]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/pmksa_cache_auth.c
projects / thirdparty / hostap.git / blob
? search:


3a9cc7b4ec35ad7c4cf6057ee737d4a91ed6ef9d
[thirdparty/hostap.git] / src / ap / pmksa_cache_auth.c
1 /*
2 * hostapd - PMKSA cache for IEEE 802.11i RSN
3 * Copyright (c) 2004-2008, 2012, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "eapol_auth/eapol_auth_sm.h"
14 #include "eapol_auth/eapol_auth_sm_i.h"
15 #include "sta_info.h"
16 #include "ap_config.h"
17 #include "pmksa_cache_auth.h"
18
19
20 static const int pmksa_cache_max_entries = 1024;
21 static const int dot11RSNAConfigPMKLifetime = 43200;
22
23 struct rsn_pmksa_cache {
24 #define PMKID_HASH_SIZE 128
25 #define PMKID_HASH(pmkid) (unsigned int) ((pmkid)[0] & 0x7f)
26 struct rsn_pmksa_cache_entry *pmkid[PMKID_HASH_SIZE];
27 struct rsn_pmksa_cache_entry *pmksa;
28 int pmksa_count;
29
30 void (*free_cb)(struct rsn_pmksa_cache_entry *entry, void *ctx);
31 void *ctx;
32 };
33
34
35 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa);
36
37
38 static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry *entry)
39 {
40 if (entry == NULL)
41 return;
42 os_free(entry->identity);
43 wpabuf_free(entry->cui);
44 #ifndef CONFIG_NO_RADIUS
45 radius_free_class(&entry->radius_class);
46 #endif /* CONFIG_NO_RADIUS */
47 os_free(entry);
48 }
49
50
51 static void pmksa_cache_free_entry(struct rsn_pmksa_cache *pmksa,
52 struct rsn_pmksa_cache_entry *entry)
53 {
54 struct rsn_pmksa_cache_entry *pos, *prev;
55
56 pmksa->pmksa_count--;
57 pmksa->free_cb(entry, pmksa->ctx);
58 pos = pmksa->pmkid[PMKID_HASH(entry->pmkid)];
59 prev = NULL;
60 while (pos) {
61 if (pos == entry) {
62 if (prev != NULL) {
63 prev->hnext = pos->hnext;
64 } else {
65 pmksa->pmkid[PMKID_HASH(entry->pmkid)] =
66 pos->hnext;
67 }
68 break;
69 }
70 prev = pos;
71 pos = pos->hnext;
72 }
73
74 pos = pmksa->pmksa;
75 prev = NULL;
76 while (pos) {
77 if (pos == entry) {
78 if (prev != NULL)
79 prev->next = pos->next;
80 else
81 pmksa->pmksa = pos->next;
82 break;
83 }
84 prev = pos;
85 pos = pos->next;
86 }
87 _pmksa_cache_free_entry(entry);
88 }
89
90
91 static void pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
92 {
93 struct rsn_pmksa_cache *pmksa = eloop_ctx;
94 struct os_time now;
95
96 os_get_time(&now);
97 while (pmksa->pmksa && pmksa->pmksa->expiration <= now.sec) {
98 wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
99 MACSTR, MAC2STR(pmksa->pmksa->spa));
100 pmksa_cache_free_entry(pmksa, pmksa->pmksa);
101 }
102
103 pmksa_cache_set_expiration(pmksa);
104 }
105
106
107 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa)
108 {
109 int sec;
110 struct os_time now;
111
112 eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
113 if (pmksa->pmksa == NULL)
114 return;
115 os_get_time(&now);
116 sec = pmksa->pmksa->expiration - now.sec;
117 if (sec < 0)
118 sec = 0;
119 eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, pmksa, NULL);
120 }
121
122
123 static void pmksa_cache_from_eapol_data(struct rsn_pmksa_cache_entry *entry,
124 struct eapol_state_machine *eapol)
125 {
126 if (eapol == NULL)
127 return;
128
129 if (eapol->identity) {
130 entry->identity = os_malloc(eapol->identity_len);
131 if (entry->identity) {
132 entry->identity_len = eapol->identity_len;
133 os_memcpy(entry->identity, eapol->identity,
134 eapol->identity_len);
135 }
136 }
137
138 if (eapol->radius_cui)
139 entry->cui = wpabuf_dup(eapol->radius_cui);
140
141 #ifndef CONFIG_NO_RADIUS
142 radius_copy_class(&entry->radius_class, &eapol->radius_class);
143 #endif /* CONFIG_NO_RADIUS */
144
145 entry->eap_type_authsrv = eapol->eap_type_authsrv;
146 entry->vlan_id = ((struct sta_info *) eapol->sta)->vlan_id;
147 }
148
149
150 void pmksa_cache_to_eapol_data(struct rsn_pmksa_cache_entry *entry,
151 struct eapol_state_machine *eapol)
152 {
153 if (entry == NULL || eapol == NULL)
154 return;
155
156 if (entry->identity) {
157 os_free(eapol->identity);
158 eapol->identity = os_malloc(entry->identity_len);
159 if (eapol->identity) {
160 eapol->identity_len = entry->identity_len;
161 os_memcpy(eapol->identity, entry->identity,
162 entry->identity_len);
163 }
164 wpa_hexdump_ascii(MSG_DEBUG, "STA identity from PMKSA",
165 eapol->identity, eapol->identity_len);
166 }
167
168 if (entry->cui) {
169 wpabuf_free(eapol->radius_cui);
170 eapol->radius_cui = wpabuf_dup(entry->cui);
171 }
172
173 #ifndef CONFIG_NO_RADIUS
174 radius_free_class(&eapol->radius_class);
175 radius_copy_class(&eapol->radius_class, &entry->radius_class);
176 #endif /* CONFIG_NO_RADIUS */
177 if (eapol->radius_class.attr) {
178 wpa_printf(MSG_DEBUG, "Copied %lu Class attribute(s) from "
179 "PMKSA", (unsigned long) eapol->radius_class.count);
180 }
181
182 eapol->eap_type_authsrv = entry->eap_type_authsrv;
183 ((struct sta_info *) eapol->sta)->vlan_id = entry->vlan_id;
184 }
185
186
187 static void pmksa_cache_link_entry(struct rsn_pmksa_cache *pmksa,
188 struct rsn_pmksa_cache_entry *entry)
189 {
190 struct rsn_pmksa_cache_entry *pos, *prev;
191
192 /* Add the new entry; order by expiration time */
193 pos = pmksa->pmksa;
194 prev = NULL;
195 while (pos) {
196 if (pos->expiration > entry->expiration)
197 break;
198 prev = pos;
199 pos = pos->next;
200 }
201 if (prev == NULL) {
202 entry->next = pmksa->pmksa;
203 pmksa->pmksa = entry;
204 } else {
205 entry->next = prev->next;
206 prev->next = entry;
207 }
208 entry->hnext = pmksa->pmkid[PMKID_HASH(entry->pmkid)];
209 pmksa->pmkid[PMKID_HASH(entry->pmkid)] = entry;
210
211 pmksa->pmksa_count++;
212 wpa_printf(MSG_DEBUG, "RSN: added PMKSA cache entry for " MACSTR,
213 MAC2STR(entry->spa));
214 wpa_hexdump(MSG_DEBUG, "RSN: added PMKID", entry->pmkid, PMKID_LEN);
215 }
216
217
218 /**
219 * pmksa_cache_auth_add - Add a PMKSA cache entry
220 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
221 * @pmk: The new pairwise master key
222 * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
223 * @aa: Authenticator address
224 * @spa: Supplicant address
225 * @session_timeout: Session timeout
226 * @eapol: Pointer to EAPOL state machine data
227 * @akmp: WPA_KEY_MGMT_* used in key derivation
228 * Returns: Pointer to the added PMKSA cache entry or %NULL on error
229 *
230 * This function create a PMKSA entry for a new PMK and adds it to the PMKSA
231 * cache. If an old entry is already in the cache for the same Supplicant,
232 * this entry will be replaced with the new entry. PMKID will be calculated
233 * based on the PMK.
234 */
235 struct rsn_pmksa_cache_entry *
236 pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
237 const u8 *pmk, size_t pmk_len,
238 const u8 *aa, const u8 *spa, int session_timeout,
239 struct eapol_state_machine *eapol, int akmp)
240 {
241 struct rsn_pmksa_cache_entry *entry, *pos;
242 struct os_time now;
243
244 if (pmk_len > PMK_LEN)
245 return NULL;
246
247 entry = os_zalloc(sizeof(*entry));
248 if (entry == NULL)
249 return NULL;
250 os_memcpy(entry->pmk, pmk, pmk_len);
251 entry->pmk_len = pmk_len;
252 rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid,
253 wpa_key_mgmt_sha256(akmp));
254 os_get_time(&now);
255 entry->expiration = now.sec;
256 if (session_timeout > 0)
257 entry->expiration += session_timeout;
258 else
259 entry->expiration += dot11RSNAConfigPMKLifetime;
260 entry->akmp = akmp;
261 os_memcpy(entry->spa, spa, ETH_ALEN);
262 pmksa_cache_from_eapol_data(entry, eapol);
263
264 /* Replace an old entry for the same STA (if found) with the new entry
265 */
266 pos = pmksa_cache_auth_get(pmksa, spa, NULL);
267 if (pos)
268 pmksa_cache_free_entry(pmksa, pos);
269
270 if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) {
271 /* Remove the oldest entry to make room for the new entry */
272 wpa_printf(MSG_DEBUG, "RSN: removed the oldest PMKSA cache "
273 "entry (for " MACSTR ") to make room for new one",
274 MAC2STR(pmksa->pmksa->spa));
275 pmksa_cache_free_entry(pmksa, pmksa->pmksa);
276 }
277
278 pmksa_cache_link_entry(pmksa, entry);
279
280 return entry;
281 }
282
283
284 struct rsn_pmksa_cache_entry *
285 pmksa_cache_add_okc(struct rsn_pmksa_cache *pmksa,
286 const struct rsn_pmksa_cache_entry *old_entry,
287 const u8 *aa, const u8 *pmkid)
288 {
289 struct rsn_pmksa_cache_entry *entry;
290
291 entry = os_zalloc(sizeof(*entry));
292 if (entry == NULL)
293 return NULL;
294 os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
295 os_memcpy(entry->pmk, old_entry->pmk, old_entry->pmk_len);
296 entry->pmk_len = old_entry->pmk_len;
297 entry->expiration = old_entry->expiration;
298 entry->akmp = old_entry->akmp;
299 os_memcpy(entry->spa, old_entry->spa, ETH_ALEN);
300 entry->opportunistic = 1;
301 if (old_entry->identity) {
302 entry->identity = os_malloc(old_entry->identity_len);
303 if (entry->identity) {
304 entry->identity_len = old_entry->identity_len;
305 os_memcpy(entry->identity, old_entry->identity,
306 old_entry->identity_len);
307 }
308 }
309 if (old_entry->cui)
310 entry->cui = wpabuf_dup(old_entry->cui);
311 #ifndef CONFIG_NO_RADIUS
312 radius_copy_class(&entry->radius_class, &old_entry->radius_class);
313 #endif /* CONFIG_NO_RADIUS */
314 entry->eap_type_authsrv = old_entry->eap_type_authsrv;
315 entry->vlan_id = old_entry->vlan_id;
316 entry->opportunistic = 1;
317
318 pmksa_cache_link_entry(pmksa, entry);
319
320 return entry;
321 }
322
323
324 /**
325 * pmksa_cache_auth_deinit - Free all entries in PMKSA cache
326 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
327 */
328 void pmksa_cache_auth_deinit(struct rsn_pmksa_cache *pmksa)
329 {
330 struct rsn_pmksa_cache_entry *entry, *prev;
331 int i;
332
333 if (pmksa == NULL)
334 return;
335
336 entry = pmksa->pmksa;
337 while (entry) {
338 prev = entry;
339 entry = entry->next;
340 _pmksa_cache_free_entry(prev);
341 }
342 eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
343 for (i = 0; i < PMKID_HASH_SIZE; i++)
344 pmksa->pmkid[i] = NULL;
345 os_free(pmksa);
346 }
347
348
349 /**
350 * pmksa_cache_auth_get - Fetch a PMKSA cache entry
351 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
352 * @spa: Supplicant address or %NULL to match any
353 * @pmkid: PMKID or %NULL to match any
354 * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
355 */
356 struct rsn_pmksa_cache_entry *
357 pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
358 const u8 *spa, const u8 *pmkid)
359 {
360 struct rsn_pmksa_cache_entry *entry;
361
362 if (pmkid)
363 entry = pmksa->pmkid[PMKID_HASH(pmkid)];
364 else
365 entry = pmksa->pmksa;
366 while (entry) {
367 if ((spa == NULL ||
368 os_memcmp(entry->spa, spa, ETH_ALEN) == 0) &&
369 (pmkid == NULL ||
370 os_memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0))
371 return entry;
372 entry = pmkid ? entry->hnext : entry->next;
373 }
374 return NULL;
375 }
376
377
378 /**
379 * pmksa_cache_get_okc - Fetch a PMKSA cache entry using OKC
380 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
381 * @aa: Authenticator address
382 * @spa: Supplicant address
383 * @pmkid: PMKID
384 * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
385 *
386 * Use opportunistic key caching (OKC) to find a PMK for a supplicant.
387 */
388 struct rsn_pmksa_cache_entry * pmksa_cache_get_okc(
389 struct rsn_pmksa_cache *pmksa, const u8 *aa, const u8 *spa,
390 const u8 *pmkid)
391 {
392 struct rsn_pmksa_cache_entry *entry;
393 u8 new_pmkid[PMKID_LEN];
394
395 entry = pmksa->pmksa;
396 while (entry) {
397 if (os_memcmp(entry->spa, spa, ETH_ALEN) != 0)
398 continue;
399 rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa, new_pmkid,
400 wpa_key_mgmt_sha256(entry->akmp));
401 if (os_memcmp(new_pmkid, pmkid, PMKID_LEN) == 0)
402 return entry;
403 entry = entry->next;
404 }
405 return NULL;
406 }
407
408
409 /**
410 * pmksa_cache_auth_init - Initialize PMKSA cache
411 * @free_cb: Callback function to be called when a PMKSA cache entry is freed
412 * @ctx: Context pointer for free_cb function
413 * Returns: Pointer to PMKSA cache data or %NULL on failure
414 */
415 struct rsn_pmksa_cache *
416 pmksa_cache_auth_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
417 void *ctx), void *ctx)
418 {
419 struct rsn_pmksa_cache *pmksa;
420
421 pmksa = os_zalloc(sizeof(*pmksa));
422 if (pmksa) {
423 pmksa->free_cb = free_cb;
424 pmksa->ctx = ctx;
425 }
426
427 return pmksa;
428 }
Unnamed repository; edit this file 'description' to name the repository.