* [PATCH 1/6] fils: isolate ERP cache into fils.c
@ 2021-08-03 17:27 James Prestwood
  2021-08-03 17:27 ` [PATCH 2/6] station: don't set ERP cache to handshake James Prestwood
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: James Prestwood @ 2021-08-03 17:27 UTC (permalink / raw)
  To: iwd

[-- Attachment #1: Type: text/plain, Size: 1281 bytes --]

This removes the need for the handshake_state to hold a reference
to the ERP cache. Really the handshake_state was merely holding a
pointer between station and fils and never needed to reference it
beyond fils_sm_new.
---
 src/fils.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/fils.c b/src/fils.c
index 7fffefb3..4e67d8df 100644
--- a/src/fils.c
+++ b/src/fils.c
@@ -567,6 +567,8 @@ struct auth_proto *fils_sm_new(struct handshake_state *hs,
 				void *user_data)
 {
 	struct fils_sm *fils;
+	struct erp_cache_entry *erp;
+	char ssid[33];
 
 	fils = l_new(struct fils_sm, 1);
 
@@ -580,7 +582,17 @@ struct auth_proto *fils_sm_new(struct handshake_state *hs,
 	fils->ap.rx_authenticate = fils_rx_authenticate;
 	fils->ap.rx_associate = fils_rx_associate;
 
-	fils->erp = erp_new(hs->erp_cache, fils_erp_tx_func, fils);
+	memcpy(ssid, hs->ssid, hs->ssid_len);
+	ssid[hs->ssid_len] = '\0';
+
+	/*
+	 * If FILS was chosen the ERP identity is known to exist, checked by
+	 * network_has_erp_identity. erp_new takes ownership of the cache and
+	 * will free it upon erp_free.
+	 */
+	erp = erp_cache_get(ssid);
+
+	fils->erp = erp_new(erp, fils_erp_tx_func, fils);
 
 	return &fils->ap;
 }
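Review bot: `memcpy(ssid, hs->ssid, hs->ssid_len)` and the terminator write `ssid[hs->ssid_len] = '\0'` trust hs->ssid_len to be at most 32, and nothing in this hunk checks it against the 33-byte stack buffer; if that bound is not enforced where the handshake SSID is set (not visible here), this is a stack overflow. A guard ahead of the copy, such as `if (hs->ssid_len >= sizeof(ssid)) { l_free(fils); return NULL; }`, would make the bound local, assuming callers tolerate a NULL return. The result of `erp_cache_get(ssid)` is also handed to erp_new unchecked: the comment says the identity was verified earlier, but find_keycache skips expired entries (see 6/6), so a NULL looks possible if the entry expires between that check and this call, and erp_free dereferences erp->cache. The body of fils_sm_new begins outside this hunk.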
-- 
2.31.1


* [PATCH 2/6] station: don't set ERP cache to handshake
  2021-08-03 17:27 [PATCH 1/6] fils: isolate ERP cache into fils.c James Prestwood
@ 2021-08-03 17:27 ` James Prestwood
  2021-08-03 17:27 ` [PATCH 3/6] handshake: remove ERP cache pointer James Prestwood
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: James Prestwood @ 2021-08-03 17:27 UTC (permalink / raw)
  To: iwd

[-- Attachment #1: Type: text/plain, Size: 893 bytes --]

This is now done internally by fils.
---
 src/station.c | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/src/station.c b/src/station.c
index e914abb3..b793c8e5 100644
--- a/src/station.c
+++ b/src/station.c
@@ -889,17 +889,6 @@ static struct handshake_state *station_handshake_setup(struct station *station,
 	if (network_handshake_setup(network, hs) < 0)
 		goto not_supported;
 
-	/*
-	 * If FILS was chosen, the ERP cache has been verified to exist. We
-	 * wait to get it until here because@this point so there are no
-	 * failure paths before fils_sm_new
-	 */
-	if (hs->akm_suite & (IE_RSN_AKM_SUITE_FILS_SHA256 |
-				IE_RSN_AKM_SUITE_FILS_SHA384 |
-				IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA256 |
-				IE_RSN_AKM_SUITE_FT_OVER_FILS_SHA384))
-		hs->erp_cache = erp_cache_get(network_get_ssid(network));
-
 	return hs;
 
 not_supported:
-- 
2.31.1


* [PATCH 3/6] handshake: remove ERP cache pointer
  2021-08-03 17:27 [PATCH 1/6] fils: isolate ERP cache into fils.c James Prestwood
  2021-08-03 17:27 ` [PATCH 2/6] station: don't set ERP cache to handshake James Prestwood
@ 2021-08-03 17:27 ` James Prestwood
  2021-08-03 17:27 ` [PATCH 4/6] erp: add erp_cache_check_identity James Prestwood
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: James Prestwood @ 2021-08-03 17:27 UTC (permalink / raw)
  To: iwd

[-- Attachment #1: Type: text/plain, Size: 455 bytes --]

---
 src/handshake.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/handshake.h b/src/handshake.h
index 2d51da7c..955e2eec 100644
--- a/src/handshake.h
+++ b/src/handshake.h
@@ -132,7 +132,6 @@ struct handshake_state {
 	uint8_t gtk_rsc[6];
 	uint8_t proto_version : 2;
 	unsigned int gtk_index;
-	struct erp_cache_entry *erp_cache;
 	bool support_ip_allocation : 1;
 	uint32_t client_ip_addr;
 	uint32_t subnet_mask;
-- 
2.31.1


* [PATCH 4/6] erp: add erp_cache_check_identity
  2021-08-03 17:27 [PATCH 1/6] fils: isolate ERP cache into fils.c James Prestwood
  2021-08-03 17:27 ` [PATCH 2/6] station: don't set ERP cache to handshake James Prestwood
  2021-08-03 17:27 ` [PATCH 3/6] handshake: remove ERP cache pointer James Prestwood
@ 2021-08-03 17:27 ` James Prestwood
  2021-08-03 17:27 ` [PATCH 5/6] network: use erp_cache_check_identity James Prestwood
  2021-08-03 17:27 ` [PATCH 6/6] erp: refactor to eliminate references/put/remove James Prestwood
  4 siblings, 0 replies; 6+ messages in thread
From: James Prestwood @ 2021-08-03 17:27 UTC (permalink / raw)
  To: iwd

[-- Attachment #1: Type: text/plain, Size: 1971 bytes --]

This offloads the ERP bookkeeping from network_has_erp_identity
into erp.c itself. Currently network needs to grab a cache
reference, check the identity, and potentially remove the entry
if it does not match. By moving this entirely into erp.c we can
avoid the need for ERP references altogether, as well as remove
several exposed APIs.
---
 src/erp.c | 23 +++++++++++++++++++++++
 src/erp.h |  2 ++
 2 files changed, 25 insertions(+)

diff --git a/src/erp.c b/src/erp.c
index 4db32feb..3ff277ea 100644
--- a/src/erp.c
+++ b/src/erp.c
@@ -267,6 +267,29 @@ const char *erp_cache_entry_get_identity(struct erp_cache_entry *cache)
 	return cache->id;
 }
 
+bool erp_cache_check_identity(const char *ssid, const char *identity)
+{
+	struct erp_cache_entry *cache = find_keycache(NULL, ssid);
+
+	if (!cache)
+		return false;
+
+	if (!strcmp(identity, cache->id))
+		return true;
+
+	/*
+	 * The identity passed here is assumed to be 'verified' i.e. it exists
+	 * in a network provisioning file. If the cache entry we have does not
+	 * match it is invalid and should be removed. This could happen if the
+	 * ERP identity was updated in the provisioning file after already
+	 * establishing an ERP cache from a past connection.
+	 */
+	l_queue_remove(key_cache, cache);
+	erp_cache_entry_destroy(cache);
+
+	return false;
+}
+
 #define ERP_RRK_LABEL	"EAP Re-authentication Root Key(a)ietf.org"
 #define ERP_RIK_LABEL	"Re-authentication Integrity Key(a)ietf.org"
 #define ERP_RMSK_LABEL	"Re-authentication Master Session Key(a)ietf.org"
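Review bot: The mismatch path in erp_cache_check_identity frees the entry unconditionally with `l_queue_remove(key_cache, cache); erp_cache_entry_destroy(cache);` and never looks at cache->ref, while the erp_cache_remove it stands in for (its body is visible in 6/6) only sets `invalid` when a reference is held. If an erp_state still points at this entry when the provisioning identity changes, erp_free will later touch freed memory; after 6/6 drops the counter entirely, the `erp->cache->invalid` read in erp_free has the same exposure. At this point in the series, `if (cache->ref) { cache->invalid = true; return false; }` ahead of the removal would keep the old behaviour. `strcmp(identity, cache->id)` also assumes a non-NULL identity, which the caller in 5/6 does guarantee; that precondition is worth a comment.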
diff --git a/src/erp.h b/src/erp.h
index d2c9da96..433b11c9 100644
--- a/src/erp.h
+++ b/src/erp.h
@@ -51,3 +51,5 @@ struct erp_cache_entry *erp_cache_get(const char *ssid);
 void erp_cache_put(struct erp_cache_entry *cache);
 
 const char *erp_cache_entry_get_identity(struct erp_cache_entry *cache);
+
+bool erp_cache_check_identity(const char *ssid, const char *identity);
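Review bot: The new prototype `erp_cache_check_identity` reads like a pure predicate, but the erp.c side of this patch removes and frees the cache entry when the identity does not match. A short comment above the declaration would make that side effect visible to callers, for example `/* Returns true if the cached ERP identity for ssid matches; a mismatching entry is removed from the cache. */`.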
-- 
2.31.1


* [PATCH 5/6] network: use erp_cache_check_identity
  2021-08-03 17:27 [PATCH 1/6] fils: isolate ERP cache into fils.c James Prestwood
                   ` (2 preceding siblings ...)
  2021-08-03 17:27 ` [PATCH 4/6] erp: add erp_cache_check_identity James Prestwood
@ 2021-08-03 17:27 ` James Prestwood
  2021-08-03 17:27 ` [PATCH 6/6] erp: refactor to eliminate references/put/remove James Prestwood
  4 siblings, 0 replies; 6+ messages in thread
From: James Prestwood @ 2021-08-03 17:27 UTC (permalink / raw)
  To: iwd

[-- Attachment #1: Type: text/plain, Size: 1281 bytes --]

This will both check, and remove an invalidated entry if needed.
---
 src/network.c | 21 +--------------------
 1 file changed, 1 insertion(+), 20 deletions(-)

diff --git a/src/network.c b/src/network.c
index b78a7cbf..ec52e2bd 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1058,10 +1058,8 @@ static bool match_bss(const void *a, const void *b)
 
 bool network_has_erp_identity(struct network *network)
 {
-	struct erp_cache_entry *cache;
 	struct l_settings *settings;
 	char *check_id;
-	const char *identity;
 	bool ret;
 
 	settings = network_get_settings(network);
@@ -1072,26 +1070,9 @@ bool network_has_erp_identity(struct network *network)
 	if (!check_id)
 		return false;
 
-	cache = erp_cache_get(network_get_ssid(network));
-	if (!cache) {
-		l_free(check_id);
-		return false;
-	}
-
-	identity = erp_cache_entry_get_identity(cache);
-
-	ret = strcmp(check_id, identity) == 0;
+	ret = erp_cache_check_identity(network->ssid, check_id);
 
 	l_free(check_id);
-	erp_cache_put(cache);
-
-	/*
-	 * The settings file must have change out from under us. In this
-	 * case we want to remove the ERP entry because it is no longer
-	 * valid.
-	 */
-	if (!ret)
-		erp_cache_remove(identity);
 
 	return ret;
 }
-- 
2.31.1


* [PATCH 6/6] erp: refactor to eliminate references/put/remove
  2021-08-03 17:27 [PATCH 1/6] fils: isolate ERP cache into fils.c James Prestwood
                   ` (3 preceding siblings ...)
  2021-08-03 17:27 ` [PATCH 5/6] network: use erp_cache_check_identity James Prestwood
@ 2021-08-03 17:27 ` James Prestwood
  4 siblings, 0 replies; 6+ messages in thread
From: James Prestwood @ 2021-08-03 17:27 UTC (permalink / raw)
  To: iwd

[-- Attachment #1: Type: text/plain, Size: 4154 bytes --]

The ERP cache has now been isolated and no longer needs to
maintain external reference counts. This removes the need for
erp_cache_remove (done internally now), erp_cache_put,
and erp_cache_entry_get_identity, as well as the cache ref count.
---
 src/erp.c | 71 ++++++++-----------------------------------------------
 src/erp.h |  5 ----
 2 files changed, 10 insertions(+), 66 deletions(-)

diff --git a/src/erp.c b/src/erp.c
index 3ff277ea..50c9f02a 100644
--- a/src/erp.c
+++ b/src/erp.c
@@ -49,7 +49,6 @@ struct erp_cache_entry {
 	size_t session_len;
 	char *ssid;
 	uint64_t expire_time;
-	uint32_t ref;
 	bool invalid : 1;
 };
 
@@ -147,9 +146,6 @@ static void erp_cache_entry_destroy(void *data)
 {
 	struct erp_cache_entry *entry = data;
 
-	if (entry->ref)
-		l_error("ERP entry still has a reference on cleanup!");
-
 	l_free(entry->id);
 	l_free(entry->emsk);
 	l_free(entry->session_id);
@@ -181,11 +177,11 @@ void erp_cache_add(const char *id, const void *session_id,
 	l_queue_push_head(key_cache, entry);
 }
 
-static struct erp_cache_entry *find_keycache(const char *id, const char *ssid)
+static struct erp_cache_entry *find_keycache(const char *ssid)
 {
 	const struct l_queue_entry *entry;
 
-	if (!id && !ssid)
+	if (!ssid)
 		return NULL;
 
 	for (entry = l_queue_get_entries(key_cache); entry;
@@ -196,80 +192,30 @@ static struct erp_cache_entry *find_keycache(const char *id, const char *ssid)
 			continue;
 
 		if (l_time_after(l_time_now(), cache->expire_time)) {
-			if (!cache->ref) {
-				l_queue_remove(key_cache, cache);
-				erp_cache_entry_destroy(cache);
-			} else
-				cache->invalid = true;
-
+			cache->invalid = true;
 			continue;
 		}
 
-		if (id && !strcmp(cache->id, id))
-			return cache;
-
-		if (ssid && !strcmp(cache->ssid, ssid))
+		if (!strcmp(cache->ssid, ssid))
 			return cache;
 	}
 
 	return NULL;
 }
 
-void erp_cache_remove(const char *id)
-{
-	struct erp_cache_entry *entry = find_keycache(id, NULL);
-
-	if (!entry)
-		return;
-
-	if (entry->ref) {
-		entry->invalid = true;
-		return;
-	}
-
-	l_queue_remove(key_cache, entry);
-
-	erp_cache_entry_destroy(entry);
-}
-
 struct erp_cache_entry *erp_cache_get(const char *ssid)
 {
-	struct erp_cache_entry *cache = find_keycache(NULL, ssid);
+	struct erp_cache_entry *cache = find_keycache(ssid);
 
 	if (!cache)
 		return NULL;
 
-	cache->ref++;
-
 	return cache;
 }
 
-void erp_cache_put(struct erp_cache_entry *cache)
-{
-	cache->ref--;
-
-	if (cache->ref)
-		return;
-
-	if (!cache->invalid)
-		return;
-
-	/*
-	 * Cache entry marked as invalid, either it expired or something
-	 * attempted to remove it. Either way, it can now be removed.
-	 */
-	l_queue_remove(key_cache, cache);
-	erp_cache_entry_destroy(cache);
-}
-
-const char *erp_cache_entry_get_identity(struct erp_cache_entry *cache)
-{
-	return cache->id;
-}
-
 bool erp_cache_check_identity(const char *ssid, const char *identity)
 {
-	struct erp_cache_entry *cache = find_keycache(NULL, ssid);
+	struct erp_cache_entry *cache = find_keycache(ssid);
 
 	if (!cache)
 		return false;
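Review bot: An expired entry is now only flagged with `cache->invalid = true` and left in key_cache, where the removed branch destroyed unreferenced entries on the spot. The only code visible in this patch that frees an invalid entry is erp_free, and that runs just for the entry an erp_state holds, so expired entries nobody is using appear to stay queued, together with their EMSK, until something outside this hunk prunes them. If no such path exists, consider destroying expired entries that no erp_state points at, or at least recording in a comment above the loop where they are reclaimed. find_keycache starts before this hunk, so the condition ahead of the first `continue` is not visible.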
@@ -365,7 +311,10 @@ struct erp_state *erp_new(struct erp_cache_entry *cache,
 
 void erp_free(struct erp_state *erp)
 {
-	erp_cache_put(erp->cache);
+	if (erp->cache->invalid) {
+		l_queue_remove(key_cache, erp->cache);
+		erp_cache_entry_destroy(erp->cache);
+	}
 
 	explicit_bzero(erp->rmsk, sizeof(erp->rmsk));
 	explicit_bzero(erp->r_ik, sizeof(erp->r_ik));
diff --git a/src/erp.h b/src/erp.h
index 433b11c9..a6310cb9 100644
--- a/src/erp.h
+++ b/src/erp.h
@@ -45,11 +45,6 @@ void erp_cache_add(const char *id, const void *session_id, size_t session_len,
 			const void *emsk, size_t emsk_len,
 			const char *ssid);
 
-void erp_cache_remove(const char *id);
-
 struct erp_cache_entry *erp_cache_get(const char *ssid);
-void erp_cache_put(struct erp_cache_entry *cache);
-
-const char *erp_cache_entry_get_identity(struct erp_cache_entry *cache);
 
 bool erp_cache_check_identity(const char *ssid, const char *identity);
-- 
2.31.1
