projects / mech_eap.git / blob
? search:


1021be016e51ba1d569d9e38dfd5d31d22e56bdd
[mech_eap.git] / src / ap / pmksa_cache_auth.c
1 /*
2  * hostapd - PMKSA cache for IEEE 802.11i RSN
3  * Copyright (c) 2004-2008, 2012-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "eapol_auth/eapol_auth_sm.h"
14 #include "eapol_auth/eapol_auth_sm_i.h"
15 #include "radius/radius_das.h"
16 #include "sta_info.h"
17 #include "ap_config.h"
18 #include "pmksa_cache_auth.h"
19
20
21 static const int pmksa_cache_max_entries = 1024;
22 static const int dot11RSNAConfigPMKLifetime = 43200;
23
24 struct rsn_pmksa_cache {
25 #define PMKID_HASH_SIZE 128
26 #define PMKID_HASH(pmkid) (unsigned int) ((pmkid)[0] & 0x7f)
27         struct rsn_pmksa_cache_entry *pmkid[PMKID_HASH_SIZE];
28         struct rsn_pmksa_cache_entry *pmksa;
29         int pmksa_count;
30
31         void (*free_cb)(struct rsn_pmksa_cache_entry *entry, void *ctx);
32         void *ctx;
33 };
34
35
36 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa);
37
38
39 static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry *entry)
40 {
41         os_free(entry->vlan_desc);
42         os_free(entry->identity);
43         wpabuf_free(entry->cui);
44 #ifndef CONFIG_NO_RADIUS
45         radius_free_class(&entry->radius_class);
46 #endif /* CONFIG_NO_RADIUS */
47         bin_clear_free(entry, sizeof(*entry));
48 }
49
50
51 void pmksa_cache_free_entry(struct rsn_pmksa_cache *pmksa,
52                             struct rsn_pmksa_cache_entry *entry)
53 {
54         struct rsn_pmksa_cache_entry *pos, *prev;
55         unsigned int hash;
56
57         pmksa->pmksa_count--;
58         pmksa->free_cb(entry, pmksa->ctx);
59
60         /* unlink from hash list */
61         hash = PMKID_HASH(entry->pmkid);
62         pos = pmksa->pmkid[hash];
63         prev = NULL;
64         while (pos) {
65                 if (pos == entry) {
66                         if (prev != NULL)
67                                 prev->hnext = entry->hnext;
68                         else
69                                 pmksa->pmkid[hash] = entry->hnext;
70                         break;
71                 }
72                 prev = pos;
73                 pos = pos->hnext;
74         }
75
76         /* unlink from entry list */
77         pos = pmksa->pmksa;
78         prev = NULL;
79         while (pos) {
80                 if (pos == entry) {
81                         if (prev != NULL)
82                                 prev->next = entry->next;
83                         else
84                                 pmksa->pmksa = entry->next;
85                         break;
86                 }
87                 prev = pos;
88                 pos = pos->next;
89         }
90
91         _pmksa_cache_free_entry(entry);
92 }
93
94
95 static void pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
96 {
97         struct rsn_pmksa_cache *pmksa = eloop_ctx;
98         struct os_reltime now;
99
100         os_get_reltime(&now);
101         while (pmksa->pmksa && pmksa->pmksa->expiration <= now.sec) {
102                 wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
103                            MACSTR, MAC2STR(pmksa->pmksa->spa));
104                 pmksa_cache_free_entry(pmksa, pmksa->pmksa);
105         }
106
107         pmksa_cache_set_expiration(pmksa);
108 }
109
110
111 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa)
112 {
113         int sec;
114         struct os_reltime now;
115
116         eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
117         if (pmksa->pmksa == NULL)
118                 return;
119         os_get_reltime(&now);
120         sec = pmksa->pmksa->expiration - now.sec;
121         if (sec < 0)
122                 sec = 0;
123         eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, pmksa, NULL);
124 }
125
126
127 static void pmksa_cache_from_eapol_data(struct rsn_pmksa_cache_entry *entry,
128                                         struct eapol_state_machine *eapol)
129 {
130         struct vlan_description *vlan_desc;
131
132         if (eapol == NULL)
133                 return;
134
135         if (eapol->identity) {
136                 entry->identity = os_malloc(eapol->identity_len);
137                 if (entry->identity) {
138                         entry->identity_len = eapol->identity_len;
139                         os_memcpy(entry->identity, eapol->identity,
140                                   eapol->identity_len);
141                 }
142         }
143
144         if (eapol->radius_cui)
145                 entry->cui = wpabuf_dup(eapol->radius_cui);
146
147 #ifndef CONFIG_NO_RADIUS
148         radius_copy_class(&entry->radius_class, &eapol->radius_class);
149 #endif /* CONFIG_NO_RADIUS */
150
151         entry->eap_type_authsrv = eapol->eap_type_authsrv;
152
153         vlan_desc = ((struct sta_info *) eapol->sta)->vlan_desc;
154         if (vlan_desc && vlan_desc->notempty) {
155                 entry->vlan_desc = os_zalloc(sizeof(struct vlan_description));
156                 if (entry->vlan_desc)
157                         *entry->vlan_desc = *vlan_desc;
158         } else {
159                 entry->vlan_desc = NULL;
160         }
161
162         entry->acct_multi_session_id = eapol->acct_multi_session_id;
163 }
164
165
166 void pmksa_cache_to_eapol_data(struct hostapd_data *hapd,
167                                struct rsn_pmksa_cache_entry *entry,
168                                struct eapol_state_machine *eapol)
169 {
170         struct sta_info *sta;
171
172         if (entry == NULL || eapol == NULL)
173                 return;
174
175         if (entry->identity) {
176                 os_free(eapol->identity);
177                 eapol->identity = os_malloc(entry->identity_len);
178                 if (eapol->identity) {
179                         eapol->identity_len = entry->identity_len;
180                         os_memcpy(eapol->identity, entry->identity,
181                                   entry->identity_len);
182                 }
183                 wpa_hexdump_ascii(MSG_DEBUG, "STA identity from PMKSA",
184                                   eapol->identity, eapol->identity_len);
185         }
186
187         if (entry->cui) {
188                 wpabuf_free(eapol->radius_cui);
189                 eapol->radius_cui = wpabuf_dup(entry->cui);
190         }
191
192 #ifndef CONFIG_NO_RADIUS
193         radius_free_class(&eapol->radius_class);
194         radius_copy_class(&eapol->radius_class, &entry->radius_class);
195 #endif /* CONFIG_NO_RADIUS */
196         if (eapol->radius_class.attr) {
197                 wpa_printf(MSG_DEBUG, "Copied %lu Class attribute(s) from "
198                            "PMKSA", (unsigned long) eapol->radius_class.count);
199         }
200
201         eapol->eap_type_authsrv = entry->eap_type_authsrv;
202         sta = (struct sta_info *) eapol->sta;
203         ap_sta_set_vlan(hapd, sta, entry->vlan_desc);
204
205         eapol->acct_multi_session_id = entry->acct_multi_session_id;
206 }
207
208
209 static void pmksa_cache_link_entry(struct rsn_pmksa_cache *pmksa,
210                                    struct rsn_pmksa_cache_entry *entry)
211 {
212         struct rsn_pmksa_cache_entry *pos, *prev;
213         int hash;
214
215         /* Add the new entry; order by expiration time */
216         pos = pmksa->pmksa;
217         prev = NULL;
218         while (pos) {
219                 if (pos->expiration > entry->expiration)
220                         break;
221                 prev = pos;
222                 pos = pos->next;
223         }
224         if (prev == NULL) {
225                 entry->next = pmksa->pmksa;
226                 pmksa->pmksa = entry;
227         } else {
228                 entry->next = prev->next;
229                 prev->next = entry;
230         }
231
232         hash = PMKID_HASH(entry->pmkid);
233         entry->hnext = pmksa->pmkid[hash];
234         pmksa->pmkid[hash] = entry;
235
236         pmksa->pmksa_count++;
237         if (prev == NULL)
238                 pmksa_cache_set_expiration(pmksa);
239         wpa_printf(MSG_DEBUG, "RSN: added PMKSA cache entry for " MACSTR,
240                    MAC2STR(entry->spa));
241         wpa_hexdump(MSG_DEBUG, "RSN: added PMKID", entry->pmkid, PMKID_LEN);
242 }
243
244
245 /**
246  * pmksa_cache_auth_add - Add a PMKSA cache entry
247  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
248  * @pmk: The new pairwise master key
249  * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
250  * @kck: Key confirmation key or %NULL if not yet derived
251  * @kck_len: KCK length in bytes
252  * @aa: Authenticator address
253  * @spa: Supplicant address
254  * @session_timeout: Session timeout
255  * @eapol: Pointer to EAPOL state machine data
256  * @akmp: WPA_KEY_MGMT_* used in key derivation
257  * Returns: Pointer to the added PMKSA cache entry or %NULL on error
258  *
259  * This function create a PMKSA entry for a new PMK and adds it to the PMKSA
260  * cache. If an old entry is already in the cache for the same Supplicant,
261  * this entry will be replaced with the new entry. PMKID will be calculated
262  * based on the PMK.
263  */
264 struct rsn_pmksa_cache_entry *
265 pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
266                      const u8 *pmk, size_t pmk_len,
267                      const u8 *kck, size_t kck_len,
268                      const u8 *aa, const u8 *spa, int session_timeout,
269                      struct eapol_state_machine *eapol, int akmp)
270 {
271         struct rsn_pmksa_cache_entry *entry, *pos;
272         struct os_reltime now;
273
274         if (pmk_len > PMK_LEN_MAX)
275                 return NULL;
276
277         if (wpa_key_mgmt_suite_b(akmp) && !kck)
278                 return NULL;
279
280         entry = os_zalloc(sizeof(*entry));
281         if (entry == NULL)
282                 return NULL;
283         os_memcpy(entry->pmk, pmk, pmk_len);
284         entry->pmk_len = pmk_len;
285         if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
286                 rsn_pmkid_suite_b_192(kck, kck_len, aa, spa, entry->pmkid);
287         else if (wpa_key_mgmt_suite_b(akmp))
288                 rsn_pmkid_suite_b(kck, kck_len, aa, spa, entry->pmkid);
289         else
290                 rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid,
291                           wpa_key_mgmt_sha256(akmp));
292         os_get_reltime(&now);
293         entry->expiration = now.sec;
294         if (session_timeout > 0)
295                 entry->expiration += session_timeout;
296         else
297                 entry->expiration += dot11RSNAConfigPMKLifetime;
298         entry->akmp = akmp;
299         os_memcpy(entry->spa, spa, ETH_ALEN);
300         pmksa_cache_from_eapol_data(entry, eapol);
301
302         /* Replace an old entry for the same STA (if found) with the new entry
303          */
304         pos = pmksa_cache_auth_get(pmksa, spa, NULL);
305         if (pos)
306                 pmksa_cache_free_entry(pmksa, pos);
307
308         if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) {
309                 /* Remove the oldest entry to make room for the new entry */
310                 wpa_printf(MSG_DEBUG, "RSN: removed the oldest PMKSA cache "
311                            "entry (for " MACSTR ") to make room for new one",
312                            MAC2STR(pmksa->pmksa->spa));
313                 pmksa_cache_free_entry(pmksa, pmksa->pmksa);
314         }
315
316         pmksa_cache_link_entry(pmksa, entry);
317
318         return entry;
319 }
320
321
322 struct rsn_pmksa_cache_entry *
323 pmksa_cache_add_okc(struct rsn_pmksa_cache *pmksa,
324                     const struct rsn_pmksa_cache_entry *old_entry,
325                     const u8 *aa, const u8 *pmkid)
326 {
327         struct rsn_pmksa_cache_entry *entry;
328
329         entry = os_zalloc(sizeof(*entry));
330         if (entry == NULL)
331                 return NULL;
332         os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
333         os_memcpy(entry->pmk, old_entry->pmk, old_entry->pmk_len);
334         entry->pmk_len = old_entry->pmk_len;
335         entry->expiration = old_entry->expiration;
336         entry->akmp = old_entry->akmp;
337         os_memcpy(entry->spa, old_entry->spa, ETH_ALEN);
338         entry->opportunistic = 1;
339         if (old_entry->identity) {
340                 entry->identity = os_malloc(old_entry->identity_len);
341                 if (entry->identity) {
342                         entry->identity_len = old_entry->identity_len;
343                         os_memcpy(entry->identity, old_entry->identity,
344                                   old_entry->identity_len);
345                 }
346         }
347         if (old_entry->cui)
348                 entry->cui = wpabuf_dup(old_entry->cui);
349 #ifndef CONFIG_NO_RADIUS
350         radius_copy_class(&entry->radius_class, &old_entry->radius_class);
351 #endif /* CONFIG_NO_RADIUS */
352         entry->eap_type_authsrv = old_entry->eap_type_authsrv;
353         if (old_entry->vlan_desc) {
354                 entry->vlan_desc = os_zalloc(sizeof(struct vlan_description));
355                 if (entry->vlan_desc)
356                         *entry->vlan_desc = *old_entry->vlan_desc;
357         } else {
358                 entry->vlan_desc = NULL;
359         }
360         entry->opportunistic = 1;
361
362         pmksa_cache_link_entry(pmksa, entry);
363
364         return entry;
365 }
366
367
368 /**
369  * pmksa_cache_auth_deinit - Free all entries in PMKSA cache
370  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
371  */
372 void pmksa_cache_auth_deinit(struct rsn_pmksa_cache *pmksa)
373 {
374         struct rsn_pmksa_cache_entry *entry, *prev;
375         int i;
376
377         if (pmksa == NULL)
378                 return;
379
380         entry = pmksa->pmksa;
381         while (entry) {
382                 prev = entry;
383                 entry = entry->next;
384                 _pmksa_cache_free_entry(prev);
385         }
386         eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
387         pmksa->pmksa_count = 0;
388         pmksa->pmksa = NULL;
389         for (i = 0; i < PMKID_HASH_SIZE; i++)
390                 pmksa->pmkid[i] = NULL;
391         os_free(pmksa);
392 }
393
394
395 /**
396  * pmksa_cache_auth_get - Fetch a PMKSA cache entry
397  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
398  * @spa: Supplicant address or %NULL to match any
399  * @pmkid: PMKID or %NULL to match any
400  * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
401  */
402 struct rsn_pmksa_cache_entry *
403 pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
404                      const u8 *spa, const u8 *pmkid)
405 {
406         struct rsn_pmksa_cache_entry *entry;
407
408         if (pmkid) {
409                 for (entry = pmksa->pmkid[PMKID_HASH(pmkid)]; entry;
410                      entry = entry->hnext) {
411                         if ((spa == NULL ||
412                              os_memcmp(entry->spa, spa, ETH_ALEN) == 0) &&
413                             os_memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0)
414                                 return entry;
415                 }
416         } else {
417                 for (entry = pmksa->pmksa; entry; entry = entry->next) {
418                         if (spa == NULL ||
419                             os_memcmp(entry->spa, spa, ETH_ALEN) == 0)
420                                 return entry;
421                 }
422         }
423
424         return NULL;
425 }
426
427
428 /**
429  * pmksa_cache_get_okc - Fetch a PMKSA cache entry using OKC
430  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
431  * @aa: Authenticator address
432  * @spa: Supplicant address
433  * @pmkid: PMKID
434  * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
435  *
436  * Use opportunistic key caching (OKC) to find a PMK for a supplicant.
437  */
438 struct rsn_pmksa_cache_entry * pmksa_cache_get_okc(
439         struct rsn_pmksa_cache *pmksa, const u8 *aa, const u8 *spa,
440         const u8 *pmkid)
441 {
442         struct rsn_pmksa_cache_entry *entry;
443         u8 new_pmkid[PMKID_LEN];
444
445         for (entry = pmksa->pmksa; entry; entry = entry->next) {
446                 if (os_memcmp(entry->spa, spa, ETH_ALEN) != 0)
447                         continue;
448                 rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa, new_pmkid,
449                           wpa_key_mgmt_sha256(entry->akmp));
450                 if (os_memcmp(new_pmkid, pmkid, PMKID_LEN) == 0)
451                         return entry;
452         }
453         return NULL;
454 }
455
456
457 /**
458  * pmksa_cache_auth_init - Initialize PMKSA cache
459  * @free_cb: Callback function to be called when a PMKSA cache entry is freed
460  * @ctx: Context pointer for free_cb function
461  * Returns: Pointer to PMKSA cache data or %NULL on failure
462  */
463 struct rsn_pmksa_cache *
464 pmksa_cache_auth_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
465                                       void *ctx), void *ctx)
466 {
467         struct rsn_pmksa_cache *pmksa;
468
469         pmksa = os_zalloc(sizeof(*pmksa));
470         if (pmksa) {
471                 pmksa->free_cb = free_cb;
472                 pmksa->ctx = ctx;
473         }
474
475         return pmksa;
476 }
477
478
479 static int das_attr_match(struct rsn_pmksa_cache_entry *entry,
480                           struct radius_das_attrs *attr)
481 {
482         int match = 0;
483
484         if (attr->sta_addr) {
485                 if (os_memcmp(attr->sta_addr, entry->spa, ETH_ALEN) != 0)
486                         return 0;
487                 match++;
488         }
489
490         if (attr->acct_multi_session_id) {
491                 char buf[20];
492
493                 if (attr->acct_multi_session_id_len != 16)
494                         return 0;
495                 os_snprintf(buf, sizeof(buf), "%016lX",
496                             (long unsigned int) entry->acct_multi_session_id);
497                 if (os_memcmp(attr->acct_multi_session_id, buf, 16) != 0)
498                         return 0;
499                 match++;
500         }
501
502         if (attr->cui) {
503                 if (!entry->cui ||
504                     attr->cui_len != wpabuf_len(entry->cui) ||
505                     os_memcmp(attr->cui, wpabuf_head(entry->cui),
506                               attr->cui_len) != 0)
507                         return 0;
508                 match++;
509         }
510
511         if (attr->user_name) {
512                 if (!entry->identity ||
513                     attr->user_name_len != entry->identity_len ||
514                     os_memcmp(attr->user_name, entry->identity,
515                               attr->user_name_len) != 0)
516                         return 0;
517                 match++;
518         }
519
520         return match;
521 }
522
523
524 int pmksa_cache_auth_radius_das_disconnect(struct rsn_pmksa_cache *pmksa,
525                                            struct radius_das_attrs *attr)
526 {
527         int found = 0;
528         struct rsn_pmksa_cache_entry *entry, *prev;
529
530         if (attr->acct_session_id)
531                 return -1;
532
533         entry = pmksa->pmksa;
534         while (entry) {
535                 if (das_attr_match(entry, attr)) {
536                         found++;
537                         prev = entry;
538                         entry = entry->next;
539                         pmksa_cache_free_entry(pmksa, prev);
540                         continue;
541                 }
542                 entry = entry->next;
543         }
544
545         return found ? 0 : -1;
546 }
Moonshot GSS-API mechanism