ieee802_1x.c revision 214734
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#include "utils/includes.h" 16 17#include "utils/common.h" 18#include "utils/eloop.h" 19#include "crypto/md5.h" 20#include "crypto/crypto.h" 21#include "common/ieee802_11_defs.h" 22#include "common/wpa_ctrl.h" 23#include "radius/radius.h" 24#include "radius/radius_client.h" 25#include "eap_server/eap.h" 26#include "eap_common/eap_wsc_common.h" 27#include "eapol_auth/eapol_auth_sm.h" 28#include "eapol_auth/eapol_auth_sm_i.h" 29#include "hostapd.h" 30#include "accounting.h" 31#include "sta_info.h" 32#include "wpa_auth.h" 33#include "preauth_auth.h" 34#include "pmksa_cache_auth.h" 35#include "ap_config.h" 36#include "ieee802_1x.h" 37 38 39static void ieee802_1x_finished(struct hostapd_data *hapd, 40 struct sta_info *sta, int success); 41 42 43static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 44 u8 type, const u8 *data, size_t datalen) 45{ 46 u8 *buf; 47 struct ieee802_1x_hdr *xhdr; 48 size_t len; 49 int encrypt = 0; 50 51 len = sizeof(*xhdr) + datalen; 52 buf = os_zalloc(len); 53 if (buf == NULL) { 54 wpa_printf(MSG_ERROR, "malloc() failed for " 55 "ieee802_1x_send(len=%lu)", 56 (unsigned long) len); 57 return; 58 } 59 60 xhdr = (struct ieee802_1x_hdr *) buf; 61 xhdr->version = hapd->conf->eapol_version; 62 xhdr->type = type; 63 xhdr->length = host_to_be16(datalen); 64 65 if (datalen > 0 && data != NULL) 66 os_memcpy(xhdr + 1, data, datalen); 67 68 if (wpa_auth_pairwise_set(sta->wpa_sm)) 69 encrypt = 1; 70 if (sta->flags & WLAN_STA_PREAUTH) { 71 rsn_preauth_send(hapd, sta, buf, len); 72 } else { 73 hapd->drv.send_eapol(hapd, sta->addr, buf, len, encrypt); 74 } 75 76 os_free(buf); 77} 78 79 80void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 81 struct sta_info *sta, int authorized) 82{ 83 int res; 84 85 if (sta->flags & WLAN_STA_PREAUTH) 86 return; 87 88 if (authorized) { 89 if (!(sta->flags & WLAN_STA_AUTHORIZED)) 90 wpa_msg(hapd->msg_ctx, MSG_INFO, 91 AP_STA_CONNECTED MACSTR, MAC2STR(sta->addr)); 92 sta->flags |= WLAN_STA_AUTHORIZED; 93 res = hapd->drv.set_authorized(hapd, sta, 1); 94 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 95 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 96 } else { 97 if ((sta->flags & (WLAN_STA_AUTHORIZED | WLAN_STA_ASSOC)) == 98 (WLAN_STA_AUTHORIZED | WLAN_STA_ASSOC)) 99 wpa_msg(hapd->msg_ctx, MSG_INFO, 100 AP_STA_DISCONNECTED MACSTR, 101 MAC2STR(sta->addr)); 102 sta->flags &= ~WLAN_STA_AUTHORIZED; 103 res = hapd->drv.set_authorized(hapd, sta, 0); 104 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 105 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 106 } 107 108 if (res && errno != ENOENT) { 109 printf("Could not set station " MACSTR " flags for kernel " 110 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 111 } 112 113 if (authorized) 114 accounting_sta_start(hapd, sta); 115} 116 117 118static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 119 struct sta_info *sta, 120 int idx, int broadcast, 121 u8 *key_data, size_t key_len) 122{ 123 u8 *buf, *ekey; 124 struct ieee802_1x_hdr *hdr; 125 struct ieee802_1x_eapol_key *key; 126 size_t len, ekey_len; 127 struct eapol_state_machine *sm = sta->eapol_sm; 128 129 if (sm == NULL) 130 return; 131 132 len = sizeof(*key) + key_len; 133 buf = os_zalloc(sizeof(*hdr) + len); 134 if (buf == NULL) 135 return; 136 137 hdr = (struct ieee802_1x_hdr *) buf; 138 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 139 key->type = EAPOL_KEY_TYPE_RC4; 140 key->key_length = htons(key_len); 141 wpa_get_ntp_timestamp(key->replay_counter); 142 143 if (os_get_random(key->key_iv, sizeof(key->key_iv))) { 144 wpa_printf(MSG_ERROR, "Could not get random numbers"); 145 os_free(buf); 146 return; 147 } 148 149 key->key_index = idx | (broadcast ? 0 : BIT(7)); 150 if (hapd->conf->eapol_key_index_workaround) { 151 /* According to some information, WinXP Supplicant seems to 152 * interpret bit7 as an indication whether the key is to be 153 * activated, so make it possible to enable workaround that 154 * sets this bit for all keys. */ 155 key->key_index |= BIT(7); 156 } 157 158 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 159 * MSK[32..63] is used to sign the message. */ 160 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 161 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 162 "and signing EAPOL-Key"); 163 os_free(buf); 164 return; 165 } 166 os_memcpy((u8 *) (key + 1), key_data, key_len); 167 ekey_len = sizeof(key->key_iv) + 32; 168 ekey = os_malloc(ekey_len); 169 if (ekey == NULL) { 170 wpa_printf(MSG_ERROR, "Could not encrypt key"); 171 os_free(buf); 172 return; 173 } 174 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 175 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 176 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 177 os_free(ekey); 178 179 /* This header is needed here for HMAC-MD5, but it will be regenerated 180 * in ieee802_1x_send() */ 181 hdr->version = hapd->conf->eapol_version; 182 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 183 hdr->length = host_to_be16(len); 184 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 185 key->key_signature); 186 187 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 188 " (%s index=%d)", MAC2STR(sm->addr), 189 broadcast ? "broadcast" : "unicast", idx); 190 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 191 if (sta->eapol_sm) 192 sta->eapol_sm->dot1xAuthEapolFramesTx++; 193 os_free(buf); 194} 195 196 197#ifndef CONFIG_NO_VLAN 198static struct hostapd_wep_keys * 199ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 200{ 201 struct hostapd_wep_keys *key; 202 203 key = os_zalloc(sizeof(*key)); 204 if (key == NULL) 205 return NULL; 206 207 key->default_len = hapd->conf->default_wep_key_len; 208 209 if (key->idx >= hapd->conf->broadcast_key_idx_max || 210 key->idx < hapd->conf->broadcast_key_idx_min) 211 key->idx = hapd->conf->broadcast_key_idx_min; 212 else 213 key->idx++; 214 215 if (!key->key[key->idx]) 216 key->key[key->idx] = os_malloc(key->default_len); 217 if (key->key[key->idx] == NULL || 218 os_get_random(key->key[key->idx], key->default_len)) { 219 printf("Could not generate random WEP key (dynamic VLAN).\n"); 220 os_free(key->key[key->idx]); 221 key->key[key->idx] = NULL; 222 os_free(key); 223 return NULL; 224 } 225 key->len[key->idx] = key->default_len; 226 227 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 228 ifname, key->idx); 229 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 230 key->key[key->idx], key->len[key->idx]); 231 232 if (hapd->drv.set_key(ifname, hapd, WPA_ALG_WEP, NULL, key->idx, 1, 233 NULL, 0, key->key[key->idx], key->len[key->idx])) 234 printf("Could not set dynamic VLAN WEP encryption key.\n"); 235 236 hapd->drv.set_drv_ieee8021x(hapd, ifname, 1); 237 238 return key; 239} 240 241 242static struct hostapd_wep_keys * 243ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 244 size_t vlan_id) 245{ 246 const char *ifname; 247 248 if (vlan_id == 0) 249 return &ssid->wep; 250 251 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 252 ssid->dyn_vlan_keys[vlan_id]) 253 return ssid->dyn_vlan_keys[vlan_id]; 254 255 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 256 "state machine for VLAN ID %lu", 257 (unsigned long) vlan_id); 258 259 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 260 if (ifname == NULL) { 261 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 262 "cannot create group key state machine", 263 (unsigned long) vlan_id); 264 return NULL; 265 } 266 267 if (ssid->dyn_vlan_keys == NULL) { 268 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 269 ssid->dyn_vlan_keys = os_zalloc(size); 270 if (ssid->dyn_vlan_keys == NULL) 271 return NULL; 272 ssid->max_dyn_vlan_keys = vlan_id; 273 } 274 275 if (ssid->max_dyn_vlan_keys < vlan_id) { 276 struct hostapd_wep_keys **na; 277 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 278 na = os_realloc(ssid->dyn_vlan_keys, size); 279 if (na == NULL) 280 return NULL; 281 ssid->dyn_vlan_keys = na; 282 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 283 (vlan_id - ssid->max_dyn_vlan_keys) * 284 sizeof(ssid->dyn_vlan_keys[0])); 285 ssid->max_dyn_vlan_keys = vlan_id; 286 } 287 288 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 289 290 return ssid->dyn_vlan_keys[vlan_id]; 291} 292#endif /* CONFIG_NO_VLAN */ 293 294 295void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 296{ 297 struct eapol_authenticator *eapol = hapd->eapol_auth; 298 struct eapol_state_machine *sm = sta->eapol_sm; 299#ifndef CONFIG_NO_VLAN 300 struct hostapd_wep_keys *key = NULL; 301 int vlan_id; 302#endif /* CONFIG_NO_VLAN */ 303 304 if (sm == NULL || !sm->eap_if->eapKeyData) 305 return; 306 307 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 308 MAC2STR(sta->addr)); 309 310#ifndef CONFIG_NO_VLAN 311 vlan_id = sta->vlan_id; 312 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 313 vlan_id = 0; 314 315 if (vlan_id) { 316 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 317 if (key && key->key[key->idx]) 318 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 319 key->key[key->idx], 320 key->len[key->idx]); 321 } else 322#endif /* CONFIG_NO_VLAN */ 323 if (eapol->default_wep_key) { 324 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 325 eapol->default_wep_key, 326 hapd->conf->default_wep_key_len); 327 } 328 329 if (hapd->conf->individual_wep_key_len > 0) { 330 u8 *ikey; 331 ikey = os_malloc(hapd->conf->individual_wep_key_len); 332 if (ikey == NULL || 333 os_get_random(ikey, hapd->conf->individual_wep_key_len)) { 334 wpa_printf(MSG_ERROR, "Could not generate random " 335 "individual WEP key."); 336 os_free(ikey); 337 return; 338 } 339 340 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 341 ikey, hapd->conf->individual_wep_key_len); 342 343 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 344 hapd->conf->individual_wep_key_len); 345 346 /* TODO: set encryption in TX callback, i.e., only after STA 347 * has ACKed EAPOL-Key frame */ 348 if (hapd->drv.set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 349 sta->addr, 0, 1, NULL, 0, ikey, 350 hapd->conf->individual_wep_key_len)) { 351 wpa_printf(MSG_ERROR, "Could not set individual WEP " 352 "encryption."); 353 } 354 355 os_free(ikey); 356 } 357} 358 359 360const char *radius_mode_txt(struct hostapd_data *hapd) 361{ 362 switch (hapd->iface->conf->hw_mode) { 363 case HOSTAPD_MODE_IEEE80211A: 364 return "802.11a"; 365 case HOSTAPD_MODE_IEEE80211G: 366 return "802.11g"; 367 case HOSTAPD_MODE_IEEE80211B: 368 default: 369 return "802.11b"; 370 } 371} 372 373 374int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 375{ 376 int i; 377 u8 rate = 0; 378 379 for (i = 0; i < sta->supported_rates_len; i++) 380 if ((sta->supported_rates[i] & 0x7f) > rate) 381 rate = sta->supported_rates[i] & 0x7f; 382 383 return rate; 384} 385 386 387#ifndef CONFIG_NO_RADIUS 388static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 389 struct eapol_state_machine *sm, 390 const u8 *eap, size_t len) 391{ 392 const u8 *identity; 393 size_t identity_len; 394 395 if (len <= sizeof(struct eap_hdr) || 396 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 397 return; 398 399 identity = eap_get_identity(sm->eap, &identity_len); 400 if (identity == NULL) 401 return; 402 403 /* Save station identity for future RADIUS packets */ 404 os_free(sm->identity); 405 sm->identity = os_malloc(identity_len + 1); 406 if (sm->identity == NULL) { 407 sm->identity_len = 0; 408 return; 409 } 410 411 os_memcpy(sm->identity, identity, identity_len); 412 sm->identity_len = identity_len; 413 sm->identity[identity_len] = '\0'; 414 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 415 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 416 sm->dot1xAuthEapolRespIdFramesRx++; 417} 418 419 420static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 421 struct sta_info *sta, 422 const u8 *eap, size_t len) 423{ 424 struct radius_msg *msg; 425 char buf[128]; 426 struct eapol_state_machine *sm = sta->eapol_sm; 427 428 if (sm == NULL) 429 return; 430 431 ieee802_1x_learn_identity(hapd, sm, eap, len); 432 433 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 434 "packet"); 435 436 sm->radius_identifier = radius_client_get_id(hapd->radius); 437 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 438 sm->radius_identifier); 439 if (msg == NULL) { 440 printf("Could not create net RADIUS packet\n"); 441 return; 442 } 443 444 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 445 446 if (sm->identity && 447 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 448 sm->identity, sm->identity_len)) { 449 printf("Could not add User-Name\n"); 450 goto fail; 451 } 452 453 if (hapd->conf->own_ip_addr.af == AF_INET && 454 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 455 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 456 printf("Could not add NAS-IP-Address\n"); 457 goto fail; 458 } 459 460#ifdef CONFIG_IPV6 461 if (hapd->conf->own_ip_addr.af == AF_INET6 && 462 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 463 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 464 printf("Could not add NAS-IPv6-Address\n"); 465 goto fail; 466 } 467#endif /* CONFIG_IPV6 */ 468 469 if (hapd->conf->nas_identifier && 470 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 471 (u8 *) hapd->conf->nas_identifier, 472 os_strlen(hapd->conf->nas_identifier))) { 473 printf("Could not add NAS-Identifier\n"); 474 goto fail; 475 } 476 477 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 478 printf("Could not add NAS-Port\n"); 479 goto fail; 480 } 481 482 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 483 MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid); 484 buf[sizeof(buf) - 1] = '\0'; 485 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 486 (u8 *) buf, os_strlen(buf))) { 487 printf("Could not add Called-Station-Id\n"); 488 goto fail; 489 } 490 491 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 492 MAC2STR(sta->addr)); 493 buf[sizeof(buf) - 1] = '\0'; 494 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 495 (u8 *) buf, os_strlen(buf))) { 496 printf("Could not add Calling-Station-Id\n"); 497 goto fail; 498 } 499 500 /* TODO: should probably check MTU from driver config; 2304 is max for 501 * IEEE 802.11, but use 1400 to avoid problems with too large packets 502 */ 503 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 504 printf("Could not add Framed-MTU\n"); 505 goto fail; 506 } 507 508 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 509 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 510 printf("Could not add NAS-Port-Type\n"); 511 goto fail; 512 } 513 514 if (sta->flags & WLAN_STA_PREAUTH) { 515 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 516 sizeof(buf)); 517 } else { 518 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 519 radius_sta_rate(hapd, sta) / 2, 520 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 521 radius_mode_txt(hapd)); 522 buf[sizeof(buf) - 1] = '\0'; 523 } 524 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 525 (u8 *) buf, os_strlen(buf))) { 526 printf("Could not add Connect-Info\n"); 527 goto fail; 528 } 529 530 if (eap && !radius_msg_add_eap(msg, eap, len)) { 531 printf("Could not add EAP-Message\n"); 532 goto fail; 533 } 534 535 /* State attribute must be copied if and only if this packet is 536 * Access-Request reply to the previous Access-Challenge */ 537 if (sm->last_recv_radius && 538 radius_msg_get_hdr(sm->last_recv_radius)->code == 539 RADIUS_CODE_ACCESS_CHALLENGE) { 540 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 541 RADIUS_ATTR_STATE); 542 if (res < 0) { 543 printf("Could not copy State attribute from previous " 544 "Access-Challenge\n"); 545 goto fail; 546 } 547 if (res > 0) { 548 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 549 } 550 } 551 552 radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr); 553 return; 554 555 fail: 556 radius_msg_free(msg); 557} 558#endif /* CONFIG_NO_RADIUS */ 559 560 561static void handle_eap_response(struct hostapd_data *hapd, 562 struct sta_info *sta, struct eap_hdr *eap, 563 size_t len) 564{ 565 u8 type, *data; 566 struct eapol_state_machine *sm = sta->eapol_sm; 567 if (sm == NULL) 568 return; 569 570 data = (u8 *) (eap + 1); 571 572 if (len < sizeof(*eap) + 1) { 573 printf("handle_eap_response: too short response data\n"); 574 return; 575 } 576 577 sm->eap_type_supp = type = data[0]; 578 579 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 580 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 581 "id=%d len=%d) from STA: EAP Response-%s (%d)", 582 eap->code, eap->identifier, be_to_host16(eap->length), 583 eap_server_get_name(0, type), type); 584 585 sm->dot1xAuthEapolRespFramesRx++; 586 587 wpabuf_free(sm->eap_if->eapRespData); 588 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 589 sm->eapolEap = TRUE; 590} 591 592 593/* Process incoming EAP packet from Supplicant */ 594static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 595 u8 *buf, size_t len) 596{ 597 struct eap_hdr *eap; 598 u16 eap_len; 599 600 if (len < sizeof(*eap)) { 601 printf(" too short EAP packet\n"); 602 return; 603 } 604 605 eap = (struct eap_hdr *) buf; 606 607 eap_len = be_to_host16(eap->length); 608 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 609 eap->code, eap->identifier, eap_len); 610 if (eap_len < sizeof(*eap)) { 611 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 612 return; 613 } else if (eap_len > len) { 614 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 615 "packet"); 616 return; 617 } else if (eap_len < len) { 618 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 619 "packet", (unsigned long) len - eap_len); 620 } 621 622 switch (eap->code) { 623 case EAP_CODE_REQUEST: 624 wpa_printf(MSG_DEBUG, " (request)"); 625 return; 626 case EAP_CODE_RESPONSE: 627 wpa_printf(MSG_DEBUG, " (response)"); 628 handle_eap_response(hapd, sta, eap, eap_len); 629 break; 630 case EAP_CODE_SUCCESS: 631 wpa_printf(MSG_DEBUG, " (success)"); 632 return; 633 case EAP_CODE_FAILURE: 634 wpa_printf(MSG_DEBUG, " (failure)"); 635 return; 636 default: 637 wpa_printf(MSG_DEBUG, " (unknown code)"); 638 return; 639 } 640} 641 642 643static struct eapol_state_machine * 644ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 645{ 646 int flags = 0; 647 if (sta->flags & WLAN_STA_PREAUTH) 648 flags |= EAPOL_SM_PREAUTH; 649 if (sta->wpa_sm) { 650 flags |= EAPOL_SM_USES_WPA; 651 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 652 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 653 } 654 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 655 sta->wps_ie, sta); 656} 657 658 659/** 660 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 661 * @hapd: hostapd BSS data 662 * @sa: Source address (sender of the EAPOL frame) 663 * @buf: EAPOL frame 664 * @len: Length of buf in octets 665 * 666 * This function is called for each incoming EAPOL frame from the interface 667 */ 668void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 669 size_t len) 670{ 671 struct sta_info *sta; 672 struct ieee802_1x_hdr *hdr; 673 struct ieee802_1x_eapol_key *key; 674 u16 datalen; 675 struct rsn_pmksa_cache_entry *pmksa; 676 677 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 678 !hapd->conf->wps_state) 679 return; 680 681 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 682 (unsigned long) len, MAC2STR(sa)); 683 sta = ap_get_sta(hapd, sa); 684 if (!sta || !(sta->flags & WLAN_STA_ASSOC)) { 685 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 686 "associated STA"); 687 return; 688 } 689 690 if (len < sizeof(*hdr)) { 691 printf(" too short IEEE 802.1X packet\n"); 692 return; 693 } 694 695 hdr = (struct ieee802_1x_hdr *) buf; 696 datalen = be_to_host16(hdr->length); 697 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 698 hdr->version, hdr->type, datalen); 699 700 if (len - sizeof(*hdr) < datalen) { 701 printf(" frame too short for this IEEE 802.1X packet\n"); 702 if (sta->eapol_sm) 703 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 704 return; 705 } 706 if (len - sizeof(*hdr) > datalen) { 707 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 708 "IEEE 802.1X packet", 709 (unsigned long) len - sizeof(*hdr) - datalen); 710 } 711 712 if (sta->eapol_sm) { 713 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 714 sta->eapol_sm->dot1xAuthEapolFramesRx++; 715 } 716 717 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 718 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 719 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 720 (key->type == EAPOL_KEY_TYPE_WPA || 721 key->type == EAPOL_KEY_TYPE_RSN)) { 722 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 723 sizeof(*hdr) + datalen); 724 return; 725 } 726 727 if ((!hapd->conf->ieee802_1x && 728 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) || 729 wpa_key_mgmt_wpa_psk(wpa_auth_sta_key_mgmt(sta->wpa_sm))) 730 return; 731 732 if (!sta->eapol_sm) { 733 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 734 if (!sta->eapol_sm) 735 return; 736 737#ifdef CONFIG_WPS 738 if (!hapd->conf->ieee802_1x && 739 ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 740 WLAN_STA_MAYBE_WPS)) { 741 /* 742 * Delay EAPOL frame transmission until a possible WPS 743 * STA initiates the handshake with EAPOL-Start. 744 */ 745 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 746 } 747#endif /* CONFIG_WPS */ 748 749 sta->eapol_sm->eap_if->portEnabled = TRUE; 750 } 751 752 /* since we support version 1, we can ignore version field and proceed 753 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 754 /* TODO: actually, we are not version 1 anymore.. However, Version 2 755 * does not change frame contents, so should be ok to process frames 756 * more or less identically. Some changes might be needed for 757 * verification of fields. */ 758 759 switch (hdr->type) { 760 case IEEE802_1X_TYPE_EAP_PACKET: 761 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 762 break; 763 764 case IEEE802_1X_TYPE_EAPOL_START: 765 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 766 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 767 "from STA"); 768 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 769 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 770 if (pmksa) { 771 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 772 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 773 "available - ignore it since " 774 "STA sent EAPOL-Start"); 775 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 776 } 777 sta->eapol_sm->eapolStart = TRUE; 778 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 779 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 780 break; 781 782 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 783 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 784 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 785 "from STA"); 786 sta->acct_terminate_cause = 787 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 788 accounting_sta_stop(hapd, sta); 789 sta->eapol_sm->eapolLogoff = TRUE; 790 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 791 break; 792 793 case IEEE802_1X_TYPE_EAPOL_KEY: 794 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 795 if (!(sta->flags & WLAN_STA_AUTHORIZED)) { 796 wpa_printf(MSG_DEBUG, " Dropped key data from " 797 "unauthorized Supplicant"); 798 break; 799 } 800 break; 801 802 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 803 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 804 /* TODO: implement support for this; show data */ 805 break; 806 807 default: 808 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 809 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 810 break; 811 } 812 813 eapol_auth_step(sta->eapol_sm); 814} 815 816 817/** 818 * ieee802_1x_new_station - Start IEEE 802.1X authentication 819 * @hapd: hostapd BSS data 820 * @sta: The station 821 * 822 * This function is called to start IEEE 802.1X authentication when a new 823 * station completes IEEE 802.11 association. 824 */ 825void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 826{ 827 struct rsn_pmksa_cache_entry *pmksa; 828 int reassoc = 1; 829 int force_1x = 0; 830 831#ifdef CONFIG_WPS 832 if (hapd->conf->wps_state && hapd->conf->wpa && 833 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 834 /* 835 * Need to enable IEEE 802.1X/EAPOL state machines for possible 836 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 837 * authentication in this BSS. 838 */ 839 force_1x = 1; 840 } 841#endif /* CONFIG_WPS */ 842 843 if ((!force_1x && !hapd->conf->ieee802_1x) || 844 wpa_key_mgmt_wpa_psk(wpa_auth_sta_key_mgmt(sta->wpa_sm))) 845 return; 846 847 if (sta->eapol_sm == NULL) { 848 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 849 HOSTAPD_LEVEL_DEBUG, "start authentication"); 850 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 851 if (sta->eapol_sm == NULL) { 852 hostapd_logger(hapd, sta->addr, 853 HOSTAPD_MODULE_IEEE8021X, 854 HOSTAPD_LEVEL_INFO, 855 "failed to allocate state machine"); 856 return; 857 } 858 reassoc = 0; 859 } 860 861#ifdef CONFIG_WPS 862 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 863 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS)) { 864 /* 865 * Delay EAPOL frame transmission until a possible WPS 866 * initiates the handshake with EAPOL-Start. 867 */ 868 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 869 } 870#endif /* CONFIG_WPS */ 871 872 sta->eapol_sm->eap_if->portEnabled = TRUE; 873 874 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 875 if (pmksa) { 876 int old_vlanid; 877 878 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 879 HOSTAPD_LEVEL_DEBUG, 880 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 881 /* Setup EAPOL state machines to already authenticated state 882 * because of existing PMKSA information in the cache. */ 883 sta->eapol_sm->keyRun = TRUE; 884 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 885 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 886 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 887 sta->eapol_sm->authSuccess = TRUE; 888 if (sta->eapol_sm->eap) 889 eap_sm_notify_cached(sta->eapol_sm->eap); 890 old_vlanid = sta->vlan_id; 891 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 892 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 893 sta->vlan_id = 0; 894 ap_sta_bind_vlan(hapd, sta, old_vlanid); 895 } else { 896 if (reassoc) { 897 /* 898 * Force EAPOL state machines to start 899 * re-authentication without having to wait for the 900 * Supplicant to send EAPOL-Start. 901 */ 902 sta->eapol_sm->reAuthenticate = TRUE; 903 } 904 eapol_auth_step(sta->eapol_sm); 905 } 906} 907 908 909void ieee802_1x_free_station(struct sta_info *sta) 910{ 911 struct eapol_state_machine *sm = sta->eapol_sm; 912 913 if (sm == NULL) 914 return; 915 916 sta->eapol_sm = NULL; 917 918#ifndef CONFIG_NO_RADIUS 919 radius_msg_free(sm->last_recv_radius); 920 radius_free_class(&sm->radius_class); 921#endif /* CONFIG_NO_RADIUS */ 922 923 os_free(sm->identity); 924 eapol_auth_free(sm); 925} 926 927 928#ifndef CONFIG_NO_RADIUS 929static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 930 struct sta_info *sta) 931{ 932 u8 *eap; 933 size_t len; 934 struct eap_hdr *hdr; 935 int eap_type = -1; 936 char buf[64]; 937 struct radius_msg *msg; 938 struct eapol_state_machine *sm = sta->eapol_sm; 939 940 if (sm == NULL || sm->last_recv_radius == NULL) { 941 if (sm) 942 sm->eap_if->aaaEapNoReq = TRUE; 943 return; 944 } 945 946 msg = sm->last_recv_radius; 947 948 eap = radius_msg_get_eap(msg, &len); 949 if (eap == NULL) { 950 /* RFC 3579, Chap. 2.6.3: 951 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 952 * attribute */ 953 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 954 HOSTAPD_LEVEL_WARNING, "could not extract " 955 "EAP-Message from RADIUS message"); 956 sm->eap_if->aaaEapNoReq = TRUE; 957 return; 958 } 959 960 if (len < sizeof(*hdr)) { 961 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 962 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 963 "received from authentication server"); 964 os_free(eap); 965 sm->eap_if->aaaEapNoReq = TRUE; 966 return; 967 } 968 969 if (len > sizeof(*hdr)) 970 eap_type = eap[sizeof(*hdr)]; 971 972 hdr = (struct eap_hdr *) eap; 973 switch (hdr->code) { 974 case EAP_CODE_REQUEST: 975 if (eap_type >= 0) 976 sm->eap_type_authsrv = eap_type; 977 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 978 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 979 "??", 980 eap_type); 981 break; 982 case EAP_CODE_RESPONSE: 983 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 984 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 985 "??", 986 eap_type); 987 break; 988 case EAP_CODE_SUCCESS: 989 os_strlcpy(buf, "EAP Success", sizeof(buf)); 990 break; 991 case EAP_CODE_FAILURE: 992 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 993 break; 994 default: 995 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 996 break; 997 } 998 buf[sizeof(buf) - 1] = '\0'; 999 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1000 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1001 "id=%d len=%d) from RADIUS server: %s", 1002 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1003 buf); 1004 sm->eap_if->aaaEapReq = TRUE; 1005 1006 wpabuf_free(sm->eap_if->aaaEapReqData); 1007 sm->eap_if->aaaEapReqData = wpabuf_alloc_ext_data(eap, len); 1008} 1009 1010 1011static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1012 struct sta_info *sta, struct radius_msg *msg, 1013 struct radius_msg *req, 1014 const u8 *shared_secret, 1015 size_t shared_secret_len) 1016{ 1017 struct radius_ms_mppe_keys *keys; 1018 struct eapol_state_machine *sm = sta->eapol_sm; 1019 if (sm == NULL) 1020 return; 1021 1022 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1023 shared_secret_len); 1024 1025 if (keys && keys->send && keys->recv) { 1026 size_t len = keys->send_len + keys->recv_len; 1027 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1028 keys->send, keys->send_len); 1029 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1030 keys->recv, keys->recv_len); 1031 1032 os_free(sm->eap_if->aaaEapKeyData); 1033 sm->eap_if->aaaEapKeyData = os_malloc(len); 1034 if (sm->eap_if->aaaEapKeyData) { 1035 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1036 keys->recv_len); 1037 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1038 keys->send, keys->send_len); 1039 sm->eap_if->aaaEapKeyDataLen = len; 1040 sm->eap_if->aaaEapKeyAvailable = TRUE; 1041 } 1042 } 1043 1044 if (keys) { 1045 os_free(keys->send); 1046 os_free(keys->recv); 1047 os_free(keys); 1048 } 1049} 1050 1051 1052static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1053 struct sta_info *sta, 1054 struct radius_msg *msg) 1055{ 1056 u8 *class; 1057 size_t class_len; 1058 struct eapol_state_machine *sm = sta->eapol_sm; 1059 int count, i; 1060 struct radius_attr_data *nclass; 1061 size_t nclass_count; 1062 1063 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1064 sm == NULL) 1065 return; 1066 1067 radius_free_class(&sm->radius_class); 1068 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1069 if (count <= 0) 1070 return; 1071 1072 nclass = os_zalloc(count * sizeof(struct radius_attr_data)); 1073 if (nclass == NULL) 1074 return; 1075 1076 nclass_count = 0; 1077 1078 class = NULL; 1079 for (i = 0; i < count; i++) { 1080 do { 1081 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1082 &class, &class_len, 1083 class) < 0) { 1084 i = count; 1085 break; 1086 } 1087 } while (class_len < 1); 1088 1089 nclass[nclass_count].data = os_malloc(class_len); 1090 if (nclass[nclass_count].data == NULL) 1091 break; 1092 1093 os_memcpy(nclass[nclass_count].data, class, class_len); 1094 nclass[nclass_count].len = class_len; 1095 nclass_count++; 1096 } 1097 1098 sm->radius_class.attr = nclass; 1099 sm->radius_class.count = nclass_count; 1100 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1101 "attributes for " MACSTR, 1102 (unsigned long) sm->radius_class.count, 1103 MAC2STR(sta->addr)); 1104} 1105 1106 1107/* Update sta->identity based on User-Name attribute in Access-Accept */ 1108static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1109 struct sta_info *sta, 1110 struct radius_msg *msg) 1111{ 1112 u8 *buf, *identity; 1113 size_t len; 1114 struct eapol_state_machine *sm = sta->eapol_sm; 1115 1116 if (sm == NULL) 1117 return; 1118 1119 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1120 NULL) < 0) 1121 return; 1122 1123 identity = os_malloc(len + 1); 1124 if (identity == NULL) 1125 return; 1126 1127 os_memcpy(identity, buf, len); 1128 identity[len] = '\0'; 1129 1130 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1131 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1132 "User-Name from Access-Accept '%s'", 1133 sm->identity ? (char *) sm->identity : "N/A", 1134 (char *) identity); 1135 1136 os_free(sm->identity); 1137 sm->identity = identity; 1138 sm->identity_len = len; 1139} 1140 1141 1142struct sta_id_search { 1143 u8 identifier; 1144 struct eapol_state_machine *sm; 1145}; 1146 1147 1148static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1149 struct sta_info *sta, 1150 void *ctx) 1151{ 1152 struct sta_id_search *id_search = ctx; 1153 struct eapol_state_machine *sm = sta->eapol_sm; 1154 1155 if (sm && sm->radius_identifier >= 0 && 1156 sm->radius_identifier == id_search->identifier) { 1157 id_search->sm = sm; 1158 return 1; 1159 } 1160 return 0; 1161} 1162 1163 1164static struct eapol_state_machine * 1165ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1166{ 1167 struct sta_id_search id_search; 1168 id_search.identifier = identifier; 1169 id_search.sm = NULL; 1170 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1171 return id_search.sm; 1172} 1173 1174 1175/** 1176 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1177 * @msg: RADIUS response message 1178 * @req: RADIUS request message 1179 * @shared_secret: RADIUS shared secret 1180 * @shared_secret_len: Length of shared_secret in octets 1181 * @data: Context data (struct hostapd_data *) 1182 * Returns: Processing status 1183 */ 1184static RadiusRxResult 1185ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1186 const u8 *shared_secret, size_t shared_secret_len, 1187 void *data) 1188{ 1189 struct hostapd_data *hapd = data; 1190 struct sta_info *sta; 1191 u32 session_timeout = 0, termination_action, acct_interim_interval; 1192 int session_timeout_set, old_vlanid = 0; 1193 struct eapol_state_machine *sm; 1194 int override_eapReq = 0; 1195 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1196 1197 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1198 if (sm == NULL) { 1199 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1200 "station for this RADIUS message"); 1201 return RADIUS_RX_UNKNOWN; 1202 } 1203 sta = sm->sta; 1204 1205 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1206 * present when packet contains an EAP-Message attribute */ 1207 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1208 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1209 0) < 0 && 1210 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1211 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1212 "Message-Authenticator since it does not include " 1213 "EAP-Message"); 1214 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1215 req, 1)) { 1216 printf("Incoming RADIUS packet did not have correct " 1217 "Message-Authenticator - dropped\n"); 1218 return RADIUS_RX_INVALID_AUTHENTICATOR; 1219 } 1220 1221 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1222 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1223 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1224 printf("Unknown RADIUS message code\n"); 1225 return RADIUS_RX_UNKNOWN; 1226 } 1227 1228 sm->radius_identifier = -1; 1229 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1230 MAC2STR(sta->addr)); 1231 1232 radius_msg_free(sm->last_recv_radius); 1233 sm->last_recv_radius = msg; 1234 1235 session_timeout_set = 1236 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1237 &session_timeout); 1238 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1239 &termination_action)) 1240 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1241 1242 if (hapd->conf->acct_interim_interval == 0 && 1243 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1244 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1245 &acct_interim_interval) == 0) { 1246 if (acct_interim_interval < 60) { 1247 hostapd_logger(hapd, sta->addr, 1248 HOSTAPD_MODULE_IEEE8021X, 1249 HOSTAPD_LEVEL_INFO, 1250 "ignored too small " 1251 "Acct-Interim-Interval %d", 1252 acct_interim_interval); 1253 } else 1254 sta->acct_interim_interval = acct_interim_interval; 1255 } 1256 1257 1258 switch (hdr->code) { 1259 case RADIUS_CODE_ACCESS_ACCEPT: 1260 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1261 sta->vlan_id = 0; 1262#ifndef CONFIG_NO_VLAN 1263 else { 1264 old_vlanid = sta->vlan_id; 1265 sta->vlan_id = radius_msg_get_vlanid(msg); 1266 } 1267 if (sta->vlan_id > 0 && 1268 hostapd_get_vlan_id_ifname(hapd->conf->vlan, 1269 sta->vlan_id)) { 1270 hostapd_logger(hapd, sta->addr, 1271 HOSTAPD_MODULE_RADIUS, 1272 HOSTAPD_LEVEL_INFO, 1273 "VLAN ID %d", sta->vlan_id); 1274 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1275 sta->eapol_sm->authFail = TRUE; 1276 hostapd_logger(hapd, sta->addr, 1277 HOSTAPD_MODULE_IEEE8021X, 1278 HOSTAPD_LEVEL_INFO, "authentication " 1279 "server did not include required VLAN " 1280 "ID in Access-Accept"); 1281 break; 1282 } 1283#endif /* CONFIG_NO_VLAN */ 1284 1285 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1286 break; 1287 1288 /* RFC 3580, Ch. 3.17 */ 1289 if (session_timeout_set && termination_action == 1290 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1291 sm->reAuthPeriod = session_timeout; 1292 } else if (session_timeout_set) 1293 ap_sta_session_timeout(hapd, sta, session_timeout); 1294 1295 sm->eap_if->aaaSuccess = TRUE; 1296 override_eapReq = 1; 1297 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1298 shared_secret_len); 1299 ieee802_1x_store_radius_class(hapd, sta, msg); 1300 ieee802_1x_update_sta_identity(hapd, sta, msg); 1301 if (sm->eap_if->eapKeyAvailable && 1302 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1303 session_timeout_set ? 1304 (int) session_timeout : -1, sm) == 0) { 1305 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1306 HOSTAPD_LEVEL_DEBUG, 1307 "Added PMKSA cache entry"); 1308 } 1309 break; 1310 case RADIUS_CODE_ACCESS_REJECT: 1311 sm->eap_if->aaaFail = TRUE; 1312 override_eapReq = 1; 1313 break; 1314 case RADIUS_CODE_ACCESS_CHALLENGE: 1315 sm->eap_if->aaaEapReq = TRUE; 1316 if (session_timeout_set) { 1317 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1318 sm->eap_if->aaaMethodTimeout = session_timeout; 1319 hostapd_logger(hapd, sm->addr, 1320 HOSTAPD_MODULE_IEEE8021X, 1321 HOSTAPD_LEVEL_DEBUG, 1322 "using EAP timeout of %d seconds (from " 1323 "RADIUS)", 1324 sm->eap_if->aaaMethodTimeout); 1325 } else { 1326 /* 1327 * Use dynamic retransmission behavior per EAP 1328 * specification. 1329 */ 1330 sm->eap_if->aaaMethodTimeout = 0; 1331 } 1332 break; 1333 } 1334 1335 ieee802_1x_decapsulate_radius(hapd, sta); 1336 if (override_eapReq) 1337 sm->eap_if->aaaEapReq = FALSE; 1338 1339 eapol_auth_step(sm); 1340 1341 return RADIUS_RX_QUEUED; 1342} 1343#endif /* CONFIG_NO_RADIUS */ 1344 1345 1346void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1347{ 1348 struct eapol_state_machine *sm = sta->eapol_sm; 1349 if (sm == NULL) 1350 return; 1351 1352 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1353 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1354 1355#ifndef CONFIG_NO_RADIUS 1356 radius_msg_free(sm->last_recv_radius); 1357 sm->last_recv_radius = NULL; 1358#endif /* CONFIG_NO_RADIUS */ 1359 1360 if (sm->eap_if->eapTimeout) { 1361 /* 1362 * Disconnect the STA since it did not reply to the last EAP 1363 * request and we cannot continue EAP processing (EAP-Failure 1364 * could only be sent if the EAP peer actually replied). 1365 */ 1366 sm->eap_if->portEnabled = FALSE; 1367 ap_sta_disconnect(hapd, sta, sta->addr, 1368 WLAN_REASON_PREV_AUTH_NOT_VALID); 1369 } 1370} 1371 1372 1373static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1374{ 1375 struct eapol_authenticator *eapol = hapd->eapol_auth; 1376 1377 if (hapd->conf->default_wep_key_len < 1) 1378 return 0; 1379 1380 os_free(eapol->default_wep_key); 1381 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1382 if (eapol->default_wep_key == NULL || 1383 os_get_random(eapol->default_wep_key, 1384 hapd->conf->default_wep_key_len)) { 1385 printf("Could not generate random WEP key.\n"); 1386 os_free(eapol->default_wep_key); 1387 eapol->default_wep_key = NULL; 1388 return -1; 1389 } 1390 1391 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1392 eapol->default_wep_key, 1393 hapd->conf->default_wep_key_len); 1394 1395 return 0; 1396} 1397 1398 1399static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1400 struct sta_info *sta, void *ctx) 1401{ 1402 if (sta->eapol_sm) { 1403 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1404 eapol_auth_step(sta->eapol_sm); 1405 } 1406 return 0; 1407} 1408 1409 1410static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1411{ 1412 struct hostapd_data *hapd = eloop_ctx; 1413 struct eapol_authenticator *eapol = hapd->eapol_auth; 1414 1415 if (eapol->default_wep_key_idx >= 3) 1416 eapol->default_wep_key_idx = 1417 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1418 else 1419 eapol->default_wep_key_idx++; 1420 1421 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1422 eapol->default_wep_key_idx); 1423 1424 if (ieee802_1x_rekey_broadcast(hapd)) { 1425 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1426 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1427 "new broadcast key"); 1428 os_free(eapol->default_wep_key); 1429 eapol->default_wep_key = NULL; 1430 return; 1431 } 1432 1433 /* TODO: Could setup key for RX here, but change default TX keyid only 1434 * after new broadcast key has been sent to all stations. */ 1435 if (hapd->drv.set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, NULL, 1436 eapol->default_wep_key_idx, 1, NULL, 0, 1437 eapol->default_wep_key, 1438 hapd->conf->default_wep_key_len)) { 1439 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1440 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1441 "new broadcast key"); 1442 os_free(eapol->default_wep_key); 1443 eapol->default_wep_key = NULL; 1444 return; 1445 } 1446 1447 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1448 1449 if (hapd->conf->wep_rekeying_period > 0) { 1450 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1451 ieee802_1x_rekey, hapd, NULL); 1452 } 1453} 1454 1455 1456static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1457 const u8 *data, size_t datalen) 1458{ 1459#ifdef CONFIG_WPS 1460 struct sta_info *sta = sta_ctx; 1461 1462 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1463 WLAN_STA_MAYBE_WPS) { 1464 const u8 *identity; 1465 size_t identity_len; 1466 struct eapol_state_machine *sm = sta->eapol_sm; 1467 1468 identity = eap_get_identity(sm->eap, &identity_len); 1469 if (identity && 1470 ((identity_len == WSC_ID_ENROLLEE_LEN && 1471 os_memcmp(identity, WSC_ID_ENROLLEE, 1472 WSC_ID_ENROLLEE_LEN) == 0) || 1473 (identity_len == WSC_ID_REGISTRAR_LEN && 1474 os_memcmp(identity, WSC_ID_REGISTRAR, 1475 WSC_ID_REGISTRAR_LEN) == 0))) { 1476 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1477 "WLAN_STA_WPS"); 1478 sta->flags |= WLAN_STA_WPS; 1479 } 1480 } 1481#endif /* CONFIG_WPS */ 1482 1483 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1484} 1485 1486 1487static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1488 const u8 *data, size_t datalen) 1489{ 1490#ifndef CONFIG_NO_RADIUS 1491 struct hostapd_data *hapd = ctx; 1492 struct sta_info *sta = sta_ctx; 1493 1494 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1495#endif /* CONFIG_NO_RADIUS */ 1496} 1497 1498 1499static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1500 int preauth) 1501{ 1502 struct hostapd_data *hapd = ctx; 1503 struct sta_info *sta = sta_ctx; 1504 if (preauth) 1505 rsn_preauth_finished(hapd, sta, success); 1506 else 1507 ieee802_1x_finished(hapd, sta, success); 1508} 1509 1510 1511static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1512 size_t identity_len, int phase2, 1513 struct eap_user *user) 1514{ 1515 struct hostapd_data *hapd = ctx; 1516 const struct hostapd_eap_user *eap_user; 1517 int i, count; 1518 1519 eap_user = hostapd_get_eap_user(hapd->conf, identity, 1520 identity_len, phase2); 1521 if (eap_user == NULL) 1522 return -1; 1523 1524 os_memset(user, 0, sizeof(*user)); 1525 user->phase2 = phase2; 1526 count = EAP_USER_MAX_METHODS; 1527 if (count > EAP_MAX_METHODS) 1528 count = EAP_MAX_METHODS; 1529 for (i = 0; i < count; i++) { 1530 user->methods[i].vendor = eap_user->methods[i].vendor; 1531 user->methods[i].method = eap_user->methods[i].method; 1532 } 1533 1534 if (eap_user->password) { 1535 user->password = os_malloc(eap_user->password_len); 1536 if (user->password == NULL) 1537 return -1; 1538 os_memcpy(user->password, eap_user->password, 1539 eap_user->password_len); 1540 user->password_len = eap_user->password_len; 1541 } 1542 user->force_version = eap_user->force_version; 1543 user->ttls_auth = eap_user->ttls_auth; 1544 1545 return 0; 1546} 1547 1548 1549static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1550{ 1551 struct hostapd_data *hapd = ctx; 1552 struct sta_info *sta; 1553 sta = ap_get_sta(hapd, addr); 1554 if (sta == NULL || sta->eapol_sm == NULL) 1555 return 0; 1556 return 1; 1557} 1558 1559 1560static void ieee802_1x_logger(void *ctx, const u8 *addr, 1561 eapol_logger_level level, const char *txt) 1562{ 1563#ifndef CONFIG_NO_HOSTAPD_LOGGER 1564 struct hostapd_data *hapd = ctx; 1565 int hlevel; 1566 1567 switch (level) { 1568 case EAPOL_LOGGER_WARNING: 1569 hlevel = HOSTAPD_LEVEL_WARNING; 1570 break; 1571 case EAPOL_LOGGER_INFO: 1572 hlevel = HOSTAPD_LEVEL_INFO; 1573 break; 1574 case EAPOL_LOGGER_DEBUG: 1575 default: 1576 hlevel = HOSTAPD_LEVEL_DEBUG; 1577 break; 1578 } 1579 1580 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1581 txt); 1582#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1583} 1584 1585 1586static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1587 int authorized) 1588{ 1589 struct hostapd_data *hapd = ctx; 1590 struct sta_info *sta = sta_ctx; 1591 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1592} 1593 1594 1595static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1596{ 1597 struct hostapd_data *hapd = ctx; 1598 struct sta_info *sta = sta_ctx; 1599 ieee802_1x_abort_auth(hapd, sta); 1600} 1601 1602 1603static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1604{ 1605 struct hostapd_data *hapd = ctx; 1606 struct sta_info *sta = sta_ctx; 1607 ieee802_1x_tx_key(hapd, sta); 1608} 1609 1610 1611static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1612 enum eapol_event type) 1613{ 1614 /* struct hostapd_data *hapd = ctx; */ 1615 struct sta_info *sta = sta_ctx; 1616 switch (type) { 1617 case EAPOL_AUTH_SM_CHANGE: 1618 wpa_auth_sm_notify(sta->wpa_sm); 1619 break; 1620 case EAPOL_AUTH_REAUTHENTICATE: 1621 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1622 break; 1623 } 1624} 1625 1626 1627int ieee802_1x_init(struct hostapd_data *hapd) 1628{ 1629 int i; 1630 struct eapol_auth_config conf; 1631 struct eapol_auth_cb cb; 1632 1633 os_memset(&conf, 0, sizeof(conf)); 1634 conf.ctx = hapd; 1635 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1636 conf.wpa = hapd->conf->wpa; 1637 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1638 conf.eap_server = hapd->conf->eap_server; 1639 conf.ssl_ctx = hapd->ssl_ctx; 1640 conf.msg_ctx = hapd->msg_ctx; 1641 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1642 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1643 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1644 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1645 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1646 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1647 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1648 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1649 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1650 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1651 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1652 conf.tnc = hapd->conf->tnc; 1653 conf.wps = hapd->wps; 1654 1655 os_memset(&cb, 0, sizeof(cb)); 1656 cb.eapol_send = ieee802_1x_eapol_send; 1657 cb.aaa_send = ieee802_1x_aaa_send; 1658 cb.finished = _ieee802_1x_finished; 1659 cb.get_eap_user = ieee802_1x_get_eap_user; 1660 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1661 cb.logger = ieee802_1x_logger; 1662 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1663 cb.abort_auth = _ieee802_1x_abort_auth; 1664 cb.tx_key = _ieee802_1x_tx_key; 1665 cb.eapol_event = ieee802_1x_eapol_event; 1666 1667 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1668 if (hapd->eapol_auth == NULL) 1669 return -1; 1670 1671 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1672 hapd->drv.set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1673 return -1; 1674 1675#ifndef CONFIG_NO_RADIUS 1676 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1677 ieee802_1x_receive_auth, hapd)) 1678 return -1; 1679#endif /* CONFIG_NO_RADIUS */ 1680 1681 if (hapd->conf->default_wep_key_len) { 1682 for (i = 0; i < 4; i++) 1683 hapd->drv.set_key(hapd->conf->iface, hapd, 1684 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1685 NULL, 0); 1686 1687 ieee802_1x_rekey(hapd, NULL); 1688 1689 if (hapd->eapol_auth->default_wep_key == NULL) 1690 return -1; 1691 } 1692 1693 return 0; 1694} 1695 1696 1697void ieee802_1x_deinit(struct hostapd_data *hapd) 1698{ 1699 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1700 1701 if (hapd->driver != NULL && 1702 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1703 hapd->drv.set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1704 1705 eapol_auth_deinit(hapd->eapol_auth); 1706 hapd->eapol_auth = NULL; 1707} 1708 1709 1710int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1711 const u8 *buf, size_t len, int ack) 1712{ 1713 struct ieee80211_hdr *hdr; 1714 struct ieee802_1x_hdr *xhdr; 1715 struct ieee802_1x_eapol_key *key; 1716 u8 *pos; 1717 const unsigned char rfc1042_hdr[ETH_ALEN] = 1718 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1719 1720 if (sta == NULL) 1721 return -1; 1722 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2 + sizeof(*xhdr)) 1723 return 0; 1724 1725 hdr = (struct ieee80211_hdr *) buf; 1726 pos = (u8 *) (hdr + 1); 1727 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1728 return 0; 1729 pos += sizeof(rfc1042_hdr); 1730 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1731 return 0; 1732 pos += 2; 1733 1734 xhdr = (struct ieee802_1x_hdr *) pos; 1735 pos += sizeof(*xhdr); 1736 1737 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1738 "type=%d length=%d - ack=%d", 1739 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1740 be_to_host16(xhdr->length), ack); 1741 1742 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1743 * or Authenticator state machines, but EAPOL-Key packets are not 1744 * retransmitted in case of failure. Try to re-sent failed EAPOL-Key 1745 * packets couple of times because otherwise STA keys become 1746 * unsynchronized with AP. */ 1747 if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && !ack && 1748 pos + sizeof(*key) <= buf + len) { 1749 key = (struct ieee802_1x_eapol_key *) pos; 1750 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1751 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1752 "frame (%scast index=%d)", 1753 key->key_index & BIT(7) ? "uni" : "broad", 1754 key->key_index & ~BIT(7)); 1755 /* TODO: re-send EAPOL-Key couple of times (with short delay 1756 * between them?). If all attempt fail, report error and 1757 * deauthenticate STA so that it will get new keys when 1758 * authenticating again (e.g., after returning in range). 1759 * Separate limit/transmit state needed both for unicast and 1760 * broadcast keys(?) */ 1761 } 1762 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1763 * to here and change the key only if the EAPOL-Key packet was Acked. 1764 */ 1765 1766 return 1; 1767} 1768 1769 1770u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1771{ 1772 if (sm == NULL || sm->identity == NULL) 1773 return NULL; 1774 1775 *len = sm->identity_len; 1776 return sm->identity; 1777} 1778 1779 1780u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1781 int idx) 1782{ 1783 if (sm == NULL || sm->radius_class.attr == NULL || 1784 idx >= (int) sm->radius_class.count) 1785 return NULL; 1786 1787 *len = sm->radius_class.attr[idx].len; 1788 return sm->radius_class.attr[idx].data; 1789} 1790 1791 1792const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 1793{ 1794 if (sm == NULL) 1795 return NULL; 1796 1797 *len = sm->eap_if->eapKeyDataLen; 1798 return sm->eap_if->eapKeyData; 1799} 1800 1801 1802void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 1803 int enabled) 1804{ 1805 if (sm == NULL) 1806 return; 1807 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 1808 eapol_auth_step(sm); 1809} 1810 1811 1812void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 1813 int valid) 1814{ 1815 if (sm == NULL) 1816 return; 1817 sm->portValid = valid ? TRUE : FALSE; 1818 eapol_auth_step(sm); 1819} 1820 1821 1822void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 1823{ 1824 if (sm == NULL) 1825 return; 1826 if (pre_auth) 1827 sm->flags |= EAPOL_SM_PREAUTH; 1828 else 1829 sm->flags &= ~EAPOL_SM_PREAUTH; 1830} 1831 1832 1833static const char * bool_txt(Boolean bool) 1834{ 1835 return bool ? "TRUE" : "FALSE"; 1836} 1837 1838 1839int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 1840{ 1841 /* TODO */ 1842 return 0; 1843} 1844 1845 1846int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 1847 char *buf, size_t buflen) 1848{ 1849 int len = 0, ret; 1850 struct eapol_state_machine *sm = sta->eapol_sm; 1851 1852 if (sm == NULL) 1853 return 0; 1854 1855 ret = os_snprintf(buf + len, buflen - len, 1856 "dot1xPaePortNumber=%d\n" 1857 "dot1xPaePortProtocolVersion=%d\n" 1858 "dot1xPaePortCapabilities=1\n" 1859 "dot1xPaePortInitialize=%d\n" 1860 "dot1xPaePortReauthenticate=FALSE\n", 1861 sta->aid, 1862 EAPOL_VERSION, 1863 sm->initialize); 1864 if (ret < 0 || (size_t) ret >= buflen - len) 1865 return len; 1866 len += ret; 1867 1868 /* dot1xAuthConfigTable */ 1869 ret = os_snprintf(buf + len, buflen - len, 1870 "dot1xAuthPaeState=%d\n" 1871 "dot1xAuthBackendAuthState=%d\n" 1872 "dot1xAuthAdminControlledDirections=%d\n" 1873 "dot1xAuthOperControlledDirections=%d\n" 1874 "dot1xAuthAuthControlledPortStatus=%d\n" 1875 "dot1xAuthAuthControlledPortControl=%d\n" 1876 "dot1xAuthQuietPeriod=%u\n" 1877 "dot1xAuthServerTimeout=%u\n" 1878 "dot1xAuthReAuthPeriod=%u\n" 1879 "dot1xAuthReAuthEnabled=%s\n" 1880 "dot1xAuthKeyTxEnabled=%s\n", 1881 sm->auth_pae_state + 1, 1882 sm->be_auth_state + 1, 1883 sm->adminControlledDirections, 1884 sm->operControlledDirections, 1885 sm->authPortStatus, 1886 sm->portControl, 1887 sm->quietPeriod, 1888 sm->serverTimeout, 1889 sm->reAuthPeriod, 1890 bool_txt(sm->reAuthEnabled), 1891 bool_txt(sm->keyTxEnabled)); 1892 if (ret < 0 || (size_t) ret >= buflen - len) 1893 return len; 1894 len += ret; 1895 1896 /* dot1xAuthStatsTable */ 1897 ret = os_snprintf(buf + len, buflen - len, 1898 "dot1xAuthEapolFramesRx=%u\n" 1899 "dot1xAuthEapolFramesTx=%u\n" 1900 "dot1xAuthEapolStartFramesRx=%u\n" 1901 "dot1xAuthEapolLogoffFramesRx=%u\n" 1902 "dot1xAuthEapolRespIdFramesRx=%u\n" 1903 "dot1xAuthEapolRespFramesRx=%u\n" 1904 "dot1xAuthEapolReqIdFramesTx=%u\n" 1905 "dot1xAuthEapolReqFramesTx=%u\n" 1906 "dot1xAuthInvalidEapolFramesRx=%u\n" 1907 "dot1xAuthEapLengthErrorFramesRx=%u\n" 1908 "dot1xAuthLastEapolFrameVersion=%u\n" 1909 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 1910 sm->dot1xAuthEapolFramesRx, 1911 sm->dot1xAuthEapolFramesTx, 1912 sm->dot1xAuthEapolStartFramesRx, 1913 sm->dot1xAuthEapolLogoffFramesRx, 1914 sm->dot1xAuthEapolRespIdFramesRx, 1915 sm->dot1xAuthEapolRespFramesRx, 1916 sm->dot1xAuthEapolReqIdFramesTx, 1917 sm->dot1xAuthEapolReqFramesTx, 1918 sm->dot1xAuthInvalidEapolFramesRx, 1919 sm->dot1xAuthEapLengthErrorFramesRx, 1920 sm->dot1xAuthLastEapolFrameVersion, 1921 MAC2STR(sm->addr)); 1922 if (ret < 0 || (size_t) ret >= buflen - len) 1923 return len; 1924 len += ret; 1925 1926 /* dot1xAuthDiagTable */ 1927 ret = os_snprintf(buf + len, buflen - len, 1928 "dot1xAuthEntersConnecting=%u\n" 1929 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 1930 "dot1xAuthEntersAuthenticating=%u\n" 1931 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 1932 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 1933 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 1934 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 1935 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 1936 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 1937 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 1938 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 1939 "dot1xAuthBackendResponses=%u\n" 1940 "dot1xAuthBackendAccessChallenges=%u\n" 1941 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 1942 "dot1xAuthBackendAuthSuccesses=%u\n" 1943 "dot1xAuthBackendAuthFails=%u\n", 1944 sm->authEntersConnecting, 1945 sm->authEapLogoffsWhileConnecting, 1946 sm->authEntersAuthenticating, 1947 sm->authAuthSuccessesWhileAuthenticating, 1948 sm->authAuthTimeoutsWhileAuthenticating, 1949 sm->authAuthFailWhileAuthenticating, 1950 sm->authAuthEapStartsWhileAuthenticating, 1951 sm->authAuthEapLogoffWhileAuthenticating, 1952 sm->authAuthReauthsWhileAuthenticated, 1953 sm->authAuthEapStartsWhileAuthenticated, 1954 sm->authAuthEapLogoffWhileAuthenticated, 1955 sm->backendResponses, 1956 sm->backendAccessChallenges, 1957 sm->backendOtherRequestsToSupplicant, 1958 sm->backendAuthSuccesses, 1959 sm->backendAuthFails); 1960 if (ret < 0 || (size_t) ret >= buflen - len) 1961 return len; 1962 len += ret; 1963 1964 /* dot1xAuthSessionStatsTable */ 1965 ret = os_snprintf(buf + len, buflen - len, 1966 /* TODO: dot1xAuthSessionOctetsRx */ 1967 /* TODO: dot1xAuthSessionOctetsTx */ 1968 /* TODO: dot1xAuthSessionFramesRx */ 1969 /* TODO: dot1xAuthSessionFramesTx */ 1970 "dot1xAuthSessionId=%08X-%08X\n" 1971 "dot1xAuthSessionAuthenticMethod=%d\n" 1972 "dot1xAuthSessionTime=%u\n" 1973 "dot1xAuthSessionTerminateCause=999\n" 1974 "dot1xAuthSessionUserName=%s\n", 1975 sta->acct_session_id_hi, sta->acct_session_id_lo, 1976 (wpa_key_mgmt_wpa_ieee8021x( 1977 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 1978 1 : 2, 1979 (unsigned int) (time(NULL) - 1980 sta->acct_session_start), 1981 sm->identity); 1982 if (ret < 0 || (size_t) ret >= buflen - len) 1983 return len; 1984 len += ret; 1985 1986 return len; 1987} 1988 1989 1990static void ieee802_1x_finished(struct hostapd_data *hapd, 1991 struct sta_info *sta, int success) 1992{ 1993 const u8 *key; 1994 size_t len; 1995 /* TODO: get PMKLifetime from WPA parameters */ 1996 static const int dot11RSNAConfigPMKLifetime = 43200; 1997 1998 key = ieee802_1x_get_key(sta->eapol_sm, &len); 1999 if (success && key && len >= PMK_LEN && 2000 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2001 sta->eapol_sm) == 0) { 2002 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2003 HOSTAPD_LEVEL_DEBUG, 2004 "Added PMKSA cache entry (IEEE 802.1X)"); 2005 } 2006 2007#ifdef CONFIG_WPS 2008 if (!success && (sta->flags & WLAN_STA_WPS)) { 2009 /* 2010 * Many devices require deauthentication after WPS provisioning 2011 * and some may not be be able to do that themselves, so 2012 * disconnect the client here. 2013 */ 2014 wpa_printf(MSG_DEBUG, "WPS: Force disconnection after " 2015 "EAP-Failure"); 2016 /* Add a small sleep to increase likelihood of previously 2017 * requested EAP-Failure TX getting out before this should the 2018 * driver reorder operations. 2019 */ 2020 os_sleep(0, 10000); 2021 ap_sta_disconnect(hapd, sta, sta->addr, 2022 WLAN_REASON_PREV_AUTH_NOT_VALID); 2023 } 2024#endif /* CONFIG_WPS */ 2025} 2026