static struct rsn_pmksa_cache * pmksa_cache_clone_entry(struct wpa_supplicant *wpa_s, const struct rsn_pmksa_cache *old_entry, const u8 *aa) { struct rsn_pmksa_cache *new_entry; new_entry = pmksa_cache_add(wpa_s, old_entry->pmk, old_entry->pmk_len, aa, wpa_s->own_addr, old_entry->ssid); if (new_entry == NULL) return NULL; /* TODO: reorder entries based on expiration time? */ new_entry->expiration = old_entry->expiration; new_entry->opportunistic = 1; return new_entry; }
static struct rsn_pmksa_cache_entry * pmksa_cache_clone_entry(struct rsn_pmksa_cache *pmksa, const struct rsn_pmksa_cache_entry *old_entry, const u8 *aa) { struct rsn_pmksa_cache_entry *new_entry; new_entry = pmksa_cache_add(pmksa, old_entry->pmk, old_entry->pmk_len, aa, pmksa->sm->own_addr, old_entry->network_ctx, old_entry->akmp); if (new_entry == NULL) return NULL; /* TODO: reorder entries based on expiration time? */ new_entry->expiration = old_entry->expiration; new_entry->opportunistic = 1; return new_entry; }
static void rsn_preauth_eapol_cb(struct eapol_sm *eapol, int success, void *ctx) { struct wpa_sm *sm = ctx; u8 pmk[PMK_LEN]; if (success) { int res, pmk_len; pmk_len = PMK_LEN; res = eapol_sm_get_key(eapol, pmk, PMK_LEN); if (res) { /* * EAP-LEAP is an exception from other EAP methods: it * uses only 16-byte PMK. */ res = eapol_sm_get_key(eapol, pmk, 16); pmk_len = 16; } if (res == 0) { wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from pre-auth", pmk, pmk_len); sm->pmk_len = pmk_len; pmksa_cache_add(sm->pmksa, pmk, pmk_len, sm->preauth_bssid, sm->own_addr, sm->network_ctx, WPA_KEY_MGMT_IEEE8021X); } else { wpa_msg(sm->ctx->ctx, MSG_INFO, "RSN: failed to get " "master session key from pre-auth EAPOL state " "machines"); success = 0; } } wpa_msg(sm->ctx->ctx, MSG_INFO, "RSN: pre-authentication with " MACSTR " %s", MAC2STR(sm->preauth_bssid), success ? "completed successfully" : "failed"); rsn_preauth_deinit(sm); rsn_preauth_candidate_process(sm); }
static void rsn_preauth_eapol_cb(struct eapol_sm *eapol, int success, void *ctx) { struct wpa_sm *sm = ctx; u8 pmk[PMK_LEN]; if (success) { int res, pmk_len; pmk_len = PMK_LEN; res = eapol_sm_get_key(eapol, pmk, PMK_LEN); #ifdef EAP_LEAP if (res) { res = eapol_sm_get_key(eapol, pmk, 16); pmk_len = 16; } #endif /* EAP_LEAP */ if (res == 0) { wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from pre-auth", pmk, pmk_len); sm->pmk_len = pmk_len; pmksa_cache_add(sm, pmk, pmk_len, sm->preauth_bssid, sm->own_addr, sm->cur_ssid); } else { wpa_msg(sm->ctx->ctx, MSG_INFO, "RSN: failed to get " "master session key from pre-auth EAPOL state " "machines"); success = 0; } } wpa_msg(sm->ctx->ctx, MSG_INFO, "RSN: pre-authentication with " MACSTR " %s", MAC2STR(sm->preauth_bssid), success ? "completed successfully" : "failed"); rsn_preauth_deinit(sm); rsn_preauth_candidate_process(sm); }
/* Process the RADIUS frames from Authentication Server */ static RadiusRxResult ieee802_1x_receive_auth(struct wpa_supplicant *wpa_s, struct radius_msg *msg, struct radius_msg *req, u8 *shared_secret, size_t shared_secret_len, void *data) { #if 0 u32 session_timeout, termination_action; int session_timeout_set; int acct_interim_interval; #endif #if 0 sta = ap_get_sta_radius_identifier(hapd, msg->hdr->identifier); if (sta == NULL) { wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not " "find matching station for this RADIUS " "message\n"); return RADIUS_RX_UNKNOWN; } #endif /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be * present when packet contains an EAP-Message attribute */ if (msg->hdr->code == RADIUS_CODE_ACCESS_REJECT && radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 0) < 0 && radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { wpa_printf(MSG_DEBUG, "Allowing RADIUS " "Access-Reject without Message-Authenticator " "since it does not include EAP-Message\n"); } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, req)) { printf("Incoming RADIUS packet did not have correct " "Message-Authenticator - dropped\n"); return RADIUS_RX_UNKNOWN; } if (msg->hdr->code != RADIUS_CODE_ACCESS_ACCEPT && msg->hdr->code != RADIUS_CODE_ACCESS_REJECT && msg->hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { printf("Unknown RADIUS message code\n"); return RADIUS_RX_UNKNOWN; } wpa_s->radius_identifier = -1; wpa_printf(MSG_DEBUG, "RADIUS packet matching with station"); if (wpa_s->last_recv_radius) { radius_msg_free(wpa_s->last_recv_radius); free(wpa_s->last_recv_radius); } wpa_s->last_recv_radius = msg; #if 0 session_timeout_set = !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, &session_timeout); if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, &termination_action)) termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; if (hapd->conf->radius_acct_interim_interval == 0 && msg->hdr->code == RADIUS_CODE_ACCESS_ACCEPT && radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, &acct_interim_interval) == 0) { if (acct_interim_interval < 60) { hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, HOSTAPD_LEVEL_INFO, "ignored too small " "Acct-Interim-Interval %d", acct_interim_interval); } else sta->acct_interim_interval = acct_interim_interval; } switch (msg->hdr->code) { case RADIUS_CODE_ACCESS_ACCEPT: /* draft-congdon-radius-8021x-22.txt, Ch. 3.17 */ if (session_timeout_set && termination_action == RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { sta->eapol_sm->reauth_timer.reAuthPeriod = session_timeout; } else if (session_timeout_set) ap_sta_session_timeout(hapd, sta, session_timeout); sta->eapol_sm->be_auth.aSuccess = TRUE; ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, shared_secret_len); if (sta->eapol_sm->keyAvailable) { pmksa_cache_add(hapd, sta, sta->eapol_key_crypt, session_timeout_set ? session_timeout : -1); } break; case RADIUS_CODE_ACCESS_REJECT: sta->eapol_sm->be_auth.aFail = TRUE; break; case RADIUS_CODE_ACCESS_CHALLENGE: if (session_timeout_set) { /* RFC 2869, Ch. 2.3.2 * draft-congdon-radius-8021x-22.txt, Ch. 3.17 */ sta->eapol_sm->be_auth.suppTimeout = session_timeout; } sta->eapol_sm->be_auth.aReq = TRUE; break; } #else switch (msg->hdr->code) { case RADIUS_CODE_ACCESS_ACCEPT: wpa_s->radius_access_accept_received = 1; ieee802_1x_get_keys(wpa_s, msg, req, shared_secret, shared_secret_len); break; case RADIUS_CODE_ACCESS_REJECT: wpa_s->radius_access_reject_received = 1; break; } #endif ieee802_1x_decapsulate_radius(wpa_s); /* eapol_sm_step(sta->eapol_sm); */ if (msg->hdr->code == RADIUS_CODE_ACCESS_ACCEPT || msg->hdr->code == RADIUS_CODE_ACCESS_REJECT) { eloop_terminate(); } return RADIUS_RX_QUEUED; }
static int wpa_supplicant_get_pmk(struct wpa_sm *sm, const unsigned char *src_addr, const u8 *pmkid) { int abort_cached = 0; if (pmkid && !sm->cur_pmksa) { /* When using drivers that generate RSN IE, wpa_supplicant may * not have enough time to get the association information * event before receiving this 1/4 message, so try to find a * matching PMKSA cache entry here. */ sm->cur_pmksa = pmksa_cache_get(sm->pmksa, src_addr, pmkid); if (sm->cur_pmksa) { wpa_printf(MSG_DEBUG, "RSN: found matching PMKID from " "PMKSA cache"); } else { wpa_printf(MSG_DEBUG, "RSN: no matching PMKID found"); abort_cached = 1; } } if (pmkid && sm->cur_pmksa && os_memcmp(pmkid, sm->cur_pmksa->pmkid, PMKID_LEN) == 0) { wpa_hexdump(MSG_DEBUG, "RSN: matched PMKID", pmkid, PMKID_LEN); wpa_sm_set_pmk_from_pmksa(sm); wpa_hexdump_key(MSG_DEBUG, "RSN: PMK from PMKSA cache", sm->pmk, sm->pmk_len); eapol_sm_notify_cached(sm->eapol); #ifdef CONFIG_IEEE80211R sm->xxkey_len = 0; #endif /* CONFIG_IEEE80211R */ } else if (wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) && sm->eapol) { int res, pmk_len; pmk_len = PMK_LEN; res = eapol_sm_get_key(sm->eapol, sm->pmk, PMK_LEN); if (res) { /* * EAP-LEAP is an exception from other EAP methods: it * uses only 16-byte PMK. */ res = eapol_sm_get_key(sm->eapol, sm->pmk, 16); pmk_len = 16; } else { #ifdef CONFIG_IEEE80211R u8 buf[2 * PMK_LEN]; if (eapol_sm_get_key(sm->eapol, buf, 2 * PMK_LEN) == 0) { os_memcpy(sm->xxkey, buf + PMK_LEN, PMK_LEN); sm->xxkey_len = PMK_LEN; os_memset(buf, 0, sizeof(buf)); } #endif /* CONFIG_IEEE80211R */ } if (res == 0) { wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state " "machines", sm->pmk, pmk_len); sm->pmk_len = pmk_len; if (sm->proto == WPA_PROTO_RSN) { pmksa_cache_add(sm->pmksa, sm->pmk, pmk_len, src_addr, sm->own_addr, sm->network_ctx, sm->key_mgmt); } if (!sm->cur_pmksa && pmkid && pmksa_cache_get(sm->pmksa, src_addr, pmkid)) { wpa_printf(MSG_DEBUG, "RSN: the new PMK " "matches with the PMKID"); abort_cached = 0; } } else { wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Failed to get master session key from " "EAPOL state machines"); wpa_msg(sm->ctx->msg_ctx, MSG_WARNING, "WPA: Key handshake aborted"); if (sm->cur_pmksa) { wpa_printf(MSG_DEBUG, "RSN: Cancelled PMKSA " "caching attempt"); sm->cur_pmksa = NULL; abort_cached = 1; } else if (!abort_cached) { return -1; } } } if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) { /* Send EAPOL-Start to trigger full EAP authentication. */ u8 *buf; size_t buflen; wpa_printf(MSG_DEBUG, "RSN: no PMKSA entry found - trigger " "full EAP authentication"); buf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_START, NULL, 0, &buflen, NULL); if (buf) { wpa_sm_ether_send(sm, sm->bssid, ETH_P_EAPOL, buf, buflen); os_free(buf); return -2; } return -1; } return 0; }