From: Michael Braun <michael-dev@xxxxxxxxxxxxx> This patch 1. adds tagged vlan to struct vlan_description (compile limited number of tagged vlans per description) For k tagged vlans, the first k entries in vlan_description.tagged are used. They are sorted in ascending order. All other entries are zero. This way os_memcmp can find identical configurations. 2. lets tagged VLANs be parsed from RADIUS Access-Accept 3. prints VLAN %d+ with %d=untagged VID if tagged VLANs are set 4. Selects an unused vlan_id > 4096 for new tagged vlan configurations 5. adds EGRESS_VLAN RADIUS attribute parsing also for untagged vlans Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx> -- v2: squash EGRESS_VLAN for RADIUS request dumper patch v2: rework to make per_sta_vif based on top of this Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx> --- src/ap/ap_config.c | 9 +++++++- src/ap/ieee802_11.c | 5 +++-- src/ap/ieee802_11_auth.c | 15 +++++++++---- src/ap/ieee802_1x.c | 15 +++++++++---- src/ap/sta_info.c | 40 +++++++++++++++++++++++++++------ src/ap/vlan.h | 3 +++ src/ap/wpa_auth_ie.c | 9 ++++---- src/radius/radius.c | 57 +++++++++++++++++++++++++++++++++++++++++++----- src/radius/radius.h | 4 +++- 9 files changed, 129 insertions(+), 28 deletions(-) diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index d67096e..f4eadf3 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -673,10 +673,17 @@ int hostapd_vlan_valid(struct hostapd_vlan *vlan, struct vlan_description *vlan_desc) { struct hostapd_vlan *v = vlan; + int i; - if (!vlan_desc->notempty || vlan_desc->untagged <= 0 || + if (!vlan_desc->notempty || vlan_desc->untagged < 0 || vlan_desc->untagged > MAX_VLAN_ID) return 0; + for (i = 0; i < MAX_NUM_TAGGED_VLAN; i++) + if (vlan_desc->tagged[i] < 0 || + vlan_desc->tagged[i] > MAX_VLAN_ID) + return 0; + if (!vlan_desc->untagged && !vlan_desc->tagged[0]) + return 0; while (v) { if (!vlan_compare(&v->vlan_desc, vlan_desc) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index be99dda..cba995a 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -1101,8 +1101,9 @@ static void handle_auth(struct hostapd_data *hapd, if (!hostapd_vlan_valid(hapd->conf->vlan, &vlan_id)) { hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_INFO, "Invalid VLAN " - "%d received from RADIUS server", - vlan_id.untagged); + "%d%s received from RADIUS server", + vlan_id.untagged, + vlan_id.tagged[0] ? "+" : ""); resp = WLAN_STATUS_UNSPECIFIED_FAILURE; goto fail; } diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index ffa75a4..bd86607 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -499,6 +499,7 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, struct hostapd_acl_query_data *query, *prev; struct hostapd_cached_radius_acl *cache; struct radius_hdr *hdr = radius_msg_get_hdr(msg); + int *untagged, *tagged, *notempty; query = hapd->acl_queries; prev = NULL; @@ -556,8 +557,12 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, cache->acct_interim_interval = 0; } - cache->vlan_id.untagged = radius_msg_get_vlanid(msg); - cache->vlan_id.notempty = !!cache->vlan_id.untagged; + notempty = &cache->vlan_id.notempty; + untagged = &cache->vlan_id.untagged; + tagged = cache->vlan_id.tagged; + *notempty = !!radius_msg_get_vlanid(msg, untagged, + MAX_NUM_TAGGED_VLAN, + tagged); decode_tunnel_passwords(hapd, shared_secret, shared_secret_len, msg, req, cache); @@ -585,8 +590,10 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, hostapd_logger(hapd, query->addr, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_INFO, - "Invalid VLAN %d received from RADIUS server", - cache->vlan_id.untagged); + "Invalid VLAN %d%s received from " + "RADIUS server", + cache->vlan_id.untagged, + cache->vlan_id.tagged[0] ? "+" : ""); os_memset(&cache->vlan_id, 0, sizeof(cache->vlan_id)); } if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED && diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 6c79147..01e27eb 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -1606,6 +1606,7 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, int override_eapReq = 0; struct radius_hdr *hdr = radius_msg_get_hdr(msg); struct vlan_description vlan_desc; + int *untagged, *tagged, *notempty; os_memset(&vlan_desc, 0, sizeof(vlan_desc)); @@ -1673,8 +1674,12 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, case RADIUS_CODE_ACCESS_ACCEPT: #ifndef CONFIG_NO_VLAN if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED) { - vlan_desc.untagged = radius_msg_get_vlanid(msg); - vlan_desc.notempty = !!vlan_desc.untagged; + notempty = &vlan_desc.notempty; + untagged = &vlan_desc.untagged; + tagged = vlan_desc.tagged; + *notempty = !!radius_msg_get_vlanid(msg, untagged, + MAX_NUM_TAGGED_VLAN, + tagged); } if (vlan_desc.notempty && @@ -1683,8 +1688,10 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_INFO, - "Invalid VLAN %d received from RADIUS server", - vlan_desc.untagged); + "Invalid VLAN %d%s received from " + "RADIUS server", + vlan_desc.untagged, + vlan_desc.tagged[0] ? "+" : ""); os_memset(&vlan_desc, 0, sizeof(vlan_desc)); ap_sta_set_vlan(hapd, sta, &vlan_desc); break; diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c index 23963b7..a41ce4b 100644 --- a/src/ap/sta_info.c +++ b/src/ap/sta_info.c @@ -793,6 +793,23 @@ int ap_sta_wps_cancel(struct hostapd_data *hapd, #endif /* CONFIG_WPS */ +static int ap_sta_get_free_vlan_id(struct hostapd_data *hapd) +{ + struct hostapd_vlan *vlan = NULL; + int vlan_id = MAX_VLAN_ID + 2; +retry: + vlan = hapd->conf->vlan; + while (vlan) { + if (vlan->vlan_id == vlan_id) + break; + vlan = vlan->next; + } + if (!vlan) + return vlan_id; + vlan_id++; + goto retry; +} + int ap_sta_set_vlan(struct hostapd_data *hapd, struct sta_info *sta, struct vlan_description *vlan_desc) { @@ -801,10 +818,13 @@ int ap_sta_set_vlan(struct hostapd_data *hapd, struct sta_info *sta, if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_DISABLED) vlan_desc = NULL; - else if (vlan_desc && vlan_desc->notempty) { - if (!vlan_compare(vlan_desc, sta->vlan_desc)) - return 0; /* nothing to change */ + /* check if there is something to do */ + if (!vlan_compare(vlan_desc, sta->vlan_desc)) + return 0; /* nothing to change */ + + /* now the real vlan changed or the sta just needs its own vif */ + if (vlan_desc->notempty) { vlan = hapd->conf->vlan; while (vlan) { if (!vlan_compare(&vlan->vlan_desc, vlan_desc)) @@ -818,12 +838,16 @@ int ap_sta_set_vlan(struct hostapd_data *hapd, struct sta_info *sta, else if (wildcard_vlan) { vlan = wildcard_vlan; vlan_id = vlan_desc->untagged; + if (vlan_desc->tagged[0]) + /* tagged vlan configuration */ + vlan_id = ap_sta_get_free_vlan_id(hapd); } else { hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_DEBUG, "missing vlan and " - "wildcard for vlan=%d", - vlan_desc->untagged); + "wildcard for vlan=%d%s", + vlan_desc->untagged, + vlan_desc->tagged[0] ? "+" : ""); vlan_id = 0; ret = -1; goto done; @@ -836,8 +860,10 @@ int ap_sta_set_vlan(struct hostapd_data *hapd, struct sta_info *sta, hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_DEBUG, "could not add " - "dynamic VLAN interface for vlan=%d", - vlan_desc->untagged); + "dynamic VLAN interface for " + "vlan=%d%s", + vlan_desc->untagged, + vlan_desc->tagged[0] ? "+" : ""); vlan_id = 0; ret = -1; goto done; diff --git a/src/ap/vlan.h b/src/ap/vlan.h index f0e1901..d1b30ed 100644 --- a/src/ap/vlan.h +++ b/src/ap/vlan.h @@ -9,9 +9,12 @@ #ifndef VLAN_H #define VLAN_H +#define MAX_NUM_TAGGED_VLAN 32 + struct vlan_description { int notempty; /* 0 : no vlan information present, 1: else */ int untagged; /* >0 802.1q vid */ + int tagged[MAX_NUM_TAGGED_VLAN]; /* first k items, ascending order */ }; #ifndef CONFIG_NO_VLAN diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c index 5a9b9bd..2828abe 100644 --- a/src/ap/wpa_auth_ie.c +++ b/src/ap/wpa_auth_ie.c @@ -481,7 +481,7 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, u32 selector; size_t i; const u8 *pmkid = NULL; - struct vlan_description *vlan_desc; + struct vlan_description *vlan; if (wpa_auth == NULL || sm == NULL) return WPA_NOT_ENABLED; @@ -713,12 +713,13 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, } } if (sm->pmksa && pmkid) { - vlan_desc = sm->pmksa->vlan_desc; + vlan = sm->pmksa->vlan_desc; wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_DEBUG, "PMKID found from PMKSA cache " - "eap_type=%d vlan=%d", + "eap_type=%d vlan=%d%s", sm->pmksa->eap_type_authsrv, - vlan_desc ? vlan_desc->untagged : 0); + vlan ? vlan->untagged : 0, + (vlan && vlan->tagged[0]) ? "+" : ""); os_memcpy(wpa_auth->dot11RSNAPMKIDUsed, pmkid, PMKID_LEN); } diff --git a/src/radius/radius.c b/src/radius/radius.c index 266b29f..5dcfbb5 100644 --- a/src/radius/radius.c +++ b/src/radius/radius.c @@ -256,6 +256,8 @@ static const struct radius_attr_type radius_attrs[] = RADIUS_ATTR_HEXDUMP }, { RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, "WLAN-Group-Mgmt-Pairwise-Cipher", RADIUS_ATTR_HEXDUMP }, + { RADIUS_ATTR_EGRESS_VLANID, "EGRESS-VLANID", + RADIUS_ATTR_HEXDUMP }, }; #define RADIUS_ATTRS ARRAY_SIZE(radius_attrs) @@ -1422,13 +1424,29 @@ struct radius_tunnel_attrs { int vlanid; }; +static int cmp_int(const void *a, const void *b) +{ + int x, y; + + x = *((int *) a); + y = *((int *) b); + return (x - y); +} /** * radius_msg_get_vlanid - Parse RADIUS attributes for VLAN tunnel information + * The k tagged vlans found are sorted by vlan_id and stored in the first k + * items of tagged. + * * @msg: RADIUS message - * Returns: VLAN ID for the first tunnel configuration or 0 if none is found + * @param untagged: pointer to store untagged vid + * @param numtagged: size of tagged + * @param tagged: pointer to store tagged list + * + * Returns: 0 if neither tagged nor untagged configuration is found, 1 else */ -int radius_msg_get_vlanid(struct radius_msg *msg) +int radius_msg_get_vlanid(struct radius_msg *msg, int *untagged, int numtagged, + int *tagged) { struct radius_tunnel_attrs tunnel[RADIUS_TUNNEL_TAGS], *tun; size_t i; @@ -1436,8 +1454,12 @@ int radius_msg_get_vlanid(struct radius_msg *msg) const u8 *data; char buf[10]; size_t dlen; + int taggedidx = 0, vlan_id; os_memset(&tunnel, 0, sizeof(tunnel)); + for (i = 0; i < numtagged; i++) + tagged[i] = 0; + *untagged = 0; for (i = 0; i < msg->attr_used; i++) { attr = radius_get_attr_hdr(msg, i); @@ -1474,21 +1496,46 @@ int radius_msg_get_vlanid(struct radius_msg *msg) break; os_memcpy(buf, data, dlen); buf[dlen] = '\0'; + vlan_id = atoi(buf); + if (vlan_id <= 0) + break; tun->tag_used++; - tun->vlanid = atoi(buf); + tun->vlanid = vlan_id; + break; + case RADIUS_ATTR_EGRESS_VLANID: /* RFC 4675 */ + if (attr->length != 6) + break; + vlan_id = WPA_GET_BE24(data + 1); + if (vlan_id <= 0) + break; + if (data[0] == 0x32) + *untagged = vlan_id; + else if (data[0] == 0x31 && tagged && + taggedidx < numtagged) + tagged[taggedidx++] = vlan_id; break; } } + /* use tunnel with lowest tag for untagged vlan id */ for (i = 0; i < RADIUS_TUNNEL_TAGS; i++) { tun = &tunnel[i]; if (tun->tag_used && tun->type == RADIUS_TUNNEL_TYPE_VLAN && tun->medium_type == RADIUS_TUNNEL_MEDIUM_TYPE_802 && - tun->vlanid > 0) - return tun->vlanid; + tun->vlanid > 0) { + *untagged = tun->vlanid; + break; + } } + if (taggedidx) + qsort(tagged, taggedidx, sizeof(int), cmp_int); + + if (*untagged > 0) + return 1; + if (taggedidx) + return 1; return 0; } diff --git a/src/radius/radius.h b/src/radius/radius.h index f14de53..c841c89 100644 --- a/src/radius/radius.h +++ b/src/radius/radius.h @@ -80,6 +80,7 @@ enum { RADIUS_ATTR_USER_NAME = 1, RADIUS_ATTR_ACCT_INPUT_GIGAWORDS = 52, RADIUS_ATTR_ACCT_OUTPUT_GIGAWORDS = 53, RADIUS_ATTR_EVENT_TIMESTAMP = 55, + RADIUS_ATTR_EGRESS_VLANID = 56, RADIUS_ATTR_NAS_PORT_TYPE = 61, RADIUS_ATTR_TUNNEL_TYPE = 64, RADIUS_ATTR_TUNNEL_MEDIUM_TYPE = 65, @@ -275,7 +276,8 @@ radius_msg_add_attr_user_password(struct radius_msg *msg, const u8 *data, size_t data_len, const u8 *secret, size_t secret_len); int radius_msg_get_attr(struct radius_msg *msg, u8 type, u8 *buf, size_t len); -int radius_msg_get_vlanid(struct radius_msg *msg); +int radius_msg_get_vlanid(struct radius_msg *msg, int *untagged, int numtagged, + int *tagged); char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen, const u8 *secret, size_t secret_len, struct radius_msg *sent_msg, size_t n); -- 2.1.4 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap