static struct rsn_pmksa_cache *
pmksa_cache_clone_entry(struct wpa_supplicant *wpa_s,
const struct rsn_pmksa_cache *old_entry, const u8 *aa)
{
struct rsn_pmksa_cache *new_entry;
new_entry = pmksa_cache_add(wpa_s, old_entry->pmk, old_entry->pmk_len,
aa, wpa_s->own_addr, old_entry->ssid);
if (new_entry == NULL)
return NULL;
/* TODO: reorder entries based on expiration time? */
new_entry->expiration = old_entry->expiration;
new_entry->opportunistic = 1;
return new_entry;
}
static struct rsn_pmksa_cache_entry *
pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa,
const struct rsn_pmksa_cache_entry *old_entry,
const u8 *aa)
{
struct rsn_pmksa_cache_entry *new_entry;
new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len,
aa, pmksa->sm->own_addr,
old_entry->network_ctx, old_entry->akmp);
if (new_entry == NULL)
return NULL;
/* TODO: reorder entries based on expiration time? */
new_entry->expiration = old_entry->expiration;
new_entry->opportunistic = 1;
return new_entry;
}
static void rsn_preauth_eapol_cb(struct eapol_sm *eapol, int success,
void *ctx)
{
struct wpa_sm *sm = ctx;
u8 pmk[PMK_LEN];
if (success) {
int res, pmk_len;
pmk_len = PMK_LEN;
res = eapol_sm_get_key(eapol, pmk, PMK_LEN);
if (res) {
/*
* EAP-LEAP is an exception from other EAP methods: it
* uses only 16-byte PMK.
*/
res = eapol_sm_get_key(eapol, pmk, 16);
pmk_len = 16;
}
if (res == 0) {
wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from pre-auth",
pmk, pmk_len);
sm->pmk_len = pmk_len;
pmksa_cache_add(sm->pmksa, pmk, pmk_len,
sm->preauth_bssid, sm->own_addr,
sm->network_ctx,
WPA_KEY_MGMT_IEEE8021X);
} else {
wpa_msg(sm->ctx->ctx, MSG_INFO, "RSN: failed to get "
"master session key from pre-auth EAPOL state "
"machines");
success = 0;
}
}
wpa_msg(sm->ctx->ctx, MSG_INFO, "RSN: pre-authentication with " MACSTR
" %s", MAC2STR(sm->preauth_bssid),
success ? "completed successfully" : "failed");
rsn_preauth_deinit(sm);
rsn_preauth_candidate_process(sm);
}
static void rsn_preauth_eapol_cb(struct eapol_sm *eapol, int success,
void *ctx)
{
struct wpa_sm *sm = ctx;
u8 pmk[PMK_LEN];
if (success) {
int res, pmk_len;
pmk_len = PMK_LEN;
res = eapol_sm_get_key(eapol, pmk, PMK_LEN);
#ifdef EAP_LEAP
if (res) {
res = eapol_sm_get_key(eapol, pmk, 16);
pmk_len = 16;
}
#endif /* EAP_LEAP */
if (res == 0) {
wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from pre-auth",
pmk, pmk_len);
sm->pmk_len = pmk_len;
pmksa_cache_add(sm, pmk, pmk_len,
sm->preauth_bssid, sm->own_addr,
sm->cur_ssid);
} else {
wpa_msg(sm->ctx->ctx, MSG_INFO, "RSN: failed to get "
"master session key from pre-auth EAPOL state "
"machines");
success = 0;
}
}
wpa_msg(sm->ctx->ctx, MSG_INFO, "RSN: pre-authentication with " MACSTR
" %s", MAC2STR(sm->preauth_bssid),
success ? "completed successfully" : "failed");
rsn_preauth_deinit(sm);
rsn_preauth_candidate_process(sm);
}
/* Process the RADIUS frames from Authentication Server */
static RadiusRxResult
ieee802_1x_receive_auth(struct wpa_supplicant *wpa_s,
struct radius_msg *msg, struct radius_msg *req,
u8 *shared_secret, size_t shared_secret_len,
void *data)
{
#if 0
u32 session_timeout, termination_action;
int session_timeout_set;
int acct_interim_interval;
#endif
#if 0
sta = ap_get_sta_radius_identifier(hapd, msg->hdr->identifier);
if (sta == NULL) {
wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not "
"find matching station for this RADIUS "
"message\n");
return RADIUS_RX_UNKNOWN;
}
#endif
/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
* present when packet contains an EAP-Message attribute */
if (msg->hdr->code == RADIUS_CODE_ACCESS_REJECT &&
radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
0) < 0 &&
radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
wpa_printf(MSG_DEBUG, "Allowing RADIUS "
"Access-Reject without Message-Authenticator "
"since it does not include EAP-Message\n");
} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
req)) {
printf("Incoming RADIUS packet did not have correct "
"Message-Authenticator - dropped\n");
return RADIUS_RX_UNKNOWN;
}
if (msg->hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
msg->hdr->code != RADIUS_CODE_ACCESS_REJECT &&
msg->hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
printf("Unknown RADIUS message code\n");
return RADIUS_RX_UNKNOWN;
}
wpa_s->radius_identifier = -1;
wpa_printf(MSG_DEBUG, "RADIUS packet matching with station");
if (wpa_s->last_recv_radius) {
radius_msg_free(wpa_s->last_recv_radius);
free(wpa_s->last_recv_radius);
}
wpa_s->last_recv_radius = msg;
#if 0
session_timeout_set =
!radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
&session_timeout);
if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION,
&termination_action))
termination_action = RADIUS_TERMINATION_ACTION_DEFAULT;
if (hapd->conf->radius_acct_interim_interval == 0 &&
msg->hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
&acct_interim_interval) == 0) {
if (acct_interim_interval < 60) {
hostapd_logger(hapd, sta->addr,
HOSTAPD_MODULE_IEEE8021X,
HOSTAPD_LEVEL_INFO,
"ignored too small "
"Acct-Interim-Interval %d",
acct_interim_interval);
} else
sta->acct_interim_interval = acct_interim_interval;
}
switch (msg->hdr->code) {
case RADIUS_CODE_ACCESS_ACCEPT:
/* draft-congdon-radius-8021x-22.txt, Ch. 3.17 */
if (session_timeout_set &&
termination_action ==
RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
sta->eapol_sm->reauth_timer.reAuthPeriod =
session_timeout;
} else if (session_timeout_set)
ap_sta_session_timeout(hapd, sta, session_timeout);
sta->eapol_sm->be_auth.aSuccess = TRUE;
ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret,
shared_secret_len);
if (sta->eapol_sm->keyAvailable) {
pmksa_cache_add(hapd, sta, sta->eapol_key_crypt,
session_timeout_set ?
session_timeout : -1);
}
break;
case RADIUS_CODE_ACCESS_REJECT:
sta->eapol_sm->be_auth.aFail = TRUE;
break;
case RADIUS_CODE_ACCESS_CHALLENGE:
if (session_timeout_set) {
/* RFC 2869, Ch. 2.3.2
* draft-congdon-radius-8021x-22.txt, Ch. 3.17 */
sta->eapol_sm->be_auth.suppTimeout = session_timeout;
}
sta->eapol_sm->be_auth.aReq = TRUE;
break;
}
#else
switch (msg->hdr->code) {
case RADIUS_CODE_ACCESS_ACCEPT:
wpa_s->radius_access_accept_received = 1;
ieee802_1x_get_keys(wpa_s, msg, req, shared_secret,
shared_secret_len);
break;
case RADIUS_CODE_ACCESS_REJECT:
wpa_s->radius_access_reject_received = 1;
break;
}
#endif
ieee802_1x_decapsulate_radius(wpa_s);
/* eapol_sm_step(sta->eapol_sm); */
if (msg->hdr->code == RADIUS_CODE_ACCESS_ACCEPT ||
msg->hdr->code == RADIUS_CODE_ACCESS_REJECT) {
eloop_terminate();
}
return RADIUS_RX_QUEUED;
}
static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
const unsigned char *src_addr,
const u8 *pmkid)
{
int abort_cached = 0;
if (pmkid && !sm->cur_pmksa) {
/* When using drivers that generate RSN IE, wpa_supplicant may
* not have enough time to get the association information
* event before receiving this 1/4 message, so try to find a
* matching PMKSA cache entry here. */
sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid);
if (sm->cur_pmksa) {
wpa_printf(MSG_DEBUG, "RSN: found matching PMKID from "
"PMKSA cache");
} else {
wpa_printf(MSG_DEBUG, "RSN: no matching PMKID found");
abort_cached = 1;
}
}
if (pmkid && sm->cur_pmksa &&
os_memcmp(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) {
wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN);
wpa_sm_set_pmk_from_pmksa(sm);
wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache",
sm->pmk, sm->pmk_len);
eapol_sm_notify_cached(sm->eapol);
#ifdef CONFIG_IEEE80211R
sm->xxkey_len = 0;
#endif /* CONFIG_IEEE80211R */
} else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) {
int res, pmk_len;
pmk_len = PMK_LEN;
res = eapol_sm_get_key(sm->eapol, sm->pmk, PMK_LEN);
if (res) {
/*
* EAP-LEAP is an exception from other EAP methods: it
* uses only 16-byte PMK.
*/
res = eapol_sm_get_key(sm->eapol, sm->pmk, 16);
pmk_len = 16;
} else {
#ifdef CONFIG_IEEE80211R
u8 buf[2 * PMK_LEN];
if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0)
{
os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN);
sm->xxkey_len = PMK_LEN;
os_memset(buf, 0, sizeof(buf));
}
#endif /* CONFIG_IEEE80211R */
}
if (res == 0) {
wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
"machines", sm->pmk, pmk_len);
sm->pmk_len = pmk_len;
if (sm->proto == WPA_PROTO_RSN) {
pmksa_cache_add(sm->pmksa, sm->pmk, pmk_len,
src_addr, sm->own_addr,
sm->network_ctx, sm->key_mgmt);
}
if (!sm->cur_pmksa && pmkid &&
pmksa_cache_get(sm->pmksa, src_addr, pmkid)) {
wpa_printf(MSG_DEBUG, "RSN: the new PMK "
"matches with the PMKID");
abort_cached = 0;
}
} else {
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Failed to get master session key from "
"EAPOL state machines");
wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
"WPA: Key handshake aborted");
if (sm->cur_pmksa) {
wpa_printf(MSG_DEBUG, "RSN: Cancelled PMKSA "
"caching attempt");
sm->cur_pmksa = NULL;
abort_cached = 1;
} else if (!abort_cached) {
return -1;
}
}
}
if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) {
/* Send EAPOL-Start to trigger full EAP authentication. */
u8 *buf;
size_t buflen;
wpa_printf(MSG_DEBUG, "RSN: no PMKSA entry found - trigger "
"full EAP authentication");
buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START,
NULL, 0, &buflen, NULL);
if (buf) {
wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL,
buf, buflen);
os_free(buf);
return -2;
}
return -1;
}
return 0;
}
