[5/8] FT: include identity and radius_cui in pull/resp frames

Submitted by michael-dev@fami-braun.de on May 18, 2017, 1:21 p.m.

Details

Message ID 1495113717-26860-6-git-send-email-michael-dev@fami-braun.de
State New
Headers show

Commit Message

michael-dev@fami-braun.de May 18, 2017, 1:21 p.m.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
 src/ap/ieee802_11.c    |   3 +
 src/ap/wpa_auth.h      |  12 ++-
 src/ap/wpa_auth_ft.c   | 201 +++++++++++++++++++++++++++++++++++++++++++------
 src/ap/wpa_auth_glue.c | 144 +++++++++++++++++++++++++++++++++++
 4 files changed, 334 insertions(+), 26 deletions(-)

Patch hide | download patch | download mbox

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index d15a70c..5331b2a 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1540,8 +1540,11 @@  ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
 		sta->psk = NULL;
 	}
 
+	os_free(sta->identity);
 	sta->identity = *identity;
 	*identity = NULL;
+
+	os_free(sta->radius_cui);
 	sta->radius_cui = *radius_cui;
 	*radius_cui = NULL;
 
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index bf7bf43..936831b 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -83,6 +83,9 @@  struct ft_rrb_frame {
 #define FT_RRB_VLAN_UNTAGGED 13 /* le16 */
 #define FT_RRB_VLAN_TAGGED   14 /* n times le16 */
 
+#define FT_RRB_IDENTITY      15
+#define FT_RRB_RADIUS_CUI    16
+
 struct ft_rrb_tlv {
 	le16 type;
 	le16 len;
@@ -97,7 +100,7 @@  struct ft_rrb_seq {
 
 /* session TLVs:
  *   required: PMK_R1, PMK_R1_NAME, PAIRWISE
- *   optional: VLAN, EXPIRES_IN
+ *   optional: VLAN, EXPIRES_IN, IDENTITY, RADIUS_CUI
  *
  * pull frame TLVs:
  *   auth:
@@ -264,6 +267,13 @@  struct wpa_auth_callbacks {
 			struct vlan_description *vlan);
 	int (*get_vlan)(void *ctx, const u8 *sta_addr,
 			struct vlan_description *vlan);
+	size_t (*get_identity)(void *ctx, const u8 *sta_addr, const u8 **buf);
+	size_t (*get_radius_cui)(void *ctx, const u8 *sta_addr, const u8 **buf);
+	void (*set_identity)(void *ctx, const u8 *sta_addr,
+			     const u8 *identity, size_t identity_len);
+	void (*set_radius_cui)(void *ctx, const u8 *sta_addr,
+			       const u8 *radius_cui, size_t radius_cui_len);
+
 	int (*send_ft_action)(void *ctx, const u8 *dst,
 			      const u8 *data, size_t data_len);
 	int (*add_tspec)(void *ctx, const u8 *sta_addr, u8 *tspec_ie,
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index a06b983..321f5b1 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -326,6 +326,8 @@  static size_t wpa_ft_tlv_lin(const struct tlv_list *tlvs, u8 *start,
 
 		if (tlv_len + tlvs[i].len > (size_t) (endpos - start))
 			return tlv_len;
+		if (tlvs[i].len == 0)
+			continue;
 		tlv_len += tlvs[i].len;
 		os_memcpy(pos, tlvs[i].data, tlvs[i].len);
 		pos = start + tlv_len;
@@ -647,6 +649,50 @@  wpa_ft_get_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
 }
 
 
+static size_t
+wpa_ft_get_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+		    const u8 **buf)
+{
+	*buf = NULL;
+	if (wpa_auth->cb->get_identity == NULL)
+		return 0;
+	return wpa_auth->cb->get_identity(wpa_auth->cb_ctx, sta_addr, buf);
+}
+
+
+static size_t
+wpa_ft_get_radius_cui(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+		      const u8 **buf)
+{
+	*buf = NULL;
+	if (wpa_auth->cb->get_radius_cui == NULL)
+		return 0;
+	return wpa_auth->cb->get_radius_cui(wpa_auth->cb_ctx, sta_addr, buf);
+}
+
+
+static void
+wpa_ft_set_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+		    const u8 *identity, size_t identity_len)
+{
+	if (wpa_auth->cb->set_identity == NULL)
+		return;
+	wpa_auth->cb->set_identity(wpa_auth->cb_ctx, sta_addr, identity,
+				   identity_len);
+}
+
+
+static void
+wpa_ft_set_radius_cui(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+		      const u8 *radius_cui, size_t radius_cui_len)
+{
+	if (wpa_auth->cb->set_radius_cui == NULL)
+		return;
+	wpa_auth->cb->set_radius_cui(wpa_auth->cb_ctx, sta_addr, radius_cui,
+				     radius_cui_len);
+}
+
+
 static int wpa_ft_add_tspec(struct wpa_authenticator *wpa_auth,
 			    const u8 *sta_addr,
 			    u8 *tspec_ie, size_t tspec_ielen)
@@ -1032,7 +1078,11 @@  struct wpa_ft_pmk_r0_sa {
 	int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
 	struct vlan_description *vlan;
 	os_time_t expiration; /* 0 for no expiration */
-	/* TODO: identity, radius_class, EAP type */
+	u8 *identity;
+	size_t identity_len;
+	u8 *radius_cui;
+	size_t radius_cui_len;
+	/* TODO: radius_class, EAP type, expiration from EAPOL */
 	int pmk_r1_pushed;
 };
 
@@ -1043,7 +1093,11 @@  struct wpa_ft_pmk_r1_sa {
 	u8 spa[ETH_ALEN];
 	int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
 	struct vlan_description *vlan;
-	/* TODO: expiration, identity, radius_class, EAP type */
+	u8 *identity;
+	size_t identity_len;
+	u8 *radius_cui;
+	size_t radius_cui_len;
+	/* TODO: expiration from EAPOL, radius_class, EAP type */
 };
 
 struct wpa_ft_pmk_cache {
@@ -1067,6 +1121,8 @@  static void wpa_ft_free_pmk_r0(struct wpa_ft_pmk_r0_sa *r0)
 
 	os_memset(r0->pmk_r0, 0, PMK_LEN);
 	os_free(r0->vlan);
+	os_free(r0->identity);
+	os_free(r0->radius_cui);
 	os_free(r0);
 }
 
@@ -1107,6 +1163,8 @@  static void wpa_ft_free_pmk_r1(struct wpa_ft_pmk_r1_sa *r1)
 
 	os_memset(r1->pmk_r1, 0, PMK_LEN);
 	os_free(r1->vlan);
+	os_free(r1->identity);
+	os_free(r1->radius_cui);
 	os_free(r1);
 }
 
@@ -1154,7 +1212,9 @@  static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
 			       const u8 *spa, const u8 *pmk_r0,
 			       const u8 *pmk_r0_name, int pairwise,
 			       const struct vlan_description *vlan,
-			       const int expires_in)
+			       const int expires_in,
+			       const u8 *identity, size_t identity_len,
+			       const u8 *radius_cui, size_t radius_cui_len)
 {
 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
 	struct wpa_ft_pmk_r0_sa *r0;
@@ -1178,6 +1238,20 @@  static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
 		if (r0->vlan)
 			*r0->vlan = *vlan;
 	}
+	if (identity) {
+		r0->identity = os_zalloc(identity_len);
+		if (r0->identity) {
+			os_memcpy(r0->identity, identity, identity_len);
+			r0->identity_len = identity_len;
+		}
+	}
+	if (radius_cui) {
+		r0->radius_cui = os_zalloc(radius_cui_len);
+		if (r0->radius_cui) {
+			os_memcpy(r0->radius_cui, radius_cui, radius_cui_len);
+			r0->radius_cui_len = radius_cui_len;
+		}
+	}
 
 	dl_list_add(&cache->pmk_r0, &r0->list);
 
@@ -1216,7 +1290,9 @@  static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
 			       const u8 *spa, const u8 *pmk_r1,
 			       const u8 *pmk_r1_name, int pairwise,
 			       const struct vlan_description *vlan,
-			       int expires_in)
+			       int expires_in,
+			       const u8 *identity, u8 identity_len,
+			       const u8 *radius_cui, u8 radius_cui_len)
 {
 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
 	int max_expires_in = wpa_auth->conf.r1_max_key_lifetime;
@@ -1240,6 +1316,20 @@  static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
 		if (r1->vlan)
 			*r1->vlan = *vlan;
 	}
+	if (identity) {
+		r1->identity = os_zalloc(identity_len);
+		if (r1->identity) {
+			os_memcpy(r1->identity, identity, identity_len);
+			r1->identity_len = identity_len;
+		}
+	}
+	if (radius_cui) {
+		r1->radius_cui = os_zalloc(radius_cui_len);
+		if (r1->radius_cui) {
+			os_memcpy(r1->radius_cui, radius_cui, radius_cui_len);
+			r1->radius_cui_len = radius_cui_len;
+		}
+	}
 
 	dl_list_add(&cache->pmk_r1, &r1->list);
 
@@ -1254,7 +1344,9 @@  static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
 static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
 			       const u8 *spa, const u8 *pmk_r1_name,
 			       u8 *pmk_r1, int *pairwise,
-			       struct vlan_description *vlan)
+			       struct vlan_description *vlan,
+			       const u8 **identity, size_t *identity_len,
+			       const u8 **radius_cui, size_t *radius_cui_len)
 {
 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
 	struct wpa_ft_pmk_r1_sa *r1;
@@ -1270,6 +1362,14 @@  static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
 				*vlan = *r1->vlan;
 			if (vlan && !r1->vlan)
 				os_memset(vlan, 0, sizeof(*vlan));
+			if (identity && identity_len) {
+				*identity = r1->identity;
+				*identity_len = r1->identity_len;
+			}
+			if (radius_cui && radius_cui_len) {
+				*radius_cui = r1->radius_cui;
+				*radius_cui_len = r1->radius_cui_len;
+			}
 			return 0;
 		}
 	}
@@ -1804,15 +1904,21 @@  int wpa_ft_store_pmk_fils(struct wpa_state_machine *sm,
 {
 	int expires_in = sm->wpa_auth->conf.r0_key_lifetime * 60;
 	struct vlan_description vlan;
+	const u8 *identity, *radius_cui;
+	int identity_len, radius_cui_len;
 
 	if (wpa_ft_get_vlan(sm->wpa_auth, sm->addr, &vlan) < 0) {
 		wpa_printf(MSG_DEBUG, "FT: vlan not available for STA " MACSTR,
 			   MAC2STR(sm->addr));
 		return -1;
 	}
+	identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity);
+	radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
+					       &radius_cui);
 
 	return wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
-				    sm->pairwise, &vlan, expires_in);
+				    sm->pairwise, &vlan, expires_in, identity,
+				    identity_len, radius_cui, radius_cui_len);
 }
 
 
@@ -1831,6 +1937,8 @@  int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
 	int psk_local = sm->wpa_auth->conf.ft_psk_generate_local;
 	int expires_in = sm->wpa_auth->conf.r0_key_lifetime * 60;
 	struct vlan_description vlan;
+	const u8 *identity, *radius_cui;
+	int identity_len, radius_cui_len;
 
 	if (sm->xxkey_len == 0) {
 		wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
@@ -1843,6 +1951,9 @@  int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
 			   MAC2STR(sm->addr));
 		return -1;
 	}
+	identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity);
+	radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
+					       &radius_cui);
 
 	if (wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid,
 			      r0kh, r0kh_len, sm->addr,
@@ -1852,7 +1963,8 @@  int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
 	wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN);
 	if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
 		wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
-				    sm->pairwise, &vlan, expires_in);
+				    sm->pairwise, &vlan, expires_in, identity,
+				    identity_len, radius_cui, radius_cui_len);
 
 	if (wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr,
 			      pmk_r1, sm->pmk_r1_name) < 0)
@@ -1862,8 +1974,9 @@  int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
 		    WPA_PMK_NAME_LEN);
 	if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
 		wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1,
-				    sm->pmk_r1_name, sm->pairwise,
-				    &vlan, expires_in);
+				    sm->pmk_r1_name, sm->pairwise, &vlan,
+				    expires_in, identity, identity_len,
+				    radius_cui, radius_cui_len);
 
 	return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr,
 				 sm->wpa_auth->addr, sm->pmk_r1_name,
@@ -2269,7 +2382,10 @@  void wpa_ft_install_ptk(struct wpa_state_machine *sm)
 static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
 			     const u8 *req_pmk_r1_name,
 			     u8 *out_pmk_r1, int *out_pairwise,
-			     struct vlan_description *out_vlan)
+			     struct vlan_description *out_vlan,
+			     const u8 **out_identity, size_t *out_identity_len,
+			     const u8 **out_radius_cui,
+			     size_t *out_radius_cui_len)
 {
 	const u8 *pmk = NULL;
 	u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
@@ -2282,6 +2398,7 @@  static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
 	const u8 *ssid = wpa_auth->conf.ssid;
 	size_t ssid_len = wpa_auth->conf.ssid_len;
 	int pairwise;
+	u8 len;
 
 	pairwise = sm->pairwise;
 
@@ -2312,7 +2429,16 @@  static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
 					      MACSTR, MAC2STR(sm->addr));
 			return -1;
 		}
-
+		if (out_identity && out_identity_len) {
+			len = wpa_ft_get_identity(sm->wpa_auth, sm->addr,
+						  out_identity);
+			*out_identity_len = len;
+		}
+		if (out_radius_cui && out_radius_cui_len) {
+			len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
+						    out_radius_cui);
+			*out_radius_cui_len = len;
+		}
 		return 0;
 	}
 
@@ -2377,6 +2503,8 @@  static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
 	u8 *pos, *end;
 	int pairwise;
 	struct vlan_description vlan;
+	const u8 *identity, *radius_cui;
+	size_t identity_len = 0, radius_cui_len = 0;
 
 	*resp_ies = NULL;
 	*resp_ies_len = 0;
@@ -2439,10 +2567,13 @@  static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
 	if (conf->ft_psk_generate_local &&
 	    wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
 		if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise,
-				      &vlan) < 0)
+				      &vlan, &identity, &identity_len,
+				      &radius_cui, &radius_cui_len) < 0)
 			return WLAN_STATUS_INVALID_PMKID;
 	} else if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name,
-				       pmk_r1, &pairwise, &vlan) < 0) {
+				       pmk_r1, &pairwise, &vlan, &identity,
+				       &identity_len, &radius_cui,
+				       &radius_cui_len) < 0) {
 		if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) {
 			wpa_printf(MSG_DEBUG,
 				   "FT: Did not have matching PMK-R1 and either unknown or blocked R0KH-ID or NAK from R0KH");
@@ -2481,6 +2612,9 @@  static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
 		wpa_printf(MSG_DEBUG, "FT: Failed to configure VLAN");
 		return WLAN_STATUS_UNSPECIFIED_FAILURE;
 	}
+	wpa_ft_set_identity(sm->wpa_auth, sm->addr, identity, identity_len);
+	wpa_ft_set_radius_cui(sm->wpa_auth, sm->addr, radius_cui,
+			      radius_cui_len);
 
 	buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
 		2 + FT_R1KH_ID_LEN + 200;
@@ -2913,14 +3047,13 @@  static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len,
 		  .data = f_pairwise },
 		{ .type = FT_RRB_EXPIRES_IN, .len = sizeof(f_expires_in),
 		  .data = f_expires_in },
+		{ .type = FT_RRB_IDENTITY, .len = pmk_r0->identity_len,
+		  .data = pmk_r0->identity },
+		{ .type = FT_RRB_RADIUS_CUI, .len = pmk_r0->radius_cui_len,
+		  .data = pmk_r0->radius_cui },
 		{ .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL },
 	};
 
-	if (!pmk_r0)
-		return wpa_ft_rrb_build(key, key_len, tlvs, NULL, tlv_auth,
-					NULL, src_addr, type,
-					packet, packet_len);
-
 	if (wpa_derive_pmk_r1(pmk_r0->pmk_r0, pmk_r0->pmk_r0_name, r1kh_id,
 			      s1kh_id, pmk_r1, pmk_r1_name) < 0)
 		return -1;
@@ -3070,13 +3203,17 @@  static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
 	resp_auth[4].len = 0;
 	resp_auth[4].data = NULL;
 
-	if (wpa_ft_fetch_pmk_r0(wpa_auth, f_s1kh_id, f_pmk_r0_name, &r0) < 0)
+	if (wpa_ft_fetch_pmk_r0(wpa_auth, f_s1kh_id, f_pmk_r0_name, &r0) < 0) {
 		wpa_printf(MSG_DEBUG, "FT: No matching PMK-R0-Name found");
-
-	ret = wpa_ft_rrb_build_r0(key, key_len, resp, r0, f_r1kh_id, f_s1kh_id,
-				  resp_auth, wpa_auth->addr,
-				  FT_PACKET_R0KH_R1KH_RESP,
-				  &packet, &packet_len);
+		ret = wpa_ft_rrb_build(key, key_len, resp, NULL, resp_auth,
+				       NULL, wpa_auth->addr,
+				       FT_PACKET_R0KH_R1KH_RESP,
+				       &packet, &packet_len);
+	} else
+		ret = wpa_ft_rrb_build_r0(key, key_len, resp, r0, f_r1kh_id,
+					  f_s1kh_id, resp_auth, wpa_auth->addr,
+					  FT_PACKET_R0KH_R1KH_RESP,
+					  &packet, &packet_len);
 
 	if (!ret)
 		wpa_ft_rrb_oui_send(wpa_auth, src_addr,
@@ -3116,8 +3253,10 @@  static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth,
 	const u8 *f_pmk_r1_name, *f_pairwise, *f_pmk_r1;
 	const u8 *f_expires_in;
 	size_t f_r1kh_id_len, f_s1kh_id_len, f_r0kh_id_len;
+	const u8 *f_identity, *f_radius_cui;
 	size_t f_pmk_r1_name_len, f_pairwise_len, f_pmk_r1_len;
 	size_t f_expires_in_len;
+	size_t f_identity_len, f_radius_cui_len;
 	int pairwise;
 	int ret = -1;
 	int expires_in;
@@ -3224,8 +3363,20 @@  static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth,
 	wpa_printf(MSG_DEBUG, "FT: vlan %d%s",
 		   le_to_host16(vlan.untagged), vlan.tagged[0] ? "+" : "");
 
+	RRB_GET_OPTIONAL(FT_RRB_IDENTITY, identity, msgtype, -1);
+	if (f_identity)
+		wpa_hexdump(MSG_DEBUG, "FT: Identity", f_identity,
+			    f_identity_len);
+
+	RRB_GET_OPTIONAL(FT_RRB_RADIUS_CUI, radius_cui, msgtype, -1);
+	if (f_radius_cui)
+		wpa_hexdump(MSG_DEBUG, "FT: CUI", f_radius_cui,
+			    f_radius_cui_len);
+
 	if (wpa_ft_store_pmk_r1(wpa_auth, f_s1kh_id, f_pmk_r1, f_pmk_r1_name,
-				pairwise, &vlan, expires_in) < 0)
+				pairwise, &vlan, expires_in, f_identity,
+				f_identity_len, f_radius_cui,
+				f_radius_cui_len) < 0)
 		goto out;
 
 	ret = 0;
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index 3ec8874..b5bfb2a 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -840,6 +840,146 @@  hostapd_wpa_auth_get_vlan(void *ctx, const u8 *sta_addr,
 }
 
 
+static size_t
+hostapd_wpa_auth_get_identity(void *ctx, const u8 *sta_addr, const u8 **buf)
+{
+	struct hostapd_data *hapd = ctx;
+	struct sta_info *sta;
+	size_t len;
+	char *identity;
+
+	sta = ap_get_sta(hapd, sta_addr);
+	if (sta == NULL)
+		return 0;
+
+	*buf = ieee802_1x_get_identity(sta->eapol_sm, &len);
+	if (*buf && len)
+		return len;
+
+	if (!sta->identity) {
+		*buf = NULL;
+		return 0;
+	}
+
+	identity = sta->identity;
+
+	len = os_strlen(identity);
+	*buf = (u8 *) identity;
+
+	return len;
+}
+
+
+static size_t
+hostapd_wpa_auth_get_radius_cui(void *ctx, const u8 *sta_addr, const u8 **buf)
+{
+	struct hostapd_data *hapd = ctx;
+	struct sta_info *sta;
+	struct wpabuf *b;
+	size_t len;
+	char *radius_cui;
+
+	sta = ap_get_sta(hapd, sta_addr);
+	if (sta == NULL)
+		return 0;
+
+	b = ieee802_1x_get_radius_cui(sta->eapol_sm);
+	if (b) {
+		len = wpabuf_len(b);
+		*buf = wpabuf_head(b);
+		return len;
+	}
+
+	if (!sta->radius_cui) {
+		*buf = NULL;
+		return 0;
+	}
+
+	radius_cui = sta->radius_cui;
+
+	len = os_strlen(radius_cui);
+	*buf = (u8 *) radius_cui;
+
+	return len;
+}
+
+
+static void
+hostapd_wpa_auth_set_identity(void *ctx, const u8 *sta_addr,
+			      const u8 *identity, size_t identity_len)
+{
+	struct hostapd_data *hapd = ctx;
+	struct sta_info *sta;
+
+	sta = ap_get_sta(hapd, sta_addr);
+	if (sta == NULL)
+		return;
+
+	if (sta->identity) {
+		os_free(sta->identity);
+		sta->identity = NULL;
+	}
+
+	if (sta->eapol_sm && sta->eapol_sm->identity) {
+		os_free(sta->eapol_sm->identity);
+		sta->eapol_sm->identity = NULL;
+		sta->eapol_sm->identity_len = 0;
+	}
+
+	if (!identity_len)
+		return;
+
+	/* sta->identity is NULL terminated */
+	sta->identity = os_zalloc(identity_len + 1);
+	if (sta->identity)
+		os_memcpy(sta->identity, identity, identity_len);
+
+	if (sta->eapol_sm) {
+		sta->eapol_sm->identity = os_zalloc(identity_len);
+		if (sta->eapol_sm->identity) {
+			os_memcpy(sta->eapol_sm->identity, identity,
+				  identity_len);
+			sta->eapol_sm->identity_len = identity_len;
+		}
+	}
+}
+
+
+static void
+hostapd_wpa_auth_set_radius_cui(void *ctx, const u8 *sta_addr,
+				const u8 *radius_cui, size_t radius_cui_len)
+{
+	struct hostapd_data *hapd = ctx;
+	struct sta_info *sta;
+
+	sta = ap_get_sta(hapd, sta_addr);
+	if (sta == NULL)
+		return;
+
+	if (sta->radius_cui) {
+		os_free(sta->radius_cui);
+		sta->radius_cui = NULL;
+	}
+
+	if (sta->eapol_sm && sta->eapol_sm->radius_cui) {
+		wpabuf_free(sta->eapol_sm->radius_cui);
+		sta->eapol_sm->radius_cui = NULL;
+	}
+
+	if (!radius_cui)
+		return;
+
+	/* sta->radius_cui is NULL terminated */
+	sta->radius_cui = os_zalloc(radius_cui_len + 1);
+	if (sta->radius_cui)
+		os_memcpy(sta->radius_cui, radius_cui, radius_cui_len);
+
+	if (sta->eapol_sm)
+		sta->eapol_sm->radius_cui = wpabuf_alloc_copy(radius_cui,
+							      radius_cui_len);
+}
+
+
 static void hostapd_rrb_receive(void *ctx, const u8 *src_addr, const u8 *buf,
 				size_t len)
 {
@@ -961,6 +1101,10 @@  int hostapd_setup_wpa(struct hostapd_data *hapd)
 		.add_tspec = hostapd_wpa_auth_add_tspec,
 		.set_vlan = hostapd_wpa_auth_set_vlan,
 		.get_vlan = hostapd_wpa_auth_get_vlan,
+		.get_identity = hostapd_wpa_auth_get_identity,
+		.get_radius_cui = hostapd_wpa_auth_get_radius_cui,
+		.set_identity = hostapd_wpa_auth_set_identity,
+		.set_radius_cui = hostapd_wpa_auth_set_radius_cui,
 #endif /* CONFIG_IEEE80211R_AP */
 	};
 	const u8 *wpa_ie;