From e35f2494f86332e2c7f52bd09f3904ebbbf8e871 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani
Date: Tue, 19 Jul 2022 19:02:46 +0200
Subject: [PATCH] supplicant: increase the PMK lifetime for WPA-EAP
By default, wpa_supplicant sets these parameters according to the 802.11 standard: dot11RSNAConfigPMKLifetime = 43200 seconds (12 hours) dot11RSNAConfigPMKReauthThreshold = 70% With these, the supplicant triggers a new EAP authentication every 8 hours and 24 minutes. If the network uses one-time secrets, the reauthentication fails and the supplicant disconnects. It doesn't seem desirable that the client starts a reauthentication so early; bump the lifetime to a week. Currently, due to a bug, the new value is ignored by wpa_supplicant when set via D-Bus. This patch needs the fix at [1], not yet merged. [1] http://lists.infradead.org/pipermail/hostap/2022-July/040664.html https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1306
---
 src/core/supplicant/nm-supplicant-interface.c | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/src/core/supplicant/nm-supplicant-interface.c b/src/core/supplicant/nm-supplicant-interface.c
index bdd6e9311f..fa8b4e3713 100644
--- a/src/core/supplicant/nm-supplicant-interface.c
+++ b/src/core/supplicant/nm-supplicant-interface.c
@@ -21,6 +21,7 @@
 #include "nm-supplicant-manager.h"
 #define DBUS_TIMEOUT_MSEC 20000
+#define PMK_LIFETIME_SEC (3600 * 24 * 7)
 /*****************************************************************************/
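Review bot: `PMK_LIFETIME_SEC` expands to a signed `int` expression and states neither its unit nor why a week was chosen. Both later hunks format it with `%u`: the `_LOGT` call in `assoc_set_pmk_lifetime` and the `g_strdup_printf` that builds the D-Bus value in `nm_supplicant_interface_assoc`. Making the constant unsigned keeps the format and the argument type in agreement: `#define PMK_LIFETIME_SEC (3600u * 24u * 7u)`. A comment above it such as `/* PMKSA lifetime requested from wpa_supplicant, in seconds (one week) */` would record the unit next to the value.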
@@ -2452,6 +2453,32 @@ assoc_set_ap_scan_cb(GVariant *ret, GError *error, gpointer user_data)
 add_network(self);
 }
+static void
+assoc_set_pmk_lifetime(GVariant *ret, GError *error, gpointer user_data)
+{
+ NMSupplicantInterface *self;
+ NMSupplicantInterfacePrivate *priv;
+
+ if (nm_utils_error_is_cancelled(error))
+ return;
+
+ self = NM_SUPPLICANT_INTERFACE(user_data);
+ priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
+
+ if (error) {
+ assoc_return(self, error, "failure to set PMK lifetime");
+ return;
+ }
+
+ _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: interface PMK lifetime set to %u",
+ NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+ PMK_LIFETIME_SEC);
+
+ nm_assert(priv->assoc_data->calls_left > 0);
+ if (--priv->assoc_data->calls_left == 0)
+ add_network(self);
+}
+
 static gboolean
 assoc_fail_on_idle_cb(gpointer user_data)
 {
@@ -2535,6 +2562,21 @@ nm_supplicant_interface_assoc(NMSupplicantInterface *self,
 assoc_set_ap_scan_cb,
 self);
+ /* Set the PMK lifetime to a longer interval (1 week) instead of
+ * the default one (12 hours) that would trigger a WPA-EAP
+ * reauthentication after only 8:24 hours (70% of the lifetime). */
+ assoc_data->calls_left++;
+ nm_dbus_connection_call_set(priv->dbus_connection,
+ priv->name_owner->str,
+ priv->object_path->str,
+ NM_WPAS_DBUS_IFACE_INTERFACE,
+ "Dot11RSNAConfigPMKLifetime",
+ g_variant_new_take_string(g_strdup_printf("%u", PMK_LIFETIME_SEC)),
+ DBUS_TIMEOUT_MSEC,
+ assoc_data->cancellable,
+ assoc_set_pmk_lifetime,
+ self);
+
 ap_isolation = nm_supplicant_config_get_ap_isolation(priv->assoc_data->cfg);
 if (!priv->ap_isolate_supported) {
 if (ap_isolation) {
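Review bot: The error branch of `assoc_set_pmk_lifetime` aborts the whole association through `assoc_return(self, error, "failure to set PMK lifetime")`, so a supplicant that rejects the property turns a lifetime tweak into a failed connection. The commit message says wpa_supplicant currently ignores the value when set over D-Bus, which suggests the setting is best-effort. Falling back to the supplicant's default lifetime, which is the shorter and more conservative one, looks safer than refusing to connect. Replace the two lines in the branch with `_LOGW("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: failed to set PMK lifetime: %s", NM_HASH_OBFUSCATE_PTR(priv->assoc_data), error->message);`, move the existing `_LOGT` success message into an `else`, and let both paths reach the `calls_left` decrement.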
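Review bot: The `Dot11RSNAConfigPMKLifetime` call is issued on every association, although the comment and the commit title scope the change to WPA-EAP. The property is set on the interface object, so as far as this hunk shows it applies whatever key management the connection uses. The comment also omits the security cost of a week-long PMK: a cached PMK postpones the next full EAP exchange, so a credential revoked on the authentication server may keep working against access points that still hold the PMKSA, unless the network enforces its own session timeout. Consider issuing the call only when the connection actually uses 802.1X, and add a line to the comment such as `* Trade-off: full reauthentication, and with it any credential revocation check, is deferred accordingly.` The enclosing `nm_supplicant_interface_assoc` starts and ends outside the hunk.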