ieee802_1x.c revision 34af306c42b7ccf956508e7cd23f0ba90606e360
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "crypto/md5.h" 14#include "crypto/crypto.h" 15#include "crypto/random.h" 16#include "common/ieee802_11_defs.h" 17#include "radius/radius.h" 18#include "radius/radius_client.h" 19#include "eap_server/eap.h" 20#include "eap_common/eap_wsc_common.h" 21#include "eapol_auth/eapol_auth_sm.h" 22#include "eapol_auth/eapol_auth_sm_i.h" 23#include "p2p/p2p.h" 24#include "hostapd.h" 25#include "accounting.h" 26#include "sta_info.h" 27#include "wpa_auth.h" 28#include "preauth_auth.h" 29#include "pmksa_cache_auth.h" 30#include "ap_config.h" 31#include "ap_drv_ops.h" 32#include "ieee802_1x.h" 33 34 35static void ieee802_1x_finished(struct hostapd_data *hapd, 36 struct sta_info *sta, int success); 37 38 39static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 40 u8 type, const u8 *data, size_t datalen) 41{ 42 u8 *buf; 43 struct ieee802_1x_hdr *xhdr; 44 size_t len; 45 int encrypt = 0; 46 47 len = sizeof(*xhdr) + datalen; 48 buf = os_zalloc(len); 49 if (buf == NULL) { 50 wpa_printf(MSG_ERROR, "malloc() failed for " 51 "ieee802_1x_send(len=%lu)", 52 (unsigned long) len); 53 return; 54 } 55 56 xhdr = (struct ieee802_1x_hdr *) buf; 57 xhdr->version = hapd->conf->eapol_version; 58 xhdr->type = type; 59 xhdr->length = host_to_be16(datalen); 60 61 if (datalen > 0 && data != NULL) 62 os_memcpy(xhdr + 1, data, datalen); 63 64 if (wpa_auth_pairwise_set(sta->wpa_sm)) 65 encrypt = 1; 66 if (sta->flags & WLAN_STA_PREAUTH) { 67 rsn_preauth_send(hapd, sta, buf, len); 68 } else { 69 hostapd_drv_hapd_send_eapol( 70 hapd, sta->addr, buf, len, 71 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 72 } 73 74 os_free(buf); 75} 76 77 78void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 79 struct sta_info *sta, int authorized) 80{ 81 int res; 82 83 if (sta->flags & WLAN_STA_PREAUTH) 84 return; 85 86 if (authorized) { 87 ap_sta_set_authorized(hapd, sta, 1); 88 res = hostapd_set_authorized(hapd, sta, 1); 89 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 90 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 91 } else { 92 ap_sta_set_authorized(hapd, sta, 0); 93 res = hostapd_set_authorized(hapd, sta, 0); 94 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 95 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 96 } 97 98 if (res && errno != ENOENT) { 99 printf("Could not set station " MACSTR " flags for kernel " 100 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 101 } 102 103 if (authorized) { 104 os_get_time(&sta->connected_time); 105 accounting_sta_start(hapd, sta); 106 } 107} 108 109 110static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 111 struct sta_info *sta, 112 int idx, int broadcast, 113 u8 *key_data, size_t key_len) 114{ 115 u8 *buf, *ekey; 116 struct ieee802_1x_hdr *hdr; 117 struct ieee802_1x_eapol_key *key; 118 size_t len, ekey_len; 119 struct eapol_state_machine *sm = sta->eapol_sm; 120 121 if (sm == NULL) 122 return; 123 124 len = sizeof(*key) + key_len; 125 buf = os_zalloc(sizeof(*hdr) + len); 126 if (buf == NULL) 127 return; 128 129 hdr = (struct ieee802_1x_hdr *) buf; 130 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 131 key->type = EAPOL_KEY_TYPE_RC4; 132 WPA_PUT_BE16(key->key_length, key_len); 133 wpa_get_ntp_timestamp(key->replay_counter); 134 135 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 136 wpa_printf(MSG_ERROR, "Could not get random numbers"); 137 os_free(buf); 138 return; 139 } 140 141 key->key_index = idx | (broadcast ? 0 : BIT(7)); 142 if (hapd->conf->eapol_key_index_workaround) { 143 /* According to some information, WinXP Supplicant seems to 144 * interpret bit7 as an indication whether the key is to be 145 * activated, so make it possible to enable workaround that 146 * sets this bit for all keys. */ 147 key->key_index |= BIT(7); 148 } 149 150 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 151 * MSK[32..63] is used to sign the message. */ 152 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 153 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 154 "and signing EAPOL-Key"); 155 os_free(buf); 156 return; 157 } 158 os_memcpy((u8 *) (key + 1), key_data, key_len); 159 ekey_len = sizeof(key->key_iv) + 32; 160 ekey = os_malloc(ekey_len); 161 if (ekey == NULL) { 162 wpa_printf(MSG_ERROR, "Could not encrypt key"); 163 os_free(buf); 164 return; 165 } 166 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 167 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 168 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 169 os_free(ekey); 170 171 /* This header is needed here for HMAC-MD5, but it will be regenerated 172 * in ieee802_1x_send() */ 173 hdr->version = hapd->conf->eapol_version; 174 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 175 hdr->length = host_to_be16(len); 176 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 177 key->key_signature); 178 179 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 180 " (%s index=%d)", MAC2STR(sm->addr), 181 broadcast ? "broadcast" : "unicast", idx); 182 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 183 if (sta->eapol_sm) 184 sta->eapol_sm->dot1xAuthEapolFramesTx++; 185 os_free(buf); 186} 187 188 189#ifndef CONFIG_NO_VLAN 190static struct hostapd_wep_keys * 191ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 192{ 193 struct hostapd_wep_keys *key; 194 195 key = os_zalloc(sizeof(*key)); 196 if (key == NULL) 197 return NULL; 198 199 key->default_len = hapd->conf->default_wep_key_len; 200 201 if (key->idx >= hapd->conf->broadcast_key_idx_max || 202 key->idx < hapd->conf->broadcast_key_idx_min) 203 key->idx = hapd->conf->broadcast_key_idx_min; 204 else 205 key->idx++; 206 207 if (!key->key[key->idx]) 208 key->key[key->idx] = os_malloc(key->default_len); 209 if (key->key[key->idx] == NULL || 210 random_get_bytes(key->key[key->idx], key->default_len)) { 211 printf("Could not generate random WEP key (dynamic VLAN).\n"); 212 os_free(key->key[key->idx]); 213 key->key[key->idx] = NULL; 214 os_free(key); 215 return NULL; 216 } 217 key->len[key->idx] = key->default_len; 218 219 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 220 ifname, key->idx); 221 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 222 key->key[key->idx], key->len[key->idx]); 223 224 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP, 225 broadcast_ether_addr, key->idx, 1, 226 NULL, 0, key->key[key->idx], 227 key->len[key->idx])) 228 printf("Could not set dynamic VLAN WEP encryption key.\n"); 229 230 hostapd_set_drv_ieee8021x(hapd, ifname, 1); 231 232 return key; 233} 234 235 236static struct hostapd_wep_keys * 237ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 238 size_t vlan_id) 239{ 240 const char *ifname; 241 242 if (vlan_id == 0) 243 return &ssid->wep; 244 245 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 246 ssid->dyn_vlan_keys[vlan_id]) 247 return ssid->dyn_vlan_keys[vlan_id]; 248 249 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 250 "state machine for VLAN ID %lu", 251 (unsigned long) vlan_id); 252 253 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 254 if (ifname == NULL) { 255 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 256 "cannot create group key state machine", 257 (unsigned long) vlan_id); 258 return NULL; 259 } 260 261 if (ssid->dyn_vlan_keys == NULL) { 262 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 263 ssid->dyn_vlan_keys = os_zalloc(size); 264 if (ssid->dyn_vlan_keys == NULL) 265 return NULL; 266 ssid->max_dyn_vlan_keys = vlan_id; 267 } 268 269 if (ssid->max_dyn_vlan_keys < vlan_id) { 270 struct hostapd_wep_keys **na; 271 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 272 na = os_realloc(ssid->dyn_vlan_keys, size); 273 if (na == NULL) 274 return NULL; 275 ssid->dyn_vlan_keys = na; 276 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 277 (vlan_id - ssid->max_dyn_vlan_keys) * 278 sizeof(ssid->dyn_vlan_keys[0])); 279 ssid->max_dyn_vlan_keys = vlan_id; 280 } 281 282 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 283 284 return ssid->dyn_vlan_keys[vlan_id]; 285} 286#endif /* CONFIG_NO_VLAN */ 287 288 289void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 290{ 291 struct eapol_authenticator *eapol = hapd->eapol_auth; 292 struct eapol_state_machine *sm = sta->eapol_sm; 293#ifndef CONFIG_NO_VLAN 294 struct hostapd_wep_keys *key = NULL; 295 int vlan_id; 296#endif /* CONFIG_NO_VLAN */ 297 298 if (sm == NULL || !sm->eap_if->eapKeyData) 299 return; 300 301 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 302 MAC2STR(sta->addr)); 303 304#ifndef CONFIG_NO_VLAN 305 vlan_id = sta->vlan_id; 306 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 307 vlan_id = 0; 308 309 if (vlan_id) { 310 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 311 if (key && key->key[key->idx]) 312 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 313 key->key[key->idx], 314 key->len[key->idx]); 315 } else 316#endif /* CONFIG_NO_VLAN */ 317 if (eapol->default_wep_key) { 318 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 319 eapol->default_wep_key, 320 hapd->conf->default_wep_key_len); 321 } 322 323 if (hapd->conf->individual_wep_key_len > 0) { 324 u8 *ikey; 325 ikey = os_malloc(hapd->conf->individual_wep_key_len); 326 if (ikey == NULL || 327 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 328 { 329 wpa_printf(MSG_ERROR, "Could not generate random " 330 "individual WEP key."); 331 os_free(ikey); 332 return; 333 } 334 335 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 336 ikey, hapd->conf->individual_wep_key_len); 337 338 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 339 hapd->conf->individual_wep_key_len); 340 341 /* TODO: set encryption in TX callback, i.e., only after STA 342 * has ACKed EAPOL-Key frame */ 343 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 344 sta->addr, 0, 1, NULL, 0, ikey, 345 hapd->conf->individual_wep_key_len)) { 346 wpa_printf(MSG_ERROR, "Could not set individual WEP " 347 "encryption."); 348 } 349 350 os_free(ikey); 351 } 352} 353 354 355const char *radius_mode_txt(struct hostapd_data *hapd) 356{ 357 switch (hapd->iface->conf->hw_mode) { 358 case HOSTAPD_MODE_IEEE80211AD: 359 return "802.11ad"; 360 case HOSTAPD_MODE_IEEE80211A: 361 return "802.11a"; 362 case HOSTAPD_MODE_IEEE80211G: 363 return "802.11g"; 364 case HOSTAPD_MODE_IEEE80211B: 365 default: 366 return "802.11b"; 367 } 368} 369 370 371int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 372{ 373 int i; 374 u8 rate = 0; 375 376 for (i = 0; i < sta->supported_rates_len; i++) 377 if ((sta->supported_rates[i] & 0x7f) > rate) 378 rate = sta->supported_rates[i] & 0x7f; 379 380 return rate; 381} 382 383 384#ifndef CONFIG_NO_RADIUS 385static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 386 struct eapol_state_machine *sm, 387 const u8 *eap, size_t len) 388{ 389 const u8 *identity; 390 size_t identity_len; 391 392 if (len <= sizeof(struct eap_hdr) || 393 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 394 return; 395 396 identity = eap_get_identity(sm->eap, &identity_len); 397 if (identity == NULL) 398 return; 399 400 /* Save station identity for future RADIUS packets */ 401 os_free(sm->identity); 402 sm->identity = (u8 *) dup_binstr(identity, identity_len); 403 if (sm->identity == NULL) { 404 sm->identity_len = 0; 405 return; 406 } 407 408 sm->identity_len = identity_len; 409 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 410 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 411 sm->dot1xAuthEapolRespIdFramesRx++; 412} 413 414 415static int add_common_radius_sta_attr(struct hostapd_data *hapd, 416 struct hostapd_radius_attr *req_attr, 417 struct sta_info *sta, 418 struct radius_msg *msg) 419{ 420 char buf[128]; 421 422 if (!hostapd_config_get_radius_attr(req_attr, 423 RADIUS_ATTR_NAS_PORT) && 424 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 425 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 426 return -1; 427 } 428 429 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 430 MAC2STR(sta->addr)); 431 buf[sizeof(buf) - 1] = '\0'; 432 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 433 (u8 *) buf, os_strlen(buf))) { 434 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 435 return -1; 436 } 437 438 if (sta->flags & WLAN_STA_PREAUTH) { 439 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 440 sizeof(buf)); 441 } else { 442 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 443 radius_sta_rate(hapd, sta) / 2, 444 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 445 radius_mode_txt(hapd)); 446 buf[sizeof(buf) - 1] = '\0'; 447 } 448 if (!hostapd_config_get_radius_attr(req_attr, 449 RADIUS_ATTR_CONNECT_INFO) && 450 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 451 (u8 *) buf, os_strlen(buf))) { 452 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 453 return -1; 454 } 455 456 if (sta->acct_session_id_hi || sta->acct_session_id_lo) { 457 os_snprintf(buf, sizeof(buf), "%08X-%08X", 458 sta->acct_session_id_hi, sta->acct_session_id_lo); 459 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 460 (u8 *) buf, os_strlen(buf))) { 461 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 462 return -1; 463 } 464 } 465 466 return 0; 467} 468 469 470int add_common_radius_attr(struct hostapd_data *hapd, 471 struct hostapd_radius_attr *req_attr, 472 struct sta_info *sta, 473 struct radius_msg *msg) 474{ 475 char buf[128]; 476 struct hostapd_radius_attr *attr; 477 478 if (!hostapd_config_get_radius_attr(req_attr, 479 RADIUS_ATTR_NAS_IP_ADDRESS) && 480 hapd->conf->own_ip_addr.af == AF_INET && 481 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 482 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 483 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 484 return -1; 485 } 486 487#ifdef CONFIG_IPV6 488 if (!hostapd_config_get_radius_attr(req_attr, 489 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 490 hapd->conf->own_ip_addr.af == AF_INET6 && 491 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 492 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 493 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 494 return -1; 495 } 496#endif /* CONFIG_IPV6 */ 497 498 if (!hostapd_config_get_radius_attr(req_attr, 499 RADIUS_ATTR_NAS_IDENTIFIER) && 500 hapd->conf->nas_identifier && 501 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 502 (u8 *) hapd->conf->nas_identifier, 503 os_strlen(hapd->conf->nas_identifier))) { 504 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 505 return -1; 506 } 507 508 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 509 MAC2STR(hapd->own_addr), 510 wpa_ssid_txt(hapd->conf->ssid.ssid, 511 hapd->conf->ssid.ssid_len)); 512 buf[sizeof(buf) - 1] = '\0'; 513 if (!hostapd_config_get_radius_attr(req_attr, 514 RADIUS_ATTR_CALLED_STATION_ID) && 515 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 516 (u8 *) buf, os_strlen(buf))) { 517 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 518 return -1; 519 } 520 521 if (!hostapd_config_get_radius_attr(req_attr, 522 RADIUS_ATTR_NAS_PORT_TYPE) && 523 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 524 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 525 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 526 return -1; 527 } 528 529 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 530 return -1; 531 532 for (attr = req_attr; attr; attr = attr->next) { 533 if (!radius_msg_add_attr(msg, attr->type, 534 wpabuf_head(attr->val), 535 wpabuf_len(attr->val))) { 536 wpa_printf(MSG_ERROR, "Could not add RADIUS " 537 "attribute"); 538 return -1; 539 } 540 } 541 542 return 0; 543} 544 545 546static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 547 struct sta_info *sta, 548 const u8 *eap, size_t len) 549{ 550 struct radius_msg *msg; 551 struct eapol_state_machine *sm = sta->eapol_sm; 552 553 if (sm == NULL) 554 return; 555 556 ieee802_1x_learn_identity(hapd, sm, eap, len); 557 558 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 559 "packet"); 560 561 sm->radius_identifier = radius_client_get_id(hapd->radius); 562 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 563 sm->radius_identifier); 564 if (msg == NULL) { 565 printf("Could not create net RADIUS packet\n"); 566 return; 567 } 568 569 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 570 571 if (sm->identity && 572 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 573 sm->identity, sm->identity_len)) { 574 printf("Could not add User-Name\n"); 575 goto fail; 576 } 577 578 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 579 msg) < 0) 580 goto fail; 581 582 /* TODO: should probably check MTU from driver config; 2304 is max for 583 * IEEE 802.11, but use 1400 to avoid problems with too large packets 584 */ 585 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 586 RADIUS_ATTR_FRAMED_MTU) && 587 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 588 printf("Could not add Framed-MTU\n"); 589 goto fail; 590 } 591 592 if (eap && !radius_msg_add_eap(msg, eap, len)) { 593 printf("Could not add EAP-Message\n"); 594 goto fail; 595 } 596 597 /* State attribute must be copied if and only if this packet is 598 * Access-Request reply to the previous Access-Challenge */ 599 if (sm->last_recv_radius && 600 radius_msg_get_hdr(sm->last_recv_radius)->code == 601 RADIUS_CODE_ACCESS_CHALLENGE) { 602 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 603 RADIUS_ATTR_STATE); 604 if (res < 0) { 605 printf("Could not copy State attribute from previous " 606 "Access-Challenge\n"); 607 goto fail; 608 } 609 if (res > 0) { 610 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 611 } 612 } 613 614 if (hapd->conf->radius_request_cui) { 615 const u8 *cui; 616 size_t cui_len; 617 /* Add previously learned CUI or nul CUI to request CUI */ 618 if (sm->radius_cui) { 619 cui = wpabuf_head(sm->radius_cui); 620 cui_len = wpabuf_len(sm->radius_cui); 621 } else { 622 cui = (const u8 *) "\0"; 623 cui_len = 1; 624 } 625 if (!radius_msg_add_attr(msg, 626 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 627 cui, cui_len)) { 628 wpa_printf(MSG_ERROR, "Could not add CUI"); 629 goto fail; 630 } 631 } 632 633 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 634 goto fail; 635 636 return; 637 638 fail: 639 radius_msg_free(msg); 640} 641#endif /* CONFIG_NO_RADIUS */ 642 643 644static void handle_eap_response(struct hostapd_data *hapd, 645 struct sta_info *sta, struct eap_hdr *eap, 646 size_t len) 647{ 648 u8 type, *data; 649 struct eapol_state_machine *sm = sta->eapol_sm; 650 if (sm == NULL) 651 return; 652 653 data = (u8 *) (eap + 1); 654 655 if (len < sizeof(*eap) + 1) { 656 printf("handle_eap_response: too short response data\n"); 657 return; 658 } 659 660 sm->eap_type_supp = type = data[0]; 661 662 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 663 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 664 "id=%d len=%d) from STA: EAP Response-%s (%d)", 665 eap->code, eap->identifier, be_to_host16(eap->length), 666 eap_server_get_name(0, type), type); 667 668 sm->dot1xAuthEapolRespFramesRx++; 669 670 wpabuf_free(sm->eap_if->eapRespData); 671 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 672 sm->eapolEap = TRUE; 673} 674 675 676/* Process incoming EAP packet from Supplicant */ 677static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 678 u8 *buf, size_t len) 679{ 680 struct eap_hdr *eap; 681 u16 eap_len; 682 683 if (len < sizeof(*eap)) { 684 printf(" too short EAP packet\n"); 685 return; 686 } 687 688 eap = (struct eap_hdr *) buf; 689 690 eap_len = be_to_host16(eap->length); 691 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 692 eap->code, eap->identifier, eap_len); 693 if (eap_len < sizeof(*eap)) { 694 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 695 return; 696 } else if (eap_len > len) { 697 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 698 "packet"); 699 return; 700 } else if (eap_len < len) { 701 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 702 "packet", (unsigned long) len - eap_len); 703 } 704 705 switch (eap->code) { 706 case EAP_CODE_REQUEST: 707 wpa_printf(MSG_DEBUG, " (request)"); 708 return; 709 case EAP_CODE_RESPONSE: 710 wpa_printf(MSG_DEBUG, " (response)"); 711 handle_eap_response(hapd, sta, eap, eap_len); 712 break; 713 case EAP_CODE_SUCCESS: 714 wpa_printf(MSG_DEBUG, " (success)"); 715 return; 716 case EAP_CODE_FAILURE: 717 wpa_printf(MSG_DEBUG, " (failure)"); 718 return; 719 default: 720 wpa_printf(MSG_DEBUG, " (unknown code)"); 721 return; 722 } 723} 724 725 726static struct eapol_state_machine * 727ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 728{ 729 int flags = 0; 730 if (sta->flags & WLAN_STA_PREAUTH) 731 flags |= EAPOL_SM_PREAUTH; 732 if (sta->wpa_sm) { 733 flags |= EAPOL_SM_USES_WPA; 734 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 735 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 736 } 737 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 738 sta->wps_ie, sta->p2p_ie, sta, 739 sta->identity, sta->radius_cui); 740} 741 742 743/** 744 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 745 * @hapd: hostapd BSS data 746 * @sa: Source address (sender of the EAPOL frame) 747 * @buf: EAPOL frame 748 * @len: Length of buf in octets 749 * 750 * This function is called for each incoming EAPOL frame from the interface 751 */ 752void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 753 size_t len) 754{ 755 struct sta_info *sta; 756 struct ieee802_1x_hdr *hdr; 757 struct ieee802_1x_eapol_key *key; 758 u16 datalen; 759 struct rsn_pmksa_cache_entry *pmksa; 760 int key_mgmt; 761 762 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 763 !hapd->conf->wps_state) 764 return; 765 766 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 767 (unsigned long) len, MAC2STR(sa)); 768 sta = ap_get_sta(hapd, sa); 769 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 770 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 771 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 772 "associated/Pre-authenticating STA"); 773 return; 774 } 775 776 if (len < sizeof(*hdr)) { 777 printf(" too short IEEE 802.1X packet\n"); 778 return; 779 } 780 781 hdr = (struct ieee802_1x_hdr *) buf; 782 datalen = be_to_host16(hdr->length); 783 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 784 hdr->version, hdr->type, datalen); 785 786 if (len - sizeof(*hdr) < datalen) { 787 printf(" frame too short for this IEEE 802.1X packet\n"); 788 if (sta->eapol_sm) 789 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 790 return; 791 } 792 if (len - sizeof(*hdr) > datalen) { 793 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 794 "IEEE 802.1X packet", 795 (unsigned long) len - sizeof(*hdr) - datalen); 796 } 797 798 if (sta->eapol_sm) { 799 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 800 sta->eapol_sm->dot1xAuthEapolFramesRx++; 801 } 802 803 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 804 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 805 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 806 (key->type == EAPOL_KEY_TYPE_WPA || 807 key->type == EAPOL_KEY_TYPE_RSN)) { 808 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 809 sizeof(*hdr) + datalen); 810 return; 811 } 812 813 if (!hapd->conf->ieee802_1x && 814 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 815 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 816 "802.1X not enabled and WPS not used"); 817 return; 818 } 819 820 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 821 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 822 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 823 "STA is using PSK"); 824 return; 825 } 826 827 if (!sta->eapol_sm) { 828 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 829 if (!sta->eapol_sm) 830 return; 831 832#ifdef CONFIG_WPS 833 if (!hapd->conf->ieee802_1x) { 834 u32 wflags = sta->flags & (WLAN_STA_WPS | 835 WLAN_STA_WPS2 | 836 WLAN_STA_MAYBE_WPS); 837 if (wflags == WLAN_STA_MAYBE_WPS || 838 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 839 /* 840 * Delay EAPOL frame transmission until a 841 * possible WPS STA initiates the handshake 842 * with EAPOL-Start. Only allow the wait to be 843 * skipped if the STA is known to support WPS 844 * 2.0. 845 */ 846 wpa_printf(MSG_DEBUG, "WPS: Do not start " 847 "EAPOL until EAPOL-Start is " 848 "received"); 849 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 850 } 851 } 852#endif /* CONFIG_WPS */ 853 854 sta->eapol_sm->eap_if->portEnabled = TRUE; 855 } 856 857 /* since we support version 1, we can ignore version field and proceed 858 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 859 /* TODO: actually, we are not version 1 anymore.. However, Version 2 860 * does not change frame contents, so should be ok to process frames 861 * more or less identically. Some changes might be needed for 862 * verification of fields. */ 863 864 switch (hdr->type) { 865 case IEEE802_1X_TYPE_EAP_PACKET: 866 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 867 break; 868 869 case IEEE802_1X_TYPE_EAPOL_START: 870 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 871 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 872 "from STA"); 873 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 874 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 875 if (pmksa) { 876 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 877 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 878 "available - ignore it since " 879 "STA sent EAPOL-Start"); 880 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 881 } 882 sta->eapol_sm->eapolStart = TRUE; 883 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 884 eap_server_clear_identity(sta->eapol_sm->eap); 885 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 886 break; 887 888 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 889 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 890 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 891 "from STA"); 892 sta->acct_terminate_cause = 893 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 894 accounting_sta_stop(hapd, sta); 895 sta->eapol_sm->eapolLogoff = TRUE; 896 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 897 eap_server_clear_identity(sta->eapol_sm->eap); 898 break; 899 900 case IEEE802_1X_TYPE_EAPOL_KEY: 901 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 902 if (!ap_sta_is_authorized(sta)) { 903 wpa_printf(MSG_DEBUG, " Dropped key data from " 904 "unauthorized Supplicant"); 905 break; 906 } 907 break; 908 909 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 910 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 911 /* TODO: implement support for this; show data */ 912 break; 913 914 default: 915 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 916 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 917 break; 918 } 919 920 eapol_auth_step(sta->eapol_sm); 921} 922 923 924/** 925 * ieee802_1x_new_station - Start IEEE 802.1X authentication 926 * @hapd: hostapd BSS data 927 * @sta: The station 928 * 929 * This function is called to start IEEE 802.1X authentication when a new 930 * station completes IEEE 802.11 association. 931 */ 932void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 933{ 934 struct rsn_pmksa_cache_entry *pmksa; 935 int reassoc = 1; 936 int force_1x = 0; 937 int key_mgmt; 938 939#ifdef CONFIG_WPS 940 if (hapd->conf->wps_state && hapd->conf->wpa && 941 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 942 /* 943 * Need to enable IEEE 802.1X/EAPOL state machines for possible 944 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 945 * authentication in this BSS. 946 */ 947 force_1x = 1; 948 } 949#endif /* CONFIG_WPS */ 950 951 if (!force_1x && !hapd->conf->ieee802_1x) { 952 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 953 "802.1X not enabled or forced for WPS"); 954 /* 955 * Clear any possible EAPOL authenticator state to support 956 * reassociation change from WPS to PSK. 957 */ 958 ieee802_1x_free_station(sta); 959 return; 960 } 961 962 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 963 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 964 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 965 /* 966 * Clear any possible EAPOL authenticator state to support 967 * reassociation change from WPA-EAP to PSK. 968 */ 969 ieee802_1x_free_station(sta); 970 return; 971 } 972 973 if (sta->eapol_sm == NULL) { 974 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 975 HOSTAPD_LEVEL_DEBUG, "start authentication"); 976 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 977 if (sta->eapol_sm == NULL) { 978 hostapd_logger(hapd, sta->addr, 979 HOSTAPD_MODULE_IEEE8021X, 980 HOSTAPD_LEVEL_INFO, 981 "failed to allocate state machine"); 982 return; 983 } 984 reassoc = 0; 985 } 986 987#ifdef CONFIG_WPS 988 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 989 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS2)) { 990 /* 991 * Delay EAPOL frame transmission until a possible WPS STA 992 * initiates the handshake with EAPOL-Start. Only allow the 993 * wait to be skipped if the STA is known to support WPS 2.0. 994 */ 995 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 996 "EAPOL-Start is received"); 997 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 998 } 999#endif /* CONFIG_WPS */ 1000 1001 sta->eapol_sm->eap_if->portEnabled = TRUE; 1002 1003#ifdef CONFIG_IEEE80211R 1004 if (sta->auth_alg == WLAN_AUTH_FT) { 1005 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1006 HOSTAPD_LEVEL_DEBUG, 1007 "PMK from FT - skip IEEE 802.1X/EAP"); 1008 /* Setup EAPOL state machines to already authenticated state 1009 * because of existing FT information from R0KH. */ 1010 sta->eapol_sm->keyRun = TRUE; 1011 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1012 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1013 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1014 sta->eapol_sm->authSuccess = TRUE; 1015 sta->eapol_sm->authFail = FALSE; 1016 if (sta->eapol_sm->eap) 1017 eap_sm_notify_cached(sta->eapol_sm->eap); 1018 /* TODO: get vlan_id from R0KH using RRB message */ 1019 return; 1020 } 1021#endif /* CONFIG_IEEE80211R */ 1022 1023 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1024 if (pmksa) { 1025 int old_vlanid; 1026 1027 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1028 HOSTAPD_LEVEL_DEBUG, 1029 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1030 /* Setup EAPOL state machines to already authenticated state 1031 * because of existing PMKSA information in the cache. */ 1032 sta->eapol_sm->keyRun = TRUE; 1033 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1034 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1035 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1036 sta->eapol_sm->authSuccess = TRUE; 1037 sta->eapol_sm->authFail = FALSE; 1038 if (sta->eapol_sm->eap) 1039 eap_sm_notify_cached(sta->eapol_sm->eap); 1040 old_vlanid = sta->vlan_id; 1041 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 1042 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1043 sta->vlan_id = 0; 1044 ap_sta_bind_vlan(hapd, sta, old_vlanid); 1045 } else { 1046 if (reassoc) { 1047 /* 1048 * Force EAPOL state machines to start 1049 * re-authentication without having to wait for the 1050 * Supplicant to send EAPOL-Start. 1051 */ 1052 sta->eapol_sm->reAuthenticate = TRUE; 1053 } 1054 eapol_auth_step(sta->eapol_sm); 1055 } 1056} 1057 1058 1059void ieee802_1x_free_station(struct sta_info *sta) 1060{ 1061 struct eapol_state_machine *sm = sta->eapol_sm; 1062 1063 if (sm == NULL) 1064 return; 1065 1066 sta->eapol_sm = NULL; 1067 1068#ifndef CONFIG_NO_RADIUS 1069 radius_msg_free(sm->last_recv_radius); 1070 radius_free_class(&sm->radius_class); 1071 wpabuf_free(sm->radius_cui); 1072#endif /* CONFIG_NO_RADIUS */ 1073 1074 os_free(sm->identity); 1075 eapol_auth_free(sm); 1076} 1077 1078 1079#ifndef CONFIG_NO_RADIUS 1080static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1081 struct sta_info *sta) 1082{ 1083 struct wpabuf *eap; 1084 const struct eap_hdr *hdr; 1085 int eap_type = -1; 1086 char buf[64]; 1087 struct radius_msg *msg; 1088 struct eapol_state_machine *sm = sta->eapol_sm; 1089 1090 if (sm == NULL || sm->last_recv_radius == NULL) { 1091 if (sm) 1092 sm->eap_if->aaaEapNoReq = TRUE; 1093 return; 1094 } 1095 1096 msg = sm->last_recv_radius; 1097 1098 eap = radius_msg_get_eap(msg); 1099 if (eap == NULL) { 1100 /* RFC 3579, Chap. 2.6.3: 1101 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1102 * attribute */ 1103 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1104 HOSTAPD_LEVEL_WARNING, "could not extract " 1105 "EAP-Message from RADIUS message"); 1106 sm->eap_if->aaaEapNoReq = TRUE; 1107 return; 1108 } 1109 1110 if (wpabuf_len(eap) < sizeof(*hdr)) { 1111 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1112 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1113 "received from authentication server"); 1114 wpabuf_free(eap); 1115 sm->eap_if->aaaEapNoReq = TRUE; 1116 return; 1117 } 1118 1119 if (wpabuf_len(eap) > sizeof(*hdr)) 1120 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1121 1122 hdr = wpabuf_head(eap); 1123 switch (hdr->code) { 1124 case EAP_CODE_REQUEST: 1125 if (eap_type >= 0) 1126 sm->eap_type_authsrv = eap_type; 1127 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1128 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1129 "??", 1130 eap_type); 1131 break; 1132 case EAP_CODE_RESPONSE: 1133 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1134 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1135 "??", 1136 eap_type); 1137 break; 1138 case EAP_CODE_SUCCESS: 1139 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1140 break; 1141 case EAP_CODE_FAILURE: 1142 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1143 break; 1144 default: 1145 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1146 break; 1147 } 1148 buf[sizeof(buf) - 1] = '\0'; 1149 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1150 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1151 "id=%d len=%d) from RADIUS server: %s", 1152 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1153 buf); 1154 sm->eap_if->aaaEapReq = TRUE; 1155 1156 wpabuf_free(sm->eap_if->aaaEapReqData); 1157 sm->eap_if->aaaEapReqData = eap; 1158} 1159 1160 1161static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1162 struct sta_info *sta, struct radius_msg *msg, 1163 struct radius_msg *req, 1164 const u8 *shared_secret, 1165 size_t shared_secret_len) 1166{ 1167 struct radius_ms_mppe_keys *keys; 1168 struct eapol_state_machine *sm = sta->eapol_sm; 1169 if (sm == NULL) 1170 return; 1171 1172 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1173 shared_secret_len); 1174 1175 if (keys && keys->send && keys->recv) { 1176 size_t len = keys->send_len + keys->recv_len; 1177 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1178 keys->send, keys->send_len); 1179 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1180 keys->recv, keys->recv_len); 1181 1182 os_free(sm->eap_if->aaaEapKeyData); 1183 sm->eap_if->aaaEapKeyData = os_malloc(len); 1184 if (sm->eap_if->aaaEapKeyData) { 1185 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1186 keys->recv_len); 1187 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1188 keys->send, keys->send_len); 1189 sm->eap_if->aaaEapKeyDataLen = len; 1190 sm->eap_if->aaaEapKeyAvailable = TRUE; 1191 } 1192 } 1193 1194 if (keys) { 1195 os_free(keys->send); 1196 os_free(keys->recv); 1197 os_free(keys); 1198 } 1199} 1200 1201 1202static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1203 struct sta_info *sta, 1204 struct radius_msg *msg) 1205{ 1206 u8 *class; 1207 size_t class_len; 1208 struct eapol_state_machine *sm = sta->eapol_sm; 1209 int count, i; 1210 struct radius_attr_data *nclass; 1211 size_t nclass_count; 1212 1213 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1214 sm == NULL) 1215 return; 1216 1217 radius_free_class(&sm->radius_class); 1218 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1219 if (count <= 0) 1220 return; 1221 1222 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1223 if (nclass == NULL) 1224 return; 1225 1226 nclass_count = 0; 1227 1228 class = NULL; 1229 for (i = 0; i < count; i++) { 1230 do { 1231 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1232 &class, &class_len, 1233 class) < 0) { 1234 i = count; 1235 break; 1236 } 1237 } while (class_len < 1); 1238 1239 nclass[nclass_count].data = os_malloc(class_len); 1240 if (nclass[nclass_count].data == NULL) 1241 break; 1242 1243 os_memcpy(nclass[nclass_count].data, class, class_len); 1244 nclass[nclass_count].len = class_len; 1245 nclass_count++; 1246 } 1247 1248 sm->radius_class.attr = nclass; 1249 sm->radius_class.count = nclass_count; 1250 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1251 "attributes for " MACSTR, 1252 (unsigned long) sm->radius_class.count, 1253 MAC2STR(sta->addr)); 1254} 1255 1256 1257/* Update sta->identity based on User-Name attribute in Access-Accept */ 1258static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1259 struct sta_info *sta, 1260 struct radius_msg *msg) 1261{ 1262 u8 *buf, *identity; 1263 size_t len; 1264 struct eapol_state_machine *sm = sta->eapol_sm; 1265 1266 if (sm == NULL) 1267 return; 1268 1269 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1270 NULL) < 0) 1271 return; 1272 1273 identity = (u8 *) dup_binstr(buf, len); 1274 if (identity == NULL) 1275 return; 1276 1277 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1278 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1279 "User-Name from Access-Accept '%s'", 1280 sm->identity ? (char *) sm->identity : "N/A", 1281 (char *) identity); 1282 1283 os_free(sm->identity); 1284 sm->identity = identity; 1285 sm->identity_len = len; 1286} 1287 1288 1289/* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1290static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1291 struct sta_info *sta, 1292 struct radius_msg *msg) 1293{ 1294 struct eapol_state_machine *sm = sta->eapol_sm; 1295 struct wpabuf *cui; 1296 u8 *buf; 1297 size_t len; 1298 1299 if (sm == NULL) 1300 return; 1301 1302 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1303 &buf, &len, NULL) < 0) 1304 return; 1305 1306 cui = wpabuf_alloc_copy(buf, len); 1307 if (cui == NULL) 1308 return; 1309 1310 wpabuf_free(sm->radius_cui); 1311 sm->radius_cui = cui; 1312} 1313 1314 1315struct sta_id_search { 1316 u8 identifier; 1317 struct eapol_state_machine *sm; 1318}; 1319 1320 1321static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1322 struct sta_info *sta, 1323 void *ctx) 1324{ 1325 struct sta_id_search *id_search = ctx; 1326 struct eapol_state_machine *sm = sta->eapol_sm; 1327 1328 if (sm && sm->radius_identifier >= 0 && 1329 sm->radius_identifier == id_search->identifier) { 1330 id_search->sm = sm; 1331 return 1; 1332 } 1333 return 0; 1334} 1335 1336 1337static struct eapol_state_machine * 1338ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1339{ 1340 struct sta_id_search id_search; 1341 id_search.identifier = identifier; 1342 id_search.sm = NULL; 1343 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1344 return id_search.sm; 1345} 1346 1347 1348/** 1349 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1350 * @msg: RADIUS response message 1351 * @req: RADIUS request message 1352 * @shared_secret: RADIUS shared secret 1353 * @shared_secret_len: Length of shared_secret in octets 1354 * @data: Context data (struct hostapd_data *) 1355 * Returns: Processing status 1356 */ 1357static RadiusRxResult 1358ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1359 const u8 *shared_secret, size_t shared_secret_len, 1360 void *data) 1361{ 1362 struct hostapd_data *hapd = data; 1363 struct sta_info *sta; 1364 u32 session_timeout = 0, termination_action, acct_interim_interval; 1365 int session_timeout_set, old_vlanid = 0; 1366 struct eapol_state_machine *sm; 1367 int override_eapReq = 0; 1368 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1369 1370 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1371 if (sm == NULL) { 1372 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1373 "station for this RADIUS message"); 1374 return RADIUS_RX_UNKNOWN; 1375 } 1376 sta = sm->sta; 1377 1378 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1379 * present when packet contains an EAP-Message attribute */ 1380 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1381 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1382 0) < 0 && 1383 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1384 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1385 "Message-Authenticator since it does not include " 1386 "EAP-Message"); 1387 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1388 req, 1)) { 1389 printf("Incoming RADIUS packet did not have correct " 1390 "Message-Authenticator - dropped\n"); 1391 return RADIUS_RX_INVALID_AUTHENTICATOR; 1392 } 1393 1394 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1395 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1396 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1397 printf("Unknown RADIUS message code\n"); 1398 return RADIUS_RX_UNKNOWN; 1399 } 1400 1401 sm->radius_identifier = -1; 1402 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1403 MAC2STR(sta->addr)); 1404 1405 radius_msg_free(sm->last_recv_radius); 1406 sm->last_recv_radius = msg; 1407 1408 session_timeout_set = 1409 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1410 &session_timeout); 1411 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1412 &termination_action)) 1413 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1414 1415 if (hapd->conf->acct_interim_interval == 0 && 1416 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1417 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1418 &acct_interim_interval) == 0) { 1419 if (acct_interim_interval < 60) { 1420 hostapd_logger(hapd, sta->addr, 1421 HOSTAPD_MODULE_IEEE8021X, 1422 HOSTAPD_LEVEL_INFO, 1423 "ignored too small " 1424 "Acct-Interim-Interval %d", 1425 acct_interim_interval); 1426 } else 1427 sta->acct_interim_interval = acct_interim_interval; 1428 } 1429 1430 1431 switch (hdr->code) { 1432 case RADIUS_CODE_ACCESS_ACCEPT: 1433 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1434 sta->vlan_id = 0; 1435#ifndef CONFIG_NO_VLAN 1436 else { 1437 old_vlanid = sta->vlan_id; 1438 sta->vlan_id = radius_msg_get_vlanid(msg); 1439 } 1440 if (sta->vlan_id > 0 && 1441 hostapd_vlan_id_valid(hapd->conf->vlan, sta->vlan_id)) { 1442 hostapd_logger(hapd, sta->addr, 1443 HOSTAPD_MODULE_RADIUS, 1444 HOSTAPD_LEVEL_INFO, 1445 "VLAN ID %d", sta->vlan_id); 1446 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1447 sta->eapol_sm->authFail = TRUE; 1448 hostapd_logger(hapd, sta->addr, 1449 HOSTAPD_MODULE_IEEE8021X, 1450 HOSTAPD_LEVEL_INFO, "authentication " 1451 "server did not include required VLAN " 1452 "ID in Access-Accept"); 1453 break; 1454 } 1455#endif /* CONFIG_NO_VLAN */ 1456 1457 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1458 break; 1459 1460 /* RFC 3580, Ch. 3.17 */ 1461 if (session_timeout_set && termination_action == 1462 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1463 sm->reAuthPeriod = session_timeout; 1464 } else if (session_timeout_set) 1465 ap_sta_session_timeout(hapd, sta, session_timeout); 1466 1467 sm->eap_if->aaaSuccess = TRUE; 1468 override_eapReq = 1; 1469 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1470 shared_secret_len); 1471 ieee802_1x_store_radius_class(hapd, sta, msg); 1472 ieee802_1x_update_sta_identity(hapd, sta, msg); 1473 ieee802_1x_update_sta_cui(hapd, sta, msg); 1474 if (sm->eap_if->eapKeyAvailable && 1475 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1476 session_timeout_set ? 1477 (int) session_timeout : -1, sm) == 0) { 1478 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1479 HOSTAPD_LEVEL_DEBUG, 1480 "Added PMKSA cache entry"); 1481 } 1482 break; 1483 case RADIUS_CODE_ACCESS_REJECT: 1484 sm->eap_if->aaaFail = TRUE; 1485 override_eapReq = 1; 1486 break; 1487 case RADIUS_CODE_ACCESS_CHALLENGE: 1488 sm->eap_if->aaaEapReq = TRUE; 1489 if (session_timeout_set) { 1490 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1491 sm->eap_if->aaaMethodTimeout = session_timeout; 1492 hostapd_logger(hapd, sm->addr, 1493 HOSTAPD_MODULE_IEEE8021X, 1494 HOSTAPD_LEVEL_DEBUG, 1495 "using EAP timeout of %d seconds (from " 1496 "RADIUS)", 1497 sm->eap_if->aaaMethodTimeout); 1498 } else { 1499 /* 1500 * Use dynamic retransmission behavior per EAP 1501 * specification. 1502 */ 1503 sm->eap_if->aaaMethodTimeout = 0; 1504 } 1505 break; 1506 } 1507 1508 ieee802_1x_decapsulate_radius(hapd, sta); 1509 if (override_eapReq) 1510 sm->eap_if->aaaEapReq = FALSE; 1511 1512 eapol_auth_step(sm); 1513 1514 return RADIUS_RX_QUEUED; 1515} 1516#endif /* CONFIG_NO_RADIUS */ 1517 1518 1519void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1520{ 1521 struct eapol_state_machine *sm = sta->eapol_sm; 1522 if (sm == NULL) 1523 return; 1524 1525 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1526 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1527 1528#ifndef CONFIG_NO_RADIUS 1529 radius_msg_free(sm->last_recv_radius); 1530 sm->last_recv_radius = NULL; 1531#endif /* CONFIG_NO_RADIUS */ 1532 1533 if (sm->eap_if->eapTimeout) { 1534 /* 1535 * Disconnect the STA since it did not reply to the last EAP 1536 * request and we cannot continue EAP processing (EAP-Failure 1537 * could only be sent if the EAP peer actually replied). 1538 */ 1539 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1540 MAC2STR(sta->addr)); 1541 1542 sm->eap_if->portEnabled = FALSE; 1543 ap_sta_disconnect(hapd, sta, sta->addr, 1544 WLAN_REASON_PREV_AUTH_NOT_VALID); 1545 } 1546} 1547 1548 1549static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1550{ 1551 struct eapol_authenticator *eapol = hapd->eapol_auth; 1552 1553 if (hapd->conf->default_wep_key_len < 1) 1554 return 0; 1555 1556 os_free(eapol->default_wep_key); 1557 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1558 if (eapol->default_wep_key == NULL || 1559 random_get_bytes(eapol->default_wep_key, 1560 hapd->conf->default_wep_key_len)) { 1561 printf("Could not generate random WEP key.\n"); 1562 os_free(eapol->default_wep_key); 1563 eapol->default_wep_key = NULL; 1564 return -1; 1565 } 1566 1567 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1568 eapol->default_wep_key, 1569 hapd->conf->default_wep_key_len); 1570 1571 return 0; 1572} 1573 1574 1575static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1576 struct sta_info *sta, void *ctx) 1577{ 1578 if (sta->eapol_sm) { 1579 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1580 eapol_auth_step(sta->eapol_sm); 1581 } 1582 return 0; 1583} 1584 1585 1586static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1587{ 1588 struct hostapd_data *hapd = eloop_ctx; 1589 struct eapol_authenticator *eapol = hapd->eapol_auth; 1590 1591 if (eapol->default_wep_key_idx >= 3) 1592 eapol->default_wep_key_idx = 1593 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1594 else 1595 eapol->default_wep_key_idx++; 1596 1597 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1598 eapol->default_wep_key_idx); 1599 1600 if (ieee802_1x_rekey_broadcast(hapd)) { 1601 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1602 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1603 "new broadcast key"); 1604 os_free(eapol->default_wep_key); 1605 eapol->default_wep_key = NULL; 1606 return; 1607 } 1608 1609 /* TODO: Could setup key for RX here, but change default TX keyid only 1610 * after new broadcast key has been sent to all stations. */ 1611 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1612 broadcast_ether_addr, 1613 eapol->default_wep_key_idx, 1, NULL, 0, 1614 eapol->default_wep_key, 1615 hapd->conf->default_wep_key_len)) { 1616 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1617 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1618 "new broadcast key"); 1619 os_free(eapol->default_wep_key); 1620 eapol->default_wep_key = NULL; 1621 return; 1622 } 1623 1624 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1625 1626 if (hapd->conf->wep_rekeying_period > 0) { 1627 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1628 ieee802_1x_rekey, hapd, NULL); 1629 } 1630} 1631 1632 1633static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1634 const u8 *data, size_t datalen) 1635{ 1636#ifdef CONFIG_WPS 1637 struct sta_info *sta = sta_ctx; 1638 1639 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1640 WLAN_STA_MAYBE_WPS) { 1641 const u8 *identity; 1642 size_t identity_len; 1643 struct eapol_state_machine *sm = sta->eapol_sm; 1644 1645 identity = eap_get_identity(sm->eap, &identity_len); 1646 if (identity && 1647 ((identity_len == WSC_ID_ENROLLEE_LEN && 1648 os_memcmp(identity, WSC_ID_ENROLLEE, 1649 WSC_ID_ENROLLEE_LEN) == 0) || 1650 (identity_len == WSC_ID_REGISTRAR_LEN && 1651 os_memcmp(identity, WSC_ID_REGISTRAR, 1652 WSC_ID_REGISTRAR_LEN) == 0))) { 1653 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1654 "WLAN_STA_WPS"); 1655 sta->flags |= WLAN_STA_WPS; 1656 } 1657 } 1658#endif /* CONFIG_WPS */ 1659 1660 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1661} 1662 1663 1664static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1665 const u8 *data, size_t datalen) 1666{ 1667#ifndef CONFIG_NO_RADIUS 1668 struct hostapd_data *hapd = ctx; 1669 struct sta_info *sta = sta_ctx; 1670 1671 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1672#endif /* CONFIG_NO_RADIUS */ 1673} 1674 1675 1676static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1677 int preauth) 1678{ 1679 struct hostapd_data *hapd = ctx; 1680 struct sta_info *sta = sta_ctx; 1681 if (preauth) 1682 rsn_preauth_finished(hapd, sta, success); 1683 else 1684 ieee802_1x_finished(hapd, sta, success); 1685} 1686 1687 1688static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1689 size_t identity_len, int phase2, 1690 struct eap_user *user) 1691{ 1692 struct hostapd_data *hapd = ctx; 1693 const struct hostapd_eap_user *eap_user; 1694 int i; 1695 1696 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 1697 if (eap_user == NULL) 1698 return -1; 1699 1700 os_memset(user, 0, sizeof(*user)); 1701 user->phase2 = phase2; 1702 for (i = 0; i < EAP_MAX_METHODS; i++) { 1703 user->methods[i].vendor = eap_user->methods[i].vendor; 1704 user->methods[i].method = eap_user->methods[i].method; 1705 } 1706 1707 if (eap_user->password) { 1708 user->password = os_malloc(eap_user->password_len); 1709 if (user->password == NULL) 1710 return -1; 1711 os_memcpy(user->password, eap_user->password, 1712 eap_user->password_len); 1713 user->password_len = eap_user->password_len; 1714 user->password_hash = eap_user->password_hash; 1715 } 1716 user->force_version = eap_user->force_version; 1717 user->ttls_auth = eap_user->ttls_auth; 1718 1719 return 0; 1720} 1721 1722 1723static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1724{ 1725 struct hostapd_data *hapd = ctx; 1726 struct sta_info *sta; 1727 sta = ap_get_sta(hapd, addr); 1728 if (sta == NULL || sta->eapol_sm == NULL) 1729 return 0; 1730 return 1; 1731} 1732 1733 1734static void ieee802_1x_logger(void *ctx, const u8 *addr, 1735 eapol_logger_level level, const char *txt) 1736{ 1737#ifndef CONFIG_NO_HOSTAPD_LOGGER 1738 struct hostapd_data *hapd = ctx; 1739 int hlevel; 1740 1741 switch (level) { 1742 case EAPOL_LOGGER_WARNING: 1743 hlevel = HOSTAPD_LEVEL_WARNING; 1744 break; 1745 case EAPOL_LOGGER_INFO: 1746 hlevel = HOSTAPD_LEVEL_INFO; 1747 break; 1748 case EAPOL_LOGGER_DEBUG: 1749 default: 1750 hlevel = HOSTAPD_LEVEL_DEBUG; 1751 break; 1752 } 1753 1754 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1755 txt); 1756#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1757} 1758 1759 1760static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1761 int authorized) 1762{ 1763 struct hostapd_data *hapd = ctx; 1764 struct sta_info *sta = sta_ctx; 1765 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1766} 1767 1768 1769static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1770{ 1771 struct hostapd_data *hapd = ctx; 1772 struct sta_info *sta = sta_ctx; 1773 ieee802_1x_abort_auth(hapd, sta); 1774} 1775 1776 1777static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1778{ 1779 struct hostapd_data *hapd = ctx; 1780 struct sta_info *sta = sta_ctx; 1781 ieee802_1x_tx_key(hapd, sta); 1782} 1783 1784 1785static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1786 enum eapol_event type) 1787{ 1788 /* struct hostapd_data *hapd = ctx; */ 1789 struct sta_info *sta = sta_ctx; 1790 switch (type) { 1791 case EAPOL_AUTH_SM_CHANGE: 1792 wpa_auth_sm_notify(sta->wpa_sm); 1793 break; 1794 case EAPOL_AUTH_REAUTHENTICATE: 1795 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1796 break; 1797 } 1798} 1799 1800 1801int ieee802_1x_init(struct hostapd_data *hapd) 1802{ 1803 int i; 1804 struct eapol_auth_config conf; 1805 struct eapol_auth_cb cb; 1806 1807 os_memset(&conf, 0, sizeof(conf)); 1808 conf.ctx = hapd; 1809 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1810 conf.wpa = hapd->conf->wpa; 1811 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1812 conf.eap_server = hapd->conf->eap_server; 1813 conf.ssl_ctx = hapd->ssl_ctx; 1814 conf.msg_ctx = hapd->msg_ctx; 1815 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1816 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1817 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1818 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1819 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1820 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1821 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1822 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1823 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1824 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1825 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1826 conf.tnc = hapd->conf->tnc; 1827 conf.wps = hapd->wps; 1828 conf.fragment_size = hapd->conf->fragment_size; 1829 conf.pwd_group = hapd->conf->pwd_group; 1830 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1831 if (hapd->conf->server_id) { 1832 conf.server_id = (const u8 *) hapd->conf->server_id; 1833 conf.server_id_len = os_strlen(hapd->conf->server_id); 1834 } else { 1835 conf.server_id = (const u8 *) "hostapd"; 1836 conf.server_id_len = 7; 1837 } 1838 1839 os_memset(&cb, 0, sizeof(cb)); 1840 cb.eapol_send = ieee802_1x_eapol_send; 1841 cb.aaa_send = ieee802_1x_aaa_send; 1842 cb.finished = _ieee802_1x_finished; 1843 cb.get_eap_user = ieee802_1x_get_eap_user; 1844 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1845 cb.logger = ieee802_1x_logger; 1846 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1847 cb.abort_auth = _ieee802_1x_abort_auth; 1848 cb.tx_key = _ieee802_1x_tx_key; 1849 cb.eapol_event = ieee802_1x_eapol_event; 1850 1851 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1852 if (hapd->eapol_auth == NULL) 1853 return -1; 1854 1855 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1856 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1857 return -1; 1858 1859#ifndef CONFIG_NO_RADIUS 1860 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1861 ieee802_1x_receive_auth, hapd)) 1862 return -1; 1863#endif /* CONFIG_NO_RADIUS */ 1864 1865 if (hapd->conf->default_wep_key_len) { 1866 for (i = 0; i < 4; i++) 1867 hostapd_drv_set_key(hapd->conf->iface, hapd, 1868 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1869 NULL, 0); 1870 1871 ieee802_1x_rekey(hapd, NULL); 1872 1873 if (hapd->eapol_auth->default_wep_key == NULL) 1874 return -1; 1875 } 1876 1877 return 0; 1878} 1879 1880 1881void ieee802_1x_deinit(struct hostapd_data *hapd) 1882{ 1883 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1884 1885 if (hapd->driver != NULL && 1886 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1887 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1888 1889 eapol_auth_deinit(hapd->eapol_auth); 1890 hapd->eapol_auth = NULL; 1891} 1892 1893 1894int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1895 const u8 *buf, size_t len, int ack) 1896{ 1897 struct ieee80211_hdr *hdr; 1898 u8 *pos; 1899 const unsigned char rfc1042_hdr[ETH_ALEN] = 1900 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1901 1902 if (sta == NULL) 1903 return -1; 1904 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 1905 return 0; 1906 1907 hdr = (struct ieee80211_hdr *) buf; 1908 pos = (u8 *) (hdr + 1); 1909 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1910 return 0; 1911 pos += sizeof(rfc1042_hdr); 1912 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1913 return 0; 1914 pos += 2; 1915 1916 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 1917 ack); 1918} 1919 1920 1921int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1922 const u8 *buf, int len, int ack) 1923{ 1924 const struct ieee802_1x_hdr *xhdr = 1925 (const struct ieee802_1x_hdr *) buf; 1926 const u8 *pos = buf + sizeof(*xhdr); 1927 struct ieee802_1x_eapol_key *key; 1928 1929 if (len < (int) sizeof(*xhdr)) 1930 return 0; 1931 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1932 "type=%d length=%d - ack=%d", 1933 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1934 be_to_host16(xhdr->length), ack); 1935 1936 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 1937 return 0; 1938 1939 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1940 const struct wpa_eapol_key *wpa; 1941 wpa = (const struct wpa_eapol_key *) pos; 1942 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1943 wpa->type == EAPOL_KEY_TYPE_WPA) 1944 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1945 sta->wpa_sm, ack); 1946 } 1947 1948 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1949 * or Authenticator state machines, but EAPOL-Key packets are not 1950 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 1951 * packets couple of times because otherwise STA keys become 1952 * unsynchronized with AP. */ 1953 if (!ack && pos + sizeof(*key) <= buf + len) { 1954 key = (struct ieee802_1x_eapol_key *) pos; 1955 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1956 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1957 "frame (%scast index=%d)", 1958 key->key_index & BIT(7) ? "uni" : "broad", 1959 key->key_index & ~BIT(7)); 1960 /* TODO: re-send EAPOL-Key couple of times (with short delay 1961 * between them?). If all attempt fail, report error and 1962 * deauthenticate STA so that it will get new keys when 1963 * authenticating again (e.g., after returning in range). 1964 * Separate limit/transmit state needed both for unicast and 1965 * broadcast keys(?) */ 1966 } 1967 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1968 * to here and change the key only if the EAPOL-Key packet was Acked. 1969 */ 1970 1971 return 1; 1972} 1973 1974 1975u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1976{ 1977 if (sm == NULL || sm->identity == NULL) 1978 return NULL; 1979 1980 *len = sm->identity_len; 1981 return sm->identity; 1982} 1983 1984 1985u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1986 int idx) 1987{ 1988 if (sm == NULL || sm->radius_class.attr == NULL || 1989 idx >= (int) sm->radius_class.count) 1990 return NULL; 1991 1992 *len = sm->radius_class.attr[idx].len; 1993 return sm->radius_class.attr[idx].data; 1994} 1995 1996 1997struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 1998{ 1999 if (sm == NULL) 2000 return NULL; 2001 return sm->radius_cui; 2002} 2003 2004 2005const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2006{ 2007 *len = 0; 2008 if (sm == NULL) 2009 return NULL; 2010 2011 *len = sm->eap_if->eapKeyDataLen; 2012 return sm->eap_if->eapKeyData; 2013} 2014 2015 2016void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2017 int enabled) 2018{ 2019 if (sm == NULL) 2020 return; 2021 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2022 eapol_auth_step(sm); 2023} 2024 2025 2026void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2027 int valid) 2028{ 2029 if (sm == NULL) 2030 return; 2031 sm->portValid = valid ? TRUE : FALSE; 2032 eapol_auth_step(sm); 2033} 2034 2035 2036void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2037{ 2038 if (sm == NULL) 2039 return; 2040 if (pre_auth) 2041 sm->flags |= EAPOL_SM_PREAUTH; 2042 else 2043 sm->flags &= ~EAPOL_SM_PREAUTH; 2044} 2045 2046 2047static const char * bool_txt(Boolean bool) 2048{ 2049 return bool ? "TRUE" : "FALSE"; 2050} 2051 2052 2053int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2054{ 2055 /* TODO */ 2056 return 0; 2057} 2058 2059 2060int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2061 char *buf, size_t buflen) 2062{ 2063 int len = 0, ret; 2064 struct eapol_state_machine *sm = sta->eapol_sm; 2065 struct os_time t; 2066 2067 if (sm == NULL) 2068 return 0; 2069 2070 ret = os_snprintf(buf + len, buflen - len, 2071 "dot1xPaePortNumber=%d\n" 2072 "dot1xPaePortProtocolVersion=%d\n" 2073 "dot1xPaePortCapabilities=1\n" 2074 "dot1xPaePortInitialize=%d\n" 2075 "dot1xPaePortReauthenticate=FALSE\n", 2076 sta->aid, 2077 EAPOL_VERSION, 2078 sm->initialize); 2079 if (ret < 0 || (size_t) ret >= buflen - len) 2080 return len; 2081 len += ret; 2082 2083 /* dot1xAuthConfigTable */ 2084 ret = os_snprintf(buf + len, buflen - len, 2085 "dot1xAuthPaeState=%d\n" 2086 "dot1xAuthBackendAuthState=%d\n" 2087 "dot1xAuthAdminControlledDirections=%d\n" 2088 "dot1xAuthOperControlledDirections=%d\n" 2089 "dot1xAuthAuthControlledPortStatus=%d\n" 2090 "dot1xAuthAuthControlledPortControl=%d\n" 2091 "dot1xAuthQuietPeriod=%u\n" 2092 "dot1xAuthServerTimeout=%u\n" 2093 "dot1xAuthReAuthPeriod=%u\n" 2094 "dot1xAuthReAuthEnabled=%s\n" 2095 "dot1xAuthKeyTxEnabled=%s\n", 2096 sm->auth_pae_state + 1, 2097 sm->be_auth_state + 1, 2098 sm->adminControlledDirections, 2099 sm->operControlledDirections, 2100 sm->authPortStatus, 2101 sm->portControl, 2102 sm->quietPeriod, 2103 sm->serverTimeout, 2104 sm->reAuthPeriod, 2105 bool_txt(sm->reAuthEnabled), 2106 bool_txt(sm->keyTxEnabled)); 2107 if (ret < 0 || (size_t) ret >= buflen - len) 2108 return len; 2109 len += ret; 2110 2111 /* dot1xAuthStatsTable */ 2112 ret = os_snprintf(buf + len, buflen - len, 2113 "dot1xAuthEapolFramesRx=%u\n" 2114 "dot1xAuthEapolFramesTx=%u\n" 2115 "dot1xAuthEapolStartFramesRx=%u\n" 2116 "dot1xAuthEapolLogoffFramesRx=%u\n" 2117 "dot1xAuthEapolRespIdFramesRx=%u\n" 2118 "dot1xAuthEapolRespFramesRx=%u\n" 2119 "dot1xAuthEapolReqIdFramesTx=%u\n" 2120 "dot1xAuthEapolReqFramesTx=%u\n" 2121 "dot1xAuthInvalidEapolFramesRx=%u\n" 2122 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2123 "dot1xAuthLastEapolFrameVersion=%u\n" 2124 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2125 sm->dot1xAuthEapolFramesRx, 2126 sm->dot1xAuthEapolFramesTx, 2127 sm->dot1xAuthEapolStartFramesRx, 2128 sm->dot1xAuthEapolLogoffFramesRx, 2129 sm->dot1xAuthEapolRespIdFramesRx, 2130 sm->dot1xAuthEapolRespFramesRx, 2131 sm->dot1xAuthEapolReqIdFramesTx, 2132 sm->dot1xAuthEapolReqFramesTx, 2133 sm->dot1xAuthInvalidEapolFramesRx, 2134 sm->dot1xAuthEapLengthErrorFramesRx, 2135 sm->dot1xAuthLastEapolFrameVersion, 2136 MAC2STR(sm->addr)); 2137 if (ret < 0 || (size_t) ret >= buflen - len) 2138 return len; 2139 len += ret; 2140 2141 /* dot1xAuthDiagTable */ 2142 ret = os_snprintf(buf + len, buflen - len, 2143 "dot1xAuthEntersConnecting=%u\n" 2144 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2145 "dot1xAuthEntersAuthenticating=%u\n" 2146 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2147 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2148 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2149 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2150 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2151 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2152 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2153 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2154 "dot1xAuthBackendResponses=%u\n" 2155 "dot1xAuthBackendAccessChallenges=%u\n" 2156 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2157 "dot1xAuthBackendAuthSuccesses=%u\n" 2158 "dot1xAuthBackendAuthFails=%u\n", 2159 sm->authEntersConnecting, 2160 sm->authEapLogoffsWhileConnecting, 2161 sm->authEntersAuthenticating, 2162 sm->authAuthSuccessesWhileAuthenticating, 2163 sm->authAuthTimeoutsWhileAuthenticating, 2164 sm->authAuthFailWhileAuthenticating, 2165 sm->authAuthEapStartsWhileAuthenticating, 2166 sm->authAuthEapLogoffWhileAuthenticating, 2167 sm->authAuthReauthsWhileAuthenticated, 2168 sm->authAuthEapStartsWhileAuthenticated, 2169 sm->authAuthEapLogoffWhileAuthenticated, 2170 sm->backendResponses, 2171 sm->backendAccessChallenges, 2172 sm->backendOtherRequestsToSupplicant, 2173 sm->backendAuthSuccesses, 2174 sm->backendAuthFails); 2175 if (ret < 0 || (size_t) ret >= buflen - len) 2176 return len; 2177 len += ret; 2178 2179 /* dot1xAuthSessionStatsTable */ 2180 os_get_time(&t); 2181 ret = os_snprintf(buf + len, buflen - len, 2182 /* TODO: dot1xAuthSessionOctetsRx */ 2183 /* TODO: dot1xAuthSessionOctetsTx */ 2184 /* TODO: dot1xAuthSessionFramesRx */ 2185 /* TODO: dot1xAuthSessionFramesTx */ 2186 "dot1xAuthSessionId=%08X-%08X\n" 2187 "dot1xAuthSessionAuthenticMethod=%d\n" 2188 "dot1xAuthSessionTime=%u\n" 2189 "dot1xAuthSessionTerminateCause=999\n" 2190 "dot1xAuthSessionUserName=%s\n", 2191 sta->acct_session_id_hi, sta->acct_session_id_lo, 2192 (wpa_key_mgmt_wpa_ieee8021x( 2193 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2194 1 : 2, 2195 (unsigned int) (t.sec - sta->acct_session_start), 2196 sm->identity); 2197 if (ret < 0 || (size_t) ret >= buflen - len) 2198 return len; 2199 len += ret; 2200 2201 return len; 2202} 2203 2204 2205static void ieee802_1x_finished(struct hostapd_data *hapd, 2206 struct sta_info *sta, int success) 2207{ 2208 const u8 *key; 2209 size_t len; 2210 /* TODO: get PMKLifetime from WPA parameters */ 2211 static const int dot11RSNAConfigPMKLifetime = 43200; 2212 2213 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2214 if (success && key && len >= PMK_LEN && 2215 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2216 sta->eapol_sm) == 0) { 2217 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2218 HOSTAPD_LEVEL_DEBUG, 2219 "Added PMKSA cache entry (IEEE 802.1X)"); 2220 } 2221 2222 if (!success) { 2223 /* 2224 * Many devices require deauthentication after WPS provisioning 2225 * and some may not be be able to do that themselves, so 2226 * disconnect the client here. In addition, this may also 2227 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2228 * the EAPOL PAE state machine would remain in HELD state for 2229 * considerable amount of time and some EAP methods, like 2230 * EAP-FAST with anonymous provisioning, may require another 2231 * EAPOL authentication to be started to complete connection. 2232 */ 2233 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2234 "disconnection after EAP-Failure"); 2235 /* Add a small sleep to increase likelihood of previously 2236 * requested EAP-Failure TX getting out before this should the 2237 * driver reorder operations. 2238 */ 2239 os_sleep(0, 10000); 2240#ifndef ANDROID_P2P 2241 /* We need not do this for driver. For AP-SME flags if we send this disassoc, 2242 * the p2p_client is gettig disassoc after it has completed the assoc 2243 */ 2244 ap_sta_disconnect(hapd, sta, sta->addr, 2245 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2246#endif 2247 } 2248} 2249