1 /*
2 * WPA Supplicant - RSN PMKSA cache
3 * Copyright (c) 2004-2009, 2011-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "eloop.h"
13 #include "eapol_supp/eapol_supp_sm.h"
14 #include "wpa.h"
15 #include "wpa_i.h"
16 #include "pmksa_cache.h"
17 #include "wpa_supplicant_i.h"
18 #include "notify.h"
19
20 #if defined(IEEE8021X_EAPOL) && !defined(CONFIG_NO_WPA)
21
22 static const int pmksa_cache_max_entries = 32;
23
24 struct rsn_pmksa_cache {
25 struct rsn_pmksa_cache_entry *pmksa; /* PMKSA cache */
26 int pmksa_count; /* number of entries in PMKSA cache */
27 struct wpa_sm *sm; /* TODO: get rid of this reference(?) */
28
29 void (*free_cb)(struct rsn_pmksa_cache_entry *entry, void *ctx,
30 enum pmksa_free_reason reason);
31 bool (*is_current_cb)(struct rsn_pmksa_cache_entry *entry,
32 void *ctx);
33 void (*notify_cb)(struct rsn_pmksa_cache_entry *entry, void *ctx);
34 void *ctx;
35 };
36
37
38 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa);
39
40
_pmksa_cache_free_entry(struct rsn_pmksa_cache_entry * entry)41 static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry *entry)
42 {
43 bin_clear_free(entry, sizeof(*entry));
44 }
45
46
pmksa_cache_free_entry(struct rsn_pmksa_cache * pmksa,struct rsn_pmksa_cache_entry * entry,enum pmksa_free_reason reason)47 static void pmksa_cache_free_entry(struct rsn_pmksa_cache *pmksa,
48 struct rsn_pmksa_cache_entry *entry,
49 enum pmksa_free_reason reason)
50 {
51 if (pmksa->sm)
52 wpa_sm_remove_pmkid(pmksa->sm, entry->network_ctx, entry->aa,
53 entry->pmkid,
54 entry->fils_cache_id_set ?
55 entry->fils_cache_id : NULL);
56 pmksa->pmksa_count--;
57 if (pmksa->free_cb)
58 pmksa->free_cb(entry, pmksa->ctx, reason);
59 _pmksa_cache_free_entry(entry);
60 }
61
62
pmksa_cache_remove(struct rsn_pmksa_cache * pmksa,struct rsn_pmksa_cache_entry * entry)63 void pmksa_cache_remove(struct rsn_pmksa_cache *pmksa,
64 struct rsn_pmksa_cache_entry *entry)
65 {
66 struct rsn_pmksa_cache_entry *e;
67
68 e = pmksa->pmksa;
69 while (e) {
70 if (e == entry) {
71 pmksa->pmksa = entry->next;
72 break;
73 }
74 if (e->next == entry) {
75 e->next = entry->next;
76 break;
77 }
78 }
79
80 if (!e) {
81 wpa_printf(MSG_DEBUG,
82 "RSN: Could not remove PMKSA cache entry %p since it is not in the list",
83 entry);
84 return;
85 }
86
87 pmksa_cache_free_entry(pmksa, entry, PMKSA_FREE);
88 }
89
90
pmksa_cache_expire(void * eloop_ctx,void * timeout_ctx)91 static void pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
92 {
93 struct rsn_pmksa_cache *pmksa = eloop_ctx;
94 struct os_reltime now;
95 struct rsn_pmksa_cache_entry *prev = NULL, *tmp;
96 struct rsn_pmksa_cache_entry *entry = pmksa->pmksa;
97
98 os_get_reltime(&now);
99 while (entry && entry->expiration <= now.sec) {
100 if (wpa_key_mgmt_sae(entry->akmp) && pmksa->is_current_cb &&
101 pmksa->is_current_cb(entry, pmksa->ctx)) {
102 /* Do not expire the currently used PMKSA entry for SAE
103 * since there is no convenient mechanism for
104 * reauthenticating during an association with SAE. The
105 * expired entry will be removed after this association
106 * has been lost. */
107 wpa_printf(MSG_DEBUG,
108 "RSN: postpone PMKSA cache entry expiration for SAE with "
109 MACSTR, MAC2STR(entry->aa));
110 prev = entry;
111 entry = entry->next;
112 continue;
113 }
114
115 wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
116 MACSTR, MAC2STR(entry->aa));
117 if (prev)
118 prev->next = entry->next;
119 else
120 pmksa->pmksa = entry->next;
121 tmp = entry;
122 entry = entry->next;
123 pmksa_cache_free_entry(pmksa, tmp, PMKSA_EXPIRE);
124 }
125
126 pmksa_cache_set_expiration(pmksa);
127 }
128
129
pmksa_cache_reauth(void * eloop_ctx,void * timeout_ctx)130 static void pmksa_cache_reauth(void *eloop_ctx, void *timeout_ctx)
131 {
132 struct rsn_pmksa_cache *pmksa = eloop_ctx;
133
134 if (!pmksa->sm)
135 return;
136
137 pmksa->sm->cur_pmksa = NULL;
138 eapol_sm_request_reauth(pmksa->sm->eapol);
139 }
140
141
pmksa_cache_set_expiration(struct rsn_pmksa_cache * pmksa)142 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa)
143 {
144 int sec;
145 struct rsn_pmksa_cache_entry *entry;
146 struct os_reltime now;
147
148 eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
149 eloop_cancel_timeout(pmksa_cache_reauth, pmksa, NULL);
150 if (pmksa->pmksa == NULL)
151 return;
152 os_get_reltime(&now);
153 sec = pmksa->pmksa->expiration - now.sec;
154 if (sec < 0) {
155 sec = 0;
156 if (wpa_key_mgmt_sae(pmksa->pmksa->akmp) &&
157 pmksa->is_current_cb &&
158 pmksa->is_current_cb(pmksa->pmksa, pmksa->ctx)) {
159 /* Do not continue polling for the current PMKSA entry
160 * from SAE to expire every second. Use the expiration
161 * time to the following entry, if any, and wait at
162 * maximum 10 minutes to check again.
163 */
164 entry = pmksa->pmksa->next;
165 if (entry) {
166 sec = entry->expiration - now.sec;
167 if (sec < 0)
168 sec = 0;
169 else if (sec > 600)
170 sec = 600;
171 } else {
172 sec = 600;
173 }
174 }
175 }
176 eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, pmksa, NULL);
177
178 if (!pmksa->sm)
179 return;
180
181 entry = pmksa->sm->cur_pmksa ? pmksa->sm->cur_pmksa :
182 pmksa_cache_get(pmksa, pmksa->sm->bssid, NULL, NULL, NULL, 0);
183 if (entry && !wpa_key_mgmt_sae(entry->akmp)) {
184 sec = pmksa->pmksa->reauth_time - now.sec;
185 if (sec < 0)
186 sec = 0;
187 eloop_register_timeout(sec, 0, pmksa_cache_reauth, pmksa,
188 NULL);
189 }
190 }
191
192
193 /**
194 * pmksa_cache_add - Add a PMKSA cache entry
195 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
196 * @pmk: The new pairwise master key
197 * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
198 * @pmkid: Calculated PMKID
199 * @kck: Key confirmation key or %NULL if not yet derived
200 * @kck_len: KCK length in bytes
201 * @aa: Authenticator address
202 * @spa: Supplicant address
203 * @network_ctx: Network configuration context for this PMK
204 * @akmp: WPA_KEY_MGMT_* used in key derivation
205 * @cache_id: Pointer to FILS Cache Identifier or %NULL if not advertised
206 * Returns: Pointer to the added PMKSA cache entry or %NULL on error
207 *
208 * This function create a PMKSA entry for a new PMK and adds it to the PMKSA
209 * cache. If an old entry is already in the cache for the same Authenticator,
210 * this entry will be replaced with the new entry. PMKID will be calculated
211 * based on the PMK and the driver interface is notified of the new PMKID.
212 */
213 struct rsn_pmksa_cache_entry *
pmksa_cache_add(struct rsn_pmksa_cache * pmksa,const u8 * pmk,size_t pmk_len,const u8 * pmkid,const u8 * kck,size_t kck_len,const u8 * aa,const u8 * spa,void * network_ctx,int akmp,const u8 * cache_id)214 pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len,
215 const u8 *pmkid, const u8 *kck, size_t kck_len,
216 const u8 *aa, const u8 *spa, void *network_ctx, int akmp,
217 const u8 *cache_id)
218 {
219 struct rsn_pmksa_cache_entry *entry;
220 struct os_reltime now;
221 unsigned int pmk_lifetime = 43200;
222 unsigned int pmk_reauth_threshold = 70;
223
224 if (pmk_len > PMK_LEN_MAX)
225 return NULL;
226
227 if (wpa_key_mgmt_suite_b(akmp) && !kck)
228 return NULL;
229
230 entry = os_zalloc(sizeof(*entry));
231 if (entry == NULL)
232 return NULL;
233 os_memcpy(entry->pmk, pmk, pmk_len);
234 entry->pmk_len = pmk_len;
235 if (pmkid)
236 os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
237 else if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
238 rsn_pmkid_suite_b_192(kck, kck_len, aa, spa, entry->pmkid);
239 else if (wpa_key_mgmt_suite_b(akmp))
240 rsn_pmkid_suite_b(kck, kck_len, aa, spa, entry->pmkid);
241 else
242 rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid, akmp);
243 os_get_reltime(&now);
244 if (pmksa->sm) {
245 pmk_lifetime = pmksa->sm->dot11RSNAConfigPMKLifetime;
246 pmk_reauth_threshold =
247 pmksa->sm->dot11RSNAConfigPMKReauthThreshold;
248 }
249 entry->expiration = now.sec + pmk_lifetime;
250 entry->reauth_time = now.sec +
251 pmk_lifetime * pmk_reauth_threshold / 100;
252 entry->akmp = akmp;
253 if (cache_id) {
254 entry->fils_cache_id_set = 1;
255 os_memcpy(entry->fils_cache_id, cache_id, FILS_CACHE_ID_LEN);
256 }
257 os_memcpy(entry->aa, aa, ETH_ALEN);
258 os_memcpy(entry->spa, spa, ETH_ALEN);
259 entry->network_ctx = network_ctx;
260
261 return pmksa_cache_add_entry(pmksa, entry);
262 }
263
264
265 struct rsn_pmksa_cache_entry *
pmksa_cache_add_entry(struct rsn_pmksa_cache * pmksa,struct rsn_pmksa_cache_entry * entry)266 pmksa_cache_add_entry(struct rsn_pmksa_cache *pmksa,
267 struct rsn_pmksa_cache_entry *entry)
268 {
269 struct rsn_pmksa_cache_entry *pos, *prev;
270
271 /* Replace an old entry for the same Authenticator (if found) with the
272 * new entry */
273 pos = pmksa->pmksa;
274 prev = NULL;
275 while (pos) {
276 if (os_memcmp(entry->aa, pos->aa, ETH_ALEN) == 0 &&
277 os_memcmp(entry->spa, pos->spa, ETH_ALEN) == 0) {
278 if (pos->pmk_len == entry->pmk_len &&
279 os_memcmp_const(pos->pmk, entry->pmk,
280 entry->pmk_len) == 0 &&
281 os_memcmp_const(pos->pmkid, entry->pmkid,
282 PMKID_LEN) == 0) {
283 wpa_printf(MSG_DEBUG, "WPA: reusing previous "
284 "PMKSA entry");
285 os_free(entry);
286 return pos;
287 }
288 if (prev == NULL)
289 pmksa->pmksa = pos->next;
290 else
291 prev->next = pos->next;
292
293 /*
294 * If OKC is used, there may be other PMKSA cache
295 * entries based on the same PMK. These needs to be
296 * flushed so that a new entry can be created based on
297 * the new PMK. Only clear other entries if they have a
298 * matching PMK and this PMK has been used successfully
299 * with the current AP, i.e., if opportunistic flag has
300 * been cleared in wpa_supplicant_key_neg_complete().
301 */
302 wpa_printf(MSG_DEBUG, "RSN: Replace PMKSA entry for "
303 "the current AP and any PMKSA cache entry "
304 "that was based on the old PMK");
305 if (!pos->opportunistic)
306 pmksa_cache_flush(pmksa, entry->network_ctx,
307 pos->pmk, pos->pmk_len,
308 false);
309 pmksa_cache_free_entry(pmksa, pos, PMKSA_REPLACE);
310 break;
311 }
312 prev = pos;
313 pos = pos->next;
314 }
315
316 if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) {
317 /* Remove the oldest entry to make room for the new entry */
318 pos = pmksa->pmksa;
319
320 if (pmksa->sm && pos == pmksa->sm->cur_pmksa) {
321 /*
322 * Never remove the current PMKSA cache entry, since
323 * it's in use, and removing it triggers a needless
324 * deauthentication.
325 */
326 pos = pos->next;
327 pmksa->pmksa->next = pos ? pos->next : NULL;
328 } else
329 pmksa->pmksa = pos->next;
330
331 if (pos) {
332 wpa_printf(MSG_DEBUG, "RSN: removed the oldest idle "
333 "PMKSA cache entry (for " MACSTR ") to "
334 "make room for new one",
335 MAC2STR(pos->aa));
336 pmksa_cache_free_entry(pmksa, pos, PMKSA_FREE);
337 }
338 }
339
340 /* Add the new entry; order by expiration time */
341 pos = pmksa->pmksa;
342 prev = NULL;
343 while (pos) {
344 if (pos->expiration > entry->expiration)
345 break;
346 prev = pos;
347 pos = pos->next;
348 }
349 if (prev == NULL) {
350 entry->next = pmksa->pmksa;
351 pmksa->pmksa = entry;
352 pmksa_cache_set_expiration(pmksa);
353 } else {
354 entry->next = prev->next;
355 prev->next = entry;
356 }
357 pmksa->pmksa_count++;
358 wpa_printf(MSG_DEBUG, "RSN: Added PMKSA cache entry for " MACSTR
359 " spa=" MACSTR " network_ctx=%p akmp=0x%x",
360 MAC2STR(entry->aa), MAC2STR(entry->spa),
361 entry->network_ctx, entry->akmp);
362
363 if (!pmksa->sm)
364 return entry;
365
366 if (pmksa->notify_cb)
367 pmksa->notify_cb(entry, pmksa->ctx);
368
369 wpa_sm_add_pmkid(pmksa->sm, entry->network_ctx, entry->aa, entry->pmkid,
370 entry->fils_cache_id_set ? entry->fils_cache_id : NULL,
371 entry->pmk, entry->pmk_len,
372 pmksa->sm->dot11RSNAConfigPMKLifetime,
373 pmksa->sm->dot11RSNAConfigPMKReauthThreshold,
374 entry->akmp);
375
376 return entry;
377 }
378
379
380 /**
381 * pmksa_cache_flush - Flush PMKSA cache entries for a specific network
382 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
383 * @network_ctx: Network configuration context or %NULL to flush all entries
384 * @pmk: PMK to match for or %NULL to match all PMKs
385 * @pmk_len: PMK length
386 * @external_only: Flush only PMKSA cache entries configured by external
387 * applications
388 */
pmksa_cache_flush(struct rsn_pmksa_cache * pmksa,void * network_ctx,const u8 * pmk,size_t pmk_len,bool external_only)389 void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx,
390 const u8 *pmk, size_t pmk_len, bool external_only)
391 {
392 struct rsn_pmksa_cache_entry *entry, *prev = NULL, *tmp;
393 int removed = 0;
394
395 entry = pmksa->pmksa;
396 while (entry) {
397 if ((entry->network_ctx == network_ctx ||
398 network_ctx == NULL) &&
399 (pmk == NULL ||
400 (pmk_len == entry->pmk_len &&
401 os_memcmp(pmk, entry->pmk, pmk_len) == 0)) &&
402 (!external_only || entry->external)) {
403 wpa_printf(MSG_DEBUG, "RSN: Flush PMKSA cache entry "
404 "for " MACSTR, MAC2STR(entry->aa));
405 if (prev)
406 prev->next = entry->next;
407 else
408 pmksa->pmksa = entry->next;
409 tmp = entry;
410 entry = entry->next;
411 pmksa_cache_free_entry(pmksa, tmp, PMKSA_FREE);
412 removed++;
413 } else {
414 prev = entry;
415 entry = entry->next;
416 }
417 }
418 if (removed)
419 pmksa_cache_set_expiration(pmksa);
420 }
421
422
423 /**
424 * pmksa_cache_deinit - Free all entries in PMKSA cache
425 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
426 */
pmksa_cache_deinit(struct rsn_pmksa_cache * pmksa)427 void pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa)
428 {
429 struct rsn_pmksa_cache_entry *entry, *prev;
430
431 if (pmksa == NULL)
432 return;
433
434 entry = pmksa->pmksa;
435 pmksa->pmksa = NULL;
436 while (entry) {
437 prev = entry;
438 entry = entry->next;
439 os_free(prev);
440 }
441 pmksa_cache_set_expiration(pmksa);
442 os_free(pmksa);
443 }
444
445
446 /**
447 * pmksa_cache_get - Fetch a PMKSA cache entry
448 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
449 * @aa: Authenticator address or %NULL to match any
450 * @pmkid: PMKID or %NULL to match any
451 * @network_ctx: Network context or %NULL to match any
452 * @akmp: Specific AKMP to search for or 0 for any
453 * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
454 */
pmksa_cache_get(struct rsn_pmksa_cache * pmksa,const u8 * aa,const u8 * spa,const u8 * pmkid,const void * network_ctx,int akmp)455 struct rsn_pmksa_cache_entry * pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
456 const u8 *aa, const u8 *spa,
457 const u8 *pmkid,
458 const void *network_ctx,
459 int akmp)
460 {
461 struct rsn_pmksa_cache_entry *entry = pmksa->pmksa;
462 while (entry) {
463 if ((aa == NULL || os_memcmp(entry->aa, aa, ETH_ALEN) == 0) &&
464 (!spa || os_memcmp(entry->spa, spa, ETH_ALEN) == 0) &&
465 (pmkid == NULL ||
466 os_memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0) &&
467 (!akmp || akmp == entry->akmp) &&
468 (network_ctx == NULL || network_ctx == entry->network_ctx))
469 return entry;
470 entry = entry->next;
471 }
472 return NULL;
473 }
474
475
476 static struct rsn_pmksa_cache_entry *
pmksa_cache_clone_entry(struct rsn_pmksa_cache * pmksa,const struct rsn_pmksa_cache_entry * old_entry,const u8 * aa)477 pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
478 const struct rsn_pmksa_cache_entry *old_entry,
479 const u8 *aa)
480 {
481 struct rsn_pmksa_cache_entry *new_entry;
482 os_time_t old_expiration = old_entry->expiration;
483 os_time_t old_reauth_time = old_entry->reauth_time;
484 const u8 *pmkid = NULL;
485
486 if (!pmksa->sm)
487 return NULL;
488
489 if (wpa_key_mgmt_sae(old_entry->akmp) ||
490 wpa_key_mgmt_fils(old_entry->akmp))
491 pmkid = old_entry->pmkid;
492 new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len,
493 pmkid, NULL, 0,
494 aa, pmksa->sm->own_addr,
495 old_entry->network_ctx, old_entry->akmp,
496 old_entry->fils_cache_id_set ?
497 old_entry->fils_cache_id : NULL);
498 if (new_entry == NULL)
499 return NULL;
500
501 /* TODO: reorder entries based on expiration time? */
502 new_entry->expiration = old_expiration;
503 new_entry->reauth_time = old_reauth_time;
504 new_entry->opportunistic = 1;
505
506 return new_entry;
507 }
508
509
510 /**
511 * pmksa_cache_get_opportunistic - Try to get an opportunistic PMKSA entry
512 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
513 * @network_ctx: Network configuration context
514 * @aa: Authenticator address for the new AP
515 * @akmp: Specific AKMP to search for or 0 for any
516 * Returns: Pointer to a new PMKSA cache entry or %NULL if not available
517 *
518 * Try to create a new PMKSA cache entry opportunistically by guessing that the
519 * new AP is sharing the same PMK as another AP that has the same SSID and has
520 * already an entry in PMKSA cache.
521 */
522 struct rsn_pmksa_cache_entry *
pmksa_cache_get_opportunistic(struct rsn_pmksa_cache * pmksa,void * network_ctx,const u8 * aa,int akmp)523 pmksa_cache_get_opportunistic(struct rsn_pmksa_cache *pmksa, void *network_ctx,
524 const u8 *aa, int akmp)
525 {
526 struct rsn_pmksa_cache_entry *entry = pmksa->pmksa;
527
528 wpa_printf(MSG_DEBUG, "RSN: Consider " MACSTR " for OKC", MAC2STR(aa));
529 if (network_ctx == NULL)
530 return NULL;
531 while (entry) {
532 if (entry->network_ctx == network_ctx &&
533 (!akmp || entry->akmp == akmp)) {
534 struct os_reltime now;
535
536 if (wpa_key_mgmt_sae(entry->akmp) &&
537 os_get_reltime(&now) == 0 &&
538 entry->reauth_time < now.sec) {
539 wpa_printf(MSG_DEBUG,
540 "RSN: Do not clone PMKSA cache entry for "
541 MACSTR
542 " since its reauth threshold has passed",
543 MAC2STR(entry->aa));
544 entry = entry->next;
545 continue;
546 }
547
548 entry = pmksa_cache_clone_entry(pmksa, entry, aa);
549 if (entry) {
550 wpa_printf(MSG_DEBUG, "RSN: added "
551 "opportunistic PMKSA cache entry "
552 "for " MACSTR, MAC2STR(aa));
553 }
554 return entry;
555 }
556 entry = entry->next;
557 }
558 return NULL;
559 }
560
561
562 static struct rsn_pmksa_cache_entry *
pmksa_cache_get_fils_cache_id(struct rsn_pmksa_cache * pmksa,const void * network_ctx,const u8 * cache_id)563 pmksa_cache_get_fils_cache_id(struct rsn_pmksa_cache *pmksa,
564 const void *network_ctx, const u8 *cache_id)
565 {
566 struct rsn_pmksa_cache_entry *entry;
567
568 for (entry = pmksa->pmksa; entry; entry = entry->next) {
569 if (network_ctx == entry->network_ctx &&
570 entry->fils_cache_id_set &&
571 os_memcmp(cache_id, entry->fils_cache_id,
572 FILS_CACHE_ID_LEN) == 0)
573 return entry;
574 }
575
576 return NULL;
577 }
578
579
580 /**
581 * pmksa_cache_get_current - Get the current used PMKSA entry
582 * @sm: Pointer to WPA state machine data from wpa_sm_init()
583 * Returns: Pointer to the current PMKSA cache entry or %NULL if not available
584 */
pmksa_cache_get_current(struct wpa_sm * sm)585 struct rsn_pmksa_cache_entry * pmksa_cache_get_current(struct wpa_sm *sm)
586 {
587 if (sm == NULL)
588 return NULL;
589 return sm->cur_pmksa;
590 }
591
592
593 /**
594 * pmksa_cache_clear_current - Clear the current PMKSA entry selection
595 * @sm: Pointer to WPA state machine data from wpa_sm_init()
596 */
pmksa_cache_clear_current(struct wpa_sm * sm)597 void pmksa_cache_clear_current(struct wpa_sm *sm)
598 {
599 if (sm == NULL)
600 return;
601 if (sm->cur_pmksa)
602 wpa_printf(MSG_DEBUG,
603 "RSN: Clear current PMKSA entry selection");
604 sm->cur_pmksa = NULL;
605 }
606
607
608 /**
609 * pmksa_cache_set_current - Set the current PMKSA entry selection
610 * @sm: Pointer to WPA state machine data from wpa_sm_init()
611 * @pmkid: PMKID for selecting PMKSA or %NULL if not used
612 * @bssid: BSSID for PMKSA or %NULL if not used
613 * @network_ctx: Network configuration context
614 * @try_opportunistic: Whether to allow opportunistic PMKSA caching
615 * @fils_cache_id: Pointer to FILS Cache Identifier or %NULL if not used
616 * Returns: 0 if PMKSA was found or -1 if no matching entry was found
617 */
pmksa_cache_set_current(struct wpa_sm * sm,const u8 * pmkid,const u8 * bssid,void * network_ctx,int try_opportunistic,const u8 * fils_cache_id,int akmp)618 int pmksa_cache_set_current(struct wpa_sm *sm, const u8 *pmkid,
619 const u8 *bssid, void *network_ctx,
620 int try_opportunistic, const u8 *fils_cache_id,
621 int akmp)
622 {
623 struct rsn_pmksa_cache *pmksa = sm->pmksa;
624 wpa_printf(MSG_DEBUG, "RSN: PMKSA cache search - network_ctx=%p "
625 "try_opportunistic=%d akmp=0x%x",
626 network_ctx, try_opportunistic, akmp);
627 if (pmkid)
628 wpa_hexdump(MSG_DEBUG, "RSN: Search for PMKID",
629 pmkid, PMKID_LEN);
630 if (bssid)
631 wpa_printf(MSG_DEBUG, "RSN: Search for BSSID " MACSTR,
632 MAC2STR(bssid));
633 if (fils_cache_id)
634 wpa_printf(MSG_DEBUG,
635 "RSN: Search for FILS Cache Identifier %02x%02x",
636 fils_cache_id[0], fils_cache_id[1]);
637
638 sm->cur_pmksa = NULL;
639 if (pmkid)
640 sm->cur_pmksa = pmksa_cache_get(pmksa, NULL, sm->own_addr,
641 pmkid, network_ctx, akmp);
642 if (sm->cur_pmksa == NULL && bssid)
643 sm->cur_pmksa = pmksa_cache_get(pmksa, bssid, sm->own_addr,
644 NULL, network_ctx, akmp);
645 if (sm->cur_pmksa == NULL && try_opportunistic && bssid)
646 sm->cur_pmksa = pmksa_cache_get_opportunistic(pmksa,
647 network_ctx,
648 bssid, akmp);
649 if (sm->cur_pmksa == NULL && fils_cache_id)
650 sm->cur_pmksa = pmksa_cache_get_fils_cache_id(pmksa,
651 network_ctx,
652 fils_cache_id);
653 if (sm->cur_pmksa) {
654 struct os_reltime now;
655
656 if (wpa_key_mgmt_sae(sm->cur_pmksa->akmp) &&
657 os_get_reltime(&now) == 0 &&
658 sm->cur_pmksa->reauth_time < now.sec) {
659 wpa_printf(MSG_DEBUG,
660 "RSN: Do not allow PMKSA cache entry for "
661 MACSTR
662 " to be used for SAE since its reauth threshold has passed",
663 MAC2STR(sm->cur_pmksa->aa));
664 sm->cur_pmksa = NULL;
665 return -1;
666 }
667
668 wpa_hexdump(MSG_DEBUG, "RSN: PMKSA cache entry found - PMKID",
669 sm->cur_pmksa->pmkid, PMKID_LEN);
670 return 0;
671 }
672 wpa_printf(MSG_DEBUG, "RSN: No PMKSA cache entry found");
673 return -1;
674 }
675
676
677 /**
678 * pmksa_cache_list - Dump text list of entries in PMKSA cache
679 * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
680 * @buf: Buffer for the list
681 * @len: Length of the buffer
682 * Returns: number of bytes written to buffer
683 *
684 * This function is used to generate a text format representation of the
685 * current PMKSA cache contents for the ctrl_iface PMKSA command.
686 */
pmksa_cache_list(struct rsn_pmksa_cache * pmksa,char * buf,size_t len)687 int pmksa_cache_list(struct rsn_pmksa_cache *pmksa, char *buf, size_t len)
688 {
689 int i, ret;
690 char *pos = buf;
691 struct rsn_pmksa_cache_entry *entry;
692 struct os_reltime now;
693 int cache_id_used = 0;
694
695 for (entry = pmksa->pmksa; entry; entry = entry->next) {
696 if (entry->fils_cache_id_set) {
697 cache_id_used = 1;
698 break;
699 }
700 }
701
702 os_get_reltime(&now);
703 ret = os_snprintf(pos, buf + len - pos,
704 "Index / AA / PMKID / expiration (in seconds) / "
705 "opportunistic%s\n",
706 cache_id_used ? " / FILS Cache Identifier" : "");
707 if (os_snprintf_error(buf + len - pos, ret))
708 return pos - buf;
709 pos += ret;
710 i = 0;
711 entry = pmksa->pmksa;
712 while (entry) {
713 i++;
714 ret = os_snprintf(pos, buf + len - pos, "%d " MACSTR " ",
715 i, MAC2STR(entry->aa));
716 if (os_snprintf_error(buf + len - pos, ret))
717 return pos - buf;
718 pos += ret;
719 pos += wpa_snprintf_hex(pos, buf + len - pos, entry->pmkid,
720 PMKID_LEN);
721 ret = os_snprintf(pos, buf + len - pos, " %d %d",
722 (int) (entry->expiration - now.sec),
723 entry->opportunistic);
724 if (os_snprintf_error(buf + len - pos, ret))
725 return pos - buf;
726 pos += ret;
727 if (entry->fils_cache_id_set) {
728 ret = os_snprintf(pos, buf + len - pos, " %02x%02x",
729 entry->fils_cache_id[0],
730 entry->fils_cache_id[1]);
731 if (os_snprintf_error(buf + len - pos, ret))
732 return pos - buf;
733 pos += ret;
734 }
735 ret = os_snprintf(pos, buf + len - pos, "\n");
736 if (os_snprintf_error(buf + len - pos, ret))
737 return pos - buf;
738 pos += ret;
739 entry = entry->next;
740 }
741 return pos - buf;
742 }
743
744
pmksa_cache_head(struct rsn_pmksa_cache * pmksa)745 struct rsn_pmksa_cache_entry * pmksa_cache_head(struct rsn_pmksa_cache *pmksa)
746 {
747 return pmksa->pmksa;
748 }
749
750
751 /**
752 * pmksa_cache_init - Initialize PMKSA cache
753 * @free_cb: Callback function to be called when a PMKSA cache entry is freed
754 * @ctx: Context pointer for free_cb function
755 * @sm: Pointer to WPA state machine data from wpa_sm_init()
756 * Returns: Pointer to PMKSA cache data or %NULL on failure
757 */
758 struct rsn_pmksa_cache *
pmksa_cache_init(void (* free_cb)(struct rsn_pmksa_cache_entry * entry,void * ctx,enum pmksa_free_reason reason),bool (* is_current_cb)(struct rsn_pmksa_cache_entry * entry,void * ctx),void (* notify_cb)(struct rsn_pmksa_cache_entry * entry,void * ctx),void * ctx,struct wpa_sm * sm)759 pmksa_cache_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
760 void *ctx, enum pmksa_free_reason reason),
761 bool (*is_current_cb)(struct rsn_pmksa_cache_entry *entry,
762 void *ctx),
763 void (*notify_cb)(struct rsn_pmksa_cache_entry *entry,
764 void *ctx),
765 void *ctx, struct wpa_sm *sm)
766 {
767 struct rsn_pmksa_cache *pmksa;
768
769 pmksa = os_zalloc(sizeof(*pmksa));
770 if (pmksa) {
771 pmksa->free_cb = free_cb;
772 pmksa->is_current_cb = is_current_cb;
773 pmksa->notify_cb = notify_cb;
774 pmksa->ctx = ctx;
775 pmksa->sm = sm;
776 }
777
778 return pmksa;
779 }
780
781
pmksa_cache_reconfig(struct rsn_pmksa_cache * pmksa)782 void pmksa_cache_reconfig(struct rsn_pmksa_cache *pmksa)
783 {
784 struct rsn_pmksa_cache_entry *entry;
785 struct os_reltime now;
786
787 if (!pmksa || !pmksa->pmksa)
788 return;
789
790 os_get_reltime(&now);
791 for (entry = pmksa->pmksa; entry; entry = entry->next) {
792 u32 life_time;
793 u8 reauth_threshold;
794
795 if (entry->expiration - now.sec < 1 ||
796 entry->reauth_time - now.sec < 1)
797 continue;
798
799 life_time = entry->expiration - now.sec;
800 reauth_threshold = (entry->reauth_time - now.sec) * 100 /
801 life_time;
802 if (!reauth_threshold)
803 continue;
804
805 wpa_sm_add_pmkid(pmksa->sm, entry->network_ctx, entry->aa,
806 entry->pmkid,
807 entry->fils_cache_id_set ?
808 entry->fils_cache_id : NULL,
809 entry->pmk, entry->pmk_len, life_time,
810 reauth_threshold, entry->akmp);
811 }
812 }
813
814 #endif /* IEEE8021X_EAPOL */
815