xref: /freebsd/contrib/wpa/src/ap/pmksa_cache_auth.c (revision 74d9553e43cfafc29448d0bb836916aa21dea0de)
1 /*
2  * hostapd - PMKSA cache for IEEE 802.11i RSN
3  * Copyright (c) 2004-2008, 2012-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "eapol_auth/eapol_auth_sm.h"
14 #include "eapol_auth/eapol_auth_sm_i.h"
15 #include "radius/radius_das.h"
16 #include "sta_info.h"
17 #include "ap_config.h"
18 #include "pmksa_cache_auth.h"
19 
20 
21 static const int pmksa_cache_max_entries = 1024;
22 static const int dot11RSNAConfigPMKLifetime = 43200;
23 
24 struct rsn_pmksa_cache {
25 #define PMKID_HASH_SIZE 128
26 #define PMKID_HASH(pmkid) (unsigned int) ((pmkid)[0] & 0x7f)
27 	struct rsn_pmksa_cache_entry *pmkid[PMKID_HASH_SIZE];
28 	struct rsn_pmksa_cache_entry *pmksa;
29 	int pmksa_count;
30 
31 	void (*free_cb)(struct rsn_pmksa_cache_entry *entry, void *ctx);
32 	void *ctx;
33 };
34 
35 
36 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa);
37 
38 
39 static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry *entry)
40 {
41 	os_free(entry->identity);
42 	wpabuf_free(entry->cui);
43 #ifndef CONFIG_NO_RADIUS
44 	radius_free_class(&entry->radius_class);
45 #endif /* CONFIG_NO_RADIUS */
46 	bin_clear_free(entry, sizeof(*entry));
47 }
48 
49 
50 void pmksa_cache_free_entry(struct rsn_pmksa_cache *pmksa,
51 			    struct rsn_pmksa_cache_entry *entry)
52 {
53 	struct rsn_pmksa_cache_entry *pos, *prev;
54 	unsigned int hash;
55 
56 	pmksa->pmksa_count--;
57 	pmksa->free_cb(entry, pmksa->ctx);
58 
59 	/* unlink from hash list */
60 	hash = PMKID_HASH(entry->pmkid);
61 	pos = pmksa->pmkid[hash];
62 	prev = NULL;
63 	while (pos) {
64 		if (pos == entry) {
65 			if (prev != NULL)
66 				prev->hnext = entry->hnext;
67 			else
68 				pmksa->pmkid[hash] = entry->hnext;
69 			break;
70 		}
71 		prev = pos;
72 		pos = pos->hnext;
73 	}
74 
75 	/* unlink from entry list */
76 	pos = pmksa->pmksa;
77 	prev = NULL;
78 	while (pos) {
79 		if (pos == entry) {
80 			if (prev != NULL)
81 				prev->next = entry->next;
82 			else
83 				pmksa->pmksa = entry->next;
84 			break;
85 		}
86 		prev = pos;
87 		pos = pos->next;
88 	}
89 
90 	_pmksa_cache_free_entry(entry);
91 }
92 
93 
94 static void pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
95 {
96 	struct rsn_pmksa_cache *pmksa = eloop_ctx;
97 	struct os_reltime now;
98 
99 	os_get_reltime(&now);
100 	while (pmksa->pmksa && pmksa->pmksa->expiration <= now.sec) {
101 		wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
102 			   MACSTR, MAC2STR(pmksa->pmksa->spa));
103 		pmksa_cache_free_entry(pmksa, pmksa->pmksa);
104 	}
105 
106 	pmksa_cache_set_expiration(pmksa);
107 }
108 
109 
110 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa)
111 {
112 	int sec;
113 	struct os_reltime now;
114 
115 	eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
116 	if (pmksa->pmksa == NULL)
117 		return;
118 	os_get_reltime(&now);
119 	sec = pmksa->pmksa->expiration - now.sec;
120 	if (sec < 0)
121 		sec = 0;
122 	eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, pmksa, NULL);
123 }
124 
125 
126 static void pmksa_cache_from_eapol_data(struct rsn_pmksa_cache_entry *entry,
127 					struct eapol_state_machine *eapol)
128 {
129 	if (eapol == NULL)
130 		return;
131 
132 	if (eapol->identity) {
133 		entry->identity = os_malloc(eapol->identity_len);
134 		if (entry->identity) {
135 			entry->identity_len = eapol->identity_len;
136 			os_memcpy(entry->identity, eapol->identity,
137 				  eapol->identity_len);
138 		}
139 	}
140 
141 	if (eapol->radius_cui)
142 		entry->cui = wpabuf_dup(eapol->radius_cui);
143 
144 #ifndef CONFIG_NO_RADIUS
145 	radius_copy_class(&entry->radius_class, &eapol->radius_class);
146 #endif /* CONFIG_NO_RADIUS */
147 
148 	entry->eap_type_authsrv = eapol->eap_type_authsrv;
149 	entry->vlan_id = ((struct sta_info *) eapol->sta)->vlan_id;
150 
151 	entry->acct_multi_session_id_hi = eapol->acct_multi_session_id_hi;
152 	entry->acct_multi_session_id_lo = eapol->acct_multi_session_id_lo;
153 }
154 
155 
156 void pmksa_cache_to_eapol_data(struct rsn_pmksa_cache_entry *entry,
157 			       struct eapol_state_machine *eapol)
158 {
159 	if (entry == NULL || eapol == NULL)
160 		return;
161 
162 	if (entry->identity) {
163 		os_free(eapol->identity);
164 		eapol->identity = os_malloc(entry->identity_len);
165 		if (eapol->identity) {
166 			eapol->identity_len = entry->identity_len;
167 			os_memcpy(eapol->identity, entry->identity,
168 				  entry->identity_len);
169 		}
170 		wpa_hexdump_ascii(MSG_DEBUG, "STA identity from PMKSA",
171 				  eapol->identity, eapol->identity_len);
172 	}
173 
174 	if (entry->cui) {
175 		wpabuf_free(eapol->radius_cui);
176 		eapol->radius_cui = wpabuf_dup(entry->cui);
177 	}
178 
179 #ifndef CONFIG_NO_RADIUS
180 	radius_free_class(&eapol->radius_class);
181 	radius_copy_class(&eapol->radius_class, &entry->radius_class);
182 #endif /* CONFIG_NO_RADIUS */
183 	if (eapol->radius_class.attr) {
184 		wpa_printf(MSG_DEBUG, "Copied %lu Class attribute(s) from "
185 			   "PMKSA", (unsigned long) eapol->radius_class.count);
186 	}
187 
188 	eapol->eap_type_authsrv = entry->eap_type_authsrv;
189 	((struct sta_info *) eapol->sta)->vlan_id = entry->vlan_id;
190 
191 	eapol->acct_multi_session_id_hi = entry->acct_multi_session_id_hi;
192 	eapol->acct_multi_session_id_lo = entry->acct_multi_session_id_lo;
193 }
194 
195 
196 static void pmksa_cache_link_entry(struct rsn_pmksa_cache *pmksa,
197 				   struct rsn_pmksa_cache_entry *entry)
198 {
199 	struct rsn_pmksa_cache_entry *pos, *prev;
200 	int hash;
201 
202 	/* Add the new entry; order by expiration time */
203 	pos = pmksa->pmksa;
204 	prev = NULL;
205 	while (pos) {
206 		if (pos->expiration > entry->expiration)
207 			break;
208 		prev = pos;
209 		pos = pos->next;
210 	}
211 	if (prev == NULL) {
212 		entry->next = pmksa->pmksa;
213 		pmksa->pmksa = entry;
214 	} else {
215 		entry->next = prev->next;
216 		prev->next = entry;
217 	}
218 
219 	hash = PMKID_HASH(entry->pmkid);
220 	entry->hnext = pmksa->pmkid[hash];
221 	pmksa->pmkid[hash] = entry;
222 
223 	pmksa->pmksa_count++;
224 	if (prev == NULL)
225 		pmksa_cache_set_expiration(pmksa);
226 	wpa_printf(MSG_DEBUG, "RSN: added PMKSA cache entry for " MACSTR,
227 		   MAC2STR(entry->spa));
228 	wpa_hexdump(MSG_DEBUG, "RSN: added PMKID", entry->pmkid, PMKID_LEN);
229 }
230 
231 
232 /**
233  * pmksa_cache_auth_add - Add a PMKSA cache entry
234  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
235  * @pmk: The new pairwise master key
236  * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
237  * @kck: Key confirmation key or %NULL if not yet derived
238  * @kck_len: KCK length in bytes
239  * @aa: Authenticator address
240  * @spa: Supplicant address
241  * @session_timeout: Session timeout
242  * @eapol: Pointer to EAPOL state machine data
243  * @akmp: WPA_KEY_MGMT_* used in key derivation
244  * Returns: Pointer to the added PMKSA cache entry or %NULL on error
245  *
246  * This function create a PMKSA entry for a new PMK and adds it to the PMKSA
247  * cache. If an old entry is already in the cache for the same Supplicant,
248  * this entry will be replaced with the new entry. PMKID will be calculated
249  * based on the PMK.
250  */
251 struct rsn_pmksa_cache_entry *
252 pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
253 		     const u8 *pmk, size_t pmk_len,
254 		     const u8 *kck, size_t kck_len,
255 		     const u8 *aa, const u8 *spa, int session_timeout,
256 		     struct eapol_state_machine *eapol, int akmp)
257 {
258 	struct rsn_pmksa_cache_entry *entry, *pos;
259 	struct os_reltime now;
260 
261 	if (pmk_len > PMK_LEN)
262 		return NULL;
263 
264 	if (wpa_key_mgmt_suite_b(akmp) && !kck)
265 		return NULL;
266 
267 	entry = os_zalloc(sizeof(*entry));
268 	if (entry == NULL)
269 		return NULL;
270 	os_memcpy(entry->pmk, pmk, pmk_len);
271 	entry->pmk_len = pmk_len;
272 	if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
273 		rsn_pmkid_suite_b_192(kck, kck_len, aa, spa, entry->pmkid);
274 	else if (wpa_key_mgmt_suite_b(akmp))
275 		rsn_pmkid_suite_b(kck, kck_len, aa, spa, entry->pmkid);
276 	else
277 		rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid,
278 			  wpa_key_mgmt_sha256(akmp));
279 	os_get_reltime(&now);
280 	entry->expiration = now.sec;
281 	if (session_timeout > 0)
282 		entry->expiration += session_timeout;
283 	else
284 		entry->expiration += dot11RSNAConfigPMKLifetime;
285 	entry->akmp = akmp;
286 	os_memcpy(entry->spa, spa, ETH_ALEN);
287 	pmksa_cache_from_eapol_data(entry, eapol);
288 
289 	/* Replace an old entry for the same STA (if found) with the new entry
290 	 */
291 	pos = pmksa_cache_auth_get(pmksa, spa, NULL);
292 	if (pos)
293 		pmksa_cache_free_entry(pmksa, pos);
294 
295 	if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) {
296 		/* Remove the oldest entry to make room for the new entry */
297 		wpa_printf(MSG_DEBUG, "RSN: removed the oldest PMKSA cache "
298 			   "entry (for " MACSTR ") to make room for new one",
299 			   MAC2STR(pmksa->pmksa->spa));
300 		pmksa_cache_free_entry(pmksa, pmksa->pmksa);
301 	}
302 
303 	pmksa_cache_link_entry(pmksa, entry);
304 
305 	return entry;
306 }
307 
308 
309 struct rsn_pmksa_cache_entry *
310 pmksa_cache_add_okc(struct rsn_pmksa_cache *pmksa,
311 		    const struct rsn_pmksa_cache_entry *old_entry,
312 		    const u8 *aa, const u8 *pmkid)
313 {
314 	struct rsn_pmksa_cache_entry *entry;
315 
316 	entry = os_zalloc(sizeof(*entry));
317 	if (entry == NULL)
318 		return NULL;
319 	os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
320 	os_memcpy(entry->pmk, old_entry->pmk, old_entry->pmk_len);
321 	entry->pmk_len = old_entry->pmk_len;
322 	entry->expiration = old_entry->expiration;
323 	entry->akmp = old_entry->akmp;
324 	os_memcpy(entry->spa, old_entry->spa, ETH_ALEN);
325 	entry->opportunistic = 1;
326 	if (old_entry->identity) {
327 		entry->identity = os_malloc(old_entry->identity_len);
328 		if (entry->identity) {
329 			entry->identity_len = old_entry->identity_len;
330 			os_memcpy(entry->identity, old_entry->identity,
331 				  old_entry->identity_len);
332 		}
333 	}
334 	if (old_entry->cui)
335 		entry->cui = wpabuf_dup(old_entry->cui);
336 #ifndef CONFIG_NO_RADIUS
337 	radius_copy_class(&entry->radius_class, &old_entry->radius_class);
338 #endif /* CONFIG_NO_RADIUS */
339 	entry->eap_type_authsrv = old_entry->eap_type_authsrv;
340 	entry->vlan_id = old_entry->vlan_id;
341 	entry->opportunistic = 1;
342 
343 	pmksa_cache_link_entry(pmksa, entry);
344 
345 	return entry;
346 }
347 
348 
349 /**
350  * pmksa_cache_auth_deinit - Free all entries in PMKSA cache
351  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
352  */
353 void pmksa_cache_auth_deinit(struct rsn_pmksa_cache *pmksa)
354 {
355 	struct rsn_pmksa_cache_entry *entry, *prev;
356 	int i;
357 
358 	if (pmksa == NULL)
359 		return;
360 
361 	entry = pmksa->pmksa;
362 	while (entry) {
363 		prev = entry;
364 		entry = entry->next;
365 		_pmksa_cache_free_entry(prev);
366 	}
367 	eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
368 	pmksa->pmksa_count = 0;
369 	pmksa->pmksa = NULL;
370 	for (i = 0; i < PMKID_HASH_SIZE; i++)
371 		pmksa->pmkid[i] = NULL;
372 	os_free(pmksa);
373 }
374 
375 
376 /**
377  * pmksa_cache_auth_get - Fetch a PMKSA cache entry
378  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
379  * @spa: Supplicant address or %NULL to match any
380  * @pmkid: PMKID or %NULL to match any
381  * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
382  */
383 struct rsn_pmksa_cache_entry *
384 pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
385 		     const u8 *spa, const u8 *pmkid)
386 {
387 	struct rsn_pmksa_cache_entry *entry;
388 
389 	if (pmkid) {
390 		for (entry = pmksa->pmkid[PMKID_HASH(pmkid)]; entry;
391 		     entry = entry->hnext) {
392 			if ((spa == NULL ||
393 			     os_memcmp(entry->spa, spa, ETH_ALEN) == 0) &&
394 			    os_memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0)
395 				return entry;
396 		}
397 	} else {
398 		for (entry = pmksa->pmksa; entry; entry = entry->next) {
399 			if (spa == NULL ||
400 			    os_memcmp(entry->spa, spa, ETH_ALEN) == 0)
401 				return entry;
402 		}
403 	}
404 
405 	return NULL;
406 }
407 
408 
409 /**
410  * pmksa_cache_get_okc - Fetch a PMKSA cache entry using OKC
411  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
412  * @aa: Authenticator address
413  * @spa: Supplicant address
414  * @pmkid: PMKID
415  * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
416  *
417  * Use opportunistic key caching (OKC) to find a PMK for a supplicant.
418  */
419 struct rsn_pmksa_cache_entry * pmksa_cache_get_okc(
420 	struct rsn_pmksa_cache *pmksa, const u8 *aa, const u8 *spa,
421 	const u8 *pmkid)
422 {
423 	struct rsn_pmksa_cache_entry *entry;
424 	u8 new_pmkid[PMKID_LEN];
425 
426 	for (entry = pmksa->pmksa; entry; entry = entry->next) {
427 		if (os_memcmp(entry->spa, spa, ETH_ALEN) != 0)
428 			continue;
429 		rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa, new_pmkid,
430 			  wpa_key_mgmt_sha256(entry->akmp));
431 		if (os_memcmp(new_pmkid, pmkid, PMKID_LEN) == 0)
432 			return entry;
433 	}
434 	return NULL;
435 }
436 
437 
438 /**
439  * pmksa_cache_auth_init - Initialize PMKSA cache
440  * @free_cb: Callback function to be called when a PMKSA cache entry is freed
441  * @ctx: Context pointer for free_cb function
442  * Returns: Pointer to PMKSA cache data or %NULL on failure
443  */
444 struct rsn_pmksa_cache *
445 pmksa_cache_auth_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
446 				      void *ctx), void *ctx)
447 {
448 	struct rsn_pmksa_cache *pmksa;
449 
450 	pmksa = os_zalloc(sizeof(*pmksa));
451 	if (pmksa) {
452 		pmksa->free_cb = free_cb;
453 		pmksa->ctx = ctx;
454 	}
455 
456 	return pmksa;
457 }
458 
459 
460 static int das_attr_match(struct rsn_pmksa_cache_entry *entry,
461 			  struct radius_das_attrs *attr)
462 {
463 	int match = 0;
464 
465 	if (attr->sta_addr) {
466 		if (os_memcmp(attr->sta_addr, entry->spa, ETH_ALEN) != 0)
467 			return 0;
468 		match++;
469 	}
470 
471 	if (attr->acct_multi_session_id) {
472 		char buf[20];
473 
474 		if (attr->acct_multi_session_id_len != 17)
475 			return 0;
476 		os_snprintf(buf, sizeof(buf), "%08X+%08X",
477 			    entry->acct_multi_session_id_hi,
478 			    entry->acct_multi_session_id_lo);
479 		if (os_memcmp(attr->acct_multi_session_id, buf, 17) != 0)
480 			return 0;
481 		match++;
482 	}
483 
484 	if (attr->cui) {
485 		if (!entry->cui ||
486 		    attr->cui_len != wpabuf_len(entry->cui) ||
487 		    os_memcmp(attr->cui, wpabuf_head(entry->cui),
488 			      attr->cui_len) != 0)
489 			return 0;
490 		match++;
491 	}
492 
493 	if (attr->user_name) {
494 		if (!entry->identity ||
495 		    attr->user_name_len != entry->identity_len ||
496 		    os_memcmp(attr->user_name, entry->identity,
497 			      attr->user_name_len) != 0)
498 			return 0;
499 		match++;
500 	}
501 
502 	return match;
503 }
504 
505 
506 int pmksa_cache_auth_radius_das_disconnect(struct rsn_pmksa_cache *pmksa,
507 					   struct radius_das_attrs *attr)
508 {
509 	int found = 0;
510 	struct rsn_pmksa_cache_entry *entry, *prev;
511 
512 	if (attr->acct_session_id)
513 		return -1;
514 
515 	entry = pmksa->pmksa;
516 	while (entry) {
517 		if (das_attr_match(entry, attr)) {
518 			found++;
519 			prev = entry;
520 			entry = entry->next;
521 			pmksa_cache_free_entry(pmksa, prev);
522 			continue;
523 		}
524 		entry = entry->next;
525 	}
526 
527 	return found ? 0 : -1;
528 }
529