[PATCH v2 23/33] FT: add session_timeout to push/resp
M. Braun
michael-dev at fami-braun.de
Sat Sep 24 14:08:07 PDT 2016
From: Michael Braun <michael-dev at fami-braun.de>
This ensures a session timeout configured on R0 either using RADIUS-based
ACL or 802.1X authentication is copied over to the new R1.
As the session can be moved at any time, a timestamp needs to be kept so
the remaining session time can be computed by R0 when requested.
Signed-off-by: Michael Braun <michael-dev at fami-braun.de>
---
src/ap/ieee802_11.c | 9 +++-
src/ap/ieee802_1x.c | 16 ++++--
src/ap/sta_info.h | 3 +-
src/ap/wpa_auth.h | 6 ++-
src/ap/wpa_auth_ft.c | 139 +++++++++++++++++++++++++++++++++++++++++--------
src/ap/wpa_auth_glue.c | 49 +++++++++++++++++
6 files changed, 191 insertions(+), 31 deletions(-)
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index d0a7029..7da3784 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1043,10 +1043,15 @@ int handle_auth_cfg_sta(struct hostapd_data *hapd, struct sta_info *sta,
info->acct_interim_interval)
sta->acct_interim_interval = info->acct_interim_interval;
- if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT)
+ if (res == HOSTAPD_ACL_ACCEPT_TIMEOUT) {
+ sta->session_timeout_set = 1;
+ os_get_reltime(&sta->session_timeout);
+ sta->session_timeout.sec += info->session_timeout;
ap_sta_session_timeout(hapd, sta, info->session_timeout);
- else
+ } else {
+ sta->session_timeout_set = 0;
ap_sta_no_session_timeout(hapd, sta);
+ }
return 0;
}
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 5805758..e624b09 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1788,14 +1788,17 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
break;
sta->session_timeout_set = !!session_timeout_set;
- sta->session_timeout = session_timeout;
+ os_get_reltime(&sta->session_timeout);
+ sta->session_timeout.sec += session_timeout;
/* RFC 3580, Ch. 3.17 */
if (session_timeout_set && termination_action ==
RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) {
sm->reAuthPeriod = session_timeout;
- } else if (session_timeout_set)
+ } else if (session_timeout_set) {
ap_sta_session_timeout(hapd, sta, session_timeout);
+ } else
+ ap_sta_no_session_timeout(hapd, sta);
sm->eap_if->aaaSuccess = TRUE;
override_eapReq = 1;
@@ -2655,6 +2658,7 @@ static void ieee802_1x_finished(struct hostapd_data *hapd,
/* TODO: get PMKLifetime from WPA parameters */
static const int dot11RSNAConfigPMKLifetime = 43200;
unsigned int session_timeout;
+ struct os_reltime now, remaining;
#ifdef CONFIG_HS20
if (remediation && !sta->remediation) {
@@ -2675,9 +2679,11 @@ static void ieee802_1x_finished(struct hostapd_data *hapd,
#endif /* CONFIG_HS20 */
key = ieee802_1x_get_key(sta->eapol_sm, &len);
- if (sta->session_timeout_set)
- session_timeout = sta->session_timeout;
- else
+ if (sta->session_timeout_set) {
+ os_get_reltime(&now);
+ os_reltime_sub(&sta->session_timeout, &now, &remaining);
+ session_timeout = (remaining.sec > 0) ? remaining.sec : 1;
+ } else
session_timeout = dot11RSNAConfigPMKLifetime;
if (success && key && len >= PMK_LEN && !sta->remediation &&
!sta->hs20_deauth_requested &&
diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h
index 29043a6..04808ac 100644
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -197,7 +197,8 @@ struct sta_info {
unsigned int mesh_sae_pmksa_caching:1;
#endif /* CONFIG_SAE */
- u32 session_timeout; /* valid only if session_timeout_set == 1 */
+ /* valid only if session_timeout_set == 1 */
+ struct os_reltime session_timeout;
/* Last Authentication/(Re)Association Request/Action frame sequence
* control */
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 67ecdfb..5ec0343 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -81,6 +81,7 @@ struct ft_rrb_frame {
#define FT_RRB_IDENTITY 14
#define FT_RRB_RADIUS_CUI 15
+#define FT_RRB_SESSION_TIMEOUT 16 /* le32 seconds */
struct ft_rrbv1_tlv {
le16 type;
@@ -90,7 +91,7 @@ struct ft_rrbv1_tlv {
/* session TLVs:
* required: [PMK_R1, PMK_R1_NAME, PAIRWISE]
- * optional: VLAN, EXPIRES_IN, IDENTITY, RADIUS_CUI
+ * optional: VLAN, EXPIRES_IN, IDENTITY, RADIUS_CUI, SESSION_TIMEOUT
*
* pull frame TLVs:
* required: NONCE, R0KH_ID, PMK_R0_NAME, R1KH_ID, S1KH_ID
@@ -238,10 +239,13 @@ struct wpa_auth_callbacks {
struct vlan_description *vlan);
size_t (*get_identity)(void *ctx, const u8 *sta_addr, const u8 **buf);
size_t (*get_radius_cui)(void *ctx, const u8 *sta_addr, const u8 **buf);
+ int (*get_session_timeout)(void *ctx, const u8 *sta_addr);
void (*set_identity)(void *ctx, const u8 *sta_addr,
const u8 *identity, size_t identity_len);
void (*set_radius_cui)(void *ctx, const u8 *sta_addr,
const u8 *radius_cui, size_t radius_cui_len);
+ void (*set_session_timeout)(void *ctx, const u8 *sta_addr,
+ int session_timeout);
int (*send_ft_action)(void *ctx, const u8 *dst,
const u8 *data, size_t data_len);
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index eece61c..860de1e 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -496,6 +496,16 @@ wpa_ft_get_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
}
+static int
+wpa_ft_get_session_timeout(struct wpa_authenticator *wpa_auth,
+ const u8 *sta_addr)
+{
+ if (wpa_auth->cb.get_session_timeout == NULL)
+ return 0;
+ return wpa_auth->cb.get_session_timeout(wpa_auth->cb.ctx, sta_addr);
+}
+
+
static size_t
wpa_ft_get_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
const u8 **buf)
@@ -519,6 +529,17 @@ wpa_ft_get_radius_cui(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
static void
+wpa_ft_set_session_timeout(struct wpa_authenticator *wpa_auth,
+ const u8 *sta_addr, int session_timeout)
+{
+ if (wpa_auth->cb.set_session_timeout == NULL)
+ return;
+ wpa_auth->cb.set_session_timeout(wpa_auth->cb.ctx, sta_addr,
+ session_timeout);
+}
+
+
+static void
wpa_ft_set_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
const u8 *identity, size_t identity_len)
{
@@ -634,7 +655,8 @@ struct wpa_ft_pmk_r0_sa {
size_t identity_len;
u8 *radius_cui;
size_t radius_cui_len;
- /* TODO: radius_class, EAP type, expiration from EAPOL */
+ os_time_t session_timeout; /* 0 for no expiration */
+ /* TODO: radius_class, EAP type */
int pmk_r1_pushed;
};
@@ -649,7 +671,8 @@ struct wpa_ft_pmk_r1_sa {
size_t identity_len;
u8 *radius_cui;
size_t radius_cui_len;
- /* TODO: expiration from EAPOL, radius_class, EAP type */
+ os_time_t session_timeout; /* 0 for no expiration */
+ /* TODO: radius_class, EAP type */
};
struct wpa_ft_pmk_cache {
@@ -684,6 +707,7 @@ static void wpa_ft_expire_pmk_r0(void *eloop_ctx, void *timeout_ctx)
struct wpa_ft_pmk_r0_sa *r0 = eloop_ctx;
struct os_reltime now;
int expires_in;
+ int session_timeout;
os_get_reltime(&now);
@@ -691,13 +715,23 @@ static void wpa_ft_expire_pmk_r0(void *eloop_ctx, void *timeout_ctx)
return;
expires_in = r0->expiration - now.sec;
- if (expires_in > 0) {
+ session_timeout = r0->session_timeout - now.sec;
+ /* conditions to remove from cache:
+ * a) r0->expiration is set and hit
+ * -or-
+ * b) r0->session_timeout is set and hit
+ */
+ if ((!r0->expiration || expires_in > 0) &&
+ (!r0->session_timeout || session_timeout > 0)) {
wpa_printf(MSG_ERROR, "FT: wpa_ft_expire_pmk_r0 called for "
- "non-expired entry %p, delete in %ds",
- r0, expires_in);
+ "non-expired entry %p", r0);
eloop_cancel_timeout(wpa_ft_expire_pmk_r0, r0, NULL);
- eloop_register_timeout(expires_in + 1, 0,
- wpa_ft_expire_pmk_r0, r0, NULL);
+ if (r0->expiration && expires_in > 0)
+ eloop_register_timeout(expires_in + 1, 0,
+ wpa_ft_expire_pmk_r0, r0, NULL);
+ if (r0->session_timeout && session_timeout > 0)
+ eloop_register_timeout(session_timeout + 1, 0,
+ wpa_ft_expire_pmk_r0, r0, NULL);
return;
}
@@ -764,7 +798,7 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
const u8 *spa, const u8 *pmk_r0,
const u8 *pmk_r0_name, int pairwise,
const struct vlan_description *vlan,
- const int expires_in,
+ const int expires_in, const int session_timeout,
const u8 *identity, size_t identity_len,
const u8 *radius_cui, size_t radius_cui_len)
{
@@ -804,12 +838,17 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
r0->radius_cui_len = radius_cui_len;
}
}
+ if (session_timeout > 0)
+ r0->session_timeout = now.sec + session_timeout;
dl_list_add(&cache->pmk_r0, &r0->list);
if (expires_in > 0)
eloop_register_timeout(expires_in + 1, 0,
wpa_ft_expire_pmk_r0, r0, NULL);
+ if (session_timeout > 0)
+ eloop_register_timeout(session_timeout + 1, 0,
+ wpa_ft_expire_pmk_r0, r0, NULL);
return 0;
}
@@ -842,15 +881,17 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
const u8 *spa, const u8 *pmk_r1,
const u8 *pmk_r1_name, int pairwise,
const struct vlan_description *vlan,
- int expires_in,
+ int expires_in, const int session_timeout,
const u8 *identity, u8 identity_len,
const u8 *radius_cui, u8 radius_cui_len)
{
struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
int max_expires_in = wpa_auth->conf.r1_max_key_lifetime;
struct wpa_ft_pmk_r1_sa *r1;
+ struct os_reltime now;
/* TODO: add expiration and limit on number of entries in cache */
+ os_get_reltime(&now);
if (max_expires_in && (max_expires_in < expires_in || expires_in == 0))
expires_in = max_expires_in;
@@ -882,12 +923,17 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
r1->radius_cui_len = radius_cui_len;
}
}
+ if (session_timeout > 0)
+ r1->session_timeout = now.sec + session_timeout;
dl_list_add(&cache->pmk_r1, &r1->list);
if (expires_in > 0)
eloop_register_timeout(expires_in + 1, 0,
wpa_ft_expire_pmk_r1, r1, NULL);
+ if (session_timeout > 0)
+ eloop_register_timeout(session_timeout + 1, 0,
+ wpa_ft_expire_pmk_r1, r1, NULL);
return 0;
}
@@ -898,10 +944,14 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
u8 *pmk_r1, int *pairwise,
struct vlan_description *vlan,
const u8 **identity, size_t *identity_len,
- const u8 **radius_cui, size_t *radius_cui_len)
+ const u8 **radius_cui, size_t *radius_cui_len,
+ int *session_timeout)
{
struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
struct wpa_ft_pmk_r1_sa *r1;
+ struct os_reltime now;
+
+ os_get_reltime(&now);
dl_list_for_each(r1, &cache->pmk_r1, struct wpa_ft_pmk_r1_sa, list) {
if (os_memcmp(r1->spa, spa, ETH_ALEN) == 0 &&
@@ -922,6 +972,13 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
*radius_cui = r1->radius_cui;
*radius_cui_len = r1->radius_cui_len;
}
+ if (session_timeout && r1->session_timeout > now.sec)
+ *session_timeout = r1->session_timeout -
+ now.sec;
+ else if (session_timeout && r1->session_timeout)
+ *session_timeout = 1;
+ else
+ *session_timeout = 0;
return 0;
}
}
@@ -1180,6 +1237,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
struct vlan_description vlan;
const u8 *identity, *radius_cui;
int identity_len, radius_cui_len;
+ int session_timeout;
if (sm->xxkey_len == 0) {
wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
@@ -1195,6 +1253,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity);
radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
&radius_cui);
+ session_timeout = wpa_ft_get_session_timeout(sm->wpa_auth, sm->addr);
wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid,
r0kh, r0kh_len, sm->addr, pmk_r0, pmk_r0_name);
@@ -1202,8 +1261,9 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN);
if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
- sm->pairwise, &vlan, expires_in, identity,
- identity_len, radius_cui, radius_cui_len);
+ sm->pairwise, &vlan, expires_in,
+ session_timeout, identity, identity_len,
+ radius_cui, radius_cui_len);
wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr,
pmk_r1, sm->pmk_r1_name);
@@ -1213,8 +1273,8 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1,
sm->pmk_r1_name, sm->pairwise, &vlan,
- expires_in, identity, identity_len,
- radius_cui, radius_cui_len);
+ expires_in, session_timeout, identity,
+ identity_len, radius_cui, radius_cui_len);
return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr,
sm->wpa_auth->addr, sm->pmk_r1_name,
@@ -1624,7 +1684,8 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
struct vlan_description *out_vlan,
const u8 **out_identity, size_t *out_identity_len,
const u8 **out_radius_cui,
- size_t *out_radius_cui_len)
+ size_t *out_radius_cui_len,
+ int *out_session_timeout)
{
const u8 *pmk = NULL;
u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
@@ -1638,6 +1699,7 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
size_t ssid_len = wpa_auth->conf.ssid_len;
int pairwise;
u8 len;
+ int timeout;
pairwise = sm->pairwise;
@@ -1678,6 +1740,11 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
out_radius_cui);
*out_radius_cui_len = len;
}
+ if (out_session_timeout) {
+ timeout = wpa_ft_get_session_timeout(sm->wpa_auth,
+ sm->addr);
+ *out_session_timeout = timeout;
+ }
return 0;
}
@@ -1738,7 +1805,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
size_t buflen;
int ret;
u8 *pos, *end;
- int pairwise;
+ int pairwise, session_timeout;
struct vlan_description vlan;
const u8 *identity, *radius_cui;
size_t identity_len = 0, radius_cui_len = 0;
@@ -1804,12 +1871,13 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise,
&vlan, &identity, &identity_len,
- &radius_cui, &radius_cui_len) < 0)
+ &radius_cui, &radius_cui_len,
+ &session_timeout) < 0)
return WLAN_STATUS_INVALID_PMKID;
} else if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name,
pmk_r1, &pairwise, &vlan, &identity,
&identity_len, &radius_cui,
- &radius_cui_len) < 0) {
+ &radius_cui_len, &session_timeout) < 0) {
if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) {
wpa_printf(MSG_DEBUG, "FT: Did not have matching "
"PMK-R1 and unknown R0KH-ID");
@@ -1851,6 +1919,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
wpa_ft_set_identity(sm->wpa_auth, sm->addr, identity, identity_len);
wpa_ft_set_radius_cui(sm->wpa_auth, sm->addr, radius_cui,
radius_cui_len);
+ wpa_ft_set_session_timeout(sm->wpa_auth, sm->addr, session_timeout);
buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
2 + FT_R1KH_ID_LEN + 200;
@@ -2312,7 +2381,9 @@ static int wpa_ft_rrb_build_r0(const u8 *kek, size_t kek_len,
u8 pmk_r1_name[WPA_PMK_NAME_LEN];
u8 f_pairwise[sizeof(le16)];
u8 f_expires_in[sizeof(le16)];
+ u8 f_session_timeout[sizeof(le32)];
int expires_in;
+ int session_timeout;
struct os_reltime now;
int ret;
@@ -2327,6 +2398,7 @@ static int wpa_ft_rrb_build_r0(const u8 *kek, size_t kek_len,
WPA_PUT_LE16(f_pairwise, pmk_r0->pairwise);
os_get_reltime(&now);
+
if (pmk_r0->expiration > now.sec)
expires_in = pmk_r0->expiration - now.sec;
else if (pmk_r0->expiration)
@@ -2335,6 +2407,14 @@ static int wpa_ft_rrb_build_r0(const u8 *kek, size_t kek_len,
expires_in = 0;
WPA_PUT_LE16(f_expires_in, expires_in);
+ if (pmk_r0->session_timeout > now.sec)
+ session_timeout = pmk_r0->session_timeout - now.sec;
+ else if (pmk_r0->session_timeout)
+ session_timeout = 1;
+ else
+ session_timeout = 0;
+ WPA_PUT_LE32(f_session_timeout, session_timeout);
+
struct tlv_list sess_tlv[] = {
{ .type = FT_RRB_PMK_R1, .len = sizeof(pmk_r1),
.data = pmk_r1 },
@@ -2348,6 +2428,9 @@ static int wpa_ft_rrb_build_r0(const u8 *kek, size_t kek_len,
.data = pmk_r0->identity },
{ .type = FT_RRB_RADIUS_CUI, .len = pmk_r0->radius_cui_len,
.data = pmk_r0->radius_cui },
+ { .type = FT_RRB_SESSION_TIMEOUT,
+ .len = sizeof(f_session_timeout),
+ .data = f_session_timeout },
{ .type = FT_RRB_LAST_EMPTY, .len = 0, .data = NULL },
};
@@ -2372,7 +2455,6 @@ static int wpa_ft_rrb_rx_pull(struct wpa_authenticator *wpa_auth,
const u8 *f_nonce, *f_r0kh_id, *f_r1kh_id, *f_s1kh_id, *f_pmk_r0_name;
size_t f_nonce_len, f_r0kh_id_len, f_r1kh_id_len, f_s1kh_id_len;
size_t f_pmk_r0_name_len;
- struct tlv_list *sess_tlv = NULL;
const struct wpa_ft_pmk_r0_sa *r0;
wpa_printf(MSG_DEBUG, "FT: Received PMK-R1 pull request");
@@ -2461,7 +2543,6 @@ out:
os_free(plain); plain = NULL;
os_free(packet); packet = NULL;
- os_free(sess_tlv); sess_tlv = NULL;
return 0;
}
@@ -2553,14 +2634,17 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth,
const u8 *f_pmk_r1_name, *f_pairwise, *f_pmk_r1;
const u8 *f_expires_in;
const u8 *f_identity, *f_radius_cui;
+ const u8 *f_session_timeout;
size_t f_r1kh_id_len, f_s1kh_id_len;
size_t f_pmk_r1_name_len, f_pairwise_len, f_pmk_r1_len;
size_t f_expires_in_len;
size_t f_identity_len, f_radius_cui_len;
+ size_t f_session_timeout_len;
int pairwise;
int ret = -1;
int expires_in;
int max_expires_in = wpa_auth->conf.r0_key_lifetime * 60;
+ int session_timeout;
struct vlan_description vlan;
char buf[256];
@@ -2629,9 +2713,20 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth,
wpa_hexdump(MSG_DEBUG, buf, f_radius_cui, f_radius_cui_len);
}
+ RRB_GET_OPTIONAL(FT_RRB_SESSION_TIMEOUT, session_timeout, msgtype,
+ sizeof(le32));
+
+ if (f_session_timeout)
+ session_timeout = WPA_GET_LE32(f_session_timeout);
+ else
+ session_timeout = 0;
+
+ wpa_printf(MSG_DEBUG, "FT: PMK-R1 %s - session_timeout %d", msgtype,
+ session_timeout);
+
if (wpa_ft_store_pmk_r1(wpa_auth, f_s1kh_id, f_pmk_r1, f_pmk_r1_name,
- pairwise, &vlan, expires_in, f_identity,
- f_identity_len, f_radius_cui,
+ pairwise, &vlan, expires_in, session_timeout,
+ f_identity, f_identity_len, f_radius_cui,
f_radius_cui_len) < 0)
return -1;
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index ac0f085..2d9fd94 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -710,6 +710,31 @@ hostapd_wpa_auth_get_vlan(void *ctx, const u8 *sta_addr,
}
+static int
+hostapd_wpa_auth_get_session_timeout(void *ctx, const u8 *sta_addr)
+{
+ struct hostapd_data *hapd = ctx;
+ struct sta_info *sta;
+ struct os_reltime now, remaining;
+
+ sta = ap_get_sta(hapd, sta_addr);
+ if (sta == NULL)
+ return 0;
+
+ if (!sta->session_timeout_set)
+ return 0;
+
+ os_get_reltime(&now);
+ if (os_reltime_before(&sta->session_timeout, &now))
+ /* already expired, return >0 as timeout was set */
+ return 1;
+
+ os_reltime_sub(&sta->session_timeout, &now, &remaining);
+
+ return (remaining.sec > 0) ? remaining.sec : 1;
+}
+
+
static size_t
hostapd_wpa_auth_get_identity(void *ctx, const u8 *sta_addr, const u8 **buf)
{
@@ -775,6 +800,28 @@ hostapd_wpa_auth_get_radius_cui(void *ctx, const u8 *sta_addr, const u8 **buf)
static void
+hostapd_wpa_auth_set_session_timeout(void *ctx, const u8 *sta_addr,
+ int session_timeout)
+{
+ struct hostapd_data *hapd = ctx;
+ struct sta_info *sta;
+
+ sta = ap_get_sta(hapd, sta_addr);
+ if (sta == NULL)
+ return;
+
+ os_get_reltime(&sta->session_timeout);
+ sta->session_timeout.sec += session_timeout;
+ sta->session_timeout_set = !!session_timeout;
+
+ if (sta->session_timeout_set)
+ ap_sta_session_timeout(hapd, sta, session_timeout);
+ else
+ ap_sta_no_session_timeout(hapd, sta);
+}
+
+
+static void
hostapd_wpa_auth_set_identity(void *ctx, const u8 *sta_addr,
const u8 *identity, size_t identity_len)
{
@@ -914,8 +961,10 @@ int hostapd_setup_wpa(struct hostapd_data *hapd)
cb.add_sta = hostapd_wpa_auth_add_sta_auth;
cb.set_vlan = hostapd_wpa_auth_set_vlan;
cb.get_vlan = hostapd_wpa_auth_get_vlan;
+ cb.get_session_timeout = hostapd_wpa_auth_get_session_timeout;
cb.get_identity = hostapd_wpa_auth_get_identity;
cb.get_radius_cui = hostapd_wpa_auth_get_radius_cui;
+ cb.set_session_timeout = hostapd_wpa_auth_set_session_timeout;
cb.set_identity = hostapd_wpa_auth_set_identity;
cb.set_radius_cui = hostapd_wpa_auth_set_radius_cui;
cb.add_tspec = hostapd_wpa_auth_add_tspec;
--
2.1.4
More information about the Hostap
mailing list