struct dpp_introduction intro;
os_time_t expire;
int expiration; int expiration;
struct wpabuf *msg; struct wpabuf *msg;
@ -923,19 +924,18 @@ static void hostapd_dpp_rx_peer_disc_req(struct hostapd_data *hapd,
wpabuf_len(hapd->conf->dpp_netaccesskey), wpabuf_len(hapd->conf->dpp_netaccesskey),
wpabuf_head(hapd->conf->dpp_csign), wpabuf_head(hapd->conf->dpp_csign),
wpabuf_len(hapd->conf->dpp_csign), wpabuf_len(hapd->conf->dpp_csign),
connector, connector_len) < 0) { connector, connector_len, &expire) < 0) {
wpa_printf(MSG_INFO, wpa_printf(MSG_INFO,
"DPP: Network Introduction protocol resulted in failure"); "DPP: Network Introduction protocol resulted in failure");
return; return;
} }
if (hapd->conf->dpp_netaccesskey_expiry && if (!expire || hapd->conf->dpp_netaccesskey_expiry < expire)
(!hapd->conf->dpp_csign_expiry || expire = hapd->conf->dpp_netaccesskey_expiry;
hapd->conf->dpp_netaccesskey_expiry < if (!expire || hapd->conf->dpp_csign_expiry < expire)
hapd->conf->dpp_csign_expiry)) expire = hapd->conf->dpp_csign_expiry;
expiration = hapd->conf->dpp_netaccesskey_expiry - now.sec; if (expire)
else if (hapd->conf->dpp_csign_expiry) expiration = expire - now.sec;
expiration = hapd->conf->dpp_csign_expiry - now.sec;
else else
expiration = 0; expiration = 0;

7
src/common/dpp.c
View File

@ -4686,7 +4686,8 @@ static int dpp_netkey_hash(EVP_PKEY *key, u8 *hash)
int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector, int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
const u8 *net_access_key, size_t net_access_key_len, const u8 *net_access_key, size_t net_access_key_len,
const u8 *csign_key, size_t csign_key_len, const u8 *csign_key, size_t csign_key_len,
const u8 *peer_connector, size_t peer_connector_len) const u8 *peer_connector, size_t peer_connector_len,
os_time_t *expiry)
{ {
struct json_token *root = NULL, *netkey, *token; struct json_token *root = NULL, *netkey, *token;
struct json_token *own_root = NULL; struct json_token *own_root = NULL;
@ -4711,6 +4712,8 @@ int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
os_memset(intro, 0, sizeof(*intro)); os_memset(intro, 0, sizeof(*intro));
os_memset(&info, 0, sizeof(info)); os_memset(&info, 0, sizeof(info));
if (expiry)
*expiry = 0;
p = csign_key; p = csign_key;
csign = d2i_PUBKEY(NULL, &p, csign_key_len); csign = d2i_PUBKEY(NULL, &p, csign_key_len);
@ -4802,7 +4805,7 @@ int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
"DPP: No expiry string found - connector does not expire"); "DPP: No expiry string found - connector does not expire");
} else { } else {
wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string); wpa_printf(MSG_DEBUG, "DPP: expiry = %s", token->string);
if (dpp_key_expired(token->string, NULL)) { if (dpp_key_expired(token->string, expiry)) {
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,
"DPP: Connector (netAccessKey) has expired"); "DPP: Connector (netAccessKey) has expired");
goto fail; goto fail;

3
src/common/dpp.h
View File

@ -256,7 +256,8 @@ dpp_keygen_configurator(const char *curve, const u8 *privkey,
int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector, int dpp_peer_intro(struct dpp_introduction *intro, const char *own_connector,
const u8 *net_access_key, size_t net_access_key_len, const u8 *net_access_key, size_t net_access_key_len,
const u8 *csign_key, size_t csign_key_len, const u8 *csign_key, size_t csign_key_len,
const u8 *peer_connector, size_t peer_connector_len); const u8 *peer_connector, size_t peer_connector_len,
os_time_t *expiry);
struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi, struct dpp_pkex * dpp_pkex_init(struct dpp_bootstrap_info *bi,
const u8 *own_mac, const u8 *own_mac,
const char *identifier, const char *identifier,

18
wpa_supplicant/dpp_supplicant.c
View File

@ -1269,6 +1269,10 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s,
u16 connector_len, pk_hash_len, nk_hash_len; u16 connector_len, pk_hash_len, nk_hash_len;
struct dpp_introduction intro; struct dpp_introduction intro;
struct rsn_pmksa_cache_entry *entry; struct rsn_pmksa_cache_entry *entry;
struct os_time now;
struct os_reltime rnow;
os_time_t expiry;
unsigned int seconds;
wpa_printf(MSG_DEBUG, "DPP: Peer Discovery Response from " MACSTR, wpa_printf(MSG_DEBUG, "DPP: Peer Discovery Response from " MACSTR,
MAC2STR(src)); MAC2STR(src));
@ -1303,7 +1307,7 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s,
ssid->dpp_netaccesskey_len, ssid->dpp_netaccesskey_len,
ssid->dpp_csign, ssid->dpp_csign,
ssid->dpp_csign_len, ssid->dpp_csign_len,
connector, connector_len) < 0) { connector, connector_len, &expiry) < 0) {
wpa_printf(MSG_INFO, wpa_printf(MSG_INFO,
"DPP: Network Introduction protocol resulted in failure"); "DPP: Network Introduction protocol resulted in failure");
goto fail; goto fail;
@ -1347,7 +1351,17 @@ static void wpas_dpp_rx_peer_disc_resp(struct wpa_supplicant *wpa_s,
os_memcpy(entry->pmk, intro.pmk, intro.pmk_len); os_memcpy(entry->pmk, intro.pmk, intro.pmk_len);
entry->pmk_len = intro.pmk_len; entry->pmk_len = intro.pmk_len;
entry->akmp = WPA_KEY_MGMT_DPP; entry->akmp = WPA_KEY_MGMT_DPP;
/* TODO: expiration */ if (!expiry || expiry > ssid->dpp_csign_expiry)
expiry = ssid->dpp_csign_expiry;
if (expiry) {
os_get_time(&now);
seconds = expiry - now.sec;
} else {
seconds = 86400 * 7;
}
os_get_reltime(&rnow);
entry->expiration = rnow.sec + seconds;
entry->reauth_time = rnow.sec + seconds;
entry->network_ctx = ssid; entry->network_ctx = ssid;
wpa_sm_pmksa_cache_add_entry(wpa_s->wpa, entry); wpa_sm_pmksa_cache_add_entry(wpa_s->wpa, entry);