2 * hostapd - PMKSA cache for IEEE 802.11i RSN
3 * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
22 #include "eapol_auth/eapol_auth_sm.h"
23 #include "eapol_auth/eapol_auth_sm_i.h"
24 #include "pmksa_cache.h"
27 static const int pmksa_cache_max_entries = 1024;
28 static const int dot11RSNAConfigPMKLifetime = 43200;
30 struct rsn_pmksa_cache {
31 #define PMKID_HASH_SIZE 128
32 #define PMKID_HASH(pmkid) (unsigned int) ((pmkid)[0] & 0x7f)
33 struct rsn_pmksa_cache_entry *pmkid[PMKID_HASH_SIZE];
34 struct rsn_pmksa_cache_entry *pmksa;
37 void (*free_cb)(struct rsn_pmksa_cache_entry *entry, void *ctx);
42 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa);
45 static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry *entry)
49 os_free(entry->identity);
50 #ifndef CONFIG_NO_RADIUS
51 radius_free_class(&entry->radius_class);
52 #endif /* CONFIG_NO_RADIUS */
57 static void pmksa_cache_free_entry(struct rsn_pmksa_cache *pmksa,
58 struct rsn_pmksa_cache_entry *entry)
60 struct rsn_pmksa_cache_entry *pos, *prev;
63 pmksa->free_cb(entry, pmksa->ctx);
64 pos = pmksa->pmkid[PMKID_HASH(entry->pmkid)];
69 prev->hnext = pos->hnext;
71 pmksa->pmkid[PMKID_HASH(entry->pmkid)] =
85 prev->next = pos->next;
87 pmksa->pmksa = pos->next;
93 _pmksa_cache_free_entry(entry);
97 static void pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
99 struct rsn_pmksa_cache *pmksa = eloop_ctx;
103 while (pmksa->pmksa && pmksa->pmksa->expiration <= now.sec) {
104 struct rsn_pmksa_cache_entry *entry = pmksa->pmksa;
105 pmksa->pmksa = entry->next;
106 wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
107 MACSTR, MAC2STR(entry->spa));
108 pmksa_cache_free_entry(pmksa, entry);
111 pmksa_cache_set_expiration(pmksa);
115 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa)
120 eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
121 if (pmksa->pmksa == NULL)
124 sec = pmksa->pmksa->expiration - now.sec;
127 eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, pmksa, NULL);
131 static void pmksa_cache_from_eapol_data(struct rsn_pmksa_cache_entry *entry,
132 struct eapol_state_machine *eapol)
137 if (eapol->identity) {
138 entry->identity = os_malloc(eapol->identity_len);
139 if (entry->identity) {
140 entry->identity_len = eapol->identity_len;
141 os_memcpy(entry->identity, eapol->identity,
142 eapol->identity_len);
146 #ifndef CONFIG_NO_RADIUS
147 radius_copy_class(&entry->radius_class, &eapol->radius_class);
148 #endif /* CONFIG_NO_RADIUS */
150 entry->eap_type_authsrv = eapol->eap_type_authsrv;
151 entry->vlan_id = ((struct sta_info *) eapol->sta)->vlan_id;
155 void pmksa_cache_to_eapol_data(struct rsn_pmksa_cache_entry *entry,
156 struct eapol_state_machine *eapol)
158 if (entry == NULL || eapol == NULL)
161 if (entry->identity) {
162 os_free(eapol->identity);
163 eapol->identity = os_malloc(entry->identity_len);
164 if (eapol->identity) {
165 eapol->identity_len = entry->identity_len;
166 os_memcpy(eapol->identity, entry->identity,
167 entry->identity_len);
169 wpa_hexdump_ascii(MSG_DEBUG, "STA identity from PMKSA",
170 eapol->identity, eapol->identity_len);
173 #ifndef CONFIG_NO_RADIUS
174 radius_free_class(&eapol->radius_class);
175 radius_copy_class(&eapol->radius_class, &entry->radius_class);
176 #endif /* CONFIG_NO_RADIUS */
177 if (eapol->radius_class.attr) {
178 wpa_printf(MSG_DEBUG, "Copied %lu Class attribute(s) from "
179 "PMKSA", (unsigned long) eapol->radius_class.count);
182 eapol->eap_type_authsrv = entry->eap_type_authsrv;
183 ((struct sta_info *) eapol->sta)->vlan_id = entry->vlan_id;
187 static void pmksa_cache_link_entry(struct rsn_pmksa_cache *pmksa,
188 struct rsn_pmksa_cache_entry *entry)
190 struct rsn_pmksa_cache_entry *pos, *prev;
192 /* Add the new entry; order by expiration time */
196 if (pos->expiration > entry->expiration)
202 entry->next = pmksa->pmksa;
203 pmksa->pmksa = entry;
205 entry->next = prev->next;
208 entry->hnext = pmksa->pmkid[PMKID_HASH(entry->pmkid)];
209 pmksa->pmkid[PMKID_HASH(entry->pmkid)] = entry;
211 pmksa->pmksa_count++;
212 wpa_printf(MSG_DEBUG, "RSN: added PMKSA cache entry for " MACSTR,
213 MAC2STR(entry->spa));
214 wpa_hexdump(MSG_DEBUG, "RSN: added PMKID", entry->pmkid, PMKID_LEN);
219 * pmksa_cache_auth_add - Add a PMKSA cache entry
220 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
221 * @pmk: The new pairwise master key
222 * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
223 * @aa: Authenticator address
224 * @spa: Supplicant address
225 * @session_timeout: Session timeout
226 * @eapol: Pointer to EAPOL state machine data
227 * @akmp: WPA_KEY_MGMT_* used in key derivation
228 * Returns: Pointer to the added PMKSA cache entry or %NULL on error
230 * This function create a PMKSA entry for a new PMK and adds it to the PMKSA
231 * cache. If an old entry is already in the cache for the same Supplicant,
232 * this entry will be replaced with the new entry. PMKID will be calculated
235 struct rsn_pmksa_cache_entry *
236 pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
237 const u8 *pmk, size_t pmk_len,
238 const u8 *aa, const u8 *spa, int session_timeout,
239 struct eapol_state_machine *eapol, int akmp)
241 struct rsn_pmksa_cache_entry *entry, *pos;
244 if (pmk_len > PMK_LEN)
247 entry = os_zalloc(sizeof(*entry));
250 os_memcpy(entry->pmk, pmk, pmk_len);
251 entry->pmk_len = pmk_len;
252 rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid,
253 wpa_key_mgmt_sha256(akmp));
255 entry->expiration = now.sec;
256 if (session_timeout > 0)
257 entry->expiration += session_timeout;
259 entry->expiration += dot11RSNAConfigPMKLifetime;
261 os_memcpy(entry->spa, spa, ETH_ALEN);
262 pmksa_cache_from_eapol_data(entry, eapol);
264 /* Replace an old entry for the same STA (if found) with the new entry
266 pos = pmksa_cache_auth_get(pmksa, spa, NULL);
268 pmksa_cache_free_entry(pmksa, pos);
270 if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) {
271 /* Remove the oldest entry to make room for the new entry */
272 wpa_printf(MSG_DEBUG, "RSN: removed the oldest PMKSA cache "
273 "entry (for " MACSTR ") to make room for new one",
274 MAC2STR(pmksa->pmksa->spa));
275 pmksa_cache_free_entry(pmksa, pmksa->pmksa);
278 pmksa_cache_link_entry(pmksa, entry);
284 struct rsn_pmksa_cache_entry *
285 pmksa_cache_add_okc(struct rsn_pmksa_cache *pmksa,
286 const struct rsn_pmksa_cache_entry *old_entry,
287 const u8 *aa, const u8 *pmkid)
289 struct rsn_pmksa_cache_entry *entry;
291 entry = os_zalloc(sizeof(*entry));
294 os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
295 os_memcpy(entry->pmk, old_entry->pmk, old_entry->pmk_len);
296 entry->pmk_len = old_entry->pmk_len;
297 entry->expiration = old_entry->expiration;
298 entry->akmp = old_entry->akmp;
299 os_memcpy(entry->spa, old_entry->spa, ETH_ALEN);
300 entry->opportunistic = 1;
301 if (old_entry->identity) {
302 entry->identity = os_malloc(old_entry->identity_len);
303 if (entry->identity) {
304 entry->identity_len = old_entry->identity_len;
305 os_memcpy(entry->identity, old_entry->identity,
306 old_entry->identity_len);
309 #ifndef CONFIG_NO_RADIUS
310 radius_copy_class(&entry->radius_class, &old_entry->radius_class);
311 #endif /* CONFIG_NO_RADIUS */
312 entry->eap_type_authsrv = old_entry->eap_type_authsrv;
313 entry->vlan_id = old_entry->vlan_id;
314 entry->opportunistic = 1;
316 pmksa_cache_link_entry(pmksa, entry);
323 * pmksa_cache_auth_deinit - Free all entries in PMKSA cache
324 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
326 void pmksa_cache_auth_deinit(struct rsn_pmksa_cache *pmksa)
328 struct rsn_pmksa_cache_entry *entry, *prev;
334 entry = pmksa->pmksa;
338 _pmksa_cache_free_entry(prev);
340 eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
341 for (i = 0; i < PMKID_HASH_SIZE; i++)
342 pmksa->pmkid[i] = NULL;
348 * pmksa_cache_auth_get - Fetch a PMKSA cache entry
349 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
350 * @spa: Supplicant address or %NULL to match any
351 * @pmkid: PMKID or %NULL to match any
352 * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
354 struct rsn_pmksa_cache_entry *
355 pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
356 const u8 *spa, const u8 *pmkid)
358 struct rsn_pmksa_cache_entry *entry;
361 entry = pmksa->pmkid[PMKID_HASH(pmkid)];
363 entry = pmksa->pmksa;
366 os_memcmp(entry->spa, spa, ETH_ALEN) == 0) &&
368 os_memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0))
370 entry = pmkid ? entry->hnext : entry->next;
377 * pmksa_cache_get_okc - Fetch a PMKSA cache entry using OKC
378 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
379 * @aa: Authenticator address
380 * @spa: Supplicant address
382 * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
384 * Use opportunistic key caching (OKC) to find a PMK for a supplicant.
386 struct rsn_pmksa_cache_entry * pmksa_cache_get_okc(
387 struct rsn_pmksa_cache *pmksa, const u8 *aa, const u8 *spa,
390 struct rsn_pmksa_cache_entry *entry;
391 u8 new_pmkid[PMKID_LEN];
393 entry = pmksa->pmksa;
395 if (os_memcmp(entry->spa, spa, ETH_ALEN) != 0)
397 rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa, new_pmkid,
398 wpa_key_mgmt_sha256(entry->akmp));
399 if (os_memcmp(new_pmkid, pmkid, PMKID_LEN) == 0)
408 * pmksa_cache_auth_init - Initialize PMKSA cache
409 * @free_cb: Callback function to be called when a PMKSA cache entry is freed
410 * @ctx: Context pointer for free_cb function
411 * Returns: Pointer to PMKSA cache data or %NULL on failure
413 struct rsn_pmksa_cache *
414 pmksa_cache_auth_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
415 void *ctx), void *ctx)
417 struct rsn_pmksa_cache *pmksa;
419 pmksa = os_zalloc(sizeof(*pmksa));
421 pmksa->free_cb = free_cb;