Compare commits

..

6 commits

Author SHA1 Message Date
Tom Barthe
48e0ed037b Retrieve and use a per-PSK vlan_description
Signed-off-by: Tom Barthe <jeltz+hostap@auro.re>
2021-11-03 23:35:24 +01:00
Tom Barthe
0b17c48b9b Add default_radius_vlan in sta_info
Used to store the vlan_description corresponding to RADIUS tag 0.

Signed-off-by: Tom Barthe <jeltz+hostap@auro.re>
2021-11-03 23:35:15 +01:00
Tom Barthe
a6fc725f4b Fix selection of Tunnel* attributes by tag
The initial implementation was doing useless work.

Signed-off-by: Tom Barthe <jeltz+hostap@auro.re>
2021-10-11 04:56:57 +02:00
Tom Barthe
2ebf3674f5 Add a per PSK vlan_description
Signed-off-by: Tom Barthe <jeltz+hostap@auro.re>
2021-10-11 04:56:55 +02:00
Tom Barthe
12c14a8dd5 Replace some vlan_ids with vlan_descriptions
It should ease the integration of PPSK.

Signed-off-by: Tom Barthe <jeltz+hostap@auro.re>
2021-10-11 04:56:51 +02:00
Tom Barthe
7ac437a745 Support for RADIUS attributes filtering by tag
Signed-off-by: Tom Barthe <jeltz+hostap@auro.re>
2021-10-11 04:56:46 +02:00
13 changed files with 64 additions and 92 deletions

View file

@ -1094,16 +1094,28 @@ const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id)
}
static struct vlan_description vlan_desc_from_id(int vlan_id)
{
struct vlan_description vlan_desc;
os_memset(&vlan_desc, 0, sizeof(vlan_desc));
vlan_desc.notempty = 1;
vlan_desc.untagged = vlan_id;
return vlan_desc;
}
const u8 * hostapd_get_psk(const struct hostapd_bss_config *conf,
const u8 *addr, const u8 *p2p_dev_addr,
const u8 *prev_psk,
struct vlan_description *vlan_desc)
const u8 *prev_psk, struct vlan_description *vlan_desc)
{
struct hostapd_wpa_psk *psk;
int next_ok = prev_psk == NULL;
if (vlan_desc)
os_memset(vlan_desc, 0, sizeof(*vlan_desc));
vlan_desc->notempty = 0;
if (p2p_dev_addr && !is_zero_ether_addr(p2p_dev_addr)) {
wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR

View file

@ -2321,25 +2321,11 @@ ieee802_11_set_radius_info(struct hostapd_data *hapd, struct sta_info *sta,
{
u32 session_timeout = info->session_timeout;
u32 acct_interim_interval = info->acct_interim_interval;
struct vlan_description *vlan_id = &info->vlan_id;
struct hostapd_sta_wpa_psk_short *psk = info->psk;
char *identity = info->identity;
char *radius_cui = info->radius_cui;
if (vlan_id->notempty &&
!hostapd_vlan_valid(hapd->conf->vlan, vlan_id)) {
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
HOSTAPD_LEVEL_INFO,
"Invalid VLAN %d%s received from RADIUS server",
vlan_id->untagged,
vlan_id->tagged[0] ? "+" : "");
return -1;
}
if (ap_sta_set_vlan(hapd, sta, vlan_id) < 0)
return -1;
if (sta->vlan_id)
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_RADIUS,
HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
sta->default_radius_vlan = info->vlan_id;
hostapd_free_psk_list(sta->psk);
if (hapd->conf->wpa_psk_radius != PSK_RADIUS_IGNORED)

View file

@ -458,7 +458,7 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
struct radius_sta *info;
struct radius_hdr *hdr = radius_msg_get_hdr(msg);
struct hostapd_sta_wpa_psk_short *psk;
int vlan_psk_empty = 1;
int vlan_psk_notempty = 1;
query = hapd->acl_queries;
prev = NULL;
@ -523,12 +523,12 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
if (hapd->conf->ssid.dynamic_vlan != DYNAMIC_VLAN_DISABLED) {
/*
* Fill in the "default" VLAN (in case there is no
* tagged Tunnel* attribute associated with the PSK)
* Tunnel* attribute associated with the PSK)
*/
info->vlan_id.notempty = !!radius_msg_get_vlanid(
msg, &info->vlan_id.untagged,
MAX_NUM_TAGGED_VLAN, info->vlan_id.tagged, 0);
/* Fill in per-PSK VLAN descriptions */
/* Fill in per PSK VLAN descriptions */
for (psk = info->psk; psk; psk = psk->next) {
psk->vlan.notempty = !!radius_msg_get_vlanid(
msg, &psk->vlan.untagged,
@ -576,12 +576,12 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
psk->vlan.tagged[0] ? "+" : "");
os_memset(&psk->vlan, 0, sizeof(psk->vlan));
}
vlan_psk_empty &= !psk->vlan.notempty;
vlan_psk_notempty &= psk->vlan.notempty;
}
if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED &&
!info->vlan_id.notempty && vlan_psk_empty) {
!info->vlan_id.notempty && !vlan_psk_notempty)
cache->accepted = HOSTAPD_ACL_REJECT;
}
} else
cache->accepted = HOSTAPD_ACL_REJECT;
cache->next = hapd->acl_cache;

View file

@ -202,6 +202,7 @@ struct sta_info {
int vlan_id_bound; /* updated by ap_sta_bind_vlan() */
/* PSKs from RADIUS authentication server */
struct hostapd_sta_wpa_psk_short *psk;
struct vlan_description default_radius_vlan;
char *identity; /* User-Name from RADIUS */
char *radius_cui; /* Chargeable-User-Identity from RADIUS */

View file

@ -32,16 +32,3 @@ int vlan_compare(struct vlan_description *a, struct vlan_description *b)
}
return 0;
}
struct vlan_description
vlan_desc_from_id(int vlan_id)
{
struct vlan_description vlan_desc;
os_memset(&vlan_desc, 0, sizeof(vlan_desc));
vlan_desc.notempty = 1;
vlan_desc.untagged = vlan_id;
return vlan_desc;
}

View file

@ -19,23 +19,12 @@ struct vlan_description {
#ifndef CONFIG_NO_VLAN
int vlan_compare(struct vlan_description *a, struct vlan_description *b);
struct vlan_description vlan_desc_from_id(int vlan_id);
#else /* CONFIG_NO_VLAN */
static inline int
vlan_compare(struct vlan_description *a, struct vlan_description *b)
{
return 0;
}
static inline struct vlan_description
vlan_desc_from_id(int vlan_id)
{
struct vlan_description vlan_desc;
os_memset(&vlan_desc, 0, sizeof(vlan_desc));
return vlan_desc;
}
#endif /* CONFIG_NO_VLAN */
#endif /* VLAN_H */

View file

@ -940,8 +940,8 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
size_t pmk_len;
struct vlan_description vlan_desc;
os_memset(&PTK, 0, sizeof(PTK));
os_memset(&vlan_desc, 0, sizeof(vlan_desc));
os_memset(&PTK, 0, sizeof(PTK));
for (;;) {
if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
!wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
@ -990,8 +990,7 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
"WPA: Earlier SNonce resulted in matching MIC");
sm->alt_snonce_valid = 0;
if (vlan_desc.notempty && vlan_desc.untagged
&& wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
if (vlan_desc.notempty && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
wpa_auth_update_vlan(sm->wpa_auth, sm->addr, &vlan_desc) < 0)
return -1;
@ -2944,13 +2943,13 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
struct vlan_description vlan_desc;
int owe_ptk_workaround = !!wpa_auth->conf.owe_ptk_workaround;
os_memset(&vlan_desc, 0, sizeof(vlan_desc));
SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
sm->EAPOLKeyReceived = false;
sm->update_snonce = false;
os_memset(&PTK, 0, sizeof(PTK));
os_memset(&vlan_desc, 0, sizeof(vlan_desc));
mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
/* WPA with IEEE 802.1X: use the derived PMK from EAP
@ -3091,6 +3090,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
WLAN_REASON_PREV_AUTH_NOT_VALID);
return;
}
#ifdef CONFIG_OCV
if (wpa_auth_uses_ocv(sm)) {
struct wpa_channel_info ci;
@ -3194,8 +3194,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
}
#endif /* CONFIG_IEEE80211R_AP */
if (vlan_desc.notempty && vlan_desc.untagged &&
wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
if (vlan_desc.notempty && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
wpa_auth_update_vlan(wpa_auth, sm->addr, &vlan_desc) < 0) {
wpa_sta_disconnect(wpa_auth, sm->addr,
WLAN_REASON_PREV_AUTH_NOT_VALID);

View file

@ -296,7 +296,7 @@ struct wpa_auth_callbacks {
int (*get_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var);
const u8 * (*get_psk)(void *ctx, const u8 *addr, const u8 *p2p_dev_addr,
const u8 *prev_psk, size_t *psk_len,
struct vlan_description *vlan_desc);
struct vlan_description *vlan);
int (*get_msk)(void *ctx, const u8 *addr, u8 *msk, size_t *len);
int (*set_key)(void *ctx, int vlan_id, enum wpa_alg alg,
const u8 *addr, int idx, u8 *key, size_t key_len,
@ -314,7 +314,7 @@ struct wpa_auth_callbacks {
size_t data_len);
int (*channel_info)(void *ctx, struct wpa_channel_info *ci);
int (*update_vlan)(void *ctx, const u8 *addr,
struct vlan_description *vlan_desc);
struct vlan_description *vlan);
int (*get_sta_tx_params)(void *ctx, const u8 *addr,
int ap_max_chanwidth, int ap_seg1_idx,
int *bandwidth, int *seg1_idx);

View file

@ -337,8 +337,6 @@ static const u8 * hostapd_wpa_auth_get_psk(void *ctx, const u8 *addr,
struct vlan_description *vlan = NULL;
const u8 *psk;
if (vlan_desc)
os_memset(vlan_desc, 0, sizeof(*vlan_desc));
if (psk_len)
*psk_len = PMK_LEN;
@ -385,7 +383,7 @@ static const u8 * hostapd_wpa_auth_get_psk(void *ctx, const u8 *addr,
struct hostapd_sta_wpa_psk_short *pos;
if (vlan_desc)
os_memset(vlan_desc, 0, sizeof(*vlan_desc));
vlan_desc->notempty = 0;
psk = sta->psk->psk;
vlan = &sta->psk->vlan;
for (pos = sta->psk; pos; pos = pos->next) {
@ -403,8 +401,13 @@ static const u8 * hostapd_wpa_auth_get_psk(void *ctx, const u8 *addr,
}
}
}
if (vlan_desc && vlan)
if (vlan && vlan_desc) {
if (vlan && vlan->notempty)
*vlan_desc = *vlan;
else if (sta->default_radius_vlan.notempty)
*vlan_desc = sta->default_radius_vlan;
}
return psk;
}
@ -950,34 +953,34 @@ static int hostapd_wpa_auth_update_vlan(void *ctx, const u8 *addr,
#ifndef CONFIG_NO_VLAN
struct hostapd_data *hapd = ctx;
struct sta_info *sta;
int vlan_id = 0;
if (!hostapd_vlan_valid(hapd->conf->vlan, vlan_desc)) {
wpa_printf(MSG_INFO,
"Invalid VLAN ID %d",
vlan_desc->untagged);
return -1;
}
if (vlan_desc)
vlan_id = vlan_desc->untagged;
sta = ap_get_sta(hapd, addr);
if (!sta)
return -1;
if (!(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_VLAN_OFFLOAD)) {
if (!hostapd_vlan_valid(hapd->conf->vlan, vlan_desc)) {
wpa_printf(MSG_INFO, "Invalid VLAN ID %d", vlan_id);
return -1;
}
if (ap_sta_set_vlan(hapd, sta, vlan_desc) < 0) {
wpa_printf(MSG_INFO,
"Failed to assign VLAN ID %d to "
MACSTR, vlan_desc->untagged,
MAC2STR(sta->addr));
"Failed to assign VLAN ID %d to " MACSTR,
vlan_id, MAC2STR(sta->addr));
return -1;
}
} else {
/* TODO: tagged? */
sta->vlan_id = vlan_desc->untagged;
sta->vlan_id = vlan_id;
}
wpa_printf(MSG_INFO,
"Assigned VLAN ID %d to " MACSTR,
vlan_desc->untagged, MAC2STR(sta->addr));
"Assigned VLAN ID %d from to " MACSTR,
vlan_id, MAC2STR(sta->addr));
if ((sta->flags & WLAN_STA_ASSOC) &&
ap_sta_bind_vlan(hapd, sta) < 0)
return -1;

View file

@ -1483,7 +1483,7 @@ int radius_msg_get_vlanid(struct radius_msg *msg, int *untagged, int numtagged,
dlen = attr->length - sizeof(*attr);
if (attr->length < 3)
continue;
if (data[0] != tag)
if (tag_is_valid(tag) && data[0] != tag)
continue;
switch (attr->type) {
@ -1556,8 +1556,7 @@ int radius_msg_get_vlanid(struct radius_msg *msg, int *untagged, int numtagged,
*/
char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen,
const u8 *secret, size_t secret_len,
struct radius_msg *sent_msg, size_t n,
u8 *tag)
struct radius_msg *sent_msg, size_t n, u8 *tag)
{
u8 *buf = NULL;
size_t buflen;
@ -1595,7 +1594,7 @@ char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen,
if (j <= n)
continue;
if (tag && tag_is_valid(data[0]))
if (tag_is_valid(data[0]))
*tag = data[0];
fdata = data;

View file

@ -11,7 +11,6 @@
#include "utils/common.h"
#include "utils/eloop.h"
#include "ap/wpa_auth.h"
#include "ap/vlan.h"
#include "../fuzzer-common.h"
@ -149,7 +148,7 @@ static const u8 * auth_get_psk(void *ctx, const u8 *addr,
wpa_printf(MSG_DEBUG, "AUTH: %s (addr=" MACSTR " prev_psk=%p)",
__func__, MAC2STR(addr), prev_psk);
if (vlan_desc)
os_memset(vlan_desc, 0, sizeof(*vlan_desc));
vlan_desc->notempty = 0;
if (psk_len)
*psk_len = PMK_LEN;
if (prev_psk)

View file

@ -18,7 +18,6 @@
#include "wpa_supplicant_i.h"
#include "driver_i.h"
#include "common/ieee802_11_defs.h"
#include "ap/vlan.h"
#include "ibss_rsn.h"
@ -275,15 +274,14 @@ static void auth_logger(void *ctx, const u8 *addr, logger_level level,
static const u8 * auth_get_psk(void *ctx, const u8 *addr,
const u8 *p2p_dev_addr, const u8 *prev_psk,
size_t *psk_len,
struct vlan_description *vlan_desc)
size_t *psk_len, int *vlan_id)
{
struct ibss_rsn *ibss_rsn = ctx;
if (psk_len)
*psk_len = PMK_LEN;
if (vlan_desc)
os_memset(vlan_desc, 0, sizeof(*vlan_desc));
if (vlan_id)
*vlan_id = 0;
wpa_printf(MSG_DEBUG, "AUTH: %s (addr=" MACSTR " prev_psk=%p)",
__func__, MAC2STR(addr), prev_psk);
if (prev_psk)

View file

@ -76,8 +76,7 @@ static void auth_logger(void *ctx, const u8 *addr, logger_level level,
static const u8 *auth_get_psk(void *ctx, const u8 *addr,
const u8 *p2p_dev_addr, const u8 *prev_psk,
size_t *psk_len,
struct vlan_description *vlan_desc)
size_t *psk_len, int *vlan_id)
{
struct mesh_rsn *mesh_rsn = ctx;
struct hostapd_data *hapd = mesh_rsn->wpa_s->ifmsh->bss[0];
@ -85,8 +84,8 @@ static const u8 *auth_get_psk(void *ctx, const u8 *addr,
if (psk_len)
*psk_len = PMK_LEN;
if (vlan_desc)
os_memset(vlan_desc, 0, sizeof(*vlan_desc));
if (vlan_id)
*vlan_id = 0;
wpa_printf(MSG_DEBUG, "AUTH: %s (addr=" MACSTR " prev_psk=%p)",
__func__, MAC2STR(addr), prev_psk);