From patchwork Sat Sep 24 20:53:52 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: michael-dev X-Patchwork-Id: 674411 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2001:1868:205::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3shNYp3S3Yz9s5g for ; Sun, 25 Sep 2016 07:25:34 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.85_2 #1 (Red Hat Linux)) id 1bnuRi-0001xX-L5; Sat, 24 Sep 2016 21:25:18 +0000 Received: from merlin.infradead.org ([2001:4978:20e::2]) by bombadil.infradead.org with esmtps (Exim 4.85_2 #1 (Red Hat Linux)) id 1bnuPc-0007b6-It for hostap@bombadil.infradead.org; Sat, 24 Sep 2016 21:23:08 +0000 Received: from mail.fem.tu-ilmenau.de ([141.24.220.54]) by merlin.infradead.org with esmtp (Exim 4.85_2 #1 (Red Hat Linux)) id 1bnu35-0000zz-Dr for hostap@lists.infradead.org; Sat, 24 Sep 2016 20:59:52 +0000 Received: from localhost (localhost [127.0.0.1]) by mail.fem.tu-ilmenau.de (Postfix) with ESMTP id 7D1ED6936; Sat, 24 Sep 2016 22:54:18 +0200 (CEST) X-Virus-Scanned: amavisd-new at fem.tu-ilmenau.de Received: from mail.fem.tu-ilmenau.de ([127.0.0.1]) by localhost (mail.fem.tu-ilmenau.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Hx1KkdcP0Tq; Sat, 24 Sep 2016 22:54:18 +0200 (CEST) Received: from mail-backup.fem.tu-ilmenau.de (mail-backup.net.fem.tu-ilmenau.de [10.42.40.22]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.fem.tu-ilmenau.de (Postfix) with ESMTPS; Sat, 24 Sep 2016 22:54:18 +0200 (CEST) Received: from a234.fem.tu-ilmenau.de (ray-controller.net.fem.tu-ilmenau.de [10.42.51.234]) by mail-backup.fem.tu-ilmenau.de (Postfix) with ESMTP id 566D655131; Sat, 24 Sep 2016 22:54:18 +0200 (CEST) Received: by a234.fem.tu-ilmenau.de (Postfix, from userid 1000) id 407D3306ACA3; Sat, 24 Sep 2016 22:54:18 +0200 (CEST) From: Michael Braun To: hostap@lists.infradead.org Subject: [PATCH v2 11/33] FT: add IEEE vlan support (including tagged vlans) Date: Sat, 24 Sep 2016 22:53:52 +0200 Message-Id: <1474750454-6626-12-git-send-email-michael-dev@fami-braun.de> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1474750454-6626-1-git-send-email-michael-dev@fami-braun.de> References: <1474750454-6626-1-git-send-email-michael-dev@fami-braun.de> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20160924_165951_692749_EDD697E0 X-CRM114-Status: GOOD ( 20.14 ) X-Spam-Score: -4.2 (----) X-Spam-Report: SpamAssassin version 3.4.1 on merlin.infradead.org summary: Content analysis details: (-4.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust [141.24.220.54 listed in list.dnswl.org] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: projekt-wlan@fem.tu-ilmenau.de, Michael Braun MIME-Version: 1.0 Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org This introduces set_vlan and get_vlan callbacks for wpa_auth and uses them to fetch and configure vlan of sta. The struct vlan_description is converted into a network encoding (struct ft_vlan) for byter order reasons. Signed-off-by: Michael Braun --- src/ap/ieee802_1x.c | 2 +- src/ap/wpa_auth.h | 10 +- src/ap/wpa_auth_ft.c | 254 ++++++++++++++++++++++++++++++++++++++++++++++--- src/ap/wpa_auth_glue.c | 61 ++++++++++++ 4 files changed, 312 insertions(+), 15 deletions(-) diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 80ff996..5805758 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -1170,7 +1170,7 @@ void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) sta->eapol_sm->portValid = TRUE; if (sta->eapol_sm->eap) eap_sm_notify_cached(sta->eapol_sm->eap); - /* TODO: get vlan_id from R0KH using RRB message */ + ap_sta_bind_vlan(hapd, sta); return; } #endif /* CONFIG_IEEE80211R */ diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index d541f8d..aa7920a 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -13,6 +13,7 @@ #include "common/eapol_common.h" #include "common/wpa_common.h" #include "common/ieee802_11_defs.h" +#include "vlan.h" #define MAX_OWN_IE_OVERRIDE 256 @@ -75,6 +76,9 @@ struct ft_rrb_frame { #define FT_RRB_PAIRWISE 10 /* le16 */ #define FT_RRB_EXPIRES_IN 11 /* le16 seconds */ +#define FT_RRB_VLAN_UNTAGGED 12 /* le16 */ +#define FT_RRB_VLAN_TAGGED 13 /* n times le16 */ + struct ft_rrbv1_tlv { le16 type; le16 len; @@ -83,7 +87,7 @@ struct ft_rrbv1_tlv { /* session TLVs: * required: [PMK_R1, PMK_R1_NAME, PAIRWISE] - * optional: EXPIRES_IN + * optional: VLAN, EXPIRES_IN * * pull frame TLVs: * required: NONCE, R0KH_ID, PMK_R0_NAME, R1KH_ID, S1KH_ID @@ -219,6 +223,10 @@ struct wpa_auth_callbacks { size_t data_len); #ifdef CONFIG_IEEE80211R struct wpa_state_machine * (*add_sta)(void *ctx, const u8 *sta_addr); + int (*set_vlan)(void *ctx, const u8 *sta_addr, + struct vlan_description *vlan); + int (*get_vlan)(void *ctx, const u8 *sta_addr, + struct vlan_description *vlan); int (*send_ft_action)(void *ctx, const u8 *dst, const u8 *data, size_t data_len); int (*add_tspec)(void *ctx, const u8 *sta_addr, u8 *tspec_ie, diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 15bf55e..89fbb63 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -122,6 +122,87 @@ static int wpa_ft_rrb_get_tlv(const u8 *plain, const size_t plain_len, } +static int cmp_int(const void *a, const void *b) +{ + int x, y; + + x = *((int *) a); + y = *((int *) b); + return (x - y); +} + + +static int wpa_ft_rrb_get_tlv_vlan(const u8 *plain, const size_t plain_len, + struct vlan_description *vlan) +{ + struct ft_rrbv1_tlv *f; + size_t left; + size_t len; + int taggedidx; + int vlan_id; + int type; + + left = plain_len; + taggedidx = 0; + os_memset(vlan, 0, sizeof(*vlan)); + + while (left >= sizeof(*f)) { + f = (struct ft_rrbv1_tlv *) plain; + + left -= sizeof(*f); + plain += sizeof(*f); + + len = le_to_host16(f->len); + type = le_to_host16(f->type); + + if (left < len) + return -1; + + if (type != FT_RRB_VLAN_UNTAGGED && + type != FT_RRB_VLAN_TAGGED) + goto skip; + + if (type == FT_RRB_VLAN_UNTAGGED && + len != sizeof(le16)) + return -1; + + if (type == FT_RRB_VLAN_TAGGED && + len % sizeof(le16) != 0) + return -1; + + while (len >= sizeof(le16)) { + vlan_id = WPA_GET_LE16(plain); + plain += sizeof(le16); + left -= sizeof(le16); + len -= sizeof(le16); + + if (vlan_id <= 0 || vlan_id > MAX_VLAN_ID) + continue; + + if (type == FT_RRB_VLAN_UNTAGGED) + vlan->untagged = vlan_id; + + if (type == FT_RRB_VLAN_TAGGED && + taggedidx < MAX_NUM_TAGGED_VLAN) { + vlan->tagged[taggedidx] = vlan_id; + taggedidx++; + } + } + +skip: + left -= len; + plain += len; + } + + if (taggedidx) + qsort(vlan->tagged, taggedidx, sizeof(int), cmp_int); + + vlan->notempty = vlan->untagged || vlan->tagged[0]; + + return 0; +} + + /** * encrypt message * @frame ft_rrb_frame @@ -187,10 +268,83 @@ static inline size_t wpa_ft_tlv_lin(const struct tlv_list *tlvs, u8 *start, return tlv_len; } +static inline size_t wpa_ft_vlan_len(const struct vlan_description *vlan) +{ + size_t tlv_len = 0; + int i; + + if (!vlan || !vlan->notempty) + return 0; + + if (vlan->untagged) { + tlv_len += sizeof(struct ft_rrbv1_tlv); + tlv_len += sizeof(le16); + } + if (vlan->tagged[0]) + tlv_len += sizeof(struct ft_rrbv1_tlv); + for (i = 0; i < MAX_NUM_TAGGED_VLAN && vlan->tagged[i]; i++) + tlv_len += sizeof(le16); + + return tlv_len; +} + +static inline size_t wpa_ft_vlan_lin(const struct vlan_description *vlan, + u8 *start, u8 *endpos) { + size_t tlv_len; + int i, len; + struct ft_rrbv1_tlv *hdr; + u8 *pos = start; + + if (!vlan || !vlan->notempty) + return 0; + + tlv_len = 0; + if (vlan->untagged) { + tlv_len += sizeof(*hdr); + if (start + tlv_len > endpos) + return tlv_len; + hdr = (struct ft_rrbv1_tlv *) pos; + hdr->type = host_to_le16(FT_RRB_VLAN_UNTAGGED); + hdr->len = host_to_le16(sizeof(le16)); + pos = start + tlv_len; + + tlv_len += sizeof(le16); + if (start + tlv_len > endpos) + return tlv_len; + WPA_PUT_LE16(pos, vlan->untagged); + pos = start + tlv_len; + } + + if (!vlan->tagged[0]) + return tlv_len; + + tlv_len += sizeof(*hdr); + if (start + tlv_len > endpos) + return tlv_len; + hdr = (struct ft_rrbv1_tlv *) pos; + hdr->type = host_to_le16(FT_RRB_VLAN_TAGGED); + len = 0; /* len is computed below */ + pos = start + tlv_len; + + for (i = 0; i < MAX_NUM_TAGGED_VLAN && vlan->tagged[i]; i++) { + tlv_len += sizeof(le16); + if (start + tlv_len > endpos) + break; + len += sizeof(le16); + WPA_PUT_LE16(pos, vlan->tagged[i]); + pos = start + tlv_len; + } + + hdr->len = host_to_le16(len); + + return tlv_len; +} + static int wpa_ft_rrb_build(const u8 *kek, size_t kek_len, const struct ft_rrb_frame *frame, const struct tlv_list *tlvs1, const struct tlv_list *tlvs2, + const struct vlan_description *vlan, u8 **packet, size_t *packet_len) { u8 *plain, *pos, *crypt, *endpos; @@ -203,6 +357,7 @@ static int wpa_ft_rrb_build(const u8 *kek, size_t kek_len, tlv_len = 0; tlv_len += wpa_ft_tlv_len(tlvs1); tlv_len += wpa_ft_tlv_len(tlvs2); + tlv_len += wpa_ft_vlan_len(vlan); pad_len = (8 - (tlv_len % 8)) % 8; plain = os_zalloc(tlv_len + pad_len); @@ -213,6 +368,7 @@ static int wpa_ft_rrb_build(const u8 *kek, size_t kek_len, endpos = plain + tlv_len; pos += wpa_ft_tlv_lin(tlvs1, pos, endpos); pos += wpa_ft_tlv_lin(tlvs2, pos, endpos); + pos += wpa_ft_vlan_lin(vlan, pos, endpos); /* sanity check */ if (pos != endpos) { @@ -310,6 +466,26 @@ wpa_ft_add_sta(struct wpa_authenticator *wpa_auth, const u8 *sta_addr) } +static int +wpa_ft_set_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, + struct vlan_description *vlan) +{ + if (wpa_auth->cb.set_vlan == NULL) + return -1; + return wpa_auth->cb.set_vlan(wpa_auth->cb.ctx, sta_addr, vlan); +} + + +static int +wpa_ft_get_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, + struct vlan_description *vlan) +{ + if (wpa_auth->cb.get_vlan == NULL) + return -1; + return wpa_auth->cb.get_vlan(wpa_auth->cb.ctx, sta_addr, vlan); +} + + static int wpa_ft_add_tspec(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, u8 *tspec_ie, size_t tspec_ielen) @@ -398,6 +574,7 @@ struct wpa_ft_pmk_r0_sa { u8 pmk_r0_name[WPA_PMK_NAME_LEN]; u8 spa[ETH_ALEN]; int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */ + struct vlan_description *vlan; os_time_t expiration; /* 0 for no expiration */ /* TODO: identity, radius_class, EAP type */ int pmk_r1_pushed; @@ -409,7 +586,8 @@ struct wpa_ft_pmk_r1_sa { u8 pmk_r1_name[WPA_PMK_NAME_LEN]; u8 spa[ETH_ALEN]; int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */ - /* TODO: expiration, identity, radius_class, EAP type, VLAN ID */ + struct vlan_description *vlan; + /* TODO: expiration, identity, radius_class, EAP type */ }; struct wpa_ft_pmk_cache { @@ -432,6 +610,7 @@ static void wpa_ft_free_pmk_r0(struct wpa_ft_pmk_r0_sa *r0) eloop_cancel_timeout(wpa_ft_expire_pmk_r0, r0, NULL); os_memset(r0->pmk_r0, 0, PMK_LEN); + os_free(r0->vlan); os_free(r0); } @@ -471,6 +650,7 @@ static void wpa_ft_free_pmk_r1(struct wpa_ft_pmk_r1_sa *r1) eloop_cancel_timeout(wpa_ft_expire_pmk_r1, r1, NULL); os_memset(r1->pmk_r1, 0, PMK_LEN); + os_free(r1->vlan); os_free(r1); } @@ -517,6 +697,7 @@ void wpa_ft_pmk_cache_deinit(struct wpa_ft_pmk_cache *cache) static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r0, const u8 *pmk_r0_name, int pairwise, + const struct vlan_description *vlan, const int expires_in) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; @@ -536,6 +717,11 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, r0->pairwise = pairwise; if (expires_in > 0) r0->expiration = now.sec + expires_in; + if (vlan && vlan->notempty) { + r0->vlan = os_zalloc(sizeof(*vlan)); + if (r0->vlan) + *r0->vlan = *vlan; + } dl_list_add(&cache->pmk_r0, &r0->list); @@ -573,6 +759,7 @@ static int wpa_ft_fetch_pmk_r0(struct wpa_authenticator *wpa_auth, static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r1, const u8 *pmk_r1_name, int pairwise, + const struct vlan_description *vlan, int expires_in) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; @@ -588,6 +775,11 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, os_memcpy(r1->pmk_r1_name, pmk_r1_name, WPA_PMK_NAME_LEN); os_memcpy(r1->spa, spa, ETH_ALEN); r1->pairwise = pairwise; + if (vlan && vlan->notempty) { + r1->vlan = os_zalloc(sizeof(*vlan)); + if (r1->vlan) + *r1->vlan = *vlan; + } dl_list_add(&cache->pmk_r1, &r1->list); @@ -601,7 +793,8 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r1_name, - u8 *pmk_r1, int *pairwise) + u8 *pmk_r1, int *pairwise, + struct vlan_description *vlan) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; struct wpa_ft_pmk_r1_sa *r1; @@ -613,6 +806,10 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth, os_memcpy(pmk_r1, r1->pmk_r1, PMK_LEN); if (pairwise) *pairwise = r1->pairwise; + if (vlan && r1->vlan) + *vlan = *r1->vlan; + if (vlan && !r1->vlan) + os_memset(vlan, 0, sizeof(*vlan)); return 0; } } @@ -831,7 +1028,7 @@ static int wpa_ft_pull_pmk_r1(struct wpa_state_machine *sm, }; if (wpa_ft_rrb_build(r0kh->key, sizeof(r0kh->key), &req_hdr, - req_tlv, NULL, &packet, &packet_len) < 0) { + req_tlv, NULL, NULL, &packet, &packet_len) < 0) { return -1; } @@ -868,6 +1065,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, size_t ssid_len = sm->wpa_auth->conf.ssid_len; int psk_local = sm->wpa_auth->conf.ft_psk_generate_local; int expires_in = sm->wpa_auth->conf.r0_key_lifetime * 60; + struct vlan_description vlan; if (sm->xxkey_len == 0) { wpa_printf(MSG_DEBUG, "FT: XXKey not available for key " @@ -875,13 +1073,19 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, return -1; } + if (wpa_ft_get_vlan(sm->wpa_auth, sm->addr, &vlan) < 0) { + wpa_printf(MSG_DEBUG, "FT: vlan not available for STA " MACSTR, + MAC2STR(sm->addr)); + return -1; + } + wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid, r0kh, r0kh_len, sm->addr, pmk_r0, pmk_r0_name); wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, PMK_LEN); wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN); if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name, - sm->pairwise, expires_in); + sm->pairwise, &vlan, expires_in); wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr, pmk_r1, sm->pmk_r1_name); @@ -891,7 +1095,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1, sm->pmk_r1_name, sm->pairwise, - expires_in); + &vlan, expires_in); return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr, sm->wpa_auth->addr, sm->pmk_r1_name, @@ -1297,7 +1501,8 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) */ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, const u8 *req_pmk_r1_name, - u8 *out_pmk_r1, int *out_pairwise) + u8 *out_pmk_r1, int *out_pairwise, + struct vlan_description *out_vlan) { const u8 *pmk = NULL; u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN]; @@ -1334,6 +1539,13 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, os_memcpy(out_pmk_r1, pmk_r1, PMK_LEN); if (out_pairwise) *out_pairwise = pairwise; + if (out_vlan && + wpa_ft_get_vlan(sm->wpa_auth, sm->addr, out_vlan) < 0) { + wpa_printf(MSG_DEBUG, "FT: vlan not available for STA " + MACSTR, MAC2STR(sm->addr)); + return -1; + } + return 0; } @@ -1395,6 +1607,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, int ret; u8 *pos, *end; int pairwise; + struct vlan_description vlan; *resp_ies = NULL; *resp_ies_len = 0; @@ -1455,11 +1668,11 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, if (conf->ft_psk_generate_local && wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { - if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise) < 0) + if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise, + &vlan) < 0) return WLAN_STATUS_INVALID_PMKID; - } else - if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name, pmk_r1, - &pairwise) < 0) { + } else if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name, + pmk_r1, &pairwise, &vlan) < 0) { if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) { wpa_printf(MSG_DEBUG, "FT: Did not have matching " "PMK-R1 and unknown R0KH-ID"); @@ -1494,6 +1707,11 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, sm->PTK_valid = TRUE; wpa_ft_install_ptk(sm); + if (wpa_ft_set_vlan(sm->wpa_auth, sm->addr, &vlan) < 0) { + wpa_printf(MSG_DEBUG, "FT: Failed to configure VLAN"); + return WLAN_STATUS_UNSPECIFIED_FAILURE; + } + buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + 2 + FT_R1KH_ID_LEN + 200; *resp_ies = os_zalloc(buflen); @@ -1918,7 +2136,7 @@ static int wpa_ft_rrb_build_r0(const u8 *kek, size_t kek_len, int ret; if (!pmk_r0) - return wpa_ft_rrb_build(kek, kek_len, frame, tlvs, NULL, + return wpa_ft_rrb_build(kek, kek_len, frame, tlvs, NULL, NULL, packet, packet_len); wpa_derive_pmk_r1(pmk_r0->pmk_r0, pmk_r0->pmk_r0_name, r1kh_id, @@ -1949,7 +2167,7 @@ static int wpa_ft_rrb_build_r0(const u8 *kek, size_t kek_len, }; ret = wpa_ft_rrb_build(kek, kek_len, frame, tlvs, sess_tlv, - packet, packet_len); + pmk_r0->vlan, packet, packet_len); os_memset(pmk_r1, 0, sizeof(pmk_r1)); @@ -2156,6 +2374,7 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth, int ret = -1; int expires_in; int max_expires_in = wpa_auth->conf.r0_key_lifetime * 60; + struct vlan_description vlan; RRB_GET(FT_RRB_R1KH_ID, r1kh_id, msgtype, FT_R1KH_ID_LEN); if (os_memcmp_const(f_r1kh_id, wpa_auth->conf.r1_key_holder, @@ -2195,11 +2414,20 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth, wpa_printf(MSG_DEBUG, "FT: PMK-R1 %s - expires_in=%d", msgtype, expires_in); + if (wpa_ft_rrb_get_tlv_vlan(plain, plain_len, &vlan) < 0) { + wpa_printf(MSG_DEBUG, "FT: PMK-R1 %s without parseable vlan", + msgtype); + goto out; + } + + wpa_printf(MSG_DEBUG, "FT: PMK-R1 %s - vlan %d%s", msgtype, + le_to_host16(vlan.untagged), vlan.tagged[0] ? "+" : ""); + if (expires_in <= 0 || expires_in > max_expires_in) expires_in = max_expires_in; if (wpa_ft_store_pmk_r1(wpa_auth, f_s1kh_id, f_pmk_r1, f_pmk_r1_name, - pairwise, expires_in) < 0) + pairwise, &vlan, expires_in) < 0) return -1; ret = 0; diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index fe926a4..aca88d2 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -573,6 +573,65 @@ hostapd_wpa_auth_add_sta(void *ctx, const u8 *sta_addr) } + +static int hostapd_wpa_auth_set_vlan(void *ctx, const u8 *sta_addr, + struct vlan_description *vlan) +{ + struct hostapd_data *hapd = ctx; + struct sta_info *sta; + + sta = ap_get_sta(hapd, sta_addr); + if (sta == NULL) + return -1; + + if (!sta->wpa_sm) + return -1; + + if (vlan->notempty && + !hostapd_vlan_valid(hapd->conf->vlan, vlan)) { + hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, + HOSTAPD_LEVEL_INFO, "Invalid VLAN " + "%d%s received from FT", + vlan->untagged, + vlan->tagged[0] ? "+" : ""); + return -1; + } + + if (ap_sta_set_vlan(hapd, sta, vlan) < 0) + return -1; + /* configure wpa_group for GTK but ignore error due to driver not + * knowing this sta + */ + ap_sta_bind_vlan(hapd, sta); + + if (sta->vlan_id) + hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, + HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id); + + return 0; +} + + +static int +hostapd_wpa_auth_get_vlan(void *ctx, const u8 *sta_addr, + struct vlan_description *vlan) +{ + struct hostapd_data *hapd = ctx; + struct sta_info *sta; + + sta = ap_get_sta(hapd, sta_addr); + if (sta == NULL) + return -1; + + if (sta->vlan_desc) + *vlan = *sta->vlan_desc; + else + os_memset(vlan, 0, sizeof(*vlan)); + + return 0; +} + + static void hostapd_rrb_receive(void *ctx, const u8 *src_addr, const u8 *buf, size_t len) { @@ -632,6 +691,8 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) #ifdef CONFIG_IEEE80211R cb.send_ft_action = hostapd_wpa_auth_send_ft_action; cb.add_sta = hostapd_wpa_auth_add_sta; + cb.set_vlan = hostapd_wpa_auth_set_vlan; + cb.get_vlan = hostapd_wpa_auth_get_vlan; cb.add_tspec = hostapd_wpa_auth_add_tspec; #endif /* CONFIG_IEEE80211R */ hapd->wpa_auth = wpa_init(hapd->own_addr, &_conf, &cb);