From: Jouni Malinen <j@w1.fi>
Date: Tue, 5 Jul 2011 14:13:04 +0000 (+0300)
Subject: Allow PMKSA caching to be disabled on Authenticator
X-Git-Tag: hostap-1-bp~329
X-Git-Url: http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=cb465555d47feabc4f041ef88ca81b9bc740c036

Allow PMKSA caching to be disabled on Authenticator

A new hostapd configuration parameter, disable_pmksa_caching=1, can now
be used to disable PMKSA caching on the Authenticator. This forces the
stations to complete EAP authentication on every association when WPA2
is being used.
---

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 835f050..bfd4809 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -1904,6 +1904,8 @@ struct hostapd_config * hostapd_config_read(const char *fname)
 #endif /* CONFIG_IEEE80211N */
 		} else if (os_strcmp(buf, "max_listen_interval") == 0) {
 			bss->max_listen_interval = atoi(pos);
+		} else if (os_strcmp(buf, "disable_pmksa_caching") == 0) {
+			bss->disable_pmksa_caching = atoi(pos);
 		} else if (os_strcmp(buf, "okc") == 0) {
 			bss->okc = atoi(pos);
 #ifdef CONFIG_WPS
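Review bot: The new `disable_pmksa_caching` branch takes `atoi(pos)` unchecked, so a value such as `yes` or a stray character silently parses as 0 and leaves caching enabled — the option fails open, which matters more for a hardening switch than for the neighbouring tuning knobs that use the same idiom. The sample configuration added by this commit documents only 0 and 1, so it would be consistent to reject anything else through the file's existing invalid-value handling rather than storing the raw integer; if that is considered too strict for this file, at least normalise it, `bss->disable_pmksa_caching = atoi(pos) != 0;`, so that any later code comparing the field against 1 behaves as documented. The enclosing hostapd_config_read() starts and ends outside the hunk, so I could not confirm which error path is available here.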
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index e0525e4..3b1548c 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -770,6 +770,13 @@ own_ip_addr=127.0.0.1
 # dot11AssociationSAQueryRetryTimeout, 1...4294967295
 #assoc_sa_query_retry_timeout=201
 
+# disable_pmksa_caching: Disable PMKSA caching
+# This parameter can be used to disable caching of PMKSA created through EAP
+# authentication. RSN preauthentication may still end up using PMKSA caching if
+# it is enabled (rsn_preauth=1).
+# 0 = PMKSA caching enabled (default)
+# 1 = PMKSA caching disabled
+#disable_pmksa_caching=0
 
 # okc: Opportunistic Key Caching (aka Proactive Key Caching)
 # Allow PMK cache to be shared opportunistically among configured interfaces
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 0a3e76e..09eed5a 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -288,6 +288,7 @@ struct hostapd_bss_config {
 	 */
 	u16 max_listen_interval;
 
+	int disable_pmksa_caching;
 	int okc; /* Opportunistic Key Caching */
 
 	int wps_state;
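Review bot: The new `disable_pmksa_caching` member is the only field in this part of the struct without a trailing comment, while its neighbour `okc` has one, and the name alone does not say that only EAP-derived entries are affected (the sample configuration added in this commit states that RSN pre-authentication may still populate the cache). Suggest `int disable_pmksa_caching; /* 1 = do not cache PMKSA derived from EAP authentication */`. The same field is added without a comment to struct wpa_auth_config in the wpa_auth.h hunk and would benefit from the same line.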
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index cfb2cad..3fbb88b 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -2727,7 +2727,8 @@ const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
 		       int session_timeout, struct eapol_state_machine *eapol)
 {
-	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2)
+	if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
+	    sm->wpa_auth->conf.disable_pmksa_caching)
 		return -1;
 
 	if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
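Review bot: The added `sm->wpa_auth->conf.disable_pmksa_caching` test makes the policy refusal indistinguishable from the argument/version checks it is OR-ed with, and nothing at the call site explains why `-1` is returned for a perfectly valid WPA2 session; a short comment on the condition would keep the next reader from treating this as an error path, e.g. `/* Operator disabled caching of EAP-derived PMKSAs (disable_pmksa_caching=1); pre-authentication entries are added via a separate path and are not affected. */`. The pre-authentication caveat is taken from the hostapd.conf text in this commit rather than from code visible here, so it is worth confirming against the preauth add path before wording the comment. If callers log a non-zero return from wpa_auth_pmksa_add() as a failure, consider whether the disabled case should instead return a distinct value or be short-circuited before the call; that cannot be judged from this hunk.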
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index b3e1ff0..e533a14 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -143,6 +143,7 @@ struct wpa_auth_config {
 	int peerkey;
 	int wmm_enabled;
 	int wmm_uapsd;
+	int disable_pmksa_caching;
 	int okc;
 	int tx_status;
 #ifdef CONFIG_IEEE80211W
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index b35b7ba..0e3cb31 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -48,6 +48,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
 	wconf->peerkey = conf->peerkey;
 	wconf->wmm_enabled = conf->wmm_enabled;
 	wconf->wmm_uapsd = conf->wmm_uapsd;
+	wconf->disable_pmksa_caching = conf->disable_pmksa_caching;
 	wconf->okc = conf->okc;
 #ifdef CONFIG_IEEE80211W
 	wconf->ieee80211w = conf->ieee80211w;
