From patchwork Thu May 18 13:21:54 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: michael-dev X-Patchwork-Id: 763991 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3wTBkQ0rrgz9ryv for ; Thu, 18 May 2017 23:25:02 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="i+SORxhR"; dkim-atps=neutral DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References: In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=YTVJ/VqUp0GdlYDlQCS38PPJR/O2xYkpfNKQzOU36h0=; b=i+SORxhRcXrVHboA+gYxSx/MaK ufuRJU5w5G0+123YomygRoAZrfTSqtxGttYNKqnUuoJSLyujGSd7AiH3fEftG7sKCb8eWO3PRGJ1O lpU0FRBkcisQZMhcz6dtTy8vWigqtvffzwQARvC7K/HgYoO4eUWE7E+WZVpMyR25prYrrVRrY7OvR bIOhwixNp5I9VVnTpz6ALRpGZU1utY5N+3SVWN//9B08YlRd8RdL0No1NoN9JDUwRgl41sPBOYdBM 09rR3MFgf59Mmbpe4xQhh33j7Zfs9NEjBgkMwyv1Ow3SbvsYJc5LGJGfV6Ad4JU1u8KMB16mYTeHb MdyNTODA==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1dBLQ8-0004Jx-VF; Thu, 18 May 2017 13:24:48 +0000 Received: from mail.fem.tu-ilmenau.de ([141.24.220.54]) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1dBLPo-0003TA-RQ for hostap@lists.infradead.org; Thu, 18 May 2017 13:24:43 +0000 Received: from localhost (localhost [127.0.0.1]) by mail.fem.tu-ilmenau.de (Postfix) with ESMTP id CEF9B689E; Thu, 18 May 2017 15:23:43 +0200 (CEST) X-Virus-Scanned: amavisd-new at fem.tu-ilmenau.de Received: from mail.fem.tu-ilmenau.de ([127.0.0.1]) by localhost (mail.fem.tu-ilmenau.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LCrhsp2keTPI; Thu, 18 May 2017 15:23:42 +0200 (CEST) Received: from a234.fem.tu-ilmenau.de (ray-controller.net.fem.tu-ilmenau.de [10.42.51.234]) by mail.fem.tu-ilmenau.de (Postfix) with ESMTP; Thu, 18 May 2017 15:23:40 +0200 (CEST) Received: by a234.fem.tu-ilmenau.de (Postfix, from userid 1000) id 48A4C306AC49; Thu, 18 May 2017 15:22:03 +0200 (CEST) From: Michael Braun To: hostap@lists.infradead.org Subject: [PATCH 5/8] FT: include identity and radius_cui in pull/resp frames Date: Thu, 18 May 2017 15:21:54 +0200 Message-Id: <1495113717-26860-6-git-send-email-michael-dev@fami-braun.de> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1495113717-26860-1-git-send-email-michael-dev@fami-braun.de> References: <1495113717-26860-1-git-send-email-michael-dev@fami-braun.de> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20170518_062430_279277_F90E9FD9 X-CRM114-Status: GOOD ( 14.35 ) X-Spam-Score: -4.2 (----) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-4.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust [141.24.220.54 listed in list.dnswl.org] -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: projekt-wlan@fem.tu-ilmenau.de, Michael Braun MIME-Version: 1.0 Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Signed-off-by: Michael Braun --- src/ap/ieee802_11.c | 3 + src/ap/wpa_auth.h | 12 ++- src/ap/wpa_auth_ft.c | 201 +++++++++++++++++++++++++++++++++++++++++++------ src/ap/wpa_auth_glue.c | 144 +++++++++++++++++++++++++++++++++++ 4 files changed, 334 insertions(+), 26 deletions(-) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index d15a70c..5331b2a 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -1540,8 +1540,11 @@ ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta, sta->psk = NULL; } + os_free(sta->identity); sta->identity = *identity; *identity = NULL; + + os_free(sta->radius_cui); sta->radius_cui = *radius_cui; *radius_cui = NULL; diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index bf7bf43..936831b 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -83,6 +83,9 @@ struct ft_rrb_frame { #define FT_RRB_VLAN_UNTAGGED 13 /* le16 */ #define FT_RRB_VLAN_TAGGED 14 /* n times le16 */ +#define FT_RRB_IDENTITY 15 +#define FT_RRB_RADIUS_CUI 16 + struct ft_rrb_tlv { le16 type; le16 len; @@ -97,7 +100,7 @@ struct ft_rrb_seq { /* session TLVs: * required: PMK_R1, PMK_R1_NAME, PAIRWISE - * optional: VLAN, EXPIRES_IN + * optional: VLAN, EXPIRES_IN, IDENTITY, RADIUS_CUI * * pull frame TLVs: * auth: @@ -264,6 +267,13 @@ struct wpa_auth_callbacks { struct vlan_description *vlan); int (*get_vlan)(void *ctx, const u8 *sta_addr, struct vlan_description *vlan); + size_t (*get_identity)(void *ctx, const u8 *sta_addr, const u8 **buf); + size_t (*get_radius_cui)(void *ctx, const u8 *sta_addr, const u8 **buf); + void (*set_identity)(void *ctx, const u8 *sta_addr, + const u8 *identity, size_t identity_len); + void (*set_radius_cui)(void *ctx, const u8 *sta_addr, + const u8 *radius_cui, size_t radius_cui_len); + int (*send_ft_action)(void *ctx, const u8 *dst, const u8 *data, size_t data_len); int (*add_tspec)(void *ctx, const u8 *sta_addr, u8 *tspec_ie, diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index a06b983..321f5b1 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -326,6 +326,8 @@ static size_t wpa_ft_tlv_lin(const struct tlv_list *tlvs, u8 *start, if (tlv_len + tlvs[i].len > (size_t) (endpos - start)) return tlv_len; + if (tlvs[i].len == 0) + continue; tlv_len += tlvs[i].len; os_memcpy(pos, tlvs[i].data, tlvs[i].len); pos = start + tlv_len; @@ -647,6 +649,50 @@ wpa_ft_get_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, } +static size_t +wpa_ft_get_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, + const u8 **buf) +{ + *buf = NULL; + if (wpa_auth->cb->get_identity == NULL) + return 0; + return wpa_auth->cb->get_identity(wpa_auth->cb_ctx, sta_addr, buf); +} + + +static size_t +wpa_ft_get_radius_cui(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, + const u8 **buf) +{ + *buf = NULL; + if (wpa_auth->cb->get_radius_cui == NULL) + return 0; + return wpa_auth->cb->get_radius_cui(wpa_auth->cb_ctx, sta_addr, buf); +} + + +static void +wpa_ft_set_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, + const u8 *identity, size_t identity_len) +{ + if (wpa_auth->cb->set_identity == NULL) + return; + wpa_auth->cb->set_identity(wpa_auth->cb_ctx, sta_addr, identity, + identity_len); +} + + +static void +wpa_ft_set_radius_cui(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, + const u8 *radius_cui, size_t radius_cui_len) +{ + if (wpa_auth->cb->set_radius_cui == NULL) + return; + wpa_auth->cb->set_radius_cui(wpa_auth->cb_ctx, sta_addr, radius_cui, + radius_cui_len); +} + + static int wpa_ft_add_tspec(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, u8 *tspec_ie, size_t tspec_ielen) @@ -1032,7 +1078,11 @@ struct wpa_ft_pmk_r0_sa { int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */ struct vlan_description *vlan; os_time_t expiration; /* 0 for no expiration */ - /* TODO: identity, radius_class, EAP type */ + u8 *identity; + size_t identity_len; + u8 *radius_cui; + size_t radius_cui_len; + /* TODO: radius_class, EAP type, expiration from EAPOL */ int pmk_r1_pushed; }; @@ -1043,7 +1093,11 @@ struct wpa_ft_pmk_r1_sa { u8 spa[ETH_ALEN]; int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */ struct vlan_description *vlan; - /* TODO: expiration, identity, radius_class, EAP type */ + u8 *identity; + size_t identity_len; + u8 *radius_cui; + size_t radius_cui_len; + /* TODO: expiration from EAPOL, radius_class, EAP type */ }; struct wpa_ft_pmk_cache { @@ -1067,6 +1121,8 @@ static void wpa_ft_free_pmk_r0(struct wpa_ft_pmk_r0_sa *r0) os_memset(r0->pmk_r0, 0, PMK_LEN); os_free(r0->vlan); + os_free(r0->identity); + os_free(r0->radius_cui); os_free(r0); } @@ -1107,6 +1163,8 @@ static void wpa_ft_free_pmk_r1(struct wpa_ft_pmk_r1_sa *r1) os_memset(r1->pmk_r1, 0, PMK_LEN); os_free(r1->vlan); + os_free(r1->identity); + os_free(r1->radius_cui); os_free(r1); } @@ -1154,7 +1212,9 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r0, const u8 *pmk_r0_name, int pairwise, const struct vlan_description *vlan, - const int expires_in) + const int expires_in, + const u8 *identity, size_t identity_len, + const u8 *radius_cui, size_t radius_cui_len) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; struct wpa_ft_pmk_r0_sa *r0; @@ -1178,6 +1238,20 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, if (r0->vlan) *r0->vlan = *vlan; } + if (identity) { + r0->identity = os_zalloc(identity_len); + if (r0->identity) { + os_memcpy(r0->identity, identity, identity_len); + r0->identity_len = identity_len; + } + } + if (radius_cui) { + r0->radius_cui = os_zalloc(radius_cui_len); + if (r0->radius_cui) { + os_memcpy(r0->radius_cui, radius_cui, radius_cui_len); + r0->radius_cui_len = radius_cui_len; + } + } dl_list_add(&cache->pmk_r0, &r0->list); @@ -1216,7 +1290,9 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r1, const u8 *pmk_r1_name, int pairwise, const struct vlan_description *vlan, - int expires_in) + int expires_in, + const u8 *identity, u8 identity_len, + const u8 *radius_cui, u8 radius_cui_len) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; int max_expires_in = wpa_auth->conf.r1_max_key_lifetime; @@ -1240,6 +1316,20 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, if (r1->vlan) *r1->vlan = *vlan; } + if (identity) { + r1->identity = os_zalloc(identity_len); + if (r1->identity) { + os_memcpy(r1->identity, identity, identity_len); + r1->identity_len = identity_len; + } + } + if (radius_cui) { + r1->radius_cui = os_zalloc(radius_cui_len); + if (r1->radius_cui) { + os_memcpy(r1->radius_cui, radius_cui, radius_cui_len); + r1->radius_cui_len = radius_cui_len; + } + } dl_list_add(&cache->pmk_r1, &r1->list); @@ -1254,7 +1344,9 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r1_name, u8 *pmk_r1, int *pairwise, - struct vlan_description *vlan) + struct vlan_description *vlan, + const u8 **identity, size_t *identity_len, + const u8 **radius_cui, size_t *radius_cui_len) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; struct wpa_ft_pmk_r1_sa *r1; @@ -1270,6 +1362,14 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth, *vlan = *r1->vlan; if (vlan && !r1->vlan) os_memset(vlan, 0, sizeof(*vlan)); + if (identity && identity_len) { + *identity = r1->identity; + *identity_len = r1->identity_len; + } + if (radius_cui && radius_cui_len) { + *radius_cui = r1->radius_cui; + *radius_cui_len = r1->radius_cui_len; + } return 0; } } @@ -1804,15 +1904,21 @@ int wpa_ft_store_pmk_fils(struct wpa_state_machine *sm, { int expires_in = sm->wpa_auth->conf.r0_key_lifetime * 60; struct vlan_description vlan; + const u8 *identity, *radius_cui; + int identity_len, radius_cui_len; if (wpa_ft_get_vlan(sm->wpa_auth, sm->addr, &vlan) < 0) { wpa_printf(MSG_DEBUG, "FT: vlan not available for STA " MACSTR, MAC2STR(sm->addr)); return -1; } + identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity); + radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr, + &radius_cui); return wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name, - sm->pairwise, &vlan, expires_in); + sm->pairwise, &vlan, expires_in, identity, + identity_len, radius_cui, radius_cui_len); } @@ -1831,6 +1937,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, int psk_local = sm->wpa_auth->conf.ft_psk_generate_local; int expires_in = sm->wpa_auth->conf.r0_key_lifetime * 60; struct vlan_description vlan; + const u8 *identity, *radius_cui; + int identity_len, radius_cui_len; if (sm->xxkey_len == 0) { wpa_printf(MSG_DEBUG, "FT: XXKey not available for key " @@ -1843,6 +1951,9 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, MAC2STR(sm->addr)); return -1; } + identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity); + radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr, + &radius_cui); if (wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid, r0kh, r0kh_len, sm->addr, @@ -1852,7 +1963,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN); if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name, - sm->pairwise, &vlan, expires_in); + sm->pairwise, &vlan, expires_in, identity, + identity_len, radius_cui, radius_cui_len); if (wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr, pmk_r1, sm->pmk_r1_name) < 0) @@ -1862,8 +1974,9 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, WPA_PMK_NAME_LEN); if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1, - sm->pmk_r1_name, sm->pairwise, - &vlan, expires_in); + sm->pmk_r1_name, sm->pairwise, &vlan, + expires_in, identity, identity_len, + radius_cui, radius_cui_len); return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr, sm->wpa_auth->addr, sm->pmk_r1_name, @@ -2269,7 +2382,10 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm) static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, const u8 *req_pmk_r1_name, u8 *out_pmk_r1, int *out_pairwise, - struct vlan_description *out_vlan) + struct vlan_description *out_vlan, + const u8 **out_identity, size_t *out_identity_len, + const u8 **out_radius_cui, + size_t *out_radius_cui_len) { const u8 *pmk = NULL; u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN]; @@ -2282,6 +2398,7 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, const u8 *ssid = wpa_auth->conf.ssid; size_t ssid_len = wpa_auth->conf.ssid_len; int pairwise; + u8 len; pairwise = sm->pairwise; @@ -2312,7 +2429,16 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, MACSTR, MAC2STR(sm->addr)); return -1; } - + if (out_identity && out_identity_len) { + len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, + out_identity); + *out_identity_len = len; + } + if (out_radius_cui && out_radius_cui_len) { + len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr, + out_radius_cui); + *out_radius_cui_len = len; + } return 0; } @@ -2377,6 +2503,8 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, u8 *pos, *end; int pairwise; struct vlan_description vlan; + const u8 *identity, *radius_cui; + size_t identity_len = 0, radius_cui_len = 0; *resp_ies = NULL; *resp_ies_len = 0; @@ -2439,10 +2567,13 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, if (conf->ft_psk_generate_local && wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise, - &vlan) < 0) + &vlan, &identity, &identity_len, + &radius_cui, &radius_cui_len) < 0) return WLAN_STATUS_INVALID_PMKID; } else if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name, - pmk_r1, &pairwise, &vlan) < 0) { + pmk_r1, &pairwise, &vlan, &identity, + &identity_len, &radius_cui, + &radius_cui_len) < 0) { if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) { wpa_printf(MSG_DEBUG, "FT: Did not have matching PMK-R1 and either unknown or blocked R0KH-ID or NAK from R0KH"); @@ -2481,6 +2612,9 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, wpa_printf(MSG_DEBUG, "FT: Failed to configure VLAN"); return WLAN_STATUS_UNSPECIFIED_FAILURE; } + wpa_ft_set_identity(sm->wpa_auth, sm->addr, identity, identity_len); + wpa_ft_set_radius_cui(sm->wpa_auth, sm->addr, radius_cui, + radius_cui_len); buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + 2 + FT_R1KH_ID_LEN + 200; @@ -2913,14 +3047,13 @@ static int wpa_ft_rrb_build_r0(const u8 *key, const size_t key_len, .data = f_pairwise }, { .type = FT_RRB_EXPIRES_IN, .len = sizeof(f_expires_in), .data = f_expires_in }, + { .type = FT_RRB_IDENTITY, .len = pmk_r0->identity_len, + .data = pmk_r0->identity }, + { .type = FT_RRB_RADIUS_CUI, .len = pmk_r0->radius_cui_len, + .data = pmk_r0->radius_cui }, { .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL }, }; - if (!pmk_r0) - return wpa_ft_rrb_build(key, key_len, tlvs, NULL, tlv_auth, - NULL, src_addr, type, - packet, packet_len); - if (wpa_derive_pmk_r1(pmk_r0->pmk_r0, pmk_r0->pmk_r0_name, r1kh_id, s1kh_id, pmk_r1, pmk_r1_name) < 0) return -1; @@ -3070,13 +3203,17 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth, resp_auth[4].len = 0; resp_auth[4].data = NULL; - if (wpa_ft_fetch_pmk_r0(wpa_auth, f_s1kh_id, f_pmk_r0_name, &r0) < 0) + if (wpa_ft_fetch_pmk_r0(wpa_auth, f_s1kh_id, f_pmk_r0_name, &r0) < 0) { wpa_printf(MSG_DEBUG, "FT: No matching PMK-R0-Name found"); - - ret = wpa_ft_rrb_build_r0(key, key_len, resp, r0, f_r1kh_id, f_s1kh_id, - resp_auth, wpa_auth->addr, - FT_PACKET_R0KH_R1KH_RESP, - &packet, &packet_len); + ret = wpa_ft_rrb_build(key, key_len, resp, NULL, resp_auth, + NULL, wpa_auth->addr, + FT_PACKET_R0KH_R1KH_RESP, + &packet, &packet_len); + } else + ret = wpa_ft_rrb_build_r0(key, key_len, resp, r0, f_r1kh_id, + f_s1kh_id, resp_auth, wpa_auth->addr, + FT_PACKET_R0KH_R1KH_RESP, + &packet, &packet_len); if (!ret) wpa_ft_rrb_oui_send(wpa_auth, src_addr, @@ -3116,8 +3253,10 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth, const u8 *f_pmk_r1_name, *f_pairwise, *f_pmk_r1; const u8 *f_expires_in; size_t f_r1kh_id_len, f_s1kh_id_len, f_r0kh_id_len; + const u8 *f_identity, *f_radius_cui; size_t f_pmk_r1_name_len, f_pairwise_len, f_pmk_r1_len; size_t f_expires_in_len; + size_t f_identity_len, f_radius_cui_len; int pairwise; int ret = -1; int expires_in; @@ -3224,8 +3363,20 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth, wpa_printf(MSG_DEBUG, "FT: vlan %d%s", le_to_host16(vlan.untagged), vlan.tagged[0] ? "+" : ""); + RRB_GET_OPTIONAL(FT_RRB_IDENTITY, identity, msgtype, -1); + if (f_identity) + wpa_hexdump(MSG_DEBUG, "FT: Identity", f_identity, + f_identity_len); + + RRB_GET_OPTIONAL(FT_RRB_RADIUS_CUI, radius_cui, msgtype, -1); + if (f_radius_cui) + wpa_hexdump(MSG_DEBUG, "FT: CUI", f_radius_cui, + f_radius_cui_len); + if (wpa_ft_store_pmk_r1(wpa_auth, f_s1kh_id, f_pmk_r1, f_pmk_r1_name, - pairwise, &vlan, expires_in) < 0) + pairwise, &vlan, expires_in, f_identity, + f_identity_len, f_radius_cui, + f_radius_cui_len) < 0) goto out; ret = 0; diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 3ec8874..b5bfb2a 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -840,6 +840,146 @@ hostapd_wpa_auth_get_vlan(void *ctx, const u8 *sta_addr, } +static size_t +hostapd_wpa_auth_get_identity(void *ctx, const u8 *sta_addr, const u8 **buf) +{ + struct hostapd_data *hapd = ctx; + struct sta_info *sta; + size_t len; + char *identity; + + sta = ap_get_sta(hapd, sta_addr); + if (sta == NULL) + return 0; + + *buf = ieee802_1x_get_identity(sta->eapol_sm, &len); + if (*buf && len) + return len; + + if (!sta->identity) { + *buf = NULL; + return 0; + } + + identity = sta->identity; + + len = os_strlen(identity); + *buf = (u8 *) identity; + + return len; +} + + +static size_t +hostapd_wpa_auth_get_radius_cui(void *ctx, const u8 *sta_addr, const u8 **buf) +{ + struct hostapd_data *hapd = ctx; + struct sta_info *sta; + struct wpabuf *b; + size_t len; + char *radius_cui; + + sta = ap_get_sta(hapd, sta_addr); + if (sta == NULL) + return 0; + + b = ieee802_1x_get_radius_cui(sta->eapol_sm); + if (b) { + len = wpabuf_len(b); + *buf = wpabuf_head(b); + return len; + } + + if (!sta->radius_cui) { + *buf = NULL; + return 0; + } + + radius_cui = sta->radius_cui; + + len = os_strlen(radius_cui); + *buf = (u8 *) radius_cui; + + return len; +} + + +static void +hostapd_wpa_auth_set_identity(void *ctx, const u8 *sta_addr, + const u8 *identity, size_t identity_len) +{ + struct hostapd_data *hapd = ctx; + struct sta_info *sta; + + sta = ap_get_sta(hapd, sta_addr); + if (sta == NULL) + return; + + if (sta->identity) { + os_free(sta->identity); + sta->identity = NULL; + } + + if (sta->eapol_sm && sta->eapol_sm->identity) { + os_free(sta->eapol_sm->identity); + sta->eapol_sm->identity = NULL; + sta->eapol_sm->identity_len = 0; + } + + if (!identity_len) + return; + + /* sta->identity is NULL terminated */ + sta->identity = os_zalloc(identity_len + 1); + if (sta->identity) + os_memcpy(sta->identity, identity, identity_len); + + if (sta->eapol_sm) { + sta->eapol_sm->identity = os_zalloc(identity_len); + if (sta->eapol_sm->identity) { + os_memcpy(sta->eapol_sm->identity, identity, + identity_len); + sta->eapol_sm->identity_len = identity_len; + } + } +} + + +static void +hostapd_wpa_auth_set_radius_cui(void *ctx, const u8 *sta_addr, + const u8 *radius_cui, size_t radius_cui_len) +{ + struct hostapd_data *hapd = ctx; + struct sta_info *sta; + + sta = ap_get_sta(hapd, sta_addr); + if (sta == NULL) + return; + + if (sta->radius_cui) { + os_free(sta->radius_cui); + sta->radius_cui = NULL; + } + + if (sta->eapol_sm && sta->eapol_sm->radius_cui) { + wpabuf_free(sta->eapol_sm->radius_cui); + sta->eapol_sm->radius_cui = NULL; + } + + if (!radius_cui) + return; + + /* sta->radius_cui is NULL terminated */ + sta->radius_cui = os_zalloc(radius_cui_len + 1); + if (sta->radius_cui) + os_memcpy(sta->radius_cui, radius_cui, radius_cui_len); + + if (sta->eapol_sm) + sta->eapol_sm->radius_cui = wpabuf_alloc_copy(radius_cui, + radius_cui_len); +} + + static void hostapd_rrb_receive(void *ctx, const u8 *src_addr, const u8 *buf, size_t len) { @@ -961,6 +1101,10 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) .add_tspec = hostapd_wpa_auth_add_tspec, .set_vlan = hostapd_wpa_auth_set_vlan, .get_vlan = hostapd_wpa_auth_get_vlan, + .get_identity = hostapd_wpa_auth_get_identity, + .get_radius_cui = hostapd_wpa_auth_get_radius_cui, + .set_identity = hostapd_wpa_auth_set_identity, + .set_radius_cui = hostapd_wpa_auth_set_radius_cui, #endif /* CONFIG_IEEE80211R_AP */ }; const u8 *wpa_ie;