ieee802_1x.c revision 1f69aa52ea2e0a73ac502565df8c666ee49cab6a
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#include "utils/includes.h" 16 17#include "utils/common.h" 18#include "utils/eloop.h" 19#include "crypto/md5.h" 20#include "crypto/crypto.h" 21#include "crypto/random.h" 22#include "common/ieee802_11_defs.h" 23#include "radius/radius.h" 24#include "radius/radius_client.h" 25#include "eap_server/eap.h" 26#include "eap_common/eap_wsc_common.h" 27#include "eapol_auth/eapol_auth_sm.h" 28#include "eapol_auth/eapol_auth_sm_i.h" 29#include "p2p/p2p.h" 30#include "hostapd.h" 31#include "accounting.h" 32#include "sta_info.h" 33#include "wpa_auth.h" 34#include "preauth_auth.h" 35#include "pmksa_cache_auth.h" 36#include "ap_config.h" 37#include "ap_drv_ops.h" 38#include "ieee802_1x.h" 39 40 41static void ieee802_1x_finished(struct hostapd_data *hapd, 42 struct sta_info *sta, int success); 43 44 45static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 46 u8 type, const u8 *data, size_t datalen) 47{ 48 u8 *buf; 49 struct ieee802_1x_hdr *xhdr; 50 size_t len; 51 int encrypt = 0; 52 53 len = sizeof(*xhdr) + datalen; 54 buf = os_zalloc(len); 55 if (buf == NULL) { 56 wpa_printf(MSG_ERROR, "malloc() failed for " 57 "ieee802_1x_send(len=%lu)", 58 (unsigned long) len); 59 return; 60 } 61 62 xhdr = (struct ieee802_1x_hdr *) buf; 63 xhdr->version = hapd->conf->eapol_version; 64 xhdr->type = type; 65 xhdr->length = host_to_be16(datalen); 66 67 if (datalen > 0 && data != NULL) 68 os_memcpy(xhdr + 1, data, datalen); 69 70 if (wpa_auth_pairwise_set(sta->wpa_sm)) 71 encrypt = 1; 72 if (sta->flags & WLAN_STA_PREAUTH) { 73 rsn_preauth_send(hapd, sta, buf, len); 74 } else { 75 hostapd_drv_hapd_send_eapol(hapd, sta->addr, buf, len, 76 encrypt, sta->flags); 77 } 78 79 os_free(buf); 80} 81 82 83void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 84 struct sta_info *sta, int authorized) 85{ 86 int res; 87 88 if (sta->flags & WLAN_STA_PREAUTH) 89 return; 90 91 if (authorized) { 92 ap_sta_set_authorized(hapd, sta, 1); 93 res = hostapd_set_authorized(hapd, sta, 1); 94 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 95 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 96 } else { 97 ap_sta_set_authorized(hapd, sta, 0); 98 res = hostapd_set_authorized(hapd, sta, 0); 99 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 100 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 101 } 102 103 if (res && errno != ENOENT) { 104 printf("Could not set station " MACSTR " flags for kernel " 105 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 106 } 107 108 if (authorized) 109 accounting_sta_start(hapd, sta); 110} 111 112 113static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 114 struct sta_info *sta, 115 int idx, int broadcast, 116 u8 *key_data, size_t key_len) 117{ 118 u8 *buf, *ekey; 119 struct ieee802_1x_hdr *hdr; 120 struct ieee802_1x_eapol_key *key; 121 size_t len, ekey_len; 122 struct eapol_state_machine *sm = sta->eapol_sm; 123 124 if (sm == NULL) 125 return; 126 127 len = sizeof(*key) + key_len; 128 buf = os_zalloc(sizeof(*hdr) + len); 129 if (buf == NULL) 130 return; 131 132 hdr = (struct ieee802_1x_hdr *) buf; 133 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 134 key->type = EAPOL_KEY_TYPE_RC4; 135 key->key_length = htons(key_len); 136 wpa_get_ntp_timestamp(key->replay_counter); 137 138 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 139 wpa_printf(MSG_ERROR, "Could not get random numbers"); 140 os_free(buf); 141 return; 142 } 143 144 key->key_index = idx | (broadcast ? 0 : BIT(7)); 145 if (hapd->conf->eapol_key_index_workaround) { 146 /* According to some information, WinXP Supplicant seems to 147 * interpret bit7 as an indication whether the key is to be 148 * activated, so make it possible to enable workaround that 149 * sets this bit for all keys. */ 150 key->key_index |= BIT(7); 151 } 152 153 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 154 * MSK[32..63] is used to sign the message. */ 155 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 156 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 157 "and signing EAPOL-Key"); 158 os_free(buf); 159 return; 160 } 161 os_memcpy((u8 *) (key + 1), key_data, key_len); 162 ekey_len = sizeof(key->key_iv) + 32; 163 ekey = os_malloc(ekey_len); 164 if (ekey == NULL) { 165 wpa_printf(MSG_ERROR, "Could not encrypt key"); 166 os_free(buf); 167 return; 168 } 169 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 170 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 171 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 172 os_free(ekey); 173 174 /* This header is needed here for HMAC-MD5, but it will be regenerated 175 * in ieee802_1x_send() */ 176 hdr->version = hapd->conf->eapol_version; 177 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 178 hdr->length = host_to_be16(len); 179 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 180 key->key_signature); 181 182 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 183 " (%s index=%d)", MAC2STR(sm->addr), 184 broadcast ? "broadcast" : "unicast", idx); 185 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 186 if (sta->eapol_sm) 187 sta->eapol_sm->dot1xAuthEapolFramesTx++; 188 os_free(buf); 189} 190 191 192#ifndef CONFIG_NO_VLAN 193static struct hostapd_wep_keys * 194ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 195{ 196 struct hostapd_wep_keys *key; 197 198 key = os_zalloc(sizeof(*key)); 199 if (key == NULL) 200 return NULL; 201 202 key->default_len = hapd->conf->default_wep_key_len; 203 204 if (key->idx >= hapd->conf->broadcast_key_idx_max || 205 key->idx < hapd->conf->broadcast_key_idx_min) 206 key->idx = hapd->conf->broadcast_key_idx_min; 207 else 208 key->idx++; 209 210 if (!key->key[key->idx]) 211 key->key[key->idx] = os_malloc(key->default_len); 212 if (key->key[key->idx] == NULL || 213 random_get_bytes(key->key[key->idx], key->default_len)) { 214 printf("Could not generate random WEP key (dynamic VLAN).\n"); 215 os_free(key->key[key->idx]); 216 key->key[key->idx] = NULL; 217 os_free(key); 218 return NULL; 219 } 220 key->len[key->idx] = key->default_len; 221 222 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 223 ifname, key->idx); 224 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 225 key->key[key->idx], key->len[key->idx]); 226 227 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP, 228 broadcast_ether_addr, key->idx, 1, 229 NULL, 0, key->key[key->idx], 230 key->len[key->idx])) 231 printf("Could not set dynamic VLAN WEP encryption key.\n"); 232 233 hostapd_set_drv_ieee8021x(hapd, ifname, 1); 234 235 return key; 236} 237 238 239static struct hostapd_wep_keys * 240ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 241 size_t vlan_id) 242{ 243 const char *ifname; 244 245 if (vlan_id == 0) 246 return &ssid->wep; 247 248 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 249 ssid->dyn_vlan_keys[vlan_id]) 250 return ssid->dyn_vlan_keys[vlan_id]; 251 252 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 253 "state machine for VLAN ID %lu", 254 (unsigned long) vlan_id); 255 256 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 257 if (ifname == NULL) { 258 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 259 "cannot create group key state machine", 260 (unsigned long) vlan_id); 261 return NULL; 262 } 263 264 if (ssid->dyn_vlan_keys == NULL) { 265 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 266 ssid->dyn_vlan_keys = os_zalloc(size); 267 if (ssid->dyn_vlan_keys == NULL) 268 return NULL; 269 ssid->max_dyn_vlan_keys = vlan_id; 270 } 271 272 if (ssid->max_dyn_vlan_keys < vlan_id) { 273 struct hostapd_wep_keys **na; 274 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 275 na = os_realloc(ssid->dyn_vlan_keys, size); 276 if (na == NULL) 277 return NULL; 278 ssid->dyn_vlan_keys = na; 279 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 280 (vlan_id - ssid->max_dyn_vlan_keys) * 281 sizeof(ssid->dyn_vlan_keys[0])); 282 ssid->max_dyn_vlan_keys = vlan_id; 283 } 284 285 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 286 287 return ssid->dyn_vlan_keys[vlan_id]; 288} 289#endif /* CONFIG_NO_VLAN */ 290 291 292void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 293{ 294 struct eapol_authenticator *eapol = hapd->eapol_auth; 295 struct eapol_state_machine *sm = sta->eapol_sm; 296#ifndef CONFIG_NO_VLAN 297 struct hostapd_wep_keys *key = NULL; 298 int vlan_id; 299#endif /* CONFIG_NO_VLAN */ 300 301 if (sm == NULL || !sm->eap_if->eapKeyData) 302 return; 303 304 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 305 MAC2STR(sta->addr)); 306 307#ifndef CONFIG_NO_VLAN 308 vlan_id = sta->vlan_id; 309 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 310 vlan_id = 0; 311 312 if (vlan_id) { 313 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 314 if (key && key->key[key->idx]) 315 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 316 key->key[key->idx], 317 key->len[key->idx]); 318 } else 319#endif /* CONFIG_NO_VLAN */ 320 if (eapol->default_wep_key) { 321 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 322 eapol->default_wep_key, 323 hapd->conf->default_wep_key_len); 324 } 325 326 if (hapd->conf->individual_wep_key_len > 0) { 327 u8 *ikey; 328 ikey = os_malloc(hapd->conf->individual_wep_key_len); 329 if (ikey == NULL || 330 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 331 { 332 wpa_printf(MSG_ERROR, "Could not generate random " 333 "individual WEP key."); 334 os_free(ikey); 335 return; 336 } 337 338 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 339 ikey, hapd->conf->individual_wep_key_len); 340 341 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 342 hapd->conf->individual_wep_key_len); 343 344 /* TODO: set encryption in TX callback, i.e., only after STA 345 * has ACKed EAPOL-Key frame */ 346 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 347 sta->addr, 0, 1, NULL, 0, ikey, 348 hapd->conf->individual_wep_key_len)) { 349 wpa_printf(MSG_ERROR, "Could not set individual WEP " 350 "encryption."); 351 } 352 353 os_free(ikey); 354 } 355} 356 357 358const char *radius_mode_txt(struct hostapd_data *hapd) 359{ 360 switch (hapd->iface->conf->hw_mode) { 361 case HOSTAPD_MODE_IEEE80211A: 362 return "802.11a"; 363 case HOSTAPD_MODE_IEEE80211G: 364 return "802.11g"; 365 case HOSTAPD_MODE_IEEE80211B: 366 default: 367 return "802.11b"; 368 } 369} 370 371 372int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 373{ 374 int i; 375 u8 rate = 0; 376 377 for (i = 0; i < sta->supported_rates_len; i++) 378 if ((sta->supported_rates[i] & 0x7f) > rate) 379 rate = sta->supported_rates[i] & 0x7f; 380 381 return rate; 382} 383 384 385#ifndef CONFIG_NO_RADIUS 386static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 387 struct eapol_state_machine *sm, 388 const u8 *eap, size_t len) 389{ 390 const u8 *identity; 391 size_t identity_len; 392 393 if (len <= sizeof(struct eap_hdr) || 394 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 395 return; 396 397 identity = eap_get_identity(sm->eap, &identity_len); 398 if (identity == NULL) 399 return; 400 401 /* Save station identity for future RADIUS packets */ 402 os_free(sm->identity); 403 sm->identity = os_malloc(identity_len + 1); 404 if (sm->identity == NULL) { 405 sm->identity_len = 0; 406 return; 407 } 408 409 os_memcpy(sm->identity, identity, identity_len); 410 sm->identity_len = identity_len; 411 sm->identity[identity_len] = '\0'; 412 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 413 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 414 sm->dot1xAuthEapolRespIdFramesRx++; 415} 416 417 418static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 419 struct sta_info *sta, 420 const u8 *eap, size_t len) 421{ 422 struct radius_msg *msg; 423 char buf[128]; 424 struct eapol_state_machine *sm = sta->eapol_sm; 425 426 if (sm == NULL) 427 return; 428 429 ieee802_1x_learn_identity(hapd, sm, eap, len); 430 431 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 432 "packet"); 433 434 sm->radius_identifier = radius_client_get_id(hapd->radius); 435 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 436 sm->radius_identifier); 437 if (msg == NULL) { 438 printf("Could not create net RADIUS packet\n"); 439 return; 440 } 441 442 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 443 444 if (sm->identity && 445 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 446 sm->identity, sm->identity_len)) { 447 printf("Could not add User-Name\n"); 448 goto fail; 449 } 450 451 if (hapd->conf->own_ip_addr.af == AF_INET && 452 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 453 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 454 printf("Could not add NAS-IP-Address\n"); 455 goto fail; 456 } 457 458#ifdef CONFIG_IPV6 459 if (hapd->conf->own_ip_addr.af == AF_INET6 && 460 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 461 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 462 printf("Could not add NAS-IPv6-Address\n"); 463 goto fail; 464 } 465#endif /* CONFIG_IPV6 */ 466 467 if (hapd->conf->nas_identifier && 468 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 469 (u8 *) hapd->conf->nas_identifier, 470 os_strlen(hapd->conf->nas_identifier))) { 471 printf("Could not add NAS-Identifier\n"); 472 goto fail; 473 } 474 475 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 476 printf("Could not add NAS-Port\n"); 477 goto fail; 478 } 479 480 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 481 MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid); 482 buf[sizeof(buf) - 1] = '\0'; 483 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 484 (u8 *) buf, os_strlen(buf))) { 485 printf("Could not add Called-Station-Id\n"); 486 goto fail; 487 } 488 489 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 490 MAC2STR(sta->addr)); 491 buf[sizeof(buf) - 1] = '\0'; 492 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 493 (u8 *) buf, os_strlen(buf))) { 494 printf("Could not add Calling-Station-Id\n"); 495 goto fail; 496 } 497 498 /* TODO: should probably check MTU from driver config; 2304 is max for 499 * IEEE 802.11, but use 1400 to avoid problems with too large packets 500 */ 501 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 502 printf("Could not add Framed-MTU\n"); 503 goto fail; 504 } 505 506 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 507 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 508 printf("Could not add NAS-Port-Type\n"); 509 goto fail; 510 } 511 512 if (sta->flags & WLAN_STA_PREAUTH) { 513 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 514 sizeof(buf)); 515 } else { 516 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 517 radius_sta_rate(hapd, sta) / 2, 518 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 519 radius_mode_txt(hapd)); 520 buf[sizeof(buf) - 1] = '\0'; 521 } 522 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 523 (u8 *) buf, os_strlen(buf))) { 524 printf("Could not add Connect-Info\n"); 525 goto fail; 526 } 527 528 if (eap && !radius_msg_add_eap(msg, eap, len)) { 529 printf("Could not add EAP-Message\n"); 530 goto fail; 531 } 532 533 /* State attribute must be copied if and only if this packet is 534 * Access-Request reply to the previous Access-Challenge */ 535 if (sm->last_recv_radius && 536 radius_msg_get_hdr(sm->last_recv_radius)->code == 537 RADIUS_CODE_ACCESS_CHALLENGE) { 538 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 539 RADIUS_ATTR_STATE); 540 if (res < 0) { 541 printf("Could not copy State attribute from previous " 542 "Access-Challenge\n"); 543 goto fail; 544 } 545 if (res > 0) { 546 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 547 } 548 } 549 550 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 551 goto fail; 552 553 return; 554 555 fail: 556 radius_msg_free(msg); 557} 558#endif /* CONFIG_NO_RADIUS */ 559 560 561static void handle_eap_response(struct hostapd_data *hapd, 562 struct sta_info *sta, struct eap_hdr *eap, 563 size_t len) 564{ 565 u8 type, *data; 566 struct eapol_state_machine *sm = sta->eapol_sm; 567 if (sm == NULL) 568 return; 569 570 data = (u8 *) (eap + 1); 571 572 if (len < sizeof(*eap) + 1) { 573 printf("handle_eap_response: too short response data\n"); 574 return; 575 } 576 577 sm->eap_type_supp = type = data[0]; 578 579 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 580 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 581 "id=%d len=%d) from STA: EAP Response-%s (%d)", 582 eap->code, eap->identifier, be_to_host16(eap->length), 583 eap_server_get_name(0, type), type); 584 585 sm->dot1xAuthEapolRespFramesRx++; 586 587 wpabuf_free(sm->eap_if->eapRespData); 588 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 589 sm->eapolEap = TRUE; 590} 591 592 593/* Process incoming EAP packet from Supplicant */ 594static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 595 u8 *buf, size_t len) 596{ 597 struct eap_hdr *eap; 598 u16 eap_len; 599 600 if (len < sizeof(*eap)) { 601 printf(" too short EAP packet\n"); 602 return; 603 } 604 605 eap = (struct eap_hdr *) buf; 606 607 eap_len = be_to_host16(eap->length); 608 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 609 eap->code, eap->identifier, eap_len); 610 if (eap_len < sizeof(*eap)) { 611 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 612 return; 613 } else if (eap_len > len) { 614 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 615 "packet"); 616 return; 617 } else if (eap_len < len) { 618 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 619 "packet", (unsigned long) len - eap_len); 620 } 621 622 switch (eap->code) { 623 case EAP_CODE_REQUEST: 624 wpa_printf(MSG_DEBUG, " (request)"); 625 return; 626 case EAP_CODE_RESPONSE: 627 wpa_printf(MSG_DEBUG, " (response)"); 628 handle_eap_response(hapd, sta, eap, eap_len); 629 break; 630 case EAP_CODE_SUCCESS: 631 wpa_printf(MSG_DEBUG, " (success)"); 632 return; 633 case EAP_CODE_FAILURE: 634 wpa_printf(MSG_DEBUG, " (failure)"); 635 return; 636 default: 637 wpa_printf(MSG_DEBUG, " (unknown code)"); 638 return; 639 } 640} 641 642 643static struct eapol_state_machine * 644ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 645{ 646 int flags = 0; 647 if (sta->flags & WLAN_STA_PREAUTH) 648 flags |= EAPOL_SM_PREAUTH; 649 if (sta->wpa_sm) { 650 flags |= EAPOL_SM_USES_WPA; 651 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 652 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 653 } 654 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 655 sta->wps_ie, sta->p2p_ie, sta); 656} 657 658 659/** 660 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 661 * @hapd: hostapd BSS data 662 * @sa: Source address (sender of the EAPOL frame) 663 * @buf: EAPOL frame 664 * @len: Length of buf in octets 665 * 666 * This function is called for each incoming EAPOL frame from the interface 667 */ 668void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 669 size_t len) 670{ 671 struct sta_info *sta; 672 struct ieee802_1x_hdr *hdr; 673 struct ieee802_1x_eapol_key *key; 674 u16 datalen; 675 struct rsn_pmksa_cache_entry *pmksa; 676 int key_mgmt; 677 678 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 679 !hapd->conf->wps_state) 680 return; 681 682 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 683 (unsigned long) len, MAC2STR(sa)); 684 sta = ap_get_sta(hapd, sa); 685 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 686 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 687 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 688 "associated/Pre-authenticating STA"); 689 return; 690 } 691 692 if (len < sizeof(*hdr)) { 693 printf(" too short IEEE 802.1X packet\n"); 694 return; 695 } 696 697 hdr = (struct ieee802_1x_hdr *) buf; 698 datalen = be_to_host16(hdr->length); 699 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 700 hdr->version, hdr->type, datalen); 701 702 if (len - sizeof(*hdr) < datalen) { 703 printf(" frame too short for this IEEE 802.1X packet\n"); 704 if (sta->eapol_sm) 705 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 706 return; 707 } 708 if (len - sizeof(*hdr) > datalen) { 709 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 710 "IEEE 802.1X packet", 711 (unsigned long) len - sizeof(*hdr) - datalen); 712 } 713 714 if (sta->eapol_sm) { 715 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 716 sta->eapol_sm->dot1xAuthEapolFramesRx++; 717 } 718 719 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 720 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 721 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 722 (key->type == EAPOL_KEY_TYPE_WPA || 723 key->type == EAPOL_KEY_TYPE_RSN)) { 724 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 725 sizeof(*hdr) + datalen); 726 return; 727 } 728 729 if (!hapd->conf->ieee802_1x && 730 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 731 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 732 "802.1X not enabled and WPS not used"); 733 return; 734 } 735 736 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 737 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 738 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 739 "STA is using PSK"); 740 return; 741 } 742 743 if (!sta->eapol_sm) { 744 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 745 if (!sta->eapol_sm) 746 return; 747 748#ifdef CONFIG_WPS 749 if (!hapd->conf->ieee802_1x) { 750 u32 wflags = sta->flags & (WLAN_STA_WPS | 751 WLAN_STA_WPS2 | 752 WLAN_STA_MAYBE_WPS); 753 if (wflags == WLAN_STA_MAYBE_WPS || 754 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 755 /* 756 * Delay EAPOL frame transmission until a 757 * possible WPS STA initiates the handshake 758 * with EAPOL-Start. Only allow the wait to be 759 * skipped if the STA is known to support WPS 760 * 2.0. 761 */ 762 wpa_printf(MSG_DEBUG, "WPS: Do not start " 763 "EAPOL until EAPOL-Start is " 764 "received"); 765 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 766 } 767 } 768#endif /* CONFIG_WPS */ 769 770 sta->eapol_sm->eap_if->portEnabled = TRUE; 771 } 772 773 /* since we support version 1, we can ignore version field and proceed 774 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 775 /* TODO: actually, we are not version 1 anymore.. However, Version 2 776 * does not change frame contents, so should be ok to process frames 777 * more or less identically. Some changes might be needed for 778 * verification of fields. */ 779 780 switch (hdr->type) { 781 case IEEE802_1X_TYPE_EAP_PACKET: 782 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 783 break; 784 785 case IEEE802_1X_TYPE_EAPOL_START: 786 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 787 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 788 "from STA"); 789 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 790 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 791 if (pmksa) { 792 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 793 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 794 "available - ignore it since " 795 "STA sent EAPOL-Start"); 796 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 797 } 798 sta->eapol_sm->eapolStart = TRUE; 799 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 800 eap_server_clear_identity(sta->eapol_sm->eap); 801 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 802 break; 803 804 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 805 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 806 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 807 "from STA"); 808 sta->acct_terminate_cause = 809 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 810 accounting_sta_stop(hapd, sta); 811 sta->eapol_sm->eapolLogoff = TRUE; 812 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 813 eap_server_clear_identity(sta->eapol_sm->eap); 814 break; 815 816 case IEEE802_1X_TYPE_EAPOL_KEY: 817 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 818 if (!ap_sta_is_authorized(sta)) { 819 wpa_printf(MSG_DEBUG, " Dropped key data from " 820 "unauthorized Supplicant"); 821 break; 822 } 823 break; 824 825 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 826 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 827 /* TODO: implement support for this; show data */ 828 break; 829 830 default: 831 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 832 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 833 break; 834 } 835 836 eapol_auth_step(sta->eapol_sm); 837} 838 839 840/** 841 * ieee802_1x_new_station - Start IEEE 802.1X authentication 842 * @hapd: hostapd BSS data 843 * @sta: The station 844 * 845 * This function is called to start IEEE 802.1X authentication when a new 846 * station completes IEEE 802.11 association. 847 */ 848void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 849{ 850 struct rsn_pmksa_cache_entry *pmksa; 851 int reassoc = 1; 852 int force_1x = 0; 853 int key_mgmt; 854 855#ifdef CONFIG_WPS 856 if (hapd->conf->wps_state && hapd->conf->wpa && 857 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 858 /* 859 * Need to enable IEEE 802.1X/EAPOL state machines for possible 860 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 861 * authentication in this BSS. 862 */ 863 force_1x = 1; 864 } 865#endif /* CONFIG_WPS */ 866 867 if (!force_1x && !hapd->conf->ieee802_1x) { 868 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 869 "802.1X not enabled or forced for WPS"); 870 return; 871 } 872 873 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 874 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 875 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 876 return; 877 } 878 879 if (sta->eapol_sm == NULL) { 880 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 881 HOSTAPD_LEVEL_DEBUG, "start authentication"); 882 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 883 if (sta->eapol_sm == NULL) { 884 hostapd_logger(hapd, sta->addr, 885 HOSTAPD_MODULE_IEEE8021X, 886 HOSTAPD_LEVEL_INFO, 887 "failed to allocate state machine"); 888 return; 889 } 890 reassoc = 0; 891 } 892 893#ifdef CONFIG_WPS 894 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 895 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS2)) { 896 /* 897 * Delay EAPOL frame transmission until a possible WPS STA 898 * initiates the handshake with EAPOL-Start. Only allow the 899 * wait to be skipped if the STA is known to support WPS 2.0. 900 */ 901 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 902 "EAPOL-Start is received"); 903 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 904 } 905#endif /* CONFIG_WPS */ 906 907 sta->eapol_sm->eap_if->portEnabled = TRUE; 908 909#ifdef CONFIG_IEEE80211R 910 if (sta->auth_alg == WLAN_AUTH_FT) { 911 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 912 HOSTAPD_LEVEL_DEBUG, 913 "PMK from FT - skip IEEE 802.1X/EAP"); 914 /* Setup EAPOL state machines to already authenticated state 915 * because of existing FT information from R0KH. */ 916 sta->eapol_sm->keyRun = TRUE; 917 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 918 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 919 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 920 sta->eapol_sm->authSuccess = TRUE; 921 if (sta->eapol_sm->eap) 922 eap_sm_notify_cached(sta->eapol_sm->eap); 923 /* TODO: get vlan_id from R0KH using RRB message */ 924 return; 925 } 926#endif /* CONFIG_IEEE80211R */ 927 928 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 929 if (pmksa) { 930 int old_vlanid; 931 932 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 933 HOSTAPD_LEVEL_DEBUG, 934 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 935 /* Setup EAPOL state machines to already authenticated state 936 * because of existing PMKSA information in the cache. */ 937 sta->eapol_sm->keyRun = TRUE; 938 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 939 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 940 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 941 sta->eapol_sm->authSuccess = TRUE; 942 if (sta->eapol_sm->eap) 943 eap_sm_notify_cached(sta->eapol_sm->eap); 944 old_vlanid = sta->vlan_id; 945 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 946 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 947 sta->vlan_id = 0; 948 ap_sta_bind_vlan(hapd, sta, old_vlanid); 949 } else { 950 if (reassoc) { 951 /* 952 * Force EAPOL state machines to start 953 * re-authentication without having to wait for the 954 * Supplicant to send EAPOL-Start. 955 */ 956 sta->eapol_sm->reAuthenticate = TRUE; 957 } 958 eapol_auth_step(sta->eapol_sm); 959 } 960} 961 962 963void ieee802_1x_free_station(struct sta_info *sta) 964{ 965 struct eapol_state_machine *sm = sta->eapol_sm; 966 967 if (sm == NULL) 968 return; 969 970 sta->eapol_sm = NULL; 971 972#ifndef CONFIG_NO_RADIUS 973 radius_msg_free(sm->last_recv_radius); 974 radius_free_class(&sm->radius_class); 975#endif /* CONFIG_NO_RADIUS */ 976 977 os_free(sm->identity); 978 eapol_auth_free(sm); 979} 980 981 982#ifndef CONFIG_NO_RADIUS 983static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 984 struct sta_info *sta) 985{ 986 u8 *eap; 987 size_t len; 988 struct eap_hdr *hdr; 989 int eap_type = -1; 990 char buf[64]; 991 struct radius_msg *msg; 992 struct eapol_state_machine *sm = sta->eapol_sm; 993 994 if (sm == NULL || sm->last_recv_radius == NULL) { 995 if (sm) 996 sm->eap_if->aaaEapNoReq = TRUE; 997 return; 998 } 999 1000 msg = sm->last_recv_radius; 1001 1002 eap = radius_msg_get_eap(msg, &len); 1003 if (eap == NULL) { 1004 /* RFC 3579, Chap. 2.6.3: 1005 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1006 * attribute */ 1007 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1008 HOSTAPD_LEVEL_WARNING, "could not extract " 1009 "EAP-Message from RADIUS message"); 1010 sm->eap_if->aaaEapNoReq = TRUE; 1011 return; 1012 } 1013 1014 if (len < sizeof(*hdr)) { 1015 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1016 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1017 "received from authentication server"); 1018 os_free(eap); 1019 sm->eap_if->aaaEapNoReq = TRUE; 1020 return; 1021 } 1022 1023 if (len > sizeof(*hdr)) 1024 eap_type = eap[sizeof(*hdr)]; 1025 1026 hdr = (struct eap_hdr *) eap; 1027 switch (hdr->code) { 1028 case EAP_CODE_REQUEST: 1029 if (eap_type >= 0) 1030 sm->eap_type_authsrv = eap_type; 1031 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1032 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1033 "??", 1034 eap_type); 1035 break; 1036 case EAP_CODE_RESPONSE: 1037 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1038 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1039 "??", 1040 eap_type); 1041 break; 1042 case EAP_CODE_SUCCESS: 1043 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1044 break; 1045 case EAP_CODE_FAILURE: 1046 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1047 break; 1048 default: 1049 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1050 break; 1051 } 1052 buf[sizeof(buf) - 1] = '\0'; 1053 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1054 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1055 "id=%d len=%d) from RADIUS server: %s", 1056 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1057 buf); 1058 sm->eap_if->aaaEapReq = TRUE; 1059 1060 wpabuf_free(sm->eap_if->aaaEapReqData); 1061 sm->eap_if->aaaEapReqData = wpabuf_alloc_ext_data(eap, len); 1062} 1063 1064 1065static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1066 struct sta_info *sta, struct radius_msg *msg, 1067 struct radius_msg *req, 1068 const u8 *shared_secret, 1069 size_t shared_secret_len) 1070{ 1071 struct radius_ms_mppe_keys *keys; 1072 struct eapol_state_machine *sm = sta->eapol_sm; 1073 if (sm == NULL) 1074 return; 1075 1076 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1077 shared_secret_len); 1078 1079 if (keys && keys->send && keys->recv) { 1080 size_t len = keys->send_len + keys->recv_len; 1081 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1082 keys->send, keys->send_len); 1083 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1084 keys->recv, keys->recv_len); 1085 1086 os_free(sm->eap_if->aaaEapKeyData); 1087 sm->eap_if->aaaEapKeyData = os_malloc(len); 1088 if (sm->eap_if->aaaEapKeyData) { 1089 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1090 keys->recv_len); 1091 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1092 keys->send, keys->send_len); 1093 sm->eap_if->aaaEapKeyDataLen = len; 1094 sm->eap_if->aaaEapKeyAvailable = TRUE; 1095 } 1096 } 1097 1098 if (keys) { 1099 os_free(keys->send); 1100 os_free(keys->recv); 1101 os_free(keys); 1102 } 1103} 1104 1105 1106static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1107 struct sta_info *sta, 1108 struct radius_msg *msg) 1109{ 1110 u8 *class; 1111 size_t class_len; 1112 struct eapol_state_machine *sm = sta->eapol_sm; 1113 int count, i; 1114 struct radius_attr_data *nclass; 1115 size_t nclass_count; 1116 1117 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1118 sm == NULL) 1119 return; 1120 1121 radius_free_class(&sm->radius_class); 1122 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1123 if (count <= 0) 1124 return; 1125 1126 nclass = os_zalloc(count * sizeof(struct radius_attr_data)); 1127 if (nclass == NULL) 1128 return; 1129 1130 nclass_count = 0; 1131 1132 class = NULL; 1133 for (i = 0; i < count; i++) { 1134 do { 1135 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1136 &class, &class_len, 1137 class) < 0) { 1138 i = count; 1139 break; 1140 } 1141 } while (class_len < 1); 1142 1143 nclass[nclass_count].data = os_malloc(class_len); 1144 if (nclass[nclass_count].data == NULL) 1145 break; 1146 1147 os_memcpy(nclass[nclass_count].data, class, class_len); 1148 nclass[nclass_count].len = class_len; 1149 nclass_count++; 1150 } 1151 1152 sm->radius_class.attr = nclass; 1153 sm->radius_class.count = nclass_count; 1154 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1155 "attributes for " MACSTR, 1156 (unsigned long) sm->radius_class.count, 1157 MAC2STR(sta->addr)); 1158} 1159 1160 1161/* Update sta->identity based on User-Name attribute in Access-Accept */ 1162static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1163 struct sta_info *sta, 1164 struct radius_msg *msg) 1165{ 1166 u8 *buf, *identity; 1167 size_t len; 1168 struct eapol_state_machine *sm = sta->eapol_sm; 1169 1170 if (sm == NULL) 1171 return; 1172 1173 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1174 NULL) < 0) 1175 return; 1176 1177 identity = os_malloc(len + 1); 1178 if (identity == NULL) 1179 return; 1180 1181 os_memcpy(identity, buf, len); 1182 identity[len] = '\0'; 1183 1184 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1185 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1186 "User-Name from Access-Accept '%s'", 1187 sm->identity ? (char *) sm->identity : "N/A", 1188 (char *) identity); 1189 1190 os_free(sm->identity); 1191 sm->identity = identity; 1192 sm->identity_len = len; 1193} 1194 1195 1196struct sta_id_search { 1197 u8 identifier; 1198 struct eapol_state_machine *sm; 1199}; 1200 1201 1202static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1203 struct sta_info *sta, 1204 void *ctx) 1205{ 1206 struct sta_id_search *id_search = ctx; 1207 struct eapol_state_machine *sm = sta->eapol_sm; 1208 1209 if (sm && sm->radius_identifier >= 0 && 1210 sm->radius_identifier == id_search->identifier) { 1211 id_search->sm = sm; 1212 return 1; 1213 } 1214 return 0; 1215} 1216 1217 1218static struct eapol_state_machine * 1219ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1220{ 1221 struct sta_id_search id_search; 1222 id_search.identifier = identifier; 1223 id_search.sm = NULL; 1224 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1225 return id_search.sm; 1226} 1227 1228 1229/** 1230 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1231 * @msg: RADIUS response message 1232 * @req: RADIUS request message 1233 * @shared_secret: RADIUS shared secret 1234 * @shared_secret_len: Length of shared_secret in octets 1235 * @data: Context data (struct hostapd_data *) 1236 * Returns: Processing status 1237 */ 1238static RadiusRxResult 1239ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1240 const u8 *shared_secret, size_t shared_secret_len, 1241 void *data) 1242{ 1243 struct hostapd_data *hapd = data; 1244 struct sta_info *sta; 1245 u32 session_timeout = 0, termination_action, acct_interim_interval; 1246 int session_timeout_set, old_vlanid = 0; 1247 struct eapol_state_machine *sm; 1248 int override_eapReq = 0; 1249 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1250 1251 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1252 if (sm == NULL) { 1253 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1254 "station for this RADIUS message"); 1255 return RADIUS_RX_UNKNOWN; 1256 } 1257 sta = sm->sta; 1258 1259 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1260 * present when packet contains an EAP-Message attribute */ 1261 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1262 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1263 0) < 0 && 1264 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1265 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1266 "Message-Authenticator since it does not include " 1267 "EAP-Message"); 1268 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1269 req, 1)) { 1270 printf("Incoming RADIUS packet did not have correct " 1271 "Message-Authenticator - dropped\n"); 1272 return RADIUS_RX_INVALID_AUTHENTICATOR; 1273 } 1274 1275 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1276 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1277 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1278 printf("Unknown RADIUS message code\n"); 1279 return RADIUS_RX_UNKNOWN; 1280 } 1281 1282 sm->radius_identifier = -1; 1283 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1284 MAC2STR(sta->addr)); 1285 1286 radius_msg_free(sm->last_recv_radius); 1287 sm->last_recv_radius = msg; 1288 1289 session_timeout_set = 1290 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1291 &session_timeout); 1292 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1293 &termination_action)) 1294 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1295 1296 if (hapd->conf->acct_interim_interval == 0 && 1297 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1298 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1299 &acct_interim_interval) == 0) { 1300 if (acct_interim_interval < 60) { 1301 hostapd_logger(hapd, sta->addr, 1302 HOSTAPD_MODULE_IEEE8021X, 1303 HOSTAPD_LEVEL_INFO, 1304 "ignored too small " 1305 "Acct-Interim-Interval %d", 1306 acct_interim_interval); 1307 } else 1308 sta->acct_interim_interval = acct_interim_interval; 1309 } 1310 1311 1312 switch (hdr->code) { 1313 case RADIUS_CODE_ACCESS_ACCEPT: 1314 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1315 sta->vlan_id = 0; 1316#ifndef CONFIG_NO_VLAN 1317 else { 1318 old_vlanid = sta->vlan_id; 1319 sta->vlan_id = radius_msg_get_vlanid(msg); 1320 } 1321 if (sta->vlan_id > 0 && 1322 hostapd_get_vlan_id_ifname(hapd->conf->vlan, 1323 sta->vlan_id)) { 1324 hostapd_logger(hapd, sta->addr, 1325 HOSTAPD_MODULE_RADIUS, 1326 HOSTAPD_LEVEL_INFO, 1327 "VLAN ID %d", sta->vlan_id); 1328 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1329 sta->eapol_sm->authFail = TRUE; 1330 hostapd_logger(hapd, sta->addr, 1331 HOSTAPD_MODULE_IEEE8021X, 1332 HOSTAPD_LEVEL_INFO, "authentication " 1333 "server did not include required VLAN " 1334 "ID in Access-Accept"); 1335 break; 1336 } 1337#endif /* CONFIG_NO_VLAN */ 1338 1339 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1340 break; 1341 1342 /* RFC 3580, Ch. 3.17 */ 1343 if (session_timeout_set && termination_action == 1344 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1345 sm->reAuthPeriod = session_timeout; 1346 } else if (session_timeout_set) 1347 ap_sta_session_timeout(hapd, sta, session_timeout); 1348 1349 sm->eap_if->aaaSuccess = TRUE; 1350 override_eapReq = 1; 1351 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1352 shared_secret_len); 1353 ieee802_1x_store_radius_class(hapd, sta, msg); 1354 ieee802_1x_update_sta_identity(hapd, sta, msg); 1355 if (sm->eap_if->eapKeyAvailable && 1356 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1357 session_timeout_set ? 1358 (int) session_timeout : -1, sm) == 0) { 1359 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1360 HOSTAPD_LEVEL_DEBUG, 1361 "Added PMKSA cache entry"); 1362 } 1363 break; 1364 case RADIUS_CODE_ACCESS_REJECT: 1365 sm->eap_if->aaaFail = TRUE; 1366 override_eapReq = 1; 1367 break; 1368 case RADIUS_CODE_ACCESS_CHALLENGE: 1369 sm->eap_if->aaaEapReq = TRUE; 1370 if (session_timeout_set) { 1371 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1372 sm->eap_if->aaaMethodTimeout = session_timeout; 1373 hostapd_logger(hapd, sm->addr, 1374 HOSTAPD_MODULE_IEEE8021X, 1375 HOSTAPD_LEVEL_DEBUG, 1376 "using EAP timeout of %d seconds (from " 1377 "RADIUS)", 1378 sm->eap_if->aaaMethodTimeout); 1379 } else { 1380 /* 1381 * Use dynamic retransmission behavior per EAP 1382 * specification. 1383 */ 1384 sm->eap_if->aaaMethodTimeout = 0; 1385 } 1386 break; 1387 } 1388 1389 ieee802_1x_decapsulate_radius(hapd, sta); 1390 if (override_eapReq) 1391 sm->eap_if->aaaEapReq = FALSE; 1392 1393 eapol_auth_step(sm); 1394 1395 return RADIUS_RX_QUEUED; 1396} 1397#endif /* CONFIG_NO_RADIUS */ 1398 1399 1400void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1401{ 1402 struct eapol_state_machine *sm = sta->eapol_sm; 1403 if (sm == NULL) 1404 return; 1405 1406 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1407 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1408 1409#ifndef CONFIG_NO_RADIUS 1410 radius_msg_free(sm->last_recv_radius); 1411 sm->last_recv_radius = NULL; 1412#endif /* CONFIG_NO_RADIUS */ 1413 1414 if (sm->eap_if->eapTimeout) { 1415 /* 1416 * Disconnect the STA since it did not reply to the last EAP 1417 * request and we cannot continue EAP processing (EAP-Failure 1418 * could only be sent if the EAP peer actually replied). 1419 */ 1420 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1421 MAC2STR(sta->addr)); 1422 1423 sm->eap_if->portEnabled = FALSE; 1424 ap_sta_disconnect(hapd, sta, sta->addr, 1425 WLAN_REASON_PREV_AUTH_NOT_VALID); 1426 } 1427} 1428 1429 1430static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1431{ 1432 struct eapol_authenticator *eapol = hapd->eapol_auth; 1433 1434 if (hapd->conf->default_wep_key_len < 1) 1435 return 0; 1436 1437 os_free(eapol->default_wep_key); 1438 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1439 if (eapol->default_wep_key == NULL || 1440 random_get_bytes(eapol->default_wep_key, 1441 hapd->conf->default_wep_key_len)) { 1442 printf("Could not generate random WEP key.\n"); 1443 os_free(eapol->default_wep_key); 1444 eapol->default_wep_key = NULL; 1445 return -1; 1446 } 1447 1448 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1449 eapol->default_wep_key, 1450 hapd->conf->default_wep_key_len); 1451 1452 return 0; 1453} 1454 1455 1456static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1457 struct sta_info *sta, void *ctx) 1458{ 1459 if (sta->eapol_sm) { 1460 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1461 eapol_auth_step(sta->eapol_sm); 1462 } 1463 return 0; 1464} 1465 1466 1467static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1468{ 1469 struct hostapd_data *hapd = eloop_ctx; 1470 struct eapol_authenticator *eapol = hapd->eapol_auth; 1471 1472 if (eapol->default_wep_key_idx >= 3) 1473 eapol->default_wep_key_idx = 1474 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1475 else 1476 eapol->default_wep_key_idx++; 1477 1478 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1479 eapol->default_wep_key_idx); 1480 1481 if (ieee802_1x_rekey_broadcast(hapd)) { 1482 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1483 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1484 "new broadcast key"); 1485 os_free(eapol->default_wep_key); 1486 eapol->default_wep_key = NULL; 1487 return; 1488 } 1489 1490 /* TODO: Could setup key for RX here, but change default TX keyid only 1491 * after new broadcast key has been sent to all stations. */ 1492 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1493 broadcast_ether_addr, 1494 eapol->default_wep_key_idx, 1, NULL, 0, 1495 eapol->default_wep_key, 1496 hapd->conf->default_wep_key_len)) { 1497 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1498 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1499 "new broadcast key"); 1500 os_free(eapol->default_wep_key); 1501 eapol->default_wep_key = NULL; 1502 return; 1503 } 1504 1505 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1506 1507 if (hapd->conf->wep_rekeying_period > 0) { 1508 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1509 ieee802_1x_rekey, hapd, NULL); 1510 } 1511} 1512 1513 1514static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1515 const u8 *data, size_t datalen) 1516{ 1517#ifdef CONFIG_WPS 1518 struct sta_info *sta = sta_ctx; 1519 1520 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1521 WLAN_STA_MAYBE_WPS) { 1522 const u8 *identity; 1523 size_t identity_len; 1524 struct eapol_state_machine *sm = sta->eapol_sm; 1525 1526 identity = eap_get_identity(sm->eap, &identity_len); 1527 if (identity && 1528 ((identity_len == WSC_ID_ENROLLEE_LEN && 1529 os_memcmp(identity, WSC_ID_ENROLLEE, 1530 WSC_ID_ENROLLEE_LEN) == 0) || 1531 (identity_len == WSC_ID_REGISTRAR_LEN && 1532 os_memcmp(identity, WSC_ID_REGISTRAR, 1533 WSC_ID_REGISTRAR_LEN) == 0))) { 1534 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1535 "WLAN_STA_WPS"); 1536 sta->flags |= WLAN_STA_WPS; 1537 } 1538 } 1539#endif /* CONFIG_WPS */ 1540 1541 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1542} 1543 1544 1545static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1546 const u8 *data, size_t datalen) 1547{ 1548#ifndef CONFIG_NO_RADIUS 1549 struct hostapd_data *hapd = ctx; 1550 struct sta_info *sta = sta_ctx; 1551 1552 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1553#endif /* CONFIG_NO_RADIUS */ 1554} 1555 1556 1557static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1558 int preauth) 1559{ 1560 struct hostapd_data *hapd = ctx; 1561 struct sta_info *sta = sta_ctx; 1562 if (preauth) 1563 rsn_preauth_finished(hapd, sta, success); 1564 else 1565 ieee802_1x_finished(hapd, sta, success); 1566} 1567 1568 1569static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1570 size_t identity_len, int phase2, 1571 struct eap_user *user) 1572{ 1573 struct hostapd_data *hapd = ctx; 1574 const struct hostapd_eap_user *eap_user; 1575 int i; 1576 1577 eap_user = hostapd_get_eap_user(hapd->conf, identity, 1578 identity_len, phase2); 1579 if (eap_user == NULL) 1580 return -1; 1581 1582 os_memset(user, 0, sizeof(*user)); 1583 user->phase2 = phase2; 1584 for (i = 0; i < EAP_MAX_METHODS; i++) { 1585 user->methods[i].vendor = eap_user->methods[i].vendor; 1586 user->methods[i].method = eap_user->methods[i].method; 1587 } 1588 1589 if (eap_user->password) { 1590 user->password = os_malloc(eap_user->password_len); 1591 if (user->password == NULL) 1592 return -1; 1593 os_memcpy(user->password, eap_user->password, 1594 eap_user->password_len); 1595 user->password_len = eap_user->password_len; 1596 user->password_hash = eap_user->password_hash; 1597 } 1598 user->force_version = eap_user->force_version; 1599 user->ttls_auth = eap_user->ttls_auth; 1600 1601 return 0; 1602} 1603 1604 1605static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1606{ 1607 struct hostapd_data *hapd = ctx; 1608 struct sta_info *sta; 1609 sta = ap_get_sta(hapd, addr); 1610 if (sta == NULL || sta->eapol_sm == NULL) 1611 return 0; 1612 return 1; 1613} 1614 1615 1616static void ieee802_1x_logger(void *ctx, const u8 *addr, 1617 eapol_logger_level level, const char *txt) 1618{ 1619#ifndef CONFIG_NO_HOSTAPD_LOGGER 1620 struct hostapd_data *hapd = ctx; 1621 int hlevel; 1622 1623 switch (level) { 1624 case EAPOL_LOGGER_WARNING: 1625 hlevel = HOSTAPD_LEVEL_WARNING; 1626 break; 1627 case EAPOL_LOGGER_INFO: 1628 hlevel = HOSTAPD_LEVEL_INFO; 1629 break; 1630 case EAPOL_LOGGER_DEBUG: 1631 default: 1632 hlevel = HOSTAPD_LEVEL_DEBUG; 1633 break; 1634 } 1635 1636 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1637 txt); 1638#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1639} 1640 1641 1642static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1643 int authorized) 1644{ 1645 struct hostapd_data *hapd = ctx; 1646 struct sta_info *sta = sta_ctx; 1647 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1648} 1649 1650 1651static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1652{ 1653 struct hostapd_data *hapd = ctx; 1654 struct sta_info *sta = sta_ctx; 1655 ieee802_1x_abort_auth(hapd, sta); 1656} 1657 1658 1659static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1660{ 1661 struct hostapd_data *hapd = ctx; 1662 struct sta_info *sta = sta_ctx; 1663 ieee802_1x_tx_key(hapd, sta); 1664} 1665 1666 1667static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1668 enum eapol_event type) 1669{ 1670 /* struct hostapd_data *hapd = ctx; */ 1671 struct sta_info *sta = sta_ctx; 1672 switch (type) { 1673 case EAPOL_AUTH_SM_CHANGE: 1674 wpa_auth_sm_notify(sta->wpa_sm); 1675 break; 1676 case EAPOL_AUTH_REAUTHENTICATE: 1677 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1678 break; 1679 } 1680} 1681 1682 1683int ieee802_1x_init(struct hostapd_data *hapd) 1684{ 1685 int i; 1686 struct eapol_auth_config conf; 1687 struct eapol_auth_cb cb; 1688 1689 os_memset(&conf, 0, sizeof(conf)); 1690 conf.ctx = hapd; 1691 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1692 conf.wpa = hapd->conf->wpa; 1693 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1694 conf.eap_server = hapd->conf->eap_server; 1695 conf.ssl_ctx = hapd->ssl_ctx; 1696 conf.msg_ctx = hapd->msg_ctx; 1697 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1698 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1699 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1700 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1701 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1702 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1703 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1704 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1705 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1706 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1707 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1708 conf.tnc = hapd->conf->tnc; 1709 conf.wps = hapd->wps; 1710 conf.fragment_size = hapd->conf->fragment_size; 1711 conf.pwd_group = hapd->conf->pwd_group; 1712 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1713 1714 os_memset(&cb, 0, sizeof(cb)); 1715 cb.eapol_send = ieee802_1x_eapol_send; 1716 cb.aaa_send = ieee802_1x_aaa_send; 1717 cb.finished = _ieee802_1x_finished; 1718 cb.get_eap_user = ieee802_1x_get_eap_user; 1719 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1720 cb.logger = ieee802_1x_logger; 1721 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1722 cb.abort_auth = _ieee802_1x_abort_auth; 1723 cb.tx_key = _ieee802_1x_tx_key; 1724 cb.eapol_event = ieee802_1x_eapol_event; 1725 1726 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1727 if (hapd->eapol_auth == NULL) 1728 return -1; 1729 1730 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1731 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1732 return -1; 1733 1734#ifndef CONFIG_NO_RADIUS 1735 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1736 ieee802_1x_receive_auth, hapd)) 1737 return -1; 1738#endif /* CONFIG_NO_RADIUS */ 1739 1740 if (hapd->conf->default_wep_key_len) { 1741 for (i = 0; i < 4; i++) 1742 hostapd_drv_set_key(hapd->conf->iface, hapd, 1743 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1744 NULL, 0); 1745 1746 ieee802_1x_rekey(hapd, NULL); 1747 1748 if (hapd->eapol_auth->default_wep_key == NULL) 1749 return -1; 1750 } 1751 1752 return 0; 1753} 1754 1755 1756void ieee802_1x_deinit(struct hostapd_data *hapd) 1757{ 1758 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1759 1760 if (hapd->driver != NULL && 1761 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1762 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1763 1764 eapol_auth_deinit(hapd->eapol_auth); 1765 hapd->eapol_auth = NULL; 1766} 1767 1768 1769int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1770 const u8 *buf, size_t len, int ack) 1771{ 1772 struct ieee80211_hdr *hdr; 1773 u8 *pos; 1774 const unsigned char rfc1042_hdr[ETH_ALEN] = 1775 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1776 1777 if (sta == NULL) 1778 return -1; 1779 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 1780 return 0; 1781 1782 hdr = (struct ieee80211_hdr *) buf; 1783 pos = (u8 *) (hdr + 1); 1784 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1785 return 0; 1786 pos += sizeof(rfc1042_hdr); 1787 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1788 return 0; 1789 pos += 2; 1790 1791 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 1792 ack); 1793} 1794 1795 1796int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1797 const u8 *buf, int len, int ack) 1798{ 1799 const struct ieee802_1x_hdr *xhdr = 1800 (const struct ieee802_1x_hdr *) buf; 1801 const u8 *pos = buf + sizeof(*xhdr); 1802 struct ieee802_1x_eapol_key *key; 1803 1804 if (len < (int) sizeof(*xhdr)) 1805 return 0; 1806 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1807 "type=%d length=%d - ack=%d", 1808 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1809 be_to_host16(xhdr->length), ack); 1810 1811 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 1812 return 0; 1813 1814 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1815 const struct wpa_eapol_key *wpa; 1816 wpa = (const struct wpa_eapol_key *) pos; 1817 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1818 wpa->type == EAPOL_KEY_TYPE_WPA) 1819 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1820 sta->wpa_sm, ack); 1821 } 1822 1823 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1824 * or Authenticator state machines, but EAPOL-Key packets are not 1825 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 1826 * packets couple of times because otherwise STA keys become 1827 * unsynchronized with AP. */ 1828 if (!ack && pos + sizeof(*key) <= buf + len) { 1829 key = (struct ieee802_1x_eapol_key *) pos; 1830 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1831 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1832 "frame (%scast index=%d)", 1833 key->key_index & BIT(7) ? "uni" : "broad", 1834 key->key_index & ~BIT(7)); 1835 /* TODO: re-send EAPOL-Key couple of times (with short delay 1836 * between them?). If all attempt fail, report error and 1837 * deauthenticate STA so that it will get new keys when 1838 * authenticating again (e.g., after returning in range). 1839 * Separate limit/transmit state needed both for unicast and 1840 * broadcast keys(?) */ 1841 } 1842 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1843 * to here and change the key only if the EAPOL-Key packet was Acked. 1844 */ 1845 1846 return 1; 1847} 1848 1849 1850u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1851{ 1852 if (sm == NULL || sm->identity == NULL) 1853 return NULL; 1854 1855 *len = sm->identity_len; 1856 return sm->identity; 1857} 1858 1859 1860u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1861 int idx) 1862{ 1863 if (sm == NULL || sm->radius_class.attr == NULL || 1864 idx >= (int) sm->radius_class.count) 1865 return NULL; 1866 1867 *len = sm->radius_class.attr[idx].len; 1868 return sm->radius_class.attr[idx].data; 1869} 1870 1871 1872const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 1873{ 1874 *len = 0; 1875 if (sm == NULL) 1876 return NULL; 1877 1878 *len = sm->eap_if->eapKeyDataLen; 1879 return sm->eap_if->eapKeyData; 1880} 1881 1882 1883void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 1884 int enabled) 1885{ 1886 if (sm == NULL) 1887 return; 1888 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 1889 eapol_auth_step(sm); 1890} 1891 1892 1893void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 1894 int valid) 1895{ 1896 if (sm == NULL) 1897 return; 1898 sm->portValid = valid ? TRUE : FALSE; 1899 eapol_auth_step(sm); 1900} 1901 1902 1903void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 1904{ 1905 if (sm == NULL) 1906 return; 1907 if (pre_auth) 1908 sm->flags |= EAPOL_SM_PREAUTH; 1909 else 1910 sm->flags &= ~EAPOL_SM_PREAUTH; 1911} 1912 1913 1914static const char * bool_txt(Boolean bool) 1915{ 1916 return bool ? "TRUE" : "FALSE"; 1917} 1918 1919 1920int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 1921{ 1922 /* TODO */ 1923 return 0; 1924} 1925 1926 1927int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 1928 char *buf, size_t buflen) 1929{ 1930 int len = 0, ret; 1931 struct eapol_state_machine *sm = sta->eapol_sm; 1932 struct os_time t; 1933 1934 if (sm == NULL) 1935 return 0; 1936 1937 ret = os_snprintf(buf + len, buflen - len, 1938 "dot1xPaePortNumber=%d\n" 1939 "dot1xPaePortProtocolVersion=%d\n" 1940 "dot1xPaePortCapabilities=1\n" 1941 "dot1xPaePortInitialize=%d\n" 1942 "dot1xPaePortReauthenticate=FALSE\n", 1943 sta->aid, 1944 EAPOL_VERSION, 1945 sm->initialize); 1946 if (ret < 0 || (size_t) ret >= buflen - len) 1947 return len; 1948 len += ret; 1949 1950 /* dot1xAuthConfigTable */ 1951 ret = os_snprintf(buf + len, buflen - len, 1952 "dot1xAuthPaeState=%d\n" 1953 "dot1xAuthBackendAuthState=%d\n" 1954 "dot1xAuthAdminControlledDirections=%d\n" 1955 "dot1xAuthOperControlledDirections=%d\n" 1956 "dot1xAuthAuthControlledPortStatus=%d\n" 1957 "dot1xAuthAuthControlledPortControl=%d\n" 1958 "dot1xAuthQuietPeriod=%u\n" 1959 "dot1xAuthServerTimeout=%u\n" 1960 "dot1xAuthReAuthPeriod=%u\n" 1961 "dot1xAuthReAuthEnabled=%s\n" 1962 "dot1xAuthKeyTxEnabled=%s\n", 1963 sm->auth_pae_state + 1, 1964 sm->be_auth_state + 1, 1965 sm->adminControlledDirections, 1966 sm->operControlledDirections, 1967 sm->authPortStatus, 1968 sm->portControl, 1969 sm->quietPeriod, 1970 sm->serverTimeout, 1971 sm->reAuthPeriod, 1972 bool_txt(sm->reAuthEnabled), 1973 bool_txt(sm->keyTxEnabled)); 1974 if (ret < 0 || (size_t) ret >= buflen - len) 1975 return len; 1976 len += ret; 1977 1978 /* dot1xAuthStatsTable */ 1979 ret = os_snprintf(buf + len, buflen - len, 1980 "dot1xAuthEapolFramesRx=%u\n" 1981 "dot1xAuthEapolFramesTx=%u\n" 1982 "dot1xAuthEapolStartFramesRx=%u\n" 1983 "dot1xAuthEapolLogoffFramesRx=%u\n" 1984 "dot1xAuthEapolRespIdFramesRx=%u\n" 1985 "dot1xAuthEapolRespFramesRx=%u\n" 1986 "dot1xAuthEapolReqIdFramesTx=%u\n" 1987 "dot1xAuthEapolReqFramesTx=%u\n" 1988 "dot1xAuthInvalidEapolFramesRx=%u\n" 1989 "dot1xAuthEapLengthErrorFramesRx=%u\n" 1990 "dot1xAuthLastEapolFrameVersion=%u\n" 1991 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 1992 sm->dot1xAuthEapolFramesRx, 1993 sm->dot1xAuthEapolFramesTx, 1994 sm->dot1xAuthEapolStartFramesRx, 1995 sm->dot1xAuthEapolLogoffFramesRx, 1996 sm->dot1xAuthEapolRespIdFramesRx, 1997 sm->dot1xAuthEapolRespFramesRx, 1998 sm->dot1xAuthEapolReqIdFramesTx, 1999 sm->dot1xAuthEapolReqFramesTx, 2000 sm->dot1xAuthInvalidEapolFramesRx, 2001 sm->dot1xAuthEapLengthErrorFramesRx, 2002 sm->dot1xAuthLastEapolFrameVersion, 2003 MAC2STR(sm->addr)); 2004 if (ret < 0 || (size_t) ret >= buflen - len) 2005 return len; 2006 len += ret; 2007 2008 /* dot1xAuthDiagTable */ 2009 ret = os_snprintf(buf + len, buflen - len, 2010 "dot1xAuthEntersConnecting=%u\n" 2011 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2012 "dot1xAuthEntersAuthenticating=%u\n" 2013 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2014 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2015 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2016 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2017 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2018 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2019 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2020 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2021 "dot1xAuthBackendResponses=%u\n" 2022 "dot1xAuthBackendAccessChallenges=%u\n" 2023 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2024 "dot1xAuthBackendAuthSuccesses=%u\n" 2025 "dot1xAuthBackendAuthFails=%u\n", 2026 sm->authEntersConnecting, 2027 sm->authEapLogoffsWhileConnecting, 2028 sm->authEntersAuthenticating, 2029 sm->authAuthSuccessesWhileAuthenticating, 2030 sm->authAuthTimeoutsWhileAuthenticating, 2031 sm->authAuthFailWhileAuthenticating, 2032 sm->authAuthEapStartsWhileAuthenticating, 2033 sm->authAuthEapLogoffWhileAuthenticating, 2034 sm->authAuthReauthsWhileAuthenticated, 2035 sm->authAuthEapStartsWhileAuthenticated, 2036 sm->authAuthEapLogoffWhileAuthenticated, 2037 sm->backendResponses, 2038 sm->backendAccessChallenges, 2039 sm->backendOtherRequestsToSupplicant, 2040 sm->backendAuthSuccesses, 2041 sm->backendAuthFails); 2042 if (ret < 0 || (size_t) ret >= buflen - len) 2043 return len; 2044 len += ret; 2045 2046 /* dot1xAuthSessionStatsTable */ 2047 os_get_time(&t); 2048 ret = os_snprintf(buf + len, buflen - len, 2049 /* TODO: dot1xAuthSessionOctetsRx */ 2050 /* TODO: dot1xAuthSessionOctetsTx */ 2051 /* TODO: dot1xAuthSessionFramesRx */ 2052 /* TODO: dot1xAuthSessionFramesTx */ 2053 "dot1xAuthSessionId=%08X-%08X\n" 2054 "dot1xAuthSessionAuthenticMethod=%d\n" 2055 "dot1xAuthSessionTime=%u\n" 2056 "dot1xAuthSessionTerminateCause=999\n" 2057 "dot1xAuthSessionUserName=%s\n", 2058 sta->acct_session_id_hi, sta->acct_session_id_lo, 2059 (wpa_key_mgmt_wpa_ieee8021x( 2060 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2061 1 : 2, 2062 (unsigned int) (t.sec - sta->acct_session_start), 2063 sm->identity); 2064 if (ret < 0 || (size_t) ret >= buflen - len) 2065 return len; 2066 len += ret; 2067 2068 return len; 2069} 2070 2071 2072static void ieee802_1x_finished(struct hostapd_data *hapd, 2073 struct sta_info *sta, int success) 2074{ 2075 const u8 *key; 2076 size_t len; 2077 /* TODO: get PMKLifetime from WPA parameters */ 2078 static const int dot11RSNAConfigPMKLifetime = 43200; 2079 2080 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2081 if (success && key && len >= PMK_LEN && 2082 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2083 sta->eapol_sm) == 0) { 2084 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2085 HOSTAPD_LEVEL_DEBUG, 2086 "Added PMKSA cache entry (IEEE 802.1X)"); 2087 } 2088 2089 if (!success) { 2090 /* 2091 * Many devices require deauthentication after WPS provisioning 2092 * and some may not be be able to do that themselves, so 2093 * disconnect the client here. In addition, this may also 2094 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2095 * the EAPOL PAE state machine would remain in HELD state for 2096 * considerable amount of time and some EAP methods, like 2097 * EAP-FAST with anonymous provisioning, may require another 2098 * EAPOL authentication to be started to complete connection. 2099 */ 2100 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2101 "disconnection after EAP-Failure"); 2102 /* Add a small sleep to increase likelihood of previously 2103 * requested EAP-Failure TX getting out before this should the 2104 * driver reorder operations. 2105 */ 2106 os_sleep(0, 10000); 2107 ap_sta_disconnect(hapd, sta, sta->addr, 2108 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2109 } 2110} 2111