From: Michael Braun <michael-dev@xxxxxxxxxxxxx> This ensures a session timeout configured on R0 either using RADIUS-based ACL or 802.1X authentication is copied over to the new R1. As the session can be moved at any time, a timestamp needs to be kept so the remaining session time can be computed by R0 when requested. Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx> --- src/ap/ieee802_11.c | 9 ++- src/ap/ieee802_1x.c | 16 +++-- src/ap/sta_info.h | 3 +- src/ap/wpa_auth.h | 9 ++- src/ap/wpa_auth_ft.c | 163 ++++++++++++++++++++++++++++++++++++++----------- src/ap/wpa_auth_glue.c | 49 +++++++++++++++ 6 files changed, 204 insertions(+), 45 deletions(-) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index 0486923..2bbbf99 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -970,10 +970,15 @@ int handle_auth_cfg_sta(struct hostapd_data *hapd, struct sta_info *sta, info->acct_interim_interval) sta->acct_interim_interval = info->acct_interim_interval; - if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) + if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) { + sta->session_timeout_set = 1; + os_get_reltime(&sta->session_timeout); + sta->session_timeout.sec += info->session_timeout; ap_sta_session_timeout(hapd, sta, info->session_timeout); - else + } else { + sta->session_timeout_set = 0; ap_sta_no_session_timeout(hapd, sta); + } return 0; } diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index c774d5c..f28ada8 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -1751,14 +1751,17 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, break; sta->session_timeout_set = !!session_timeout_set; - sta->session_timeout = session_timeout; + os_get_reltime(&sta->session_timeout); + sta->session_timeout.sec += session_timeout; /* RFC 3580, Ch. 3.17 */ if (session_timeout_set && termination_action == RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { sm->reAuthPeriod = session_timeout; - } else if (session_timeout_set) + } else if (session_timeout_set) { ap_sta_session_timeout(hapd, sta, session_timeout); + } else + ap_sta_no_session_timeout(hapd, sta); sm->eap_if->aaaSuccess = TRUE; override_eapReq = 1; @@ -2618,6 +2621,7 @@ static void ieee802_1x_finished(struct hostapd_data *hapd, /* TODO: get PMKLifetime from WPA parameters */ static const int dot11RSNAConfigPMKLifetime = 43200; unsigned int session_timeout; + struct os_reltime now, remaining; #ifdef CONFIG_HS20 if (remediation && !sta->remediation) { @@ -2638,9 +2642,11 @@ static void ieee802_1x_finished(struct hostapd_data *hapd, #endif /* CONFIG_HS20 */ key = ieee802_1x_get_key(sta->eapol_sm, &len); - if (sta->session_timeout_set) - session_timeout = sta->session_timeout; - else + if (sta->session_timeout_set) { + os_get_reltime(&now); + os_reltime_sub(&sta->session_timeout, &now, &remaining); + session_timeout = (remaining.sec > 0) ? remaining.sec : 1; + } else session_timeout = dot11RSNAConfigPMKLifetime; if (success && key && len >= PMK_LEN && !sta->remediation && !sta->hs20_deauth_requested && diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h index abb207c..8437b84 100644 --- a/src/ap/sta_info.h +++ b/src/ap/sta_info.h @@ -178,7 +178,8 @@ struct sta_info { struct sae_data *sae; #endif /* CONFIG_SAE */ - u32 session_timeout; /* valid only if session_timeout_set == 1 */ + /* valid only if session_timeout_set == 1 */ + struct os_reltime session_timeout; /* Last Authentication/(Re)Association Request/Action frame sequence * control */ diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index 3b27760..63178c9 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h @@ -82,7 +82,7 @@ struct ft_r0kh_r1kh_pull_frame { FT_R1KH_ID_LEN + ETH_ALEN + PMK_LEN + \ WPA_PMK_NAME_LEN + 2 + 2 + \ FT_VLAN_DATA_LEN + 1 + FT_IDENTITY_LEN + \ - 1 + FT_RADIUS_CUI_LEN) + 1 + FT_RADIUS_CUI_LEN + 4) #define FT_R0KH_R1KH_RESP_PAD_LEN (8 - FT_R0KH_R1KH_RESP_DATA_LEN % 8) struct ft_r0kh_r1kh_resp_frame { u8 frame_type; /* RSN_REMOTE_FRAME_TYPE_FT_RRB */ @@ -102,6 +102,7 @@ struct ft_r0kh_r1kh_resp_frame { u8 identity[FT_IDENTITY_LEN]; u8 radius_cui_len; u8 radius_cui[FT_RADIUS_CUI_LEN]; + le32 session_timeout; u8 pad[FT_R0KH_R1KH_RESP_PAD_LEN]; /* 8-octet boundary for AES block */ u8 key_wrap_extra[8]; } STRUCT_PACKED; @@ -110,7 +111,7 @@ struct ft_r0kh_r1kh_resp_frame { WPA_PMK_NAME_LEN + PMK_LEN + \ WPA_PMK_NAME_LEN + 2 + 2 + \ FT_VLAN_DATA_LEN + 1 + FT_IDENTITY_LEN + \ - 1 + FT_RADIUS_CUI_LEN) + 1 + FT_RADIUS_CUI_LEN + 4) #define FT_R0KH_R1KH_PUSH_PAD_LEN (8 - FT_R0KH_R1KH_PUSH_DATA_LEN % 8) struct ft_r0kh_r1kh_push_frame { u8 frame_type; /* RSN_REMOTE_FRAME_TYPE_FT_RRB */ @@ -133,6 +134,7 @@ struct ft_r0kh_r1kh_push_frame { u8 identity[FT_IDENTITY_LEN]; u8 radius_cui_len; u8 radius_cui[FT_RADIUS_CUI_LEN]; + le32 session_timeout; u8 pad[FT_R0KH_R1KH_PUSH_PAD_LEN]; /* 8-octet boundary for AES block */ u8 key_wrap_extra[8]; } STRUCT_PACKED; @@ -270,10 +272,13 @@ struct wpa_auth_callbacks { size_t buflen); size_t (*get_radius_cui)(void *ctx, const u8 *sta_addr, u8 *buf, size_t buflen); + int (*get_session_timeout)(void *ctx, const u8 *sta_addr); void (*set_identity)(void *ctx, const u8 *sta_addr, u8 *identity, size_t identity_len); void (*set_radius_cui)(void *ctx, const u8 *sta_addr, u8 *radius_cui, size_t radius_cui_len); + void (*set_session_timeout)(void *ctx, const u8 *sta_addr, + int session_timeout); int (*send_ft_action)(void *ctx, const u8 *dst, const u8 *data, size_t data_len); diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c index 2f68d45..beeeca7 100644 --- a/src/ap/wpa_auth_ft.c +++ b/src/ap/wpa_auth_ft.c @@ -103,6 +103,16 @@ wpa_ft_get_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, } +static int +wpa_ft_get_session_timeout(struct wpa_authenticator *wpa_auth, + const u8 *sta_addr) +{ + if (wpa_auth->cb.get_session_timeout == NULL) + return 0; + return wpa_auth->cb.get_session_timeout(wpa_auth->cb.ctx, sta_addr); +} + + static size_t wpa_ft_get_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, u8 *buf, size_t buflen) @@ -126,6 +136,17 @@ wpa_ft_get_radius_cui(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, static void +wpa_ft_set_session_timeout(struct wpa_authenticator *wpa_auth, + const u8 *sta_addr, int session_timeout) +{ + if (wpa_auth->cb.set_session_timeout == NULL) + return; + wpa_auth->cb.set_session_timeout(wpa_auth->cb.ctx, sta_addr, + session_timeout); +} + + +static void wpa_ft_set_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr, u8 *identity, size_t identity_len) { @@ -241,7 +262,8 @@ struct wpa_ft_pmk_r0_sa { u8 identity_len; u8 radius_cui[FT_RADIUS_CUI_LEN]; u8 radius_cui_len; - /* TODO: radius_class, EAP type, expiration from EAPOL */ + os_time_t session_timeout; /* 0 for no expiration */ + /* TODO: radius_class, EAP type */ int pmk_r1_pushed; }; @@ -256,7 +278,8 @@ struct wpa_ft_pmk_r1_sa { u8 identity_len; u8 radius_cui[FT_RADIUS_CUI_LEN]; u8 radius_cui_len; - /* TODO: expiration from EAPOL, radius_class, EAP type */ + os_time_t session_timeout; /* 0 for no expiration */ + /* TODO: radius_class, EAP type */ }; struct wpa_ft_pmk_cache { @@ -288,6 +311,7 @@ static void wpa_ft_expire_pmk_r0(void *eloop_ctx, void *timeout_ctx) struct wpa_ft_pmk_r0_sa *r0 = eloop_ctx; struct os_reltime now; int expiresIn; + int session_timeout; os_get_reltime(&now); @@ -295,13 +319,23 @@ static void wpa_ft_expire_pmk_r0(void *eloop_ctx, void *timeout_ctx) return; expiresIn = r0->expiration - now.sec; - if (expiresIn > 0) { + session_timeout = r0->session_timeout - now.sec; + /* conditions to remove from cache: + * a) r0->expiration is set and hit + * -or- + * b) r0->session_timeout is set and hit + */ + if ((!r0->expiration || expiresIn > 0) && + (!r0->session_timeout || session_timeout > 0)) { wpa_printf(MSG_ERROR, "FT: wpa_ft_expire_pmk_r0 called for " - "non-expired entry %p, delete in %ds", - r0, expiresIn); + "non-expired entry %p", r0); eloop_cancel_timeout(wpa_ft_expire_pmk_r0, r0, NULL); - eloop_register_timeout(expiresIn + 1, 0, - wpa_ft_expire_pmk_r0, r0, NULL); + if (r0->expiration && expiresIn > 0) + eloop_register_timeout(expiresIn + 1, 0, + wpa_ft_expire_pmk_r0, r0, NULL); + if (r0->session_timeout && session_timeout > 0) + eloop_register_timeout(session_timeout + 1, 0, + wpa_ft_expire_pmk_r0, r0, NULL); return; } @@ -365,7 +399,7 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r0, const u8 *pmk_r0_name, int pairwise, const struct ft_vlan vlan, - const int expiresIn, + const int expiresIn, const int session_timeout, const u8 *identity, u8 identity_len, const u8 *radius_cui, u8 radius_cui_len) { @@ -395,12 +429,17 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth, os_memcpy(r0->radius_cui, radius_cui, radius_cui_len); r0->radius_cui_len = radius_cui_len; } + if (session_timeout > 0) + r0->session_timeout = now.sec + session_timeout; dl_list_add(&cache->pmk_r0, &r0->list); if (expiresIn > 0) eloop_register_timeout(expiresIn + 1, 0, wpa_ft_expire_pmk_r0, r0, NULL); + if (session_timeout > 0) + eloop_register_timeout(session_timeout + 1, 0, + wpa_ft_expire_pmk_r0, r0, NULL); return 0; } @@ -414,8 +453,9 @@ static int wpa_ft_fetch_pmk_r0(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r0_name, u8 *pmk_r0, int *pairwise, struct ft_vlan *vlan, int *expiresIn, - u8 *identity, u8 *identity_len, - u8 *radius_cui, u8 *radius_cui_len) + int *session_timeout, u8 *identity, + u8 *identity_len, u8 *radius_cui, + u8 *radius_cui_len) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; struct wpa_ft_pmk_r0_sa *r0; @@ -447,6 +487,13 @@ static int wpa_ft_fetch_pmk_r0(struct wpa_authenticator *wpa_auth, r0->radius_cui_len); *radius_cui_len = r0->radius_cui_len; } + if (session_timeout && r0->session_timeout > now.sec) + *session_timeout = r0->session_timeout - + now.sec; + else if (session_timeout && r0->session_timeout) + *session_timeout = 1; + else + *session_timeout = 0; return 0; } @@ -460,14 +507,16 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r1, const u8 *pmk_r1_name, int pairwise, const struct ft_vlan vlan, - int expiresIn, + int expiresIn, const int session_timeout, const u8 *identity, u8 identity_len, const u8 *radius_cui, u8 radius_cui_len) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; struct wpa_ft_pmk_r1_sa *r1; + struct os_reltime now; /* TODO: add expiration and limit on number of entries in cache */ + os_get_reltime(&now); r1 = os_zalloc(sizeof(*r1)); if (r1 == NULL) @@ -486,12 +535,17 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, os_memcpy(r1->radius_cui, radius_cui, radius_cui_len); r1->radius_cui_len = radius_cui_len; } + if (session_timeout > 0) + r1->session_timeout = now.sec + session_timeout; dl_list_add(&cache->pmk_r1, &r1->list); if (expiresIn > 0) eloop_register_timeout(expiresIn + 1, 0, wpa_ft_expire_pmk_r1, r1, NULL); + if (session_timeout > 0) + eloop_register_timeout(session_timeout + 1, 0, + wpa_ft_expire_pmk_r1, r1, NULL); return 0; } @@ -500,12 +554,15 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth, static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *spa, const u8 *pmk_r1_name, u8 *pmk_r1, int *pairwise, - struct ft_vlan *vlan, + struct ft_vlan *vlan, int *session_timeout, u8 *identity, u8 *identity_len, u8 *radius_cui, u8 *radius_cui_len) { struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache; struct wpa_ft_pmk_r1_sa *r1; + struct os_reltime now; + + os_get_reltime(&now); dl_list_for_each(r1, &cache->pmk_r1, struct wpa_ft_pmk_r1_sa, list) { if (os_memcmp(r1->spa, spa, ETH_ALEN) == 0 && @@ -526,6 +583,13 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth, r1->radius_cui_len); *radius_cui_len = r1->radius_cui_len; } + if (session_timeout && r1->session_timeout > now.sec) + *session_timeout = r1->session_timeout - + now.sec; + else if (session_timeout && r1->session_timeout) + *session_timeout = 1; + else + *session_timeout = 0; return 0; } } @@ -778,6 +842,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, struct ft_vlan vlan; u8 identity[FT_IDENTITY_LEN], radius_cui[FT_RADIUS_CUI_LEN]; int identity_len, radius_cui_len; + int session_timeout; if (sm->xxkey_len == 0) { wpa_printf(MSG_DEBUG, "FT: XXKey not available for key " @@ -794,6 +859,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, sizeof(identity)); radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr, radius_cui, sizeof(radius_cui)); + session_timeout = wpa_ft_get_session_timeout(sm->wpa_auth, sm->addr); wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid, r0kh, r0kh_len, sm->addr, pmk_r0, pmk_r0_name); @@ -802,8 +868,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name, sm->pairwise, vlan, expiresIn, - identity, identity_len, radius_cui, - radius_cui_len); + session_timeout, identity, identity_len, + radius_cui, radius_cui_len); wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr, pmk_r1, sm->pmk_r1_name); @@ -813,8 +879,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk, if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1, sm->pmk_r1_name, sm->pairwise, vlan, - expiresIn, identity, identity_len, - radius_cui, radius_cui_len); + expiresIn, session_timeout, identity, + identity_len, radius_cui, radius_cui_len); return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr, sm->wpa_auth->addr, sm->pmk_r1_name, @@ -1223,7 +1289,7 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, u8 *out_pmk_r1, int *out_pairwise, struct ft_vlan *out_vlan, u8 *out_identity, u8 *out_identity_len, u8 *out_radius_cui, - u8 *out_radius_cui_len) + u8 *out_radius_cui_len, int *out_session_timeout) { const u8 *pmk = NULL; u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN]; @@ -1237,6 +1303,7 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, size_t ssid_len = wpa_auth->conf.ssid_len; int pairwise; u8 len; + int timeout; pairwise = sm->pairwise; @@ -1279,6 +1346,11 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm, FT_RADIUS_CUI_LEN); *out_radius_cui_len = len; } + if (out_session_timeout) { + timeout = wpa_ft_get_session_timeout(sm->wpa_auth, + sm->addr); + *out_session_timeout = timeout; + } return 0; } @@ -1339,7 +1411,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, size_t buflen; int ret; u8 *pos, *end; - int pairwise; + int pairwise, session_timeout; struct ft_vlan vlan; u8 identity[FT_IDENTITY_LEN], radius_cui[FT_RADIUS_CUI_LEN]; u8 identity_len = 0, radius_cui_len = 0; @@ -1405,12 +1477,13 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) { if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise, &vlan, identity, &identity_len, - radius_cui, &radius_cui_len) < 0) + radius_cui, &radius_cui_len, + &session_timeout) < 0) return WLAN_STATUS_INVALID_PMKID; } else if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name, pmk_r1, - &pairwise, &vlan, identity, &identity_len, radius_cui, - &radius_cui_len) < 0) { + &pairwise, &vlan, &session_timeout, identity, &identity_len, + radius_cui, &radius_cui_len) < 0) { if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) { wpa_printf(MSG_DEBUG, "FT: Did not have matching " "PMK-R1 and unknown R0KH-ID"); @@ -1458,6 +1531,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm, wpa_ft_set_identity(sm->wpa_auth, sm->addr, identity, identity_len); wpa_ft_set_radius_cui(sm->wpa_auth, sm->addr, radius_cui, radius_cui_len); + wpa_ft_set_session_timeout(sm->wpa_auth, sm->addr, session_timeout); buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) + 2 + FT_R1KH_ID_LEN + 200; @@ -1921,8 +1995,7 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth, struct ft_remote_r1kh *r1kh, *r1kh_wildcard = NULL; struct ft_r0kh_r1kh_resp_frame resp, r; u8 pmk_r0[PMK_LEN]; - int pairwise; - int expiresIn; + int pairwise, expiresIn, session_timeout; wpa_printf(MSG_DEBUG, "FT: Received PMK-R1 pull"); @@ -1993,7 +2066,7 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth, os_memcpy(r.s1kh_id, f.s1kh_id, ETH_ALEN); if (wpa_ft_fetch_pmk_r0(wpa_auth, f.s1kh_id, f.pmk_r0_name, pmk_r0, &pairwise, &r.vlan, &expiresIn, - r.identity, &r.identity_len, + &session_timeout, r.identity, &r.identity_len, r.radius_cui, &r.radius_cui_len) < 0) { wpa_printf(MSG_DEBUG, "FT: No matching PMKR0Name found for " "PMK-R1 pull"); @@ -2011,8 +2084,11 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth, wpa_printf(MSG_DEBUG, "FT: PMK-R1 - vlan %d%s", le_to_host16(r.vlan.untagged), r.vlan.tagged[0] ? "+" : ""); + wpa_printf(MSG_DEBUG, "FT: PMK-R1 - session_timeout %d", + session_timeout); r.pairwise = host_to_le16(pairwise); r.expiresIn = host_to_le16(expiresIn); + r.session_timeout = host_to_le32(session_timeout); } os_memset(r.pad, 0, sizeof(r.pad)); @@ -2111,8 +2187,7 @@ static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth, const u8 *crypt; u8 *plain; struct ft_remote_r0kh *r0kh, *r0kh_wildcard = NULL; - int pairwise, res; - int expiresIn; + int pairwise, res, expiresIn, session_timeout; struct ft_pull_resp_cb_ctx ctx; int maxExpiresIn = wpa_auth->conf.r0_key_lifetime * 60; @@ -2172,6 +2247,7 @@ static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth, MAC2STR(f.r1kh_id), MAC2STR(f.s1kh_id)); } else { expiresIn = le_to_host16(f.expiresIn); + session_timeout = le_to_host32(f.session_timeout); wpa_hexdump(MSG_DEBUG, "FT: PMK-R1 pull - nonce", f.nonce, sizeof(f.nonce)); wpa_printf(MSG_DEBUG, "FT: PMK-R1 pull - R1KH-ID=" MACSTR @@ -2184,6 +2260,8 @@ static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth, f.pmk_r1_name, WPA_PMK_NAME_LEN); wpa_hexdump(MSG_DEBUG, "FT: PMK-R1 pull - Identity", f.identity, f.identity_len); + wpa_printf(MSG_DEBUG, "FT: PMK-R1 pull - session_timeout %d", + session_timeout); wpa_hexdump(MSG_DEBUG, "FT: PMK-R1 pull - Cui", f.radius_cui, f.radius_cui_len); wpa_printf(MSG_DEBUG, "FT: PMK-R1 pull - vlan %d%s", @@ -2194,7 +2272,7 @@ static int wpa_ft_rrb_rx_resp(struct wpa_authenticator *wpa_auth, expiresIn = maxExpiresIn; res = wpa_ft_store_pmk_r1(wpa_auth, f.s1kh_id, f.pmk_r1, f.pmk_r1_name, pairwise, f.vlan, - expiresIn, + expiresIn, session_timeout, f.identity, f.identity_len, f.radius_cui, f.radius_cui_len); } @@ -2222,8 +2300,7 @@ static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth, struct ft_remote_r0kh *r0kh, *r0kh_wildcard = NULL; struct os_time now; os_time_t tsend; - int pairwise; - int expiresIn; + int pairwise, expiresIn, session_timeout; int maxExpiresIn = wpa_auth->conf.r0_key_lifetime * 60; wpa_printf(MSG_DEBUG, "FT: Received PMK-R1 push"); @@ -2287,6 +2364,7 @@ static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth, pairwise = le_to_host16(f.pairwise); expiresIn = le_to_host16(f.expiresIn); + session_timeout = le_to_host16(f.session_timeout); wpa_printf(MSG_DEBUG, "FT: PMK-R1 push - R1KH-ID=" MACSTR " S1KH-ID=" MACSTR " pairwise=0x%x expiresIn=%d", MAC2STR(f.r1kh_id), MAC2STR(f.s1kh_id), pairwise, expiresIn); @@ -2296,6 +2374,8 @@ static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth, f.pmk_r1_name, WPA_PMK_NAME_LEN); wpa_hexdump(MSG_DEBUG, "FT: PMK-R1 push - Identity", f.identity, f.identity_len); + wpa_printf(MSG_DEBUG, "FT: PMK-R1 push - session_timeout %d", + session_timeout); wpa_hexdump(MSG_DEBUG, "FT: PMK-R1 push - Cui", f.radius_cui, f.radius_cui_len); wpa_printf(MSG_DEBUG, "FT: PMK-R1 push - vlan %d%s", @@ -2305,8 +2385,9 @@ static int wpa_ft_rrb_rx_push(struct wpa_authenticator *wpa_auth, if (expiresIn <= 0 || expiresIn > maxExpiresIn) expiresIn = maxExpiresIn; wpa_ft_store_pmk_r1(wpa_auth, f.s1kh_id, f.pmk_r1, f.pmk_r1_name, - pairwise, f.vlan, expiresIn, f.identity, - f.identity_len, f.radius_cui, f.radius_cui_len); + pairwise, f.vlan, expiresIn, session_timeout, + f.identity, f.identity_len, f.radius_cui, + f.radius_cui_len); os_memset(f.pmk_r1, 0, PMK_LEN); return 0; @@ -2442,7 +2523,7 @@ static void wpa_ft_generate_pmk_r1(struct wpa_authenticator *wpa_auth, struct wpa_ft_pmk_r0_sa *pmk_r0, struct ft_remote_r1kh *r1kh, const u8 *s1kh_id, int pairwise, - int expiresIn) + int expiresIn, int session_timeout) { struct ft_r0kh_r1kh_push_frame frame, f; struct os_time now; @@ -2475,6 +2556,7 @@ static void wpa_ft_generate_pmk_r1(struct wpa_authenticator *wpa_auth, f.identity_len = pmk_r0->identity_len; os_memcpy(f.radius_cui, pmk_r0->radius_cui, pmk_r0->radius_cui_len); f.radius_cui_len = pmk_r0->radius_cui_len; + f.session_timeout = host_to_le32(session_timeout); os_memset(f.pad, 0, sizeof(f.pad)); plain = ((const u8 *) &f) + offsetof(struct ft_r0kh_r1kh_push_frame, timestamp); @@ -2495,7 +2577,7 @@ void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr) struct wpa_ft_pmk_r0_sa *r0, *r0found = NULL; struct ft_remote_r1kh *r1kh; struct os_reltime now; - int expiresIn; + int expiresIn, session_timeout; if (!wpa_auth->conf.pmk_r1_push) return; @@ -2514,7 +2596,18 @@ void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr) return; r0->pmk_r1_pushed = 1; os_get_reltime(&now); - expiresIn = r0->expiration - now.sec; + if (r0->expiration > 0 && r0->expiration > now.sec) + expiresIn = r0->expiration > now.sec; + else if (r0->expiration) + expiresIn = 1; + else + expiresIn = 0; + if (r0->session_timeout > 0 && r0->session_timeout > now.sec) + session_timeout = r0->session_timeout > now.sec; + else if (r0->session_timeout) + session_timeout = 1; + else + session_timeout = 0; wpa_printf(MSG_DEBUG, "FT: Deriving and pushing PMK-R1 keys to R1KHs " "for STA " MACSTR, MAC2STR(addr)); @@ -2524,7 +2617,7 @@ void wpa_ft_push_pmk_r1(struct wpa_authenticator *wpa_auth, const u8 *addr) is_zero_ether_addr(r1kh->id)) continue; wpa_ft_generate_pmk_r1(wpa_auth, r0, r1kh, addr, r0->pairwise, - expiresIn); + expiresIn, session_timeout); } } diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index 148367c..7a6fd26 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -765,6 +765,31 @@ hostapd_wpa_auth_get_vlan(void *ctx, const u8 *sta_addr, } +static int +hostapd_wpa_auth_get_session_timeout(void *ctx, const u8 *sta_addr) +{ + struct hostapd_data *hapd = ctx; + struct sta_info *sta; + struct os_reltime now, remaining; + + sta = ap_get_sta(hapd, sta_addr); + if (sta == NULL) + return 0; + + if (!sta->session_timeout_set) + return 0; + + os_get_reltime(&now); + if (os_reltime_before(&sta->session_timeout, &now)) + /* already expired, return >0 as timeout was set */ + return 1; + + os_reltime_sub(&sta->session_timeout, &now, &remaining); + + return (remaining.sec > 0) ? remaining.sec : 1; +} + + static size_t hostapd_wpa_auth_get_identity(void *ctx, const u8 *sta_addr, u8 *buf, size_t buflen) @@ -837,6 +862,28 @@ hostapd_wpa_auth_get_radius_cui(void *ctx, const u8 *sta_addr, u8 *buf, static void +hostapd_wpa_auth_set_session_timeout(void *ctx, const u8 *sta_addr, + int session_timeout) +{ + struct hostapd_data *hapd = ctx; + struct sta_info *sta; + + sta = ap_get_sta(hapd, sta_addr); + if (sta == NULL) + return; + + os_get_reltime(&sta->session_timeout); + sta->session_timeout.sec += session_timeout; + sta->session_timeout_set = !!session_timeout; + + if (sta->session_timeout_set) + ap_sta_session_timeout(hapd, sta, session_timeout); + else + ap_sta_no_session_timeout(hapd, sta); +} + + +static void hostapd_wpa_auth_set_identity(void *ctx, const u8 *sta_addr, u8 *identity, size_t identity_len) { @@ -978,8 +1025,10 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) cb.add_sta = hostapd_wpa_auth_add_sta_auth; cb.set_vlan = hostapd_wpa_auth_set_vlan; cb.get_vlan = hostapd_wpa_auth_get_vlan; + cb.get_session_timeout = hostapd_wpa_auth_get_session_timeout; cb.get_identity = hostapd_wpa_auth_get_identity; cb.get_radius_cui = hostapd_wpa_auth_get_radius_cui; + cb.set_session_timeout = hostapd_wpa_auth_set_session_timeout; cb.set_identity = hostapd_wpa_auth_set_identity; cb.set_radius_cui = hostapd_wpa_auth_set_radius_cui; cb.add_tspec = hostapd_wpa_auth_add_tspec; -- 1.9.1 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap