Line data Source code
1 : /*
2 : * hostapd - PMKSA cache for IEEE 802.11i RSN
3 : * Copyright (c) 2004-2008, 2012-2015, Jouni Malinen <j@w1.fi>
4 : *
5 : * This software may be distributed under the terms of the BSD license.
6 : * See README for more details.
7 : */
8 :
9 : #include "utils/includes.h"
10 :
11 : #include "utils/common.h"
12 : #include "utils/eloop.h"
13 : #include "eapol_auth/eapol_auth_sm.h"
14 : #include "eapol_auth/eapol_auth_sm_i.h"
15 : #include "radius/radius_das.h"
16 : #include "sta_info.h"
17 : #include "ap_config.h"
18 : #include "pmksa_cache_auth.h"
19 :
20 :
21 : static const int pmksa_cache_max_entries = 1024;
22 : static const int dot11RSNAConfigPMKLifetime = 43200;
23 :
24 : struct rsn_pmksa_cache {
25 : #define PMKID_HASH_SIZE 128
26 : #define PMKID_HASH(pmkid) (unsigned int) ((pmkid)[0] & 0x7f)
27 : struct rsn_pmksa_cache_entry *pmkid[PMKID_HASH_SIZE];
28 : struct rsn_pmksa_cache_entry *pmksa;
29 : int pmksa_count;
30 :
31 : void (*free_cb)(struct rsn_pmksa_cache_entry *entry, void *ctx);
32 : void *ctx;
33 : };
34 :
35 :
36 : static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa);
37 :
38 :
39 739 : static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry *entry)
40 : {
41 739 : os_free(entry->identity);
42 739 : wpabuf_free(entry->cui);
43 : #ifndef CONFIG_NO_RADIUS
44 731 : radius_free_class(&entry->radius_class);
45 : #endif /* CONFIG_NO_RADIUS */
46 739 : bin_clear_free(entry, sizeof(*entry));
47 739 : }
48 :
49 :
50 388 : void pmksa_cache_free_entry(struct rsn_pmksa_cache *pmksa,
51 : struct rsn_pmksa_cache_entry *entry)
52 : {
53 : struct rsn_pmksa_cache_entry *pos, *prev;
54 : unsigned int hash;
55 :
56 388 : pmksa->pmksa_count--;
57 388 : pmksa->free_cb(entry, pmksa->ctx);
58 :
59 : /* unlink from hash list */
60 388 : hash = PMKID_HASH(entry->pmkid);
61 388 : pos = pmksa->pmkid[hash];
62 388 : prev = NULL;
63 776 : while (pos) {
64 388 : if (pos == entry) {
65 388 : if (prev != NULL)
66 0 : prev->hnext = entry->hnext;
67 : else
68 388 : pmksa->pmkid[hash] = entry->hnext;
69 388 : break;
70 : }
71 0 : prev = pos;
72 0 : pos = pos->hnext;
73 : }
74 :
75 : /* unlink from entry list */
76 388 : pos = pmksa->pmksa;
77 388 : prev = NULL;
78 785 : while (pos) {
79 397 : if (pos == entry) {
80 388 : if (prev != NULL)
81 8 : prev->next = entry->next;
82 : else
83 380 : pmksa->pmksa = entry->next;
84 388 : break;
85 : }
86 9 : prev = pos;
87 9 : pos = pos->next;
88 : }
89 :
90 388 : _pmksa_cache_free_entry(entry);
91 388 : }
92 :
93 :
94 3 : static void pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
95 : {
96 3 : struct rsn_pmksa_cache *pmksa = eloop_ctx;
97 : struct os_reltime now;
98 :
99 3 : os_get_reltime(&now);
100 11 : while (pmksa->pmksa && pmksa->pmksa->expiration <= now.sec) {
101 30 : wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
102 30 : MACSTR, MAC2STR(pmksa->pmksa->spa));
103 5 : pmksa_cache_free_entry(pmksa, pmksa->pmksa);
104 : }
105 :
106 3 : pmksa_cache_set_expiration(pmksa);
107 3 : }
108 :
109 :
110 678 : static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa)
111 : {
112 : int sec;
113 : struct os_reltime now;
114 :
115 678 : eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
116 678 : if (pmksa->pmksa == NULL)
117 679 : return;
118 677 : os_get_reltime(&now);
119 677 : sec = pmksa->pmksa->expiration - now.sec;
120 677 : if (sec < 0)
121 0 : sec = 0;
122 677 : eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, pmksa, NULL);
123 : }
124 :
125 :
126 733 : static void pmksa_cache_from_eapol_data(struct rsn_pmksa_cache_entry *entry,
127 : struct eapol_state_machine *eapol)
128 : {
129 733 : if (eapol == NULL)
130 799 : return;
131 :
132 667 : if (eapol->identity) {
133 591 : entry->identity = os_malloc(eapol->identity_len);
134 591 : if (entry->identity) {
135 590 : entry->identity_len = eapol->identity_len;
136 590 : os_memcpy(entry->identity, eapol->identity,
137 : eapol->identity_len);
138 : }
139 : }
140 :
141 667 : if (eapol->radius_cui)
142 6 : entry->cui = wpabuf_dup(eapol->radius_cui);
143 :
144 : #ifndef CONFIG_NO_RADIUS
145 667 : radius_copy_class(&entry->radius_class, &eapol->radius_class);
146 : #endif /* CONFIG_NO_RADIUS */
147 :
148 667 : entry->eap_type_authsrv = eapol->eap_type_authsrv;
149 667 : entry->vlan_id = ((struct sta_info *) eapol->sta)->vlan_id;
150 :
151 667 : entry->acct_multi_session_id_hi = eapol->acct_multi_session_id_hi;
152 667 : entry->acct_multi_session_id_lo = eapol->acct_multi_session_id_lo;
153 : }
154 :
155 :
156 33 : void pmksa_cache_to_eapol_data(struct rsn_pmksa_cache_entry *entry,
157 : struct eapol_state_machine *eapol)
158 : {
159 33 : if (entry == NULL || eapol == NULL)
160 33 : return;
161 :
162 33 : if (entry->identity) {
163 31 : os_free(eapol->identity);
164 31 : eapol->identity = os_malloc(entry->identity_len);
165 31 : if (eapol->identity) {
166 31 : eapol->identity_len = entry->identity_len;
167 31 : os_memcpy(eapol->identity, entry->identity,
168 : entry->identity_len);
169 : }
170 62 : wpa_hexdump_ascii(MSG_DEBUG, "STA identity from PMKSA",
171 31 : eapol->identity, eapol->identity_len);
172 : }
173 :
174 33 : if (entry->cui) {
175 1 : wpabuf_free(eapol->radius_cui);
176 1 : eapol->radius_cui = wpabuf_dup(entry->cui);
177 : }
178 :
179 : #ifndef CONFIG_NO_RADIUS
180 33 : radius_free_class(&eapol->radius_class);
181 33 : radius_copy_class(&eapol->radius_class, &entry->radius_class);
182 : #endif /* CONFIG_NO_RADIUS */
183 33 : if (eapol->radius_class.attr) {
184 2 : wpa_printf(MSG_DEBUG, "Copied %lu Class attribute(s) from "
185 : "PMKSA", (unsigned long) eapol->radius_class.count);
186 : }
187 :
188 33 : eapol->eap_type_authsrv = entry->eap_type_authsrv;
189 33 : ((struct sta_info *) eapol->sta)->vlan_id = entry->vlan_id;
190 :
191 33 : eapol->acct_multi_session_id_hi = entry->acct_multi_session_id_hi;
192 33 : eapol->acct_multi_session_id_lo = entry->acct_multi_session_id_lo;
193 : }
194 :
195 :
196 739 : static void pmksa_cache_link_entry(struct rsn_pmksa_cache *pmksa,
197 : struct rsn_pmksa_cache_entry *entry)
198 : {
199 : struct rsn_pmksa_cache_entry *pos, *prev;
200 : int hash;
201 :
202 : /* Add the new entry; order by expiration time */
203 739 : pos = pmksa->pmksa;
204 739 : prev = NULL;
205 1560 : while (pos) {
206 87 : if (pos->expiration > entry->expiration)
207 5 : break;
208 82 : prev = pos;
209 82 : pos = pos->next;
210 : }
211 739 : if (prev == NULL) {
212 675 : entry->next = pmksa->pmksa;
213 675 : pmksa->pmksa = entry;
214 : } else {
215 64 : entry->next = prev->next;
216 64 : prev->next = entry;
217 : }
218 :
219 739 : hash = PMKID_HASH(entry->pmkid);
220 739 : entry->hnext = pmksa->pmkid[hash];
221 739 : pmksa->pmkid[hash] = entry;
222 :
223 739 : pmksa->pmksa_count++;
224 739 : if (prev == NULL)
225 675 : pmksa_cache_set_expiration(pmksa);
226 4434 : wpa_printf(MSG_DEBUG, "RSN: added PMKSA cache entry for " MACSTR,
227 4434 : MAC2STR(entry->spa));
228 739 : wpa_hexdump(MSG_DEBUG, "RSN: added PMKID", entry->pmkid, PMKID_LEN);
229 739 : }
230 :
231 :
232 : /**
233 : * pmksa_cache_auth_add - Add a PMKSA cache entry
234 : * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
235 : * @pmk: The new pairwise master key
236 : * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
237 : * @kck: Key confirmation key or %NULL if not yet derived
238 : * @kck_len: KCK length in bytes
239 : * @aa: Authenticator address
240 : * @spa: Supplicant address
241 : * @session_timeout: Session timeout
242 : * @eapol: Pointer to EAPOL state machine data
243 : * @akmp: WPA_KEY_MGMT_* used in key derivation
244 : * Returns: Pointer to the added PMKSA cache entry or %NULL on error
245 : *
246 : * This function create a PMKSA entry for a new PMK and adds it to the PMKSA
247 : * cache. If an old entry is already in the cache for the same Supplicant,
248 : * this entry will be replaced with the new entry. PMKID will be calculated
249 : * based on the PMK.
250 : */
251 : struct rsn_pmksa_cache_entry *
252 734 : pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
253 : const u8 *pmk, size_t pmk_len,
254 : const u8 *kck, size_t kck_len,
255 : const u8 *aa, const u8 *spa, int session_timeout,
256 : struct eapol_state_machine *eapol, int akmp)
257 : {
258 : struct rsn_pmksa_cache_entry *entry, *pos;
259 : struct os_reltime now;
260 :
261 734 : if (pmk_len > PMK_LEN)
262 0 : return NULL;
263 :
264 734 : if (wpa_key_mgmt_suite_b(akmp) && !kck)
265 0 : return NULL;
266 :
267 734 : entry = os_zalloc(sizeof(*entry));
268 734 : if (entry == NULL)
269 1 : return NULL;
270 733 : os_memcpy(entry->pmk, pmk, pmk_len);
271 733 : entry->pmk_len = pmk_len;
272 733 : if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
273 2 : rsn_pmkid_suite_b_192(kck, kck_len, aa, spa, entry->pmkid);
274 731 : else if (wpa_key_mgmt_suite_b(akmp))
275 2 : rsn_pmkid_suite_b(kck, kck_len, aa, spa, entry->pmkid);
276 : else
277 729 : rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid,
278 : wpa_key_mgmt_sha256(akmp));
279 733 : os_get_reltime(&now);
280 733 : entry->expiration = now.sec;
281 733 : if (session_timeout > 0)
282 667 : entry->expiration += session_timeout;
283 : else
284 66 : entry->expiration += dot11RSNAConfigPMKLifetime;
285 733 : entry->akmp = akmp;
286 733 : os_memcpy(entry->spa, spa, ETH_ALEN);
287 733 : pmksa_cache_from_eapol_data(entry, eapol);
288 :
289 : /* Replace an old entry for the same STA (if found) with the new entry
290 : */
291 733 : pos = pmksa_cache_auth_get(pmksa, spa, NULL);
292 733 : if (pos)
293 371 : pmksa_cache_free_entry(pmksa, pos);
294 :
295 733 : if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) {
296 : /* Remove the oldest entry to make room for the new entry */
297 0 : wpa_printf(MSG_DEBUG, "RSN: removed the oldest PMKSA cache "
298 : "entry (for " MACSTR ") to make room for new one",
299 0 : MAC2STR(pmksa->pmksa->spa));
300 0 : pmksa_cache_free_entry(pmksa, pmksa->pmksa);
301 : }
302 :
303 733 : pmksa_cache_link_entry(pmksa, entry);
304 :
305 733 : return entry;
306 : }
307 :
308 :
309 : struct rsn_pmksa_cache_entry *
310 6 : pmksa_cache_add_okc(struct rsn_pmksa_cache *pmksa,
311 : const struct rsn_pmksa_cache_entry *old_entry,
312 : const u8 *aa, const u8 *pmkid)
313 : {
314 : struct rsn_pmksa_cache_entry *entry;
315 :
316 6 : entry = os_zalloc(sizeof(*entry));
317 6 : if (entry == NULL)
318 0 : return NULL;
319 6 : os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
320 6 : os_memcpy(entry->pmk, old_entry->pmk, old_entry->pmk_len);
321 6 : entry->pmk_len = old_entry->pmk_len;
322 6 : entry->expiration = old_entry->expiration;
323 6 : entry->akmp = old_entry->akmp;
324 6 : os_memcpy(entry->spa, old_entry->spa, ETH_ALEN);
325 6 : entry->opportunistic = 1;
326 6 : if (old_entry->identity) {
327 6 : entry->identity = os_malloc(old_entry->identity_len);
328 6 : if (entry->identity) {
329 6 : entry->identity_len = old_entry->identity_len;
330 6 : os_memcpy(entry->identity, old_entry->identity,
331 : old_entry->identity_len);
332 : }
333 : }
334 6 : if (old_entry->cui)
335 0 : entry->cui = wpabuf_dup(old_entry->cui);
336 : #ifndef CONFIG_NO_RADIUS
337 6 : radius_copy_class(&entry->radius_class, &old_entry->radius_class);
338 : #endif /* CONFIG_NO_RADIUS */
339 6 : entry->eap_type_authsrv = old_entry->eap_type_authsrv;
340 6 : entry->vlan_id = old_entry->vlan_id;
341 6 : entry->opportunistic = 1;
342 :
343 6 : pmksa_cache_link_entry(pmksa, entry);
344 :
345 6 : return entry;
346 : }
347 :
348 :
349 : /**
350 : * pmksa_cache_auth_deinit - Free all entries in PMKSA cache
351 : * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
352 : */
353 1293 : void pmksa_cache_auth_deinit(struct rsn_pmksa_cache *pmksa)
354 : {
355 : struct rsn_pmksa_cache_entry *entry, *prev;
356 : int i;
357 :
358 1293 : if (pmksa == NULL)
359 1293 : return;
360 :
361 1293 : entry = pmksa->pmksa;
362 2937 : while (entry) {
363 351 : prev = entry;
364 351 : entry = entry->next;
365 351 : _pmksa_cache_free_entry(prev);
366 : }
367 1293 : eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
368 1293 : pmksa->pmksa_count = 0;
369 1293 : pmksa->pmksa = NULL;
370 166797 : for (i = 0; i < PMKID_HASH_SIZE; i++)
371 165504 : pmksa->pmkid[i] = NULL;
372 1293 : os_free(pmksa);
373 : }
374 :
375 :
376 : /**
377 : * pmksa_cache_auth_get - Fetch a PMKSA cache entry
378 : * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
379 : * @spa: Supplicant address or %NULL to match any
380 : * @pmkid: PMKID or %NULL to match any
381 : * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
382 : */
383 : struct rsn_pmksa_cache_entry *
384 1044 : pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
385 : const u8 *spa, const u8 *pmkid)
386 : {
387 : struct rsn_pmksa_cache_entry *entry;
388 :
389 1044 : if (pmkid) {
390 606 : for (entry = pmksa->pmkid[PMKID_HASH(pmkid)]; entry;
391 0 : entry = entry->hnext) {
392 56 : if ((spa == NULL ||
393 56 : os_memcmp(entry->spa, spa, ETH_ALEN) == 0) &&
394 28 : os_memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0)
395 28 : return entry;
396 : }
397 : } else {
398 816 : for (entry = pmksa->pmksa; entry; entry = entry->next) {
399 906 : if (spa == NULL ||
400 453 : os_memcmp(entry->spa, spa, ETH_ALEN) == 0)
401 378 : return entry;
402 : }
403 : }
404 :
405 638 : return NULL;
406 : }
407 :
408 :
409 : /**
410 : * pmksa_cache_get_okc - Fetch a PMKSA cache entry using OKC
411 : * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
412 : * @aa: Authenticator address
413 : * @spa: Supplicant address
414 : * @pmkid: PMKID
415 : * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
416 : *
417 : * Use opportunistic key caching (OKC) to find a PMK for a supplicant.
418 : */
419 6 : struct rsn_pmksa_cache_entry * pmksa_cache_get_okc(
420 : struct rsn_pmksa_cache *pmksa, const u8 *aa, const u8 *spa,
421 : const u8 *pmkid)
422 : {
423 : struct rsn_pmksa_cache_entry *entry;
424 : u8 new_pmkid[PMKID_LEN];
425 :
426 12 : for (entry = pmksa->pmksa; entry; entry = entry->next) {
427 12 : if (os_memcmp(entry->spa, spa, ETH_ALEN) != 0)
428 6 : continue;
429 6 : rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa, new_pmkid,
430 : wpa_key_mgmt_sha256(entry->akmp));
431 6 : if (os_memcmp(new_pmkid, pmkid, PMKID_LEN) == 0)
432 6 : return entry;
433 : }
434 0 : return NULL;
435 : }
436 :
437 :
438 : /**
439 : * pmksa_cache_auth_init - Initialize PMKSA cache
440 : * @free_cb: Callback function to be called when a PMKSA cache entry is freed
441 : * @ctx: Context pointer for free_cb function
442 : * Returns: Pointer to PMKSA cache data or %NULL on failure
443 : */
444 : struct rsn_pmksa_cache *
445 1293 : pmksa_cache_auth_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
446 : void *ctx), void *ctx)
447 : {
448 : struct rsn_pmksa_cache *pmksa;
449 :
450 1293 : pmksa = os_zalloc(sizeof(*pmksa));
451 1293 : if (pmksa) {
452 1293 : pmksa->free_cb = free_cb;
453 1293 : pmksa->ctx = ctx;
454 : }
455 :
456 1293 : return pmksa;
457 : }
458 :
459 :
460 14 : static int das_attr_match(struct rsn_pmksa_cache_entry *entry,
461 : struct radius_das_attrs *attr)
462 : {
463 14 : int match = 0;
464 :
465 14 : if (attr->sta_addr) {
466 3 : if (os_memcmp(attr->sta_addr, entry->spa, ETH_ALEN) != 0)
467 1 : return 0;
468 2 : match++;
469 : }
470 :
471 13 : if (attr->acct_multi_session_id) {
472 : char buf[20];
473 :
474 5 : if (attr->acct_multi_session_id_len != 17)
475 5 : return 0;
476 4 : os_snprintf(buf, sizeof(buf), "%08X+%08X",
477 : entry->acct_multi_session_id_hi,
478 : entry->acct_multi_session_id_lo);
479 4 : if (os_memcmp(attr->acct_multi_session_id, buf, 17) != 0)
480 3 : return 0;
481 1 : match++;
482 : }
483 :
484 9 : if (attr->cui) {
485 3 : if (!entry->cui ||
486 2 : attr->cui_len != wpabuf_len(entry->cui) ||
487 1 : os_memcmp(attr->cui, wpabuf_head(entry->cui),
488 : attr->cui_len) != 0)
489 1 : return 0;
490 1 : match++;
491 : }
492 :
493 8 : if (attr->user_name) {
494 8 : if (!entry->identity ||
495 6 : attr->user_name_len != entry->identity_len ||
496 2 : os_memcmp(attr->user_name, entry->identity,
497 : attr->user_name_len) != 0)
498 2 : return 0;
499 2 : match++;
500 : }
501 :
502 6 : return match;
503 : }
504 :
505 :
506 13 : int pmksa_cache_auth_radius_das_disconnect(struct rsn_pmksa_cache *pmksa,
507 : struct radius_das_attrs *attr)
508 : {
509 13 : int found = 0;
510 : struct rsn_pmksa_cache_entry *entry, *prev;
511 :
512 13 : if (attr->acct_session_id)
513 2 : return -1;
514 :
515 11 : entry = pmksa->pmksa;
516 36 : while (entry) {
517 14 : if (das_attr_match(entry, attr)) {
518 5 : found++;
519 5 : prev = entry;
520 5 : entry = entry->next;
521 5 : pmksa_cache_free_entry(pmksa, prev);
522 5 : continue;
523 : }
524 9 : entry = entry->next;
525 : }
526 :
527 11 : return found ? 0 : -1;
528 : }
|