From patchwork Mon Feb 24 09:15:27 2020 X-Patchwork-Submitter: Ilan Peer X-Patchwork-Id: 1242961
From: Ilan Peer To: hostap@lists.infradead.org Subject: [PATCH 12/14] WPA_AUTH: Add PTKSA cache to hostapd Date: Mon, 24 Feb 2020 11:15:27 +0200 Message-Id: <20200224091529.15259-13-ilan.peer@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200224091529.15259-1-ilan.peer@intel.com> References: <20200224091529.15259-1-ilan.peer@intel.com> Cc: Ilan Peer Signed-off-by: Ilan Peer --- hostapd/Makefile | 2 ++ hostapd/ctrl_iface.c | 4 ++++ src/ap/hostapd.h | 3 +++ src/ap/wpa_auth.c | 30 ++++++++++++++++++++++++++++++ src/ap/wpa_auth.h | 3 +++ src/ap/wpa_auth_glue.c | 34 ++++++++++++++++++++++++++++++++++ 6 files changed, 76 insertions(+) diff --git a/hostapd/Makefile b/hostapd/Makefile index b194624d9b..d99b2d9d11 100644 --- a/hostapd/Makefile +++ b/hostapd/Makefile @@ -587,10 +587,12 @@ endif ifdef CONFIG_PASN CFLAGS += -DCONFIG_PASN +CFLAGS += -DCONFIG_PTKSA_CACHE NEED_HMAC_SHA256_KDF=y NEED_HMAC_SHA384_KDF=y NEED_SHA256=y NEED_SHA384=y +OBJS += ../src/common/ptksa_cache.o endif ifdef CONFIG_EAP_IKEV2 
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 6d2ecbc9c2..031ff89206 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c @@ -3507,6 +3507,10 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd, } else if (os_strncmp(buf, "GET_CAPABILITY ", 15) == 0) { reply_len = hostapd_ctrl_iface_get_capability( hapd, buf + 15, reply, reply_size); +#ifdef CONFIG_PASN + } else if (os_strcmp(buf, "PTKSA_CACHE_LIST") == 0) { + reply_len = ptksa_cache_list(hapd->ptksa, reply, reply_size); +#endif /* CONFIG_PASN */ } else { os_memcpy(reply, "UNKNOWN COMMAND\n", 16); reply_len = 16; diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h index ec5b9d57fe..11913aaddd 100644 --- a/src/ap/hostapd.h +++ b/src/ap/hostapd.h @@ -17,6 +17,7 @@ #include "utils/list.h" #include "ap_config.h" #include "drivers/driver.h" +#include "common/ptksa_cache.h" #define OCE_STA_CFON_ENABLED(hapd) \ ((hapd->conf->oce & OCE_STA_CFON) && \ @@ -365,6 +366,8 @@ struct hostapd_data { int dhcp_sock; /* UDP socket used with the DHCP server */ + struct ptksa_cache *ptksa; + #ifdef CONFIG_DPP int dpp_init_done; struct dpp_authentication *dpp_auth; diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 52eeedea13..0c29713b0c 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -222,6 +222,23 @@ int wpa_auth_for_each_auth(struct wpa_authenticator *wpa_auth, } +void wpa_auth_store_ptksa(struct wpa_authenticator *wpa_auth, + const u8 *addr, int cipher, + u32 life_time, struct wpa_ptk *ptk) +{ + if (wpa_auth->cb->store_ptksa) + wpa_auth->cb->store_ptksa(wpa_auth->cb_ctx, addr, cipher, + life_time, ptk); +} + + +void wpa_auth_remove_ptksa(struct wpa_authenticator *wpa_auth, + const u8 *addr, int cipher) +{ + if (wpa_auth->cb->clear_ptksa) + wpa_auth->cb->clear_ptksa(wpa_auth->cb_ctx, addr, cipher); +} + void wpa_auth_logger(struct wpa_authenticator *wpa_auth, const u8 *addr, logger_level level, const char *txt) { 
@@ -1750,6 +1767,9 @@ void wpa_remove_ptk(struct wpa_state_machine *sm) { sm->PTK_valid = FALSE; os_memset(&sm->PTK, 0, sizeof(sm->PTK)); + + wpa_auth_remove_ptksa(sm->wpa_auth, sm->addr, sm->pairwise); + if (wpa_auth_set_key(sm->wpa_auth, 0, WPA_ALG_NONE, sm->addr, 0, NULL, 0, KEY_FLAG_PAIRWISE)) wpa_printf(MSG_DEBUG, @@ -2805,6 +2825,12 @@ int fils_set_tk(struct wpa_state_machine *sm) wpa_printf(MSG_DEBUG, "FILS: Failed to set TK to the driver"); return -1; } + + wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, + sm->pairwise, + dot11RSNAConfigPMKLifetime, + &sm->PTK); + sm->tk_already_set = TRUE; return 0; @@ -3469,6 +3495,10 @@ SM_STATE(WPA_PTK, PTKINITDONE) sm->pairwise_set = TRUE; wpa_auth_set_ptk_rekey_timer(sm); + wpa_auth_store_ptksa(sm->wpa_auth, sm->addr, + sm->pairwise, + dot11RSNAConfigPMKLifetime, + &sm->PTK); if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) || sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP || diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index 9c5de83e30..56abfab141 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -290,6 +290,9 @@ struct wpa_auth_callbacks { int (*get_sta_tx_params)(void *ctx, const u8 *addr, int ap_max_chanwidth, int ap_seg1_idx, int *bandwidth, int *seg1_idx); + void (*store_ptksa)(void *ctx, const u8 *addr, int cipher, u32 life_time, + struct wpa_ptk *ptk); + void (*clear_ptksa)(void *ctx, const u8 *addr, int cipher); #ifdef CONFIG_IEEE80211R_AP struct wpa_state_machine * (*add_sta)(void *ctx, const u8 *sta_addr); int (*set_vlan)(void *ctx, const u8 *sta_addr, diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 2d0299be00..6d7fd5902f 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c 
@@ -863,6 +863,26 @@ static int hostapd_channel_info(void *ctx, struct wpa_channel_info *ci) return hostapd_drv_channel_info(hapd, ci); } +#ifdef CONFIG_PASN + +static void hostapd_store_ptksa(void *ctx, const u8 *addr,int cipher, + u32 life_time, struct wpa_ptk *ptk) +{ + struct hostapd_data *hapd = ctx; + + ptksa_cache_add(hapd->ptksa, addr, cipher, life_time, ptk); +} + + +static void hostapd_clear_ptksa(void *ctx, const u8 *addr, int cipher) +{ + struct hostapd_data *hapd = ctx; + + ptksa_cache_flush(hapd->ptksa, addr, cipher); +} + +#endif /* CONFIG_PASN */ + static int hostapd_wpa_auth_update_vlan(void *ctx, const u8 *addr, int vlan_id) { @@ -1361,6 +1381,11 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) .send_oui = hostapd_wpa_auth_send_oui, .channel_info = hostapd_channel_info, .update_vlan = hostapd_wpa_auth_update_vlan, +#ifdef CONFIG_PASN + .store_ptksa = hostapd_store_ptksa, + .clear_ptksa = hostapd_clear_ptksa, +#endif /* CONFIG_PASN */ + #ifdef CONFIG_OCV .get_sta_tx_params = hostapd_get_sta_tx_params, #endif /* CONFIG_OCV */ @@ -1421,6 +1446,12 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) return -1; } + hapd->ptksa = ptksa_cache_init(); + if (!hapd->ptksa) { + wpa_printf(MSG_ERROR, "Failed to allocate PTKSA cache"); + return -1; + } + #ifdef CONFIG_IEEE80211R_AP if (!hostapd_drv_none(hapd) && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt)) { @@ -1460,6 +1491,9 @@ void hostapd_reconfig_wpa(struct hostapd_data *hapd) void hostapd_deinit_wpa(struct hostapd_data *hapd) { ieee80211_tkip_countermeasures_deinit(hapd); + ptksa_cache_deinit(hapd->ptksa); + hapd->ptksa = NULL; + rsn_preauth_iface_deinit(hapd); if (hapd->wpa_auth) { wpa_deinit(hapd->wpa_auth);
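Review bot: In the hostapd/Makefile hunk, ptksa_cache.o is only added to OBJS (and CONFIG_PTKSA_CACHE only defined) inside `ifdef CONFIG_PASN`, yet the src/ap/hostapd.h hunk includes common/ptksa_cache.h unconditionally and the hostapd_setup_wpa()/hostapd_deinit_wpa() hunks call ptksa_cache_init() and ptksa_cache_deinit() outside any #ifdef. Unless ptksa_cache.h supplies inline no-op stubs when CONFIG_PTKSA_CACHE is undefined (not visible in this patch), a build without CONFIG_PASN will fail to link those two symbols; either wrap the init/deinit calls in the same guard or build ptksa_cache.o unconditionally.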
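Review bot: The PTKSA_CACHE_LIST command in the hostapd/ctrl_iface.c hunk is guarded by CONFIG_PASN while the Makefile introduces a dedicated CONFIG_PTKSA_CACHE define; pick one symbol for all PTKSA-related guards so the cache can later be enabled independently of PASN. Since the cache holds live pairwise keys (struct wpa_ptk), please also confirm that ptksa_cache_list() reports only the peer address, cipher and expiry and never key bytes over the control interface.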
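Review bot: wpa_auth_store_ptksa() and wpa_auth_remove_ptksa() in the first src/ap/wpa_auth.c hunk are non-static, but the src/ap/wpa_auth.h hunk adds only the store_ptksa/clear_ptksa callback members and no prototypes for them; as every caller in this patch is inside wpa_auth.c, make them static (or add the prototypes to wpa_auth.h if they are meant for external use). The naming is also asymmetric: the wrapper is called `remove_ptksa` while the callback it invokes is `clear_ptksa`.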
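Review bot: Both the fils_set_tk() and PTKINITDONE hunks store the PTK with dot11RSNAConfigPMKLifetime as the entry lifetime, although the pairwise key itself is rekeyed on the timer armed by wpa_auth_set_ptk_rekey_timer(sm) directly above the new call. Because PTKINITDONE runs again on every rekey, the commit message should state whether ptksa_cache_add() replaces an existing (addr, cipher) entry or appends a second one, and the lifetime should arguably be bounded by the PTK rekey period rather than the PMK lifetime so the cache entry never outlives the key installed in the driver.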
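Review bot: Style nit in the src/ap/wpa_auth_glue.c hunk adding hostapd_store_ptksa(): `const u8 *addr,int cipher` is missing the space after the comma. In the same function the result of ptksa_cache_add() is discarded; if that call can fail (for example on allocation), at least a wpa_printf(MSG_DEBUG, ...) would make a silently missing cache entry diagnosable.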
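Review bot: In the hostapd_setup_wpa() hunk, a failed ptksa_cache_init() returns -1 after the earlier setup steps in that function have already completed (the context shows this sits after a previous `return -1;` path); please check that the caller releases what was set up before this point, or move the allocation ahead of the steps that are not cheaply undone.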
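Review bot: In the hostapd_deinit_wpa() hunk, ptksa_cache_deinit(hapd->ptksa) runs and hapd->ptksa is set to NULL before wpa_deinit(hapd->wpa_auth). Tearing down the authenticator can invoke wpa_remove_ptk() on the remaining state machines, which through the new wpa_auth_remove_ptksa() path ends in hostapd_clear_ptksa() calling ptksa_cache_flush() with a NULL cache. Either move the cache teardown after wpa_deinit() or make ptksa_cache_flush() tolerate a NULL cache pointer; in both cases please confirm that ptksa_cache_deinit() zeroes the stored struct wpa_ptk entries before freeing them, as they hold live key material.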