From patchwork Thu May 18 13:21:56 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: michael-dev X-Patchwork-Id: 763993 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3wTBkV0N15z9ryv for ; Thu, 18 May 2017 23:25:06 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="eO+EYESV"; dkim-atps=neutral DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References: In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=Gd9pzZRXn1KViu4Vz7B/7yQ0TP3bFr6jNYcfGCpRkbU=; b=eO+EYESVbFrknFpvDylGlwOlUR SbIYcg0lWHi3rklu2Jyvn54zj8TjHyn4YDr8p2jE2EkXd1Ss/Y+RX6jMEwUXKPmrrFYR6alwVxDPk isaBiMow/uTcc0DtPityTbL50vJqbAwg+fvvOb4hKfGB+veGISdyw/DdcgIEd31Bhp4HPQV8UR+14 Hx4RuPsAXQ9STdBmwgsyHC4OhXmynaVZT5MzSwMEc9/igNLeyQX4LqnxDtgprgg8Krkb34ITw8jGJ O31DMMx7xc8SO5g1KAVpO29+6QxU6E3yJS/CHzn7OBABpDswZP+ev5CxIYtnCMzxSwiMV3CE/dfWV rv82omPw==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1dBLQD-0004Qv-OH; Thu, 18 May 2017 13:24:53 +0000 Received: from mail.fem.tu-ilmenau.de ([141.24.220.54]) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1dBLPo-0003TF-R2 for hostap@lists.infradead.org; Thu, 18 May 2017 13:24:44 +0000 Received: from localhost (localhost [127.0.0.1]) by mail.fem.tu-ilmenau.de (Postfix) with ESMTP id DBA7768A2; Thu, 18 May 2017 15:23:44 +0200 (CEST) X-Virus-Scanned: amavisd-new at fem.tu-ilmenau.de Received: from mail.fem.tu-ilmenau.de ([127.0.0.1]) by localhost (mail.fem.tu-ilmenau.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aip0SjJaM7Fe; Thu, 18 May 2017 15:23:43 +0200 (CEST) Received: from mail-backup.fem.tu-ilmenau.de (mail-backup.net.fem.tu-ilmenau.de [10.42.40.22]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.fem.tu-ilmenau.de (Postfix) with ESMTPS; Thu, 18 May 2017 15:23:41 +0200 (CEST) Received: from a234.fem.tu-ilmenau.de (ray-controller.net.fem.tu-ilmenau.de [10.42.51.234]) by mail-backup.fem.tu-ilmenau.de (Postfix) with ESMTP id A8C1A56055; Thu, 18 May 2017 15:23:40 +0200 (CEST) Received: by a234.fem.tu-ilmenau.de (Postfix, from userid 1000) id 6938E306ACE3; Thu, 18 May 2017 15:22:03 +0200 (CEST) From: Michael Braun To: hostap@lists.infradead.org Subject: [PATCH 7/8] FT: add session_timeout to push/resp Date: Thu, 18 May 2017 15:21:56 +0200 Message-Id: <1495113717-26860-8-git-send-email-michael-dev@fami-braun.de> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1495113717-26860-1-git-send-email-michael-dev@fami-braun.de> References: <1495113717-26860-1-git-send-email-michael-dev@fami-braun.de> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20170518_062430_290990_CBDCA658 X-CRM114-Status: GOOD ( 18.65 ) X-Spam-Score: -4.2 (----) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-4.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust [141.24.220.54 listed in list.dnswl.org] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: projekt-wlan@fem.tu-ilmenau.de, Michael Braun MIME-Version: 1.0 Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org This ensures a session timeout configured on R0 either using RADIUS-based ACL or 802.1X authentication is copied over to the new R1. As the session can be moved at any time, a timestamp needs to be kept so the remaining session time can be computed by R0 when requested. Signed-off-by: Michael Braun --- src/ap/ieee802_11.c | 9 +++- src/ap/ieee802_1x.c | 16 ++++-- src/ap/sta_info.h | 3 +- src/ap/wpa_auth.h | 6 ++- src/ap/wpa_auth_ft.c | 141 +++++++++++++++++++++++++++++++++++++++++-------- src/ap/wpa_auth_glue.c | 49 +++++++++++++++++ 6 files changed, 193 insertions(+), 31 deletions(-) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 5331b2a..a33a0f5 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -1550,10 +1550,15 @@ ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta, if (hapd->conf->acct_interim_interval == 0 && acct_interim_interval) sta->acct_interim_interval = acct_interim_interval; - if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) + if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) { + sta->session_timeout_set = 1; + os_get_reltime(&sta->session_timeout); + sta->session_timeout.sec += session_timeout; ap_sta_session_timeout(hapd, sta, session_timeout); - else + } else { + sta->session_timeout_set = 0; ap_sta_no_session_timeout(hapd, sta); + } return 0; } diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index cfda57c..c88018e 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -1814,14 +1814,17 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, break; sta->session_timeout_set = !!session_timeout_set; - sta->session_timeout = session_timeout; + os_get_reltime(&sta->session_timeout); + sta->session_timeout.sec += session_timeout; /* RFC 3580, Ch. 3.17 */ if (session_timeout_set && termination_action == RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { sm->reAuthPeriod = session_timeout; - } else if (session_timeout_set) + } else if (session_timeout_set) { ap_sta_session_timeout(hapd, sta, session_timeout); + } else + ap_sta_no_session_timeout(hapd, sta); sm->eap_if->aaaSuccess = TRUE; override_eapReq = 1; @@ -2703,6 +2706,7 @@ static void ieee802_1x_finished(struct hostapd_data *hapd, /* TODO: get PMKLifetime from WPA parameters */ static const int dot11RSNAConfigPMKLifetime = 43200; unsigned int session_timeout; + struct os_reltime now, remaining; #ifdef CONFIG_HS20 if (remediation && !sta->remediation) { @@ -2723,9 +2727,11 @@ static void ieee802_1x_finished(struct hostapd_data *hapd, #endif /* CONFIG_HS20 */ key = ieee802_1x_get_key(sta->eapol_sm, &len); - if (sta->session_timeout_set) - session_timeout = sta->session_timeout; - else + if (sta->session_timeout_set) { + os_get_reltime(&now); + os_reltime_sub(&sta->session_timeout, &now, &remaining); + session_timeout = (remaining.sec > 0) ? remaining.sec : 1; + } else session_timeout = dot11RSNAConfigPMKLifetime; if (success && key && len >= PMK_LEN && !sta->remediation && !sta->hs20_deauth_requested && diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h index 86acee2..b0914c9 100644 --- a/src/ap/sta_info.h +++ b/src/ap/sta_info.h @@ -199,7 +199,8 @@ struct sta_info { unsigned int mesh_sae_pmksa_caching:1; #endif /* CONFIG_SAE */ - u32 session_timeout; /* valid only if session_timeout_set == 1 */ + /* valid only if session_timeout_set == 1 */ + struct os_reltime session_timeout; /* Last Authentication/(Re)Association Request/Action frame sequence * control */ diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index 936831b..661acf1 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -85,6 +85,7 @@ struct ft_rrb_frame { #define FT_RRB_IDENTITY 15 #define FT_RRB_RADIUS_CUI 16 +#define FT_RRB_SESSION_TIMEOUT 17 /* le32 seconds */ struct ft_rrb_tlv { le16 type; @@ -100,7 +101,7 @@ struct ft_rrb_seq { /* session TLVs: * required: PMK_R1, PMK_R1_NAME, PAIRWISE - * optional: VLAN, EXPIRES_IN, IDENTITY, RADIUS_CUI + * optional: VLAN, EXPIRES_IN, IDENTITY, RADIUS_CUI, SESSION_TIMEOUT * * pull frame TLVs: * auth: @@ -269,10 +270,13 @@ struct wpa_auth_callbacks { struct vlan_description *vlan); size_t (*get_identity)(void *ctx, const u8 *sta_addr, const u8 **buf); size_t (*get_radius_cui)(void *ctx, const u8 *sta_addr, const u8 **buf); + int (*get_session_timeout)(void *ctx, const u8 *sta_addr); void (*set_identity)(void *ctx, const u8 *sta_addr, const u8 *identity, size_t identity_len); void (*set_radius_cui)(void *ctx, const u8 *sta_addr, const u8 *radius_cui, size_t radius_cui_len); + void (*set_session_timeout)(void *ctx, const u8 *sta_addr, + int session_timeout); int (*send_ft_action)(void *ctx, const u8 *dst, const u8 *data, size_t data_len); diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 321f5b1..dea60e8 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -649,6 +649,16 @@ wpa_ft_get_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, } +static int +wpa_ft_get_session_timeout(struct wpa_authenticator *wpa_auth, + const u8 *sta_addr) +{ + if (wpa_auth->cb->get_session_timeout == NULL) + return 0; + return wpa_auth->cb->get_session_timeout(wpa_auth->cb_ctx, sta_addr); +} + + static size_t wpa_ft_get_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, const u8 **buf) @@ -672,6 +682,17 @@ wpa_ft_get_radius_cui(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, static void +wpa_ft_set_session_timeout(struct wpa_authenticator *wpa_auth, + const u8 *sta_addr, int session_timeout) +{ + if (wpa_auth->cb->set_session_timeout == NULL) + return; + wpa_auth->cb->set_session_timeout(wpa_auth->cb_ctx, sta_addr, + session_timeout); +} + + +static void wpa_ft_set_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, const u8 *identity, size_t identity_len) { @@ -1082,7 +1103,8 @@ struct wpa_ft_pmk_r0_sa { size_t identity_len; u8 *radius_cui; size_t radius_cui_len; - /* TODO: radius_class, EAP type, expiration from EAPOL */ + os_time_t session_timeout; /* 0 for no expiration */ + /* TODO: radius_class, EAP type */ int pmk_r1_pushed; }; @@ -1097,7 +1119,8 @@ struct wpa_ft_pmk_r1_sa { size_t identity_len; u8 *radius_cui; size_t radius_cui_len; - /* TODO: expiration from EAPOL, radius_class, EAP type */ + os_time_t session_timeout; /* 0 for no expiration */ + /* TODO: radius_class, EAP type */ }; struct wpa_ft_pmk_cache { @@ -1132,6 +1155,7 @@ static void wpa_ft_expire_pmk_r0(void *eloop_ctx, void *timeout_ctx) struct wpa_ft_pmk_r0_sa *r0 = eloop_ctx; struct os_reltime now; int expires_in; + int session_timeout; os_get_reltime(&now); @@ -1139,13 +1163,23 @@ static void wpa_ft_expire_pmk_r0(void *eloop_ctx, void *timeout_ctx) return; expires_in = r0->expiration - now.sec; - if (expires_in > 0) { + session_timeout = r0->session_timeout - now.sec; + /* conditions to remove from cache: + * a) r0->expiration is set and hit + * -or- + * b) r0->session_timeout is set and hit + */ + if ((!r0->expiration || expires_in > 0) && + (!r0->session_timeout || session_timeout > 0)) { wpa_printf(MSG_ERROR, "FT: wpa_ft_expire_pmk_r0 called for " - "non-expired entry %p, delete in %ds", - r0, expires_in); + "non-expired entry %p", r0); eloop_cancel_timeout(wpa_ft_expire_pmk_r0, r0, NULL); - eloop_register_timeout(expires_in + 1, 0, - wpa_ft_expire_pmk_r0, r0, NULL); + if (r0->expiration && expires_in > 0) + eloop_register_timeout(expires_in + 1, 0, + wpa_ft_expire_pmk_r0, r0, NULL); + if (r0->session_timeout && session_timeout > 0) + eloop_register_timeout(session_timeout + 1, 0, + wpa_ft_expire_pmk_r0, r0, NULL); return; } @@ -1212,7 +1246,7 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r0, const u8 *pmk_r0_name, int pairwise, const struct vlan_description *vlan, - const int expires_in, + const int expires_in, const int session_timeout, const u8 *identity, size_t identity_len, const u8 *radius_cui, size_t radius_cui_len) { @@ -1252,12 +1286,17 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, r0->radius_cui_len = radius_cui_len; } } + if (session_timeout > 0) + r0->session_timeout = now.sec + session_timeout; dl_list_add(&cache->pmk_r0, &r0->list); if (expires_in > 0) eloop_register_timeout(expires_in + 1, 0, wpa_ft_expire_pmk_r0, r0, NULL); + if (session_timeout > 0) + eloop_register_timeout(session_timeout + 1, 0, + wpa_ft_expire_pmk_r0, r0, NULL); return 0; } @@ -1290,15 +1329,17 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r1, const u8 *pmk_r1_name, int pairwise, const struct vlan_description *vlan, - int expires_in, + int expires_in, const int session_timeout, const u8 *identity, u8 identity_len, const u8 *radius_cui, u8 radius_cui_len) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; int max_expires_in = wpa_auth->conf.r1_max_key_lifetime; struct wpa_ft_pmk_r1_sa *r1; + struct os_reltime now; /* TODO: limit on number of entries in cache */ + os_get_reltime(&now); if (max_expires_in && (max_expires_in < expires_in || expires_in == 0)) expires_in = max_expires_in; @@ -1330,12 +1371,17 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, r1->radius_cui_len = radius_cui_len; } } + if (session_timeout > 0) + r1->session_timeout = now.sec + session_timeout; dl_list_add(&cache->pmk_r1, &r1->list); if (expires_in > 0) eloop_register_timeout(expires_in + 1, 0, wpa_ft_expire_pmk_r1, r1, NULL); + if (session_timeout > 0) + eloop_register_timeout(session_timeout + 1, 0, + wpa_ft_expire_pmk_r1, r1, NULL); return 0; } @@ -1346,10 +1392,14 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth, u8 *pmk_r1, int *pairwise, struct vlan_description *vlan, const u8 **identity, size_t *identity_len, - const u8 **radius_cui, size_t *radius_cui_len) + const u8 **radius_cui, size_t *radius_cui_len, + int *session_timeout) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; struct wpa_ft_pmk_r1_sa *r1; + struct os_reltime now; + + os_get_reltime(&now); dl_list_for_each(r1, &cache->pmk_r1, struct wpa_ft_pmk_r1_sa, list) { if (os_memcmp(r1->spa, spa, ETH_ALEN) == 0 && @@ -1370,6 +1420,13 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth, *radius_cui = r1->radius_cui; *radius_cui_len = r1->radius_cui_len; } + if (session_timeout && r1->session_timeout > now.sec) + *session_timeout = r1->session_timeout - + now.sec; + else if (session_timeout && r1->session_timeout) + *session_timeout = 1; + else + *session_timeout = 0; return 0; } } @@ -1906,6 +1963,7 @@ int wpa_ft_store_pmk_fils(struct wpa_state_machine *sm, struct vlan_description vlan; const u8 *identity, *radius_cui; int identity_len, radius_cui_len; + int session_timeout; if (wpa_ft_get_vlan(sm->wpa_auth, sm->addr, &vlan) < 0) { wpa_printf(MSG_DEBUG, "FT: vlan not available for STA " MACSTR, @@ -1915,10 +1973,12 @@ int wpa_ft_store_pmk_fils(struct wpa_state_machine *sm, identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity); radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr, &radius_cui); + session_timeout = wpa_ft_get_session_timeout(sm->wpa_auth, sm->addr); return wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name, - sm->pairwise, &vlan, expires_in, identity, - identity_len, radius_cui, radius_cui_len); + sm->pairwise, &vlan, expires_in, + session_timeout, identity, identity_len, + radius_cui, radius_cui_len); } @@ -1939,6 +1999,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, struct vlan_description vlan; const u8 *identity, *radius_cui; int identity_len, radius_cui_len; + int session_timeout; if (sm->xxkey_len == 0) { wpa_printf(MSG_DEBUG, "FT: XXKey not available for key " @@ -1954,6 +2015,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity); radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr, &radius_cui); + session_timeout = wpa_ft_get_session_timeout(sm->wpa_auth, sm->addr); if (wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid, r0kh, r0kh_len, sm->addr, @@ -1963,8 +2025,9 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN); if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name, - sm->pairwise, &vlan, expires_in, identity, - identity_len, radius_cui, radius_cui_len); + sm->pairwise, &vlan, expires_in, + session_timeout, identity, identity_len, + radius_cui, radius_cui_len); if (wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr, pmk_r1, sm->pmk_r1_name) < 0) @@ -1975,8 +2038,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1, sm->pmk_r1_name, sm->pairwise, &vlan, - expires_in, identity, identity_len, - radius_cui, radius_cui_len); + expires_in, session_timeout, identity, + identity_len, radius_cui, radius_cui_len); return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr, sm->wpa_auth->addr, sm->pmk_r1_name, @@ -2385,7 +2448,8 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, struct vlan_description *out_vlan, const u8 **out_identity, size_t *out_identity_len, const u8 **out_radius_cui, - size_t *out_radius_cui_len) + size_t *out_radius_cui_len, + int *out_session_timeout) { const u8 *pmk = NULL; u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN]; @@ -2399,6 +2463,7 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, size_t ssid_len = wpa_auth->conf.ssid_len; int pairwise; u8 len; + int timeout; pairwise = sm->pairwise; @@ -2439,6 +2504,11 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, out_radius_cui); *out_radius_cui_len = len; } + if (out_session_timeout) { + timeout = wpa_ft_get_session_timeout(sm->wpa_auth, + sm->addr); + *out_session_timeout = timeout; + } return 0; } @@ -2501,7 +2571,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, size_t buflen; int ret; u8 *pos, *end; - int pairwise; + int pairwise, session_timeout; struct vlan_description vlan; const u8 *identity, *radius_cui; size_t identity_len = 0, radius_cui_len = 0; @@ -2568,12 +2638,13 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise, &vlan, &identity, &identity_len, - &radius_cui, &radius_cui_len) < 0) + &radius_cui, &radius_cui_len, + &session_timeout) < 0) return WLAN_STATUS_INVALID_PMKID; } else if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name, pmk_r1, &pairwise, &vlan, &identity, &identity_len, &radius_cui, - &radius_cui_len) < 0) { + &radius_cui_len, &session_timeout) < 0) { if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) { wpa_printf(MSG_DEBUG, "FT: Did not have matching PMK-R1 and either unknown or blocked R0KH-ID or NAK from R0KH"); @@ -2615,6 +2686,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, wpa_ft_set_identity(sm->wpa_auth, sm->addr, identity, identity_len); wpa_ft_set_radius_cui(sm->wpa_auth, sm->addr, radius_cui, radius_cui_len); + wpa_ft_set_session_timeout(sm->wpa_auth, sm->addr, session_timeout); buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + 2 + FT_R1KH_ID_LEN + 200; @@ -3035,7 +3107,9 @@ static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len, u8 pmk_r1_name[WPA_PMK_NAME_LEN]; u8 f_pairwise[sizeof(le16)]; u8 f_expires_in[sizeof(le16)]; + u8 f_session_timeout[sizeof(le32)]; int expires_in; + int session_timeout; struct os_reltime now; int ret; struct tlv_list sess_tlv[] = { @@ -3051,6 +3125,9 @@ static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len, .data = pmk_r0->identity }, { .type = FT_RRB_RADIUS_CUI, .len = pmk_r0->radius_cui_len, .data = pmk_r0->radius_cui }, + { .type = FT_RRB_SESSION_TIMEOUT, + .len = sizeof(f_session_timeout), + .data = f_session_timeout }, { .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL }, }; @@ -3062,6 +3139,7 @@ static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len, WPA_PUT_LE16(f_pairwise, pmk_r0->pairwise); os_get_reltime(&now); + if (pmk_r0->expiration > now.sec) expires_in = pmk_r0->expiration - now.sec; else if (pmk_r0->expiration) @@ -3070,6 +3148,14 @@ static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len, expires_in = 0; WPA_PUT_LE16(f_expires_in, expires_in); + if (pmk_r0->session_timeout > now.sec) + session_timeout = pmk_r0->session_timeout - now.sec; + else if (pmk_r0->session_timeout) + session_timeout = 1; + else + session_timeout = 0; + WPA_PUT_LE32(f_session_timeout, session_timeout); + ret = wpa_ft_rrb_build(key, key_len, tlvs, sess_tlv, tlv_auth, pmk_r0->vlan, src_addr, type, packet, packet_len); @@ -3254,12 +3340,15 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth, const u8 *f_expires_in; size_t f_r1kh_id_len, f_s1kh_id_len, f_r0kh_id_len; const u8 *f_identity, *f_radius_cui; + const u8 *f_session_timeout; size_t f_pmk_r1_name_len, f_pairwise_len, f_pmk_r1_len; size_t f_expires_in_len; size_t f_identity_len, f_radius_cui_len; + size_t f_session_timeout_len; int pairwise; int ret = -1; int expires_in; + int session_timeout; struct vlan_description vlan; RRB_GET_AUTH(FT_RRB_R0KH_ID, r0kh_id, msgtype, -1); @@ -3373,9 +3462,17 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth, wpa_hexdump(MSG_DEBUG, "FT: CUI", f_radius_cui, f_radius_cui_len); + RRB_GET_OPTIONAL(FT_RRB_SESSION_TIMEOUT, session_timeout, msgtype, + sizeof(le32)); + if (f_session_timeout) + session_timeout = WPA_GET_LE32(f_session_timeout); + else + session_timeout = 0; + wpa_printf(MSG_DEBUG, "FT: session_timeout %d", session_timeout); + if (wpa_ft_store_pmk_r1(wpa_auth, f_s1kh_id, f_pmk_r1, f_pmk_r1_name, - pairwise, &vlan, expires_in, f_identity, - f_identity_len, f_radius_cui, + pairwise, &vlan, expires_in, session_timeout, + f_identity, f_identity_len, f_radius_cui, f_radius_cui_len) < 0) goto out; diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index b5bfb2a..5996b9c 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -840,6 +840,31 @@ hostapd_wpa_auth_get_vlan(void *ctx, const u8 *sta_addr, } +static int +hostapd_wpa_auth_get_session_timeout(void *ctx, const u8 *sta_addr) +{ + struct hostapd_data *hapd = ctx; + struct sta_info *sta; + struct os_reltime now, remaining; + + sta = ap_get_sta(hapd, sta_addr); + if (sta == NULL) + return 0; + + if (!sta->session_timeout_set) + return 0; + + os_get_reltime(&now); + if (os_reltime_before(&sta->session_timeout, &now)) + /* already expired, return >0 as timeout was set */ + return 1; + + os_reltime_sub(&sta->session_timeout, &now, &remaining); + + return (remaining.sec > 0) ? remaining.sec : 1; +} + + static size_t hostapd_wpa_auth_get_identity(void *ctx, const u8 *sta_addr, const u8 **buf) { @@ -905,6 +930,28 @@ hostapd_wpa_auth_get_radius_cui(void *ctx, const u8 *sta_addr, const u8 **buf) static void +hostapd_wpa_auth_set_session_timeout(void *ctx, const u8 *sta_addr, + int session_timeout) +{ + struct hostapd_data *hapd = ctx; + struct sta_info *sta; + + sta = ap_get_sta(hapd, sta_addr); + if (sta == NULL) + return; + + os_get_reltime(&sta->session_timeout); + sta->session_timeout.sec += session_timeout; + sta->session_timeout_set = !!session_timeout; + + if (sta->session_timeout_set) + ap_sta_session_timeout(hapd, sta, session_timeout); + else + ap_sta_no_session_timeout(hapd, sta); +} + + +static void hostapd_wpa_auth_set_identity(void *ctx, const u8 *sta_addr, const u8 *identity, size_t identity_len) { @@ -1105,6 +1152,8 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) .get_radius_cui = hostapd_wpa_auth_get_radius_cui, .set_identity = hostapd_wpa_auth_set_identity, .set_radius_cui = hostapd_wpa_auth_set_radius_cui, + .get_session_timeout = hostapd_wpa_auth_get_session_timeout, + .set_session_timeout = hostapd_wpa_auth_set_session_timeout, #endif /* CONFIG_IEEE80211R_AP */ }; const u8 *wpa_ie;