ieee802_1x.c revision 289549
178556Sobrien/* 278556Sobrien * hostapd / IEEE 802.1X-2004 Authenticator 378556Sobrien * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 478556Sobrien * 578556Sobrien * This software may be distributed under the terms of the BSD license. 678556Sobrien * See README for more details. 7167974Sdelphij */ 8167974Sdelphij 9167974Sdelphij#include "utils/includes.h" 1078556Sobrien 11351008Sdelphij#include "utils/common.h" 12351008Sdelphij#include "utils/eloop.h" 1378556Sobrien#include "crypto/md5.h" 14167974Sdelphij#include "crypto/crypto.h" 15167974Sdelphij#include "crypto/random.h" 1678556Sobrien#include "common/ieee802_11_defs.h" 17167974Sdelphij#include "radius/radius.h" 18167974Sdelphij#include "radius/radius_client.h" 19167974Sdelphij#include "eap_server/eap.h" 2078556Sobrien#include "eap_common/eap_wsc_common.h" 2178556Sobrien#include "eapol_auth/eapol_auth_sm.h" 2278556Sobrien#include "eapol_auth/eapol_auth_sm_i.h" 2378556Sobrien#include "p2p/p2p.h" 2478556Sobrien#include "hostapd.h" 2578556Sobrien#include "accounting.h" 2678556Sobrien#include "sta_info.h" 2778556Sobrien#include "wpa_auth.h" 2878556Sobrien#include "preauth_auth.h" 2978556Sobrien#include "pmksa_cache_auth.h" 3078556Sobrien#include "ap_config.h" 3178556Sobrien#include "ap_drv_ops.h" 3278556Sobrien#include "wps_hostapd.h" 3378556Sobrien#include "hs20.h" 3478556Sobrien#include "ieee802_1x.h" 3578556Sobrien 3678556Sobrien 3778556Sobrienstatic void ieee802_1x_finished(struct hostapd_data *hapd, 3878556Sobrien struct sta_info *sta, int success, 3978556Sobrien int remediation); 4078556Sobrien 4178556Sobrien 4278556Sobrienstatic void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 4378556Sobrien u8 type, const u8 *data, size_t datalen) 4478556Sobrien{ 4578556Sobrien u8 *buf; 4678556Sobrien struct ieee802_1x_hdr *xhdr; 4778556Sobrien size_t len; 4878556Sobrien int encrypt = 0; 4978556Sobrien 5078556Sobrien len = sizeof(*xhdr) + datalen; 5178556Sobrien buf = os_zalloc(len); 5278556Sobrien if (buf == NULL) { 5378556Sobrien wpa_printf(MSG_ERROR, "malloc() failed for " 5478556Sobrien "ieee802_1x_send(len=%lu)", 5578556Sobrien (unsigned long) len); 5678556Sobrien return; 5778556Sobrien } 5878556Sobrien 5978556Sobrien xhdr = (struct ieee802_1x_hdr *) buf; 6078556Sobrien xhdr->version = hapd->conf->eapol_version; 6178556Sobrien xhdr->type = type; 6278556Sobrien xhdr->length = host_to_be16(datalen); 6378556Sobrien 6478556Sobrien if (datalen > 0 && data != NULL) 6578556Sobrien os_memcpy(xhdr + 1, data, datalen); 6678556Sobrien 6778556Sobrien if (wpa_auth_pairwise_set(sta->wpa_sm)) 6878556Sobrien encrypt = 1; 6978556Sobrien#ifdef CONFIG_TESTING_OPTIONS 7078556Sobrien if (hapd->ext_eapol_frame_io) { 7178556Sobrien size_t hex_len = 2 * len + 1; 7278556Sobrien char *hex = os_malloc(hex_len); 73146293Sobrien 7490067Ssobomax if (hex) { 7590067Ssobomax wpa_snprintf_hex(hex, hex_len, buf, len); 76146293Sobrien wpa_msg(hapd->msg_ctx, MSG_INFO, 7790067Ssobomax "EAPOL-TX " MACSTR " %s", 7878556Sobrien MAC2STR(sta->addr), hex); 7978556Sobrien os_free(hex); 8078556Sobrien } 8178556Sobrien } else 8278556Sobrien#endif /* CONFIG_TESTING_OPTIONS */ 8378556Sobrien if (sta->flags & WLAN_STA_PREAUTH) { 8478556Sobrien rsn_preauth_send(hapd, sta, buf, len); 8578556Sobrien } else { 8678556Sobrien hostapd_drv_hapd_send_eapol( 8778556Sobrien hapd, sta->addr, buf, len, 8878556Sobrien encrypt, hostapd_sta_flags_to_drv(sta->flags)); 8978556Sobrien } 9078556Sobrien 9178556Sobrien os_free(buf); 9278556Sobrien} 9378556Sobrien 9478556Sobrien 9578556Sobrienvoid ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 9678556Sobrien struct sta_info *sta, int authorized) 9778556Sobrien{ 9878556Sobrien int res; 9978556Sobrien 10078556Sobrien if (sta->flags & WLAN_STA_PREAUTH) 10178556Sobrien return; 10278556Sobrien 10378556Sobrien if (authorized) { 10478556Sobrien ap_sta_set_authorized(hapd, sta, 1); 10578556Sobrien res = hostapd_set_authorized(hapd, sta, 1); 10678556Sobrien hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 10778556Sobrien HOSTAPD_LEVEL_DEBUG, "authorizing port"); 10878556Sobrien } else { 10978556Sobrien ap_sta_set_authorized(hapd, sta, 0); 11078556Sobrien res = hostapd_set_authorized(hapd, sta, 0); 11178556Sobrien hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 11278556Sobrien HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 11378556Sobrien } 11478556Sobrien 11578556Sobrien if (res && errno != ENOENT) { 11678556Sobrien wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 11778556Sobrien " flags for kernel driver (errno=%d).", 11878556Sobrien MAC2STR(sta->addr), errno); 11978556Sobrien } 12078556Sobrien 12178556Sobrien if (authorized) { 12278556Sobrien os_get_reltime(&sta->connected_time); 12378556Sobrien accounting_sta_start(hapd, sta); 12478556Sobrien } 12578556Sobrien} 12678556Sobrien 12778556Sobrien 12878556Sobrien#ifndef CONFIG_FIPS 12978556Sobrien#ifndef CONFIG_NO_RC4 13078556Sobrien 13178556Sobrienstatic void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 13278556Sobrien struct sta_info *sta, 13378556Sobrien int idx, int broadcast, 13478556Sobrien u8 *key_data, size_t key_len) 13578556Sobrien{ 13678556Sobrien u8 *buf, *ekey; 13778556Sobrien struct ieee802_1x_hdr *hdr; 13878556Sobrien struct ieee802_1x_eapol_key *key; 13978556Sobrien size_t len, ekey_len; 14078556Sobrien struct eapol_state_machine *sm = sta->eapol_sm; 14178556Sobrien 14278556Sobrien if (sm == NULL) 14378556Sobrien return; 14478556Sobrien 14578556Sobrien len = sizeof(*key) + key_len; 14678556Sobrien buf = os_zalloc(sizeof(*hdr) + len); 14778556Sobrien if (buf == NULL) 14878556Sobrien return; 14978556Sobrien 15078556Sobrien hdr = (struct ieee802_1x_hdr *) buf; 15178556Sobrien key = (struct ieee802_1x_eapol_key *) (hdr + 1); 15278556Sobrien key->type = EAPOL_KEY_TYPE_RC4; 15378556Sobrien WPA_PUT_BE16(key->key_length, key_len); 15478556Sobrien wpa_get_ntp_timestamp(key->replay_counter); 15578556Sobrien 15678556Sobrien if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 15778556Sobrien wpa_printf(MSG_ERROR, "Could not get random numbers"); 15878556Sobrien os_free(buf); 15978556Sobrien return; 16078556Sobrien } 16178556Sobrien 16278556Sobrien key->key_index = idx | (broadcast ? 0 : BIT(7)); 16378556Sobrien if (hapd->conf->eapol_key_index_workaround) { 16478556Sobrien /* According to some information, WinXP Supplicant seems to 16578556Sobrien * interpret bit7 as an indication whether the key is to be 16678556Sobrien * activated, so make it possible to enable workaround that 16778556Sobrien * sets this bit for all keys. */ 16878556Sobrien key->key_index |= BIT(7); 16978556Sobrien } 17078556Sobrien 17178556Sobrien /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 17278556Sobrien * MSK[32..63] is used to sign the message. */ 17378556Sobrien if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 17478556Sobrien wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 17578556Sobrien "and signing EAPOL-Key"); 17678556Sobrien os_free(buf); 17778556Sobrien return; 17878556Sobrien } 17978556Sobrien os_memcpy((u8 *) (key + 1), key_data, key_len); 18078556Sobrien ekey_len = sizeof(key->key_iv) + 32; 18178556Sobrien ekey = os_malloc(ekey_len); 18278556Sobrien if (ekey == NULL) { 18378556Sobrien wpa_printf(MSG_ERROR, "Could not encrypt key"); 18478556Sobrien os_free(buf); 18578556Sobrien return; 18678556Sobrien } 18778556Sobrien os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 18878556Sobrien os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 18978556Sobrien rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 19078556Sobrien os_free(ekey); 19178556Sobrien 19278556Sobrien /* This header is needed here for HMAC-MD5, but it will be regenerated 19378556Sobrien * in ieee802_1x_send() */ 19478556Sobrien hdr->version = hapd->conf->eapol_version; 19578556Sobrien hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 19678556Sobrien hdr->length = host_to_be16(len); 19778556Sobrien hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 19878556Sobrien key->key_signature); 19978556Sobrien 20078556Sobrien wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 20178556Sobrien " (%s index=%d)", MAC2STR(sm->addr), 20278556Sobrien broadcast ? "broadcast" : "unicast", idx); 20378556Sobrien ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 20478556Sobrien if (sta->eapol_sm) 20578556Sobrien sta->eapol_sm->dot1xAuthEapolFramesTx++; 20678556Sobrien os_free(buf); 20778556Sobrien} 20878556Sobrien 20978556Sobrien 21078556Sobrienstatic void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 21178556Sobrien{ 21278556Sobrien struct eapol_authenticator *eapol = hapd->eapol_auth; 21378556Sobrien struct eapol_state_machine *sm = sta->eapol_sm; 21478556Sobrien 21578556Sobrien if (sm == NULL || !sm->eap_if->eapKeyData) 21678556Sobrien return; 21778556Sobrien 21878556Sobrien wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 21978556Sobrien MAC2STR(sta->addr)); 22078556Sobrien 22178556Sobrien#ifndef CONFIG_NO_VLAN 22278556Sobrien if (sta->vlan_id > 0 && sta->vlan_id <= MAX_VLAN_ID) { 22378556Sobrien wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 22478556Sobrien return; 225167974Sdelphij } 22678556Sobrien#endif /* CONFIG_NO_VLAN */ 22778556Sobrien 22878556Sobrien if (eapol->default_wep_key) { 22978556Sobrien ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 23078556Sobrien eapol->default_wep_key, 23178556Sobrien hapd->conf->default_wep_key_len); 23278556Sobrien } 23378556Sobrien 23478556Sobrien if (hapd->conf->individual_wep_key_len > 0) { 23578556Sobrien u8 *ikey; 23678556Sobrien ikey = os_malloc(hapd->conf->individual_wep_key_len); 23778556Sobrien if (ikey == NULL || 23878556Sobrien random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 23978556Sobrien { 24078556Sobrien wpa_printf(MSG_ERROR, "Could not generate random " 24178556Sobrien "individual WEP key."); 24278556Sobrien os_free(ikey); 24378556Sobrien return; 24478556Sobrien } 24578556Sobrien 24678556Sobrien wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 24778556Sobrien ikey, hapd->conf->individual_wep_key_len); 24878556Sobrien 24978556Sobrien ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 25078556Sobrien hapd->conf->individual_wep_key_len); 25178556Sobrien 25278556Sobrien /* TODO: set encryption in TX callback, i.e., only after STA 25378556Sobrien * has ACKed EAPOL-Key frame */ 25478556Sobrien if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 25578556Sobrien sta->addr, 0, 1, NULL, 0, ikey, 25678556Sobrien hapd->conf->individual_wep_key_len)) { 25778556Sobrien wpa_printf(MSG_ERROR, "Could not set individual WEP " 25878556Sobrien "encryption."); 25978556Sobrien } 26078556Sobrien 26178556Sobrien os_free(ikey); 26278556Sobrien } 26378556Sobrien} 26478556Sobrien 26578556Sobrien#endif /* CONFIG_NO_RC4 */ 26678556Sobrien#endif /* CONFIG_FIPS */ 26778556Sobrien 26878556Sobrien 26978556Sobrienconst char *radius_mode_txt(struct hostapd_data *hapd) 27078556Sobrien{ 27178556Sobrien switch (hapd->iface->conf->hw_mode) { 27278556Sobrien case HOSTAPD_MODE_IEEE80211AD: 27378556Sobrien return "802.11ad"; 27478556Sobrien case HOSTAPD_MODE_IEEE80211A: 27578556Sobrien return "802.11a"; 27678556Sobrien case HOSTAPD_MODE_IEEE80211G: 27778556Sobrien return "802.11g"; 27878556Sobrien case HOSTAPD_MODE_IEEE80211B: 27978556Sobrien default: 28078556Sobrien return "802.11b"; 28178556Sobrien } 28278556Sobrien} 283 284 285int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 286{ 287 int i; 288 u8 rate = 0; 289 290 for (i = 0; i < sta->supported_rates_len; i++) 291 if ((sta->supported_rates[i] & 0x7f) > rate) 292 rate = sta->supported_rates[i] & 0x7f; 293 294 return rate; 295} 296 297 298#ifndef CONFIG_NO_RADIUS 299static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 300 struct eapol_state_machine *sm, 301 const u8 *eap, size_t len) 302{ 303 const u8 *identity; 304 size_t identity_len; 305 const struct eap_hdr *hdr = (const struct eap_hdr *) eap; 306 307 if (len <= sizeof(struct eap_hdr) || 308 (hdr->code == EAP_CODE_RESPONSE && 309 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) || 310 (hdr->code == EAP_CODE_INITIATE && 311 eap[sizeof(struct eap_hdr)] != EAP_ERP_TYPE_REAUTH) || 312 (hdr->code != EAP_CODE_RESPONSE && 313 hdr->code != EAP_CODE_INITIATE)) 314 return; 315 316 identity = eap_get_identity(sm->eap, &identity_len); 317 if (identity == NULL) 318 return; 319 320 /* Save station identity for future RADIUS packets */ 321 os_free(sm->identity); 322 sm->identity = (u8 *) dup_binstr(identity, identity_len); 323 if (sm->identity == NULL) { 324 sm->identity_len = 0; 325 return; 326 } 327 328 sm->identity_len = identity_len; 329 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 330 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 331 sm->dot1xAuthEapolRespIdFramesRx++; 332} 333 334 335static int add_common_radius_sta_attr_rsn(struct hostapd_data *hapd, 336 struct hostapd_radius_attr *req_attr, 337 struct sta_info *sta, 338 struct radius_msg *msg) 339{ 340 u32 suite; 341 int ver, val; 342 343 ver = wpa_auth_sta_wpa_version(sta->wpa_sm); 344 val = wpa_auth_get_pairwise(sta->wpa_sm); 345 suite = wpa_cipher_to_suite(ver, val); 346 if (val != -1 && 347 !hostapd_config_get_radius_attr(req_attr, 348 RADIUS_ATTR_WLAN_PAIRWISE_CIPHER) && 349 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_PAIRWISE_CIPHER, 350 suite)) { 351 wpa_printf(MSG_ERROR, "Could not add WLAN-Pairwise-Cipher"); 352 return -1; 353 } 354 355 suite = wpa_cipher_to_suite(((hapd->conf->wpa & 0x2) || 356 hapd->conf->osen) ? 357 WPA_PROTO_RSN : WPA_PROTO_WPA, 358 hapd->conf->wpa_group); 359 if (!hostapd_config_get_radius_attr(req_attr, 360 RADIUS_ATTR_WLAN_GROUP_CIPHER) && 361 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_GROUP_CIPHER, 362 suite)) { 363 wpa_printf(MSG_ERROR, "Could not add WLAN-Group-Cipher"); 364 return -1; 365 } 366 367 val = wpa_auth_sta_key_mgmt(sta->wpa_sm); 368 suite = wpa_akm_to_suite(val); 369 if (val != -1 && 370 !hostapd_config_get_radius_attr(req_attr, 371 RADIUS_ATTR_WLAN_AKM_SUITE) && 372 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_AKM_SUITE, 373 suite)) { 374 wpa_printf(MSG_ERROR, "Could not add WLAN-AKM-Suite"); 375 return -1; 376 } 377 378#ifdef CONFIG_IEEE80211W 379 if (hapd->conf->ieee80211w != NO_MGMT_FRAME_PROTECTION) { 380 suite = wpa_cipher_to_suite(WPA_PROTO_RSN, 381 hapd->conf->group_mgmt_cipher); 382 if (!hostapd_config_get_radius_attr( 383 req_attr, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER) && 384 !radius_msg_add_attr_int32( 385 msg, RADIUS_ATTR_WLAN_GROUP_MGMT_CIPHER, suite)) { 386 wpa_printf(MSG_ERROR, 387 "Could not add WLAN-Group-Mgmt-Cipher"); 388 return -1; 389 } 390 } 391#endif /* CONFIG_IEEE80211W */ 392 393 return 0; 394} 395 396 397static int add_common_radius_sta_attr(struct hostapd_data *hapd, 398 struct hostapd_radius_attr *req_attr, 399 struct sta_info *sta, 400 struct radius_msg *msg) 401{ 402 char buf[128]; 403 404 if (!hostapd_config_get_radius_attr(req_attr, 405 RADIUS_ATTR_NAS_PORT) && 406 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 407 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 408 return -1; 409 } 410 411 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 412 MAC2STR(sta->addr)); 413 buf[sizeof(buf) - 1] = '\0'; 414 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 415 (u8 *) buf, os_strlen(buf))) { 416 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 417 return -1; 418 } 419 420 if (sta->flags & WLAN_STA_PREAUTH) { 421 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 422 sizeof(buf)); 423 } else { 424 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 425 radius_sta_rate(hapd, sta) / 2, 426 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 427 radius_mode_txt(hapd)); 428 buf[sizeof(buf) - 1] = '\0'; 429 } 430 if (!hostapd_config_get_radius_attr(req_attr, 431 RADIUS_ATTR_CONNECT_INFO) && 432 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 433 (u8 *) buf, os_strlen(buf))) { 434 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 435 return -1; 436 } 437 438 if (sta->acct_session_id_hi || sta->acct_session_id_lo) { 439 os_snprintf(buf, sizeof(buf), "%08X-%08X", 440 sta->acct_session_id_hi, sta->acct_session_id_lo); 441 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 442 (u8 *) buf, os_strlen(buf))) { 443 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 444 return -1; 445 } 446 } 447 448#ifdef CONFIG_IEEE80211R 449 if (hapd->conf->wpa && wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt) && 450 sta->wpa_sm && 451 (wpa_key_mgmt_ft(wpa_auth_sta_key_mgmt(sta->wpa_sm)) || 452 sta->auth_alg == WLAN_AUTH_FT) && 453 !hostapd_config_get_radius_attr(req_attr, 454 RADIUS_ATTR_MOBILITY_DOMAIN_ID) && 455 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_MOBILITY_DOMAIN_ID, 456 WPA_GET_BE16( 457 hapd->conf->mobility_domain))) { 458 wpa_printf(MSG_ERROR, "Could not add Mobility-Domain-Id"); 459 return -1; 460 } 461#endif /* CONFIG_IEEE80211R */ 462 463 if ((hapd->conf->wpa || hapd->conf->osen) && sta->wpa_sm && 464 add_common_radius_sta_attr_rsn(hapd, req_attr, sta, msg) < 0) 465 return -1; 466 467 return 0; 468} 469 470 471int add_common_radius_attr(struct hostapd_data *hapd, 472 struct hostapd_radius_attr *req_attr, 473 struct sta_info *sta, 474 struct radius_msg *msg) 475{ 476 char buf[128]; 477 struct hostapd_radius_attr *attr; 478 479 if (!hostapd_config_get_radius_attr(req_attr, 480 RADIUS_ATTR_NAS_IP_ADDRESS) && 481 hapd->conf->own_ip_addr.af == AF_INET && 482 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 483 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 484 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 485 return -1; 486 } 487 488#ifdef CONFIG_IPV6 489 if (!hostapd_config_get_radius_attr(req_attr, 490 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 491 hapd->conf->own_ip_addr.af == AF_INET6 && 492 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 493 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 494 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 495 return -1; 496 } 497#endif /* CONFIG_IPV6 */ 498 499 if (!hostapd_config_get_radius_attr(req_attr, 500 RADIUS_ATTR_NAS_IDENTIFIER) && 501 hapd->conf->nas_identifier && 502 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 503 (u8 *) hapd->conf->nas_identifier, 504 os_strlen(hapd->conf->nas_identifier))) { 505 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 506 return -1; 507 } 508 509 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 510 MAC2STR(hapd->own_addr), 511 wpa_ssid_txt(hapd->conf->ssid.ssid, 512 hapd->conf->ssid.ssid_len)); 513 buf[sizeof(buf) - 1] = '\0'; 514 if (!hostapd_config_get_radius_attr(req_attr, 515 RADIUS_ATTR_CALLED_STATION_ID) && 516 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 517 (u8 *) buf, os_strlen(buf))) { 518 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 519 return -1; 520 } 521 522 if (!hostapd_config_get_radius_attr(req_attr, 523 RADIUS_ATTR_NAS_PORT_TYPE) && 524 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 525 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 526 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 527 return -1; 528 } 529 530#ifdef CONFIG_INTERWORKING 531 if (hapd->conf->interworking && 532 !is_zero_ether_addr(hapd->conf->hessid)) { 533 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 534 MAC2STR(hapd->conf->hessid)); 535 buf[sizeof(buf) - 1] = '\0'; 536 if (!hostapd_config_get_radius_attr(req_attr, 537 RADIUS_ATTR_WLAN_HESSID) && 538 !radius_msg_add_attr(msg, RADIUS_ATTR_WLAN_HESSID, 539 (u8 *) buf, os_strlen(buf))) { 540 wpa_printf(MSG_ERROR, "Could not add WLAN-HESSID"); 541 return -1; 542 } 543 } 544#endif /* CONFIG_INTERWORKING */ 545 546 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 547 return -1; 548 549 for (attr = req_attr; attr; attr = attr->next) { 550 if (!radius_msg_add_attr(msg, attr->type, 551 wpabuf_head(attr->val), 552 wpabuf_len(attr->val))) { 553 wpa_printf(MSG_ERROR, "Could not add RADIUS " 554 "attribute"); 555 return -1; 556 } 557 } 558 559 return 0; 560} 561 562 563static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 564 struct sta_info *sta, 565 const u8 *eap, size_t len) 566{ 567 struct radius_msg *msg; 568 struct eapol_state_machine *sm = sta->eapol_sm; 569 570 if (sm == NULL) 571 return; 572 573 ieee802_1x_learn_identity(hapd, sm, eap, len); 574 575 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 576 "packet"); 577 578 sm->radius_identifier = radius_client_get_id(hapd->radius); 579 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 580 sm->radius_identifier); 581 if (msg == NULL) { 582 wpa_printf(MSG_INFO, "Could not create new RADIUS packet"); 583 return; 584 } 585 586 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 587 588 if (sm->identity && 589 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 590 sm->identity, sm->identity_len)) { 591 wpa_printf(MSG_INFO, "Could not add User-Name"); 592 goto fail; 593 } 594 595 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 596 msg) < 0) 597 goto fail; 598 599 /* TODO: should probably check MTU from driver config; 2304 is max for 600 * IEEE 802.11, but use 1400 to avoid problems with too large packets 601 */ 602 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 603 RADIUS_ATTR_FRAMED_MTU) && 604 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 605 wpa_printf(MSG_INFO, "Could not add Framed-MTU"); 606 goto fail; 607 } 608 609 if (!radius_msg_add_eap(msg, eap, len)) { 610 wpa_printf(MSG_INFO, "Could not add EAP-Message"); 611 goto fail; 612 } 613 614 /* State attribute must be copied if and only if this packet is 615 * Access-Request reply to the previous Access-Challenge */ 616 if (sm->last_recv_radius && 617 radius_msg_get_hdr(sm->last_recv_radius)->code == 618 RADIUS_CODE_ACCESS_CHALLENGE) { 619 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 620 RADIUS_ATTR_STATE); 621 if (res < 0) { 622 wpa_printf(MSG_INFO, "Could not copy State attribute from previous Access-Challenge"); 623 goto fail; 624 } 625 if (res > 0) { 626 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 627 } 628 } 629 630 if (hapd->conf->radius_request_cui) { 631 const u8 *cui; 632 size_t cui_len; 633 /* Add previously learned CUI or nul CUI to request CUI */ 634 if (sm->radius_cui) { 635 cui = wpabuf_head(sm->radius_cui); 636 cui_len = wpabuf_len(sm->radius_cui); 637 } else { 638 cui = (const u8 *) "\0"; 639 cui_len = 1; 640 } 641 if (!radius_msg_add_attr(msg, 642 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 643 cui, cui_len)) { 644 wpa_printf(MSG_ERROR, "Could not add CUI"); 645 goto fail; 646 } 647 } 648 649#ifdef CONFIG_HS20 650 if (hapd->conf->hs20) { 651 u8 ver = 1; /* Release 2 */ 652 if (!radius_msg_add_wfa( 653 msg, RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION, 654 &ver, 1)) { 655 wpa_printf(MSG_ERROR, "Could not add HS 2.0 AP " 656 "version"); 657 goto fail; 658 } 659 660 if (sta->hs20_ie && wpabuf_len(sta->hs20_ie) > 0) { 661 const u8 *pos; 662 u8 buf[3]; 663 u16 id; 664 pos = wpabuf_head_u8(sta->hs20_ie); 665 buf[0] = (*pos) >> 4; 666 if (((*pos) & HS20_PPS_MO_ID_PRESENT) && 667 wpabuf_len(sta->hs20_ie) >= 3) 668 id = WPA_GET_LE16(pos + 1); 669 else 670 id = 0; 671 WPA_PUT_BE16(buf + 1, id); 672 if (!radius_msg_add_wfa( 673 msg, 674 RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION, 675 buf, sizeof(buf))) { 676 wpa_printf(MSG_ERROR, "Could not add HS 2.0 " 677 "STA version"); 678 goto fail; 679 } 680 } 681 } 682#endif /* CONFIG_HS20 */ 683 684 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 685 goto fail; 686 687 return; 688 689 fail: 690 radius_msg_free(msg); 691} 692#endif /* CONFIG_NO_RADIUS */ 693 694 695static void handle_eap_response(struct hostapd_data *hapd, 696 struct sta_info *sta, struct eap_hdr *eap, 697 size_t len) 698{ 699 u8 type, *data; 700 struct eapol_state_machine *sm = sta->eapol_sm; 701 if (sm == NULL) 702 return; 703 704 data = (u8 *) (eap + 1); 705 706 if (len < sizeof(*eap) + 1) { 707 wpa_printf(MSG_INFO, "handle_eap_response: too short response data"); 708 return; 709 } 710 711 sm->eap_type_supp = type = data[0]; 712 713 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 714 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 715 "id=%d len=%d) from STA: EAP Response-%s (%d)", 716 eap->code, eap->identifier, be_to_host16(eap->length), 717 eap_server_get_name(0, type), type); 718 719 sm->dot1xAuthEapolRespFramesRx++; 720 721 wpabuf_free(sm->eap_if->eapRespData); 722 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 723 sm->eapolEap = TRUE; 724} 725 726 727static void handle_eap_initiate(struct hostapd_data *hapd, 728 struct sta_info *sta, struct eap_hdr *eap, 729 size_t len) 730{ 731#ifdef CONFIG_ERP 732 u8 type, *data; 733 struct eapol_state_machine *sm = sta->eapol_sm; 734 735 if (sm == NULL) 736 return; 737 738 if (len < sizeof(*eap) + 1) { 739 wpa_printf(MSG_INFO, 740 "handle_eap_initiate: too short response data"); 741 return; 742 } 743 744 data = (u8 *) (eap + 1); 745 type = data[0]; 746 747 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 748 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 749 "id=%d len=%d) from STA: EAP Initiate type %u", 750 eap->code, eap->identifier, be_to_host16(eap->length), 751 type); 752 753 wpabuf_free(sm->eap_if->eapRespData); 754 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 755 sm->eapolEap = TRUE; 756#endif /* CONFIG_ERP */ 757} 758 759 760/* Process incoming EAP packet from Supplicant */ 761static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 762 u8 *buf, size_t len) 763{ 764 struct eap_hdr *eap; 765 u16 eap_len; 766 767 if (len < sizeof(*eap)) { 768 wpa_printf(MSG_INFO, " too short EAP packet"); 769 return; 770 } 771 772 eap = (struct eap_hdr *) buf; 773 774 eap_len = be_to_host16(eap->length); 775 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 776 eap->code, eap->identifier, eap_len); 777 if (eap_len < sizeof(*eap)) { 778 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 779 return; 780 } else if (eap_len > len) { 781 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 782 "packet"); 783 return; 784 } else if (eap_len < len) { 785 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 786 "packet", (unsigned long) len - eap_len); 787 } 788 789 switch (eap->code) { 790 case EAP_CODE_REQUEST: 791 wpa_printf(MSG_DEBUG, " (request)"); 792 return; 793 case EAP_CODE_RESPONSE: 794 wpa_printf(MSG_DEBUG, " (response)"); 795 handle_eap_response(hapd, sta, eap, eap_len); 796 break; 797 case EAP_CODE_SUCCESS: 798 wpa_printf(MSG_DEBUG, " (success)"); 799 return; 800 case EAP_CODE_FAILURE: 801 wpa_printf(MSG_DEBUG, " (failure)"); 802 return; 803 case EAP_CODE_INITIATE: 804 wpa_printf(MSG_DEBUG, " (initiate)"); 805 handle_eap_initiate(hapd, sta, eap, eap_len); 806 break; 807 case EAP_CODE_FINISH: 808 wpa_printf(MSG_DEBUG, " (finish)"); 809 break; 810 default: 811 wpa_printf(MSG_DEBUG, " (unknown code)"); 812 return; 813 } 814} 815 816 817static struct eapol_state_machine * 818ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 819{ 820 int flags = 0; 821 if (sta->flags & WLAN_STA_PREAUTH) 822 flags |= EAPOL_SM_PREAUTH; 823 if (sta->wpa_sm) { 824 flags |= EAPOL_SM_USES_WPA; 825 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 826 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 827 } 828 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 829 sta->wps_ie, sta->p2p_ie, sta, 830 sta->identity, sta->radius_cui); 831} 832 833 834/** 835 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 836 * @hapd: hostapd BSS data 837 * @sa: Source address (sender of the EAPOL frame) 838 * @buf: EAPOL frame 839 * @len: Length of buf in octets 840 * 841 * This function is called for each incoming EAPOL frame from the interface 842 */ 843void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 844 size_t len) 845{ 846 struct sta_info *sta; 847 struct ieee802_1x_hdr *hdr; 848 struct ieee802_1x_eapol_key *key; 849 u16 datalen; 850 struct rsn_pmksa_cache_entry *pmksa; 851 int key_mgmt; 852 853 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && !hapd->conf->osen && 854 !hapd->conf->wps_state) 855 return; 856 857 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 858 (unsigned long) len, MAC2STR(sa)); 859 sta = ap_get_sta(hapd, sa); 860 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 861 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 862 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 863 "associated/Pre-authenticating STA"); 864 return; 865 } 866 867 if (len < sizeof(*hdr)) { 868 wpa_printf(MSG_INFO, " too short IEEE 802.1X packet"); 869 return; 870 } 871 872 hdr = (struct ieee802_1x_hdr *) buf; 873 datalen = be_to_host16(hdr->length); 874 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 875 hdr->version, hdr->type, datalen); 876 877 if (len - sizeof(*hdr) < datalen) { 878 wpa_printf(MSG_INFO, " frame too short for this IEEE 802.1X packet"); 879 if (sta->eapol_sm) 880 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 881 return; 882 } 883 if (len - sizeof(*hdr) > datalen) { 884 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 885 "IEEE 802.1X packet", 886 (unsigned long) len - sizeof(*hdr) - datalen); 887 } 888 889 if (sta->eapol_sm) { 890 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 891 sta->eapol_sm->dot1xAuthEapolFramesRx++; 892 } 893 894 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 895 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 896 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 897 (key->type == EAPOL_KEY_TYPE_WPA || 898 key->type == EAPOL_KEY_TYPE_RSN)) { 899 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 900 sizeof(*hdr) + datalen); 901 return; 902 } 903 904 if (!hapd->conf->ieee802_1x && !hapd->conf->osen && 905 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 906 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 907 "802.1X not enabled and WPS not used"); 908 return; 909 } 910 911 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 912 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 913 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 914 "STA is using PSK"); 915 return; 916 } 917 918 if (!sta->eapol_sm) { 919 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 920 if (!sta->eapol_sm) 921 return; 922 923#ifdef CONFIG_WPS 924 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state) { 925 u32 wflags = sta->flags & (WLAN_STA_WPS | 926 WLAN_STA_WPS2 | 927 WLAN_STA_MAYBE_WPS); 928 if (wflags == WLAN_STA_MAYBE_WPS || 929 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 930 /* 931 * Delay EAPOL frame transmission until a 932 * possible WPS STA initiates the handshake 933 * with EAPOL-Start. Only allow the wait to be 934 * skipped if the STA is known to support WPS 935 * 2.0. 936 */ 937 wpa_printf(MSG_DEBUG, "WPS: Do not start " 938 "EAPOL until EAPOL-Start is " 939 "received"); 940 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 941 } 942 } 943#endif /* CONFIG_WPS */ 944 945 sta->eapol_sm->eap_if->portEnabled = TRUE; 946 } 947 948 /* since we support version 1, we can ignore version field and proceed 949 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 950 /* TODO: actually, we are not version 1 anymore.. However, Version 2 951 * does not change frame contents, so should be ok to process frames 952 * more or less identically. Some changes might be needed for 953 * verification of fields. */ 954 955 switch (hdr->type) { 956 case IEEE802_1X_TYPE_EAP_PACKET: 957 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 958 break; 959 960 case IEEE802_1X_TYPE_EAPOL_START: 961 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 962 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 963 "from STA"); 964 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 965 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 966 if (pmksa) { 967 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 968 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 969 "available - ignore it since " 970 "STA sent EAPOL-Start"); 971 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 972 } 973 sta->eapol_sm->eapolStart = TRUE; 974 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 975 eap_server_clear_identity(sta->eapol_sm->eap); 976 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 977 break; 978 979 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 980 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 981 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 982 "from STA"); 983 sta->acct_terminate_cause = 984 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 985 accounting_sta_stop(hapd, sta); 986 sta->eapol_sm->eapolLogoff = TRUE; 987 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 988 eap_server_clear_identity(sta->eapol_sm->eap); 989 break; 990 991 case IEEE802_1X_TYPE_EAPOL_KEY: 992 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 993 if (!ap_sta_is_authorized(sta)) { 994 wpa_printf(MSG_DEBUG, " Dropped key data from " 995 "unauthorized Supplicant"); 996 break; 997 } 998 break; 999 1000 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 1001 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 1002 /* TODO: implement support for this; show data */ 1003 break; 1004 1005 default: 1006 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 1007 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 1008 break; 1009 } 1010 1011 eapol_auth_step(sta->eapol_sm); 1012} 1013 1014 1015/** 1016 * ieee802_1x_new_station - Start IEEE 802.1X authentication 1017 * @hapd: hostapd BSS data 1018 * @sta: The station 1019 * 1020 * This function is called to start IEEE 802.1X authentication when a new 1021 * station completes IEEE 802.11 association. 1022 */ 1023void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 1024{ 1025 struct rsn_pmksa_cache_entry *pmksa; 1026 int reassoc = 1; 1027 int force_1x = 0; 1028 int key_mgmt; 1029 1030#ifdef CONFIG_WPS 1031 if (hapd->conf->wps_state && 1032 ((hapd->conf->wpa && (sta->flags & WLAN_STA_MAYBE_WPS)) || 1033 (sta->flags & WLAN_STA_WPS))) { 1034 /* 1035 * Need to enable IEEE 802.1X/EAPOL state machines for possible 1036 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 1037 * authentication in this BSS. 1038 */ 1039 force_1x = 1; 1040 } 1041#endif /* CONFIG_WPS */ 1042 1043 if (!force_1x && !hapd->conf->ieee802_1x && !hapd->conf->osen) { 1044 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 1045 "802.1X not enabled or forced for WPS"); 1046 /* 1047 * Clear any possible EAPOL authenticator state to support 1048 * reassociation change from WPS to PSK. 1049 */ 1050 ieee802_1x_free_station(sta); 1051 return; 1052 } 1053 1054 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 1055 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 1056 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 1057 /* 1058 * Clear any possible EAPOL authenticator state to support 1059 * reassociation change from WPA-EAP to PSK. 1060 */ 1061 ieee802_1x_free_station(sta); 1062 return; 1063 } 1064 1065 if (sta->eapol_sm == NULL) { 1066 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1067 HOSTAPD_LEVEL_DEBUG, "start authentication"); 1068 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 1069 if (sta->eapol_sm == NULL) { 1070 hostapd_logger(hapd, sta->addr, 1071 HOSTAPD_MODULE_IEEE8021X, 1072 HOSTAPD_LEVEL_INFO, 1073 "failed to allocate state machine"); 1074 return; 1075 } 1076 reassoc = 0; 1077 } 1078 1079#ifdef CONFIG_WPS 1080 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 1081 if (!hapd->conf->ieee802_1x && hapd->conf->wps_state && 1082 !(sta->flags & WLAN_STA_WPS2)) { 1083 /* 1084 * Delay EAPOL frame transmission until a possible WPS STA 1085 * initiates the handshake with EAPOL-Start. Only allow the 1086 * wait to be skipped if the STA is known to support WPS 2.0. 1087 */ 1088 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 1089 "EAPOL-Start is received"); 1090 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 1091 } 1092#endif /* CONFIG_WPS */ 1093 1094 sta->eapol_sm->eap_if->portEnabled = TRUE; 1095 1096#ifdef CONFIG_IEEE80211R 1097 if (sta->auth_alg == WLAN_AUTH_FT) { 1098 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1099 HOSTAPD_LEVEL_DEBUG, 1100 "PMK from FT - skip IEEE 802.1X/EAP"); 1101 /* Setup EAPOL state machines to already authenticated state 1102 * because of existing FT information from R0KH. */ 1103 sta->eapol_sm->keyRun = TRUE; 1104 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1105 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1106 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1107 sta->eapol_sm->authSuccess = TRUE; 1108 sta->eapol_sm->authFail = FALSE; 1109 if (sta->eapol_sm->eap) 1110 eap_sm_notify_cached(sta->eapol_sm->eap); 1111 /* TODO: get vlan_id from R0KH using RRB message */ 1112 return; 1113 } 1114#endif /* CONFIG_IEEE80211R */ 1115 1116 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1117 if (pmksa) { 1118 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1119 HOSTAPD_LEVEL_DEBUG, 1120 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1121 /* Setup EAPOL state machines to already authenticated state 1122 * because of existing PMKSA information in the cache. */ 1123 sta->eapol_sm->keyRun = TRUE; 1124 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1125 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1126 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1127 sta->eapol_sm->authSuccess = TRUE; 1128 sta->eapol_sm->authFail = FALSE; 1129 if (sta->eapol_sm->eap) 1130 eap_sm_notify_cached(sta->eapol_sm->eap); 1131 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 1132 ap_sta_bind_vlan(hapd, sta); 1133 } else { 1134 if (reassoc) { 1135 /* 1136 * Force EAPOL state machines to start 1137 * re-authentication without having to wait for the 1138 * Supplicant to send EAPOL-Start. 1139 */ 1140 sta->eapol_sm->reAuthenticate = TRUE; 1141 } 1142 eapol_auth_step(sta->eapol_sm); 1143 } 1144} 1145 1146 1147void ieee802_1x_free_station(struct sta_info *sta) 1148{ 1149 struct eapol_state_machine *sm = sta->eapol_sm; 1150 1151 if (sm == NULL) 1152 return; 1153 1154 sta->eapol_sm = NULL; 1155 1156#ifndef CONFIG_NO_RADIUS 1157 radius_msg_free(sm->last_recv_radius); 1158 radius_free_class(&sm->radius_class); 1159 wpabuf_free(sm->radius_cui); 1160#endif /* CONFIG_NO_RADIUS */ 1161 1162 os_free(sm->identity); 1163 eapol_auth_free(sm); 1164} 1165 1166 1167#ifndef CONFIG_NO_RADIUS 1168static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1169 struct sta_info *sta) 1170{ 1171 struct wpabuf *eap; 1172 const struct eap_hdr *hdr; 1173 int eap_type = -1; 1174 char buf[64]; 1175 struct radius_msg *msg; 1176 struct eapol_state_machine *sm = sta->eapol_sm; 1177 1178 if (sm == NULL || sm->last_recv_radius == NULL) { 1179 if (sm) 1180 sm->eap_if->aaaEapNoReq = TRUE; 1181 return; 1182 } 1183 1184 msg = sm->last_recv_radius; 1185 1186 eap = radius_msg_get_eap(msg); 1187 if (eap == NULL) { 1188 /* RFC 3579, Chap. 2.6.3: 1189 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1190 * attribute */ 1191 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1192 HOSTAPD_LEVEL_WARNING, "could not extract " 1193 "EAP-Message from RADIUS message"); 1194 sm->eap_if->aaaEapNoReq = TRUE; 1195 return; 1196 } 1197 1198 if (wpabuf_len(eap) < sizeof(*hdr)) { 1199 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1200 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1201 "received from authentication server"); 1202 wpabuf_free(eap); 1203 sm->eap_if->aaaEapNoReq = TRUE; 1204 return; 1205 } 1206 1207 if (wpabuf_len(eap) > sizeof(*hdr)) 1208 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1209 1210 hdr = wpabuf_head(eap); 1211 switch (hdr->code) { 1212 case EAP_CODE_REQUEST: 1213 if (eap_type >= 0) 1214 sm->eap_type_authsrv = eap_type; 1215 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1216 eap_server_get_name(0, eap_type), eap_type); 1217 break; 1218 case EAP_CODE_RESPONSE: 1219 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1220 eap_server_get_name(0, eap_type), eap_type); 1221 break; 1222 case EAP_CODE_SUCCESS: 1223 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1224 break; 1225 case EAP_CODE_FAILURE: 1226 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1227 break; 1228 default: 1229 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1230 break; 1231 } 1232 buf[sizeof(buf) - 1] = '\0'; 1233 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1234 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1235 "id=%d len=%d) from RADIUS server: %s", 1236 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1237 buf); 1238 sm->eap_if->aaaEapReq = TRUE; 1239 1240 wpabuf_free(sm->eap_if->aaaEapReqData); 1241 sm->eap_if->aaaEapReqData = eap; 1242} 1243 1244 1245static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1246 struct sta_info *sta, struct radius_msg *msg, 1247 struct radius_msg *req, 1248 const u8 *shared_secret, 1249 size_t shared_secret_len) 1250{ 1251 struct radius_ms_mppe_keys *keys; 1252 struct eapol_state_machine *sm = sta->eapol_sm; 1253 if (sm == NULL) 1254 return; 1255 1256 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1257 shared_secret_len); 1258 1259 if (keys && keys->send && keys->recv) { 1260 size_t len = keys->send_len + keys->recv_len; 1261 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1262 keys->send, keys->send_len); 1263 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1264 keys->recv, keys->recv_len); 1265 1266 os_free(sm->eap_if->aaaEapKeyData); 1267 sm->eap_if->aaaEapKeyData = os_malloc(len); 1268 if (sm->eap_if->aaaEapKeyData) { 1269 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1270 keys->recv_len); 1271 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1272 keys->send, keys->send_len); 1273 sm->eap_if->aaaEapKeyDataLen = len; 1274 sm->eap_if->aaaEapKeyAvailable = TRUE; 1275 } 1276 } else { 1277 wpa_printf(MSG_DEBUG, 1278 "MS-MPPE: 1x_get_keys, could not get keys: %p send: %p recv: %p", 1279 keys, keys ? keys->send : NULL, 1280 keys ? keys->recv : NULL); 1281 } 1282 1283 if (keys) { 1284 os_free(keys->send); 1285 os_free(keys->recv); 1286 os_free(keys); 1287 } 1288} 1289 1290 1291static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1292 struct sta_info *sta, 1293 struct radius_msg *msg) 1294{ 1295 u8 *attr_class; 1296 size_t class_len; 1297 struct eapol_state_machine *sm = sta->eapol_sm; 1298 int count, i; 1299 struct radius_attr_data *nclass; 1300 size_t nclass_count; 1301 1302 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1303 sm == NULL) 1304 return; 1305 1306 radius_free_class(&sm->radius_class); 1307 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1308 if (count <= 0) 1309 return; 1310 1311 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1312 if (nclass == NULL) 1313 return; 1314 1315 nclass_count = 0; 1316 1317 attr_class = NULL; 1318 for (i = 0; i < count; i++) { 1319 do { 1320 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1321 &attr_class, &class_len, 1322 attr_class) < 0) { 1323 i = count; 1324 break; 1325 } 1326 } while (class_len < 1); 1327 1328 nclass[nclass_count].data = os_malloc(class_len); 1329 if (nclass[nclass_count].data == NULL) 1330 break; 1331 1332 os_memcpy(nclass[nclass_count].data, attr_class, class_len); 1333 nclass[nclass_count].len = class_len; 1334 nclass_count++; 1335 } 1336 1337 sm->radius_class.attr = nclass; 1338 sm->radius_class.count = nclass_count; 1339 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1340 "attributes for " MACSTR, 1341 (unsigned long) sm->radius_class.count, 1342 MAC2STR(sta->addr)); 1343} 1344 1345 1346/* Update sta->identity based on User-Name attribute in Access-Accept */ 1347static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1348 struct sta_info *sta, 1349 struct radius_msg *msg) 1350{ 1351 u8 *buf, *identity; 1352 size_t len; 1353 struct eapol_state_machine *sm = sta->eapol_sm; 1354 1355 if (sm == NULL) 1356 return; 1357 1358 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1359 NULL) < 0) 1360 return; 1361 1362 identity = (u8 *) dup_binstr(buf, len); 1363 if (identity == NULL) 1364 return; 1365 1366 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1367 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1368 "User-Name from Access-Accept '%s'", 1369 sm->identity ? (char *) sm->identity : "N/A", 1370 (char *) identity); 1371 1372 os_free(sm->identity); 1373 sm->identity = identity; 1374 sm->identity_len = len; 1375} 1376 1377 1378/* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1379static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1380 struct sta_info *sta, 1381 struct radius_msg *msg) 1382{ 1383 struct eapol_state_machine *sm = sta->eapol_sm; 1384 struct wpabuf *cui; 1385 u8 *buf; 1386 size_t len; 1387 1388 if (sm == NULL) 1389 return; 1390 1391 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1392 &buf, &len, NULL) < 0) 1393 return; 1394 1395 cui = wpabuf_alloc_copy(buf, len); 1396 if (cui == NULL) 1397 return; 1398 1399 wpabuf_free(sm->radius_cui); 1400 sm->radius_cui = cui; 1401} 1402 1403 1404#ifdef CONFIG_HS20 1405 1406static void ieee802_1x_hs20_sub_rem(struct sta_info *sta, u8 *pos, size_t len) 1407{ 1408 sta->remediation = 1; 1409 os_free(sta->remediation_url); 1410 if (len > 2) { 1411 sta->remediation_url = os_malloc(len); 1412 if (!sta->remediation_url) 1413 return; 1414 sta->remediation_method = pos[0]; 1415 os_memcpy(sta->remediation_url, pos + 1, len - 1); 1416 sta->remediation_url[len - 1] = '\0'; 1417 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1418 "for " MACSTR " - server method %u URL %s", 1419 MAC2STR(sta->addr), sta->remediation_method, 1420 sta->remediation_url); 1421 } else { 1422 sta->remediation_url = NULL; 1423 wpa_printf(MSG_DEBUG, "HS 2.0: Subscription remediation needed " 1424 "for " MACSTR, MAC2STR(sta->addr)); 1425 } 1426 /* TODO: assign the STA into remediation VLAN or add filtering */ 1427} 1428 1429 1430static void ieee802_1x_hs20_deauth_req(struct hostapd_data *hapd, 1431 struct sta_info *sta, u8 *pos, 1432 size_t len) 1433{ 1434 if (len < 3) 1435 return; /* Malformed information */ 1436 sta->hs20_deauth_requested = 1; 1437 wpa_printf(MSG_DEBUG, "HS 2.0: Deauthentication request - Code %u " 1438 "Re-auth Delay %u", 1439 *pos, WPA_GET_LE16(pos + 1)); 1440 wpabuf_free(sta->hs20_deauth_req); 1441 sta->hs20_deauth_req = wpabuf_alloc(len + 1); 1442 if (sta->hs20_deauth_req) { 1443 wpabuf_put_data(sta->hs20_deauth_req, pos, 3); 1444 wpabuf_put_u8(sta->hs20_deauth_req, len - 3); 1445 wpabuf_put_data(sta->hs20_deauth_req, pos + 3, len - 3); 1446 } 1447 ap_sta_session_timeout(hapd, sta, hapd->conf->hs20_deauth_req_timeout); 1448} 1449 1450 1451static void ieee802_1x_hs20_session_info(struct hostapd_data *hapd, 1452 struct sta_info *sta, u8 *pos, 1453 size_t len, int session_timeout) 1454{ 1455 unsigned int swt; 1456 int warning_time, beacon_int; 1457 1458 if (len < 1) 1459 return; /* Malformed information */ 1460 os_free(sta->hs20_session_info_url); 1461 sta->hs20_session_info_url = os_malloc(len); 1462 if (sta->hs20_session_info_url == NULL) 1463 return; 1464 swt = pos[0]; 1465 os_memcpy(sta->hs20_session_info_url, pos + 1, len - 1); 1466 sta->hs20_session_info_url[len - 1] = '\0'; 1467 wpa_printf(MSG_DEBUG, "HS 2.0: Session Information URL='%s' SWT=%u " 1468 "(session_timeout=%d)", 1469 sta->hs20_session_info_url, swt, session_timeout); 1470 if (session_timeout < 0) { 1471 wpa_printf(MSG_DEBUG, "HS 2.0: No Session-Timeout set - ignore session info URL"); 1472 return; 1473 } 1474 if (swt == 255) 1475 swt = 1; /* Use one minute as the AP selected value */ 1476 1477 if ((unsigned int) session_timeout < swt * 60) 1478 warning_time = 0; 1479 else 1480 warning_time = session_timeout - swt * 60; 1481 1482 beacon_int = hapd->iconf->beacon_int; 1483 if (beacon_int < 1) 1484 beacon_int = 100; /* best guess */ 1485 sta->hs20_disassoc_timer = swt * 60 * 1000 / beacon_int * 125 / 128; 1486 if (sta->hs20_disassoc_timer > 65535) 1487 sta->hs20_disassoc_timer = 65535; 1488 1489 ap_sta_session_warning_timeout(hapd, sta, warning_time); 1490} 1491 1492#endif /* CONFIG_HS20 */ 1493 1494 1495static void ieee802_1x_check_hs20(struct hostapd_data *hapd, 1496 struct sta_info *sta, 1497 struct radius_msg *msg, 1498 int session_timeout) 1499{ 1500#ifdef CONFIG_HS20 1501 u8 *buf, *pos, *end, type, sublen; 1502 size_t len; 1503 1504 buf = NULL; 1505 sta->remediation = 0; 1506 sta->hs20_deauth_requested = 0; 1507 1508 for (;;) { 1509 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, 1510 &buf, &len, buf) < 0) 1511 break; 1512 if (len < 6) 1513 continue; 1514 pos = buf; 1515 end = buf + len; 1516 if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA) 1517 continue; 1518 pos += 4; 1519 1520 type = *pos++; 1521 sublen = *pos++; 1522 if (sublen < 2) 1523 continue; /* invalid length */ 1524 sublen -= 2; /* skip header */ 1525 if (pos + sublen > end) 1526 continue; /* invalid WFA VSA */ 1527 1528 switch (type) { 1529 case RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION: 1530 ieee802_1x_hs20_sub_rem(sta, pos, sublen); 1531 break; 1532 case RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ: 1533 ieee802_1x_hs20_deauth_req(hapd, sta, pos, sublen); 1534 break; 1535 case RADIUS_VENDOR_ATTR_WFA_HS20_SESSION_INFO_URL: 1536 ieee802_1x_hs20_session_info(hapd, sta, pos, sublen, 1537 session_timeout); 1538 break; 1539 } 1540 } 1541#endif /* CONFIG_HS20 */ 1542} 1543 1544 1545struct sta_id_search { 1546 u8 identifier; 1547 struct eapol_state_machine *sm; 1548}; 1549 1550 1551static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1552 struct sta_info *sta, 1553 void *ctx) 1554{ 1555 struct sta_id_search *id_search = ctx; 1556 struct eapol_state_machine *sm = sta->eapol_sm; 1557 1558 if (sm && sm->radius_identifier >= 0 && 1559 sm->radius_identifier == id_search->identifier) { 1560 id_search->sm = sm; 1561 return 1; 1562 } 1563 return 0; 1564} 1565 1566 1567static struct eapol_state_machine * 1568ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1569{ 1570 struct sta_id_search id_search; 1571 id_search.identifier = identifier; 1572 id_search.sm = NULL; 1573 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1574 return id_search.sm; 1575} 1576 1577 1578/** 1579 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1580 * @msg: RADIUS response message 1581 * @req: RADIUS request message 1582 * @shared_secret: RADIUS shared secret 1583 * @shared_secret_len: Length of shared_secret in octets 1584 * @data: Context data (struct hostapd_data *) 1585 * Returns: Processing status 1586 */ 1587static RadiusRxResult 1588ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1589 const u8 *shared_secret, size_t shared_secret_len, 1590 void *data) 1591{ 1592 struct hostapd_data *hapd = data; 1593 struct sta_info *sta; 1594 u32 session_timeout = 0, termination_action, acct_interim_interval; 1595 int session_timeout_set, vlan_id = 0; 1596 struct eapol_state_machine *sm; 1597 int override_eapReq = 0; 1598 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1599 1600 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1601 if (sm == NULL) { 1602 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1603 "station for this RADIUS message"); 1604 return RADIUS_RX_UNKNOWN; 1605 } 1606 sta = sm->sta; 1607 1608 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1609 * present when packet contains an EAP-Message attribute */ 1610 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1611 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1612 0) < 0 && 1613 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1614 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1615 "Message-Authenticator since it does not include " 1616 "EAP-Message"); 1617 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1618 req, 1)) { 1619 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); 1620 return RADIUS_RX_INVALID_AUTHENTICATOR; 1621 } 1622 1623 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1624 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1625 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1626 wpa_printf(MSG_INFO, "Unknown RADIUS message code"); 1627 return RADIUS_RX_UNKNOWN; 1628 } 1629 1630 sm->radius_identifier = -1; 1631 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1632 MAC2STR(sta->addr)); 1633 1634 radius_msg_free(sm->last_recv_radius); 1635 sm->last_recv_radius = msg; 1636 1637 session_timeout_set = 1638 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1639 &session_timeout); 1640 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1641 &termination_action)) 1642 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1643 1644 if (hapd->conf->acct_interim_interval == 0 && 1645 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1646 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1647 &acct_interim_interval) == 0) { 1648 if (acct_interim_interval < 60) { 1649 hostapd_logger(hapd, sta->addr, 1650 HOSTAPD_MODULE_IEEE8021X, 1651 HOSTAPD_LEVEL_INFO, 1652 "ignored too small " 1653 "Acct-Interim-Interval %d", 1654 acct_interim_interval); 1655 } else 1656 sta->acct_interim_interval = acct_interim_interval; 1657 } 1658 1659 1660 switch (hdr->code) { 1661 case RADIUS_CODE_ACCESS_ACCEPT: 1662 if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1663 vlan_id = 0; 1664#ifndef CONFIG_NO_VLAN 1665 else 1666 vlan_id = radius_msg_get_vlanid(msg); 1667 if (vlan_id > 0 && 1668 hostapd_vlan_id_valid(hapd->conf->vlan, vlan_id)) { 1669 hostapd_logger(hapd, sta->addr, 1670 HOSTAPD_MODULE_RADIUS, 1671 HOSTAPD_LEVEL_INFO, 1672 "VLAN ID %d", vlan_id); 1673 } else if (vlan_id > 0) { 1674 sta->eapol_sm->authFail = TRUE; 1675 hostapd_logger(hapd, sta->addr, 1676 HOSTAPD_MODULE_RADIUS, 1677 HOSTAPD_LEVEL_INFO, 1678 "Invalid VLAN ID %d received from RADIUS server", 1679 vlan_id); 1680 break; 1681 } else if (hapd->conf->ssid.dynamic_vlan == 1682 DYNAMIC_VLAN_REQUIRED) { 1683 sta->eapol_sm->authFail = TRUE; 1684 hostapd_logger(hapd, sta->addr, 1685 HOSTAPD_MODULE_IEEE8021X, 1686 HOSTAPD_LEVEL_INFO, "authentication " 1687 "server did not include required VLAN " 1688 "ID in Access-Accept"); 1689 break; 1690 } 1691#endif /* CONFIG_NO_VLAN */ 1692 1693 sta->vlan_id = vlan_id; 1694 if ((sta->flags & WLAN_STA_ASSOC) && 1695 ap_sta_bind_vlan(hapd, sta) < 0) 1696 break; 1697 1698 sta->session_timeout_set = !!session_timeout_set; 1699 sta->session_timeout = session_timeout; 1700 1701 /* RFC 3580, Ch. 3.17 */ 1702 if (session_timeout_set && termination_action == 1703 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1704 sm->reAuthPeriod = session_timeout; 1705 } else if (session_timeout_set) 1706 ap_sta_session_timeout(hapd, sta, session_timeout); 1707 1708 sm->eap_if->aaaSuccess = TRUE; 1709 override_eapReq = 1; 1710 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1711 shared_secret_len); 1712 ieee802_1x_store_radius_class(hapd, sta, msg); 1713 ieee802_1x_update_sta_identity(hapd, sta, msg); 1714 ieee802_1x_update_sta_cui(hapd, sta, msg); 1715 ieee802_1x_check_hs20(hapd, sta, msg, 1716 session_timeout_set ? 1717 (int) session_timeout : -1); 1718 if (sm->eap_if->eapKeyAvailable && !sta->remediation && 1719 !sta->hs20_deauth_requested && 1720 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1721 session_timeout_set ? 1722 (int) session_timeout : -1, sm) == 0) { 1723 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1724 HOSTAPD_LEVEL_DEBUG, 1725 "Added PMKSA cache entry"); 1726 } 1727 break; 1728 case RADIUS_CODE_ACCESS_REJECT: 1729 sm->eap_if->aaaFail = TRUE; 1730 override_eapReq = 1; 1731 break; 1732 case RADIUS_CODE_ACCESS_CHALLENGE: 1733 sm->eap_if->aaaEapReq = TRUE; 1734 if (session_timeout_set) { 1735 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1736 sm->eap_if->aaaMethodTimeout = session_timeout; 1737 hostapd_logger(hapd, sm->addr, 1738 HOSTAPD_MODULE_IEEE8021X, 1739 HOSTAPD_LEVEL_DEBUG, 1740 "using EAP timeout of %d seconds (from " 1741 "RADIUS)", 1742 sm->eap_if->aaaMethodTimeout); 1743 } else { 1744 /* 1745 * Use dynamic retransmission behavior per EAP 1746 * specification. 1747 */ 1748 sm->eap_if->aaaMethodTimeout = 0; 1749 } 1750 break; 1751 } 1752 1753 ieee802_1x_decapsulate_radius(hapd, sta); 1754 if (override_eapReq) 1755 sm->eap_if->aaaEapReq = FALSE; 1756 1757 eapol_auth_step(sm); 1758 1759 return RADIUS_RX_QUEUED; 1760} 1761#endif /* CONFIG_NO_RADIUS */ 1762 1763 1764void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1765{ 1766 struct eapol_state_machine *sm = sta->eapol_sm; 1767 if (sm == NULL) 1768 return; 1769 1770 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1771 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1772 1773#ifndef CONFIG_NO_RADIUS 1774 radius_msg_free(sm->last_recv_radius); 1775 sm->last_recv_radius = NULL; 1776#endif /* CONFIG_NO_RADIUS */ 1777 1778 if (sm->eap_if->eapTimeout) { 1779 /* 1780 * Disconnect the STA since it did not reply to the last EAP 1781 * request and we cannot continue EAP processing (EAP-Failure 1782 * could only be sent if the EAP peer actually replied). 1783 */ 1784 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1785 MAC2STR(sta->addr)); 1786 1787 sm->eap_if->portEnabled = FALSE; 1788 ap_sta_disconnect(hapd, sta, sta->addr, 1789 WLAN_REASON_PREV_AUTH_NOT_VALID); 1790 } 1791} 1792 1793 1794static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1795{ 1796 struct eapol_authenticator *eapol = hapd->eapol_auth; 1797 1798 if (hapd->conf->default_wep_key_len < 1) 1799 return 0; 1800 1801 os_free(eapol->default_wep_key); 1802 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1803 if (eapol->default_wep_key == NULL || 1804 random_get_bytes(eapol->default_wep_key, 1805 hapd->conf->default_wep_key_len)) { 1806 wpa_printf(MSG_INFO, "Could not generate random WEP key"); 1807 os_free(eapol->default_wep_key); 1808 eapol->default_wep_key = NULL; 1809 return -1; 1810 } 1811 1812 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1813 eapol->default_wep_key, 1814 hapd->conf->default_wep_key_len); 1815 1816 return 0; 1817} 1818 1819 1820static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1821 struct sta_info *sta, void *ctx) 1822{ 1823 if (sta->eapol_sm) { 1824 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1825 eapol_auth_step(sta->eapol_sm); 1826 } 1827 return 0; 1828} 1829 1830 1831static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1832{ 1833 struct hostapd_data *hapd = eloop_ctx; 1834 struct eapol_authenticator *eapol = hapd->eapol_auth; 1835 1836 if (eapol->default_wep_key_idx >= 3) 1837 eapol->default_wep_key_idx = 1838 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1839 else 1840 eapol->default_wep_key_idx++; 1841 1842 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1843 eapol->default_wep_key_idx); 1844 1845 if (ieee802_1x_rekey_broadcast(hapd)) { 1846 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1847 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1848 "new broadcast key"); 1849 os_free(eapol->default_wep_key); 1850 eapol->default_wep_key = NULL; 1851 return; 1852 } 1853 1854 /* TODO: Could setup key for RX here, but change default TX keyid only 1855 * after new broadcast key has been sent to all stations. */ 1856 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1857 broadcast_ether_addr, 1858 eapol->default_wep_key_idx, 1, NULL, 0, 1859 eapol->default_wep_key, 1860 hapd->conf->default_wep_key_len)) { 1861 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1862 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1863 "new broadcast key"); 1864 os_free(eapol->default_wep_key); 1865 eapol->default_wep_key = NULL; 1866 return; 1867 } 1868 1869 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1870 1871 if (hapd->conf->wep_rekeying_period > 0) { 1872 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1873 ieee802_1x_rekey, hapd, NULL); 1874 } 1875} 1876 1877 1878static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1879 const u8 *data, size_t datalen) 1880{ 1881#ifdef CONFIG_WPS 1882 struct sta_info *sta = sta_ctx; 1883 1884 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1885 WLAN_STA_MAYBE_WPS) { 1886 const u8 *identity; 1887 size_t identity_len; 1888 struct eapol_state_machine *sm = sta->eapol_sm; 1889 1890 identity = eap_get_identity(sm->eap, &identity_len); 1891 if (identity && 1892 ((identity_len == WSC_ID_ENROLLEE_LEN && 1893 os_memcmp(identity, WSC_ID_ENROLLEE, 1894 WSC_ID_ENROLLEE_LEN) == 0) || 1895 (identity_len == WSC_ID_REGISTRAR_LEN && 1896 os_memcmp(identity, WSC_ID_REGISTRAR, 1897 WSC_ID_REGISTRAR_LEN) == 0))) { 1898 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1899 "WLAN_STA_WPS"); 1900 sta->flags |= WLAN_STA_WPS; 1901 } 1902 } 1903#endif /* CONFIG_WPS */ 1904 1905 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1906} 1907 1908 1909static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1910 const u8 *data, size_t datalen) 1911{ 1912#ifndef CONFIG_NO_RADIUS 1913 struct hostapd_data *hapd = ctx; 1914 struct sta_info *sta = sta_ctx; 1915 1916 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1917#endif /* CONFIG_NO_RADIUS */ 1918} 1919 1920 1921static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1922 int preauth, int remediation) 1923{ 1924 struct hostapd_data *hapd = ctx; 1925 struct sta_info *sta = sta_ctx; 1926 if (preauth) 1927 rsn_preauth_finished(hapd, sta, success); 1928 else 1929 ieee802_1x_finished(hapd, sta, success, remediation); 1930} 1931 1932 1933static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1934 size_t identity_len, int phase2, 1935 struct eap_user *user) 1936{ 1937 struct hostapd_data *hapd = ctx; 1938 const struct hostapd_eap_user *eap_user; 1939 int i; 1940 int rv = -1; 1941 1942 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 1943 if (eap_user == NULL) 1944 goto out; 1945 1946 os_memset(user, 0, sizeof(*user)); 1947 user->phase2 = phase2; 1948 for (i = 0; i < EAP_MAX_METHODS; i++) { 1949 user->methods[i].vendor = eap_user->methods[i].vendor; 1950 user->methods[i].method = eap_user->methods[i].method; 1951 } 1952 1953 if (eap_user->password) { 1954 user->password = os_malloc(eap_user->password_len); 1955 if (user->password == NULL) 1956 goto out; 1957 os_memcpy(user->password, eap_user->password, 1958 eap_user->password_len); 1959 user->password_len = eap_user->password_len; 1960 user->password_hash = eap_user->password_hash; 1961 } 1962 user->force_version = eap_user->force_version; 1963 user->macacl = eap_user->macacl; 1964 user->ttls_auth = eap_user->ttls_auth; 1965 user->remediation = eap_user->remediation; 1966 rv = 0; 1967 1968out: 1969 if (rv) 1970 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__); 1971 1972 return rv; 1973} 1974 1975 1976static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1977{ 1978 struct hostapd_data *hapd = ctx; 1979 struct sta_info *sta; 1980 sta = ap_get_sta(hapd, addr); 1981 if (sta == NULL || sta->eapol_sm == NULL) 1982 return 0; 1983 return 1; 1984} 1985 1986 1987static void ieee802_1x_logger(void *ctx, const u8 *addr, 1988 eapol_logger_level level, const char *txt) 1989{ 1990#ifndef CONFIG_NO_HOSTAPD_LOGGER 1991 struct hostapd_data *hapd = ctx; 1992 int hlevel; 1993 1994 switch (level) { 1995 case EAPOL_LOGGER_WARNING: 1996 hlevel = HOSTAPD_LEVEL_WARNING; 1997 break; 1998 case EAPOL_LOGGER_INFO: 1999 hlevel = HOSTAPD_LEVEL_INFO; 2000 break; 2001 case EAPOL_LOGGER_DEBUG: 2002 default: 2003 hlevel = HOSTAPD_LEVEL_DEBUG; 2004 break; 2005 } 2006 2007 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 2008 txt); 2009#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 2010} 2011 2012 2013static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 2014 int authorized) 2015{ 2016 struct hostapd_data *hapd = ctx; 2017 struct sta_info *sta = sta_ctx; 2018 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 2019} 2020 2021 2022static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 2023{ 2024 struct hostapd_data *hapd = ctx; 2025 struct sta_info *sta = sta_ctx; 2026 ieee802_1x_abort_auth(hapd, sta); 2027} 2028 2029 2030static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 2031{ 2032#ifndef CONFIG_FIPS 2033#ifndef CONFIG_NO_RC4 2034 struct hostapd_data *hapd = ctx; 2035 struct sta_info *sta = sta_ctx; 2036 ieee802_1x_tx_key(hapd, sta); 2037#endif /* CONFIG_NO_RC4 */ 2038#endif /* CONFIG_FIPS */ 2039} 2040 2041 2042static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 2043 enum eapol_event type) 2044{ 2045 /* struct hostapd_data *hapd = ctx; */ 2046 struct sta_info *sta = sta_ctx; 2047 switch (type) { 2048 case EAPOL_AUTH_SM_CHANGE: 2049 wpa_auth_sm_notify(sta->wpa_sm); 2050 break; 2051 case EAPOL_AUTH_REAUTHENTICATE: 2052 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 2053 break; 2054 } 2055} 2056 2057 2058#ifdef CONFIG_ERP 2059 2060static struct eap_server_erp_key * 2061ieee802_1x_erp_get_key(void *ctx, const char *keyname) 2062{ 2063 struct hostapd_data *hapd = ctx; 2064 struct eap_server_erp_key *erp; 2065 2066 dl_list_for_each(erp, &hapd->erp_keys, struct eap_server_erp_key, 2067 list) { 2068 if (os_strcmp(erp->keyname_nai, keyname) == 0) 2069 return erp; 2070 } 2071 2072 return NULL; 2073} 2074 2075 2076static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) 2077{ 2078 struct hostapd_data *hapd = ctx; 2079 2080 dl_list_add(&hapd->erp_keys, &erp->list); 2081 return 0; 2082} 2083 2084#endif /* CONFIG_ERP */ 2085 2086 2087int ieee802_1x_init(struct hostapd_data *hapd) 2088{ 2089 int i; 2090 struct eapol_auth_config conf; 2091 struct eapol_auth_cb cb; 2092 2093 dl_list_init(&hapd->erp_keys); 2094 2095 os_memset(&conf, 0, sizeof(conf)); 2096 conf.ctx = hapd; 2097 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 2098 conf.wpa = hapd->conf->wpa; 2099 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 2100 conf.eap_server = hapd->conf->eap_server; 2101 conf.ssl_ctx = hapd->ssl_ctx; 2102 conf.msg_ctx = hapd->msg_ctx; 2103 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 2104 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 2105 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 2106 conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start; 2107 conf.erp_domain = hapd->conf->erp_domain; 2108 conf.erp = hapd->conf->eap_server_erp; 2109 conf.tls_session_lifetime = hapd->conf->tls_session_lifetime; 2110 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 2111 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 2112 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 2113 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 2114 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 2115 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 2116 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 2117 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 2118 conf.tnc = hapd->conf->tnc; 2119 conf.wps = hapd->wps; 2120 conf.fragment_size = hapd->conf->fragment_size; 2121 conf.pwd_group = hapd->conf->pwd_group; 2122 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 2123 if (hapd->conf->server_id) { 2124 conf.server_id = (const u8 *) hapd->conf->server_id; 2125 conf.server_id_len = os_strlen(hapd->conf->server_id); 2126 } else { 2127 conf.server_id = (const u8 *) "hostapd"; 2128 conf.server_id_len = 7; 2129 } 2130 2131 os_memset(&cb, 0, sizeof(cb)); 2132 cb.eapol_send = ieee802_1x_eapol_send; 2133 cb.aaa_send = ieee802_1x_aaa_send; 2134 cb.finished = _ieee802_1x_finished; 2135 cb.get_eap_user = ieee802_1x_get_eap_user; 2136 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 2137 cb.logger = ieee802_1x_logger; 2138 cb.set_port_authorized = ieee802_1x_set_port_authorized; 2139 cb.abort_auth = _ieee802_1x_abort_auth; 2140 cb.tx_key = _ieee802_1x_tx_key; 2141 cb.eapol_event = ieee802_1x_eapol_event; 2142#ifdef CONFIG_ERP 2143 cb.erp_get_key = ieee802_1x_erp_get_key; 2144 cb.erp_add_key = ieee802_1x_erp_add_key; 2145#endif /* CONFIG_ERP */ 2146 2147 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 2148 if (hapd->eapol_auth == NULL) 2149 return -1; 2150 2151 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 2152 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 2153 return -1; 2154 2155#ifndef CONFIG_NO_RADIUS 2156 if (radius_client_register(hapd->radius, RADIUS_AUTH, 2157 ieee802_1x_receive_auth, hapd)) 2158 return -1; 2159#endif /* CONFIG_NO_RADIUS */ 2160 2161 if (hapd->conf->default_wep_key_len) { 2162 for (i = 0; i < 4; i++) 2163 hostapd_drv_set_key(hapd->conf->iface, hapd, 2164 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 2165 NULL, 0); 2166 2167 ieee802_1x_rekey(hapd, NULL); 2168 2169 if (hapd->eapol_auth->default_wep_key == NULL) 2170 return -1; 2171 } 2172 2173 return 0; 2174} 2175 2176 2177void ieee802_1x_erp_flush(struct hostapd_data *hapd) 2178{ 2179 struct eap_server_erp_key *erp; 2180 2181 while ((erp = dl_list_first(&hapd->erp_keys, struct eap_server_erp_key, 2182 list)) != NULL) { 2183 dl_list_del(&erp->list); 2184 bin_clear_free(erp, sizeof(*erp)); 2185 } 2186} 2187 2188 2189void ieee802_1x_deinit(struct hostapd_data *hapd) 2190{ 2191 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 2192 2193 if (hapd->driver != NULL && 2194 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 2195 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 2196 2197 eapol_auth_deinit(hapd->eapol_auth); 2198 hapd->eapol_auth = NULL; 2199 2200 ieee802_1x_erp_flush(hapd); 2201} 2202 2203 2204int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2205 const u8 *buf, size_t len, int ack) 2206{ 2207 struct ieee80211_hdr *hdr; 2208 u8 *pos; 2209 const unsigned char rfc1042_hdr[ETH_ALEN] = 2210 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 2211 2212 if (sta == NULL) 2213 return -1; 2214 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 2215 return 0; 2216 2217 hdr = (struct ieee80211_hdr *) buf; 2218 pos = (u8 *) (hdr + 1); 2219 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 2220 return 0; 2221 pos += sizeof(rfc1042_hdr); 2222 if (WPA_GET_BE16(pos) != ETH_P_PAE) 2223 return 0; 2224 pos += 2; 2225 2226 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 2227 ack); 2228} 2229 2230 2231int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 2232 const u8 *buf, int len, int ack) 2233{ 2234 const struct ieee802_1x_hdr *xhdr = 2235 (const struct ieee802_1x_hdr *) buf; 2236 const u8 *pos = buf + sizeof(*xhdr); 2237 struct ieee802_1x_eapol_key *key; 2238 2239 if (len < (int) sizeof(*xhdr)) 2240 return 0; 2241 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 2242 "type=%d length=%d - ack=%d", 2243 MAC2STR(sta->addr), xhdr->version, xhdr->type, 2244 be_to_host16(xhdr->length), ack); 2245 2246 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 2247 return 0; 2248 2249 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 2250 const struct wpa_eapol_key *wpa; 2251 wpa = (const struct wpa_eapol_key *) pos; 2252 if (wpa->type == EAPOL_KEY_TYPE_RSN || 2253 wpa->type == EAPOL_KEY_TYPE_WPA) 2254 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 2255 sta->wpa_sm, ack); 2256 } 2257 2258 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 2259 * or Authenticator state machines, but EAPOL-Key packets are not 2260 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 2261 * packets couple of times because otherwise STA keys become 2262 * unsynchronized with AP. */ 2263 if (!ack && pos + sizeof(*key) <= buf + len) { 2264 key = (struct ieee802_1x_eapol_key *) pos; 2265 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 2266 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 2267 "frame (%scast index=%d)", 2268 key->key_index & BIT(7) ? "uni" : "broad", 2269 key->key_index & ~BIT(7)); 2270 /* TODO: re-send EAPOL-Key couple of times (with short delay 2271 * between them?). If all attempt fail, report error and 2272 * deauthenticate STA so that it will get new keys when 2273 * authenticating again (e.g., after returning in range). 2274 * Separate limit/transmit state needed both for unicast and 2275 * broadcast keys(?) */ 2276 } 2277 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 2278 * to here and change the key only if the EAPOL-Key packet was Acked. 2279 */ 2280 2281 return 1; 2282} 2283 2284 2285u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 2286{ 2287 if (sm == NULL || sm->identity == NULL) 2288 return NULL; 2289 2290 *len = sm->identity_len; 2291 return sm->identity; 2292} 2293 2294 2295u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 2296 int idx) 2297{ 2298 if (sm == NULL || sm->radius_class.attr == NULL || 2299 idx >= (int) sm->radius_class.count) 2300 return NULL; 2301 2302 *len = sm->radius_class.attr[idx].len; 2303 return sm->radius_class.attr[idx].data; 2304} 2305 2306 2307struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 2308{ 2309 if (sm == NULL) 2310 return NULL; 2311 return sm->radius_cui; 2312} 2313 2314 2315const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2316{ 2317 *len = 0; 2318 if (sm == NULL) 2319 return NULL; 2320 2321 *len = sm->eap_if->eapKeyDataLen; 2322 return sm->eap_if->eapKeyData; 2323} 2324 2325 2326void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2327 int enabled) 2328{ 2329 if (sm == NULL) 2330 return; 2331 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2332 eapol_auth_step(sm); 2333} 2334 2335 2336void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2337 int valid) 2338{ 2339 if (sm == NULL) 2340 return; 2341 sm->portValid = valid ? TRUE : FALSE; 2342 eapol_auth_step(sm); 2343} 2344 2345 2346void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2347{ 2348 if (sm == NULL) 2349 return; 2350 if (pre_auth) 2351 sm->flags |= EAPOL_SM_PREAUTH; 2352 else 2353 sm->flags &= ~EAPOL_SM_PREAUTH; 2354} 2355 2356 2357static const char * bool_txt(Boolean val) 2358{ 2359 return val ? "TRUE" : "FALSE"; 2360} 2361 2362 2363int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2364{ 2365 /* TODO */ 2366 return 0; 2367} 2368 2369 2370int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2371 char *buf, size_t buflen) 2372{ 2373 int len = 0, ret; 2374 struct eapol_state_machine *sm = sta->eapol_sm; 2375 struct os_reltime diff; 2376 const char *name1; 2377 const char *name2; 2378 2379 if (sm == NULL) 2380 return 0; 2381 2382 ret = os_snprintf(buf + len, buflen - len, 2383 "dot1xPaePortNumber=%d\n" 2384 "dot1xPaePortProtocolVersion=%d\n" 2385 "dot1xPaePortCapabilities=1\n" 2386 "dot1xPaePortInitialize=%d\n" 2387 "dot1xPaePortReauthenticate=FALSE\n", 2388 sta->aid, 2389 EAPOL_VERSION, 2390 sm->initialize); 2391 if (os_snprintf_error(buflen - len, ret)) 2392 return len; 2393 len += ret; 2394 2395 /* dot1xAuthConfigTable */ 2396 ret = os_snprintf(buf + len, buflen - len, 2397 "dot1xAuthPaeState=%d\n" 2398 "dot1xAuthBackendAuthState=%d\n" 2399 "dot1xAuthAdminControlledDirections=%d\n" 2400 "dot1xAuthOperControlledDirections=%d\n" 2401 "dot1xAuthAuthControlledPortStatus=%d\n" 2402 "dot1xAuthAuthControlledPortControl=%d\n" 2403 "dot1xAuthQuietPeriod=%u\n" 2404 "dot1xAuthServerTimeout=%u\n" 2405 "dot1xAuthReAuthPeriod=%u\n" 2406 "dot1xAuthReAuthEnabled=%s\n" 2407 "dot1xAuthKeyTxEnabled=%s\n", 2408 sm->auth_pae_state + 1, 2409 sm->be_auth_state + 1, 2410 sm->adminControlledDirections, 2411 sm->operControlledDirections, 2412 sm->authPortStatus, 2413 sm->portControl, 2414 sm->quietPeriod, 2415 sm->serverTimeout, 2416 sm->reAuthPeriod, 2417 bool_txt(sm->reAuthEnabled), 2418 bool_txt(sm->keyTxEnabled)); 2419 if (os_snprintf_error(buflen - len, ret)) 2420 return len; 2421 len += ret; 2422 2423 /* dot1xAuthStatsTable */ 2424 ret = os_snprintf(buf + len, buflen - len, 2425 "dot1xAuthEapolFramesRx=%u\n" 2426 "dot1xAuthEapolFramesTx=%u\n" 2427 "dot1xAuthEapolStartFramesRx=%u\n" 2428 "dot1xAuthEapolLogoffFramesRx=%u\n" 2429 "dot1xAuthEapolRespIdFramesRx=%u\n" 2430 "dot1xAuthEapolRespFramesRx=%u\n" 2431 "dot1xAuthEapolReqIdFramesTx=%u\n" 2432 "dot1xAuthEapolReqFramesTx=%u\n" 2433 "dot1xAuthInvalidEapolFramesRx=%u\n" 2434 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2435 "dot1xAuthLastEapolFrameVersion=%u\n" 2436 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2437 sm->dot1xAuthEapolFramesRx, 2438 sm->dot1xAuthEapolFramesTx, 2439 sm->dot1xAuthEapolStartFramesRx, 2440 sm->dot1xAuthEapolLogoffFramesRx, 2441 sm->dot1xAuthEapolRespIdFramesRx, 2442 sm->dot1xAuthEapolRespFramesRx, 2443 sm->dot1xAuthEapolReqIdFramesTx, 2444 sm->dot1xAuthEapolReqFramesTx, 2445 sm->dot1xAuthInvalidEapolFramesRx, 2446 sm->dot1xAuthEapLengthErrorFramesRx, 2447 sm->dot1xAuthLastEapolFrameVersion, 2448 MAC2STR(sm->addr)); 2449 if (os_snprintf_error(buflen - len, ret)) 2450 return len; 2451 len += ret; 2452 2453 /* dot1xAuthDiagTable */ 2454 ret = os_snprintf(buf + len, buflen - len, 2455 "dot1xAuthEntersConnecting=%u\n" 2456 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2457 "dot1xAuthEntersAuthenticating=%u\n" 2458 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2459 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2460 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2461 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2462 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2463 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2464 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2465 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2466 "dot1xAuthBackendResponses=%u\n" 2467 "dot1xAuthBackendAccessChallenges=%u\n" 2468 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2469 "dot1xAuthBackendAuthSuccesses=%u\n" 2470 "dot1xAuthBackendAuthFails=%u\n", 2471 sm->authEntersConnecting, 2472 sm->authEapLogoffsWhileConnecting, 2473 sm->authEntersAuthenticating, 2474 sm->authAuthSuccessesWhileAuthenticating, 2475 sm->authAuthTimeoutsWhileAuthenticating, 2476 sm->authAuthFailWhileAuthenticating, 2477 sm->authAuthEapStartsWhileAuthenticating, 2478 sm->authAuthEapLogoffWhileAuthenticating, 2479 sm->authAuthReauthsWhileAuthenticated, 2480 sm->authAuthEapStartsWhileAuthenticated, 2481 sm->authAuthEapLogoffWhileAuthenticated, 2482 sm->backendResponses, 2483 sm->backendAccessChallenges, 2484 sm->backendOtherRequestsToSupplicant, 2485 sm->backendAuthSuccesses, 2486 sm->backendAuthFails); 2487 if (os_snprintf_error(buflen - len, ret)) 2488 return len; 2489 len += ret; 2490 2491 /* dot1xAuthSessionStatsTable */ 2492 os_reltime_age(&sta->acct_session_start, &diff); 2493 ret = os_snprintf(buf + len, buflen - len, 2494 /* TODO: dot1xAuthSessionOctetsRx */ 2495 /* TODO: dot1xAuthSessionOctetsTx */ 2496 /* TODO: dot1xAuthSessionFramesRx */ 2497 /* TODO: dot1xAuthSessionFramesTx */ 2498 "dot1xAuthSessionId=%08X-%08X\n" 2499 "dot1xAuthSessionAuthenticMethod=%d\n" 2500 "dot1xAuthSessionTime=%u\n" 2501 "dot1xAuthSessionTerminateCause=999\n" 2502 "dot1xAuthSessionUserName=%s\n", 2503 sta->acct_session_id_hi, sta->acct_session_id_lo, 2504 (wpa_key_mgmt_wpa_ieee8021x( 2505 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2506 1 : 2, 2507 (unsigned int) diff.sec, 2508 sm->identity); 2509 if (os_snprintf_error(buflen - len, ret)) 2510 return len; 2511 len += ret; 2512 2513 if (sm->acct_multi_session_id_hi) { 2514 ret = os_snprintf(buf + len, buflen - len, 2515 "authMultiSessionId=%08X+%08X\n", 2516 sm->acct_multi_session_id_hi, 2517 sm->acct_multi_session_id_lo); 2518 if (os_snprintf_error(buflen - len, ret)) 2519 return len; 2520 len += ret; 2521 } 2522 2523 name1 = eap_server_get_name(0, sm->eap_type_authsrv); 2524 name2 = eap_server_get_name(0, sm->eap_type_supp); 2525 ret = os_snprintf(buf + len, buflen - len, 2526 "last_eap_type_as=%d (%s)\n" 2527 "last_eap_type_sta=%d (%s)\n", 2528 sm->eap_type_authsrv, name1, 2529 sm->eap_type_supp, name2); 2530 if (os_snprintf_error(buflen - len, ret)) 2531 return len; 2532 len += ret; 2533 2534 return len; 2535} 2536 2537 2538static void ieee802_1x_finished(struct hostapd_data *hapd, 2539 struct sta_info *sta, int success, 2540 int remediation) 2541{ 2542 const u8 *key; 2543 size_t len; 2544 /* TODO: get PMKLifetime from WPA parameters */ 2545 static const int dot11RSNAConfigPMKLifetime = 43200; 2546 unsigned int session_timeout; 2547 2548#ifdef CONFIG_HS20 2549 if (remediation && !sta->remediation) { 2550 sta->remediation = 1; 2551 os_free(sta->remediation_url); 2552 sta->remediation_url = 2553 os_strdup(hapd->conf->subscr_remediation_url); 2554 sta->remediation_method = 1; /* SOAP-XML SPP */ 2555 } 2556 2557 if (success) { 2558 if (sta->remediation) { 2559 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification " 2560 "to " MACSTR " to indicate Subscription " 2561 "Remediation", 2562 MAC2STR(sta->addr)); 2563 hs20_send_wnm_notification(hapd, sta->addr, 2564 sta->remediation_method, 2565 sta->remediation_url); 2566 os_free(sta->remediation_url); 2567 sta->remediation_url = NULL; 2568 } 2569 2570 if (sta->hs20_deauth_req) { 2571 wpa_printf(MSG_DEBUG, "HS 2.0: Send WNM-Notification " 2572 "to " MACSTR " to indicate imminent " 2573 "deauthentication", MAC2STR(sta->addr)); 2574 hs20_send_wnm_notification_deauth_req( 2575 hapd, sta->addr, sta->hs20_deauth_req); 2576 } 2577 } 2578#endif /* CONFIG_HS20 */ 2579 2580 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2581 if (sta->session_timeout_set) 2582 session_timeout = sta->session_timeout; 2583 else 2584 session_timeout = dot11RSNAConfigPMKLifetime; 2585 if (success && key && len >= PMK_LEN && !sta->remediation && 2586 !sta->hs20_deauth_requested && 2587 wpa_auth_pmksa_add(sta->wpa_sm, key, session_timeout, 2588 sta->eapol_sm) == 0) { 2589 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2590 HOSTAPD_LEVEL_DEBUG, 2591 "Added PMKSA cache entry (IEEE 802.1X)"); 2592 } 2593 2594 if (!success) { 2595 /* 2596 * Many devices require deauthentication after WPS provisioning 2597 * and some may not be be able to do that themselves, so 2598 * disconnect the client here. In addition, this may also 2599 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2600 * the EAPOL PAE state machine would remain in HELD state for 2601 * considerable amount of time and some EAP methods, like 2602 * EAP-FAST with anonymous provisioning, may require another 2603 * EAPOL authentication to be started to complete connection. 2604 */ 2605 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2606 "disconnection after EAP-Failure"); 2607 /* Add a small sleep to increase likelihood of previously 2608 * requested EAP-Failure TX getting out before this should the 2609 * driver reorder operations. 2610 */ 2611 os_sleep(0, 10000); 2612 ap_sta_disconnect(hapd, sta, sta->addr, 2613 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2614 hostapd_wps_eap_completed(hapd); 2615 } 2616} 2617