[PATCH v2 11/33] FT: add IEEE vlan support (including tagged vlans)
M. Braun
michael-dev at fami-braun.de
Sat Sep 24 14:07:55 PDT 2016
From: Michael Braun <michael-dev at fami-braun.de>
This introduces set_vlan and get_vlan callbacks for wpa_auth
and uses them to fetch and configure vlan of sta.
The struct vlan_description is converted into a network encoding
(struct ft_vlan) for byter order reasons.
Signed-off-by: Michael Braun <michael-dev at fami-braun.de>
---
src/ap/ieee802_1x.c | 2 +-
src/ap/wpa_auth.h | 10 +-
src/ap/wpa_auth_ft.c | 254 ++++++++++++++++++++++++++++++++++++++++++++++---
src/ap/wpa_auth_glue.c | 61 ++++++++++++
4 files changed, 312 insertions(+), 15 deletions(-)
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 80ff996..5805758 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -1170,7 +1170,7 @@ void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta)
sta->eapol_sm->portValid = TRUE;
if (sta->eapol_sm->eap)
eap_sm_notify_cached(sta->eapol_sm->eap);
- /* TODO: get vlan_id from R0KH using RRB message */
+ ap_sta_bind_vlan(hapd, sta);
return;
}
#endif /* CONFIG_IEEE80211R */
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index d541f8d..aa7920a 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -13,6 +13,7 @@
#include "common/eapol_common.h"
#include "common/wpa_common.h"
#include "common/ieee802_11_defs.h"
+#include "vlan.h"
#define MAX_OWN_IE_OVERRIDE 256
@@ -75,6 +76,9 @@ struct ft_rrb_frame {
#define FT_RRB_PAIRWISE 10 /* le16 */
#define FT_RRB_EXPIRES_IN 11 /* le16 seconds */
+#define FT_RRB_VLAN_UNTAGGED 12 /* le16 */
+#define FT_RRB_VLAN_TAGGED 13 /* n times le16 */
+
struct ft_rrbv1_tlv {
le16 type;
le16 len;
@@ -83,7 +87,7 @@ struct ft_rrbv1_tlv {
/* session TLVs:
* required: [PMK_R1, PMK_R1_NAME, PAIRWISE]
- * optional: EXPIRES_IN
+ * optional: VLAN, EXPIRES_IN
*
* pull frame TLVs:
* required: NONCE, R0KH_ID, PMK_R0_NAME, R1KH_ID, S1KH_ID
@@ -219,6 +223,10 @@ struct wpa_auth_callbacks {
size_t data_len);
#ifdef CONFIG_IEEE80211R
struct wpa_state_machine * (*add_sta)(void *ctx, const u8 *sta_addr);
+ int (*set_vlan)(void *ctx, const u8 *sta_addr,
+ struct vlan_description *vlan);
+ int (*get_vlan)(void *ctx, const u8 *sta_addr,
+ struct vlan_description *vlan);
int (*send_ft_action)(void *ctx, const u8 *dst,
const u8 *data, size_t data_len);
int (*add_tspec)(void *ctx, const u8 *sta_addr, u8 *tspec_ie,
diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
index 15bf55e..89fbb63 100644
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -122,6 +122,87 @@ static int wpa_ft_rrb_get_tlv(const u8 *plain, const size_t plain_len,
}
+static int cmp_int(const void *a, const void *b)
+{
+ int x, y;
+
+ x = *((int *) a);
+ y = *((int *) b);
+ return (x - y);
+}
+
+
+static int wpa_ft_rrb_get_tlv_vlan(const u8 *plain, const size_t plain_len,
+ struct vlan_description *vlan)
+{
+ struct ft_rrbv1_tlv *f;
+ size_t left;
+ size_t len;
+ int taggedidx;
+ int vlan_id;
+ int type;
+
+ left = plain_len;
+ taggedidx = 0;
+ os_memset(vlan, 0, sizeof(*vlan));
+
+ while (left >= sizeof(*f)) {
+ f = (struct ft_rrbv1_tlv *) plain;
+
+ left -= sizeof(*f);
+ plain += sizeof(*f);
+
+ len = le_to_host16(f->len);
+ type = le_to_host16(f->type);
+
+ if (left < len)
+ return -1;
+
+ if (type != FT_RRB_VLAN_UNTAGGED &&
+ type != FT_RRB_VLAN_TAGGED)
+ goto skip;
+
+ if (type == FT_RRB_VLAN_UNTAGGED &&
+ len != sizeof(le16))
+ return -1;
+
+ if (type == FT_RRB_VLAN_TAGGED &&
+ len % sizeof(le16) != 0)
+ return -1;
+
+ while (len >= sizeof(le16)) {
+ vlan_id = WPA_GET_LE16(plain);
+ plain += sizeof(le16);
+ left -= sizeof(le16);
+ len -= sizeof(le16);
+
+ if (vlan_id <= 0 || vlan_id > MAX_VLAN_ID)
+ continue;
+
+ if (type == FT_RRB_VLAN_UNTAGGED)
+ vlan->untagged = vlan_id;
+
+ if (type == FT_RRB_VLAN_TAGGED &&
+ taggedidx < MAX_NUM_TAGGED_VLAN) {
+ vlan->tagged[taggedidx] = vlan_id;
+ taggedidx++;
+ }
+ }
+
+skip:
+ left -= len;
+ plain += len;
+ }
+
+ if (taggedidx)
+ qsort(vlan->tagged, taggedidx, sizeof(int), cmp_int);
+
+ vlan->notempty = vlan->untagged || vlan->tagged[0];
+
+ return 0;
+}
+
+
/**
* encrypt message
* @frame ft_rrb_frame
@@ -187,10 +268,83 @@ static inline size_t wpa_ft_tlv_lin(const struct tlv_list *tlvs, u8 *start,
return tlv_len;
}
+static inline size_t wpa_ft_vlan_len(const struct vlan_description *vlan)
+{
+ size_t tlv_len = 0;
+ int i;
+
+ if (!vlan || !vlan->notempty)
+ return 0;
+
+ if (vlan->untagged) {
+ tlv_len += sizeof(struct ft_rrbv1_tlv);
+ tlv_len += sizeof(le16);
+ }
+ if (vlan->tagged[0])
+ tlv_len += sizeof(struct ft_rrbv1_tlv);
+ for (i = 0; i < MAX_NUM_TAGGED_VLAN && vlan->tagged[i]; i++)
+ tlv_len += sizeof(le16);
+
+ return tlv_len;
+}
+
+static inline size_t wpa_ft_vlan_lin(const struct vlan_description *vlan,
+ u8 *start, u8 *endpos) {
+ size_t tlv_len;
+ int i, len;
+ struct ft_rrbv1_tlv *hdr;
+ u8 *pos = start;
+
+ if (!vlan || !vlan->notempty)
+ return 0;
+
+ tlv_len = 0;
+ if (vlan->untagged) {
+ tlv_len += sizeof(*hdr);
+ if (start + tlv_len > endpos)
+ return tlv_len;
+ hdr = (struct ft_rrbv1_tlv *) pos;
+ hdr->type = host_to_le16(FT_RRB_VLAN_UNTAGGED);
+ hdr->len = host_to_le16(sizeof(le16));
+ pos = start + tlv_len;
+
+ tlv_len += sizeof(le16);
+ if (start + tlv_len > endpos)
+ return tlv_len;
+ WPA_PUT_LE16(pos, vlan->untagged);
+ pos = start + tlv_len;
+ }
+
+ if (!vlan->tagged[0])
+ return tlv_len;
+
+ tlv_len += sizeof(*hdr);
+ if (start + tlv_len > endpos)
+ return tlv_len;
+ hdr = (struct ft_rrbv1_tlv *) pos;
+ hdr->type = host_to_le16(FT_RRB_VLAN_TAGGED);
+ len = 0; /* len is computed below */
+ pos = start + tlv_len;
+
+ for (i = 0; i < MAX_NUM_TAGGED_VLAN && vlan->tagged[i]; i++) {
+ tlv_len += sizeof(le16);
+ if (start + tlv_len > endpos)
+ break;
+ len += sizeof(le16);
+ WPA_PUT_LE16(pos, vlan->tagged[i]);
+ pos = start + tlv_len;
+ }
+
+ hdr->len = host_to_le16(len);
+
+ return tlv_len;
+}
+
static int wpa_ft_rrb_build(const u8 *kek, size_t kek_len,
const struct ft_rrb_frame *frame,
const struct tlv_list *tlvs1,
const struct tlv_list *tlvs2,
+ const struct vlan_description *vlan,
u8 **packet, size_t *packet_len)
{
u8 *plain, *pos, *crypt, *endpos;
@@ -203,6 +357,7 @@ static int wpa_ft_rrb_build(const u8 *kek, size_t kek_len,
tlv_len = 0;
tlv_len += wpa_ft_tlv_len(tlvs1);
tlv_len += wpa_ft_tlv_len(tlvs2);
+ tlv_len += wpa_ft_vlan_len(vlan);
pad_len = (8 - (tlv_len % 8)) % 8;
plain = os_zalloc(tlv_len + pad_len);
@@ -213,6 +368,7 @@ static int wpa_ft_rrb_build(const u8 *kek, size_t kek_len,
endpos = plain + tlv_len;
pos += wpa_ft_tlv_lin(tlvs1, pos, endpos);
pos += wpa_ft_tlv_lin(tlvs2, pos, endpos);
+ pos += wpa_ft_vlan_lin(vlan, pos, endpos);
/* sanity check */
if (pos != endpos) {
@@ -310,6 +466,26 @@ wpa_ft_add_sta(struct wpa_authenticator *wpa_auth, const u8 *sta_addr)
}
+static int
+wpa_ft_set_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+ struct vlan_description *vlan)
+{
+ if (wpa_auth->cb.set_vlan == NULL)
+ return -1;
+ return wpa_auth->cb.set_vlan(wpa_auth->cb.ctx, sta_addr, vlan);
+}
+
+
+static int
+wpa_ft_get_vlan(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+ struct vlan_description *vlan)
+{
+ if (wpa_auth->cb.get_vlan == NULL)
+ return -1;
+ return wpa_auth->cb.get_vlan(wpa_auth->cb.ctx, sta_addr, vlan);
+}
+
+
static int wpa_ft_add_tspec(struct wpa_authenticator *wpa_auth,
const u8 *sta_addr,
u8 *tspec_ie, size_t tspec_ielen)
@@ -398,6 +574,7 @@ struct wpa_ft_pmk_r0_sa {
u8 pmk_r0_name[WPA_PMK_NAME_LEN];
u8 spa[ETH_ALEN];
int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
+ struct vlan_description *vlan;
os_time_t expiration; /* 0 for no expiration */
/* TODO: identity, radius_class, EAP type */
int pmk_r1_pushed;
@@ -409,7 +586,8 @@ struct wpa_ft_pmk_r1_sa {
u8 pmk_r1_name[WPA_PMK_NAME_LEN];
u8 spa[ETH_ALEN];
int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
- /* TODO: expiration, identity, radius_class, EAP type, VLAN ID */
+ struct vlan_description *vlan;
+ /* TODO: expiration, identity, radius_class, EAP type */
};
struct wpa_ft_pmk_cache {
@@ -432,6 +610,7 @@ static void wpa_ft_free_pmk_r0(struct wpa_ft_pmk_r0_sa *r0)
eloop_cancel_timeout(wpa_ft_expire_pmk_r0, r0, NULL);
os_memset(r0->pmk_r0, 0, PMK_LEN);
+ os_free(r0->vlan);
os_free(r0);
}
@@ -471,6 +650,7 @@ static void wpa_ft_free_pmk_r1(struct wpa_ft_pmk_r1_sa *r1)
eloop_cancel_timeout(wpa_ft_expire_pmk_r1, r1, NULL);
os_memset(r1->pmk_r1, 0, PMK_LEN);
+ os_free(r1->vlan);
os_free(r1);
}
@@ -517,6 +697,7 @@ void wpa_ft_pmk_cache_deinit(struct wpa_ft_pmk_cache *cache)
static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
const u8 *spa, const u8 *pmk_r0,
const u8 *pmk_r0_name, int pairwise,
+ const struct vlan_description *vlan,
const int expires_in)
{
struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
@@ -536,6 +717,11 @@ static int wpa_ft_store_pmk_r0(struct wpa_authenticator *wpa_auth,
r0->pairwise = pairwise;
if (expires_in > 0)
r0->expiration = now.sec + expires_in;
+ if (vlan && vlan->notempty) {
+ r0->vlan = os_zalloc(sizeof(*vlan));
+ if (r0->vlan)
+ *r0->vlan = *vlan;
+ }
dl_list_add(&cache->pmk_r0, &r0->list);
@@ -573,6 +759,7 @@ static int wpa_ft_fetch_pmk_r0(struct wpa_authenticator *wpa_auth,
static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
const u8 *spa, const u8 *pmk_r1,
const u8 *pmk_r1_name, int pairwise,
+ const struct vlan_description *vlan,
int expires_in)
{
struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
@@ -588,6 +775,11 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
os_memcpy(r1->pmk_r1_name, pmk_r1_name, WPA_PMK_NAME_LEN);
os_memcpy(r1->spa, spa, ETH_ALEN);
r1->pairwise = pairwise;
+ if (vlan && vlan->notempty) {
+ r1->vlan = os_zalloc(sizeof(*vlan));
+ if (r1->vlan)
+ *r1->vlan = *vlan;
+ }
dl_list_add(&cache->pmk_r1, &r1->list);
@@ -601,7 +793,8 @@ static int wpa_ft_store_pmk_r1(struct wpa_authenticator *wpa_auth,
static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
const u8 *spa, const u8 *pmk_r1_name,
- u8 *pmk_r1, int *pairwise)
+ u8 *pmk_r1, int *pairwise,
+ struct vlan_description *vlan)
{
struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
struct wpa_ft_pmk_r1_sa *r1;
@@ -613,6 +806,10 @@ static int wpa_ft_fetch_pmk_r1(struct wpa_authenticator *wpa_auth,
os_memcpy(pmk_r1, r1->pmk_r1, PMK_LEN);
if (pairwise)
*pairwise = r1->pairwise;
+ if (vlan && r1->vlan)
+ *vlan = *r1->vlan;
+ if (vlan && !r1->vlan)
+ os_memset(vlan, 0, sizeof(*vlan));
return 0;
}
}
@@ -831,7 +1028,7 @@ static int wpa_ft_pull_pmk_r1(struct wpa_state_machine *sm,
};
if (wpa_ft_rrb_build(r0kh->key, sizeof(r0kh->key), &req_hdr,
- req_tlv, NULL, &packet, &packet_len) < 0) {
+ req_tlv, NULL, NULL, &packet, &packet_len) < 0) {
return -1;
}
@@ -868,6 +1065,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
size_t ssid_len = sm->wpa_auth->conf.ssid_len;
int psk_local = sm->wpa_auth->conf.ft_psk_generate_local;
int expires_in = sm->wpa_auth->conf.r0_key_lifetime * 60;
+ struct vlan_description vlan;
if (sm->xxkey_len == 0) {
wpa_printf(MSG_DEBUG, "FT: XXKey not available for key "
@@ -875,13 +1073,19 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
return -1;
}
+ if (wpa_ft_get_vlan(sm->wpa_auth, sm->addr, &vlan) < 0) {
+ wpa_printf(MSG_DEBUG, "FT: vlan not available for STA " MACSTR,
+ MAC2STR(sm->addr));
+ return -1;
+ }
+
wpa_derive_pmk_r0(sm->xxkey, sm->xxkey_len, ssid, ssid_len, mdid,
r0kh, r0kh_len, sm->addr, pmk_r0, pmk_r0_name);
wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, PMK_LEN);
wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN);
if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
- sm->pairwise, expires_in);
+ sm->pairwise, &vlan, expires_in);
wpa_derive_pmk_r1(pmk_r0, pmk_r0_name, r1kh, sm->addr,
pmk_r1, sm->pmk_r1_name);
@@ -891,7 +1095,7 @@ int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, const u8 *pmk,
if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1,
sm->pmk_r1_name, sm->pairwise,
- expires_in);
+ &vlan, expires_in);
return wpa_pmk_r1_to_ptk(pmk_r1, sm->SNonce, sm->ANonce, sm->addr,
sm->wpa_auth->addr, sm->pmk_r1_name,
@@ -1297,7 +1501,8 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
*/
static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
const u8 *req_pmk_r1_name,
- u8 *out_pmk_r1, int *out_pairwise)
+ u8 *out_pmk_r1, int *out_pairwise,
+ struct vlan_description *out_vlan)
{
const u8 *pmk = NULL;
u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
@@ -1334,6 +1539,13 @@ static int wpa_ft_psk_pmk_r1(struct wpa_state_machine *sm,
os_memcpy(out_pmk_r1, pmk_r1, PMK_LEN);
if (out_pairwise)
*out_pairwise = pairwise;
+ if (out_vlan &&
+ wpa_ft_get_vlan(sm->wpa_auth, sm->addr, out_vlan) < 0) {
+ wpa_printf(MSG_DEBUG, "FT: vlan not available for STA "
+ MACSTR, MAC2STR(sm->addr));
+ return -1;
+ }
+
return 0;
}
@@ -1395,6 +1607,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
int ret;
u8 *pos, *end;
int pairwise;
+ struct vlan_description vlan;
*resp_ies = NULL;
*resp_ies_len = 0;
@@ -1455,11 +1668,11 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
if (conf->ft_psk_generate_local &&
wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
- if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise) < 0)
+ if (wpa_ft_psk_pmk_r1(sm, pmk_r1_name, pmk_r1, &pairwise,
+ &vlan) < 0)
return WLAN_STATUS_INVALID_PMKID;
- } else
- if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name, pmk_r1,
- &pairwise) < 0) {
+ } else if (wpa_ft_fetch_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1_name,
+ pmk_r1, &pairwise, &vlan) < 0) {
if (wpa_ft_pull_pmk_r1(sm, ies, ies_len, parse.rsn_pmkid) < 0) {
wpa_printf(MSG_DEBUG, "FT: Did not have matching "
"PMK-R1 and unknown R0KH-ID");
@@ -1494,6 +1707,11 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
sm->PTK_valid = TRUE;
wpa_ft_install_ptk(sm);
+ if (wpa_ft_set_vlan(sm->wpa_auth, sm->addr, &vlan) < 0) {
+ wpa_printf(MSG_DEBUG, "FT: Failed to configure VLAN");
+ return WLAN_STATUS_UNSPECIFIED_FAILURE;
+ }
+
buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
2 + FT_R1KH_ID_LEN + 200;
*resp_ies = os_zalloc(buflen);
@@ -1918,7 +2136,7 @@ static int wpa_ft_rrb_build_r0(const u8 *kek, size_t kek_len,
int ret;
if (!pmk_r0)
- return wpa_ft_rrb_build(kek, kek_len, frame, tlvs, NULL,
+ return wpa_ft_rrb_build(kek, kek_len, frame, tlvs, NULL, NULL,
packet, packet_len);
wpa_derive_pmk_r1(pmk_r0->pmk_r0, pmk_r0->pmk_r0_name, r1kh_id,
@@ -1949,7 +2167,7 @@ static int wpa_ft_rrb_build_r0(const u8 *kek, size_t kek_len,
};
ret = wpa_ft_rrb_build(kek, kek_len, frame, tlvs, sess_tlv,
- packet, packet_len);
+ pmk_r0->vlan, packet, packet_len);
os_memset(pmk_r1, 0, sizeof(pmk_r1));
@@ -2156,6 +2374,7 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth,
int ret = -1;
int expires_in;
int max_expires_in = wpa_auth->conf.r0_key_lifetime * 60;
+ struct vlan_description vlan;
RRB_GET(FT_RRB_R1KH_ID, r1kh_id, msgtype, FT_R1KH_ID_LEN);
if (os_memcmp_const(f_r1kh_id, wpa_auth->conf.r1_key_holder,
@@ -2195,11 +2414,20 @@ static int wpa_ft_rrb_rx_r1(struct wpa_authenticator *wpa_auth,
wpa_printf(MSG_DEBUG, "FT: PMK-R1 %s - expires_in=%d", msgtype,
expires_in);
+ if (wpa_ft_rrb_get_tlv_vlan(plain, plain_len, &vlan) < 0) {
+ wpa_printf(MSG_DEBUG, "FT: PMK-R1 %s without parseable vlan",
+ msgtype);
+ goto out;
+ }
+
+ wpa_printf(MSG_DEBUG, "FT: PMK-R1 %s - vlan %d%s", msgtype,
+ le_to_host16(vlan.untagged), vlan.tagged[0] ? "+" : "");
+
if (expires_in <= 0 || expires_in > max_expires_in)
expires_in = max_expires_in;
if (wpa_ft_store_pmk_r1(wpa_auth, f_s1kh_id, f_pmk_r1, f_pmk_r1_name,
- pairwise, expires_in) < 0)
+ pairwise, &vlan, expires_in) < 0)
return -1;
ret = 0;
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index fe926a4..aca88d2 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -573,6 +573,65 @@ hostapd_wpa_auth_add_sta(void *ctx, const u8 *sta_addr)
}
+
+static int hostapd_wpa_auth_set_vlan(void *ctx, const u8 *sta_addr,
+ struct vlan_description *vlan)
+{
+ struct hostapd_data *hapd = ctx;
+ struct sta_info *sta;
+
+ sta = ap_get_sta(hapd, sta_addr);
+ if (sta == NULL)
+ return -1;
+
+ if (!sta->wpa_sm)
+ return -1;
+
+ if (vlan->notempty &&
+ !hostapd_vlan_valid(hapd->conf->vlan, vlan)) {
+ hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
+ HOSTAPD_LEVEL_INFO, "Invalid VLAN "
+ "%d%s received from FT",
+ vlan->untagged,
+ vlan->tagged[0] ? "+" : "");
+ return -1;
+ }
+
+ if (ap_sta_set_vlan(hapd, sta, vlan) < 0)
+ return -1;
+ /* configure wpa_group for GTK but ignore error due to driver not
+ * knowing this sta
+ */
+ ap_sta_bind_vlan(hapd, sta);
+
+ if (sta->vlan_id)
+ hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
+ HOSTAPD_LEVEL_INFO, "VLAN ID %d", sta->vlan_id);
+
+ return 0;
+}
+
+
+static int
+hostapd_wpa_auth_get_vlan(void *ctx, const u8 *sta_addr,
+ struct vlan_description *vlan)
+{
+ struct hostapd_data *hapd = ctx;
+ struct sta_info *sta;
+
+ sta = ap_get_sta(hapd, sta_addr);
+ if (sta == NULL)
+ return -1;
+
+ if (sta->vlan_desc)
+ *vlan = *sta->vlan_desc;
+ else
+ os_memset(vlan, 0, sizeof(*vlan));
+
+ return 0;
+}
+
+
static void hostapd_rrb_receive(void *ctx, const u8 *src_addr, const u8 *buf,
size_t len)
{
@@ -632,6 +691,8 @@ int hostapd_setup_wpa(struct hostapd_data *hapd)
#ifdef CONFIG_IEEE80211R
cb.send_ft_action = hostapd_wpa_auth_send_ft_action;
cb.add_sta = hostapd_wpa_auth_add_sta;
+ cb.set_vlan = hostapd_wpa_auth_set_vlan;
+ cb.get_vlan = hostapd_wpa_auth_get_vlan;
cb.add_tspec = hostapd_wpa_auth_add_tspec;
#endif /* CONFIG_IEEE80211R */
hapd->wpa_auth = wpa_init(hapd->own_addr, &_conf, &cb);
--
2.1.4
More information about the Hostap
mailing list