xref: /freebsd/contrib/wpa/src/rsn_supp/pmksa_cache.c (revision d5b0e70f7e04d971691517ce1304d86a1e367e2e)
1 /*
2  * WPA Supplicant - RSN PMKSA cache
3  * Copyright (c) 2004-2009, 2011-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "eloop.h"
13 #include "eapol_supp/eapol_supp_sm.h"
14 #include "wpa.h"
15 #include "wpa_i.h"
16 #include "pmksa_cache.h"
17 
18 #if defined(IEEE8021X_EAPOL) && !defined(CONFIG_NO_WPA)
19 
20 static const int pmksa_cache_max_entries = 32;
21 
22 struct rsn_pmksa_cache {
23 	struct rsn_pmksa_cache_entry *pmksa; /* PMKSA cache */
24 	int pmksa_count; /* number of entries in PMKSA cache */
25 	struct wpa_sm *sm; /* TODO: get rid of this reference(?) */
26 
27 	void (*free_cb)(struct rsn_pmksa_cache_entry *entry, void *ctx,
28 			enum pmksa_free_reason reason);
29 	bool (*is_current_cb)(struct rsn_pmksa_cache_entry *entry,
30 			      void *ctx);
31 	void *ctx;
32 };
33 
34 
35 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa);
36 
37 
38 static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry *entry)
39 {
40 	bin_clear_free(entry, sizeof(*entry));
41 }
42 
43 
44 static void pmksa_cache_free_entry(struct rsn_pmksa_cache *pmksa,
45 				   struct rsn_pmksa_cache_entry *entry,
46 				   enum pmksa_free_reason reason)
47 {
48 	wpa_sm_remove_pmkid(pmksa->sm, entry->network_ctx, entry->aa,
49 			    entry->pmkid,
50 			    entry->fils_cache_id_set ? entry->fils_cache_id :
51 			    NULL);
52 	pmksa->pmksa_count--;
53 	pmksa->free_cb(entry, pmksa->ctx, reason);
54 	_pmksa_cache_free_entry(entry);
55 }
56 
57 
58 static void pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
59 {
60 	struct rsn_pmksa_cache *pmksa = eloop_ctx;
61 	struct os_reltime now;
62 	struct rsn_pmksa_cache_entry *prev = NULL, *tmp;
63 	struct rsn_pmksa_cache_entry *entry = pmksa->pmksa;
64 
65 	os_get_reltime(&now);
66 	while (entry && entry->expiration <= now.sec) {
67 		if (wpa_key_mgmt_sae(entry->akmp) &&
68 		    pmksa->is_current_cb(entry, pmksa->ctx)) {
69 			/* Do not expire the currently used PMKSA entry for SAE
70 			 * since there is no convenient mechanism for
71 			 * reauthenticating during an association with SAE. The
72 			 * expired entry will be removed after this association
73 			 * has been lost. */
74 			wpa_printf(MSG_DEBUG,
75 				   "RSN: postpone PMKSA cache entry expiration for SAE with "
76 				   MACSTR, MAC2STR(entry->aa));
77 			prev = entry;
78 			entry = entry->next;
79 			continue;
80 		}
81 
82 		wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
83 			   MACSTR, MAC2STR(entry->aa));
84 		if (prev)
85 			prev->next = entry->next;
86 		else
87 			pmksa->pmksa = entry->next;
88 		tmp = entry;
89 		entry = entry->next;
90 		pmksa_cache_free_entry(pmksa, tmp, PMKSA_EXPIRE);
91 	}
92 
93 	pmksa_cache_set_expiration(pmksa);
94 }
95 
96 
97 static void pmksa_cache_reauth(void *eloop_ctx, void *timeout_ctx)
98 {
99 	struct rsn_pmksa_cache *pmksa = eloop_ctx;
100 	pmksa->sm->cur_pmksa = NULL;
101 	eapol_sm_request_reauth(pmksa->sm->eapol);
102 }
103 
104 
105 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa)
106 {
107 	int sec;
108 	struct rsn_pmksa_cache_entry *entry;
109 	struct os_reltime now;
110 
111 	eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
112 	eloop_cancel_timeout(pmksa_cache_reauth, pmksa, NULL);
113 	if (pmksa->pmksa == NULL)
114 		return;
115 	os_get_reltime(&now);
116 	sec = pmksa->pmksa->expiration - now.sec;
117 	if (sec < 0) {
118 		sec = 0;
119 		if (wpa_key_mgmt_sae(pmksa->pmksa->akmp) &&
120 		    pmksa->is_current_cb(pmksa->pmksa, pmksa->ctx)) {
121 			/* Do not continue polling for the current PMKSA entry
122 			 * from SAE to expire every second. Use the expiration
123 			 * time to the following entry, if any, and wait at
124 			 * maximum 10 minutes to check again.
125 			 */
126 			entry = pmksa->pmksa->next;
127 			if (entry) {
128 				sec = entry->expiration - now.sec;
129 				if (sec < 0)
130 					sec = 0;
131 				else if (sec > 600)
132 					sec = 600;
133 			} else {
134 				sec = 600;
135 			}
136 		}
137 	}
138 	eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, pmksa, NULL);
139 
140 	entry = pmksa->sm->cur_pmksa ? pmksa->sm->cur_pmksa :
141 		pmksa_cache_get(pmksa, pmksa->sm->bssid, NULL, NULL, 0);
142 	if (entry && !wpa_key_mgmt_sae(entry->akmp)) {
143 		sec = pmksa->pmksa->reauth_time - now.sec;
144 		if (sec < 0)
145 			sec = 0;
146 		eloop_register_timeout(sec, 0, pmksa_cache_reauth, pmksa,
147 				       NULL);
148 	}
149 }
150 
151 
152 /**
153  * pmksa_cache_add - Add a PMKSA cache entry
154  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
155  * @pmk: The new pairwise master key
156  * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
157  * @pmkid: Calculated PMKID
158  * @kck: Key confirmation key or %NULL if not yet derived
159  * @kck_len: KCK length in bytes
160  * @aa: Authenticator address
161  * @spa: Supplicant address
162  * @network_ctx: Network configuration context for this PMK
163  * @akmp: WPA_KEY_MGMT_* used in key derivation
164  * @cache_id: Pointer to FILS Cache Identifier or %NULL if not advertised
165  * Returns: Pointer to the added PMKSA cache entry or %NULL on error
166  *
167  * This function create a PMKSA entry for a new PMK and adds it to the PMKSA
168  * cache. If an old entry is already in the cache for the same Authenticator,
169  * this entry will be replaced with the new entry. PMKID will be calculated
170  * based on the PMK and the driver interface is notified of the new PMKID.
171  */
172 struct rsn_pmksa_cache_entry *
173 pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len,
174 		const u8 *pmkid, const u8 *kck, size_t kck_len,
175 		const u8 *aa, const u8 *spa, void *network_ctx, int akmp,
176 		const u8 *cache_id)
177 {
178 	struct rsn_pmksa_cache_entry *entry;
179 	struct os_reltime now;
180 
181 	if (pmk_len > PMK_LEN_MAX)
182 		return NULL;
183 
184 	if (wpa_key_mgmt_suite_b(akmp) && !kck)
185 		return NULL;
186 
187 	entry = os_zalloc(sizeof(*entry));
188 	if (entry == NULL)
189 		return NULL;
190 	os_memcpy(entry->pmk, pmk, pmk_len);
191 	entry->pmk_len = pmk_len;
192 	if (pmkid)
193 		os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
194 	else if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
195 		rsn_pmkid_suite_b_192(kck, kck_len, aa, spa, entry->pmkid);
196 	else if (wpa_key_mgmt_suite_b(akmp))
197 		rsn_pmkid_suite_b(kck, kck_len, aa, spa, entry->pmkid);
198 	else
199 		rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid, akmp);
200 	os_get_reltime(&now);
201 	entry->expiration = now.sec + pmksa->sm->dot11RSNAConfigPMKLifetime;
202 	entry->reauth_time = now.sec + pmksa->sm->dot11RSNAConfigPMKLifetime *
203 		pmksa->sm->dot11RSNAConfigPMKReauthThreshold / 100;
204 	entry->akmp = akmp;
205 	if (cache_id) {
206 		entry->fils_cache_id_set = 1;
207 		os_memcpy(entry->fils_cache_id, cache_id, FILS_CACHE_ID_LEN);
208 	}
209 	os_memcpy(entry->aa, aa, ETH_ALEN);
210 	entry->network_ctx = network_ctx;
211 
212 	return pmksa_cache_add_entry(pmksa, entry);
213 }
214 
215 
216 struct rsn_pmksa_cache_entry *
217 pmksa_cache_add_entry(struct rsn_pmksa_cache *pmksa,
218 		      struct rsn_pmksa_cache_entry *entry)
219 {
220 	struct rsn_pmksa_cache_entry *pos, *prev;
221 
222 	/* Replace an old entry for the same Authenticator (if found) with the
223 	 * new entry */
224 	pos = pmksa->pmksa;
225 	prev = NULL;
226 	while (pos) {
227 		if (os_memcmp(entry->aa, pos->aa, ETH_ALEN) == 0) {
228 			if (pos->pmk_len == entry->pmk_len &&
229 			    os_memcmp_const(pos->pmk, entry->pmk,
230 					    entry->pmk_len) == 0 &&
231 			    os_memcmp_const(pos->pmkid, entry->pmkid,
232 					    PMKID_LEN) == 0) {
233 				wpa_printf(MSG_DEBUG, "WPA: reusing previous "
234 					   "PMKSA entry");
235 				os_free(entry);
236 				return pos;
237 			}
238 			if (prev == NULL)
239 				pmksa->pmksa = pos->next;
240 			else
241 				prev->next = pos->next;
242 
243 			/*
244 			 * If OKC is used, there may be other PMKSA cache
245 			 * entries based on the same PMK. These needs to be
246 			 * flushed so that a new entry can be created based on
247 			 * the new PMK. Only clear other entries if they have a
248 			 * matching PMK and this PMK has been used successfully
249 			 * with the current AP, i.e., if opportunistic flag has
250 			 * been cleared in wpa_supplicant_key_neg_complete().
251 			 */
252 			wpa_printf(MSG_DEBUG, "RSN: Replace PMKSA entry for "
253 				   "the current AP and any PMKSA cache entry "
254 				   "that was based on the old PMK");
255 			if (!pos->opportunistic)
256 				pmksa_cache_flush(pmksa, entry->network_ctx,
257 						  pos->pmk, pos->pmk_len,
258 						  false);
259 			pmksa_cache_free_entry(pmksa, pos, PMKSA_REPLACE);
260 			break;
261 		}
262 		prev = pos;
263 		pos = pos->next;
264 	}
265 
266 	if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) {
267 		/* Remove the oldest entry to make room for the new entry */
268 		pos = pmksa->pmksa;
269 
270 		if (pos == pmksa->sm->cur_pmksa) {
271 			/*
272 			 * Never remove the current PMKSA cache entry, since
273 			 * it's in use, and removing it triggers a needless
274 			 * deauthentication.
275 			 */
276 			pos = pos->next;
277 			pmksa->pmksa->next = pos ? pos->next : NULL;
278 		} else
279 			pmksa->pmksa = pos->next;
280 
281 		if (pos) {
282 			wpa_printf(MSG_DEBUG, "RSN: removed the oldest idle "
283 				   "PMKSA cache entry (for " MACSTR ") to "
284 				   "make room for new one",
285 				   MAC2STR(pos->aa));
286 			pmksa_cache_free_entry(pmksa, pos, PMKSA_FREE);
287 		}
288 	}
289 
290 	/* Add the new entry; order by expiration time */
291 	pos = pmksa->pmksa;
292 	prev = NULL;
293 	while (pos) {
294 		if (pos->expiration > entry->expiration)
295 			break;
296 		prev = pos;
297 		pos = pos->next;
298 	}
299 	if (prev == NULL) {
300 		entry->next = pmksa->pmksa;
301 		pmksa->pmksa = entry;
302 		pmksa_cache_set_expiration(pmksa);
303 	} else {
304 		entry->next = prev->next;
305 		prev->next = entry;
306 	}
307 	pmksa->pmksa_count++;
308 	wpa_printf(MSG_DEBUG, "RSN: Added PMKSA cache entry for " MACSTR
309 		   " network_ctx=%p akmp=0x%x", MAC2STR(entry->aa),
310 		   entry->network_ctx, entry->akmp);
311 	wpa_sm_add_pmkid(pmksa->sm, entry->network_ctx, entry->aa, entry->pmkid,
312 			 entry->fils_cache_id_set ? entry->fils_cache_id : NULL,
313 			 entry->pmk, entry->pmk_len,
314 			 pmksa->sm->dot11RSNAConfigPMKLifetime,
315 			 pmksa->sm->dot11RSNAConfigPMKReauthThreshold,
316 			 entry->akmp);
317 
318 	return entry;
319 }
320 
321 
322 /**
323  * pmksa_cache_flush - Flush PMKSA cache entries for a specific network
324  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
325  * @network_ctx: Network configuration context or %NULL to flush all entries
326  * @pmk: PMK to match for or %NULL to match all PMKs
327  * @pmk_len: PMK length
328  * @external_only: Flush only PMKSA cache entries configured by external
329  * applications
330  */
331 void pmksa_cache_flush(struct rsn_pmksa_cache *pmksa, void *network_ctx,
332 		       const u8 *pmk, size_t pmk_len, bool external_only)
333 {
334 	struct rsn_pmksa_cache_entry *entry, *prev = NULL, *tmp;
335 	int removed = 0;
336 
337 	entry = pmksa->pmksa;
338 	while (entry) {
339 		if ((entry->network_ctx == network_ctx ||
340 		     network_ctx == NULL) &&
341 		    (pmk == NULL ||
342 		     (pmk_len == entry->pmk_len &&
343 		      os_memcmp(pmk, entry->pmk, pmk_len) == 0)) &&
344 		    (!external_only || entry->external)) {
345 			wpa_printf(MSG_DEBUG, "RSN: Flush PMKSA cache entry "
346 				   "for " MACSTR, MAC2STR(entry->aa));
347 			if (prev)
348 				prev->next = entry->next;
349 			else
350 				pmksa->pmksa = entry->next;
351 			tmp = entry;
352 			entry = entry->next;
353 			pmksa_cache_free_entry(pmksa, tmp, PMKSA_FREE);
354 			removed++;
355 		} else {
356 			prev = entry;
357 			entry = entry->next;
358 		}
359 	}
360 	if (removed)
361 		pmksa_cache_set_expiration(pmksa);
362 }
363 
364 
365 /**
366  * pmksa_cache_deinit - Free all entries in PMKSA cache
367  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
368  */
369 void pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa)
370 {
371 	struct rsn_pmksa_cache_entry *entry, *prev;
372 
373 	if (pmksa == NULL)
374 		return;
375 
376 	entry = pmksa->pmksa;
377 	pmksa->pmksa = NULL;
378 	while (entry) {
379 		prev = entry;
380 		entry = entry->next;
381 		os_free(prev);
382 	}
383 	pmksa_cache_set_expiration(pmksa);
384 	os_free(pmksa);
385 }
386 
387 
388 /**
389  * pmksa_cache_get - Fetch a PMKSA cache entry
390  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
391  * @aa: Authenticator address or %NULL to match any
392  * @pmkid: PMKID or %NULL to match any
393  * @network_ctx: Network context or %NULL to match any
394  * @akmp: Specific AKMP to search for or 0 for any
395  * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
396  */
397 struct rsn_pmksa_cache_entry * pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
398 					       const u8 *aa, const u8 *pmkid,
399 					       const void *network_ctx,
400 					       int akmp)
401 {
402 	struct rsn_pmksa_cache_entry *entry = pmksa->pmksa;
403 	while (entry) {
404 		if ((aa == NULL || os_memcmp(entry->aa, aa, ETH_ALEN) == 0) &&
405 		    (pmkid == NULL ||
406 		     os_memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0) &&
407 		    (!akmp || akmp == entry->akmp) &&
408 		    (network_ctx == NULL || network_ctx == entry->network_ctx))
409 			return entry;
410 		entry = entry->next;
411 	}
412 	return NULL;
413 }
414 
415 
416 static struct rsn_pmksa_cache_entry *
417 pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
418 			const struct rsn_pmksa_cache_entry *old_entry,
419 			const u8 *aa)
420 {
421 	struct rsn_pmksa_cache_entry *new_entry;
422 	os_time_t old_expiration = old_entry->expiration;
423 	os_time_t old_reauth_time = old_entry->reauth_time;
424 	const u8 *pmkid = NULL;
425 
426 	if (wpa_key_mgmt_sae(old_entry->akmp) ||
427 	    wpa_key_mgmt_fils(old_entry->akmp))
428 		pmkid = old_entry->pmkid;
429 	new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len,
430 				    pmkid, NULL, 0,
431 				    aa, pmksa->sm->own_addr,
432 				    old_entry->network_ctx, old_entry->akmp,
433 				    old_entry->fils_cache_id_set ?
434 				    old_entry->fils_cache_id : NULL);
435 	if (new_entry == NULL)
436 		return NULL;
437 
438 	/* TODO: reorder entries based on expiration time? */
439 	new_entry->expiration = old_expiration;
440 	new_entry->reauth_time = old_reauth_time;
441 	new_entry->opportunistic = 1;
442 
443 	return new_entry;
444 }
445 
446 
447 /**
448  * pmksa_cache_get_opportunistic - Try to get an opportunistic PMKSA entry
449  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
450  * @network_ctx: Network configuration context
451  * @aa: Authenticator address for the new AP
452  * @akmp: Specific AKMP to search for or 0 for any
453  * Returns: Pointer to a new PMKSA cache entry or %NULL if not available
454  *
455  * Try to create a new PMKSA cache entry opportunistically by guessing that the
456  * new AP is sharing the same PMK as another AP that has the same SSID and has
457  * already an entry in PMKSA cache.
458  */
459 struct rsn_pmksa_cache_entry *
460 pmksa_cache_get_opportunistic(struct rsn_pmksa_cache *pmksa, void *network_ctx,
461 			      const u8 *aa, int akmp)
462 {
463 	struct rsn_pmksa_cache_entry *entry = pmksa->pmksa;
464 
465 	wpa_printf(MSG_DEBUG, "RSN: Consider " MACSTR " for OKC", MAC2STR(aa));
466 	if (network_ctx == NULL)
467 		return NULL;
468 	while (entry) {
469 		if (entry->network_ctx == network_ctx &&
470 		    (!akmp || entry->akmp == akmp)) {
471 			struct os_reltime now;
472 
473 			if (wpa_key_mgmt_sae(entry->akmp) &&
474 			    os_get_reltime(&now) == 0 &&
475 			    entry->reauth_time < now.sec) {
476 				wpa_printf(MSG_DEBUG,
477 					   "RSN: Do not clone PMKSA cache entry for "
478 					   MACSTR
479 					   " since its reauth threshold has passed",
480 					   MAC2STR(entry->aa));
481 				entry = entry->next;
482 				continue;
483 			}
484 
485 			entry = pmksa_cache_clone_entry(pmksa, entry, aa);
486 			if (entry) {
487 				wpa_printf(MSG_DEBUG, "RSN: added "
488 					   "opportunistic PMKSA cache entry "
489 					   "for " MACSTR, MAC2STR(aa));
490 			}
491 			return entry;
492 		}
493 		entry = entry->next;
494 	}
495 	return NULL;
496 }
497 
498 
499 static struct rsn_pmksa_cache_entry *
500 pmksa_cache_get_fils_cache_id(struct rsn_pmksa_cache *pmksa,
501 			      const void *network_ctx, const u8 *cache_id)
502 {
503 	struct rsn_pmksa_cache_entry *entry;
504 
505 	for (entry = pmksa->pmksa; entry; entry = entry->next) {
506 		if (network_ctx == entry->network_ctx &&
507 		    entry->fils_cache_id_set &&
508 		    os_memcmp(cache_id, entry->fils_cache_id,
509 			      FILS_CACHE_ID_LEN) == 0)
510 			return entry;
511 	}
512 
513 	return NULL;
514 }
515 
516 
517 /**
518  * pmksa_cache_get_current - Get the current used PMKSA entry
519  * @sm: Pointer to WPA state machine data from wpa_sm_init()
520  * Returns: Pointer to the current PMKSA cache entry or %NULL if not available
521  */
522 struct rsn_pmksa_cache_entry * pmksa_cache_get_current(struct wpa_sm *sm)
523 {
524 	if (sm == NULL)
525 		return NULL;
526 	return sm->cur_pmksa;
527 }
528 
529 
530 /**
531  * pmksa_cache_clear_current - Clear the current PMKSA entry selection
532  * @sm: Pointer to WPA state machine data from wpa_sm_init()
533  */
534 void pmksa_cache_clear_current(struct wpa_sm *sm)
535 {
536 	if (sm == NULL)
537 		return;
538 	if (sm->cur_pmksa)
539 		wpa_printf(MSG_DEBUG,
540 			   "RSN: Clear current PMKSA entry selection");
541 	sm->cur_pmksa = NULL;
542 }
543 
544 
545 /**
546  * pmksa_cache_set_current - Set the current PMKSA entry selection
547  * @sm: Pointer to WPA state machine data from wpa_sm_init()
548  * @pmkid: PMKID for selecting PMKSA or %NULL if not used
549  * @bssid: BSSID for PMKSA or %NULL if not used
550  * @network_ctx: Network configuration context
551  * @try_opportunistic: Whether to allow opportunistic PMKSA caching
552  * @fils_cache_id: Pointer to FILS Cache Identifier or %NULL if not used
553  * Returns: 0 if PMKSA was found or -1 if no matching entry was found
554  */
555 int pmksa_cache_set_current(struct wpa_sm *sm, const u8 *pmkid,
556 			    const u8 *bssid, void *network_ctx,
557 			    int try_opportunistic, const u8 *fils_cache_id,
558 			    int akmp)
559 {
560 	struct rsn_pmksa_cache *pmksa = sm->pmksa;
561 	wpa_printf(MSG_DEBUG, "RSN: PMKSA cache search - network_ctx=%p "
562 		   "try_opportunistic=%d akmp=0x%x",
563 		   network_ctx, try_opportunistic, akmp);
564 	if (pmkid)
565 		wpa_hexdump(MSG_DEBUG, "RSN: Search for PMKID",
566 			    pmkid, PMKID_LEN);
567 	if (bssid)
568 		wpa_printf(MSG_DEBUG, "RSN: Search for BSSID " MACSTR,
569 			   MAC2STR(bssid));
570 	if (fils_cache_id)
571 		wpa_printf(MSG_DEBUG,
572 			   "RSN: Search for FILS Cache Identifier %02x%02x",
573 			   fils_cache_id[0], fils_cache_id[1]);
574 
575 	sm->cur_pmksa = NULL;
576 	if (pmkid)
577 		sm->cur_pmksa = pmksa_cache_get(pmksa, NULL, pmkid,
578 						network_ctx, akmp);
579 	if (sm->cur_pmksa == NULL && bssid)
580 		sm->cur_pmksa = pmksa_cache_get(pmksa, bssid, NULL,
581 						network_ctx, akmp);
582 	if (sm->cur_pmksa == NULL && try_opportunistic && bssid)
583 		sm->cur_pmksa = pmksa_cache_get_opportunistic(pmksa,
584 							      network_ctx,
585 							      bssid, akmp);
586 	if (sm->cur_pmksa == NULL && fils_cache_id)
587 		sm->cur_pmksa = pmksa_cache_get_fils_cache_id(pmksa,
588 							      network_ctx,
589 							      fils_cache_id);
590 	if (sm->cur_pmksa) {
591 		struct os_reltime now;
592 
593 		if (wpa_key_mgmt_sae(sm->cur_pmksa->akmp) &&
594 		    os_get_reltime(&now) == 0 &&
595 		    sm->cur_pmksa->reauth_time < now.sec) {
596 			wpa_printf(MSG_DEBUG,
597 				   "RSN: Do not allow PMKSA cache entry for "
598 				   MACSTR
599 				   " to be used for SAE since its reauth threshold has passed",
600 				   MAC2STR(sm->cur_pmksa->aa));
601 			sm->cur_pmksa = NULL;
602 			return -1;
603 		}
604 
605 		wpa_hexdump(MSG_DEBUG, "RSN: PMKSA cache entry found - PMKID",
606 			    sm->cur_pmksa->pmkid, PMKID_LEN);
607 		return 0;
608 	}
609 	wpa_printf(MSG_DEBUG, "RSN: No PMKSA cache entry found");
610 	return -1;
611 }
612 
613 
614 /**
615  * pmksa_cache_list - Dump text list of entries in PMKSA cache
616  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
617  * @buf: Buffer for the list
618  * @len: Length of the buffer
619  * Returns: number of bytes written to buffer
620  *
621  * This function is used to generate a text format representation of the
622  * current PMKSA cache contents for the ctrl_iface PMKSA command.
623  */
624 int pmksa_cache_list(struct rsn_pmksa_cache *pmksa, char *buf, size_t len)
625 {
626 	int i, ret;
627 	char *pos = buf;
628 	struct rsn_pmksa_cache_entry *entry;
629 	struct os_reltime now;
630 	int cache_id_used = 0;
631 
632 	for (entry = pmksa->pmksa; entry; entry = entry->next) {
633 		if (entry->fils_cache_id_set) {
634 			cache_id_used = 1;
635 			break;
636 		}
637 	}
638 
639 	os_get_reltime(&now);
640 	ret = os_snprintf(pos, buf + len - pos,
641 			  "Index / AA / PMKID / expiration (in seconds) / "
642 			  "opportunistic%s\n",
643 			  cache_id_used ? " / FILS Cache Identifier" : "");
644 	if (os_snprintf_error(buf + len - pos, ret))
645 		return pos - buf;
646 	pos += ret;
647 	i = 0;
648 	entry = pmksa->pmksa;
649 	while (entry) {
650 		i++;
651 		ret = os_snprintf(pos, buf + len - pos, "%d " MACSTR " ",
652 				  i, MAC2STR(entry->aa));
653 		if (os_snprintf_error(buf + len - pos, ret))
654 			return pos - buf;
655 		pos += ret;
656 		pos += wpa_snprintf_hex(pos, buf + len - pos, entry->pmkid,
657 					PMKID_LEN);
658 		ret = os_snprintf(pos, buf + len - pos, " %d %d",
659 				  (int) (entry->expiration - now.sec),
660 				  entry->opportunistic);
661 		if (os_snprintf_error(buf + len - pos, ret))
662 			return pos - buf;
663 		pos += ret;
664 		if (entry->fils_cache_id_set) {
665 			ret = os_snprintf(pos, buf + len - pos, " %02x%02x",
666 					  entry->fils_cache_id[0],
667 					  entry->fils_cache_id[1]);
668 			if (os_snprintf_error(buf + len - pos, ret))
669 				return pos - buf;
670 			pos += ret;
671 		}
672 		ret = os_snprintf(pos, buf + len - pos, "\n");
673 		if (os_snprintf_error(buf + len - pos, ret))
674 			return pos - buf;
675 		pos += ret;
676 		entry = entry->next;
677 	}
678 	return pos - buf;
679 }
680 
681 
682 struct rsn_pmksa_cache_entry * pmksa_cache_head(struct rsn_pmksa_cache *pmksa)
683 {
684 	return pmksa->pmksa;
685 }
686 
687 
688 /**
689  * pmksa_cache_init - Initialize PMKSA cache
690  * @free_cb: Callback function to be called when a PMKSA cache entry is freed
691  * @ctx: Context pointer for free_cb function
692  * @sm: Pointer to WPA state machine data from wpa_sm_init()
693  * Returns: Pointer to PMKSA cache data or %NULL on failure
694  */
695 struct rsn_pmksa_cache *
696 pmksa_cache_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
697 				 void *ctx, enum pmksa_free_reason reason),
698 		 bool (*is_current_cb)(struct rsn_pmksa_cache_entry *entry,
699 				       void *ctx),
700 		 void *ctx, struct wpa_sm *sm)
701 {
702 	struct rsn_pmksa_cache *pmksa;
703 
704 	pmksa = os_zalloc(sizeof(*pmksa));
705 	if (pmksa) {
706 		pmksa->free_cb = free_cb;
707 		pmksa->is_current_cb = is_current_cb;
708 		pmksa->ctx = ctx;
709 		pmksa->sm = sm;
710 	}
711 
712 	return pmksa;
713 }
714 
715 
716 void pmksa_cache_reconfig(struct rsn_pmksa_cache *pmksa)
717 {
718 	struct rsn_pmksa_cache_entry *entry;
719 	struct os_reltime now;
720 
721 	if (!pmksa || !pmksa->pmksa)
722 		return;
723 
724 	os_get_reltime(&now);
725 	for (entry = pmksa->pmksa; entry; entry = entry->next) {
726 		u32 life_time;
727 		u8 reauth_threshold;
728 
729 		if (entry->expiration - now.sec < 1 ||
730 		    entry->reauth_time - now.sec < 1)
731 			continue;
732 
733 		life_time = entry->expiration - now.sec;
734 		reauth_threshold = (entry->reauth_time - now.sec) * 100 /
735 			life_time;
736 		if (!reauth_threshold)
737 			continue;
738 
739 		wpa_sm_add_pmkid(pmksa->sm, entry->network_ctx, entry->aa,
740 				 entry->pmkid,
741 				 entry->fils_cache_id_set ?
742 				 entry->fils_cache_id : NULL,
743 				 entry->pmk, entry->pmk_len, life_time,
744 				 reauth_threshold, entry->akmp);
745 	}
746 }
747 
748 #endif /* IEEE8021X_EAPOL */
749