ieee802_1x.c revision 4b06059785b935dd1f4f09314e4e12c417d2c6a4
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "crypto/md5.h" 14#include "crypto/crypto.h" 15#include "crypto/random.h" 16#include "common/ieee802_11_defs.h" 17#include "radius/radius.h" 18#include "radius/radius_client.h" 19#include "eap_server/eap.h" 20#include "eap_common/eap_wsc_common.h" 21#include "eapol_auth/eapol_auth_sm.h" 22#include "eapol_auth/eapol_auth_sm_i.h" 23#include "p2p/p2p.h" 24#include "hostapd.h" 25#include "accounting.h" 26#include "sta_info.h" 27#include "wpa_auth.h" 28#include "preauth_auth.h" 29#include "pmksa_cache_auth.h" 30#include "ap_config.h" 31#include "ap_drv_ops.h" 32#include "ieee802_1x.h" 33 34 35static void ieee802_1x_finished(struct hostapd_data *hapd, 36 struct sta_info *sta, int success); 37 38 39static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 40 u8 type, const u8 *data, size_t datalen) 41{ 42 u8 *buf; 43 struct ieee802_1x_hdr *xhdr; 44 size_t len; 45 int encrypt = 0; 46 47 len = sizeof(*xhdr) + datalen; 48 buf = os_zalloc(len); 49 if (buf == NULL) { 50 wpa_printf(MSG_ERROR, "malloc() failed for " 51 "ieee802_1x_send(len=%lu)", 52 (unsigned long) len); 53 return; 54 } 55 56 xhdr = (struct ieee802_1x_hdr *) buf; 57 xhdr->version = hapd->conf->eapol_version; 58 xhdr->type = type; 59 xhdr->length = host_to_be16(datalen); 60 61 if (datalen > 0 && data != NULL) 62 os_memcpy(xhdr + 1, data, datalen); 63 64 if (wpa_auth_pairwise_set(sta->wpa_sm)) 65 encrypt = 1; 66 if (sta->flags & WLAN_STA_PREAUTH) { 67 rsn_preauth_send(hapd, sta, buf, len); 68 } else { 69 hostapd_drv_hapd_send_eapol( 70 hapd, sta->addr, buf, len, 71 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 72 } 73 74 os_free(buf); 75} 76 77 78void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 79 struct sta_info *sta, int authorized) 80{ 81 int res; 82 83 if (sta->flags & WLAN_STA_PREAUTH) 84 return; 85 86 if (authorized) { 87 ap_sta_set_authorized(hapd, sta, 1); 88 res = hostapd_set_authorized(hapd, sta, 1); 89 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 90 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 91 } else { 92 ap_sta_set_authorized(hapd, sta, 0); 93 res = hostapd_set_authorized(hapd, sta, 0); 94 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 95 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 96 } 97 98 if (res && errno != ENOENT) { 99 printf("Could not set station " MACSTR " flags for kernel " 100 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 101 } 102 103 if (authorized) { 104 os_get_time(&sta->connected_time); 105 accounting_sta_start(hapd, sta); 106 } 107} 108 109 110static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 111 struct sta_info *sta, 112 int idx, int broadcast, 113 u8 *key_data, size_t key_len) 114{ 115 u8 *buf, *ekey; 116 struct ieee802_1x_hdr *hdr; 117 struct ieee802_1x_eapol_key *key; 118 size_t len, ekey_len; 119 struct eapol_state_machine *sm = sta->eapol_sm; 120 121 if (sm == NULL) 122 return; 123 124 len = sizeof(*key) + key_len; 125 buf = os_zalloc(sizeof(*hdr) + len); 126 if (buf == NULL) 127 return; 128 129 hdr = (struct ieee802_1x_hdr *) buf; 130 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 131 key->type = EAPOL_KEY_TYPE_RC4; 132 WPA_PUT_BE16(key->key_length, key_len); 133 wpa_get_ntp_timestamp(key->replay_counter); 134 135 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 136 wpa_printf(MSG_ERROR, "Could not get random numbers"); 137 os_free(buf); 138 return; 139 } 140 141 key->key_index = idx | (broadcast ? 0 : BIT(7)); 142 if (hapd->conf->eapol_key_index_workaround) { 143 /* According to some information, WinXP Supplicant seems to 144 * interpret bit7 as an indication whether the key is to be 145 * activated, so make it possible to enable workaround that 146 * sets this bit for all keys. */ 147 key->key_index |= BIT(7); 148 } 149 150 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 151 * MSK[32..63] is used to sign the message. */ 152 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 153 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 154 "and signing EAPOL-Key"); 155 os_free(buf); 156 return; 157 } 158 os_memcpy((u8 *) (key + 1), key_data, key_len); 159 ekey_len = sizeof(key->key_iv) + 32; 160 ekey = os_malloc(ekey_len); 161 if (ekey == NULL) { 162 wpa_printf(MSG_ERROR, "Could not encrypt key"); 163 os_free(buf); 164 return; 165 } 166 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 167 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 168 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 169 os_free(ekey); 170 171 /* This header is needed here for HMAC-MD5, but it will be regenerated 172 * in ieee802_1x_send() */ 173 hdr->version = hapd->conf->eapol_version; 174 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 175 hdr->length = host_to_be16(len); 176 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 177 key->key_signature); 178 179 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 180 " (%s index=%d)", MAC2STR(sm->addr), 181 broadcast ? "broadcast" : "unicast", idx); 182 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 183 if (sta->eapol_sm) 184 sta->eapol_sm->dot1xAuthEapolFramesTx++; 185 os_free(buf); 186} 187 188 189#ifndef CONFIG_NO_VLAN 190static struct hostapd_wep_keys * 191ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 192{ 193 struct hostapd_wep_keys *key; 194 195 key = os_zalloc(sizeof(*key)); 196 if (key == NULL) 197 return NULL; 198 199 key->default_len = hapd->conf->default_wep_key_len; 200 201 if (key->idx >= hapd->conf->broadcast_key_idx_max || 202 key->idx < hapd->conf->broadcast_key_idx_min) 203 key->idx = hapd->conf->broadcast_key_idx_min; 204 else 205 key->idx++; 206 207 if (!key->key[key->idx]) 208 key->key[key->idx] = os_malloc(key->default_len); 209 if (key->key[key->idx] == NULL || 210 random_get_bytes(key->key[key->idx], key->default_len)) { 211 printf("Could not generate random WEP key (dynamic VLAN).\n"); 212 os_free(key->key[key->idx]); 213 key->key[key->idx] = NULL; 214 os_free(key); 215 return NULL; 216 } 217 key->len[key->idx] = key->default_len; 218 219 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 220 ifname, key->idx); 221 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 222 key->key[key->idx], key->len[key->idx]); 223 224 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP, 225 broadcast_ether_addr, key->idx, 1, 226 NULL, 0, key->key[key->idx], 227 key->len[key->idx])) 228 printf("Could not set dynamic VLAN WEP encryption key.\n"); 229 230 hostapd_set_drv_ieee8021x(hapd, ifname, 1); 231 232 return key; 233} 234 235 236static struct hostapd_wep_keys * 237ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 238 size_t vlan_id) 239{ 240 const char *ifname; 241 242 if (vlan_id == 0) 243 return &ssid->wep; 244 245 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 246 ssid->dyn_vlan_keys[vlan_id]) 247 return ssid->dyn_vlan_keys[vlan_id]; 248 249 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 250 "state machine for VLAN ID %lu", 251 (unsigned long) vlan_id); 252 253 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 254 if (ifname == NULL) { 255 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 256 "cannot create group key state machine", 257 (unsigned long) vlan_id); 258 return NULL; 259 } 260 261 if (ssid->dyn_vlan_keys == NULL) { 262 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 263 ssid->dyn_vlan_keys = os_zalloc(size); 264 if (ssid->dyn_vlan_keys == NULL) 265 return NULL; 266 ssid->max_dyn_vlan_keys = vlan_id; 267 } 268 269 if (ssid->max_dyn_vlan_keys < vlan_id) { 270 struct hostapd_wep_keys **na; 271 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 272 na = os_realloc(ssid->dyn_vlan_keys, size); 273 if (na == NULL) 274 return NULL; 275 ssid->dyn_vlan_keys = na; 276 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 277 (vlan_id - ssid->max_dyn_vlan_keys) * 278 sizeof(ssid->dyn_vlan_keys[0])); 279 ssid->max_dyn_vlan_keys = vlan_id; 280 } 281 282 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 283 284 return ssid->dyn_vlan_keys[vlan_id]; 285} 286#endif /* CONFIG_NO_VLAN */ 287 288 289void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 290{ 291 struct eapol_authenticator *eapol = hapd->eapol_auth; 292 struct eapol_state_machine *sm = sta->eapol_sm; 293#ifndef CONFIG_NO_VLAN 294 struct hostapd_wep_keys *key = NULL; 295 int vlan_id; 296#endif /* CONFIG_NO_VLAN */ 297 298 if (sm == NULL || !sm->eap_if->eapKeyData) 299 return; 300 301 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 302 MAC2STR(sta->addr)); 303 304#ifndef CONFIG_NO_VLAN 305 vlan_id = sta->vlan_id; 306 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 307 vlan_id = 0; 308 309 if (vlan_id) { 310 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 311 if (key && key->key[key->idx]) 312 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 313 key->key[key->idx], 314 key->len[key->idx]); 315 } else 316#endif /* CONFIG_NO_VLAN */ 317 if (eapol->default_wep_key) { 318 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 319 eapol->default_wep_key, 320 hapd->conf->default_wep_key_len); 321 } 322 323 if (hapd->conf->individual_wep_key_len > 0) { 324 u8 *ikey; 325 ikey = os_malloc(hapd->conf->individual_wep_key_len); 326 if (ikey == NULL || 327 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 328 { 329 wpa_printf(MSG_ERROR, "Could not generate random " 330 "individual WEP key."); 331 os_free(ikey); 332 return; 333 } 334 335 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 336 ikey, hapd->conf->individual_wep_key_len); 337 338 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 339 hapd->conf->individual_wep_key_len); 340 341 /* TODO: set encryption in TX callback, i.e., only after STA 342 * has ACKed EAPOL-Key frame */ 343 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 344 sta->addr, 0, 1, NULL, 0, ikey, 345 hapd->conf->individual_wep_key_len)) { 346 wpa_printf(MSG_ERROR, "Could not set individual WEP " 347 "encryption."); 348 } 349 350 os_free(ikey); 351 } 352} 353 354 355const char *radius_mode_txt(struct hostapd_data *hapd) 356{ 357 switch (hapd->iface->conf->hw_mode) { 358 case HOSTAPD_MODE_IEEE80211AD: 359 return "802.11ad"; 360 case HOSTAPD_MODE_IEEE80211A: 361 return "802.11a"; 362 case HOSTAPD_MODE_IEEE80211G: 363 return "802.11g"; 364 case HOSTAPD_MODE_IEEE80211B: 365 default: 366 return "802.11b"; 367 } 368} 369 370 371int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 372{ 373 int i; 374 u8 rate = 0; 375 376 for (i = 0; i < sta->supported_rates_len; i++) 377 if ((sta->supported_rates[i] & 0x7f) > rate) 378 rate = sta->supported_rates[i] & 0x7f; 379 380 return rate; 381} 382 383 384#ifndef CONFIG_NO_RADIUS 385static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 386 struct eapol_state_machine *sm, 387 const u8 *eap, size_t len) 388{ 389 const u8 *identity; 390 size_t identity_len; 391 392 if (len <= sizeof(struct eap_hdr) || 393 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 394 return; 395 396 identity = eap_get_identity(sm->eap, &identity_len); 397 if (identity == NULL) 398 return; 399 400 /* Save station identity for future RADIUS packets */ 401 os_free(sm->identity); 402 sm->identity = (u8 *) dup_binstr(identity, identity_len); 403 if (sm->identity == NULL) { 404 sm->identity_len = 0; 405 return; 406 } 407 408 sm->identity_len = identity_len; 409 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 410 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 411 sm->dot1xAuthEapolRespIdFramesRx++; 412} 413 414 415static int add_common_radius_sta_attr(struct hostapd_data *hapd, 416 struct hostapd_radius_attr *req_attr, 417 struct sta_info *sta, 418 struct radius_msg *msg) 419{ 420 char buf[128]; 421 422 if (!hostapd_config_get_radius_attr(req_attr, 423 RADIUS_ATTR_NAS_PORT) && 424 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 425 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 426 return -1; 427 } 428 429 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 430 MAC2STR(sta->addr)); 431 buf[sizeof(buf) - 1] = '\0'; 432 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 433 (u8 *) buf, os_strlen(buf))) { 434 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 435 return -1; 436 } 437 438 if (sta->flags & WLAN_STA_PREAUTH) { 439 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 440 sizeof(buf)); 441 } else { 442 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 443 radius_sta_rate(hapd, sta) / 2, 444 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 445 radius_mode_txt(hapd)); 446 buf[sizeof(buf) - 1] = '\0'; 447 } 448 if (!hostapd_config_get_radius_attr(req_attr, 449 RADIUS_ATTR_CONNECT_INFO) && 450 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 451 (u8 *) buf, os_strlen(buf))) { 452 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 453 return -1; 454 } 455 456 if (sta->acct_session_id_hi || sta->acct_session_id_lo) { 457 os_snprintf(buf, sizeof(buf), "%08X-%08X", 458 sta->acct_session_id_hi, sta->acct_session_id_lo); 459 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 460 (u8 *) buf, os_strlen(buf))) { 461 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 462 return -1; 463 } 464 } 465 466 return 0; 467} 468 469 470int add_common_radius_attr(struct hostapd_data *hapd, 471 struct hostapd_radius_attr *req_attr, 472 struct sta_info *sta, 473 struct radius_msg *msg) 474{ 475 char buf[128]; 476 struct hostapd_radius_attr *attr; 477 478 if (!hostapd_config_get_radius_attr(req_attr, 479 RADIUS_ATTR_NAS_IP_ADDRESS) && 480 hapd->conf->own_ip_addr.af == AF_INET && 481 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 482 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 483 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 484 return -1; 485 } 486 487#ifdef CONFIG_IPV6 488 if (!hostapd_config_get_radius_attr(req_attr, 489 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 490 hapd->conf->own_ip_addr.af == AF_INET6 && 491 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 492 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 493 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 494 return -1; 495 } 496#endif /* CONFIG_IPV6 */ 497 498 if (!hostapd_config_get_radius_attr(req_attr, 499 RADIUS_ATTR_NAS_IDENTIFIER) && 500 hapd->conf->nas_identifier && 501 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 502 (u8 *) hapd->conf->nas_identifier, 503 os_strlen(hapd->conf->nas_identifier))) { 504 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 505 return -1; 506 } 507 508 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 509 MAC2STR(hapd->own_addr), 510 wpa_ssid_txt(hapd->conf->ssid.ssid, 511 hapd->conf->ssid.ssid_len)); 512 buf[sizeof(buf) - 1] = '\0'; 513 if (!hostapd_config_get_radius_attr(req_attr, 514 RADIUS_ATTR_CALLED_STATION_ID) && 515 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 516 (u8 *) buf, os_strlen(buf))) { 517 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 518 return -1; 519 } 520 521 if (!hostapd_config_get_radius_attr(req_attr, 522 RADIUS_ATTR_NAS_PORT_TYPE) && 523 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 524 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 525 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 526 return -1; 527 } 528 529 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 530 return -1; 531 532 for (attr = req_attr; attr; attr = attr->next) { 533 if (!radius_msg_add_attr(msg, attr->type, 534 wpabuf_head(attr->val), 535 wpabuf_len(attr->val))) { 536 wpa_printf(MSG_ERROR, "Could not add RADIUS " 537 "attribute"); 538 return -1; 539 } 540 } 541 542 return 0; 543} 544 545 546static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 547 struct sta_info *sta, 548 const u8 *eap, size_t len) 549{ 550 struct radius_msg *msg; 551 struct eapol_state_machine *sm = sta->eapol_sm; 552 553 if (sm == NULL) 554 return; 555 556 ieee802_1x_learn_identity(hapd, sm, eap, len); 557 558 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 559 "packet"); 560 561 sm->radius_identifier = radius_client_get_id(hapd->radius); 562 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 563 sm->radius_identifier); 564 if (msg == NULL) { 565 printf("Could not create net RADIUS packet\n"); 566 return; 567 } 568 569 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 570 571 if (sm->identity && 572 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 573 sm->identity, sm->identity_len)) { 574 printf("Could not add User-Name\n"); 575 goto fail; 576 } 577 578 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 579 msg) < 0) 580 goto fail; 581 582 /* TODO: should probably check MTU from driver config; 2304 is max for 583 * IEEE 802.11, but use 1400 to avoid problems with too large packets 584 */ 585 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 586 RADIUS_ATTR_FRAMED_MTU) && 587 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 588 printf("Could not add Framed-MTU\n"); 589 goto fail; 590 } 591 592 if (eap && !radius_msg_add_eap(msg, eap, len)) { 593 printf("Could not add EAP-Message\n"); 594 goto fail; 595 } 596 597 /* State attribute must be copied if and only if this packet is 598 * Access-Request reply to the previous Access-Challenge */ 599 if (sm->last_recv_radius && 600 radius_msg_get_hdr(sm->last_recv_radius)->code == 601 RADIUS_CODE_ACCESS_CHALLENGE) { 602 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 603 RADIUS_ATTR_STATE); 604 if (res < 0) { 605 printf("Could not copy State attribute from previous " 606 "Access-Challenge\n"); 607 goto fail; 608 } 609 if (res > 0) { 610 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 611 } 612 } 613 614 if (hapd->conf->radius_request_cui) { 615 const u8 *cui; 616 size_t cui_len; 617 /* Add previously learned CUI or nul CUI to request CUI */ 618 if (sm->radius_cui) { 619 cui = wpabuf_head(sm->radius_cui); 620 cui_len = wpabuf_len(sm->radius_cui); 621 } else { 622 cui = (const u8 *) "\0"; 623 cui_len = 1; 624 } 625 if (!radius_msg_add_attr(msg, 626 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 627 cui, cui_len)) { 628 wpa_printf(MSG_ERROR, "Could not add CUI"); 629 goto fail; 630 } 631 } 632 633 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 634 goto fail; 635 636 return; 637 638 fail: 639 radius_msg_free(msg); 640} 641#endif /* CONFIG_NO_RADIUS */ 642 643 644static void handle_eap_response(struct hostapd_data *hapd, 645 struct sta_info *sta, struct eap_hdr *eap, 646 size_t len) 647{ 648 u8 type, *data; 649 struct eapol_state_machine *sm = sta->eapol_sm; 650 if (sm == NULL) 651 return; 652 653 data = (u8 *) (eap + 1); 654 655 if (len < sizeof(*eap) + 1) { 656 printf("handle_eap_response: too short response data\n"); 657 return; 658 } 659 660 sm->eap_type_supp = type = data[0]; 661 662 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 663 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 664 "id=%d len=%d) from STA: EAP Response-%s (%d)", 665 eap->code, eap->identifier, be_to_host16(eap->length), 666 eap_server_get_name(0, type), type); 667 668 sm->dot1xAuthEapolRespFramesRx++; 669 670 wpabuf_free(sm->eap_if->eapRespData); 671 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 672 sm->eapolEap = TRUE; 673} 674 675 676/* Process incoming EAP packet from Supplicant */ 677static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 678 u8 *buf, size_t len) 679{ 680 struct eap_hdr *eap; 681 u16 eap_len; 682 683 if (len < sizeof(*eap)) { 684 printf(" too short EAP packet\n"); 685 return; 686 } 687 688 eap = (struct eap_hdr *) buf; 689 690 eap_len = be_to_host16(eap->length); 691 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 692 eap->code, eap->identifier, eap_len); 693 if (eap_len < sizeof(*eap)) { 694 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 695 return; 696 } else if (eap_len > len) { 697 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 698 "packet"); 699 return; 700 } else if (eap_len < len) { 701 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 702 "packet", (unsigned long) len - eap_len); 703 } 704 705 switch (eap->code) { 706 case EAP_CODE_REQUEST: 707 wpa_printf(MSG_DEBUG, " (request)"); 708 return; 709 case EAP_CODE_RESPONSE: 710 wpa_printf(MSG_DEBUG, " (response)"); 711 handle_eap_response(hapd, sta, eap, eap_len); 712 break; 713 case EAP_CODE_SUCCESS: 714 wpa_printf(MSG_DEBUG, " (success)"); 715 return; 716 case EAP_CODE_FAILURE: 717 wpa_printf(MSG_DEBUG, " (failure)"); 718 return; 719 default: 720 wpa_printf(MSG_DEBUG, " (unknown code)"); 721 return; 722 } 723} 724 725 726static struct eapol_state_machine * 727ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 728{ 729 int flags = 0; 730 if (sta->flags & WLAN_STA_PREAUTH) 731 flags |= EAPOL_SM_PREAUTH; 732 if (sta->wpa_sm) { 733 flags |= EAPOL_SM_USES_WPA; 734 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 735 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 736 } 737 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 738 sta->wps_ie, sta->p2p_ie, sta, 739 sta->identity, sta->radius_cui); 740} 741 742 743/** 744 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 745 * @hapd: hostapd BSS data 746 * @sa: Source address (sender of the EAPOL frame) 747 * @buf: EAPOL frame 748 * @len: Length of buf in octets 749 * 750 * This function is called for each incoming EAPOL frame from the interface 751 */ 752void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 753 size_t len) 754{ 755 struct sta_info *sta; 756 struct ieee802_1x_hdr *hdr; 757 struct ieee802_1x_eapol_key *key; 758 u16 datalen; 759 struct rsn_pmksa_cache_entry *pmksa; 760 int key_mgmt; 761 762 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 763 !hapd->conf->wps_state) 764 return; 765 766 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 767 (unsigned long) len, MAC2STR(sa)); 768 sta = ap_get_sta(hapd, sa); 769 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 770 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 771 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 772 "associated/Pre-authenticating STA"); 773 return; 774 } 775 776 if (len < sizeof(*hdr)) { 777 printf(" too short IEEE 802.1X packet\n"); 778 return; 779 } 780 781 hdr = (struct ieee802_1x_hdr *) buf; 782 datalen = be_to_host16(hdr->length); 783 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 784 hdr->version, hdr->type, datalen); 785 786 if (len - sizeof(*hdr) < datalen) { 787 printf(" frame too short for this IEEE 802.1X packet\n"); 788 if (sta->eapol_sm) 789 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 790 return; 791 } 792 if (len - sizeof(*hdr) > datalen) { 793 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 794 "IEEE 802.1X packet", 795 (unsigned long) len - sizeof(*hdr) - datalen); 796 } 797 798 if (sta->eapol_sm) { 799 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 800 sta->eapol_sm->dot1xAuthEapolFramesRx++; 801 } 802 803 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 804 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 805 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 806 (key->type == EAPOL_KEY_TYPE_WPA || 807 key->type == EAPOL_KEY_TYPE_RSN)) { 808 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 809 sizeof(*hdr) + datalen); 810 return; 811 } 812 813 if (!hapd->conf->ieee802_1x && 814 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 815 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 816 "802.1X not enabled and WPS not used"); 817 return; 818 } 819 820 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 821 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 822 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 823 "STA is using PSK"); 824 return; 825 } 826 827 if (!sta->eapol_sm) { 828 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 829 if (!sta->eapol_sm) 830 return; 831 832#ifdef CONFIG_WPS 833 if (!hapd->conf->ieee802_1x) { 834 u32 wflags = sta->flags & (WLAN_STA_WPS | 835 WLAN_STA_WPS2 | 836 WLAN_STA_MAYBE_WPS); 837 if (wflags == WLAN_STA_MAYBE_WPS || 838 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 839 /* 840 * Delay EAPOL frame transmission until a 841 * possible WPS STA initiates the handshake 842 * with EAPOL-Start. Only allow the wait to be 843 * skipped if the STA is known to support WPS 844 * 2.0. 845 */ 846 wpa_printf(MSG_DEBUG, "WPS: Do not start " 847 "EAPOL until EAPOL-Start is " 848 "received"); 849 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 850 } 851 } 852#endif /* CONFIG_WPS */ 853 854 sta->eapol_sm->eap_if->portEnabled = TRUE; 855 } 856 857 /* since we support version 1, we can ignore version field and proceed 858 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 859 /* TODO: actually, we are not version 1 anymore.. However, Version 2 860 * does not change frame contents, so should be ok to process frames 861 * more or less identically. Some changes might be needed for 862 * verification of fields. */ 863 864 switch (hdr->type) { 865 case IEEE802_1X_TYPE_EAP_PACKET: 866 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 867 break; 868 869 case IEEE802_1X_TYPE_EAPOL_START: 870 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 871 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 872 "from STA"); 873 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 874 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 875 if (pmksa) { 876 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 877 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 878 "available - ignore it since " 879 "STA sent EAPOL-Start"); 880 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 881 } 882 sta->eapol_sm->eapolStart = TRUE; 883 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 884 eap_server_clear_identity(sta->eapol_sm->eap); 885 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 886 break; 887 888 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 889 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 890 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 891 "from STA"); 892 sta->acct_terminate_cause = 893 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 894 accounting_sta_stop(hapd, sta); 895 sta->eapol_sm->eapolLogoff = TRUE; 896 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 897 eap_server_clear_identity(sta->eapol_sm->eap); 898 break; 899 900 case IEEE802_1X_TYPE_EAPOL_KEY: 901 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 902 if (!ap_sta_is_authorized(sta)) { 903 wpa_printf(MSG_DEBUG, " Dropped key data from " 904 "unauthorized Supplicant"); 905 break; 906 } 907 break; 908 909 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 910 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 911 /* TODO: implement support for this; show data */ 912 break; 913 914 default: 915 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 916 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 917 break; 918 } 919 920 eapol_auth_step(sta->eapol_sm); 921} 922 923 924/** 925 * ieee802_1x_new_station - Start IEEE 802.1X authentication 926 * @hapd: hostapd BSS data 927 * @sta: The station 928 * 929 * This function is called to start IEEE 802.1X authentication when a new 930 * station completes IEEE 802.11 association. 931 */ 932void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 933{ 934 struct rsn_pmksa_cache_entry *pmksa; 935 int reassoc = 1; 936 int force_1x = 0; 937 int key_mgmt; 938 939#ifdef CONFIG_WPS 940 if (hapd->conf->wps_state && hapd->conf->wpa && 941 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 942 /* 943 * Need to enable IEEE 802.1X/EAPOL state machines for possible 944 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 945 * authentication in this BSS. 946 */ 947 force_1x = 1; 948 } 949#endif /* CONFIG_WPS */ 950 951 if (!force_1x && !hapd->conf->ieee802_1x) { 952 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 953 "802.1X not enabled or forced for WPS"); 954 /* 955 * Clear any possible EAPOL authenticator state to support 956 * reassociation change from WPS to PSK. 957 */ 958 ieee802_1x_free_station(sta); 959 return; 960 } 961 962 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 963 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 964 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 965 /* 966 * Clear any possible EAPOL authenticator state to support 967 * reassociation change from WPA-EAP to PSK. 968 */ 969 ieee802_1x_free_station(sta); 970 return; 971 } 972 973 if (sta->eapol_sm == NULL) { 974 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 975 HOSTAPD_LEVEL_DEBUG, "start authentication"); 976 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 977 if (sta->eapol_sm == NULL) { 978 hostapd_logger(hapd, sta->addr, 979 HOSTAPD_MODULE_IEEE8021X, 980 HOSTAPD_LEVEL_INFO, 981 "failed to allocate state machine"); 982 return; 983 } 984 reassoc = 0; 985 } 986 987#ifdef CONFIG_WPS 988 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 989 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS2)) { 990 /* 991 * Delay EAPOL frame transmission until a possible WPS STA 992 * initiates the handshake with EAPOL-Start. Only allow the 993 * wait to be skipped if the STA is known to support WPS 2.0. 994 */ 995 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 996 "EAPOL-Start is received"); 997 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 998 } 999#endif /* CONFIG_WPS */ 1000 1001 sta->eapol_sm->eap_if->portEnabled = TRUE; 1002 1003#ifdef CONFIG_IEEE80211R 1004 if (sta->auth_alg == WLAN_AUTH_FT) { 1005 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1006 HOSTAPD_LEVEL_DEBUG, 1007 "PMK from FT - skip IEEE 802.1X/EAP"); 1008 /* Setup EAPOL state machines to already authenticated state 1009 * because of existing FT information from R0KH. */ 1010 sta->eapol_sm->keyRun = TRUE; 1011 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1012 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1013 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1014 sta->eapol_sm->authSuccess = TRUE; 1015 sta->eapol_sm->authFail = FALSE; 1016 if (sta->eapol_sm->eap) 1017 eap_sm_notify_cached(sta->eapol_sm->eap); 1018 /* TODO: get vlan_id from R0KH using RRB message */ 1019 return; 1020 } 1021#endif /* CONFIG_IEEE80211R */ 1022 1023 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1024 if (pmksa) { 1025 int old_vlanid; 1026 1027 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1028 HOSTAPD_LEVEL_DEBUG, 1029 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1030 /* Setup EAPOL state machines to already authenticated state 1031 * because of existing PMKSA information in the cache. */ 1032 sta->eapol_sm->keyRun = TRUE; 1033 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1034 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1035 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1036 sta->eapol_sm->authSuccess = TRUE; 1037 sta->eapol_sm->authFail = FALSE; 1038 if (sta->eapol_sm->eap) 1039 eap_sm_notify_cached(sta->eapol_sm->eap); 1040 old_vlanid = sta->vlan_id; 1041 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 1042 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1043 sta->vlan_id = 0; 1044 ap_sta_bind_vlan(hapd, sta, old_vlanid); 1045 } else { 1046 if (reassoc) { 1047 /* 1048 * Force EAPOL state machines to start 1049 * re-authentication without having to wait for the 1050 * Supplicant to send EAPOL-Start. 1051 */ 1052 sta->eapol_sm->reAuthenticate = TRUE; 1053 } 1054 eapol_auth_step(sta->eapol_sm); 1055 } 1056} 1057 1058 1059void ieee802_1x_free_station(struct sta_info *sta) 1060{ 1061 struct eapol_state_machine *sm = sta->eapol_sm; 1062 1063 if (sm == NULL) 1064 return; 1065 1066 sta->eapol_sm = NULL; 1067 1068#ifndef CONFIG_NO_RADIUS 1069 radius_msg_free(sm->last_recv_radius); 1070 radius_free_class(&sm->radius_class); 1071 wpabuf_free(sm->radius_cui); 1072#endif /* CONFIG_NO_RADIUS */ 1073 1074 os_free(sm->identity); 1075 eapol_auth_free(sm); 1076} 1077 1078 1079#ifndef CONFIG_NO_RADIUS 1080static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1081 struct sta_info *sta) 1082{ 1083 struct wpabuf *eap; 1084 const struct eap_hdr *hdr; 1085 int eap_type = -1; 1086 char buf[64]; 1087 struct radius_msg *msg; 1088 struct eapol_state_machine *sm = sta->eapol_sm; 1089 1090 if (sm == NULL || sm->last_recv_radius == NULL) { 1091 if (sm) 1092 sm->eap_if->aaaEapNoReq = TRUE; 1093 return; 1094 } 1095 1096 msg = sm->last_recv_radius; 1097 1098 eap = radius_msg_get_eap(msg); 1099 if (eap == NULL) { 1100 /* RFC 3579, Chap. 2.6.3: 1101 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1102 * attribute */ 1103 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1104 HOSTAPD_LEVEL_WARNING, "could not extract " 1105 "EAP-Message from RADIUS message"); 1106 sm->eap_if->aaaEapNoReq = TRUE; 1107 return; 1108 } 1109 1110 if (wpabuf_len(eap) < sizeof(*hdr)) { 1111 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1112 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1113 "received from authentication server"); 1114 wpabuf_free(eap); 1115 sm->eap_if->aaaEapNoReq = TRUE; 1116 return; 1117 } 1118 1119 if (wpabuf_len(eap) > sizeof(*hdr)) 1120 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1121 1122 hdr = wpabuf_head(eap); 1123 switch (hdr->code) { 1124 case EAP_CODE_REQUEST: 1125 if (eap_type >= 0) 1126 sm->eap_type_authsrv = eap_type; 1127 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1128 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1129 "??", 1130 eap_type); 1131 break; 1132 case EAP_CODE_RESPONSE: 1133 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1134 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1135 "??", 1136 eap_type); 1137 break; 1138 case EAP_CODE_SUCCESS: 1139 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1140 break; 1141 case EAP_CODE_FAILURE: 1142 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1143 break; 1144 default: 1145 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1146 break; 1147 } 1148 buf[sizeof(buf) - 1] = '\0'; 1149 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1150 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1151 "id=%d len=%d) from RADIUS server: %s", 1152 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1153 buf); 1154 sm->eap_if->aaaEapReq = TRUE; 1155 1156 wpabuf_free(sm->eap_if->aaaEapReqData); 1157 sm->eap_if->aaaEapReqData = eap; 1158} 1159 1160 1161static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1162 struct sta_info *sta, struct radius_msg *msg, 1163 struct radius_msg *req, 1164 const u8 *shared_secret, 1165 size_t shared_secret_len) 1166{ 1167 struct radius_ms_mppe_keys *keys; 1168 struct eapol_state_machine *sm = sta->eapol_sm; 1169 if (sm == NULL) 1170 return; 1171 1172 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1173 shared_secret_len); 1174 1175 if (keys && keys->send && keys->recv) { 1176 size_t len = keys->send_len + keys->recv_len; 1177 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1178 keys->send, keys->send_len); 1179 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1180 keys->recv, keys->recv_len); 1181 1182 os_free(sm->eap_if->aaaEapKeyData); 1183 sm->eap_if->aaaEapKeyData = os_malloc(len); 1184 if (sm->eap_if->aaaEapKeyData) { 1185 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1186 keys->recv_len); 1187 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1188 keys->send, keys->send_len); 1189 sm->eap_if->aaaEapKeyDataLen = len; 1190 sm->eap_if->aaaEapKeyAvailable = TRUE; 1191 } 1192 } 1193 1194 if (keys) { 1195 os_free(keys->send); 1196 os_free(keys->recv); 1197 os_free(keys); 1198 } 1199} 1200 1201 1202static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1203 struct sta_info *sta, 1204 struct radius_msg *msg) 1205{ 1206 u8 *class; 1207 size_t class_len; 1208 struct eapol_state_machine *sm = sta->eapol_sm; 1209 int count, i; 1210 struct radius_attr_data *nclass; 1211 size_t nclass_count; 1212 1213 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1214 sm == NULL) 1215 return; 1216 1217 radius_free_class(&sm->radius_class); 1218 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1219 if (count <= 0) 1220 return; 1221 1222 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1223 if (nclass == NULL) 1224 return; 1225 1226 nclass_count = 0; 1227 1228 class = NULL; 1229 for (i = 0; i < count; i++) { 1230 do { 1231 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1232 &class, &class_len, 1233 class) < 0) { 1234 i = count; 1235 break; 1236 } 1237 } while (class_len < 1); 1238 1239 nclass[nclass_count].data = os_malloc(class_len); 1240 if (nclass[nclass_count].data == NULL) 1241 break; 1242 1243 os_memcpy(nclass[nclass_count].data, class, class_len); 1244 nclass[nclass_count].len = class_len; 1245 nclass_count++; 1246 } 1247 1248 sm->radius_class.attr = nclass; 1249 sm->radius_class.count = nclass_count; 1250 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1251 "attributes for " MACSTR, 1252 (unsigned long) sm->radius_class.count, 1253 MAC2STR(sta->addr)); 1254} 1255 1256 1257/* Update sta->identity based on User-Name attribute in Access-Accept */ 1258static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1259 struct sta_info *sta, 1260 struct radius_msg *msg) 1261{ 1262 u8 *buf, *identity; 1263 size_t len; 1264 struct eapol_state_machine *sm = sta->eapol_sm; 1265 1266 if (sm == NULL) 1267 return; 1268 1269 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1270 NULL) < 0) 1271 return; 1272 1273 identity = (u8 *) dup_binstr(buf, len); 1274 if (identity == NULL) 1275 return; 1276 1277 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1278 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1279 "User-Name from Access-Accept '%s'", 1280 sm->identity ? (char *) sm->identity : "N/A", 1281 (char *) identity); 1282 1283 os_free(sm->identity); 1284 sm->identity = identity; 1285 sm->identity_len = len; 1286} 1287 1288 1289/* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1290static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1291 struct sta_info *sta, 1292 struct radius_msg *msg) 1293{ 1294 struct eapol_state_machine *sm = sta->eapol_sm; 1295 struct wpabuf *cui; 1296 u8 *buf; 1297 size_t len; 1298 1299 if (sm == NULL) 1300 return; 1301 1302 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1303 &buf, &len, NULL) < 0) 1304 return; 1305 1306 cui = wpabuf_alloc_copy(buf, len); 1307 if (cui == NULL) 1308 return; 1309 1310 wpabuf_free(sm->radius_cui); 1311 sm->radius_cui = cui; 1312} 1313 1314 1315struct sta_id_search { 1316 u8 identifier; 1317 struct eapol_state_machine *sm; 1318}; 1319 1320 1321static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1322 struct sta_info *sta, 1323 void *ctx) 1324{ 1325 struct sta_id_search *id_search = ctx; 1326 struct eapol_state_machine *sm = sta->eapol_sm; 1327 1328 if (sm && sm->radius_identifier >= 0 && 1329 sm->radius_identifier == id_search->identifier) { 1330 id_search->sm = sm; 1331 return 1; 1332 } 1333 return 0; 1334} 1335 1336 1337static struct eapol_state_machine * 1338ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1339{ 1340 struct sta_id_search id_search; 1341 id_search.identifier = identifier; 1342 id_search.sm = NULL; 1343 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1344 return id_search.sm; 1345} 1346 1347 1348/** 1349 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1350 * @msg: RADIUS response message 1351 * @req: RADIUS request message 1352 * @shared_secret: RADIUS shared secret 1353 * @shared_secret_len: Length of shared_secret in octets 1354 * @data: Context data (struct hostapd_data *) 1355 * Returns: Processing status 1356 */ 1357static RadiusRxResult 1358ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1359 const u8 *shared_secret, size_t shared_secret_len, 1360 void *data) 1361{ 1362 struct hostapd_data *hapd = data; 1363 struct sta_info *sta; 1364 u32 session_timeout = 0, termination_action, acct_interim_interval; 1365 int session_timeout_set, old_vlanid = 0; 1366 struct eapol_state_machine *sm; 1367 int override_eapReq = 0; 1368 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1369 1370 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1371 if (sm == NULL) { 1372 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1373 "station for this RADIUS message"); 1374 return RADIUS_RX_UNKNOWN; 1375 } 1376 sta = sm->sta; 1377 1378 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1379 * present when packet contains an EAP-Message attribute */ 1380 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1381 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1382 0) < 0 && 1383 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1384 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1385 "Message-Authenticator since it does not include " 1386 "EAP-Message"); 1387 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1388 req, 1)) { 1389 printf("Incoming RADIUS packet did not have correct " 1390 "Message-Authenticator - dropped\n"); 1391 return RADIUS_RX_INVALID_AUTHENTICATOR; 1392 } 1393 1394 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1395 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1396 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1397 printf("Unknown RADIUS message code\n"); 1398 return RADIUS_RX_UNKNOWN; 1399 } 1400 1401 sm->radius_identifier = -1; 1402 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1403 MAC2STR(sta->addr)); 1404 1405 radius_msg_free(sm->last_recv_radius); 1406 sm->last_recv_radius = msg; 1407 1408 session_timeout_set = 1409 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1410 &session_timeout); 1411 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1412 &termination_action)) 1413 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1414 1415 if (hapd->conf->acct_interim_interval == 0 && 1416 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1417 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1418 &acct_interim_interval) == 0) { 1419 if (acct_interim_interval < 60) { 1420 hostapd_logger(hapd, sta->addr, 1421 HOSTAPD_MODULE_IEEE8021X, 1422 HOSTAPD_LEVEL_INFO, 1423 "ignored too small " 1424 "Acct-Interim-Interval %d", 1425 acct_interim_interval); 1426 } else 1427 sta->acct_interim_interval = acct_interim_interval; 1428 } 1429 1430 1431 switch (hdr->code) { 1432 case RADIUS_CODE_ACCESS_ACCEPT: 1433 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1434 sta->vlan_id = 0; 1435#ifndef CONFIG_NO_VLAN 1436 else { 1437 old_vlanid = sta->vlan_id; 1438 sta->vlan_id = radius_msg_get_vlanid(msg); 1439 } 1440 if (sta->vlan_id > 0 && 1441 hostapd_get_vlan_id_ifname(hapd->conf->vlan, 1442 sta->vlan_id)) { 1443 hostapd_logger(hapd, sta->addr, 1444 HOSTAPD_MODULE_RADIUS, 1445 HOSTAPD_LEVEL_INFO, 1446 "VLAN ID %d", sta->vlan_id); 1447 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1448 sta->eapol_sm->authFail = TRUE; 1449 hostapd_logger(hapd, sta->addr, 1450 HOSTAPD_MODULE_IEEE8021X, 1451 HOSTAPD_LEVEL_INFO, "authentication " 1452 "server did not include required VLAN " 1453 "ID in Access-Accept"); 1454 break; 1455 } 1456#endif /* CONFIG_NO_VLAN */ 1457 1458 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1459 break; 1460 1461 /* RFC 3580, Ch. 3.17 */ 1462 if (session_timeout_set && termination_action == 1463 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1464 sm->reAuthPeriod = session_timeout; 1465 } else if (session_timeout_set) 1466 ap_sta_session_timeout(hapd, sta, session_timeout); 1467 1468 sm->eap_if->aaaSuccess = TRUE; 1469 override_eapReq = 1; 1470 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1471 shared_secret_len); 1472 ieee802_1x_store_radius_class(hapd, sta, msg); 1473 ieee802_1x_update_sta_identity(hapd, sta, msg); 1474 ieee802_1x_update_sta_cui(hapd, sta, msg); 1475 if (sm->eap_if->eapKeyAvailable && 1476 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1477 session_timeout_set ? 1478 (int) session_timeout : -1, sm) == 0) { 1479 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1480 HOSTAPD_LEVEL_DEBUG, 1481 "Added PMKSA cache entry"); 1482 } 1483 break; 1484 case RADIUS_CODE_ACCESS_REJECT: 1485 sm->eap_if->aaaFail = TRUE; 1486 override_eapReq = 1; 1487 break; 1488 case RADIUS_CODE_ACCESS_CHALLENGE: 1489 sm->eap_if->aaaEapReq = TRUE; 1490 if (session_timeout_set) { 1491 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1492 sm->eap_if->aaaMethodTimeout = session_timeout; 1493 hostapd_logger(hapd, sm->addr, 1494 HOSTAPD_MODULE_IEEE8021X, 1495 HOSTAPD_LEVEL_DEBUG, 1496 "using EAP timeout of %d seconds (from " 1497 "RADIUS)", 1498 sm->eap_if->aaaMethodTimeout); 1499 } else { 1500 /* 1501 * Use dynamic retransmission behavior per EAP 1502 * specification. 1503 */ 1504 sm->eap_if->aaaMethodTimeout = 0; 1505 } 1506 break; 1507 } 1508 1509 ieee802_1x_decapsulate_radius(hapd, sta); 1510 if (override_eapReq) 1511 sm->eap_if->aaaEapReq = FALSE; 1512 1513 eapol_auth_step(sm); 1514 1515 return RADIUS_RX_QUEUED; 1516} 1517#endif /* CONFIG_NO_RADIUS */ 1518 1519 1520void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1521{ 1522 struct eapol_state_machine *sm = sta->eapol_sm; 1523 if (sm == NULL) 1524 return; 1525 1526 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1527 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1528 1529#ifndef CONFIG_NO_RADIUS 1530 radius_msg_free(sm->last_recv_radius); 1531 sm->last_recv_radius = NULL; 1532#endif /* CONFIG_NO_RADIUS */ 1533 1534 if (sm->eap_if->eapTimeout) { 1535 /* 1536 * Disconnect the STA since it did not reply to the last EAP 1537 * request and we cannot continue EAP processing (EAP-Failure 1538 * could only be sent if the EAP peer actually replied). 1539 */ 1540 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1541 MAC2STR(sta->addr)); 1542 1543 sm->eap_if->portEnabled = FALSE; 1544 ap_sta_disconnect(hapd, sta, sta->addr, 1545 WLAN_REASON_PREV_AUTH_NOT_VALID); 1546 } 1547} 1548 1549 1550static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1551{ 1552 struct eapol_authenticator *eapol = hapd->eapol_auth; 1553 1554 if (hapd->conf->default_wep_key_len < 1) 1555 return 0; 1556 1557 os_free(eapol->default_wep_key); 1558 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1559 if (eapol->default_wep_key == NULL || 1560 random_get_bytes(eapol->default_wep_key, 1561 hapd->conf->default_wep_key_len)) { 1562 printf("Could not generate random WEP key.\n"); 1563 os_free(eapol->default_wep_key); 1564 eapol->default_wep_key = NULL; 1565 return -1; 1566 } 1567 1568 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1569 eapol->default_wep_key, 1570 hapd->conf->default_wep_key_len); 1571 1572 return 0; 1573} 1574 1575 1576static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1577 struct sta_info *sta, void *ctx) 1578{ 1579 if (sta->eapol_sm) { 1580 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1581 eapol_auth_step(sta->eapol_sm); 1582 } 1583 return 0; 1584} 1585 1586 1587static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1588{ 1589 struct hostapd_data *hapd = eloop_ctx; 1590 struct eapol_authenticator *eapol = hapd->eapol_auth; 1591 1592 if (eapol->default_wep_key_idx >= 3) 1593 eapol->default_wep_key_idx = 1594 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1595 else 1596 eapol->default_wep_key_idx++; 1597 1598 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1599 eapol->default_wep_key_idx); 1600 1601 if (ieee802_1x_rekey_broadcast(hapd)) { 1602 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1603 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1604 "new broadcast key"); 1605 os_free(eapol->default_wep_key); 1606 eapol->default_wep_key = NULL; 1607 return; 1608 } 1609 1610 /* TODO: Could setup key for RX here, but change default TX keyid only 1611 * after new broadcast key has been sent to all stations. */ 1612 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1613 broadcast_ether_addr, 1614 eapol->default_wep_key_idx, 1, NULL, 0, 1615 eapol->default_wep_key, 1616 hapd->conf->default_wep_key_len)) { 1617 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1618 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1619 "new broadcast key"); 1620 os_free(eapol->default_wep_key); 1621 eapol->default_wep_key = NULL; 1622 return; 1623 } 1624 1625 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1626 1627 if (hapd->conf->wep_rekeying_period > 0) { 1628 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1629 ieee802_1x_rekey, hapd, NULL); 1630 } 1631} 1632 1633 1634static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1635 const u8 *data, size_t datalen) 1636{ 1637#ifdef CONFIG_WPS 1638 struct sta_info *sta = sta_ctx; 1639 1640 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1641 WLAN_STA_MAYBE_WPS) { 1642 const u8 *identity; 1643 size_t identity_len; 1644 struct eapol_state_machine *sm = sta->eapol_sm; 1645 1646 identity = eap_get_identity(sm->eap, &identity_len); 1647 if (identity && 1648 ((identity_len == WSC_ID_ENROLLEE_LEN && 1649 os_memcmp(identity, WSC_ID_ENROLLEE, 1650 WSC_ID_ENROLLEE_LEN) == 0) || 1651 (identity_len == WSC_ID_REGISTRAR_LEN && 1652 os_memcmp(identity, WSC_ID_REGISTRAR, 1653 WSC_ID_REGISTRAR_LEN) == 0))) { 1654 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1655 "WLAN_STA_WPS"); 1656 sta->flags |= WLAN_STA_WPS; 1657 } 1658 } 1659#endif /* CONFIG_WPS */ 1660 1661 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1662} 1663 1664 1665static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1666 const u8 *data, size_t datalen) 1667{ 1668#ifndef CONFIG_NO_RADIUS 1669 struct hostapd_data *hapd = ctx; 1670 struct sta_info *sta = sta_ctx; 1671 1672 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1673#endif /* CONFIG_NO_RADIUS */ 1674} 1675 1676 1677static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1678 int preauth) 1679{ 1680 struct hostapd_data *hapd = ctx; 1681 struct sta_info *sta = sta_ctx; 1682 if (preauth) 1683 rsn_preauth_finished(hapd, sta, success); 1684 else 1685 ieee802_1x_finished(hapd, sta, success); 1686} 1687 1688 1689static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1690 size_t identity_len, int phase2, 1691 struct eap_user *user) 1692{ 1693 struct hostapd_data *hapd = ctx; 1694 const struct hostapd_eap_user *eap_user; 1695 int i; 1696 1697 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 1698 if (eap_user == NULL) 1699 return -1; 1700 1701 os_memset(user, 0, sizeof(*user)); 1702 user->phase2 = phase2; 1703 for (i = 0; i < EAP_MAX_METHODS; i++) { 1704 user->methods[i].vendor = eap_user->methods[i].vendor; 1705 user->methods[i].method = eap_user->methods[i].method; 1706 } 1707 1708 if (eap_user->password) { 1709 user->password = os_malloc(eap_user->password_len); 1710 if (user->password == NULL) 1711 return -1; 1712 os_memcpy(user->password, eap_user->password, 1713 eap_user->password_len); 1714 user->password_len = eap_user->password_len; 1715 user->password_hash = eap_user->password_hash; 1716 } 1717 user->force_version = eap_user->force_version; 1718 user->ttls_auth = eap_user->ttls_auth; 1719 1720 return 0; 1721} 1722 1723 1724static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1725{ 1726 struct hostapd_data *hapd = ctx; 1727 struct sta_info *sta; 1728 sta = ap_get_sta(hapd, addr); 1729 if (sta == NULL || sta->eapol_sm == NULL) 1730 return 0; 1731 return 1; 1732} 1733 1734 1735static void ieee802_1x_logger(void *ctx, const u8 *addr, 1736 eapol_logger_level level, const char *txt) 1737{ 1738#ifndef CONFIG_NO_HOSTAPD_LOGGER 1739 struct hostapd_data *hapd = ctx; 1740 int hlevel; 1741 1742 switch (level) { 1743 case EAPOL_LOGGER_WARNING: 1744 hlevel = HOSTAPD_LEVEL_WARNING; 1745 break; 1746 case EAPOL_LOGGER_INFO: 1747 hlevel = HOSTAPD_LEVEL_INFO; 1748 break; 1749 case EAPOL_LOGGER_DEBUG: 1750 default: 1751 hlevel = HOSTAPD_LEVEL_DEBUG; 1752 break; 1753 } 1754 1755 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1756 txt); 1757#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1758} 1759 1760 1761static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1762 int authorized) 1763{ 1764 struct hostapd_data *hapd = ctx; 1765 struct sta_info *sta = sta_ctx; 1766 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1767} 1768 1769 1770static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1771{ 1772 struct hostapd_data *hapd = ctx; 1773 struct sta_info *sta = sta_ctx; 1774 ieee802_1x_abort_auth(hapd, sta); 1775} 1776 1777 1778static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1779{ 1780 struct hostapd_data *hapd = ctx; 1781 struct sta_info *sta = sta_ctx; 1782 ieee802_1x_tx_key(hapd, sta); 1783} 1784 1785 1786static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1787 enum eapol_event type) 1788{ 1789 /* struct hostapd_data *hapd = ctx; */ 1790 struct sta_info *sta = sta_ctx; 1791 switch (type) { 1792 case EAPOL_AUTH_SM_CHANGE: 1793 wpa_auth_sm_notify(sta->wpa_sm); 1794 break; 1795 case EAPOL_AUTH_REAUTHENTICATE: 1796 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1797 break; 1798 } 1799} 1800 1801 1802int ieee802_1x_init(struct hostapd_data *hapd) 1803{ 1804 int i; 1805 struct eapol_auth_config conf; 1806 struct eapol_auth_cb cb; 1807 1808 os_memset(&conf, 0, sizeof(conf)); 1809 conf.ctx = hapd; 1810 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1811 conf.wpa = hapd->conf->wpa; 1812 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1813 conf.eap_server = hapd->conf->eap_server; 1814 conf.ssl_ctx = hapd->ssl_ctx; 1815 conf.msg_ctx = hapd->msg_ctx; 1816 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1817 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1818 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1819 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1820 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1821 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1822 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1823 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1824 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1825 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1826 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1827 conf.tnc = hapd->conf->tnc; 1828 conf.wps = hapd->wps; 1829 conf.fragment_size = hapd->conf->fragment_size; 1830 conf.pwd_group = hapd->conf->pwd_group; 1831 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1832 1833 os_memset(&cb, 0, sizeof(cb)); 1834 cb.eapol_send = ieee802_1x_eapol_send; 1835 cb.aaa_send = ieee802_1x_aaa_send; 1836 cb.finished = _ieee802_1x_finished; 1837 cb.get_eap_user = ieee802_1x_get_eap_user; 1838 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1839 cb.logger = ieee802_1x_logger; 1840 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1841 cb.abort_auth = _ieee802_1x_abort_auth; 1842 cb.tx_key = _ieee802_1x_tx_key; 1843 cb.eapol_event = ieee802_1x_eapol_event; 1844 1845 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1846 if (hapd->eapol_auth == NULL) 1847 return -1; 1848 1849 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1850 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1851 return -1; 1852 1853#ifndef CONFIG_NO_RADIUS 1854 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1855 ieee802_1x_receive_auth, hapd)) 1856 return -1; 1857#endif /* CONFIG_NO_RADIUS */ 1858 1859 if (hapd->conf->default_wep_key_len) { 1860 for (i = 0; i < 4; i++) 1861 hostapd_drv_set_key(hapd->conf->iface, hapd, 1862 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1863 NULL, 0); 1864 1865 ieee802_1x_rekey(hapd, NULL); 1866 1867 if (hapd->eapol_auth->default_wep_key == NULL) 1868 return -1; 1869 } 1870 1871 return 0; 1872} 1873 1874 1875void ieee802_1x_deinit(struct hostapd_data *hapd) 1876{ 1877 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1878 1879 if (hapd->driver != NULL && 1880 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1881 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1882 1883 eapol_auth_deinit(hapd->eapol_auth); 1884 hapd->eapol_auth = NULL; 1885} 1886 1887 1888int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1889 const u8 *buf, size_t len, int ack) 1890{ 1891 struct ieee80211_hdr *hdr; 1892 u8 *pos; 1893 const unsigned char rfc1042_hdr[ETH_ALEN] = 1894 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1895 1896 if (sta == NULL) 1897 return -1; 1898 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 1899 return 0; 1900 1901 hdr = (struct ieee80211_hdr *) buf; 1902 pos = (u8 *) (hdr + 1); 1903 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1904 return 0; 1905 pos += sizeof(rfc1042_hdr); 1906 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1907 return 0; 1908 pos += 2; 1909 1910 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 1911 ack); 1912} 1913 1914 1915int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1916 const u8 *buf, int len, int ack) 1917{ 1918 const struct ieee802_1x_hdr *xhdr = 1919 (const struct ieee802_1x_hdr *) buf; 1920 const u8 *pos = buf + sizeof(*xhdr); 1921 struct ieee802_1x_eapol_key *key; 1922 1923 if (len < (int) sizeof(*xhdr)) 1924 return 0; 1925 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1926 "type=%d length=%d - ack=%d", 1927 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1928 be_to_host16(xhdr->length), ack); 1929 1930 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 1931 return 0; 1932 1933 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1934 const struct wpa_eapol_key *wpa; 1935 wpa = (const struct wpa_eapol_key *) pos; 1936 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1937 wpa->type == EAPOL_KEY_TYPE_WPA) 1938 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1939 sta->wpa_sm, ack); 1940 } 1941 1942 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1943 * or Authenticator state machines, but EAPOL-Key packets are not 1944 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 1945 * packets couple of times because otherwise STA keys become 1946 * unsynchronized with AP. */ 1947 if (!ack && pos + sizeof(*key) <= buf + len) { 1948 key = (struct ieee802_1x_eapol_key *) pos; 1949 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1950 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1951 "frame (%scast index=%d)", 1952 key->key_index & BIT(7) ? "uni" : "broad", 1953 key->key_index & ~BIT(7)); 1954 /* TODO: re-send EAPOL-Key couple of times (with short delay 1955 * between them?). If all attempt fail, report error and 1956 * deauthenticate STA so that it will get new keys when 1957 * authenticating again (e.g., after returning in range). 1958 * Separate limit/transmit state needed both for unicast and 1959 * broadcast keys(?) */ 1960 } 1961 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1962 * to here and change the key only if the EAPOL-Key packet was Acked. 1963 */ 1964 1965 return 1; 1966} 1967 1968 1969u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1970{ 1971 if (sm == NULL || sm->identity == NULL) 1972 return NULL; 1973 1974 *len = sm->identity_len; 1975 return sm->identity; 1976} 1977 1978 1979u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1980 int idx) 1981{ 1982 if (sm == NULL || sm->radius_class.attr == NULL || 1983 idx >= (int) sm->radius_class.count) 1984 return NULL; 1985 1986 *len = sm->radius_class.attr[idx].len; 1987 return sm->radius_class.attr[idx].data; 1988} 1989 1990 1991struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 1992{ 1993 if (sm == NULL) 1994 return NULL; 1995 return sm->radius_cui; 1996} 1997 1998 1999const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 2000{ 2001 *len = 0; 2002 if (sm == NULL) 2003 return NULL; 2004 2005 *len = sm->eap_if->eapKeyDataLen; 2006 return sm->eap_if->eapKeyData; 2007} 2008 2009 2010void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2011 int enabled) 2012{ 2013 if (sm == NULL) 2014 return; 2015 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2016 eapol_auth_step(sm); 2017} 2018 2019 2020void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2021 int valid) 2022{ 2023 if (sm == NULL) 2024 return; 2025 sm->portValid = valid ? TRUE : FALSE; 2026 eapol_auth_step(sm); 2027} 2028 2029 2030void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2031{ 2032 if (sm == NULL) 2033 return; 2034 if (pre_auth) 2035 sm->flags |= EAPOL_SM_PREAUTH; 2036 else 2037 sm->flags &= ~EAPOL_SM_PREAUTH; 2038} 2039 2040 2041static const char * bool_txt(Boolean bool) 2042{ 2043 return bool ? "TRUE" : "FALSE"; 2044} 2045 2046 2047int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2048{ 2049 /* TODO */ 2050 return 0; 2051} 2052 2053 2054int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2055 char *buf, size_t buflen) 2056{ 2057 int len = 0, ret; 2058 struct eapol_state_machine *sm = sta->eapol_sm; 2059 struct os_time t; 2060 2061 if (sm == NULL) 2062 return 0; 2063 2064 ret = os_snprintf(buf + len, buflen - len, 2065 "dot1xPaePortNumber=%d\n" 2066 "dot1xPaePortProtocolVersion=%d\n" 2067 "dot1xPaePortCapabilities=1\n" 2068 "dot1xPaePortInitialize=%d\n" 2069 "dot1xPaePortReauthenticate=FALSE\n", 2070 sta->aid, 2071 EAPOL_VERSION, 2072 sm->initialize); 2073 if (ret < 0 || (size_t) ret >= buflen - len) 2074 return len; 2075 len += ret; 2076 2077 /* dot1xAuthConfigTable */ 2078 ret = os_snprintf(buf + len, buflen - len, 2079 "dot1xAuthPaeState=%d\n" 2080 "dot1xAuthBackendAuthState=%d\n" 2081 "dot1xAuthAdminControlledDirections=%d\n" 2082 "dot1xAuthOperControlledDirections=%d\n" 2083 "dot1xAuthAuthControlledPortStatus=%d\n" 2084 "dot1xAuthAuthControlledPortControl=%d\n" 2085 "dot1xAuthQuietPeriod=%u\n" 2086 "dot1xAuthServerTimeout=%u\n" 2087 "dot1xAuthReAuthPeriod=%u\n" 2088 "dot1xAuthReAuthEnabled=%s\n" 2089 "dot1xAuthKeyTxEnabled=%s\n", 2090 sm->auth_pae_state + 1, 2091 sm->be_auth_state + 1, 2092 sm->adminControlledDirections, 2093 sm->operControlledDirections, 2094 sm->authPortStatus, 2095 sm->portControl, 2096 sm->quietPeriod, 2097 sm->serverTimeout, 2098 sm->reAuthPeriod, 2099 bool_txt(sm->reAuthEnabled), 2100 bool_txt(sm->keyTxEnabled)); 2101 if (ret < 0 || (size_t) ret >= buflen - len) 2102 return len; 2103 len += ret; 2104 2105 /* dot1xAuthStatsTable */ 2106 ret = os_snprintf(buf + len, buflen - len, 2107 "dot1xAuthEapolFramesRx=%u\n" 2108 "dot1xAuthEapolFramesTx=%u\n" 2109 "dot1xAuthEapolStartFramesRx=%u\n" 2110 "dot1xAuthEapolLogoffFramesRx=%u\n" 2111 "dot1xAuthEapolRespIdFramesRx=%u\n" 2112 "dot1xAuthEapolRespFramesRx=%u\n" 2113 "dot1xAuthEapolReqIdFramesTx=%u\n" 2114 "dot1xAuthEapolReqFramesTx=%u\n" 2115 "dot1xAuthInvalidEapolFramesRx=%u\n" 2116 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2117 "dot1xAuthLastEapolFrameVersion=%u\n" 2118 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2119 sm->dot1xAuthEapolFramesRx, 2120 sm->dot1xAuthEapolFramesTx, 2121 sm->dot1xAuthEapolStartFramesRx, 2122 sm->dot1xAuthEapolLogoffFramesRx, 2123 sm->dot1xAuthEapolRespIdFramesRx, 2124 sm->dot1xAuthEapolRespFramesRx, 2125 sm->dot1xAuthEapolReqIdFramesTx, 2126 sm->dot1xAuthEapolReqFramesTx, 2127 sm->dot1xAuthInvalidEapolFramesRx, 2128 sm->dot1xAuthEapLengthErrorFramesRx, 2129 sm->dot1xAuthLastEapolFrameVersion, 2130 MAC2STR(sm->addr)); 2131 if (ret < 0 || (size_t) ret >= buflen - len) 2132 return len; 2133 len += ret; 2134 2135 /* dot1xAuthDiagTable */ 2136 ret = os_snprintf(buf + len, buflen - len, 2137 "dot1xAuthEntersConnecting=%u\n" 2138 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2139 "dot1xAuthEntersAuthenticating=%u\n" 2140 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2141 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2142 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2143 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2144 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2145 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2146 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2147 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2148 "dot1xAuthBackendResponses=%u\n" 2149 "dot1xAuthBackendAccessChallenges=%u\n" 2150 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2151 "dot1xAuthBackendAuthSuccesses=%u\n" 2152 "dot1xAuthBackendAuthFails=%u\n", 2153 sm->authEntersConnecting, 2154 sm->authEapLogoffsWhileConnecting, 2155 sm->authEntersAuthenticating, 2156 sm->authAuthSuccessesWhileAuthenticating, 2157 sm->authAuthTimeoutsWhileAuthenticating, 2158 sm->authAuthFailWhileAuthenticating, 2159 sm->authAuthEapStartsWhileAuthenticating, 2160 sm->authAuthEapLogoffWhileAuthenticating, 2161 sm->authAuthReauthsWhileAuthenticated, 2162 sm->authAuthEapStartsWhileAuthenticated, 2163 sm->authAuthEapLogoffWhileAuthenticated, 2164 sm->backendResponses, 2165 sm->backendAccessChallenges, 2166 sm->backendOtherRequestsToSupplicant, 2167 sm->backendAuthSuccesses, 2168 sm->backendAuthFails); 2169 if (ret < 0 || (size_t) ret >= buflen - len) 2170 return len; 2171 len += ret; 2172 2173 /* dot1xAuthSessionStatsTable */ 2174 os_get_time(&t); 2175 ret = os_snprintf(buf + len, buflen - len, 2176 /* TODO: dot1xAuthSessionOctetsRx */ 2177 /* TODO: dot1xAuthSessionOctetsTx */ 2178 /* TODO: dot1xAuthSessionFramesRx */ 2179 /* TODO: dot1xAuthSessionFramesTx */ 2180 "dot1xAuthSessionId=%08X-%08X\n" 2181 "dot1xAuthSessionAuthenticMethod=%d\n" 2182 "dot1xAuthSessionTime=%u\n" 2183 "dot1xAuthSessionTerminateCause=999\n" 2184 "dot1xAuthSessionUserName=%s\n", 2185 sta->acct_session_id_hi, sta->acct_session_id_lo, 2186 (wpa_key_mgmt_wpa_ieee8021x( 2187 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2188 1 : 2, 2189 (unsigned int) (t.sec - sta->acct_session_start), 2190 sm->identity); 2191 if (ret < 0 || (size_t) ret >= buflen - len) 2192 return len; 2193 len += ret; 2194 2195 return len; 2196} 2197 2198 2199static void ieee802_1x_finished(struct hostapd_data *hapd, 2200 struct sta_info *sta, int success) 2201{ 2202 const u8 *key; 2203 size_t len; 2204 /* TODO: get PMKLifetime from WPA parameters */ 2205 static const int dot11RSNAConfigPMKLifetime = 43200; 2206 2207 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2208 if (success && key && len >= PMK_LEN && 2209 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2210 sta->eapol_sm) == 0) { 2211 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2212 HOSTAPD_LEVEL_DEBUG, 2213 "Added PMKSA cache entry (IEEE 802.1X)"); 2214 } 2215 2216 if (!success) { 2217 /* 2218 * Many devices require deauthentication after WPS provisioning 2219 * and some may not be be able to do that themselves, so 2220 * disconnect the client here. In addition, this may also 2221 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2222 * the EAPOL PAE state machine would remain in HELD state for 2223 * considerable amount of time and some EAP methods, like 2224 * EAP-FAST with anonymous provisioning, may require another 2225 * EAPOL authentication to be started to complete connection. 2226 */ 2227 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2228 "disconnection after EAP-Failure"); 2229 /* Add a small sleep to increase likelihood of previously 2230 * requested EAP-Failure TX getting out before this should the 2231 * driver reorder operations. 2232 */ 2233 os_sleep(0, 10000); 2234#ifndef ANDROID_P2P 2235 /* We need not do this for driver. For AP-SME flags if we send this disassoc, 2236 * the p2p_client is gettig disassoc after it has completed the assoc 2237 */ 2238 ap_sta_disconnect(hapd, sta, sta->addr, 2239 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2240#endif 2241 } 2242} 2243