[PATCH 37/44] FT: add session_timeout to push/resp

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Michael Braun <michael-dev@xxxxxxxxxxxxx>

This ensures a session timeout configured on R0 either using RADIUS-based
ACL or 802.1X authentication is copied over to the new R1.

As the session can be moved at any time, a timestamp needs to be kept so
the remaining session time can be computed by R0 when requested.

Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx>
---
 src/ap/ieee802_11.c    |   9 ++-
 src/ap/ieee802_1x.c    |  16 +++--
 src/ap/sta_info.h      |   3 +-
 src/ap/wpa_auth.h      |   9 ++-
 src/ap/wpa_auth_ft.c   | 163 ++++++++++++++++++++++++++++++++++++++-----------
 src/ap/wpa_auth_glue.c |  49 +++++++++++++++
 6 files changed, 204 insertions(+), 45 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 0486923..2bbbf99 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -970,10 +970,15 @@ int handle_auth_cfg_sta(struct hostapd_data *hapd, struct sta_info *sta,
 	    info->acct_interim_interval)
 		sta->acct_interim_interval = info->acct_interim_interval;
 
-	if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT)
+	if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
+		sta->session_timeout_set = 1;
+		os_get_reltime(&sta->session_timeout);
+		sta->session_timeout.sec += info->session_timeout;
 		ap_sta_session_timeout(hapd, sta, info->session_timeout);
-	else
+	} else {
+		sta->session_timeout_set = 0;
 		ap_sta_no_session_timeout(hapd, sta);
+	}
 
 	return 0;
 }
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index c774d5c..f28ada8 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1751,14 +1751,17 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
 			break;
 
 		sta->session_timeout_set = !!session_timeout_set;
-		sta->session_timeout = session_timeout;
+		os_get_reltime(&sta->session_timeout);
+		sta->session_timeout.sec += session_timeout;
 
 		/* RFC 3580, Ch. 3.17 */
 		if (session_timeout_set && termination_action ==
 		    RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
 			sm->reAuthPeriod = session_timeout;
-		} else if (session_timeout_set)
+		} else if (session_timeout_set) {
 			ap_sta_session_timeout(hapd, sta, session_timeout);
+		} else
+			ap_sta_no_session_timeout(hapd, sta);
 
 		sm->eap_if->aaaSuccess = TRUE;
 		override_eapReq = 1;
@@ -2618,6 +2621,7 @@ static void ieee802_1x_finished(struct hostapd_data *hapd,
 	/* TODO: get PMKLifetime from WPA parameters */
 	static const int dot11RSNAConfigPMKLifetime = 43200;
 	unsigned int session_timeout;
+	struct os_reltime now, remaining;
 
 #ifdef CONFIG_HS20
 	if (remediation && !sta->remediation) {
@@ -2638,9 +2642,11 @@ static void ieee802_1x_finished(struct hostapd_data *hapd,
 #endif /* CONFIG_HS20 */
 
 	key = ieee802_1x_get_key(sta->eapol_sm, &len);
-	if (sta->session_timeout_set)
-		session_timeout = sta->session_timeout;
-	else
+	if (sta->session_timeout_set) {
+		os_get_reltime(&now);
+		os_reltime_sub(&sta->session_timeout, &now, &remaining);
+		session_timeout = (remaining.sec > 0) ? remaining.sec : 1;
+	} else
 		session_timeout = dot11RSNAConfigPMKLifetime;
 	if (success && key && len >= PMK_LEN && !sta->remediation &&
 	    !sta->hs20_deauth_requested &&
diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h
index abb207c..8437b84 100644
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -178,7 +178,8 @@ struct sta_info {
 	struct sae_data *sae;
 #endif /* CONFIG_SAE */
 
-	u32 session_timeout; /* valid only if session_timeout_set == 1 */
+	/* valid only if session_timeout_set == 1 */
+	struct os_reltime session_timeout;
 
 	/* Last Authentication/(Re)Association Request/Action frame sequence
 	 * control */
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 3b27760..63178c9 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -82,7 +82,7 @@ struct ft_r0kh_r1kh_pull_frame {
 				    FT_R1KH_ID_LEN + ETH_ALEN + PMK_LEN + \
 				    WPA_PMK_NAME_LEN + 2 + 2 + \
 				    FT_VLAN_DATA_LEN + 1 + FT_IDENTITY_LEN + \
-				    1 + FT_RADIUS_CUI_LEN)
+				    1 + FT_RADIUS_CUI_LEN + 4)
 #define FT_R0KH_R1KH_RESP_PAD_LEN (8 - FT_R0KH_R1KH_RESP_DATA_LEN % 8)
 struct ft_r0kh_r1kh_resp_frame {
 	u8 frame_type; /* RSN_REMOTE_FRAME_TYPE_FT_RRB */
@@ -102,6 +102,7 @@ struct ft_r0kh_r1kh_resp_frame {
 	u8 identity[FT_IDENTITY_LEN];
 	u8 radius_cui_len;
 	u8 radius_cui[FT_RADIUS_CUI_LEN];
+	le32 session_timeout;
 	u8 pad[FT_R0KH_R1KH_RESP_PAD_LEN]; /* 8-octet boundary for AES block */
 	u8 key_wrap_extra[8];
 } STRUCT_PACKED;
@@ -110,7 +111,7 @@ struct ft_r0kh_r1kh_resp_frame {
 				    WPA_PMK_NAME_LEN + PMK_LEN + \
 				    WPA_PMK_NAME_LEN + 2 + 2 + \
 				    FT_VLAN_DATA_LEN + 1 + FT_IDENTITY_LEN + \
-				    1 + FT_RADIUS_CUI_LEN)
+				    1 + FT_RADIUS_CUI_LEN + 4)
 #define FT_R0KH_R1KH_PUSH_PAD_LEN (8 - FT_R0KH_R1KH_PUSH_DATA_LEN % 8)
 struct ft_r0kh_r1kh_push_frame {
 	u8 frame_type; /* RSN_REMOTE_FRAME_TYPE_FT_RRB */
@@ -133,6 +134,7 @@ struct ft_r0kh_r1kh_push_frame {
 	u8 identity[FT_IDENTITY_LEN];
 	u8 radius_cui_len;
 	u8 radius_cui[FT_RADIUS_CUI_LEN];
+	le32 session_timeout;
 	u8 pad[FT_R0KH_R1KH_PUSH_PAD_LEN]; /* 8-octet boundary for AES block */
 	u8 key_wrap_extra[8];
 } STRUCT_PACKED;
@@ -270,10 +272,13 @@ struct wpa_auth_callbacks {
 			       size_t buflen);
 	size_t (*get_radius_cui)(void *ctx, const u8 *sta_addr, u8 *buf,
 				 size_t buflen);
+	int (*get_session_timeout)(void *ctx, const u8 *sta_addr);
 	void (*set_identity)(void *ctx, const u8 *sta_addr, u8 *identity,
 			     size_t identity_len);
 	void (*set_radius_cui)(void *ctx, const u8 *sta_addr, u8 *radius_cui,
 			       size_t radius_cui_len);
+	void (*set_session_timeout)(void *ctx, const u8 *sta_addr,
+				    int session_timeout);
 
 	int (*send_ft_action)(void *ctx, const u8 *dst,
 			      const u8 *data, size_t data_len);
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 2f68d45..beeeca7 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -103,6 +103,16 @@ wpa_ft_get_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
 }
 
 
+static int
+wpa_ft_get_session_timeout(struct wpa_authenticator *wpa_auth,
+			    const u8 *sta_addr)
+{
+	if (wpa_auth->cb.get_session_timeout == NULL)
+		return 0;
+	return wpa_auth->cb.get_session_timeout(wpa_auth->cb.ctx, sta_addr);
+}
+
+
 static size_t
 wpa_ft_get_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
 		     u8 *buf, size_t buflen)
@@ -126,6 +136,17 @@ wpa_ft_get_radius_cui(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
 
 
 static void
+wpa_ft_set_session_timeout(struct wpa_authenticator *wpa_auth,
+			    const u8 *sta_addr, int session_timeout)
+{
+	if (wpa_auth->cb.set_session_timeout == NULL)
+		return;
+	wpa_auth->cb.set_session_timeout(wpa_auth->cb.ctx, sta_addr,
+					 session_timeout);
+}
+
+
+static void
 wpa_ft_set_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
 		    u8 *identity, size_t identity_len)
 {
@@ -241,7 +262,8 @@ struct wpa_ft_pmk_r0_sa {
 	u8 identity_len;
 	u8 radius_cui[FT_RADIUS_CUI_LEN];
 	u8 radius_cui_len;
-	/* TODO: radius_class, EAP type, expiration from EAPOL */
+	os_time_t session_timeout; /* 0 for no expiration */
+	/* TODO: radius_class, EAP type */
 	int pmk_r1_pushed;
 };
 
@@ -256,7 +278,8 @@ struct wpa_ft_pmk_r1_sa {
 	u8 identity_len;
 	u8 radius_cui[FT_RADIUS_CUI_LEN];
 	u8 radius_cui_len;
-	/* TODO: expiration from EAPOL, radius_class, EAP type */
+	os_time_t session_timeout; /* 0 for no expiration */
+	/* TODO: radius_class, EAP type */
 };
 
 struct wpa_ft_pmk_cache {
@@ -288,6 +311,7 @@ static void wpa_ft_expire_pmk_r0(void *eloop_ctx, void *timeout_ctx)
 	struct wpa_ft_pmk_r0_sa *r0 = eloop_ctx;
 	struct os_reltime now;
 	int expiresIn;
+	int session_timeout;
 
 	os_get_reltime(&now);
 
@@ -295,13 +319,23 @@ static void wpa_ft_expire_pmk_r0(void *eloop_ctx, void *timeout_ctx)
 		return;
 
 	expiresIn = r0->expiration - now.sec;
-	if (expiresIn > 0) {
+	session_timeout = r0->session_timeout - now.sec;
+	/* conditions to remove from cache:
+	 * a) r0->expiration is set and hit
+	 * -or-
+	 * b) r0->session_timeout is set and hit
+	 */
+	if ((!r0->expiration || expiresIn > 0) &&
+	    (!r0->session_timeout || session_timeout > 0)) {
 		wpa_printf(MSG_ERROR, "FT: wpa_ft_expire_pmk_r0 called for "
-				      "non-expired entry %p, delete in %ds",
-				      r0, expiresIn);
+				      "non-expired entry %p", r0);
 		eloop_cancel_timeout(wpa_ft_expire_pmk_r0, r0, NULL);
-		eloop_register_timeout(expiresIn + 1, 0,
-				       wpa_ft_expire_pmk_r0, r0, NULL);
+		if (r0->expiration && expiresIn > 0)
+			eloop_register_timeout(expiresIn + 1, 0,
+					       wpa_ft_expire_pmk_r0, r0, NULL);
+		if (r0->session_timeout && session_timeout > 0)
+			eloop_register_timeout(session_timeout + 1, 0,
+					       wpa_ft_expire_pmk_r0, r0, NULL);
 		return;
 	}
 
@@ -365,7 +399,7 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
 			       const u8 *spa, const u8 *pmk_r0,
 			       const u8 *pmk_r0_name, int pairwise,
 			       const struct ft_vlan vlan,
-			       const int expiresIn,
+			       const int expiresIn, const int session_timeout,
 			       const u8 *identity, u8 identity_len,
 			       const u8 *radius_cui, u8 radius_cui_len)
 {
@@ -395,12 +429,17 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
 		os_memcpy(r0->radius_cui, radius_cui, radius_cui_len);
 		r0->radius_cui_len = radius_cui_len;
 	}
+	if (session_timeout > 0)
+		r0->session_timeout = now.sec + session_timeout;
 
 	dl_list_add(&cache->pmk_r0, &r0->list);
 
 	if (expiresIn > 0)
 		eloop_register_timeout(expiresIn + 1, 0,
 				       wpa_ft_expire_pmk_r0, r0, NULL);
+	if (session_timeout > 0)
+		eloop_register_timeout(session_timeout + 1, 0,
+				       wpa_ft_expire_pmk_r0, r0, NULL);
 
 	return 0;
 }
@@ -414,8 +453,9 @@ static int wpa_ft_fetch_pmk_r0(struct wpa_authenticator *wpa_auth,
 			       const u8 *spa, const u8 *pmk_r0_name,
 			       u8 *pmk_r0, int *pairwise,
 			       struct ft_vlan *vlan, int *expiresIn,
-			       u8 *identity, u8 *identity_len,
-			       u8 *radius_cui, u8 *radius_cui_len)
+			       int *session_timeout, u8 *identity,
+			       u8 *identity_len, u8 *radius_cui,
+			       u8 *radius_cui_len)
 {
 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
 	struct wpa_ft_pmk_r0_sa *r0;
@@ -447,6 +487,13 @@ static int wpa_ft_fetch_pmk_r0(struct wpa_authenticator *wpa_auth,
 					  r0->radius_cui_len);
 				*radius_cui_len = r0->radius_cui_len;
 			}
+			if (session_timeout && r0->session_timeout > now.sec)
+				*session_timeout = r0->session_timeout -
+						   now.sec;
+			else if (session_timeout && r0->session_timeout)
+				*session_timeout = 1;
+			else
+				*session_timeout = 0;
 
 			return 0;
 		}
@@ -460,14 +507,16 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
 			       const u8 *spa, const u8 *pmk_r1,
 			       const u8 *pmk_r1_name, int pairwise,
 			       const struct ft_vlan vlan,
-			       int expiresIn,
+			       int expiresIn, const int session_timeout,
 			       const u8 *identity, u8 identity_len,
 			       const u8 *radius_cui, u8 radius_cui_len)
 {
 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
 	struct wpa_ft_pmk_r1_sa *r1;
+	struct os_reltime now;
 
 	/* TODO: add expiration and limit on number of entries in cache */
+	os_get_reltime(&now);
 
 	r1 = os_zalloc(sizeof(*r1));
 	if (r1 == NULL)
@@ -486,12 +535,17 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
 		os_memcpy(r1->radius_cui, radius_cui, radius_cui_len);
 		r1->radius_cui_len = radius_cui_len;
 	}
+	if (session_timeout > 0)
+		r1->session_timeout = now.sec + session_timeout;
 
 	dl_list_add(&cache->pmk_r1, &r1->list);
 
 	if (expiresIn > 0)
 		eloop_register_timeout(expiresIn + 1, 0,
 				       wpa_ft_expire_pmk_r1, r1, NULL);
+	if (session_timeout > 0)
+		eloop_register_timeout(session_timeout + 1, 0,
+				       wpa_ft_expire_pmk_r1, r1, NULL);
 
 	return 0;
 }
@@ -500,12 +554,15 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
 static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
 			       const u8 *spa, const u8 *pmk_r1_name,
 			       u8 *pmk_r1, int *pairwise,
-			       struct ft_vlan *vlan,
+			       struct ft_vlan *vlan, int *session_timeout,
 			       u8 *identity, u8 *identity_len,
 			       u8 *radius_cui, u8 *radius_cui_len)
 {
 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
 	struct wpa_ft_pmk_r1_sa *r1;
+	struct os_reltime now;
+
+	os_get_reltime(&now);
 
 	dl_list_for_each(r1, &cache->pmk_r1, struct wpa_ft_pmk_r1_sa, list) {
 		if (os_memcmp(r1->spa, spa, ETH_ALEN) == 0 &&
@@ -526,6 +583,13 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
 					  r1->radius_cui_len);
 				*radius_cui_len = r1->radius_cui_len;
 			}
+			if (session_timeout && r1->session_timeout > now.sec)
+				*session_timeout = r1->session_timeout -
+						   now.sec;
+			else if (session_timeout && r1->session_timeout)
+				*session_timeout = 1;
+			else
+				*session_timeout = 0;
 			return 0;
 		}
 	}
@@ -778,6 +842,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
 	struct ft_vlan vlan;
 	u8 identity[FT_IDENTITY_LEN], radius_cui[FT_RADIUS_CUI_LEN];
 	int identity_len, radius_cui_len;
+	int session_timeout;
 
 	if (sm->xxkey_len == 0) {
 		wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
@@ -794,6 +859,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
 					   sizeof(identity));
 	radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
 					       radius_cui, sizeof(radius_cui));
+	session_timeout = wpa_ft_get_session_timeout(sm->wpa_auth, sm->addr);
 
 	wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid,
 			  r0kh, r0kh_len, sm->addr, pmk_r0, pmk_r0_name);
@@ -802,8 +868,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
 	if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
 		wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0,
 				    pmk_r0_name, sm->pairwise, vlan, expiresIn,
-				    identity, identity_len, radius_cui,
-				    radius_cui_len);
+				    session_timeout, identity, identity_len,
+				    radius_cui, radius_cui_len);
 
 	wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr,
 			  pmk_r1, sm->pmk_r1_name);
@@ -813,8 +879,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
 	if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
 		wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1,
 				    sm->pmk_r1_name, sm->pairwise, vlan,
-				    expiresIn, identity, identity_len,
-				    radius_cui, radius_cui_len);
+				    expiresIn, session_timeout, identity,
+				    identity_len, radius_cui, radius_cui_len);
 
 	return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr,
 				 sm->wpa_auth->addr, sm->pmk_r1_name,
@@ -1223,7 +1289,7 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
 			     u8 *out_pmk_r1, int *out_pairwise,
 			     struct ft_vlan *out_vlan, u8 *out_identity,
 			     u8 *out_identity_len, u8 *out_radius_cui,
-			     u8 *out_radius_cui_len)
+			     u8 *out_radius_cui_len, int *out_session_timeout)
 {
 	const u8 *pmk = NULL;
 	u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
@@ -1237,6 +1303,7 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
 	size_t ssid_len = wpa_auth->conf.ssid_len;
 	int pairwise;
 	u8 len;
+	int timeout;
 
 	pairwise = sm->pairwise;
 
@@ -1279,6 +1346,11 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
 						    FT_RADIUS_CUI_LEN);
 			*out_radius_cui_len = len;
 		}
+		if (out_session_timeout) {
+			timeout = wpa_ft_get_session_timeout(sm->wpa_auth,
+							     sm->addr);
+			*out_session_timeout = timeout;
+		}
 		return 0;
 	}
 
@@ -1339,7 +1411,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
 	size_t buflen;
 	int ret;
 	u8 *pos, *end;
-	int pairwise;
+	int pairwise, session_timeout;
 	struct ft_vlan vlan;
 	u8 identity[FT_IDENTITY_LEN], radius_cui[FT_RADIUS_CUI_LEN];
 	u8 identity_len = 0, radius_cui_len = 0;
@@ -1405,12 +1477,13 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
 	    wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
 		if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise,
 				      &vlan, identity, &identity_len,
-				      radius_cui, &radius_cui_len) < 0)
+				      radius_cui, &radius_cui_len,
+				      &session_timeout) < 0)
 			return WLAN_STATUS_INVALID_PMKID;
 	} else
 	if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name, pmk_r1,
-		    &pairwise, &vlan, identity, &identity_len, radius_cui,
-		    &radius_cui_len) < 0) {
+		    &pairwise, &vlan, &session_timeout, identity, &identity_len,
+		    radius_cui, &radius_cui_len) < 0) {
 		if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) {
 			wpa_printf(MSG_DEBUG, "FT: Did not have matching "
 				   "PMK-R1 and unknown R0KH-ID");
@@ -1458,6 +1531,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
 	wpa_ft_set_identity(sm->wpa_auth, sm->addr, identity, identity_len);
 	wpa_ft_set_radius_cui(sm->wpa_auth, sm->addr, radius_cui,
 			      radius_cui_len);
+	wpa_ft_set_session_timeout(sm->wpa_auth, sm->addr, session_timeout);
 
 	buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
 		2 + FT_R1KH_ID_LEN + 200;
@@ -1921,8 +1995,7 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
 	struct ft_remote_r1kh *r1kh, *r1kh_wildcard = NULL;
 	struct ft_r0kh_r1kh_resp_frame resp, r;
 	u8 pmk_r0[PMK_LEN];
-	int pairwise;
-	int expiresIn;
+	int pairwise, expiresIn, session_timeout;
 
 	wpa_printf(MSG_DEBUG, "FT: Received PMK-R1 pull");
 
@@ -1993,7 +2066,7 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
 	os_memcpy(r.s1kh_id, f.s1kh_id, ETH_ALEN);
 	if (wpa_ft_fetch_pmk_r0(wpa_auth, f.s1kh_id, f.pmk_r0_name, pmk_r0,
 				&pairwise, &r.vlan, &expiresIn,
-				r.identity, &r.identity_len,
+				&session_timeout, r.identity, &r.identity_len,
 				r.radius_cui, &r.radius_cui_len) < 0) {
 		wpa_printf(MSG_DEBUG, "FT: No matching PMKR0Name found for "
 			   "PMK-R1 pull");
@@ -2011,8 +2084,11 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
 		wpa_printf(MSG_DEBUG, "FT: PMK-R1 - vlan %d%s",
 			   le_to_host16(r.vlan.untagged),
 			   r.vlan.tagged[0] ? "+" : "");
+		wpa_printf(MSG_DEBUG, "FT: PMK-R1 - session_timeout %d",
+			   session_timeout);
 		r.pairwise = host_to_le16(pairwise);
 		r.expiresIn = host_to_le16(expiresIn);
+		r.session_timeout = host_to_le32(session_timeout);
 	}
 	os_memset(r.pad, 0, sizeof(r.pad));
 
@@ -2111,8 +2187,7 @@ static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth,
 	const u8 *crypt;
 	u8 *plain;
 	struct ft_remote_r0kh *r0kh, *r0kh_wildcard = NULL;
-	int pairwise, res;
-	int expiresIn;
+	int pairwise, res, expiresIn, session_timeout;
 	struct ft_pull_resp_cb_ctx ctx;
 	int maxExpiresIn = wpa_auth->conf.r0_key_lifetime * 60;
 
@@ -2172,6 +2247,7 @@ static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth,
 			   MAC2STR(f.r1kh_id), MAC2STR(f.s1kh_id));
 	} else {
 		expiresIn = le_to_host16(f.expiresIn);
+		session_timeout = le_to_host32(f.session_timeout);
 		wpa_hexdump(MSG_DEBUG, "FT: PMK-R1 pull - nonce",
 			    f.nonce, sizeof(f.nonce));
 		wpa_printf(MSG_DEBUG, "FT: PMK-R1 pull - R1KH-ID=" MACSTR
@@ -2184,6 +2260,8 @@ static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth,
 				f.pmk_r1_name, WPA_PMK_NAME_LEN);
 		wpa_hexdump(MSG_DEBUG, "FT: PMK-R1 pull - Identity",
 				f.identity, f.identity_len);
+		wpa_printf(MSG_DEBUG, "FT: PMK-R1 pull - session_timeout %d",
+				session_timeout);
 		wpa_hexdump(MSG_DEBUG, "FT: PMK-R1 pull - Cui",
 				f.radius_cui, f.radius_cui_len);
 		wpa_printf(MSG_DEBUG, "FT: PMK-R1 pull - vlan %d%s",
@@ -2194,7 +2272,7 @@ static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth,
 			expiresIn = maxExpiresIn;
 		res = wpa_ft_store_pmk_r1(wpa_auth, f.s1kh_id, f.pmk_r1,
 					  f.pmk_r1_name, pairwise, f.vlan,
-					  expiresIn,
+					  expiresIn, session_timeout,
 					  f.identity, f.identity_len,
 					  f.radius_cui, f.radius_cui_len);
 	}
@@ -2222,8 +2300,7 @@ static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth,
 	struct ft_remote_r0kh *r0kh, *r0kh_wildcard = NULL;
 	struct os_time now;
 	os_time_t tsend;
-	int pairwise;
-	int expiresIn;
+	int pairwise, expiresIn, session_timeout;
 	int maxExpiresIn = wpa_auth->conf.r0_key_lifetime * 60;
 
 	wpa_printf(MSG_DEBUG, "FT: Received PMK-R1 push");
@@ -2287,6 +2364,7 @@ static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth,
 
 	pairwise = le_to_host16(f.pairwise);
 	expiresIn = le_to_host16(f.expiresIn);
+	session_timeout = le_to_host16(f.session_timeout);
 	wpa_printf(MSG_DEBUG, "FT: PMK-R1 push - R1KH-ID=" MACSTR " S1KH-ID="
 		   MACSTR " pairwise=0x%x expiresIn=%d",
 		   MAC2STR(f.r1kh_id), MAC2STR(f.s1kh_id), pairwise, expiresIn);
@@ -2296,6 +2374,8 @@ static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth,
 			f.pmk_r1_name, WPA_PMK_NAME_LEN);
 	wpa_hexdump(MSG_DEBUG, "FT: PMK-R1 push - Identity",
 			f.identity, f.identity_len);
+	wpa_printf(MSG_DEBUG, "FT: PMK-R1 push - session_timeout %d",
+			session_timeout);
 	wpa_hexdump(MSG_DEBUG, "FT: PMK-R1 push - Cui",
 			f.radius_cui, f.radius_cui_len);
 	wpa_printf(MSG_DEBUG, "FT: PMK-R1 push - vlan %d%s",
@@ -2305,8 +2385,9 @@ static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth,
 	if (expiresIn <= 0 || expiresIn > maxExpiresIn)
 		expiresIn = maxExpiresIn;
 	wpa_ft_store_pmk_r1(wpa_auth, f.s1kh_id, f.pmk_r1, f.pmk_r1_name,
-			    pairwise, f.vlan, expiresIn, f.identity,
-			    f.identity_len, f.radius_cui, f.radius_cui_len);
+			    pairwise, f.vlan, expiresIn, session_timeout,
+			    f.identity, f.identity_len, f.radius_cui,
+			    f.radius_cui_len);
 	os_memset(f.pmk_r1, 0, PMK_LEN);
 
 	return 0;
@@ -2442,7 +2523,7 @@ static void wpa_ft_generate_pmk_r1(struct wpa_authenticator *wpa_auth,
 				   struct wpa_ft_pmk_r0_sa *pmk_r0,
 				   struct ft_remote_r1kh *r1kh,
 				   const u8 *s1kh_id, int pairwise,
-				   int expiresIn)
+				   int expiresIn, int session_timeout)
 {
 	struct ft_r0kh_r1kh_push_frame frame, f;
 	struct os_time now;
@@ -2475,6 +2556,7 @@ static void wpa_ft_generate_pmk_r1(struct wpa_authenticator *wpa_auth,
 	f.identity_len = pmk_r0->identity_len;
 	os_memcpy(f.radius_cui, pmk_r0->radius_cui, pmk_r0->radius_cui_len);
 	f.radius_cui_len = pmk_r0->radius_cui_len;
+	f.session_timeout = host_to_le32(session_timeout);
 	os_memset(f.pad, 0, sizeof(f.pad));
 	plain = ((const u8 *) &f) + offsetof(struct ft_r0kh_r1kh_push_frame,
 					     timestamp);
@@ -2495,7 +2577,7 @@ void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr)
 	struct wpa_ft_pmk_r0_sa *r0, *r0found = NULL;
 	struct ft_remote_r1kh *r1kh;
 	struct os_reltime now;
-	int expiresIn;
+	int expiresIn, session_timeout;
 
 	if (!wpa_auth->conf.pmk_r1_push)
 		return;
@@ -2514,7 +2596,18 @@ void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr)
 		return;
 	r0->pmk_r1_pushed = 1;
 	os_get_reltime(&now);
-	expiresIn = r0->expiration - now.sec;
+	if (r0->expiration > 0 && r0->expiration > now.sec)
+		expiresIn = r0->expiration > now.sec;
+	else if (r0->expiration)
+		expiresIn = 1;
+	else
+		expiresIn = 0;
+	if (r0->session_timeout > 0 && r0->session_timeout > now.sec)
+		session_timeout = r0->session_timeout > now.sec;
+	else if (r0->session_timeout)
+		session_timeout = 1;
+	else
+		session_timeout = 0;
 
 	wpa_printf(MSG_DEBUG, "FT: Deriving and pushing PMK-R1 keys to R1KHs "
 		   "for STA " MACSTR, MAC2STR(addr));
@@ -2524,7 +2617,7 @@ void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr)
 		    is_zero_ether_addr(r1kh->id))
 			continue;
 		wpa_ft_generate_pmk_r1(wpa_auth, r0, r1kh, addr, r0->pairwise,
-				       expiresIn);
+				       expiresIn, session_timeout);
 	}
 }
 
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index 148367c..7a6fd26 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -765,6 +765,31 @@ hostapd_wpa_auth_get_vlan(void *ctx, const u8 *sta_addr,
 }
 
 
+static int
+hostapd_wpa_auth_get_session_timeout(void *ctx, const u8 *sta_addr)
+{
+	struct hostapd_data *hapd = ctx;
+	struct sta_info *sta;
+	struct os_reltime now, remaining;
+
+	sta = ap_get_sta(hapd, sta_addr);
+	if (sta == NULL)
+		return 0;
+
+	if (!sta->session_timeout_set)
+		return 0;
+
+	os_get_reltime(&now);
+	if (os_reltime_before(&sta->session_timeout, &now))
+		/* already expired, return >0 as timeout was set */
+		return 1;
+
+	os_reltime_sub(&sta->session_timeout, &now, &remaining);
+
+	return (remaining.sec > 0) ? remaining.sec : 1;
+}
+
+
 static size_t
 hostapd_wpa_auth_get_identity(void *ctx, const u8 *sta_addr, u8 *buf,
 			       size_t buflen)
@@ -837,6 +862,28 @@ hostapd_wpa_auth_get_radius_cui(void *ctx, const u8 *sta_addr, u8 *buf,
 
 
 static void
+hostapd_wpa_auth_set_session_timeout(void *ctx, const u8 *sta_addr,
+				      int session_timeout)
+{
+	struct hostapd_data *hapd = ctx;
+	struct sta_info *sta;
+
+	sta = ap_get_sta(hapd, sta_addr);
+	if (sta == NULL)
+		return;
+
+	os_get_reltime(&sta->session_timeout);
+	sta->session_timeout.sec += session_timeout;
+	sta->session_timeout_set = !!session_timeout;
+
+	if (sta->session_timeout_set)
+		ap_sta_session_timeout(hapd, sta, session_timeout);
+	else
+		ap_sta_no_session_timeout(hapd, sta);
+}
+
+
+static void
 hostapd_wpa_auth_set_identity(void *ctx, const u8 *sta_addr, u8 *identity,
 			       size_t identity_len)
 {
@@ -978,8 +1025,10 @@ int hostapd_setup_wpa(struct hostapd_data *hapd)
 	cb.add_sta = hostapd_wpa_auth_add_sta_auth;
 	cb.set_vlan = hostapd_wpa_auth_set_vlan;
 	cb.get_vlan = hostapd_wpa_auth_get_vlan;
+	cb.get_session_timeout = hostapd_wpa_auth_get_session_timeout;
 	cb.get_identity = hostapd_wpa_auth_get_identity;
 	cb.get_radius_cui = hostapd_wpa_auth_get_radius_cui;
+	cb.set_session_timeout = hostapd_wpa_auth_set_session_timeout;
 	cb.set_identity = hostapd_wpa_auth_set_identity;
 	cb.set_radius_cui = hostapd_wpa_auth_set_radius_cui;
 	cb.add_tspec = hostapd_wpa_auth_add_tspec;
-- 
1.9.1


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux