From patchwork Mon Oct 11 11:24:31 2021
X-Patchwork-Submitter: Tom Barthe
X-Patchwork-Id: 1539259
From: Tom Barthe
To: hostap@lists.infradead.org
Cc: Tom Barthe
Subject: [PATCH 1/7] Support for RADIUS attributes filtering by tag
Date: Mon, 11 Oct 2021 13:24:31 +0200
Message-Id: <20211011112437.178673-2-jeltz+hostap@auro.re>
In-Reply-To: <20211011112437.178673-1-jeltz+hostap@auro.re>
References: <20211011112437.178673-1-jeltz+hostap@auro.re>
Signed-off-by: Tom Barthe --- src/ap/ap_config.h | 1 + src/ap/ieee802_11_auth.c | 6 ++++-- src/ap/ieee802_1x.c | 2 +- src/radius/radius.c | 17 +++++++++++++++-- src/radius/radius.h | 5 +++-- 5 files changed, 24 insertions(+), 7 deletions(-) diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 3ba368987..edd21516b 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -152,6 +152,7 @@ struct hostapd_sta_wpa_psk_short { u8 psk[PMK_LEN]; char passphrase[MAX_PASSPHRASE_LEN + 1]; int ref; /* (number of references held) - 1 */ + u8 tag; }; struct hostapd_wpa_psk { diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index 783ee6dea..68fbb5d91 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -380,6 +380,7 @@ static void decode_tunnel_passwords(struct hostapd_data *hapd, char *passphrase; size_t i; struct hostapd_sta_wpa_psk_short *psk; + u8 tag = 0; /* * Decode all tunnel passwords as PSK and save them into a linked list. @@ -387,7 +388,7 @@ static void decode_tunnel_passwords(struct hostapd_data *hapd, for (i = 0; ; i++) { passphrase = radius_msg_get_tunnel_password( msg, &passphraselen, shared_secret, shared_secret_len, - req, i); + req, i, &tag); /* * Passphrase is NULL iff there is no i-th Tunnel-Password * attribute in msg. 
@@ -424,6 +425,7 @@ static void decode_tunnel_passwords(struct hostapd_data *hapd, psk->is_passphrase = 1; } psk->next = cache->info.psk; + psk->tag = tag; cache->info.psk = psk; psk = NULL; } @@ -516,7 +518,7 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED) info->vlan_id.notempty = !!radius_msg_get_vlanid( msg, &info->vlan_id.untagged, - MAX_NUM_TAGGED_VLAN, info->vlan_id.tagged); + MAX_NUM_TAGGED_VLAN, info->vlan_id.tagged, 0); decode_tunnel_passwords(hapd, shared_secret, shared_secret_len, msg, req, cache); diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 753c88335..df8d3c260 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -1876,7 +1876,7 @@ static int ieee802_1x_update_vlan(struct radius_msg *msg, os_memset(&vlan_desc, 0, sizeof(vlan_desc)); vlan_desc.notempty = !!radius_msg_get_vlanid(msg, &vlan_desc.untagged, MAX_NUM_TAGGED_VLAN, - vlan_desc.tagged); + vlan_desc.tagged, 0); if (vlan_desc.notempty && !hostapd_vlan_valid(hapd->conf->vlan, &vlan_desc)) { diff --git a/src/radius/radius.c b/src/radius/radius.c index be16e27b9..210a0f75e 100644 --- a/src/radius/radius.c +++ b/src/radius/radius.c @@ -1437,6 +1437,11 @@ static int cmp_int(const void *a, const void *b) } +static int tag_is_valid(u8 tag) { + return 0x1 <= tag && tag <= 0x1F; +} + + /** * radius_msg_get_vlanid - Parse RADIUS attributes for VLAN tunnel information * The k tagged vlans found are sorted by vlan_id and stored in the first k @@ -1450,7 +1455,7 @@ static int cmp_int(const void *a, const void *b) * Returns: 0 if neither tagged nor untagged configuration is found, 1 otherwise */ int radius_msg_get_vlanid(struct radius_msg *msg, int *untagged, int numtagged, - int *tagged) + int *tagged, u8 tag) { struct radius_tunnel_attrs tunnel[RADIUS_TUNNEL_TAGS], *tun; size_t i; 
@@ -1524,6 +1529,8 @@ int radius_msg_get_vlanid(struct radius_msg *msg, int *untagged, int numtagged, /* Use tunnel with the lowest tag for untagged VLAN id */ for (i = 0; i < RADIUS_TUNNEL_TAGS; i++) { tun = &tunnel[i]; + if (tag_is_valid(tag) && i != tag) + continue; if (tun->tag_used && tun->type == RADIUS_TUNNEL_TYPE_VLAN && tun->medium_type == RADIUS_TUNNEL_MEDIUM_TYPE_802 && @@ -1554,7 +1561,7 @@ int radius_msg_get_vlanid(struct radius_msg *msg, int *untagged, int numtagged, */ char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen, const u8 *secret, size_t secret_len, - struct radius_msg *sent_msg, size_t n) + struct radius_msg *sent_msg, size_t n, u8 *tag) { u8 *buf = NULL; size_t buflen; @@ -1572,6 +1579,9 @@ char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen, size_t fdlen = -1; char *ret = NULL; + if (tag) + *tag = 0; + /* find n-th valid Tunnel-Password attribute */ for (i = 0; i < msg->attr_used; i++) { attr = radius_get_attr_hdr(msg, i); @@ -1589,6 +1599,9 @@ char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen, if (j <= n) continue; + if (tag_is_valid(data[0])) + *tag = data[0]; + fdata = data; fdlen = dlen; break; diff --git a/src/radius/radius.h b/src/radius/radius.h index fb8148180..70888fc51 100644 --- a/src/radius/radius.h +++ b/src/radius/radius.h @@ -294,10 +294,11 @@ radius_msg_add_attr_user_password(struct radius_msg *msg, const u8 *secret, size_t secret_len); int radius_msg_get_attr(struct radius_msg *msg, u8 type, u8 *buf, size_t len); int radius_msg_get_vlanid(struct radius_msg *msg, int *untagged, int numtagged, - int *tagged); + int *tagged, u8 tag); char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen, const u8 *secret, size_t secret_len, - struct radius_msg *sent_msg, size_t n); + struct radius_msg *sent_msg, size_t n, + u8 *tag); static inline int radius_msg_add_attr_int32(struct radius_msg *msg, u8 type, u32 value)
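Review bot: In the src/ap/ap_config.h hunk, the new `u8 tag;` member of struct hostapd_sta_wpa_psk_short has no comment, while the neighbouring `ref` field documents its meaning; please add a short comment stating that this is the RFC 2868 tag byte of the Tunnel-Password attribute the PSK was decoded from, with 0 meaning "untagged", so readers of the struct do not have to find decode_tunnel_passwords() to learn what the value is.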
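Review bot: The `static int tag_is_valid(u8 tag) {` hunk in src/radius/radius.c puts the opening brace on the declaration line and leaves two blank lines after the function, which does not match the surrounding hostap style (brace on its own line, single blank line between functions); it would also help to state in a comment that the 0x01..0x1F range is the valid tag-field range from RFC 2868 and that 0 (and anything above 0x1F) means "no tag", since every caller in this series relies on `tag_is_valid(0)` being false to keep the old behaviour.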
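Review bot: In the `@@ -1450,7 +1455,7 @@` and `@@ -1524,6 +1529,8 @@` hunks of radius_msg_get_vlanid(), the new `tag` parameter is not described in the function's doc comment, and the visible comment `/* Use tunnel with the lowest tag for untagged VLAN id */` is no longer accurate once a valid tag is passed, because `if (tag_is_valid(tag) && i != tag) continue;` restricts the loop to the single tunnel[tag] entry. Please document the parameter (0 = consider all tags, as before; 1..0x1F = only that tag) and adjust the comment so the filtering behaviour is visible to the next reader.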
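Review bot: In radius_msg_get_tunnel_password(), the `@@ -1572,6 +1579,9 @@` hunk guards the initialisation with `if (tag) *tag = 0;`, but the `@@ -1589,6 +1599,9 @@` hunk then writes `*tag = data[0];` without the same NULL check, so a caller that passes NULL for the new out-parameter (which the first hunk implies is allowed) would dereference a NULL pointer as soon as a tagged Tunnel-Password attribute is found. Either make the second write `if (tag && tag_is_valid(data[0])) *tag = data[0];` or drop the NULL tolerance and state in the doc comment that `tag` must be non-NULL; the src/radius/radius.h prototype hunk should carry whichever contract is chosen.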