@@ -79,6 +79,9 @@ struct ft_rrb_frame {
#define FT_RRB_VLAN_UNTAGGED 12 /* le16 */
#define FT_RRB_VLAN_TAGGED 13 /* n times le16 */
+#define FT_RRB_IDENTITY 14
+#define FT_RRB_RADIUS_CUI 15
+
struct ft_rrbv1_tlv {
le16 type;
le16 len;
@@ -87,7 +90,7 @@ struct ft_rrbv1_tlv {
/* session TLVs:
* required: [PMK_R1, PMK_R1_NAME, PAIRWISE]
- * optional: VLAN, EXPIRES_IN
+ * optional: VLAN, EXPIRES_IN, IDENTITY, RADIUS_CUI
*
* pull frame TLVs:
* required: NONCE, R0KH_ID, PMK_R0_NAME, R1KH_ID, S1KH_ID
@@ -233,6 +236,13 @@ struct wpa_auth_callbacks {
struct vlan_description *vlan);
int (*get_vlan)(void *ctx, const u8 *sta_addr,
struct vlan_description *vlan);
+ size_t (*get_identity)(void *ctx, const u8 *sta_addr, const u8 **buf);
+ size_t (*get_radius_cui)(void *ctx, const u8 *sta_addr, const u8 **buf);
+ void (*set_identity)(void *ctx, const u8 *sta_addr,
+ const u8 *identity, size_t identity_len);
+ void (*set_radius_cui)(void *ctx, const u8 *sta_addr,
+ const u8 *radius_cui, size_t radius_cui_len);
+
int (*send_ft_action)(void *ctx, const u8 *dst,
const u8 *data, size_t data_len);
int (*add_tspec)(void *ctx, const u8 *sta_addr, u8 *tspec_ie,
@@ -496,6 +496,50 @@ wpa_ft_get_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
}
+static size_t
+wpa_ft_get_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+ const u8 **buf)
+{
+ *buf = NULL;
+ if (wpa_auth->cb.get_identity == NULL)
+ return 0;
+ return wpa_auth->cb.get_identity(wpa_auth->cb.ctx, sta_addr, buf);
+}
+
+
+static size_t
+wpa_ft_get_radius_cui(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+ const u8 **buf)
+{
+ *buf = NULL;
+ if (wpa_auth->cb.get_radius_cui == NULL)
+ return 0;
+ return wpa_auth->cb.get_radius_cui(wpa_auth->cb.ctx, sta_addr, buf);
+}
+
+
+static void
+wpa_ft_set_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+ const u8 *identity, size_t identity_len)
+{
+ if (wpa_auth->cb.set_identity == NULL)
+ return;
+ wpa_auth->cb.set_identity(wpa_auth->cb.ctx, sta_addr, identity,
+ identity_len);
+}
+
+
+static void
+wpa_ft_set_radius_cui(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+ const u8 *radius_cui, size_t radius_cui_len)
+{
+ if (wpa_auth->cb.set_radius_cui == NULL)
+ return;
+ wpa_auth->cb.set_radius_cui(wpa_auth->cb.ctx, sta_addr, radius_cui,
+ radius_cui_len);
+}
+
+
static int wpa_ft_add_tspec(struct wpa_authenticator *wpa_auth,
const u8 *sta_addr,
u8 *tspec_ie, size_t tspec_ielen)
@@ -586,7 +630,11 @@ struct wpa_ft_pmk_r0_sa {
int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
struct vlan_description *vlan;
os_time_t expiration; /* 0 for no expiration */
- /* TODO: identity, radius_class, EAP type */
+ u8 *identity;
+ size_t identity_len;
+ u8 *radius_cui;
+ size_t radius_cui_len;
+ /* TODO: radius_class, EAP type, expiration from EAPOL */
int pmk_r1_pushed;
};
@@ -597,7 +645,11 @@ struct wpa_ft_pmk_r1_sa {
u8 spa[ETH_ALEN];
int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
struct vlan_description *vlan;
- /* TODO: expiration, identity, radius_class, EAP type */
+ u8 *identity;
+ size_t identity_len;
+ u8 *radius_cui;
+ size_t radius_cui_len;
+ /* TODO: expiration from EAPOL, radius_class, EAP type */
};
struct wpa_ft_pmk_cache {
@@ -621,6 +673,8 @@ static void wpa_ft_free_pmk_r0(struct wpa_ft_pmk_r0_sa *r0)
os_memset(r0->pmk_r0, 0, PMK_LEN);
os_free(r0->vlan);
+ os_free(r0->identity);
+ os_free(r0->radius_cui);
os_free(r0);
}
@@ -661,6 +715,8 @@ static void wpa_ft_free_pmk_r1(struct wpa_ft_pmk_r1_sa *r1)
os_memset(r1->pmk_r1, 0, PMK_LEN);
os_free(r1->vlan);
+ os_free(r1->identity);
+ os_free(r1->radius_cui);
os_free(r1);
}
@@ -708,7 +764,9 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
const u8 *spa, const u8 *pmk_r0,
const u8 *pmk_r0_name, int pairwise,
const struct vlan_description *vlan,
- const int expires_in)
+ const int expires_in,
+ const u8 *identity, size_t identity_len,
+ const u8 *radius_cui, size_t radius_cui_len)
{
struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
struct wpa_ft_pmk_r0_sa *r0;
@@ -732,6 +790,20 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
if (r0->vlan)
*r0->vlan = *vlan;
}
+ if (identity) {
+ r0->identity = os_zalloc(identity_len);
+ if (r0->identity) {
+ os_memcpy(r0->identity, identity, identity_len);
+ r0->identity_len = identity_len;
+ }
+ }
+ if (radius_cui) {
+ r0->radius_cui = os_zalloc(radius_cui_len);
+ if (r0->radius_cui) {
+ os_memcpy(r0->radius_cui, radius_cui, radius_cui_len);
+ r0->radius_cui_len = radius_cui_len;
+ }
+ }
dl_list_add(&cache->pmk_r0, &r0->list);
@@ -770,7 +842,9 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
const u8 *spa, const u8 *pmk_r1,
const u8 *pmk_r1_name, int pairwise,
const struct vlan_description *vlan,
- int expires_in)
+ int expires_in,
+ const u8 *identity, u8 identity_len,
+ const u8 *radius_cui, u8 radius_cui_len)
{
struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
int max_expires_in = wpa_auth->conf.r1_max_key_lifetime;
@@ -794,6 +868,20 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
if (r1->vlan)
*r1->vlan = *vlan;
}
+ if (identity) {
+ r1->identity = os_zalloc(identity_len);
+ if (r1->identity) {
+ os_memcpy(r1->identity, identity, identity_len);
+ r1->identity_len = identity_len;
+ }
+ }
+ if (radius_cui) {
+ r1->radius_cui = os_zalloc(radius_cui_len);
+ if (r1->radius_cui) {
+ os_memcpy(r1->radius_cui, radius_cui, radius_cui_len);
+ r1->radius_cui_len = radius_cui_len;
+ }
+ }
dl_list_add(&cache->pmk_r1, &r1->list);
@@ -808,7 +896,9 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
const u8 *spa, const u8 *pmk_r1_name,
u8 *pmk_r1, int *pairwise,
- struct vlan_description *vlan)
+ struct vlan_description *vlan,
+ const u8 **identity, size_t *identity_len,
+ const u8 **radius_cui, size_t *radius_cui_len)
{
struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
struct wpa_ft_pmk_r1_sa *r1;
@@ -824,6 +914,14 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
*vlan = *r1->vlan;
if (vlan && !r1->vlan)
os_memset(vlan, 0, sizeof(*vlan));
+ if (identity && identity_len) {
+ *identity = r1->identity;
+ *identity_len = r1->identity_len;
+ }
+ if (radius_cui && radius_cui_len) {
+ *radius_cui = r1->radius_cui;
+ *radius_cui_len = r1->radius_cui_len;
+ }
return 0;
}
}
@@ -1080,6 +1178,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
int psk_local = sm->wpa_auth->conf.ft_psk_generate_local;
int expires_in = sm->wpa_auth->conf.r0_key_lifetime * 60;
struct vlan_description vlan;
+ const u8 *identity, *radius_cui;
+ int identity_len, radius_cui_len;
if (sm->xxkey_len == 0) {
wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
@@ -1092,6 +1192,9 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
MAC2STR(sm->addr));
return -1;
}
+ identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity);
+ radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
+ &radius_cui);
wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid,
r0kh, r0kh_len, sm->addr, pmk_r0, pmk_r0_name);
@@ -1099,7 +1202,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN);
if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
- sm->pairwise, &vlan, expires_in);
+ sm->pairwise, &vlan, expires_in, identity,
+ identity_len, radius_cui, radius_cui_len);
wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr,
pmk_r1, sm->pmk_r1_name);
@@ -1108,8 +1212,9 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
WPA_PMK_NAME_LEN);
if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1,
- sm->pmk_r1_name, sm->pairwise,
- &vlan, expires_in);
+ sm->pmk_r1_name, sm->pairwise, &vlan,
+ expires_in, identity, identity_len,
+ radius_cui, radius_cui_len);
return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr,
sm->wpa_auth->addr, sm->pmk_r1_name,
@@ -1516,7 +1621,10 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
const u8 *req_pmk_r1_name,
u8 *out_pmk_r1, int *out_pairwise,
- struct vlan_description *out_vlan)
+ struct vlan_description *out_vlan,
+ const u8 **out_identity, size_t *out_identity_len,
+ const u8 **out_radius_cui,
+ size_t *out_radius_cui_len)
{
const u8 *pmk = NULL;
u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
@@ -1529,6 +1637,7 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
const u8 *ssid = wpa_auth->conf.ssid;
size_t ssid_len = wpa_auth->conf.ssid_len;
int pairwise;
+ u8 len;
pairwise = sm->pairwise;
@@ -1559,7 +1668,16 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
MACSTR, MAC2STR(sm->addr));
return -1;
}
-
+ if (out_identity && out_identity_len) {
+ len = wpa_ft_get_identity(sm->wpa_auth, sm->addr,
+ out_identity);
+ *out_identity_len = len;
+ }
+ if (out_radius_cui && out_radius_cui_len) {
+ len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
+ out_radius_cui);
+ *out_radius_cui_len = len;
+ }
return 0;
}
@@ -1622,6 +1740,8 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
u8 *pos, *end;
int pairwise;
struct vlan_description vlan;
+ const u8 *identity, *radius_cui;
+ size_t identity_len = 0, radius_cui_len = 0;
*resp_ies = NULL;
*resp_ies_len = 0;
@@ -1683,10 +1803,13 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
if (conf->ft_psk_generate_local &&
wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise,
- &vlan) < 0)
+ &vlan, &identity, &identity_len,
+ &radius_cui, &radius_cui_len) < 0)
return WLAN_STATUS_INVALID_PMKID;
} else if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name,
- pmk_r1, &pairwise, &vlan) < 0) {
+ pmk_r1, &pairwise, &vlan, &identity,
+ &identity_len, &radius_cui,
+ &radius_cui_len) < 0) {
if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) {
wpa_printf(MSG_DEBUG, "FT: Did not have matching "
"PMK-R1 and unknown R0KH-ID");
@@ -1725,6 +1848,9 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
wpa_printf(MSG_DEBUG, "FT: Failed to configure VLAN");
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
+ wpa_ft_set_identity(sm->wpa_auth, sm->addr, identity, identity_len);
+ wpa_ft_set_radius_cui(sm->wpa_auth, sm->addr, radius_cui,
+ radius_cui_len);
buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
2 + FT_R1KH_ID_LEN + 200;
@@ -2218,6 +2344,10 @@ static int wpa_ft_rrb_build_r0(const u8 *kek, size_t kek_len,
.data = f_pairwise },
{ .type = FT_RRB_EXPIRES_IN, .len = sizeof(f_expires_in),
.data = f_expires_in },
+ { .type = FT_RRB_IDENTITY, .len = pmk_r0->identity_len,
+ .data = pmk_r0->identity },
+ { .type = FT_RRB_RADIUS_CUI, .len = pmk_r0->radius_cui_len,
+ .data = pmk_r0->radius_cui },
{ .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL },
};
@@ -2422,14 +2552,17 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth,
const u8 *f_r1kh_id, *f_s1kh_id;
const u8 *f_pmk_r1_name, *f_pairwise, *f_pmk_r1;
const u8 *f_expires_in;
+ const u8 *f_identity, *f_radius_cui;
size_t f_r1kh_id_len, f_s1kh_id_len;
size_t f_pmk_r1_name_len, f_pairwise_len, f_pmk_r1_len;
size_t f_expires_in_len;
+ size_t f_identity_len, f_radius_cui_len;
int pairwise;
int ret = -1;
int expires_in;
int max_expires_in = wpa_auth->conf.r0_key_lifetime * 60;
struct vlan_description vlan;
+ char buf[256];
RRB_GET(FT_RRB_R1KH_ID, r1kh_id, msgtype, FT_R1KH_ID_LEN);
if (os_memcmp_const(f_r1kh_id, wpa_auth->conf.r1_key_holder,
@@ -2481,8 +2614,25 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth,
if (expires_in <= 0 || expires_in > max_expires_in)
expires_in = max_expires_in;
+ RRB_GET_OPTIONAL(FT_RRB_IDENTITY, identity, msgtype, -1);
+
+ if (f_identity) {
+ os_snprintf(buf, sizeof(buf), "FT: PMK-R1 %s - Identity",
+ msgtype);
+ wpa_hexdump(MSG_DEBUG, buf, f_identity, f_identity_len);
+ }
+
+ RRB_GET_OPTIONAL(FT_RRB_RADIUS_CUI, radius_cui, msgtype, -1);
+ if (f_radius_cui) {
+ os_snprintf(buf, sizeof(buf), "FT: PMK-R1 %s - Cui",
+ msgtype);
+ wpa_hexdump(MSG_DEBUG, buf, f_radius_cui, f_radius_cui_len);
+ }
+
if (wpa_ft_store_pmk_r1(wpa_auth, f_s1kh_id, f_pmk_r1, f_pmk_r1_name,
- pairwise, &vlan, expires_in) < 0)
+ pairwise, &vlan, expires_in, f_identity,
+ f_identity_len, f_radius_cui,
+ f_radius_cui_len) < 0)
return -1;
ret = 0;
@@ -710,6 +710,146 @@ hostapd_wpa_auth_get_vlan(void *ctx, const u8 *sta_addr,
}
+static size_t
+hostapd_wpa_auth_get_identity(void *ctx, const u8 *sta_addr, const u8 **buf)
+{
+ struct hostapd_data *hapd = ctx;
+ struct sta_info *sta;
+ size_t len;
+ char *identity;
+
+ sta = ap_get_sta(hapd, sta_addr);
+ if (sta == NULL)
+ return 0;
+
+ *buf = ieee802_1x_get_identity(sta->eapol_sm, &len);
+ if (*buf && len)
+ return len;
+
+ if (!sta->identity) {
+ *buf = NULL;
+ return 0;
+ }
+
+ identity = sta->identity;
+
+ len = os_strlen(identity);
+ *buf = (u8 *) identity;
+
+ return len;
+}
+
+
+static size_t
+hostapd_wpa_auth_get_radius_cui(void *ctx, const u8 *sta_addr, const u8 **buf)
+{
+ struct hostapd_data *hapd = ctx;
+ struct sta_info *sta;
+ struct wpabuf *b;
+ size_t len;
+ char *radius_cui;
+
+ sta = ap_get_sta(hapd, sta_addr);
+ if (sta == NULL)
+ return 0;
+
+ b = ieee802_1x_get_radius_cui(sta->eapol_sm);
+ if (b) {
+ len = wpabuf_len(b);
+ *buf = wpabuf_head(b);
+ return len;
+ }
+
+ if (!sta->radius_cui) {
+ *buf = NULL;
+ return 0;
+ }
+
+ radius_cui = sta->radius_cui;
+
+ len = os_strlen(radius_cui);
+ *buf = (u8 *) radius_cui;
+
+ return len;
+}
+
+
+static void
+hostapd_wpa_auth_set_identity(void *ctx, const u8 *sta_addr,
+ const u8 *identity, size_t identity_len)
+{
+ struct hostapd_data *hapd = ctx;
+ struct sta_info *sta;
+
+ sta = ap_get_sta(hapd, sta_addr);
+ if (sta == NULL)
+ return;
+
+ if (sta->identity) {
+ os_free(sta->identity);
+ sta->identity = NULL;
+ }
+
+ if (sta->eapol_sm && sta->eapol_sm->identity) {
+ os_free(sta->eapol_sm->identity);
+ sta->eapol_sm->identity = NULL;
+ sta->eapol_sm->identity_len = 0;
+ }
+
+ if (!identity_len)
+ return;
+
+ /* sta->identity is NULL terminated */
+ sta->identity = os_zalloc(identity_len + 1);
+ if (sta->identity)
+ os_memcpy(sta->identity, identity, identity_len);
+
+ if (sta->eapol_sm) {
+ sta->eapol_sm->identity = os_zalloc(identity_len);
+ if (sta->eapol_sm->identity) {
+ os_memcpy(sta->eapol_sm->identity, identity,
+ identity_len);
+ sta->eapol_sm->identity_len = identity_len;
+ }
+ }
+}
+
+
+static void
+hostapd_wpa_auth_set_radius_cui(void *ctx, const u8 *sta_addr,
+ const u8 *radius_cui, size_t radius_cui_len)
+{
+ struct hostapd_data *hapd = ctx;
+ struct sta_info *sta;
+
+ sta = ap_get_sta(hapd, sta_addr);
+ if (sta == NULL)
+ return;
+
+ if (sta->radius_cui) {
+ os_free(sta->radius_cui);
+ sta->radius_cui = NULL;
+ }
+
+ if (sta->eapol_sm && sta->eapol_sm->radius_cui) {
+ wpabuf_free(sta->eapol_sm->radius_cui);
+ sta->eapol_sm->radius_cui = NULL;
+ }
+
+ if (!radius_cui)
+ return;
+
+ /* sta->radius_cui is NULL terminated */
+ sta->radius_cui = os_zalloc(radius_cui_len + 1);
+ if (sta->radius_cui)
+ os_memcpy(sta->radius_cui, radius_cui, radius_cui_len);
+
+ if (sta->eapol_sm)
+ sta->eapol_sm->radius_cui = wpabuf_alloc_copy(radius_cui,
+ radius_cui_len);
+}
+
+
static void hostapd_rrb_receive(void *ctx, const u8 *src_addr, const u8 *buf,
size_t len)
{
@@ -774,6 +914,10 @@ int hostapd_setup_wpa(struct hostapd_data *hapd)
cb.add_sta = hostapd_wpa_auth_add_sta_auth;
cb.set_vlan = hostapd_wpa_auth_set_vlan;
cb.get_vlan = hostapd_wpa_auth_get_vlan;
+ cb.get_identity = hostapd_wpa_auth_get_identity;
+ cb.get_radius_cui = hostapd_wpa_auth_get_radius_cui;
+ cb.set_identity = hostapd_wpa_auth_set_identity;
+ cb.set_radius_cui = hostapd_wpa_auth_set_radius_cui;
cb.add_tspec = hostapd_wpa_auth_add_tspec;
#endif /* CONFIG_IEEE80211R */
hapd->wpa_auth = wpa_init(hapd->own_addr, &_conf, &cb);
Signed-off-by: Michael Braun <michael-dev@fami-braun.de> --- src/ap/wpa_auth.h | 12 +++- src/ap/wpa_auth_ft.c | 176 +++++++++++++++++++++++++++++++++++++++++++++---- src/ap/wpa_auth_glue.c | 144 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 318 insertions(+), 14 deletions(-)