Home | History | Annotate | Download | only in ap
      1 /*
      2  * hostapd - PMKSA cache for IEEE 802.11i RSN
      3  * Copyright (c) 2004-2008, 2012-2015, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "utils/includes.h"
     10 
     11 #include "utils/common.h"
     12 #include "utils/eloop.h"
     13 #include "eapol_auth/eapol_auth_sm.h"
     14 #include "eapol_auth/eapol_auth_sm_i.h"
     15 #include "radius/radius_das.h"
     16 #include "sta_info.h"
     17 #include "ap_config.h"
     18 #include "pmksa_cache_auth.h"
     19 
     20 
     21 static const int pmksa_cache_max_entries = 1024;
     22 static const int dot11RSNAConfigPMKLifetime = 43200;
     23 
     24 struct rsn_pmksa_cache {
     25 #define PMKID_HASH_SIZE 128
     26 #define PMKID_HASH(pmkid) (unsigned int) ((pmkid)[0] & 0x7f)
     27 	struct rsn_pmksa_cache_entry *pmkid[PMKID_HASH_SIZE];
     28 	struct rsn_pmksa_cache_entry *pmksa;
     29 	int pmksa_count;
     30 
     31 	void (*free_cb)(struct rsn_pmksa_cache_entry *entry, void *ctx);
     32 	void *ctx;
     33 };
     34 
     35 
     36 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa);
     37 
     38 
     39 static void _pmksa_cache_free_entry(struct rsn_pmksa_cache_entry *entry)
     40 {
     41 	os_free(entry->vlan_desc);
     42 	os_free(entry->identity);
     43 	wpabuf_free(entry->cui);
     44 #ifndef CONFIG_NO_RADIUS
     45 	radius_free_class(&entry->radius_class);
     46 #endif /* CONFIG_NO_RADIUS */
     47 	bin_clear_free(entry, sizeof(*entry));
     48 }
     49 
     50 
     51 void pmksa_cache_free_entry(struct rsn_pmksa_cache *pmksa,
     52 			    struct rsn_pmksa_cache_entry *entry)
     53 {
     54 	struct rsn_pmksa_cache_entry *pos, *prev;
     55 	unsigned int hash;
     56 
     57 	pmksa->pmksa_count--;
     58 	pmksa->free_cb(entry, pmksa->ctx);
     59 
     60 	/* unlink from hash list */
     61 	hash = PMKID_HASH(entry->pmkid);
     62 	pos = pmksa->pmkid[hash];
     63 	prev = NULL;
     64 	while (pos) {
     65 		if (pos == entry) {
     66 			if (prev != NULL)
     67 				prev->hnext = entry->hnext;
     68 			else
     69 				pmksa->pmkid[hash] = entry->hnext;
     70 			break;
     71 		}
     72 		prev = pos;
     73 		pos = pos->hnext;
     74 	}
     75 
     76 	/* unlink from entry list */
     77 	pos = pmksa->pmksa;
     78 	prev = NULL;
     79 	while (pos) {
     80 		if (pos == entry) {
     81 			if (prev != NULL)
     82 				prev->next = entry->next;
     83 			else
     84 				pmksa->pmksa = entry->next;
     85 			break;
     86 		}
     87 		prev = pos;
     88 		pos = pos->next;
     89 	}
     90 
     91 	_pmksa_cache_free_entry(entry);
     92 }
     93 
     94 
     95 /**
     96  * pmksa_cache_auth_flush - Flush all PMKSA cache entries
     97  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
     98  */
     99 void pmksa_cache_auth_flush(struct rsn_pmksa_cache *pmksa)
    100 {
    101 	while (pmksa->pmksa) {
    102 		wpa_printf(MSG_DEBUG, "RSN: Flush PMKSA cache entry for "
    103 			   MACSTR, MAC2STR(pmksa->pmksa->spa));
    104 		pmksa_cache_free_entry(pmksa, pmksa->pmksa);
    105 	}
    106 }
    107 
    108 
    109 static void pmksa_cache_expire(void *eloop_ctx, void *timeout_ctx)
    110 {
    111 	struct rsn_pmksa_cache *pmksa = eloop_ctx;
    112 	struct os_reltime now;
    113 
    114 	os_get_reltime(&now);
    115 	while (pmksa->pmksa && pmksa->pmksa->expiration <= now.sec) {
    116 		wpa_printf(MSG_DEBUG, "RSN: expired PMKSA cache entry for "
    117 			   MACSTR, MAC2STR(pmksa->pmksa->spa));
    118 		pmksa_cache_free_entry(pmksa, pmksa->pmksa);
    119 	}
    120 
    121 	pmksa_cache_set_expiration(pmksa);
    122 }
    123 
    124 
    125 static void pmksa_cache_set_expiration(struct rsn_pmksa_cache *pmksa)
    126 {
    127 	int sec;
    128 	struct os_reltime now;
    129 
    130 	eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
    131 	if (pmksa->pmksa == NULL)
    132 		return;
    133 	os_get_reltime(&now);
    134 	sec = pmksa->pmksa->expiration - now.sec;
    135 	if (sec < 0)
    136 		sec = 0;
    137 	eloop_register_timeout(sec + 1, 0, pmksa_cache_expire, pmksa, NULL);
    138 }
    139 
    140 
    141 static void pmksa_cache_from_eapol_data(struct rsn_pmksa_cache_entry *entry,
    142 					struct eapol_state_machine *eapol)
    143 {
    144 	struct vlan_description *vlan_desc;
    145 
    146 	if (eapol == NULL)
    147 		return;
    148 
    149 	if (eapol->identity) {
    150 		entry->identity = os_malloc(eapol->identity_len);
    151 		if (entry->identity) {
    152 			entry->identity_len = eapol->identity_len;
    153 			os_memcpy(entry->identity, eapol->identity,
    154 				  eapol->identity_len);
    155 		}
    156 	}
    157 
    158 	if (eapol->radius_cui)
    159 		entry->cui = wpabuf_dup(eapol->radius_cui);
    160 
    161 #ifndef CONFIG_NO_RADIUS
    162 	radius_copy_class(&entry->radius_class, &eapol->radius_class);
    163 #endif /* CONFIG_NO_RADIUS */
    164 
    165 	entry->eap_type_authsrv = eapol->eap_type_authsrv;
    166 
    167 	vlan_desc = ((struct sta_info *) eapol->sta)->vlan_desc;
    168 	if (vlan_desc && vlan_desc->notempty) {
    169 		entry->vlan_desc = os_zalloc(sizeof(struct vlan_description));
    170 		if (entry->vlan_desc)
    171 			*entry->vlan_desc = *vlan_desc;
    172 	} else {
    173 		entry->vlan_desc = NULL;
    174 	}
    175 
    176 	entry->acct_multi_session_id = eapol->acct_multi_session_id;
    177 }
    178 
    179 
    180 void pmksa_cache_to_eapol_data(struct hostapd_data *hapd,
    181 			       struct rsn_pmksa_cache_entry *entry,
    182 			       struct eapol_state_machine *eapol)
    183 {
    184 	if (entry == NULL || eapol == NULL)
    185 		return;
    186 
    187 	if (entry->identity) {
    188 		os_free(eapol->identity);
    189 		eapol->identity = os_malloc(entry->identity_len);
    190 		if (eapol->identity) {
    191 			eapol->identity_len = entry->identity_len;
    192 			os_memcpy(eapol->identity, entry->identity,
    193 				  entry->identity_len);
    194 		}
    195 		wpa_hexdump_ascii(MSG_DEBUG, "STA identity from PMKSA",
    196 				  eapol->identity, eapol->identity_len);
    197 	}
    198 
    199 	if (entry->cui) {
    200 		wpabuf_free(eapol->radius_cui);
    201 		eapol->radius_cui = wpabuf_dup(entry->cui);
    202 	}
    203 
    204 #ifndef CONFIG_NO_RADIUS
    205 	radius_free_class(&eapol->radius_class);
    206 	radius_copy_class(&eapol->radius_class, &entry->radius_class);
    207 #endif /* CONFIG_NO_RADIUS */
    208 	if (eapol->radius_class.attr) {
    209 		wpa_printf(MSG_DEBUG, "Copied %lu Class attribute(s) from "
    210 			   "PMKSA", (unsigned long) eapol->radius_class.count);
    211 	}
    212 
    213 	eapol->eap_type_authsrv = entry->eap_type_authsrv;
    214 #ifndef CONFIG_NO_VLAN
    215 	ap_sta_set_vlan(hapd, eapol->sta, entry->vlan_desc);
    216 #endif /* CONFIG_NO_VLAN */
    217 
    218 	eapol->acct_multi_session_id = entry->acct_multi_session_id;
    219 }
    220 
    221 
    222 static void pmksa_cache_link_entry(struct rsn_pmksa_cache *pmksa,
    223 				   struct rsn_pmksa_cache_entry *entry)
    224 {
    225 	struct rsn_pmksa_cache_entry *pos, *prev;
    226 	int hash;
    227 
    228 	/* Add the new entry; order by expiration time */
    229 	pos = pmksa->pmksa;
    230 	prev = NULL;
    231 	while (pos) {
    232 		if (pos->expiration > entry->expiration)
    233 			break;
    234 		prev = pos;
    235 		pos = pos->next;
    236 	}
    237 	if (prev == NULL) {
    238 		entry->next = pmksa->pmksa;
    239 		pmksa->pmksa = entry;
    240 	} else {
    241 		entry->next = prev->next;
    242 		prev->next = entry;
    243 	}
    244 
    245 	hash = PMKID_HASH(entry->pmkid);
    246 	entry->hnext = pmksa->pmkid[hash];
    247 	pmksa->pmkid[hash] = entry;
    248 
    249 	pmksa->pmksa_count++;
    250 	if (prev == NULL)
    251 		pmksa_cache_set_expiration(pmksa);
    252 	wpa_printf(MSG_DEBUG, "RSN: added PMKSA cache entry for " MACSTR,
    253 		   MAC2STR(entry->spa));
    254 	wpa_hexdump(MSG_DEBUG, "RSN: added PMKID", entry->pmkid, PMKID_LEN);
    255 }
    256 
    257 
    258 /**
    259  * pmksa_cache_auth_add - Add a PMKSA cache entry
    260  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
    261  * @pmk: The new pairwise master key
    262  * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
    263  * @pmkid: Calculated PMKID
    264  * @kck: Key confirmation key or %NULL if not yet derived
    265  * @kck_len: KCK length in bytes
    266  * @aa: Authenticator address
    267  * @spa: Supplicant address
    268  * @session_timeout: Session timeout
    269  * @eapol: Pointer to EAPOL state machine data
    270  * @akmp: WPA_KEY_MGMT_* used in key derivation
    271  * Returns: Pointer to the added PMKSA cache entry or %NULL on error
    272  *
    273  * This function create a PMKSA entry for a new PMK and adds it to the PMKSA
    274  * cache. If an old entry is already in the cache for the same Supplicant,
    275  * this entry will be replaced with the new entry. PMKID will be calculated
    276  * based on the PMK.
    277  */
    278 struct rsn_pmksa_cache_entry *
    279 pmksa_cache_auth_add(struct rsn_pmksa_cache *pmksa,
    280 		     const u8 *pmk, size_t pmk_len, const u8 *pmkid,
    281 		     const u8 *kck, size_t kck_len,
    282 		     const u8 *aa, const u8 *spa, int session_timeout,
    283 		     struct eapol_state_machine *eapol, int akmp)
    284 {
    285 	struct rsn_pmksa_cache_entry *entry;
    286 
    287 	entry = pmksa_cache_auth_create_entry(pmk, pmk_len, pmkid, kck, kck_len,
    288 					      aa, spa, session_timeout, eapol,
    289 					      akmp);
    290 
    291 	if (pmksa_cache_auth_add_entry(pmksa, entry) < 0)
    292 		return NULL;
    293 
    294 	return entry;
    295 }
    296 
    297 
    298 /**
    299  * pmksa_cache_auth_create_entry - Create a PMKSA cache entry
    300  * @pmk: The new pairwise master key
    301  * @pmk_len: PMK length in bytes, usually PMK_LEN (32)
    302  * @pmkid: Calculated PMKID
    303  * @kck: Key confirmation key or %NULL if not yet derived
    304  * @kck_len: KCK length in bytes
    305  * @aa: Authenticator address
    306  * @spa: Supplicant address
    307  * @session_timeout: Session timeout
    308  * @eapol: Pointer to EAPOL state machine data
    309  * @akmp: WPA_KEY_MGMT_* used in key derivation
    310  * Returns: Pointer to the added PMKSA cache entry or %NULL on error
    311  *
    312  * This function creates a PMKSA entry.
    313  */
    314 struct rsn_pmksa_cache_entry *
    315 pmksa_cache_auth_create_entry(const u8 *pmk, size_t pmk_len, const u8 *pmkid,
    316 			      const u8 *kck, size_t kck_len, const u8 *aa,
    317 			      const u8 *spa, int session_timeout,
    318 			      struct eapol_state_machine *eapol, int akmp)
    319 {
    320 	struct rsn_pmksa_cache_entry *entry;
    321 	struct os_reltime now;
    322 
    323 	if (pmk_len > PMK_LEN_MAX)
    324 		return NULL;
    325 
    326 	if (wpa_key_mgmt_suite_b(akmp) && !kck)
    327 		return NULL;
    328 
    329 	entry = os_zalloc(sizeof(*entry));
    330 	if (entry == NULL)
    331 		return NULL;
    332 	os_memcpy(entry->pmk, pmk, pmk_len);
    333 	entry->pmk_len = pmk_len;
    334 	if (pmkid)
    335 		os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
    336 	else if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
    337 		rsn_pmkid_suite_b_192(kck, kck_len, aa, spa, entry->pmkid);
    338 	else if (wpa_key_mgmt_suite_b(akmp))
    339 		rsn_pmkid_suite_b(kck, kck_len, aa, spa, entry->pmkid);
    340 	else
    341 		rsn_pmkid(pmk, pmk_len, aa, spa, entry->pmkid,
    342 			  wpa_key_mgmt_sha256(akmp));
    343 	os_get_reltime(&now);
    344 	entry->expiration = now.sec;
    345 	if (session_timeout > 0)
    346 		entry->expiration += session_timeout;
    347 	else
    348 		entry->expiration += dot11RSNAConfigPMKLifetime;
    349 	entry->akmp = akmp;
    350 	os_memcpy(entry->spa, spa, ETH_ALEN);
    351 	pmksa_cache_from_eapol_data(entry, eapol);
    352 
    353 	return entry;
    354 }
    355 
    356 
    357 /**
    358  * pmksa_cache_auth_add_entry - Add a PMKSA cache entry
    359  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
    360  * @entry: Pointer to PMKSA cache entry
    361  *
    362  * This function adds PMKSA cache entry to the PMKSA cache. If an old entry is
    363  * already in the cache for the same Supplicant, this entry will be replaced
    364  * with the new entry. PMKID will be calculated based on the PMK.
    365  */
    366 int pmksa_cache_auth_add_entry(struct rsn_pmksa_cache *pmksa,
    367 			       struct rsn_pmksa_cache_entry *entry)
    368 {
    369 	struct rsn_pmksa_cache_entry *pos;
    370 
    371 	if (entry == NULL)
    372 		return -1;
    373 
    374 	/* Replace an old entry for the same STA (if found) with the new entry
    375 	 */
    376 	pos = pmksa_cache_auth_get(pmksa, entry->spa, NULL);
    377 	if (pos)
    378 		pmksa_cache_free_entry(pmksa, pos);
    379 
    380 	if (pmksa->pmksa_count >= pmksa_cache_max_entries && pmksa->pmksa) {
    381 		/* Remove the oldest entry to make room for the new entry */
    382 		wpa_printf(MSG_DEBUG, "RSN: removed the oldest PMKSA cache "
    383 			   "entry (for " MACSTR ") to make room for new one",
    384 			   MAC2STR(pmksa->pmksa->spa));
    385 		pmksa_cache_free_entry(pmksa, pmksa->pmksa);
    386 	}
    387 
    388 	pmksa_cache_link_entry(pmksa, entry);
    389 
    390 	return 0;
    391 }
    392 
    393 
    394 struct rsn_pmksa_cache_entry *
    395 pmksa_cache_add_okc(struct rsn_pmksa_cache *pmksa,
    396 		    const struct rsn_pmksa_cache_entry *old_entry,
    397 		    const u8 *aa, const u8 *pmkid)
    398 {
    399 	struct rsn_pmksa_cache_entry *entry;
    400 
    401 	entry = os_zalloc(sizeof(*entry));
    402 	if (entry == NULL)
    403 		return NULL;
    404 	os_memcpy(entry->pmkid, pmkid, PMKID_LEN);
    405 	os_memcpy(entry->pmk, old_entry->pmk, old_entry->pmk_len);
    406 	entry->pmk_len = old_entry->pmk_len;
    407 	entry->expiration = old_entry->expiration;
    408 	entry->akmp = old_entry->akmp;
    409 	os_memcpy(entry->spa, old_entry->spa, ETH_ALEN);
    410 	entry->opportunistic = 1;
    411 	if (old_entry->identity) {
    412 		entry->identity = os_malloc(old_entry->identity_len);
    413 		if (entry->identity) {
    414 			entry->identity_len = old_entry->identity_len;
    415 			os_memcpy(entry->identity, old_entry->identity,
    416 				  old_entry->identity_len);
    417 		}
    418 	}
    419 	if (old_entry->cui)
    420 		entry->cui = wpabuf_dup(old_entry->cui);
    421 #ifndef CONFIG_NO_RADIUS
    422 	radius_copy_class(&entry->radius_class, &old_entry->radius_class);
    423 #endif /* CONFIG_NO_RADIUS */
    424 	entry->eap_type_authsrv = old_entry->eap_type_authsrv;
    425 	if (old_entry->vlan_desc) {
    426 		entry->vlan_desc = os_zalloc(sizeof(struct vlan_description));
    427 		if (entry->vlan_desc)
    428 			*entry->vlan_desc = *old_entry->vlan_desc;
    429 	} else {
    430 		entry->vlan_desc = NULL;
    431 	}
    432 	entry->opportunistic = 1;
    433 
    434 	pmksa_cache_link_entry(pmksa, entry);
    435 
    436 	return entry;
    437 }
    438 
    439 
    440 /**
    441  * pmksa_cache_auth_deinit - Free all entries in PMKSA cache
    442  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
    443  */
    444 void pmksa_cache_auth_deinit(struct rsn_pmksa_cache *pmksa)
    445 {
    446 	struct rsn_pmksa_cache_entry *entry, *prev;
    447 	int i;
    448 
    449 	if (pmksa == NULL)
    450 		return;
    451 
    452 	entry = pmksa->pmksa;
    453 	while (entry) {
    454 		prev = entry;
    455 		entry = entry->next;
    456 		_pmksa_cache_free_entry(prev);
    457 	}
    458 	eloop_cancel_timeout(pmksa_cache_expire, pmksa, NULL);
    459 	pmksa->pmksa_count = 0;
    460 	pmksa->pmksa = NULL;
    461 	for (i = 0; i < PMKID_HASH_SIZE; i++)
    462 		pmksa->pmkid[i] = NULL;
    463 	os_free(pmksa);
    464 }
    465 
    466 
    467 /**
    468  * pmksa_cache_auth_get - Fetch a PMKSA cache entry
    469  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
    470  * @spa: Supplicant address or %NULL to match any
    471  * @pmkid: PMKID or %NULL to match any
    472  * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
    473  */
    474 struct rsn_pmksa_cache_entry *
    475 pmksa_cache_auth_get(struct rsn_pmksa_cache *pmksa,
    476 		     const u8 *spa, const u8 *pmkid)
    477 {
    478 	struct rsn_pmksa_cache_entry *entry;
    479 
    480 	if (pmkid) {
    481 		for (entry = pmksa->pmkid[PMKID_HASH(pmkid)]; entry;
    482 		     entry = entry->hnext) {
    483 			if ((spa == NULL ||
    484 			     os_memcmp(entry->spa, spa, ETH_ALEN) == 0) &&
    485 			    os_memcmp(entry->pmkid, pmkid, PMKID_LEN) == 0)
    486 				return entry;
    487 		}
    488 	} else {
    489 		for (entry = pmksa->pmksa; entry; entry = entry->next) {
    490 			if (spa == NULL ||
    491 			    os_memcmp(entry->spa, spa, ETH_ALEN) == 0)
    492 				return entry;
    493 		}
    494 	}
    495 
    496 	return NULL;
    497 }
    498 
    499 
    500 /**
    501  * pmksa_cache_get_okc - Fetch a PMKSA cache entry using OKC
    502  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
    503  * @aa: Authenticator address
    504  * @spa: Supplicant address
    505  * @pmkid: PMKID
    506  * Returns: Pointer to PMKSA cache entry or %NULL if no match was found
    507  *
    508  * Use opportunistic key caching (OKC) to find a PMK for a supplicant.
    509  */
    510 struct rsn_pmksa_cache_entry * pmksa_cache_get_okc(
    511 	struct rsn_pmksa_cache *pmksa, const u8 *aa, const u8 *spa,
    512 	const u8 *pmkid)
    513 {
    514 	struct rsn_pmksa_cache_entry *entry;
    515 	u8 new_pmkid[PMKID_LEN];
    516 
    517 	for (entry = pmksa->pmksa; entry; entry = entry->next) {
    518 		if (os_memcmp(entry->spa, spa, ETH_ALEN) != 0)
    519 			continue;
    520 		rsn_pmkid(entry->pmk, entry->pmk_len, aa, spa, new_pmkid,
    521 			  wpa_key_mgmt_sha256(entry->akmp));
    522 		if (os_memcmp(new_pmkid, pmkid, PMKID_LEN) == 0)
    523 			return entry;
    524 	}
    525 	return NULL;
    526 }
    527 
    528 
    529 /**
    530  * pmksa_cache_auth_init - Initialize PMKSA cache
    531  * @free_cb: Callback function to be called when a PMKSA cache entry is freed
    532  * @ctx: Context pointer for free_cb function
    533  * Returns: Pointer to PMKSA cache data or %NULL on failure
    534  */
    535 struct rsn_pmksa_cache *
    536 pmksa_cache_auth_init(void (*free_cb)(struct rsn_pmksa_cache_entry *entry,
    537 				      void *ctx), void *ctx)
    538 {
    539 	struct rsn_pmksa_cache *pmksa;
    540 
    541 	pmksa = os_zalloc(sizeof(*pmksa));
    542 	if (pmksa) {
    543 		pmksa->free_cb = free_cb;
    544 		pmksa->ctx = ctx;
    545 	}
    546 
    547 	return pmksa;
    548 }
    549 
    550 
    551 static int das_attr_match(struct rsn_pmksa_cache_entry *entry,
    552 			  struct radius_das_attrs *attr)
    553 {
    554 	int match = 0;
    555 
    556 	if (attr->sta_addr) {
    557 		if (os_memcmp(attr->sta_addr, entry->spa, ETH_ALEN) != 0)
    558 			return 0;
    559 		match++;
    560 	}
    561 
    562 	if (attr->acct_multi_session_id) {
    563 		char buf[20];
    564 
    565 		if (attr->acct_multi_session_id_len != 16)
    566 			return 0;
    567 		os_snprintf(buf, sizeof(buf), "%016llX",
    568 			    (unsigned long long) entry->acct_multi_session_id);
    569 		if (os_memcmp(attr->acct_multi_session_id, buf, 16) != 0)
    570 			return 0;
    571 		match++;
    572 	}
    573 
    574 	if (attr->cui) {
    575 		if (!entry->cui ||
    576 		    attr->cui_len != wpabuf_len(entry->cui) ||
    577 		    os_memcmp(attr->cui, wpabuf_head(entry->cui),
    578 			      attr->cui_len) != 0)
    579 			return 0;
    580 		match++;
    581 	}
    582 
    583 	if (attr->user_name) {
    584 		if (!entry->identity ||
    585 		    attr->user_name_len != entry->identity_len ||
    586 		    os_memcmp(attr->user_name, entry->identity,
    587 			      attr->user_name_len) != 0)
    588 			return 0;
    589 		match++;
    590 	}
    591 
    592 	return match;
    593 }
    594 
    595 
    596 int pmksa_cache_auth_radius_das_disconnect(struct rsn_pmksa_cache *pmksa,
    597 					   struct radius_das_attrs *attr)
    598 {
    599 	int found = 0;
    600 	struct rsn_pmksa_cache_entry *entry, *prev;
    601 
    602 	if (attr->acct_session_id)
    603 		return -1;
    604 
    605 	entry = pmksa->pmksa;
    606 	while (entry) {
    607 		if (das_attr_match(entry, attr)) {
    608 			found++;
    609 			prev = entry;
    610 			entry = entry->next;
    611 			pmksa_cache_free_entry(pmksa, prev);
    612 			continue;
    613 		}
    614 		entry = entry->next;
    615 	}
    616 
    617 	return found ? 0 : -1;
    618 }
    619 
    620 
    621 /**
    622  * pmksa_cache_auth_list - Dump text list of entries in PMKSA cache
    623  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
    624  * @buf: Buffer for the list
    625  * @len: Length of the buffer
    626  * Returns: Number of bytes written to buffer
    627  *
    628  * This function is used to generate a text format representation of the
    629  * current PMKSA cache contents for the ctrl_iface PMKSA command.
    630  */
    631 int pmksa_cache_auth_list(struct rsn_pmksa_cache *pmksa, char *buf, size_t len)
    632 {
    633 	int i, ret;
    634 	char *pos = buf;
    635 	struct rsn_pmksa_cache_entry *entry;
    636 	struct os_reltime now;
    637 
    638 	os_get_reltime(&now);
    639 	ret = os_snprintf(pos, buf + len - pos,
    640 			  "Index / SPA / PMKID / expiration (in seconds) / opportunistic\n");
    641 	if (os_snprintf_error(buf + len - pos, ret))
    642 		return pos - buf;
    643 	pos += ret;
    644 	i = 0;
    645 	entry = pmksa->pmksa;
    646 	while (entry) {
    647 		ret = os_snprintf(pos, buf + len - pos, "%d " MACSTR " ",
    648 				  i, MAC2STR(entry->spa));
    649 		if (os_snprintf_error(buf + len - pos, ret))
    650 			return pos - buf;
    651 		pos += ret;
    652 		pos += wpa_snprintf_hex(pos, buf + len - pos, entry->pmkid,
    653 					PMKID_LEN);
    654 		ret = os_snprintf(pos, buf + len - pos, " %d %d\n",
    655 				  (int) (entry->expiration - now.sec),
    656 				  entry->opportunistic);
    657 		if (os_snprintf_error(buf + len - pos, ret))
    658 			return pos - buf;
    659 		pos += ret;
    660 		entry = entry->next;
    661 	}
    662 	return pos - buf;
    663 }
    664 
    665 
    666 #ifdef CONFIG_PMKSA_CACHE_EXTERNAL
    667 #ifdef CONFIG_MESH
    668 
    669 /**
    670  * pmksa_cache_auth_list_mesh - Dump text list of entries in PMKSA cache
    671  * @pmksa: Pointer to PMKSA cache data from pmksa_cache_auth_init()
    672  * @addr: MAC address of the peer (NULL means any)
    673  * @buf: Buffer for the list
    674  * @len: Length of the buffer
    675  * Returns: Number of bytes written to buffer
    676  *
    677  * This function is used to generate a text format representation of the
    678  * current PMKSA cache contents for the ctrl_iface PMKSA_GET command to store
    679  * in external storage.
    680  */
    681 int pmksa_cache_auth_list_mesh(struct rsn_pmksa_cache *pmksa, const u8 *addr,
    682 			       char *buf, size_t len)
    683 {
    684 	int ret;
    685 	char *pos, *end;
    686 	struct rsn_pmksa_cache_entry *entry;
    687 	struct os_reltime now;
    688 
    689 	pos = buf;
    690 	end = buf + len;
    691 	os_get_reltime(&now);
    692 
    693 
    694 	/*
    695 	 * Entry format:
    696 	 * <BSSID> <PMKID> <PMK> <expiration in seconds>
    697 	 */
    698 	for (entry = pmksa->pmksa; entry; entry = entry->next) {
    699 		if (addr && os_memcmp(entry->spa, addr, ETH_ALEN) != 0)
    700 			continue;
    701 
    702 		ret = os_snprintf(pos, end - pos, MACSTR " ",
    703 				  MAC2STR(entry->spa));
    704 		if (os_snprintf_error(end - pos, ret))
    705 			return 0;
    706 		pos += ret;
    707 
    708 		pos += wpa_snprintf_hex(pos, end - pos, entry->pmkid,
    709 					PMKID_LEN);
    710 
    711 		ret = os_snprintf(pos, end - pos, " ");
    712 		if (os_snprintf_error(end - pos, ret))
    713 			return 0;
    714 		pos += ret;
    715 
    716 		pos += wpa_snprintf_hex(pos, end - pos, entry->pmk,
    717 					entry->pmk_len);
    718 
    719 		ret = os_snprintf(pos, end - pos, " %d\n",
    720 				  (int) (entry->expiration - now.sec));
    721 		if (os_snprintf_error(end - pos, ret))
    722 			return 0;
    723 		pos += ret;
    724 	}
    725 
    726 	return pos - buf;
    727 }
    728 
    729 #endif /* CONFIG_MESH */
    730 #endif /* CONFIG_PMKSA_CACHE_EXTERNAL */
    731