aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2008-08-03 17:17:58 (GMT)
committerJouni Malinen <j@w1.fi>2008-08-03 17:17:58 (GMT)
commitbf98f7f3bcf827f5cdcd2179dfcf3b0c55a8cd16 (patch)
tree62aad7eefae59afe0db75031bcd720bcbac040f4
parent3ff77e070de25ba9c78528906079e54377e61a95 (diff)
downloadhostap-06-bf98f7f3bcf827f5cdcd2179dfcf3b0c55a8cd16.zip
hostap-06-bf98f7f3bcf827f5cdcd2179dfcf3b0c55a8cd16.tar.gz
hostap-06-bf98f7f3bcf827f5cdcd2179dfcf3b0c55a8cd16.tar.bz2
Added support for opportunistic key caching (OKC)
This allows hostapd to share the PMKSA caches internally when multiple BSSes or radios are being controlled by the same hostapd process.
-rw-r--r--hostapd/ChangeLog1
-rw-r--r--hostapd/config.c2
-rw-r--r--hostapd/config.h2
-rw-r--r--hostapd/hostapd.c22
-rw-r--r--hostapd/hostapd.conf7
-rw-r--r--hostapd/ieee802_1x.c2
-rw-r--r--hostapd/ieee802_1x.h2
-rw-r--r--hostapd/pmksa_cache.c119
-rw-r--r--hostapd/pmksa_cache.h8
-rw-r--r--hostapd/wpa.c10
-rw-r--r--hostapd/wpa.h3
-rw-r--r--hostapd/wpa_auth_i.h3
-rw-r--r--hostapd/wpa_auth_ie.c54
13 files changed, 205 insertions, 30 deletions
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index 5146d1a..46c6696 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -12,6 +12,7 @@ ChangeLog for hostapd
* added fragmentation support for EAP-TNC
* added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled)
data
+ * added support for opportunistic key caching (OKC)
2008-02-22 - v0.6.3
* fixed Reassociation Response callback processing when using internal
diff --git a/hostapd/config.c b/hostapd/config.c
index dd805c1..58fdaef 100644
--- a/hostapd/config.c
+++ b/hostapd/config.c
@@ -1935,6 +1935,8 @@ struct hostapd_config * hostapd_config_read(const char *fname)
#endif /* CONFIG_IEEE80211W */
} else if (os_strcmp(buf, "max_listen_interval") == 0) {
bss->max_listen_interval = atoi(pos);
+ } else if (os_strcmp(buf, "okc") == 0) {
+ bss->okc = atoi(pos);
} else {
printf("Line %d: unknown configuration item '%s'\n",
line, buf);
diff --git a/hostapd/config.h b/hostapd/config.h
index 0c1a56b..3f740bd 100644
--- a/hostapd/config.h
+++ b/hostapd/config.h
@@ -270,6 +270,8 @@ struct hostapd_bss_config {
* denied with status code 51.
*/
u16 max_listen_interval;
+
+ int okc; /* Opportunistic Key Caching */
};
diff --git a/hostapd/hostapd.c b/hostapd/hostapd.c
index 6316054..f0437fd 100644
--- a/hostapd/hostapd.c
+++ b/hostapd/hostapd.c
@@ -298,6 +298,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
wconf->eapol_version = conf->eapol_version;
wconf->peerkey = conf->peerkey;
wconf->wme_enabled = conf->wme_enabled;
+ wconf->okc = conf->okc;
#ifdef CONFIG_IEEE80211W
wconf->ieee80211w = conf->ieee80211w;
#endif /* CONFIG_IEEE80211W */
@@ -891,6 +892,26 @@ static int hostapd_wpa_auth_for_each_sta(
}
+static int hostapd_wpa_auth_for_each_auth(
+ void *ctx, int (*cb)(struct wpa_authenticator *sm, void *ctx),
+ void *cb_ctx)
+{
+ struct hostapd_data *ohapd;
+ size_t i, j;
+ struct hapd_interfaces *interfaces = eloop_get_user_data();
+
+ for (i = 0; i < interfaces->count; i++) {
+ for (j = 0; j < interfaces->iface[i]->num_bss; j++) {
+ ohapd = interfaces->iface[i]->bss[j];
+ if (cb(ohapd->wpa_auth, cb_ctx))
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+
static int hostapd_wpa_auth_send_ether(void *ctx, const u8 *dst, u16 proto,
const u8 *data, size_t data_len)
{
@@ -1095,6 +1116,7 @@ static int hostapd_setup_wpa(struct hostapd_data *hapd)
cb.get_seqnum_igtk = hostapd_wpa_auth_get_seqnum_igtk;
cb.send_eapol = hostapd_wpa_auth_send_eapol;
cb.for_each_sta = hostapd_wpa_auth_for_each_sta;
+ cb.for_each_auth = hostapd_wpa_auth_for_each_auth;
cb.send_ether = hostapd_wpa_auth_send_ether;
#ifdef CONFIG_IEEE80211R
cb.send_ft_action = hostapd_wpa_auth_send_ft_action;
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 8268f50..755d190 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -691,6 +691,13 @@ own_ip_addr=127.0.0.1
# 2 = required
#ieee80211w=0
+# okc: Opportunistic Key Caching (aka Proactive Key Caching)
+# Allow PMK cache to be shared opportunistically among configured interfaces
+# and BSSes (i.e., all configurations within a single hostapd process).
+# 0 = disabled (default)
+# 1 = enabled
+#okc=1
+
##### IEEE 802.11r configuration ##############################################
diff --git a/hostapd/ieee802_1x.c b/hostapd/ieee802_1x.c
index 9f66672..a3641ba 100644
--- a/hostapd/ieee802_1x.c
+++ b/hostapd/ieee802_1x.c
@@ -873,7 +873,7 @@ void ieee802_1x_free_radius_class(struct radius_class_data *class)
int ieee802_1x_copy_radius_class(struct radius_class_data *dst,
- struct radius_class_data *src)
+ const struct radius_class_data *src)
{
size_t i;
diff --git a/hostapd/ieee802_1x.h b/hostapd/ieee802_1x.h
index 08d808a..58ab21e 100644
--- a/hostapd/ieee802_1x.h
+++ b/hostapd/ieee802_1x.h
@@ -82,6 +82,6 @@ struct radius_class_data;
void ieee802_1x_free_radius_class(struct radius_class_data *class);
int ieee802_1x_copy_radius_class(struct radius_class_data *dst,
- struct radius_class_data *src);
+ const struct radius_class_data *src);
#endif /* IEEE802_1X_H */
diff --git a/hostapd/pmksa_cache.c b/hostapd/pmksa_cache.c
index e1f8d9b..bbeb7aa 100644
--- a/hostapd/pmksa_cache.c
+++ b/hostapd/pmksa_cache.c
@@ -208,6 +208,37 @@ void pmksa_cache_to_eapol_data(struct rsn_pmksa_cache_entry *entry,
}
+static void pmksa_cache_link_entry(struct rsn_pmksa_cache *pmksa,
+ struct rsn_pmksa_cache_entry *entry)
+{
+ struct rsn_pmksa_cache_entry *pos, *prev;
+
+ /* Add the new entry; order by expiration time */
+ pos = pmksa->pmksa;
+ prev = NULL;
+ while (pos) {
+ if (pos->expiration > entry->expiration)
+ break;
+ prev = pos;
+ pos = pos->next;
+ }
+ if (prev == NULL) {
+ entry->next = pmksa->pmksa;
+ pmksa->pmksa = entry;
+ } else {
+ entry->next = prev->next;
+ prev->next = entry;
+ }
+ entry->hnext = pmksa->pmkid[PMKID_HASH(entry->pmkid)];
+ pmksa->pmkid[PMKID_HASH(entry->pmkid)] = entry;
+
+ pmksa->pmksa_count++;
+ wpa_printf(MSG_DEBUG, "RSN: added PMKSA cache entry for " MACSTR,
+ MAC2STR(entry->spa));
+ wpa_hexdump(MSG_DEBUG, "RSN: added PMKID", entry->pmkid, PMKID_LEN);
+}
+
+
/**
* pmksa_cache_add - Add a PMKSA cache entry
* @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
@@ -229,7 +260,7 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len,
const u8 *aa, const u8 *spa, int session_timeout,
struct eapol_state_machine *eapol)
{
- struct rsn_pmksa_cache_entry *entry, *pos, *prev;
+ struct rsn_pmksa_cache_entry *entry, *pos;
struct os_time now;
if (pmk_len > PMK_LEN)
@@ -265,29 +296,44 @@ pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len,
pmksa_cache_free_entry(pmksa, pmksa->pmksa);
}
- /* Add the new entry; order by expiration time */
- pos = pmksa->pmksa;
- prev = NULL;
- while (pos) {
- if (pos->expiration > entry->expiration)
- break;
- prev = pos;
- pos = pos->next;
- }
- if (prev == NULL) {
- entry->next = pmksa->pmksa;
- pmksa->pmksa = entry;
- } else {
- entry->next = prev->next;
- prev->next = entry;
+ pmksa_cache_link_entry(pmksa, entry);
+
+ return entry;
+}
+
+
+struct rsn_pmksa_cache_entry *
+pmksa_cache_add_okc(struct rsn_pmksa_cache *pmksa,
+ const struct rsn_pmksa_cache_entry *old_entry,
+ const u8 *aa, const u8 *pmkid)
+{
+ struct rsn_pmksa_cache_entry *entry;
+
+ entry = os_zalloc(sizeof(*entry));
+ if (entry == NULL)
+ return NULL;
+ os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
+ os_memcpy(entry->pmk, old_entry->pmk, old_entry->pmk_len);
+ entry->pmk_len = old_entry->pmk_len;
+ entry->expiration = old_entry->expiration;
+ entry->akmp = old_entry->akmp;
+ os_memcpy(entry->spa, old_entry->spa, ETH_ALEN);
+ entry->opportunistic = 1;
+ if (old_entry->identity) {
+ entry->identity = os_malloc(old_entry->identity_len);
+ if (entry->identity) {
+ entry->identity_len = old_entry->identity_len;
+ os_memcpy(entry->identity, old_entry->identity,
+ old_entry->identity_len);
+ }
}
- entry->hnext = pmksa->pmkid[PMKID_HASH(entry->pmkid)];
- pmksa->pmkid[PMKID_HASH(entry->pmkid)] = entry;
+ ieee802_1x_copy_radius_class(&entry->radius_class,
+ &old_entry->radius_class);
+ entry->eap_type_authsrv = old_entry->eap_type_authsrv;
+ entry->vlan_id = old_entry->vlan_id;
+ entry->opportunistic = 1;
- pmksa->pmksa_count++;
- wpa_printf(MSG_DEBUG, "RSN: added PMKSA cache entry for " MACSTR,
- MAC2STR(entry->spa));
- wpa_hexdump(MSG_DEBUG, "RSN: added PMKID", entry->pmkid, PMKID_LEN);
+ pmksa_cache_link_entry(pmksa, entry);
return entry;
}
@@ -347,6 +393,35 @@ struct rsn_pmksa_cache_entry * pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
/**
+ * pmksa_cache_get_okc - Fetch a PMKSA cache entry using OKC
+ * @pmksa: Pointer to PMKSA cache data from pmksa_cache_init()
+ * @spa: Supplicant address
+ * @pmkid: PMKID
+ * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
+ *
+ * Use opportunistic key caching (OKC) to find a PMK for a supplicant.
+ */
+struct rsn_pmksa_cache_entry * pmksa_cache_get_okc(
+ struct rsn_pmksa_cache *pmksa, const u8 *aa, const u8 *spa,
+ const u8 *pmkid)
+{
+ struct rsn_pmksa_cache_entry *entry;
+ u8 new_pmkid[PMKID_LEN];
+
+ entry = pmksa->pmksa;
+ while (entry) {
+ if (os_memcmp(entry->spa, spa, ETH_ALEN) != 0)
+ continue;
+ rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa, new_pmkid);
+ if (os_memcmp(new_pmkid, pmkid, PMKID_LEN) == 0)
+ return entry;
+ entry = entry->next;
+ }
+ return NULL;
+}
+
+
+/**
* pmksa_cache_init - Initialize PMKSA cache
* @free_cb: Callback function to be called when a PMKSA cache entry is freed
* @ctx: Context pointer for free_cb function
diff --git a/hostapd/pmksa_cache.h b/hostapd/pmksa_cache.h
index dd9074e..d5afc6f 100644
--- a/hostapd/pmksa_cache.h
+++ b/hostapd/pmksa_cache.h
@@ -32,6 +32,7 @@ struct rsn_pmksa_cache_entry {
struct radius_class_data radius_class;
u8 eap_type_authsrv;
int vlan_id;
+ int opportunistic;
};
struct rsn_pmksa_cache;
@@ -42,10 +43,17 @@ pmksa_cache_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
void pmksa_cache_deinit(struct rsn_pmksa_cache *pmksa);
struct rsn_pmksa_cache_entry * pmksa_cache_get(struct rsn_pmksa_cache *pmksa,
const u8 *spa, const u8 *pmkid);
+struct rsn_pmksa_cache_entry * pmksa_cache_get_okc(
+ struct rsn_pmksa_cache *pmksa, const u8 *spa, const u8 *aa,
+ const u8 *pmkid);
struct rsn_pmksa_cache_entry *
pmksa_cache_add(struct rsn_pmksa_cache *pmksa, const u8 *pmk, size_t pmk_len,
const u8 *aa, const u8 *spa, int session_timeout,
struct eapol_state_machine *eapol);
+struct rsn_pmksa_cache_entry *
+pmksa_cache_add_okc(struct rsn_pmksa_cache *pmksa,
+ const struct rsn_pmksa_cache_entry *old_entry,
+ const u8 *aa, const u8 *pmkid);
void pmksa_cache_to_eapol_data(struct rsn_pmksa_cache_entry *entry,
struct eapol_state_machine *eapol);
void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa,
diff --git a/hostapd/wpa.c b/hostapd/wpa.c
index 63efce2..4502808 100644
--- a/hostapd/wpa.c
+++ b/hostapd/wpa.c
@@ -151,6 +151,16 @@ int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
}
+int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
+ int (*cb)(struct wpa_authenticator *a, void *ctx),
+ void *cb_ctx)
+{
+ if (wpa_auth->cb.for_each_auth == NULL)
+ return 0;
+ return wpa_auth->cb.for_each_auth(wpa_auth->cb.ctx, cb, cb_ctx);
+}
+
+
void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr,
logger_level level, const char *txt)
{
diff --git a/hostapd/wpa.h b/hostapd/wpa.h
index 5778bb1..5bcb6a6 100644
--- a/hostapd/wpa.h
+++ b/hostapd/wpa.h
@@ -140,6 +140,7 @@ struct wpa_auth_config {
int eapol_version;
int peerkey;
int wme_enabled;
+ int okc;
#ifdef CONFIG_IEEE80211W
enum {
WPA_NO_IEEE80211W = 0,
@@ -192,6 +193,8 @@ struct wpa_auth_callbacks {
size_t data_len, int encrypt);
int (*for_each_sta)(void *ctx, int (*cb)(struct wpa_state_machine *sm,
void *ctx), void *cb_ctx);
+ int (*for_each_auth)(void *ctx, int (*cb)(struct wpa_authenticator *a,
+ void *ctx), void *cb_ctx);
int (*send_ether)(void *ctx, const u8 *dst, u16 proto, const u8 *data,
size_t data_len);
#ifdef CONFIG_IEEE80211R
diff --git a/hostapd/wpa_auth_i.h b/hostapd/wpa_auth_i.h
index 8178f01..fd22238 100644
--- a/hostapd/wpa_auth_i.h
+++ b/hostapd/wpa_auth_i.h
@@ -189,6 +189,9 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
int wpa_auth_for_each_sta(struct wpa_authenticator *wpa_auth,
int (*cb)(struct wpa_state_machine *sm, void *ctx),
void *cb_ctx);
+int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth,
+ int (*cb)(struct wpa_authenticator *a, void *ctx),
+ void *cb_ctx);
#ifdef CONFIG_PEERKEY
int wpa_stsl_remove(struct wpa_authenticator *wpa_auth,
diff --git a/hostapd/wpa_auth_ie.c b/hostapd/wpa_auth_ie.c
index 1d2caa3..7af7531 100644
--- a/hostapd/wpa_auth_ie.c
+++ b/hostapd/wpa_auth_ie.c
@@ -414,6 +414,25 @@ static int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
}
+struct wpa_auth_okc_iter_data {
+ struct rsn_pmksa_cache_entry *pmksa;
+ const u8 *aa;
+ const u8 *spa;
+ const u8 *pmkid;
+};
+
+
+static int wpa_auth_okc_iter(struct wpa_authenticator *a, void *ctx)
+{
+ struct wpa_auth_okc_iter_data *data = ctx;
+ data->pmksa = pmksa_cache_get_okc(a->pmksa, data->aa, data->spa,
+ data->pmkid);
+ if (data->pmksa)
+ return 1;
+ return 0;
+}
+
+
int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
struct wpa_state_machine *sm,
const u8 *wpa_ie, size_t wpa_ie_len,
@@ -423,6 +442,7 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
int ciphers, key_mgmt, res, version;
u32 selector;
size_t i;
+ const u8 *pmkid = NULL;
if (wpa_auth == NULL || sm == NULL)
return WPA_NOT_ENABLED;
@@ -615,22 +635,44 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
else
sm->wpa = WPA_VERSION_WPA;
+ sm->pmksa = NULL;
for (i = 0; i < data.num_pmkid; i++) {
wpa_hexdump(MSG_DEBUG, "RSN IE: STA PMKID",
&data.pmkid[i * PMKID_LEN], PMKID_LEN);
sm->pmksa = pmksa_cache_get(wpa_auth->pmksa, sm->addr,
&data.pmkid[i * PMKID_LEN]);
if (sm->pmksa) {
+ pmkid = sm->pmksa->pmkid;
+ break;
+ }
+ }
+ for (i = 0; sm->pmksa == NULL && wpa_auth->conf.okc &&
+ i < data.num_pmkid; i++) {
+ struct wpa_auth_okc_iter_data idata;
+ idata.pmksa = NULL;
+ idata.aa = wpa_auth->addr;
+ idata.spa = sm->addr;
+ idata.pmkid = &data.pmkid[i * PMKID_LEN];
+ wpa_auth_for_each_auth(wpa_auth, wpa_auth_okc_iter, &idata);
+ if (idata.pmksa) {
wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
- "PMKID found from PMKSA cache "
- "eap_type=%d vlan_id=%d",
- sm->pmksa->eap_type_authsrv,
- sm->pmksa->vlan_id);
- os_memcpy(wpa_auth->dot11RSNAPMKIDUsed,
- sm->pmksa->pmkid, PMKID_LEN);
+ "OKC match for PMKID");
+ sm->pmksa = pmksa_cache_add_okc(wpa_auth->pmksa,
+ idata.pmksa,
+ wpa_auth->addr,
+ idata.pmkid);
+ pmkid = idata.pmkid;
break;
}
}
+ if (sm->pmksa) {
+ wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG,
+ "PMKID found from PMKSA cache "
+ "eap_type=%d vlan_id=%d",
+ sm->pmksa->eap_type_authsrv,
+ sm->pmksa->vlan_id);
+ os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmkid, PMKID_LEN);
+ }
if (sm->wpa_ie == NULL || sm->wpa_ie_len < wpa_ie_len) {
os_free(sm->wpa_ie);