hostapd/pmksa_cache.c

   1 /*
   2  * hostapd - PMKSA cache for IEEE 802.11i RSN
   3  * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "sta_info.h"
  19 #include "config.h"
  20 #include "common.h"
  21 #include "eloop.h"
  22 #include "eapol_auth/eapol_auth_sm.h"
  23 #include "pmksa_cache.h"
  24
  25
  26 static const int pmksa_cache_max_entries = 1024;
  27 static const int dot11RSNAConfigPMKLifetime = 43200;
  28
  29 struct rsn_pmksa_cache {
  30 #define PMKID_HASH_SIZE 128
  31 #define PMKID_HASH(pmkid) (unsigned int) ((pmkid)[0] & 0x7f)
  32         struct rsn_pmksa_cache_entry *pmkid[PMKID_HASH_SIZE];
  33         struct rsn_pmksa_cache_entry *pmksa;
  34         int pmksa_count;
  35
  36         void (*free_cb)(struct rsn_pmksa_cache_entry *entry, void *ctx);
  37         void *ctx;
  38 };
  39
  40
  41 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa);
  42
  43
  44 static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry *entry)
  45 {
  46         if (entry == NULL)
  47                 return;
  48         os_free(entry->identity);
  49         radius_free_class(&entry->radius_class);
  50         os_free(entry);
  51 }
  52
  53
  54 static void pmksa_cache_free_entry(struct rsn_pmksa_cache *pmksa,
  55                                    struct rsn_pmksa_cache_entry *entry)
  56 {
  57         struct rsn_pmksa_cache_entry *pos, *prev;
  58
  59         pmksa->pmksa_count--;
  60         pmksa->free_cb(entry, pmksa->ctx);
  61         pos = pmksa->pmkid[PMKID_HASH(entry->pmkid)];
  62         prev = NULL;
  63         while (pos) {
  64                 if (pos == entry) {
  65                         if (prev != NULL) {
  66                                 prev->hnext = pos->hnext;
  67                         } else {
  68                                 pmksa->pmkid[PMKID_HASH(entry->pmkid)] =
  69                                         pos->hnext;
  70                         }
  71                         break;
  72                 }
  73                 prev = pos;
  74                 pos = pos->hnext;
  75         }
  76
  77         pos = pmksa->pmksa;
  78         prev = NULL;
  79         while (pos) {
  80                 if (pos == entry) {
  81                         if (prev != NULL)
  82                                 prev->next = pos->next;
  83                         else
  84                                 pmksa->pmksa = pos->next;
  85                         break;
  86                 }
  87                 prev = pos;
  88                 pos = pos->next;
  89         }
  90         _pmksa_cache_free_entry(entry);
  91 }
  92
  93
  94 static void pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
  95 {
  96         struct rsn_pmksa_cache *pmksa = eloop_ctx;
  97         struct os_time now;
  98
  99         os_get_time(&now);
 100         while (pmksa->pmksa && pmksa->pmksa->expiration <= now.sec) {
 101                 struct rsn_pmksa_cache_entry *entry = pmksa->pmksa;
 102                 pmksa->pmksa = entry->next;
 103                 wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
 104                            MACSTR, MAC2STR(entry->spa));
 105                 pmksa_cache_free_entry(pmksa, entry);
 106         }
 107
 108         pmksa_cache_set_expiration(pmksa);
 109 }
 110
 111
 112 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa)
 113 {
 114         int sec;
 115         struct os_time now;
 116
 117         eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
 118         if (pmksa->pmksa == NULL)
 119                 return;
 120         os_get_time(&now);
 121         sec = pmksa->pmksa->expiration - now.sec;
 122         if (sec < 0)
 123                 sec = 0;
 124         eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, pmksa, NULL);
 125 }
 126
 127
 128 static void pmksa_cache_from_eapol_data(struct rsn_pmksa_cache_entry *entry,
 129                                         struct eapol_state_machine *eapol)
 130 {
 131         if (eapol == NULL)
 132                 return;
 133
 134         if (eapol->identity) {
 135                 entry->identity = os_malloc(eapol->identity_len);
 136                 if (entry->identity) {
 137                         entry->identity_len = eapol->identity_len;
 138                         os_memcpy(entry->identity, eapol->identity,
 139                                   eapol->identity_len);
 140                 }
 141         }
 142
 143         radius_copy_class(&entry->radius_class, &eapol->radius_class);
 144
 145         entry->eap_type_authsrv = eapol->eap_type_authsrv;
 146         entry->vlan_id = ((struct sta_info *) eapol->sta)->vlan_id;
 147 }
 148
 149
 150 void pmksa_cache_to_eapol_data(struct rsn_pmksa_cache_entry *entry,
 151                                struct eapol_state_machine *eapol)
 152 {
 153         if (entry == NULL || eapol == NULL)
 154                 return;
 155
 156         if (entry->identity) {
 157                 os_free(eapol->identity);
 158                 eapol->identity = os_malloc(entry->identity_len);
 159                 if (eapol->identity) {
 160                         eapol->identity_len = entry->identity_len;
 161                         os_memcpy(eapol->identity, entry->identity,
 162                                   entry->identity_len);
 163                 }
 164                 wpa_hexdump_ascii(MSG_DEBUG, "STA identity from PMKSA",
 165                                   eapol->identity, eapol->identity_len);
 166         }
 167
 168         radius_free_class(&eapol->radius_class);
 169         radius_copy_class(&eapol->radius_class, &entry->radius_class);
 170         if (eapol->radius_class.attr) {
 171                 wpa_printf(MSG_DEBUG, "Copied %lu Class attribute(s) from "
 172                            "PMKSA", (unsigned long) eapol->radius_class.count);
 173         }
 174
 175         eapol->eap_type_authsrv = entry->eap_type_authsrv;
 176         ((struct sta_info *) eapol->sta)->vlan_id = entry->vlan_id;
 177 }
 178
 179
 180 static void pmksa_cache_link_entry(struct rsn_pmksa_cache *pmksa,
 181                                    struct rsn_pmksa_cache_entry *entry)
 182 {
 183         struct rsn_pmksa_cache_entry *pos, *prev;
 184
 185         /* Add the new entry; order by expiration time */
 186         pos = pmksa->pmksa;
 187         prev = NULL;
 188         while (pos) {
 189                 if (pos->expiration > entry->expiration)
 190                         break;
 191                 prev = pos;
 192                 pos = pos->next;
 193         }
 194         if (prev == NULL) {
 195                 entry->next = pmksa->pmksa;
 196                 pmksa->pmksa = entry;
 197         } else {
 198                 entry->next = prev->next;
 199                 prev->next = entry;
 200         }
 201         entry->hnext = pmksa->pmkid[PMKID_HASH(entry->pmkid)];
 202         pmksa->pmkid[PMKID_HASH(entry->pmkid)] = entry;
 203
 204         pmksa->pmksa_count++;
 205         wpa_printf(MSG_DEBUG, "RSN: added PMKSA cache entry for " MACSTR,
 206                    MAC2STR(entry->spa));
 207         wpa_hexdump(MSG_DEBUG, "RSN: added PMKID", entry->pmkid, PMKID_LEN);
 208 }
 209
 210
 211 /**
 212  * pmksa_cache_auth_add - Add a PMKSA cache entry
 213  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
 214  * @pmk: The new pairwise master key
 215  * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
 216  * @aa: Authenticator address
 217  * @spa: Supplicant address
 218  * @session_timeout: Session timeout
 219  * @eapol: Pointer to EAPOL state machine data
 220  * @akmp: WPA_KEY_MGMT_* used in key derivation
 221  * Returns: Pointer to the added PMKSA cache entry or %NULL on error
 222  *
 223  * This function create a PMKSA entry for a new PMK and adds it to the PMKSA
 224  * cache. If an old entry is already in the cache for the same Supplicant,
 225  * this entry will be replaced with the new entry. PMKID will be calculated
 226  * based on the PMK.
 227  */
 228 struct rsn_pmksa_cache_entry *
 229 pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
 230                      const u8 *pmk, size_t pmk_len,
 231                 const u8 *aa, const u8 *spa, int session_timeout,
 232                 struct eapol_state_machine *eapol, int akmp)
 233 {
 234         struct rsn_pmksa_cache_entry *entry, *pos;
 235         struct os_time now;
 236
 237         if (pmk_len > PMK_LEN)
 238                 return NULL;
 239
 240         entry = os_zalloc(sizeof(*entry));
 241         if (entry == NULL)
 242                 return NULL;
 243         os_memcpy(entry->pmk, pmk, pmk_len);
 244         entry->pmk_len = pmk_len;
 245         rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid,
 246                   wpa_key_mgmt_sha256(akmp));
 247         os_get_time(&now);
 248         entry->expiration = now.sec;
 249         if (session_timeout > 0)
 250                 entry->expiration += session_timeout;
 251         else
 252                 entry->expiration += dot11RSNAConfigPMKLifetime;
 253         entry->akmp = akmp;
 254         os_memcpy(entry->spa, spa, ETH_ALEN);
 255         pmksa_cache_from_eapol_data(entry, eapol);
 256
 257         /* Replace an old entry for the same STA (if found) with the new entry
 258          */
 259         pos = pmksa_cache_auth_get(pmksa, spa, NULL);
 260         if (pos)
 261                 pmksa_cache_free_entry(pmksa, pos);
 262
 263         if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) {
 264                 /* Remove the oldest entry to make room for the new entry */
 265                 wpa_printf(MSG_DEBUG, "RSN: removed the oldest PMKSA cache "
 266                            "entry (for " MACSTR ") to make room for new one",
 267                            MAC2STR(pmksa->pmksa->spa));
 268                 pmksa_cache_free_entry(pmksa, pmksa->pmksa);
 269         }
 270
 271         pmksa_cache_link_entry(pmksa, entry);
 272
 273         return entry;
 274 }
 275
 276
 277 struct rsn_pmksa_cache_entry *
 278 pmksa_cache_add_okc(struct rsn_pmksa_cache *pmksa,
 279                     const struct rsn_pmksa_cache_entry *old_entry,
 280                     const u8 *aa, const u8 *pmkid)
 281 {
 282         struct rsn_pmksa_cache_entry *entry;
 283
 284         entry = os_zalloc(sizeof(*entry));
 285         if (entry == NULL)
 286                 return NULL;
 287         os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
 288         os_memcpy(entry->pmk, old_entry->pmk, old_entry->pmk_len);
 289         entry->pmk_len = old_entry->pmk_len;
 290         entry->expiration = old_entry->expiration;
 291         entry->akmp = old_entry->akmp;
 292         os_memcpy(entry->spa, old_entry->spa, ETH_ALEN);
 293         entry->opportunistic = 1;
 294         if (old_entry->identity) {
 295                 entry->identity = os_malloc(old_entry->identity_len);
 296                 if (entry->identity) {
 297                         entry->identity_len = old_entry->identity_len;
 298                         os_memcpy(entry->identity, old_entry->identity,
 299                                   old_entry->identity_len);
 300                 }
 301         }
 302         radius_copy_class(&entry->radius_class, &old_entry->radius_class);
 303         entry->eap_type_authsrv = old_entry->eap_type_authsrv;
 304         entry->vlan_id = old_entry->vlan_id;
 305         entry->opportunistic = 1;
 306
 307         pmksa_cache_link_entry(pmksa, entry);
 308
 309         return entry;
 310 }
 311
 312
 313 /**
 314  * pmksa_cache_auth_deinit - Free all entries in PMKSA cache
 315  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
 316  */
 317 void pmksa_cache_auth_deinit(struct rsn_pmksa_cache *pmksa)
 318 {
 319         struct rsn_pmksa_cache_entry *entry, *prev;
 320         int i;
 321
 322         if (pmksa == NULL)
 323                 return;
 324
 325         entry = pmksa->pmksa;
 326         while (entry) {
 327                 prev = entry;
 328                 entry = entry->next;
 329                 _pmksa_cache_free_entry(prev);
 330         }
 331         eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
 332         for (i = 0; i < PMKID_HASH_SIZE; i++)
 333                 pmksa->pmkid[i] = NULL;
 334         os_free(pmksa);
 335 }
 336
 337
 338 /**
 339  * pmksa_cache_auth_get - Fetch a PMKSA cache entry
 340  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
 341  * @spa: Supplicant address or %NULL to match any
 342  * @pmkid: PMKID or %NULL to match any
 343  * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
 344  */
 345 struct rsn_pmksa_cache_entry *
 346 pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
 347                      const u8 *spa, const u8 *pmkid)
 348 {
 349         struct rsn_pmksa_cache_entry *entry;
 350
 351         if (pmkid)
 352                 entry = pmksa->pmkid[PMKID_HASH(pmkid)];
 353         else
 354                 entry = pmksa->pmksa;
 355         while (entry) {
 356                 if ((spa == NULL ||
 357                      os_memcmp(entry->spa, spa, ETH_ALEN) == 0) &&
 358                     (pmkid == NULL ||
 359                      os_memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0))
 360                         return entry;
 361                 entry = pmkid ? entry->hnext : entry->next;
 362         }
 363         return NULL;
 364 }
 365
 366
 367 /**
 368  * pmksa_cache_get_okc - Fetch a PMKSA cache entry using OKC
 369  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
 370  * @aa: Authenticator address
 371  * @spa: Supplicant address
 372  * @pmkid: PMKID
 373  * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
 374  *
 375  * Use opportunistic key caching (OKC) to find a PMK for a supplicant.
 376  */
 377 struct rsn_pmksa_cache_entry * pmksa_cache_get_okc(
 378         struct rsn_pmksa_cache *pmksa, const u8 *aa, const u8 *spa,
 379         const u8 *pmkid)
 380 {
 381         struct rsn_pmksa_cache_entry *entry;
 382         u8 new_pmkid[PMKID_LEN];
 383
 384         entry = pmksa->pmksa;
 385         while (entry) {
 386                 if (os_memcmp(entry->spa, spa, ETH_ALEN) != 0)
 387                         continue;
 388                 rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa, new_pmkid,
 389                           wpa_key_mgmt_sha256(entry->akmp));
 390                 if (os_memcmp(new_pmkid, pmkid, PMKID_LEN) == 0)
 391                         return entry;
 392                 entry = entry->next;
 393         }
 394         return NULL;
 395 }
 396
 397
 398 /**
 399  * pmksa_cache_auth_init - Initialize PMKSA cache
 400  * @free_cb: Callback function to be called when a PMKSA cache entry is freed
 401  * @ctx: Context pointer for free_cb function
 402  * Returns: Pointer to PMKSA cache data or %NULL on failure
 403  */
 404 struct rsn_pmksa_cache *
 405 pmksa_cache_auth_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
 406                                       void *ctx), void *ctx)
 407 {
 408         struct rsn_pmksa_cache *pmksa;
 409
 410         pmksa = os_zalloc(sizeof(*pmksa));
 411         if (pmksa) {
 412                 pmksa->free_cb = free_cb;
 413                 pmksa->ctx = ctx;
 414         }
 415
 416         return pmksa;
 417 }