supplicant: increase the PMK lifetime for WPA-EAP

By default, wpa_supplicant sets these parameters according to the 802.11 standard: dot11RSNAConfigPMKLifetime = 43200 seconds (12 hours) dot11RSNAConfigPMKReauthThreshold = 70% With these, the supplicant triggers a new EAP authentication every 8 hours and 24 minutes. If the network uses one-time secrets, the reauthentication fails and the supplicant disconnects. It doesn't seem desirable that the client starts a reauthentication so early; bump the lifetime to a week. Currently, due to a bug, the new value is ignored by wpa_supplicant when set via D-Bus. This patch needs the fix at [1], not yet merged. [1] http://lists.infradead.org/pipermail/hostap/2022-July/040664.html https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1306
2025-12-27 19:50:08 +01:00 · 2022-07-19 19:02:46 +02:00 · 2022-07-19 19:02:46 +02:00 · e35f2494f8
commit e35f2494f8
parent 8e8fed433f
1 changed files with 42 additions and 0 deletions
--- a/src/core/supplicant/nm-supplicant-interface.c
+++ b/src/core/supplicant/nm-supplicant-interface.c
@ -21,6 +21,7 @@
 #include "nm-supplicant-manager.h"

 #define DBUS_TIMEOUT_MSEC 20000
+#define PMK_LIFETIME_SEC  (3600 * 24 * 7)

 /*****************************************************************************/

@ -2452,6 +2453,32 @@ assoc_set_ap_scan_cb(GVariant *ret, GError *error, gpointer user_data)
        add_network(self);
 }

+static void
+assoc_set_pmk_lifetime(GVariant *ret, GError *error, gpointer user_data)
+{
+    NMSupplicantInterface        *self;
+    NMSupplicantInterfacePrivate *priv;
+
+    if (nm_utils_error_is_cancelled(error))
+        return;
+
+    self = NM_SUPPLICANT_INTERFACE(user_data);
+    priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
+
+    if (error) {
+        assoc_return(self, error, "failure to set PMK lifetime");
+        return;
+    }
+
+    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: interface PMK lifetime set to %u",
+          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+          PMK_LIFETIME_SEC);
+
+    nm_assert(priv->assoc_data->calls_left > 0);
+    if (--priv->assoc_data->calls_left == 0)
+        add_network(self);
+}
+
 static gboolean
 assoc_fail_on_idle_cb(gpointer user_data)
 {
@ -2535,6 +2562,21 @@ nm_supplicant_interface_assoc(NMSupplicantInterface       *self,
        assoc_set_ap_scan_cb,
        self);

+    /* Set the PMK lifetime to a longer interval (1 week) instead of
+     * the default one (12 hours) that would trigger a WPA-EAP
+     * reauthentication after only 8:24 hours (70% of the lifetime). */
+    assoc_data->calls_left++;
+    nm_dbus_connection_call_set(priv->dbus_connection,
+                                priv->name_owner->str,
+                                priv->object_path->str,
+                                NM_WPAS_DBUS_IFACE_INTERFACE,
+                                "Dot11RSNAConfigPMKLifetime",
+                                g_variant_new_take_string(g_strdup_printf("%u", PMK_LIFETIME_SEC)),
+                                DBUS_TIMEOUT_MSEC,
+                                assoc_data->cancellable,
+                                assoc_set_pmk_lifetime,
+                                self);
+
    ap_isolation = nm_supplicant_config_get_ap_isolation(priv->assoc_data->cfg);
    if (!priv->ap_isolate_supported) {
        if (ap_isolation) {