ieee802_1x.c revision 87fd279308af3f806848c8f2ab65ef18c6ac4c30
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2011, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15#include "utils/includes.h" 16 17#include "utils/common.h" 18#include "utils/eloop.h" 19#include "crypto/md5.h" 20#include "crypto/crypto.h" 21#include "crypto/random.h" 22#include "common/ieee802_11_defs.h" 23#include "common/wpa_ctrl.h" 24#include "radius/radius.h" 25#include "radius/radius_client.h" 26#include "eap_server/eap.h" 27#include "eap_common/eap_wsc_common.h" 28#include "eapol_auth/eapol_auth_sm.h" 29#include "eapol_auth/eapol_auth_sm_i.h" 30#include "hostapd.h" 31#include "accounting.h" 32#include "sta_info.h" 33#include "wpa_auth.h" 34#include "preauth_auth.h" 35#include "pmksa_cache_auth.h" 36#include "ap_config.h" 37#include "ap_drv_ops.h" 38#include "ieee802_1x.h" 39 40 41static void ieee802_1x_finished(struct hostapd_data *hapd, 42 struct sta_info *sta, int success); 43 44 45static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 46 u8 type, const u8 *data, size_t datalen) 47{ 48 u8 *buf; 49 struct ieee802_1x_hdr *xhdr; 50 size_t len; 51 int encrypt = 0; 52 53 len = sizeof(*xhdr) + datalen; 54 buf = os_zalloc(len); 55 if (buf == NULL) { 56 wpa_printf(MSG_ERROR, "malloc() failed for " 57 "ieee802_1x_send(len=%lu)", 58 (unsigned long) len); 59 return; 60 } 61 62 xhdr = (struct ieee802_1x_hdr *) buf; 63 xhdr->version = hapd->conf->eapol_version; 64 xhdr->type = type; 65 xhdr->length = host_to_be16(datalen); 66 67 if (datalen > 0 && data != NULL) 68 os_memcpy(xhdr + 1, data, datalen); 69 70 if (wpa_auth_pairwise_set(sta->wpa_sm)) 71 encrypt = 1; 72 if (sta->flags & WLAN_STA_PREAUTH) { 73 rsn_preauth_send(hapd, sta, buf, len); 74 } else { 75 hostapd_drv_hapd_send_eapol(hapd, sta->addr, buf, len, 76 encrypt, sta->flags); 77 } 78 79 os_free(buf); 80} 81 82 83void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 84 struct sta_info *sta, int authorized) 85{ 86 int res; 87 88 if (sta->flags & WLAN_STA_PREAUTH) 89 return; 90 91 if (authorized) { 92 if (!ap_sta_is_authorized(sta)) 93 wpa_msg(hapd->msg_ctx, MSG_INFO, 94 AP_STA_CONNECTED MACSTR, MAC2STR(sta->addr)); 95 ap_sta_set_authorized(hapd, sta, 1); 96 res = hostapd_set_authorized(hapd, sta, 1); 97 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 98 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 99 } else { 100 if (ap_sta_is_authorized(sta) && (sta->flags & WLAN_STA_ASSOC)) 101 wpa_msg(hapd->msg_ctx, MSG_INFO, 102 AP_STA_DISCONNECTED MACSTR, 103 MAC2STR(sta->addr)); 104 ap_sta_set_authorized(hapd, sta, 0); 105 res = hostapd_set_authorized(hapd, sta, 0); 106 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 107 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 108 } 109 110 if (res && errno != ENOENT) { 111 printf("Could not set station " MACSTR " flags for kernel " 112 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 113 } 114 115 if (authorized) 116 accounting_sta_start(hapd, sta); 117} 118 119 120static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 121 struct sta_info *sta, 122 int idx, int broadcast, 123 u8 *key_data, size_t key_len) 124{ 125 u8 *buf, *ekey; 126 struct ieee802_1x_hdr *hdr; 127 struct ieee802_1x_eapol_key *key; 128 size_t len, ekey_len; 129 struct eapol_state_machine *sm = sta->eapol_sm; 130 131 if (sm == NULL) 132 return; 133 134 len = sizeof(*key) + key_len; 135 buf = os_zalloc(sizeof(*hdr) + len); 136 if (buf == NULL) 137 return; 138 139 hdr = (struct ieee802_1x_hdr *) buf; 140 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 141 key->type = EAPOL_KEY_TYPE_RC4; 142 key->key_length = htons(key_len); 143 wpa_get_ntp_timestamp(key->replay_counter); 144 145 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 146 wpa_printf(MSG_ERROR, "Could not get random numbers"); 147 os_free(buf); 148 return; 149 } 150 151 key->key_index = idx | (broadcast ? 0 : BIT(7)); 152 if (hapd->conf->eapol_key_index_workaround) { 153 /* According to some information, WinXP Supplicant seems to 154 * interpret bit7 as an indication whether the key is to be 155 * activated, so make it possible to enable workaround that 156 * sets this bit for all keys. */ 157 key->key_index |= BIT(7); 158 } 159 160 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 161 * MSK[32..63] is used to sign the message. */ 162 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 163 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 164 "and signing EAPOL-Key"); 165 os_free(buf); 166 return; 167 } 168 os_memcpy((u8 *) (key + 1), key_data, key_len); 169 ekey_len = sizeof(key->key_iv) + 32; 170 ekey = os_malloc(ekey_len); 171 if (ekey == NULL) { 172 wpa_printf(MSG_ERROR, "Could not encrypt key"); 173 os_free(buf); 174 return; 175 } 176 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 177 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 178 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 179 os_free(ekey); 180 181 /* This header is needed here for HMAC-MD5, but it will be regenerated 182 * in ieee802_1x_send() */ 183 hdr->version = hapd->conf->eapol_version; 184 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 185 hdr->length = host_to_be16(len); 186 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 187 key->key_signature); 188 189 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 190 " (%s index=%d)", MAC2STR(sm->addr), 191 broadcast ? "broadcast" : "unicast", idx); 192 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 193 if (sta->eapol_sm) 194 sta->eapol_sm->dot1xAuthEapolFramesTx++; 195 os_free(buf); 196} 197 198 199#ifndef CONFIG_NO_VLAN 200static struct hostapd_wep_keys * 201ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 202{ 203 struct hostapd_wep_keys *key; 204 205 key = os_zalloc(sizeof(*key)); 206 if (key == NULL) 207 return NULL; 208 209 key->default_len = hapd->conf->default_wep_key_len; 210 211 if (key->idx >= hapd->conf->broadcast_key_idx_max || 212 key->idx < hapd->conf->broadcast_key_idx_min) 213 key->idx = hapd->conf->broadcast_key_idx_min; 214 else 215 key->idx++; 216 217 if (!key->key[key->idx]) 218 key->key[key->idx] = os_malloc(key->default_len); 219 if (key->key[key->idx] == NULL || 220 random_get_bytes(key->key[key->idx], key->default_len)) { 221 printf("Could not generate random WEP key (dynamic VLAN).\n"); 222 os_free(key->key[key->idx]); 223 key->key[key->idx] = NULL; 224 os_free(key); 225 return NULL; 226 } 227 key->len[key->idx] = key->default_len; 228 229 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 230 ifname, key->idx); 231 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 232 key->key[key->idx], key->len[key->idx]); 233 234 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP, 235 broadcast_ether_addr, key->idx, 1, 236 NULL, 0, key->key[key->idx], 237 key->len[key->idx])) 238 printf("Could not set dynamic VLAN WEP encryption key.\n"); 239 240 hostapd_set_drv_ieee8021x(hapd, ifname, 1); 241 242 return key; 243} 244 245 246static struct hostapd_wep_keys * 247ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 248 size_t vlan_id) 249{ 250 const char *ifname; 251 252 if (vlan_id == 0) 253 return &ssid->wep; 254 255 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 256 ssid->dyn_vlan_keys[vlan_id]) 257 return ssid->dyn_vlan_keys[vlan_id]; 258 259 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 260 "state machine for VLAN ID %lu", 261 (unsigned long) vlan_id); 262 263 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 264 if (ifname == NULL) { 265 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 266 "cannot create group key state machine", 267 (unsigned long) vlan_id); 268 return NULL; 269 } 270 271 if (ssid->dyn_vlan_keys == NULL) { 272 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 273 ssid->dyn_vlan_keys = os_zalloc(size); 274 if (ssid->dyn_vlan_keys == NULL) 275 return NULL; 276 ssid->max_dyn_vlan_keys = vlan_id; 277 } 278 279 if (ssid->max_dyn_vlan_keys < vlan_id) { 280 struct hostapd_wep_keys **na; 281 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 282 na = os_realloc(ssid->dyn_vlan_keys, size); 283 if (na == NULL) 284 return NULL; 285 ssid->dyn_vlan_keys = na; 286 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 287 (vlan_id - ssid->max_dyn_vlan_keys) * 288 sizeof(ssid->dyn_vlan_keys[0])); 289 ssid->max_dyn_vlan_keys = vlan_id; 290 } 291 292 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 293 294 return ssid->dyn_vlan_keys[vlan_id]; 295} 296#endif /* CONFIG_NO_VLAN */ 297 298 299void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 300{ 301 struct eapol_authenticator *eapol = hapd->eapol_auth; 302 struct eapol_state_machine *sm = sta->eapol_sm; 303#ifndef CONFIG_NO_VLAN 304 struct hostapd_wep_keys *key = NULL; 305 int vlan_id; 306#endif /* CONFIG_NO_VLAN */ 307 308 if (sm == NULL || !sm->eap_if->eapKeyData) 309 return; 310 311 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 312 MAC2STR(sta->addr)); 313 314#ifndef CONFIG_NO_VLAN 315 vlan_id = sta->vlan_id; 316 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 317 vlan_id = 0; 318 319 if (vlan_id) { 320 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 321 if (key && key->key[key->idx]) 322 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 323 key->key[key->idx], 324 key->len[key->idx]); 325 } else 326#endif /* CONFIG_NO_VLAN */ 327 if (eapol->default_wep_key) { 328 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 329 eapol->default_wep_key, 330 hapd->conf->default_wep_key_len); 331 } 332 333 if (hapd->conf->individual_wep_key_len > 0) { 334 u8 *ikey; 335 ikey = os_malloc(hapd->conf->individual_wep_key_len); 336 if (ikey == NULL || 337 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 338 { 339 wpa_printf(MSG_ERROR, "Could not generate random " 340 "individual WEP key."); 341 os_free(ikey); 342 return; 343 } 344 345 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 346 ikey, hapd->conf->individual_wep_key_len); 347 348 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 349 hapd->conf->individual_wep_key_len); 350 351 /* TODO: set encryption in TX callback, i.e., only after STA 352 * has ACKed EAPOL-Key frame */ 353 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 354 sta->addr, 0, 1, NULL, 0, ikey, 355 hapd->conf->individual_wep_key_len)) { 356 wpa_printf(MSG_ERROR, "Could not set individual WEP " 357 "encryption."); 358 } 359 360 os_free(ikey); 361 } 362} 363 364 365const char *radius_mode_txt(struct hostapd_data *hapd) 366{ 367 switch (hapd->iface->conf->hw_mode) { 368 case HOSTAPD_MODE_IEEE80211A: 369 return "802.11a"; 370 case HOSTAPD_MODE_IEEE80211G: 371 return "802.11g"; 372 case HOSTAPD_MODE_IEEE80211B: 373 default: 374 return "802.11b"; 375 } 376} 377 378 379int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 380{ 381 int i; 382 u8 rate = 0; 383 384 for (i = 0; i < sta->supported_rates_len; i++) 385 if ((sta->supported_rates[i] & 0x7f) > rate) 386 rate = sta->supported_rates[i] & 0x7f; 387 388 return rate; 389} 390 391 392#ifndef CONFIG_NO_RADIUS 393static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 394 struct eapol_state_machine *sm, 395 const u8 *eap, size_t len) 396{ 397 const u8 *identity; 398 size_t identity_len; 399 400 if (len <= sizeof(struct eap_hdr) || 401 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 402 return; 403 404 identity = eap_get_identity(sm->eap, &identity_len); 405 if (identity == NULL) 406 return; 407 408 /* Save station identity for future RADIUS packets */ 409 os_free(sm->identity); 410 sm->identity = os_malloc(identity_len + 1); 411 if (sm->identity == NULL) { 412 sm->identity_len = 0; 413 return; 414 } 415 416 os_memcpy(sm->identity, identity, identity_len); 417 sm->identity_len = identity_len; 418 sm->identity[identity_len] = '\0'; 419 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 420 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 421 sm->dot1xAuthEapolRespIdFramesRx++; 422} 423 424 425static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 426 struct sta_info *sta, 427 const u8 *eap, size_t len) 428{ 429 struct radius_msg *msg; 430 char buf[128]; 431 struct eapol_state_machine *sm = sta->eapol_sm; 432 433 if (sm == NULL) 434 return; 435 436 ieee802_1x_learn_identity(hapd, sm, eap, len); 437 438 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 439 "packet"); 440 441 sm->radius_identifier = radius_client_get_id(hapd->radius); 442 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 443 sm->radius_identifier); 444 if (msg == NULL) { 445 printf("Could not create net RADIUS packet\n"); 446 return; 447 } 448 449 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 450 451 if (sm->identity && 452 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 453 sm->identity, sm->identity_len)) { 454 printf("Could not add User-Name\n"); 455 goto fail; 456 } 457 458 if (hapd->conf->own_ip_addr.af == AF_INET && 459 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 460 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 461 printf("Could not add NAS-IP-Address\n"); 462 goto fail; 463 } 464 465#ifdef CONFIG_IPV6 466 if (hapd->conf->own_ip_addr.af == AF_INET6 && 467 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 468 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 469 printf("Could not add NAS-IPv6-Address\n"); 470 goto fail; 471 } 472#endif /* CONFIG_IPV6 */ 473 474 if (hapd->conf->nas_identifier && 475 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 476 (u8 *) hapd->conf->nas_identifier, 477 os_strlen(hapd->conf->nas_identifier))) { 478 printf("Could not add NAS-Identifier\n"); 479 goto fail; 480 } 481 482 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 483 printf("Could not add NAS-Port\n"); 484 goto fail; 485 } 486 487 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 488 MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid); 489 buf[sizeof(buf) - 1] = '\0'; 490 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 491 (u8 *) buf, os_strlen(buf))) { 492 printf("Could not add Called-Station-Id\n"); 493 goto fail; 494 } 495 496 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 497 MAC2STR(sta->addr)); 498 buf[sizeof(buf) - 1] = '\0'; 499 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 500 (u8 *) buf, os_strlen(buf))) { 501 printf("Could not add Calling-Station-Id\n"); 502 goto fail; 503 } 504 505 /* TODO: should probably check MTU from driver config; 2304 is max for 506 * IEEE 802.11, but use 1400 to avoid problems with too large packets 507 */ 508 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 509 printf("Could not add Framed-MTU\n"); 510 goto fail; 511 } 512 513 if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 514 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 515 printf("Could not add NAS-Port-Type\n"); 516 goto fail; 517 } 518 519 if (sta->flags & WLAN_STA_PREAUTH) { 520 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 521 sizeof(buf)); 522 } else { 523 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 524 radius_sta_rate(hapd, sta) / 2, 525 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 526 radius_mode_txt(hapd)); 527 buf[sizeof(buf) - 1] = '\0'; 528 } 529 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 530 (u8 *) buf, os_strlen(buf))) { 531 printf("Could not add Connect-Info\n"); 532 goto fail; 533 } 534 535 if (eap && !radius_msg_add_eap(msg, eap, len)) { 536 printf("Could not add EAP-Message\n"); 537 goto fail; 538 } 539 540 /* State attribute must be copied if and only if this packet is 541 * Access-Request reply to the previous Access-Challenge */ 542 if (sm->last_recv_radius && 543 radius_msg_get_hdr(sm->last_recv_radius)->code == 544 RADIUS_CODE_ACCESS_CHALLENGE) { 545 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 546 RADIUS_ATTR_STATE); 547 if (res < 0) { 548 printf("Could not copy State attribute from previous " 549 "Access-Challenge\n"); 550 goto fail; 551 } 552 if (res > 0) { 553 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 554 } 555 } 556 557 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 558 goto fail; 559 560 return; 561 562 fail: 563 radius_msg_free(msg); 564} 565#endif /* CONFIG_NO_RADIUS */ 566 567 568static void handle_eap_response(struct hostapd_data *hapd, 569 struct sta_info *sta, struct eap_hdr *eap, 570 size_t len) 571{ 572 u8 type, *data; 573 struct eapol_state_machine *sm = sta->eapol_sm; 574 if (sm == NULL) 575 return; 576 577 data = (u8 *) (eap + 1); 578 579 if (len < sizeof(*eap) + 1) { 580 printf("handle_eap_response: too short response data\n"); 581 return; 582 } 583 584 sm->eap_type_supp = type = data[0]; 585 586 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 587 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 588 "id=%d len=%d) from STA: EAP Response-%s (%d)", 589 eap->code, eap->identifier, be_to_host16(eap->length), 590 eap_server_get_name(0, type), type); 591 592 sm->dot1xAuthEapolRespFramesRx++; 593 594 wpabuf_free(sm->eap_if->eapRespData); 595 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 596 sm->eapolEap = TRUE; 597} 598 599 600/* Process incoming EAP packet from Supplicant */ 601static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 602 u8 *buf, size_t len) 603{ 604 struct eap_hdr *eap; 605 u16 eap_len; 606 607 if (len < sizeof(*eap)) { 608 printf(" too short EAP packet\n"); 609 return; 610 } 611 612 eap = (struct eap_hdr *) buf; 613 614 eap_len = be_to_host16(eap->length); 615 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 616 eap->code, eap->identifier, eap_len); 617 if (eap_len < sizeof(*eap)) { 618 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 619 return; 620 } else if (eap_len > len) { 621 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 622 "packet"); 623 return; 624 } else if (eap_len < len) { 625 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 626 "packet", (unsigned long) len - eap_len); 627 } 628 629 switch (eap->code) { 630 case EAP_CODE_REQUEST: 631 wpa_printf(MSG_DEBUG, " (request)"); 632 return; 633 case EAP_CODE_RESPONSE: 634 wpa_printf(MSG_DEBUG, " (response)"); 635 handle_eap_response(hapd, sta, eap, eap_len); 636 break; 637 case EAP_CODE_SUCCESS: 638 wpa_printf(MSG_DEBUG, " (success)"); 639 return; 640 case EAP_CODE_FAILURE: 641 wpa_printf(MSG_DEBUG, " (failure)"); 642 return; 643 default: 644 wpa_printf(MSG_DEBUG, " (unknown code)"); 645 return; 646 } 647} 648 649 650static struct eapol_state_machine * 651ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 652{ 653 int flags = 0; 654 if (sta->flags & WLAN_STA_PREAUTH) 655 flags |= EAPOL_SM_PREAUTH; 656 if (sta->wpa_sm) { 657 flags |= EAPOL_SM_USES_WPA; 658 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 659 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 660 } 661 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 662 sta->wps_ie, sta->p2p_ie, sta); 663} 664 665 666/** 667 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 668 * @hapd: hostapd BSS data 669 * @sa: Source address (sender of the EAPOL frame) 670 * @buf: EAPOL frame 671 * @len: Length of buf in octets 672 * 673 * This function is called for each incoming EAPOL frame from the interface 674 */ 675void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 676 size_t len) 677{ 678 struct sta_info *sta; 679 struct ieee802_1x_hdr *hdr; 680 struct ieee802_1x_eapol_key *key; 681 u16 datalen; 682 struct rsn_pmksa_cache_entry *pmksa; 683 int key_mgmt; 684 685 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 686 !hapd->conf->wps_state) 687 return; 688 689 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 690 (unsigned long) len, MAC2STR(sa)); 691 sta = ap_get_sta(hapd, sa); 692 if (!sta || !(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH))) { 693 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 694 "associated/Pre-authenticating STA"); 695 return; 696 } 697 698 if (len < sizeof(*hdr)) { 699 printf(" too short IEEE 802.1X packet\n"); 700 return; 701 } 702 703 hdr = (struct ieee802_1x_hdr *) buf; 704 datalen = be_to_host16(hdr->length); 705 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 706 hdr->version, hdr->type, datalen); 707 708 if (len - sizeof(*hdr) < datalen) { 709 printf(" frame too short for this IEEE 802.1X packet\n"); 710 if (sta->eapol_sm) 711 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 712 return; 713 } 714 if (len - sizeof(*hdr) > datalen) { 715 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 716 "IEEE 802.1X packet", 717 (unsigned long) len - sizeof(*hdr) - datalen); 718 } 719 720 if (sta->eapol_sm) { 721 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 722 sta->eapol_sm->dot1xAuthEapolFramesRx++; 723 } 724 725 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 726 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 727 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 728 (key->type == EAPOL_KEY_TYPE_WPA || 729 key->type == EAPOL_KEY_TYPE_RSN)) { 730 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 731 sizeof(*hdr) + datalen); 732 return; 733 } 734 735 if (!hapd->conf->ieee802_1x && 736 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 737 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 738 "802.1X not enabled and WPS not used"); 739 return; 740 } 741 742 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 743 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 744 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 745 "STA is using PSK"); 746 return; 747 } 748 749 if (!sta->eapol_sm) { 750 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 751 if (!sta->eapol_sm) 752 return; 753 754#ifdef CONFIG_WPS 755 if (!hapd->conf->ieee802_1x && 756 ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 757 WLAN_STA_MAYBE_WPS)) { 758 /* 759 * Delay EAPOL frame transmission until a possible WPS 760 * STA initiates the handshake with EAPOL-Start. 761 */ 762 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 763 } 764#endif /* CONFIG_WPS */ 765 766 sta->eapol_sm->eap_if->portEnabled = TRUE; 767 } 768 769 /* since we support version 1, we can ignore version field and proceed 770 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 771 /* TODO: actually, we are not version 1 anymore.. However, Version 2 772 * does not change frame contents, so should be ok to process frames 773 * more or less identically. Some changes might be needed for 774 * verification of fields. */ 775 776 switch (hdr->type) { 777 case IEEE802_1X_TYPE_EAP_PACKET: 778 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 779 break; 780 781 case IEEE802_1X_TYPE_EAPOL_START: 782 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 783 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 784 "from STA"); 785 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 786 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 787 if (pmksa) { 788 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 789 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 790 "available - ignore it since " 791 "STA sent EAPOL-Start"); 792 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 793 } 794 sta->eapol_sm->eapolStart = TRUE; 795 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 796 eap_server_clear_identity(sta->eapol_sm->eap); 797 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 798 break; 799 800 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 801 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 802 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 803 "from STA"); 804 sta->acct_terminate_cause = 805 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 806 accounting_sta_stop(hapd, sta); 807 sta->eapol_sm->eapolLogoff = TRUE; 808 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 809 eap_server_clear_identity(sta->eapol_sm->eap); 810 break; 811 812 case IEEE802_1X_TYPE_EAPOL_KEY: 813 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 814 if (!ap_sta_is_authorized(sta)) { 815 wpa_printf(MSG_DEBUG, " Dropped key data from " 816 "unauthorized Supplicant"); 817 break; 818 } 819 break; 820 821 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 822 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 823 /* TODO: implement support for this; show data */ 824 break; 825 826 default: 827 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 828 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 829 break; 830 } 831 832 eapol_auth_step(sta->eapol_sm); 833} 834 835 836/** 837 * ieee802_1x_new_station - Start IEEE 802.1X authentication 838 * @hapd: hostapd BSS data 839 * @sta: The station 840 * 841 * This function is called to start IEEE 802.1X authentication when a new 842 * station completes IEEE 802.11 association. 843 */ 844void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 845{ 846 struct rsn_pmksa_cache_entry *pmksa; 847 int reassoc = 1; 848 int force_1x = 0; 849 int key_mgmt; 850 851#ifdef CONFIG_WPS 852 if (hapd->conf->wps_state && hapd->conf->wpa && 853 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 854 /* 855 * Need to enable IEEE 802.1X/EAPOL state machines for possible 856 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 857 * authentication in this BSS. 858 */ 859 force_1x = 1; 860 } 861#endif /* CONFIG_WPS */ 862 863 if (!force_1x && !hapd->conf->ieee802_1x) { 864 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 865 "802.1X not enabled or forced for WPS"); 866 return; 867 } 868 869 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 870 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 871 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 872 return; 873 } 874 875 if (sta->eapol_sm == NULL) { 876 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 877 HOSTAPD_LEVEL_DEBUG, "start authentication"); 878 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 879 if (sta->eapol_sm == NULL) { 880 hostapd_logger(hapd, sta->addr, 881 HOSTAPD_MODULE_IEEE8021X, 882 HOSTAPD_LEVEL_INFO, 883 "failed to allocate state machine"); 884 return; 885 } 886 reassoc = 0; 887 } 888 889#ifdef CONFIG_WPS 890 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 891 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS)) { 892 /* 893 * Delay EAPOL frame transmission until a possible WPS 894 * initiates the handshake with EAPOL-Start. 895 */ 896 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 897 } 898#endif /* CONFIG_WPS */ 899 900 sta->eapol_sm->eap_if->portEnabled = TRUE; 901 902#ifdef CONFIG_IEEE80211R 903 if (sta->auth_alg == WLAN_AUTH_FT) { 904 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 905 HOSTAPD_LEVEL_DEBUG, 906 "PMK from FT - skip IEEE 802.1X/EAP"); 907 /* Setup EAPOL state machines to already authenticated state 908 * because of existing FT information from R0KH. */ 909 sta->eapol_sm->keyRun = TRUE; 910 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 911 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 912 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 913 sta->eapol_sm->authSuccess = TRUE; 914 if (sta->eapol_sm->eap) 915 eap_sm_notify_cached(sta->eapol_sm->eap); 916 /* TODO: get vlan_id from R0KH using RRB message */ 917 return; 918 } 919#endif /* CONFIG_IEEE80211R */ 920 921 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 922 if (pmksa) { 923 int old_vlanid; 924 925 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 926 HOSTAPD_LEVEL_DEBUG, 927 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 928 /* Setup EAPOL state machines to already authenticated state 929 * because of existing PMKSA information in the cache. */ 930 sta->eapol_sm->keyRun = TRUE; 931 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 932 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 933 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 934 sta->eapol_sm->authSuccess = TRUE; 935 if (sta->eapol_sm->eap) 936 eap_sm_notify_cached(sta->eapol_sm->eap); 937 old_vlanid = sta->vlan_id; 938 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 939 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 940 sta->vlan_id = 0; 941 ap_sta_bind_vlan(hapd, sta, old_vlanid); 942 } else { 943 if (reassoc) { 944 /* 945 * Force EAPOL state machines to start 946 * re-authentication without having to wait for the 947 * Supplicant to send EAPOL-Start. 948 */ 949 sta->eapol_sm->reAuthenticate = TRUE; 950 } 951 eapol_auth_step(sta->eapol_sm); 952 } 953} 954 955 956void ieee802_1x_free_station(struct sta_info *sta) 957{ 958 struct eapol_state_machine *sm = sta->eapol_sm; 959 960 if (sm == NULL) 961 return; 962 963 sta->eapol_sm = NULL; 964 965#ifndef CONFIG_NO_RADIUS 966 radius_msg_free(sm->last_recv_radius); 967 radius_free_class(&sm->radius_class); 968#endif /* CONFIG_NO_RADIUS */ 969 970 os_free(sm->identity); 971 eapol_auth_free(sm); 972} 973 974 975#ifndef CONFIG_NO_RADIUS 976static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 977 struct sta_info *sta) 978{ 979 u8 *eap; 980 size_t len; 981 struct eap_hdr *hdr; 982 int eap_type = -1; 983 char buf[64]; 984 struct radius_msg *msg; 985 struct eapol_state_machine *sm = sta->eapol_sm; 986 987 if (sm == NULL || sm->last_recv_radius == NULL) { 988 if (sm) 989 sm->eap_if->aaaEapNoReq = TRUE; 990 return; 991 } 992 993 msg = sm->last_recv_radius; 994 995 eap = radius_msg_get_eap(msg, &len); 996 if (eap == NULL) { 997 /* RFC 3579, Chap. 2.6.3: 998 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 999 * attribute */ 1000 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1001 HOSTAPD_LEVEL_WARNING, "could not extract " 1002 "EAP-Message from RADIUS message"); 1003 sm->eap_if->aaaEapNoReq = TRUE; 1004 return; 1005 } 1006 1007 if (len < sizeof(*hdr)) { 1008 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1009 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1010 "received from authentication server"); 1011 os_free(eap); 1012 sm->eap_if->aaaEapNoReq = TRUE; 1013 return; 1014 } 1015 1016 if (len > sizeof(*hdr)) 1017 eap_type = eap[sizeof(*hdr)]; 1018 1019 hdr = (struct eap_hdr *) eap; 1020 switch (hdr->code) { 1021 case EAP_CODE_REQUEST: 1022 if (eap_type >= 0) 1023 sm->eap_type_authsrv = eap_type; 1024 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1025 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1026 "??", 1027 eap_type); 1028 break; 1029 case EAP_CODE_RESPONSE: 1030 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1031 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1032 "??", 1033 eap_type); 1034 break; 1035 case EAP_CODE_SUCCESS: 1036 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1037 break; 1038 case EAP_CODE_FAILURE: 1039 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1040 break; 1041 default: 1042 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1043 break; 1044 } 1045 buf[sizeof(buf) - 1] = '\0'; 1046 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1047 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1048 "id=%d len=%d) from RADIUS server: %s", 1049 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1050 buf); 1051 sm->eap_if->aaaEapReq = TRUE; 1052 1053 wpabuf_free(sm->eap_if->aaaEapReqData); 1054 sm->eap_if->aaaEapReqData = wpabuf_alloc_ext_data(eap, len); 1055} 1056 1057 1058static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1059 struct sta_info *sta, struct radius_msg *msg, 1060 struct radius_msg *req, 1061 const u8 *shared_secret, 1062 size_t shared_secret_len) 1063{ 1064 struct radius_ms_mppe_keys *keys; 1065 struct eapol_state_machine *sm = sta->eapol_sm; 1066 if (sm == NULL) 1067 return; 1068 1069 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1070 shared_secret_len); 1071 1072 if (keys && keys->send && keys->recv) { 1073 size_t len = keys->send_len + keys->recv_len; 1074 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1075 keys->send, keys->send_len); 1076 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1077 keys->recv, keys->recv_len); 1078 1079 os_free(sm->eap_if->aaaEapKeyData); 1080 sm->eap_if->aaaEapKeyData = os_malloc(len); 1081 if (sm->eap_if->aaaEapKeyData) { 1082 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1083 keys->recv_len); 1084 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1085 keys->send, keys->send_len); 1086 sm->eap_if->aaaEapKeyDataLen = len; 1087 sm->eap_if->aaaEapKeyAvailable = TRUE; 1088 } 1089 } 1090 1091 if (keys) { 1092 os_free(keys->send); 1093 os_free(keys->recv); 1094 os_free(keys); 1095 } 1096} 1097 1098 1099static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1100 struct sta_info *sta, 1101 struct radius_msg *msg) 1102{ 1103 u8 *class; 1104 size_t class_len; 1105 struct eapol_state_machine *sm = sta->eapol_sm; 1106 int count, i; 1107 struct radius_attr_data *nclass; 1108 size_t nclass_count; 1109 1110 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1111 sm == NULL) 1112 return; 1113 1114 radius_free_class(&sm->radius_class); 1115 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1116 if (count <= 0) 1117 return; 1118 1119 nclass = os_zalloc(count * sizeof(struct radius_attr_data)); 1120 if (nclass == NULL) 1121 return; 1122 1123 nclass_count = 0; 1124 1125 class = NULL; 1126 for (i = 0; i < count; i++) { 1127 do { 1128 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1129 &class, &class_len, 1130 class) < 0) { 1131 i = count; 1132 break; 1133 } 1134 } while (class_len < 1); 1135 1136 nclass[nclass_count].data = os_malloc(class_len); 1137 if (nclass[nclass_count].data == NULL) 1138 break; 1139 1140 os_memcpy(nclass[nclass_count].data, class, class_len); 1141 nclass[nclass_count].len = class_len; 1142 nclass_count++; 1143 } 1144 1145 sm->radius_class.attr = nclass; 1146 sm->radius_class.count = nclass_count; 1147 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1148 "attributes for " MACSTR, 1149 (unsigned long) sm->radius_class.count, 1150 MAC2STR(sta->addr)); 1151} 1152 1153 1154/* Update sta->identity based on User-Name attribute in Access-Accept */ 1155static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1156 struct sta_info *sta, 1157 struct radius_msg *msg) 1158{ 1159 u8 *buf, *identity; 1160 size_t len; 1161 struct eapol_state_machine *sm = sta->eapol_sm; 1162 1163 if (sm == NULL) 1164 return; 1165 1166 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1167 NULL) < 0) 1168 return; 1169 1170 identity = os_malloc(len + 1); 1171 if (identity == NULL) 1172 return; 1173 1174 os_memcpy(identity, buf, len); 1175 identity[len] = '\0'; 1176 1177 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1178 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1179 "User-Name from Access-Accept '%s'", 1180 sm->identity ? (char *) sm->identity : "N/A", 1181 (char *) identity); 1182 1183 os_free(sm->identity); 1184 sm->identity = identity; 1185 sm->identity_len = len; 1186} 1187 1188 1189struct sta_id_search { 1190 u8 identifier; 1191 struct eapol_state_machine *sm; 1192}; 1193 1194 1195static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1196 struct sta_info *sta, 1197 void *ctx) 1198{ 1199 struct sta_id_search *id_search = ctx; 1200 struct eapol_state_machine *sm = sta->eapol_sm; 1201 1202 if (sm && sm->radius_identifier >= 0 && 1203 sm->radius_identifier == id_search->identifier) { 1204 id_search->sm = sm; 1205 return 1; 1206 } 1207 return 0; 1208} 1209 1210 1211static struct eapol_state_machine * 1212ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1213{ 1214 struct sta_id_search id_search; 1215 id_search.identifier = identifier; 1216 id_search.sm = NULL; 1217 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1218 return id_search.sm; 1219} 1220 1221 1222/** 1223 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1224 * @msg: RADIUS response message 1225 * @req: RADIUS request message 1226 * @shared_secret: RADIUS shared secret 1227 * @shared_secret_len: Length of shared_secret in octets 1228 * @data: Context data (struct hostapd_data *) 1229 * Returns: Processing status 1230 */ 1231static RadiusRxResult 1232ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1233 const u8 *shared_secret, size_t shared_secret_len, 1234 void *data) 1235{ 1236 struct hostapd_data *hapd = data; 1237 struct sta_info *sta; 1238 u32 session_timeout = 0, termination_action, acct_interim_interval; 1239 int session_timeout_set, old_vlanid = 0; 1240 struct eapol_state_machine *sm; 1241 int override_eapReq = 0; 1242 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1243 1244 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1245 if (sm == NULL) { 1246 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1247 "station for this RADIUS message"); 1248 return RADIUS_RX_UNKNOWN; 1249 } 1250 sta = sm->sta; 1251 1252 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1253 * present when packet contains an EAP-Message attribute */ 1254 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1255 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1256 0) < 0 && 1257 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1258 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1259 "Message-Authenticator since it does not include " 1260 "EAP-Message"); 1261 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1262 req, 1)) { 1263 printf("Incoming RADIUS packet did not have correct " 1264 "Message-Authenticator - dropped\n"); 1265 return RADIUS_RX_INVALID_AUTHENTICATOR; 1266 } 1267 1268 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1269 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1270 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1271 printf("Unknown RADIUS message code\n"); 1272 return RADIUS_RX_UNKNOWN; 1273 } 1274 1275 sm->radius_identifier = -1; 1276 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1277 MAC2STR(sta->addr)); 1278 1279 radius_msg_free(sm->last_recv_radius); 1280 sm->last_recv_radius = msg; 1281 1282 session_timeout_set = 1283 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1284 &session_timeout); 1285 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1286 &termination_action)) 1287 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1288 1289 if (hapd->conf->acct_interim_interval == 0 && 1290 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1291 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1292 &acct_interim_interval) == 0) { 1293 if (acct_interim_interval < 60) { 1294 hostapd_logger(hapd, sta->addr, 1295 HOSTAPD_MODULE_IEEE8021X, 1296 HOSTAPD_LEVEL_INFO, 1297 "ignored too small " 1298 "Acct-Interim-Interval %d", 1299 acct_interim_interval); 1300 } else 1301 sta->acct_interim_interval = acct_interim_interval; 1302 } 1303 1304 1305 switch (hdr->code) { 1306 case RADIUS_CODE_ACCESS_ACCEPT: 1307 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1308 sta->vlan_id = 0; 1309#ifndef CONFIG_NO_VLAN 1310 else { 1311 old_vlanid = sta->vlan_id; 1312 sta->vlan_id = radius_msg_get_vlanid(msg); 1313 } 1314 if (sta->vlan_id > 0 && 1315 hostapd_get_vlan_id_ifname(hapd->conf->vlan, 1316 sta->vlan_id)) { 1317 hostapd_logger(hapd, sta->addr, 1318 HOSTAPD_MODULE_RADIUS, 1319 HOSTAPD_LEVEL_INFO, 1320 "VLAN ID %d", sta->vlan_id); 1321 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1322 sta->eapol_sm->authFail = TRUE; 1323 hostapd_logger(hapd, sta->addr, 1324 HOSTAPD_MODULE_IEEE8021X, 1325 HOSTAPD_LEVEL_INFO, "authentication " 1326 "server did not include required VLAN " 1327 "ID in Access-Accept"); 1328 break; 1329 } 1330#endif /* CONFIG_NO_VLAN */ 1331 1332 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1333 break; 1334 1335 /* RFC 3580, Ch. 3.17 */ 1336 if (session_timeout_set && termination_action == 1337 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1338 sm->reAuthPeriod = session_timeout; 1339 } else if (session_timeout_set) 1340 ap_sta_session_timeout(hapd, sta, session_timeout); 1341 1342 sm->eap_if->aaaSuccess = TRUE; 1343 override_eapReq = 1; 1344 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1345 shared_secret_len); 1346 ieee802_1x_store_radius_class(hapd, sta, msg); 1347 ieee802_1x_update_sta_identity(hapd, sta, msg); 1348 if (sm->eap_if->eapKeyAvailable && 1349 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1350 session_timeout_set ? 1351 (int) session_timeout : -1, sm) == 0) { 1352 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1353 HOSTAPD_LEVEL_DEBUG, 1354 "Added PMKSA cache entry"); 1355 } 1356 break; 1357 case RADIUS_CODE_ACCESS_REJECT: 1358 sm->eap_if->aaaFail = TRUE; 1359 override_eapReq = 1; 1360 break; 1361 case RADIUS_CODE_ACCESS_CHALLENGE: 1362 sm->eap_if->aaaEapReq = TRUE; 1363 if (session_timeout_set) { 1364 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1365 sm->eap_if->aaaMethodTimeout = session_timeout; 1366 hostapd_logger(hapd, sm->addr, 1367 HOSTAPD_MODULE_IEEE8021X, 1368 HOSTAPD_LEVEL_DEBUG, 1369 "using EAP timeout of %d seconds (from " 1370 "RADIUS)", 1371 sm->eap_if->aaaMethodTimeout); 1372 } else { 1373 /* 1374 * Use dynamic retransmission behavior per EAP 1375 * specification. 1376 */ 1377 sm->eap_if->aaaMethodTimeout = 0; 1378 } 1379 break; 1380 } 1381 1382 ieee802_1x_decapsulate_radius(hapd, sta); 1383 if (override_eapReq) 1384 sm->eap_if->aaaEapReq = FALSE; 1385 1386 eapol_auth_step(sm); 1387 1388 return RADIUS_RX_QUEUED; 1389} 1390#endif /* CONFIG_NO_RADIUS */ 1391 1392 1393void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1394{ 1395 struct eapol_state_machine *sm = sta->eapol_sm; 1396 if (sm == NULL) 1397 return; 1398 1399 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1400 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1401 1402#ifndef CONFIG_NO_RADIUS 1403 radius_msg_free(sm->last_recv_radius); 1404 sm->last_recv_radius = NULL; 1405#endif /* CONFIG_NO_RADIUS */ 1406 1407 if (sm->eap_if->eapTimeout) { 1408 /* 1409 * Disconnect the STA since it did not reply to the last EAP 1410 * request and we cannot continue EAP processing (EAP-Failure 1411 * could only be sent if the EAP peer actually replied). 1412 */ 1413 sm->eap_if->portEnabled = FALSE; 1414 ap_sta_disconnect(hapd, sta, sta->addr, 1415 WLAN_REASON_PREV_AUTH_NOT_VALID); 1416 } 1417} 1418 1419 1420static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1421{ 1422 struct eapol_authenticator *eapol = hapd->eapol_auth; 1423 1424 if (hapd->conf->default_wep_key_len < 1) 1425 return 0; 1426 1427 os_free(eapol->default_wep_key); 1428 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1429 if (eapol->default_wep_key == NULL || 1430 random_get_bytes(eapol->default_wep_key, 1431 hapd->conf->default_wep_key_len)) { 1432 printf("Could not generate random WEP key.\n"); 1433 os_free(eapol->default_wep_key); 1434 eapol->default_wep_key = NULL; 1435 return -1; 1436 } 1437 1438 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1439 eapol->default_wep_key, 1440 hapd->conf->default_wep_key_len); 1441 1442 return 0; 1443} 1444 1445 1446static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1447 struct sta_info *sta, void *ctx) 1448{ 1449 if (sta->eapol_sm) { 1450 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1451 eapol_auth_step(sta->eapol_sm); 1452 } 1453 return 0; 1454} 1455 1456 1457static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1458{ 1459 struct hostapd_data *hapd = eloop_ctx; 1460 struct eapol_authenticator *eapol = hapd->eapol_auth; 1461 1462 if (eapol->default_wep_key_idx >= 3) 1463 eapol->default_wep_key_idx = 1464 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1465 else 1466 eapol->default_wep_key_idx++; 1467 1468 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1469 eapol->default_wep_key_idx); 1470 1471 if (ieee802_1x_rekey_broadcast(hapd)) { 1472 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1473 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1474 "new broadcast key"); 1475 os_free(eapol->default_wep_key); 1476 eapol->default_wep_key = NULL; 1477 return; 1478 } 1479 1480 /* TODO: Could setup key for RX here, but change default TX keyid only 1481 * after new broadcast key has been sent to all stations. */ 1482 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1483 broadcast_ether_addr, 1484 eapol->default_wep_key_idx, 1, NULL, 0, 1485 eapol->default_wep_key, 1486 hapd->conf->default_wep_key_len)) { 1487 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1488 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1489 "new broadcast key"); 1490 os_free(eapol->default_wep_key); 1491 eapol->default_wep_key = NULL; 1492 return; 1493 } 1494 1495 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1496 1497 if (hapd->conf->wep_rekeying_period > 0) { 1498 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1499 ieee802_1x_rekey, hapd, NULL); 1500 } 1501} 1502 1503 1504static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1505 const u8 *data, size_t datalen) 1506{ 1507#ifdef CONFIG_WPS 1508 struct sta_info *sta = sta_ctx; 1509 1510 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1511 WLAN_STA_MAYBE_WPS) { 1512 const u8 *identity; 1513 size_t identity_len; 1514 struct eapol_state_machine *sm = sta->eapol_sm; 1515 1516 identity = eap_get_identity(sm->eap, &identity_len); 1517 if (identity && 1518 ((identity_len == WSC_ID_ENROLLEE_LEN && 1519 os_memcmp(identity, WSC_ID_ENROLLEE, 1520 WSC_ID_ENROLLEE_LEN) == 0) || 1521 (identity_len == WSC_ID_REGISTRAR_LEN && 1522 os_memcmp(identity, WSC_ID_REGISTRAR, 1523 WSC_ID_REGISTRAR_LEN) == 0))) { 1524 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1525 "WLAN_STA_WPS"); 1526 sta->flags |= WLAN_STA_WPS; 1527 } 1528 } 1529#endif /* CONFIG_WPS */ 1530 1531 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1532} 1533 1534 1535static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1536 const u8 *data, size_t datalen) 1537{ 1538#ifndef CONFIG_NO_RADIUS 1539 struct hostapd_data *hapd = ctx; 1540 struct sta_info *sta = sta_ctx; 1541 1542 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1543#endif /* CONFIG_NO_RADIUS */ 1544} 1545 1546 1547static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1548 int preauth) 1549{ 1550 struct hostapd_data *hapd = ctx; 1551 struct sta_info *sta = sta_ctx; 1552 if (preauth) 1553 rsn_preauth_finished(hapd, sta, success); 1554 else 1555 ieee802_1x_finished(hapd, sta, success); 1556} 1557 1558 1559static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1560 size_t identity_len, int phase2, 1561 struct eap_user *user) 1562{ 1563 struct hostapd_data *hapd = ctx; 1564 const struct hostapd_eap_user *eap_user; 1565 int i, count; 1566 1567 eap_user = hostapd_get_eap_user(hapd->conf, identity, 1568 identity_len, phase2); 1569 if (eap_user == NULL) 1570 return -1; 1571 1572 os_memset(user, 0, sizeof(*user)); 1573 user->phase2 = phase2; 1574 count = EAP_USER_MAX_METHODS; 1575 if (count > EAP_MAX_METHODS) 1576 count = EAP_MAX_METHODS; 1577 for (i = 0; i < count; i++) { 1578 user->methods[i].vendor = eap_user->methods[i].vendor; 1579 user->methods[i].method = eap_user->methods[i].method; 1580 } 1581 1582 if (eap_user->password) { 1583 user->password = os_malloc(eap_user->password_len); 1584 if (user->password == NULL) 1585 return -1; 1586 os_memcpy(user->password, eap_user->password, 1587 eap_user->password_len); 1588 user->password_len = eap_user->password_len; 1589 } 1590 user->force_version = eap_user->force_version; 1591 user->ttls_auth = eap_user->ttls_auth; 1592 1593 return 0; 1594} 1595 1596 1597static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1598{ 1599 struct hostapd_data *hapd = ctx; 1600 struct sta_info *sta; 1601 sta = ap_get_sta(hapd, addr); 1602 if (sta == NULL || sta->eapol_sm == NULL) 1603 return 0; 1604 return 1; 1605} 1606 1607 1608static void ieee802_1x_logger(void *ctx, const u8 *addr, 1609 eapol_logger_level level, const char *txt) 1610{ 1611#ifndef CONFIG_NO_HOSTAPD_LOGGER 1612 struct hostapd_data *hapd = ctx; 1613 int hlevel; 1614 1615 switch (level) { 1616 case EAPOL_LOGGER_WARNING: 1617 hlevel = HOSTAPD_LEVEL_WARNING; 1618 break; 1619 case EAPOL_LOGGER_INFO: 1620 hlevel = HOSTAPD_LEVEL_INFO; 1621 break; 1622 case EAPOL_LOGGER_DEBUG: 1623 default: 1624 hlevel = HOSTAPD_LEVEL_DEBUG; 1625 break; 1626 } 1627 1628 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1629 txt); 1630#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1631} 1632 1633 1634static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1635 int authorized) 1636{ 1637 struct hostapd_data *hapd = ctx; 1638 struct sta_info *sta = sta_ctx; 1639 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1640} 1641 1642 1643static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1644{ 1645 struct hostapd_data *hapd = ctx; 1646 struct sta_info *sta = sta_ctx; 1647 ieee802_1x_abort_auth(hapd, sta); 1648} 1649 1650 1651static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1652{ 1653 struct hostapd_data *hapd = ctx; 1654 struct sta_info *sta = sta_ctx; 1655 ieee802_1x_tx_key(hapd, sta); 1656} 1657 1658 1659static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1660 enum eapol_event type) 1661{ 1662 /* struct hostapd_data *hapd = ctx; */ 1663 struct sta_info *sta = sta_ctx; 1664 switch (type) { 1665 case EAPOL_AUTH_SM_CHANGE: 1666 wpa_auth_sm_notify(sta->wpa_sm); 1667 break; 1668 case EAPOL_AUTH_REAUTHENTICATE: 1669 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1670 break; 1671 } 1672} 1673 1674 1675int ieee802_1x_init(struct hostapd_data *hapd) 1676{ 1677 int i; 1678 struct eapol_auth_config conf; 1679 struct eapol_auth_cb cb; 1680 1681 os_memset(&conf, 0, sizeof(conf)); 1682 conf.ctx = hapd; 1683 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1684 conf.wpa = hapd->conf->wpa; 1685 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1686 conf.eap_server = hapd->conf->eap_server; 1687 conf.ssl_ctx = hapd->ssl_ctx; 1688 conf.msg_ctx = hapd->msg_ctx; 1689 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1690 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1691 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1692 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1693 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1694 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1695 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1696 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1697 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1698 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1699 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1700 conf.tnc = hapd->conf->tnc; 1701 conf.wps = hapd->wps; 1702 conf.fragment_size = hapd->conf->fragment_size; 1703 conf.pwd_group = hapd->conf->pwd_group; 1704 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1705 1706 os_memset(&cb, 0, sizeof(cb)); 1707 cb.eapol_send = ieee802_1x_eapol_send; 1708 cb.aaa_send = ieee802_1x_aaa_send; 1709 cb.finished = _ieee802_1x_finished; 1710 cb.get_eap_user = ieee802_1x_get_eap_user; 1711 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1712 cb.logger = ieee802_1x_logger; 1713 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1714 cb.abort_auth = _ieee802_1x_abort_auth; 1715 cb.tx_key = _ieee802_1x_tx_key; 1716 cb.eapol_event = ieee802_1x_eapol_event; 1717 1718 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1719 if (hapd->eapol_auth == NULL) 1720 return -1; 1721 1722 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1723 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1724 return -1; 1725 1726#ifndef CONFIG_NO_RADIUS 1727 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1728 ieee802_1x_receive_auth, hapd)) 1729 return -1; 1730#endif /* CONFIG_NO_RADIUS */ 1731 1732 if (hapd->conf->default_wep_key_len) { 1733 for (i = 0; i < 4; i++) 1734 hostapd_drv_set_key(hapd->conf->iface, hapd, 1735 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1736 NULL, 0); 1737 1738 ieee802_1x_rekey(hapd, NULL); 1739 1740 if (hapd->eapol_auth->default_wep_key == NULL) 1741 return -1; 1742 } 1743 1744 return 0; 1745} 1746 1747 1748void ieee802_1x_deinit(struct hostapd_data *hapd) 1749{ 1750 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1751 1752 if (hapd->driver != NULL && 1753 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1754 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1755 1756 eapol_auth_deinit(hapd->eapol_auth); 1757 hapd->eapol_auth = NULL; 1758} 1759 1760 1761int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1762 const u8 *buf, size_t len, int ack) 1763{ 1764 struct ieee80211_hdr *hdr; 1765 struct ieee802_1x_hdr *xhdr; 1766 struct ieee802_1x_eapol_key *key; 1767 u8 *pos; 1768 const unsigned char rfc1042_hdr[ETH_ALEN] = 1769 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1770 1771 if (sta == NULL) 1772 return -1; 1773 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2 + sizeof(*xhdr)) 1774 return 0; 1775 1776 hdr = (struct ieee80211_hdr *) buf; 1777 pos = (u8 *) (hdr + 1); 1778 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1779 return 0; 1780 pos += sizeof(rfc1042_hdr); 1781 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1782 return 0; 1783 pos += 2; 1784 1785 xhdr = (struct ieee802_1x_hdr *) pos; 1786 pos += sizeof(*xhdr); 1787 1788 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1789 "type=%d length=%d - ack=%d", 1790 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1791 be_to_host16(xhdr->length), ack); 1792 1793 if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 1794 pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1795 const struct wpa_eapol_key *wpa; 1796 wpa = (const struct wpa_eapol_key *) pos; 1797 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1798 wpa->type == EAPOL_KEY_TYPE_WPA) 1799 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1800 sta->wpa_sm, ack); 1801 } 1802 1803 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1804 * or Authenticator state machines, but EAPOL-Key packets are not 1805 * retransmitted in case of failure. Try to re-sent failed EAPOL-Key 1806 * packets couple of times because otherwise STA keys become 1807 * unsynchronized with AP. */ 1808 if (xhdr->type == IEEE802_1X_TYPE_EAPOL_KEY && !ack && 1809 pos + sizeof(*key) <= buf + len) { 1810 key = (struct ieee802_1x_eapol_key *) pos; 1811 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1812 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1813 "frame (%scast index=%d)", 1814 key->key_index & BIT(7) ? "uni" : "broad", 1815 key->key_index & ~BIT(7)); 1816 /* TODO: re-send EAPOL-Key couple of times (with short delay 1817 * between them?). If all attempt fail, report error and 1818 * deauthenticate STA so that it will get new keys when 1819 * authenticating again (e.g., after returning in range). 1820 * Separate limit/transmit state needed both for unicast and 1821 * broadcast keys(?) */ 1822 } 1823 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1824 * to here and change the key only if the EAPOL-Key packet was Acked. 1825 */ 1826 1827 return 1; 1828} 1829 1830 1831u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1832{ 1833 if (sm == NULL || sm->identity == NULL) 1834 return NULL; 1835 1836 *len = sm->identity_len; 1837 return sm->identity; 1838} 1839 1840 1841u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1842 int idx) 1843{ 1844 if (sm == NULL || sm->radius_class.attr == NULL || 1845 idx >= (int) sm->radius_class.count) 1846 return NULL; 1847 1848 *len = sm->radius_class.attr[idx].len; 1849 return sm->radius_class.attr[idx].data; 1850} 1851 1852 1853const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 1854{ 1855 if (sm == NULL) 1856 return NULL; 1857 1858 *len = sm->eap_if->eapKeyDataLen; 1859 return sm->eap_if->eapKeyData; 1860} 1861 1862 1863void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 1864 int enabled) 1865{ 1866 if (sm == NULL) 1867 return; 1868 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 1869 eapol_auth_step(sm); 1870} 1871 1872 1873void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 1874 int valid) 1875{ 1876 if (sm == NULL) 1877 return; 1878 sm->portValid = valid ? TRUE : FALSE; 1879 eapol_auth_step(sm); 1880} 1881 1882 1883void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 1884{ 1885 if (sm == NULL) 1886 return; 1887 if (pre_auth) 1888 sm->flags |= EAPOL_SM_PREAUTH; 1889 else 1890 sm->flags &= ~EAPOL_SM_PREAUTH; 1891} 1892 1893 1894static const char * bool_txt(Boolean bool) 1895{ 1896 return bool ? "TRUE" : "FALSE"; 1897} 1898 1899 1900int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 1901{ 1902 /* TODO */ 1903 return 0; 1904} 1905 1906 1907int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 1908 char *buf, size_t buflen) 1909{ 1910 int len = 0, ret; 1911 struct eapol_state_machine *sm = sta->eapol_sm; 1912 1913 if (sm == NULL) 1914 return 0; 1915 1916 ret = os_snprintf(buf + len, buflen - len, 1917 "dot1xPaePortNumber=%d\n" 1918 "dot1xPaePortProtocolVersion=%d\n" 1919 "dot1xPaePortCapabilities=1\n" 1920 "dot1xPaePortInitialize=%d\n" 1921 "dot1xPaePortReauthenticate=FALSE\n", 1922 sta->aid, 1923 EAPOL_VERSION, 1924 sm->initialize); 1925 if (ret < 0 || (size_t) ret >= buflen - len) 1926 return len; 1927 len += ret; 1928 1929 /* dot1xAuthConfigTable */ 1930 ret = os_snprintf(buf + len, buflen - len, 1931 "dot1xAuthPaeState=%d\n" 1932 "dot1xAuthBackendAuthState=%d\n" 1933 "dot1xAuthAdminControlledDirections=%d\n" 1934 "dot1xAuthOperControlledDirections=%d\n" 1935 "dot1xAuthAuthControlledPortStatus=%d\n" 1936 "dot1xAuthAuthControlledPortControl=%d\n" 1937 "dot1xAuthQuietPeriod=%u\n" 1938 "dot1xAuthServerTimeout=%u\n" 1939 "dot1xAuthReAuthPeriod=%u\n" 1940 "dot1xAuthReAuthEnabled=%s\n" 1941 "dot1xAuthKeyTxEnabled=%s\n", 1942 sm->auth_pae_state + 1, 1943 sm->be_auth_state + 1, 1944 sm->adminControlledDirections, 1945 sm->operControlledDirections, 1946 sm->authPortStatus, 1947 sm->portControl, 1948 sm->quietPeriod, 1949 sm->serverTimeout, 1950 sm->reAuthPeriod, 1951 bool_txt(sm->reAuthEnabled), 1952 bool_txt(sm->keyTxEnabled)); 1953 if (ret < 0 || (size_t) ret >= buflen - len) 1954 return len; 1955 len += ret; 1956 1957 /* dot1xAuthStatsTable */ 1958 ret = os_snprintf(buf + len, buflen - len, 1959 "dot1xAuthEapolFramesRx=%u\n" 1960 "dot1xAuthEapolFramesTx=%u\n" 1961 "dot1xAuthEapolStartFramesRx=%u\n" 1962 "dot1xAuthEapolLogoffFramesRx=%u\n" 1963 "dot1xAuthEapolRespIdFramesRx=%u\n" 1964 "dot1xAuthEapolRespFramesRx=%u\n" 1965 "dot1xAuthEapolReqIdFramesTx=%u\n" 1966 "dot1xAuthEapolReqFramesTx=%u\n" 1967 "dot1xAuthInvalidEapolFramesRx=%u\n" 1968 "dot1xAuthEapLengthErrorFramesRx=%u\n" 1969 "dot1xAuthLastEapolFrameVersion=%u\n" 1970 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 1971 sm->dot1xAuthEapolFramesRx, 1972 sm->dot1xAuthEapolFramesTx, 1973 sm->dot1xAuthEapolStartFramesRx, 1974 sm->dot1xAuthEapolLogoffFramesRx, 1975 sm->dot1xAuthEapolRespIdFramesRx, 1976 sm->dot1xAuthEapolRespFramesRx, 1977 sm->dot1xAuthEapolReqIdFramesTx, 1978 sm->dot1xAuthEapolReqFramesTx, 1979 sm->dot1xAuthInvalidEapolFramesRx, 1980 sm->dot1xAuthEapLengthErrorFramesRx, 1981 sm->dot1xAuthLastEapolFrameVersion, 1982 MAC2STR(sm->addr)); 1983 if (ret < 0 || (size_t) ret >= buflen - len) 1984 return len; 1985 len += ret; 1986 1987 /* dot1xAuthDiagTable */ 1988 ret = os_snprintf(buf + len, buflen - len, 1989 "dot1xAuthEntersConnecting=%u\n" 1990 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 1991 "dot1xAuthEntersAuthenticating=%u\n" 1992 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 1993 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 1994 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 1995 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 1996 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 1997 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 1998 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 1999 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2000 "dot1xAuthBackendResponses=%u\n" 2001 "dot1xAuthBackendAccessChallenges=%u\n" 2002 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2003 "dot1xAuthBackendAuthSuccesses=%u\n" 2004 "dot1xAuthBackendAuthFails=%u\n", 2005 sm->authEntersConnecting, 2006 sm->authEapLogoffsWhileConnecting, 2007 sm->authEntersAuthenticating, 2008 sm->authAuthSuccessesWhileAuthenticating, 2009 sm->authAuthTimeoutsWhileAuthenticating, 2010 sm->authAuthFailWhileAuthenticating, 2011 sm->authAuthEapStartsWhileAuthenticating, 2012 sm->authAuthEapLogoffWhileAuthenticating, 2013 sm->authAuthReauthsWhileAuthenticated, 2014 sm->authAuthEapStartsWhileAuthenticated, 2015 sm->authAuthEapLogoffWhileAuthenticated, 2016 sm->backendResponses, 2017 sm->backendAccessChallenges, 2018 sm->backendOtherRequestsToSupplicant, 2019 sm->backendAuthSuccesses, 2020 sm->backendAuthFails); 2021 if (ret < 0 || (size_t) ret >= buflen - len) 2022 return len; 2023 len += ret; 2024 2025 /* dot1xAuthSessionStatsTable */ 2026 ret = os_snprintf(buf + len, buflen - len, 2027 /* TODO: dot1xAuthSessionOctetsRx */ 2028 /* TODO: dot1xAuthSessionOctetsTx */ 2029 /* TODO: dot1xAuthSessionFramesRx */ 2030 /* TODO: dot1xAuthSessionFramesTx */ 2031 "dot1xAuthSessionId=%08X-%08X\n" 2032 "dot1xAuthSessionAuthenticMethod=%d\n" 2033 "dot1xAuthSessionTime=%u\n" 2034 "dot1xAuthSessionTerminateCause=999\n" 2035 "dot1xAuthSessionUserName=%s\n", 2036 sta->acct_session_id_hi, sta->acct_session_id_lo, 2037 (wpa_key_mgmt_wpa_ieee8021x( 2038 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2039 1 : 2, 2040 (unsigned int) (time(NULL) - 2041 sta->acct_session_start), 2042 sm->identity); 2043 if (ret < 0 || (size_t) ret >= buflen - len) 2044 return len; 2045 len += ret; 2046 2047 return len; 2048} 2049 2050 2051static void ieee802_1x_finished(struct hostapd_data *hapd, 2052 struct sta_info *sta, int success) 2053{ 2054 const u8 *key; 2055 size_t len; 2056 /* TODO: get PMKLifetime from WPA parameters */ 2057 static const int dot11RSNAConfigPMKLifetime = 43200; 2058 2059 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2060 if (success && key && len >= PMK_LEN && 2061 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2062 sta->eapol_sm) == 0) { 2063 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2064 HOSTAPD_LEVEL_DEBUG, 2065 "Added PMKSA cache entry (IEEE 802.1X)"); 2066 } 2067 2068#ifdef CONFIG_WPS 2069 if (!success && (sta->flags & WLAN_STA_WPS)) { 2070 /* 2071 * Many devices require deauthentication after WPS provisioning 2072 * and some may not be be able to do that themselves, so 2073 * disconnect the client here. 2074 */ 2075 wpa_printf(MSG_DEBUG, "WPS: Force disconnection after " 2076 "EAP-Failure"); 2077 /* Add a small sleep to increase likelihood of previously 2078 * requested EAP-Failure TX getting out before this should the 2079 * driver reorder operations. 2080 */ 2081 os_sleep(0, 10000); 2082 ap_sta_disconnect(hapd, sta, sta->addr, 2083 WLAN_REASON_PREV_AUTH_NOT_VALID); 2084 } 2085#endif /* CONFIG_WPS */ 2086} 2087