Skip to content

Commit

Permalink
cfg80211: Configure PMK lifetime and reauth threshold for PMKSA entries
Browse files Browse the repository at this point in the history
Drivers that trigger roaming need to know the lifetime of the configured
PMKSA for deciding whether to trigger the full or PMKSA cache based
authentication. The configured PMKSA is invalid after the PMK lifetime
has expired and must not be used after that and the STA needs to
disassociate if the PMK expires. Hence the STA is expected to refresh
the PMK with a full authentication before this happens (e.g., when
reassociating to a new BSS the next time or by performing EAPOL
reauthentication depending on the AKM) to avoid unnecessary
disconnection.

The PMK reauthentication threshold is the percentage of the PMK lifetime
value and indicates to the driver to trigger a full authentication roam
(without PMKSA caching) after the reauthentication threshold time, but
before the PMK timer has expired. Authentication methods like SAE need
to be able to generate a new PMKSA entry without having to force a
disconnection after this threshold timeout. If no roaming occurs between
the reauthentication threshold time and PMK lifetime expiration,
disassociation is still forced.

The new attributes for providing these values correspond to the dot11
MIB variables dot11RSNAConfigPMKLifetime and
dot11RSNAConfigPMKReauthThreshold.

This type of functionality is already available in cases where user
space component is in control of roaming. This commit extends that same
capability into cases where parts or all of this functionality is
offloaded to the driver.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Link: https://lore.kernel.org/r/20200312235903.18462-1-jouni@codeaurora.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  • Loading branch information
Veerendranath Jakkam authored and Johannes Berg committed Mar 20, 2020
1 parent b255b72 commit 7fc82af
Show file tree
Hide file tree
Showing 3 changed files with 51 additions and 0 deletions.
13 changes: 13 additions & 0 deletions include/net/cfg80211.h
Original file line number Diff line number Diff line change
Expand Up @@ -2699,6 +2699,17 @@ enum wiphy_params_flags {
* @cache_id: 2-octet cache identifier advertized by a FILS AP identifying the
* scope of PMKSA. This is valid only if @ssid_len is non-zero (may be
* %NULL).
* @pmk_lifetime: Maximum lifetime for PMKSA in seconds
* (dot11RSNAConfigPMKLifetime) or 0 if not specified.
* The configured PMKSA must not be used for PMKSA caching after
* expiration and any keys derived from this PMK become invalid on
* expiration, i.e., the current association must be dropped if the PMK
* used for it expires.
* @pmk_reauth_threshold: Threshold time for reauthentication (percentage of
* PMK lifetime, dot11RSNAConfigPMKReauthThreshold) or 0 if not specified.
* Drivers are expected to trigger a full authentication instead of using
* this PMKSA for caching when reassociating to a new BSS after this
* threshold to generate a new PMK before the current one expires.
*/
struct cfg80211_pmksa {
const u8 *bssid;
Expand All @@ -2708,6 +2719,8 @@ struct cfg80211_pmksa {
const u8 *ssid;
size_t ssid_len;
const u8 *cache_id;
u32 pmk_lifetime;
u8 pmk_reauth_threshold;
};

/**
Expand Down
27 changes: 27 additions & 0 deletions include/uapi/linux/nl80211.h
Original file line number Diff line number Diff line change
Expand Up @@ -2446,6 +2446,30 @@ enum nl80211_commands {
* @NL80211_ATTR_CONTROL_PORT_NO_PREAUTH: disable preauth frame rx on control
* port in order to forward/receive them as ordinary data frames.
*
* @NL80211_ATTR_PMK_LIFETIME: Maximum lifetime for PMKSA in seconds (u32,
* dot11RSNAConfigPMKReauthThreshold; 0 is not a valid value).
* An optional parameter configured through %NL80211_CMD_SET_PMKSA.
* Drivers that trigger roaming need to know the lifetime of the
* configured PMKSA for triggering the full vs. PMKSA caching based
* authentication. This timeout helps authentication methods like SAE,
* where PMK gets updated only by going through a full (new SAE)
* authentication instead of getting updated during an association for EAP
* authentication. No new full authentication within the PMK expiry shall
* result in a disassociation at the end of the lifetime.
*
* @NL80211_ATTR_PMK_REAUTH_THRESHOLD: Reauthentication threshold time, in
* terms of percentage of %NL80211_ATTR_PMK_LIFETIME
* (u8, dot11RSNAConfigPMKReauthThreshold, 1..100). This is an optional
* parameter configured through %NL80211_CMD_SET_PMKSA. Requests the
* driver to trigger a full authentication roam (without PMKSA caching)
* after the reauthentication threshold time, but before the PMK lifetime
* has expired.
*
* Authentication methods like SAE need to be able to generate a new PMKSA
* entry without having to force a disconnection after the PMK timeout. If
* no roaming occurs between the reauth threshold and PMK expiration,
* disassociation is still forced.
*
* @NUM_NL80211_ATTR: total number of nl80211_attrs available
* @NL80211_ATTR_MAX: highest attribute number currently defined
* @__NL80211_ATTR_AFTER_LAST: internal use
Expand Down Expand Up @@ -2918,6 +2942,9 @@ enum nl80211_attrs {

NL80211_ATTR_CONTROL_PORT_NO_PREAUTH,

NL80211_ATTR_PMK_LIFETIME,
NL80211_ATTR_PMK_REAUTH_THRESHOLD,

/* add attributes here, update the policy in nl80211.c */

__NL80211_ATTR_AFTER_LAST,
Expand Down
11 changes: 11 additions & 0 deletions net/wireless/nl80211.c
Original file line number Diff line number Diff line change
Expand Up @@ -661,6 +661,8 @@ const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
[NL80211_ATTR_TID_CONFIG] =
NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
};

/* policy for the key attributes */
Expand Down Expand Up @@ -10514,6 +10516,15 @@ static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
}

if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
pmksa.pmk_lifetime =
nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);

if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
pmksa.pmk_reauth_threshold =
nla_get_u8(
info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);

if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
!(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
Expand Down

0 comments on commit 7fc82af

Please sign in to comment.