ieee802_1x.c revision 9657139ca0bbea9a84e0a3c7e9438d1f53c9ed24
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "crypto/md5.h" 14#include "crypto/crypto.h" 15#include "crypto/random.h" 16#include "common/ieee802_11_defs.h" 17#include "radius/radius.h" 18#include "radius/radius_client.h" 19#include "eap_server/eap.h" 20#include "eap_common/eap_wsc_common.h" 21#include "eapol_auth/eapol_auth_sm.h" 22#include "eapol_auth/eapol_auth_sm_i.h" 23#include "p2p/p2p.h" 24#include "hostapd.h" 25#include "accounting.h" 26#include "sta_info.h" 27#include "wpa_auth.h" 28#include "preauth_auth.h" 29#include "pmksa_cache_auth.h" 30#include "ap_config.h" 31#include "ap_drv_ops.h" 32#include "ieee802_1x.h" 33 34 35static void ieee802_1x_finished(struct hostapd_data *hapd, 36 struct sta_info *sta, int success); 37 38 39static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 40 u8 type, const u8 *data, size_t datalen) 41{ 42 u8 *buf; 43 struct ieee802_1x_hdr *xhdr; 44 size_t len; 45 int encrypt = 0; 46 47 len = sizeof(*xhdr) + datalen; 48 buf = os_zalloc(len); 49 if (buf == NULL) { 50 wpa_printf(MSG_ERROR, "malloc() failed for " 51 "ieee802_1x_send(len=%lu)", 52 (unsigned long) len); 53 return; 54 } 55 56 xhdr = (struct ieee802_1x_hdr *) buf; 57 xhdr->version = hapd->conf->eapol_version; 58 xhdr->type = type; 59 xhdr->length = host_to_be16(datalen); 60 61 if (datalen > 0 && data != NULL) 62 os_memcpy(xhdr + 1, data, datalen); 63 64 if (wpa_auth_pairwise_set(sta->wpa_sm)) 65 encrypt = 1; 66 if (sta->flags & WLAN_STA_PREAUTH) { 67 rsn_preauth_send(hapd, sta, buf, len); 68 } else { 69 hostapd_drv_hapd_send_eapol( 70 hapd, sta->addr, buf, len, 71 encrypt, hostapd_sta_flags_to_drv(sta->flags)); 72 } 73 74 os_free(buf); 75} 76 77 78void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 79 struct sta_info *sta, int authorized) 80{ 81 int res; 82 83 if (sta->flags & WLAN_STA_PREAUTH) 84 return; 85 86 if (authorized) { 87 ap_sta_set_authorized(hapd, sta, 1); 88 res = hostapd_set_authorized(hapd, sta, 1); 89 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 90 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 91 } else { 92 ap_sta_set_authorized(hapd, sta, 0); 93 res = hostapd_set_authorized(hapd, sta, 0); 94 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 95 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 96 } 97 98 if (res && errno != ENOENT) { 99 wpa_printf(MSG_DEBUG, "Could not set station " MACSTR 100 " flags for kernel driver (errno=%d).", 101 MAC2STR(sta->addr), errno); 102 } 103 104 if (authorized) { 105 os_get_time(&sta->connected_time); 106 accounting_sta_start(hapd, sta); 107 } 108} 109 110 111static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 112 struct sta_info *sta, 113 int idx, int broadcast, 114 u8 *key_data, size_t key_len) 115{ 116 u8 *buf, *ekey; 117 struct ieee802_1x_hdr *hdr; 118 struct ieee802_1x_eapol_key *key; 119 size_t len, ekey_len; 120 struct eapol_state_machine *sm = sta->eapol_sm; 121 122 if (sm == NULL) 123 return; 124 125 len = sizeof(*key) + key_len; 126 buf = os_zalloc(sizeof(*hdr) + len); 127 if (buf == NULL) 128 return; 129 130 hdr = (struct ieee802_1x_hdr *) buf; 131 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 132 key->type = EAPOL_KEY_TYPE_RC4; 133 WPA_PUT_BE16(key->key_length, key_len); 134 wpa_get_ntp_timestamp(key->replay_counter); 135 136 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 137 wpa_printf(MSG_ERROR, "Could not get random numbers"); 138 os_free(buf); 139 return; 140 } 141 142 key->key_index = idx | (broadcast ? 0 : BIT(7)); 143 if (hapd->conf->eapol_key_index_workaround) { 144 /* According to some information, WinXP Supplicant seems to 145 * interpret bit7 as an indication whether the key is to be 146 * activated, so make it possible to enable workaround that 147 * sets this bit for all keys. */ 148 key->key_index |= BIT(7); 149 } 150 151 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 152 * MSK[32..63] is used to sign the message. */ 153 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 154 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 155 "and signing EAPOL-Key"); 156 os_free(buf); 157 return; 158 } 159 os_memcpy((u8 *) (key + 1), key_data, key_len); 160 ekey_len = sizeof(key->key_iv) + 32; 161 ekey = os_malloc(ekey_len); 162 if (ekey == NULL) { 163 wpa_printf(MSG_ERROR, "Could not encrypt key"); 164 os_free(buf); 165 return; 166 } 167 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 168 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 169 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 170 os_free(ekey); 171 172 /* This header is needed here for HMAC-MD5, but it will be regenerated 173 * in ieee802_1x_send() */ 174 hdr->version = hapd->conf->eapol_version; 175 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 176 hdr->length = host_to_be16(len); 177 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 178 key->key_signature); 179 180 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 181 " (%s index=%d)", MAC2STR(sm->addr), 182 broadcast ? "broadcast" : "unicast", idx); 183 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 184 if (sta->eapol_sm) 185 sta->eapol_sm->dot1xAuthEapolFramesTx++; 186 os_free(buf); 187} 188 189 190void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 191{ 192 struct eapol_authenticator *eapol = hapd->eapol_auth; 193 struct eapol_state_machine *sm = sta->eapol_sm; 194 195 if (sm == NULL || !sm->eap_if->eapKeyData) 196 return; 197 198 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 199 MAC2STR(sta->addr)); 200 201#ifndef CONFIG_NO_VLAN 202 if (sta->vlan_id > 0 && sta->vlan_id <= MAX_VLAN_ID) { 203 wpa_printf(MSG_ERROR, "Using WEP with vlans is not supported."); 204 return; 205 } 206#endif /* CONFIG_NO_VLAN */ 207 208 if (eapol->default_wep_key) { 209 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 210 eapol->default_wep_key, 211 hapd->conf->default_wep_key_len); 212 } 213 214 if (hapd->conf->individual_wep_key_len > 0) { 215 u8 *ikey; 216 ikey = os_malloc(hapd->conf->individual_wep_key_len); 217 if (ikey == NULL || 218 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 219 { 220 wpa_printf(MSG_ERROR, "Could not generate random " 221 "individual WEP key."); 222 os_free(ikey); 223 return; 224 } 225 226 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 227 ikey, hapd->conf->individual_wep_key_len); 228 229 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 230 hapd->conf->individual_wep_key_len); 231 232 /* TODO: set encryption in TX callback, i.e., only after STA 233 * has ACKed EAPOL-Key frame */ 234 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 235 sta->addr, 0, 1, NULL, 0, ikey, 236 hapd->conf->individual_wep_key_len)) { 237 wpa_printf(MSG_ERROR, "Could not set individual WEP " 238 "encryption."); 239 } 240 241 os_free(ikey); 242 } 243} 244 245 246const char *radius_mode_txt(struct hostapd_data *hapd) 247{ 248 switch (hapd->iface->conf->hw_mode) { 249 case HOSTAPD_MODE_IEEE80211AD: 250 return "802.11ad"; 251 case HOSTAPD_MODE_IEEE80211A: 252 return "802.11a"; 253 case HOSTAPD_MODE_IEEE80211G: 254 return "802.11g"; 255 case HOSTAPD_MODE_IEEE80211B: 256 default: 257 return "802.11b"; 258 } 259} 260 261 262int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 263{ 264 int i; 265 u8 rate = 0; 266 267 for (i = 0; i < sta->supported_rates_len; i++) 268 if ((sta->supported_rates[i] & 0x7f) > rate) 269 rate = sta->supported_rates[i] & 0x7f; 270 271 return rate; 272} 273 274 275#ifndef CONFIG_NO_RADIUS 276static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 277 struct eapol_state_machine *sm, 278 const u8 *eap, size_t len) 279{ 280 const u8 *identity; 281 size_t identity_len; 282 283 if (len <= sizeof(struct eap_hdr) || 284 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 285 return; 286 287 identity = eap_get_identity(sm->eap, &identity_len); 288 if (identity == NULL) 289 return; 290 291 /* Save station identity for future RADIUS packets */ 292 os_free(sm->identity); 293 sm->identity = (u8 *) dup_binstr(identity, identity_len); 294 if (sm->identity == NULL) { 295 sm->identity_len = 0; 296 return; 297 } 298 299 sm->identity_len = identity_len; 300 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 301 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 302 sm->dot1xAuthEapolRespIdFramesRx++; 303} 304 305 306static int add_common_radius_sta_attr(struct hostapd_data *hapd, 307 struct hostapd_radius_attr *req_attr, 308 struct sta_info *sta, 309 struct radius_msg *msg) 310{ 311 char buf[128]; 312 313 if (!hostapd_config_get_radius_attr(req_attr, 314 RADIUS_ATTR_NAS_PORT) && 315 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 316 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 317 return -1; 318 } 319 320 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 321 MAC2STR(sta->addr)); 322 buf[sizeof(buf) - 1] = '\0'; 323 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 324 (u8 *) buf, os_strlen(buf))) { 325 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 326 return -1; 327 } 328 329 if (sta->flags & WLAN_STA_PREAUTH) { 330 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 331 sizeof(buf)); 332 } else { 333 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 334 radius_sta_rate(hapd, sta) / 2, 335 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 336 radius_mode_txt(hapd)); 337 buf[sizeof(buf) - 1] = '\0'; 338 } 339 if (!hostapd_config_get_radius_attr(req_attr, 340 RADIUS_ATTR_CONNECT_INFO) && 341 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 342 (u8 *) buf, os_strlen(buf))) { 343 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 344 return -1; 345 } 346 347 if (sta->acct_session_id_hi || sta->acct_session_id_lo) { 348 os_snprintf(buf, sizeof(buf), "%08X-%08X", 349 sta->acct_session_id_hi, sta->acct_session_id_lo); 350 if (!radius_msg_add_attr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 351 (u8 *) buf, os_strlen(buf))) { 352 wpa_printf(MSG_ERROR, "Could not add Acct-Session-Id"); 353 return -1; 354 } 355 } 356 357 return 0; 358} 359 360 361int add_common_radius_attr(struct hostapd_data *hapd, 362 struct hostapd_radius_attr *req_attr, 363 struct sta_info *sta, 364 struct radius_msg *msg) 365{ 366 char buf[128]; 367 struct hostapd_radius_attr *attr; 368 369 if (!hostapd_config_get_radius_attr(req_attr, 370 RADIUS_ATTR_NAS_IP_ADDRESS) && 371 hapd->conf->own_ip_addr.af == AF_INET && 372 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 373 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 374 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 375 return -1; 376 } 377 378#ifdef CONFIG_IPV6 379 if (!hostapd_config_get_radius_attr(req_attr, 380 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 381 hapd->conf->own_ip_addr.af == AF_INET6 && 382 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 383 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 384 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 385 return -1; 386 } 387#endif /* CONFIG_IPV6 */ 388 389 if (!hostapd_config_get_radius_attr(req_attr, 390 RADIUS_ATTR_NAS_IDENTIFIER) && 391 hapd->conf->nas_identifier && 392 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 393 (u8 *) hapd->conf->nas_identifier, 394 os_strlen(hapd->conf->nas_identifier))) { 395 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 396 return -1; 397 } 398 399 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 400 MAC2STR(hapd->own_addr), 401 wpa_ssid_txt(hapd->conf->ssid.ssid, 402 hapd->conf->ssid.ssid_len)); 403 buf[sizeof(buf) - 1] = '\0'; 404 if (!hostapd_config_get_radius_attr(req_attr, 405 RADIUS_ATTR_CALLED_STATION_ID) && 406 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 407 (u8 *) buf, os_strlen(buf))) { 408 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 409 return -1; 410 } 411 412 if (!hostapd_config_get_radius_attr(req_attr, 413 RADIUS_ATTR_NAS_PORT_TYPE) && 414 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 415 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 416 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 417 return -1; 418 } 419 420 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 421 return -1; 422 423 for (attr = req_attr; attr; attr = attr->next) { 424 if (!radius_msg_add_attr(msg, attr->type, 425 wpabuf_head(attr->val), 426 wpabuf_len(attr->val))) { 427 wpa_printf(MSG_ERROR, "Could not add RADIUS " 428 "attribute"); 429 return -1; 430 } 431 } 432 433 return 0; 434} 435 436 437static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 438 struct sta_info *sta, 439 const u8 *eap, size_t len) 440{ 441 struct radius_msg *msg; 442 struct eapol_state_machine *sm = sta->eapol_sm; 443 444 if (sm == NULL) 445 return; 446 447 ieee802_1x_learn_identity(hapd, sm, eap, len); 448 449 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 450 "packet"); 451 452 sm->radius_identifier = radius_client_get_id(hapd->radius); 453 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 454 sm->radius_identifier); 455 if (msg == NULL) { 456 printf("Could not create net RADIUS packet\n"); 457 return; 458 } 459 460 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 461 462 if (sm->identity && 463 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 464 sm->identity, sm->identity_len)) { 465 printf("Could not add User-Name\n"); 466 goto fail; 467 } 468 469 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 470 msg) < 0) 471 goto fail; 472 473 /* TODO: should probably check MTU from driver config; 2304 is max for 474 * IEEE 802.11, but use 1400 to avoid problems with too large packets 475 */ 476 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 477 RADIUS_ATTR_FRAMED_MTU) && 478 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 479 printf("Could not add Framed-MTU\n"); 480 goto fail; 481 } 482 483 if (eap && !radius_msg_add_eap(msg, eap, len)) { 484 printf("Could not add EAP-Message\n"); 485 goto fail; 486 } 487 488 /* State attribute must be copied if and only if this packet is 489 * Access-Request reply to the previous Access-Challenge */ 490 if (sm->last_recv_radius && 491 radius_msg_get_hdr(sm->last_recv_radius)->code == 492 RADIUS_CODE_ACCESS_CHALLENGE) { 493 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 494 RADIUS_ATTR_STATE); 495 if (res < 0) { 496 printf("Could not copy State attribute from previous " 497 "Access-Challenge\n"); 498 goto fail; 499 } 500 if (res > 0) { 501 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 502 } 503 } 504 505 if (hapd->conf->radius_request_cui) { 506 const u8 *cui; 507 size_t cui_len; 508 /* Add previously learned CUI or nul CUI to request CUI */ 509 if (sm->radius_cui) { 510 cui = wpabuf_head(sm->radius_cui); 511 cui_len = wpabuf_len(sm->radius_cui); 512 } else { 513 cui = (const u8 *) "\0"; 514 cui_len = 1; 515 } 516 if (!radius_msg_add_attr(msg, 517 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 518 cui, cui_len)) { 519 wpa_printf(MSG_ERROR, "Could not add CUI"); 520 goto fail; 521 } 522 } 523 524 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 525 goto fail; 526 527 return; 528 529 fail: 530 radius_msg_free(msg); 531} 532#endif /* CONFIG_NO_RADIUS */ 533 534 535static void handle_eap_response(struct hostapd_data *hapd, 536 struct sta_info *sta, struct eap_hdr *eap, 537 size_t len) 538{ 539 u8 type, *data; 540 struct eapol_state_machine *sm = sta->eapol_sm; 541 if (sm == NULL) 542 return; 543 544 data = (u8 *) (eap + 1); 545 546 if (len < sizeof(*eap) + 1) { 547 printf("handle_eap_response: too short response data\n"); 548 return; 549 } 550 551 sm->eap_type_supp = type = data[0]; 552 553 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 554 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 555 "id=%d len=%d) from STA: EAP Response-%s (%d)", 556 eap->code, eap->identifier, be_to_host16(eap->length), 557 eap_server_get_name(0, type), type); 558 559 sm->dot1xAuthEapolRespFramesRx++; 560 561 wpabuf_free(sm->eap_if->eapRespData); 562 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 563 sm->eapolEap = TRUE; 564} 565 566 567/* Process incoming EAP packet from Supplicant */ 568static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 569 u8 *buf, size_t len) 570{ 571 struct eap_hdr *eap; 572 u16 eap_len; 573 574 if (len < sizeof(*eap)) { 575 printf(" too short EAP packet\n"); 576 return; 577 } 578 579 eap = (struct eap_hdr *) buf; 580 581 eap_len = be_to_host16(eap->length); 582 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 583 eap->code, eap->identifier, eap_len); 584 if (eap_len < sizeof(*eap)) { 585 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 586 return; 587 } else if (eap_len > len) { 588 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 589 "packet"); 590 return; 591 } else if (eap_len < len) { 592 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 593 "packet", (unsigned long) len - eap_len); 594 } 595 596 switch (eap->code) { 597 case EAP_CODE_REQUEST: 598 wpa_printf(MSG_DEBUG, " (request)"); 599 return; 600 case EAP_CODE_RESPONSE: 601 wpa_printf(MSG_DEBUG, " (response)"); 602 handle_eap_response(hapd, sta, eap, eap_len); 603 break; 604 case EAP_CODE_SUCCESS: 605 wpa_printf(MSG_DEBUG, " (success)"); 606 return; 607 case EAP_CODE_FAILURE: 608 wpa_printf(MSG_DEBUG, " (failure)"); 609 return; 610 default: 611 wpa_printf(MSG_DEBUG, " (unknown code)"); 612 return; 613 } 614} 615 616 617static struct eapol_state_machine * 618ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 619{ 620 int flags = 0; 621 if (sta->flags & WLAN_STA_PREAUTH) 622 flags |= EAPOL_SM_PREAUTH; 623 if (sta->wpa_sm) { 624 flags |= EAPOL_SM_USES_WPA; 625 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 626 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 627 } 628 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 629 sta->wps_ie, sta->p2p_ie, sta, 630 sta->identity, sta->radius_cui); 631} 632 633 634/** 635 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 636 * @hapd: hostapd BSS data 637 * @sa: Source address (sender of the EAPOL frame) 638 * @buf: EAPOL frame 639 * @len: Length of buf in octets 640 * 641 * This function is called for each incoming EAPOL frame from the interface 642 */ 643void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 644 size_t len) 645{ 646 struct sta_info *sta; 647 struct ieee802_1x_hdr *hdr; 648 struct ieee802_1x_eapol_key *key; 649 u16 datalen; 650 struct rsn_pmksa_cache_entry *pmksa; 651 int key_mgmt; 652 653 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 654 !hapd->conf->wps_state) 655 return; 656 657 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 658 (unsigned long) len, MAC2STR(sa)); 659 sta = ap_get_sta(hapd, sa); 660 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 661 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 662 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 663 "associated/Pre-authenticating STA"); 664 return; 665 } 666 667 if (len < sizeof(*hdr)) { 668 printf(" too short IEEE 802.1X packet\n"); 669 return; 670 } 671 672 hdr = (struct ieee802_1x_hdr *) buf; 673 datalen = be_to_host16(hdr->length); 674 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 675 hdr->version, hdr->type, datalen); 676 677 if (len - sizeof(*hdr) < datalen) { 678 printf(" frame too short for this IEEE 802.1X packet\n"); 679 if (sta->eapol_sm) 680 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 681 return; 682 } 683 if (len - sizeof(*hdr) > datalen) { 684 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 685 "IEEE 802.1X packet", 686 (unsigned long) len - sizeof(*hdr) - datalen); 687 } 688 689 if (sta->eapol_sm) { 690 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 691 sta->eapol_sm->dot1xAuthEapolFramesRx++; 692 } 693 694 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 695 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 696 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 697 (key->type == EAPOL_KEY_TYPE_WPA || 698 key->type == EAPOL_KEY_TYPE_RSN)) { 699 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 700 sizeof(*hdr) + datalen); 701 return; 702 } 703 704 if (!hapd->conf->ieee802_1x && 705 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 706 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 707 "802.1X not enabled and WPS not used"); 708 return; 709 } 710 711 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 712 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 713 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 714 "STA is using PSK"); 715 return; 716 } 717 718 if (!sta->eapol_sm) { 719 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 720 if (!sta->eapol_sm) 721 return; 722 723#ifdef CONFIG_WPS 724 if (!hapd->conf->ieee802_1x) { 725 u32 wflags = sta->flags & (WLAN_STA_WPS | 726 WLAN_STA_WPS2 | 727 WLAN_STA_MAYBE_WPS); 728 if (wflags == WLAN_STA_MAYBE_WPS || 729 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 730 /* 731 * Delay EAPOL frame transmission until a 732 * possible WPS STA initiates the handshake 733 * with EAPOL-Start. Only allow the wait to be 734 * skipped if the STA is known to support WPS 735 * 2.0. 736 */ 737 wpa_printf(MSG_DEBUG, "WPS: Do not start " 738 "EAPOL until EAPOL-Start is " 739 "received"); 740 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 741 } 742 } 743#endif /* CONFIG_WPS */ 744 745 sta->eapol_sm->eap_if->portEnabled = TRUE; 746 } 747 748 /* since we support version 1, we can ignore version field and proceed 749 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 750 /* TODO: actually, we are not version 1 anymore.. However, Version 2 751 * does not change frame contents, so should be ok to process frames 752 * more or less identically. Some changes might be needed for 753 * verification of fields. */ 754 755 switch (hdr->type) { 756 case IEEE802_1X_TYPE_EAP_PACKET: 757 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 758 break; 759 760 case IEEE802_1X_TYPE_EAPOL_START: 761 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 762 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 763 "from STA"); 764 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 765 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 766 if (pmksa) { 767 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 768 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 769 "available - ignore it since " 770 "STA sent EAPOL-Start"); 771 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 772 } 773 sta->eapol_sm->eapolStart = TRUE; 774 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 775 eap_server_clear_identity(sta->eapol_sm->eap); 776 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 777 break; 778 779 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 780 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 781 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 782 "from STA"); 783 sta->acct_terminate_cause = 784 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 785 accounting_sta_stop(hapd, sta); 786 sta->eapol_sm->eapolLogoff = TRUE; 787 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 788 eap_server_clear_identity(sta->eapol_sm->eap); 789 break; 790 791 case IEEE802_1X_TYPE_EAPOL_KEY: 792 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 793 if (!ap_sta_is_authorized(sta)) { 794 wpa_printf(MSG_DEBUG, " Dropped key data from " 795 "unauthorized Supplicant"); 796 break; 797 } 798 break; 799 800 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 801 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 802 /* TODO: implement support for this; show data */ 803 break; 804 805 default: 806 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 807 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 808 break; 809 } 810 811 eapol_auth_step(sta->eapol_sm); 812} 813 814 815/** 816 * ieee802_1x_new_station - Start IEEE 802.1X authentication 817 * @hapd: hostapd BSS data 818 * @sta: The station 819 * 820 * This function is called to start IEEE 802.1X authentication when a new 821 * station completes IEEE 802.11 association. 822 */ 823void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 824{ 825 struct rsn_pmksa_cache_entry *pmksa; 826 int reassoc = 1; 827 int force_1x = 0; 828 int key_mgmt; 829 830#ifdef CONFIG_WPS 831 if (hapd->conf->wps_state && hapd->conf->wpa && 832 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 833 /* 834 * Need to enable IEEE 802.1X/EAPOL state machines for possible 835 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 836 * authentication in this BSS. 837 */ 838 force_1x = 1; 839 } 840#endif /* CONFIG_WPS */ 841 842 if (!force_1x && !hapd->conf->ieee802_1x) { 843 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 844 "802.1X not enabled or forced for WPS"); 845 /* 846 * Clear any possible EAPOL authenticator state to support 847 * reassociation change from WPS to PSK. 848 */ 849 ieee802_1x_free_station(sta); 850 return; 851 } 852 853 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 854 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 855 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 856 /* 857 * Clear any possible EAPOL authenticator state to support 858 * reassociation change from WPA-EAP to PSK. 859 */ 860 ieee802_1x_free_station(sta); 861 return; 862 } 863 864 if (sta->eapol_sm == NULL) { 865 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 866 HOSTAPD_LEVEL_DEBUG, "start authentication"); 867 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 868 if (sta->eapol_sm == NULL) { 869 hostapd_logger(hapd, sta->addr, 870 HOSTAPD_MODULE_IEEE8021X, 871 HOSTAPD_LEVEL_INFO, 872 "failed to allocate state machine"); 873 return; 874 } 875 reassoc = 0; 876 } 877 878#ifdef CONFIG_WPS 879 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 880 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS2)) { 881 /* 882 * Delay EAPOL frame transmission until a possible WPS STA 883 * initiates the handshake with EAPOL-Start. Only allow the 884 * wait to be skipped if the STA is known to support WPS 2.0. 885 */ 886 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 887 "EAPOL-Start is received"); 888 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 889 } 890#endif /* CONFIG_WPS */ 891 892 sta->eapol_sm->eap_if->portEnabled = TRUE; 893 894#ifdef CONFIG_IEEE80211R 895 if (sta->auth_alg == WLAN_AUTH_FT) { 896 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 897 HOSTAPD_LEVEL_DEBUG, 898 "PMK from FT - skip IEEE 802.1X/EAP"); 899 /* Setup EAPOL state machines to already authenticated state 900 * because of existing FT information from R0KH. */ 901 sta->eapol_sm->keyRun = TRUE; 902 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 903 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 904 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 905 sta->eapol_sm->authSuccess = TRUE; 906 sta->eapol_sm->authFail = FALSE; 907 if (sta->eapol_sm->eap) 908 eap_sm_notify_cached(sta->eapol_sm->eap); 909 /* TODO: get vlan_id from R0KH using RRB message */ 910 return; 911 } 912#endif /* CONFIG_IEEE80211R */ 913 914 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 915 if (pmksa) { 916 int old_vlanid; 917 918 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 919 HOSTAPD_LEVEL_DEBUG, 920 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 921 /* Setup EAPOL state machines to already authenticated state 922 * because of existing PMKSA information in the cache. */ 923 sta->eapol_sm->keyRun = TRUE; 924 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 925 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 926 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 927 sta->eapol_sm->authSuccess = TRUE; 928 sta->eapol_sm->authFail = FALSE; 929 if (sta->eapol_sm->eap) 930 eap_sm_notify_cached(sta->eapol_sm->eap); 931 old_vlanid = sta->vlan_id; 932 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 933 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 934 sta->vlan_id = 0; 935 ap_sta_bind_vlan(hapd, sta, old_vlanid); 936 } else { 937 if (reassoc) { 938 /* 939 * Force EAPOL state machines to start 940 * re-authentication without having to wait for the 941 * Supplicant to send EAPOL-Start. 942 */ 943 sta->eapol_sm->reAuthenticate = TRUE; 944 } 945 eapol_auth_step(sta->eapol_sm); 946 } 947} 948 949 950void ieee802_1x_free_station(struct sta_info *sta) 951{ 952 struct eapol_state_machine *sm = sta->eapol_sm; 953 954 if (sm == NULL) 955 return; 956 957 sta->eapol_sm = NULL; 958 959#ifndef CONFIG_NO_RADIUS 960 radius_msg_free(sm->last_recv_radius); 961 radius_free_class(&sm->radius_class); 962 wpabuf_free(sm->radius_cui); 963#endif /* CONFIG_NO_RADIUS */ 964 965 os_free(sm->identity); 966 eapol_auth_free(sm); 967} 968 969 970#ifndef CONFIG_NO_RADIUS 971static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 972 struct sta_info *sta) 973{ 974 struct wpabuf *eap; 975 const struct eap_hdr *hdr; 976 int eap_type = -1; 977 char buf[64]; 978 struct radius_msg *msg; 979 struct eapol_state_machine *sm = sta->eapol_sm; 980 981 if (sm == NULL || sm->last_recv_radius == NULL) { 982 if (sm) 983 sm->eap_if->aaaEapNoReq = TRUE; 984 return; 985 } 986 987 msg = sm->last_recv_radius; 988 989 eap = radius_msg_get_eap(msg); 990 if (eap == NULL) { 991 /* RFC 3579, Chap. 2.6.3: 992 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 993 * attribute */ 994 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 995 HOSTAPD_LEVEL_WARNING, "could not extract " 996 "EAP-Message from RADIUS message"); 997 sm->eap_if->aaaEapNoReq = TRUE; 998 return; 999 } 1000 1001 if (wpabuf_len(eap) < sizeof(*hdr)) { 1002 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1003 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1004 "received from authentication server"); 1005 wpabuf_free(eap); 1006 sm->eap_if->aaaEapNoReq = TRUE; 1007 return; 1008 } 1009 1010 if (wpabuf_len(eap) > sizeof(*hdr)) 1011 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1012 1013 hdr = wpabuf_head(eap); 1014 switch (hdr->code) { 1015 case EAP_CODE_REQUEST: 1016 if (eap_type >= 0) 1017 sm->eap_type_authsrv = eap_type; 1018 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1019 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1020 "??", 1021 eap_type); 1022 break; 1023 case EAP_CODE_RESPONSE: 1024 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1025 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1026 "??", 1027 eap_type); 1028 break; 1029 case EAP_CODE_SUCCESS: 1030 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1031 break; 1032 case EAP_CODE_FAILURE: 1033 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1034 break; 1035 default: 1036 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1037 break; 1038 } 1039 buf[sizeof(buf) - 1] = '\0'; 1040 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1041 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1042 "id=%d len=%d) from RADIUS server: %s", 1043 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1044 buf); 1045 sm->eap_if->aaaEapReq = TRUE; 1046 1047 wpabuf_free(sm->eap_if->aaaEapReqData); 1048 sm->eap_if->aaaEapReqData = eap; 1049} 1050 1051 1052static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1053 struct sta_info *sta, struct radius_msg *msg, 1054 struct radius_msg *req, 1055 const u8 *shared_secret, 1056 size_t shared_secret_len) 1057{ 1058 struct radius_ms_mppe_keys *keys; 1059 struct eapol_state_machine *sm = sta->eapol_sm; 1060 if (sm == NULL) 1061 return; 1062 1063 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1064 shared_secret_len); 1065 1066 if (keys && keys->send && keys->recv) { 1067 size_t len = keys->send_len + keys->recv_len; 1068 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1069 keys->send, keys->send_len); 1070 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1071 keys->recv, keys->recv_len); 1072 1073 os_free(sm->eap_if->aaaEapKeyData); 1074 sm->eap_if->aaaEapKeyData = os_malloc(len); 1075 if (sm->eap_if->aaaEapKeyData) { 1076 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1077 keys->recv_len); 1078 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1079 keys->send, keys->send_len); 1080 sm->eap_if->aaaEapKeyDataLen = len; 1081 sm->eap_if->aaaEapKeyAvailable = TRUE; 1082 } 1083 } 1084 1085 if (keys) { 1086 os_free(keys->send); 1087 os_free(keys->recv); 1088 os_free(keys); 1089 } 1090} 1091 1092 1093static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1094 struct sta_info *sta, 1095 struct radius_msg *msg) 1096{ 1097 u8 *class; 1098 size_t class_len; 1099 struct eapol_state_machine *sm = sta->eapol_sm; 1100 int count, i; 1101 struct radius_attr_data *nclass; 1102 size_t nclass_count; 1103 1104 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1105 sm == NULL) 1106 return; 1107 1108 radius_free_class(&sm->radius_class); 1109 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1110 if (count <= 0) 1111 return; 1112 1113 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1114 if (nclass == NULL) 1115 return; 1116 1117 nclass_count = 0; 1118 1119 class = NULL; 1120 for (i = 0; i < count; i++) { 1121 do { 1122 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1123 &class, &class_len, 1124 class) < 0) { 1125 i = count; 1126 break; 1127 } 1128 } while (class_len < 1); 1129 1130 nclass[nclass_count].data = os_malloc(class_len); 1131 if (nclass[nclass_count].data == NULL) 1132 break; 1133 1134 os_memcpy(nclass[nclass_count].data, class, class_len); 1135 nclass[nclass_count].len = class_len; 1136 nclass_count++; 1137 } 1138 1139 sm->radius_class.attr = nclass; 1140 sm->radius_class.count = nclass_count; 1141 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1142 "attributes for " MACSTR, 1143 (unsigned long) sm->radius_class.count, 1144 MAC2STR(sta->addr)); 1145} 1146 1147 1148/* Update sta->identity based on User-Name attribute in Access-Accept */ 1149static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1150 struct sta_info *sta, 1151 struct radius_msg *msg) 1152{ 1153 u8 *buf, *identity; 1154 size_t len; 1155 struct eapol_state_machine *sm = sta->eapol_sm; 1156 1157 if (sm == NULL) 1158 return; 1159 1160 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1161 NULL) < 0) 1162 return; 1163 1164 identity = (u8 *) dup_binstr(buf, len); 1165 if (identity == NULL) 1166 return; 1167 1168 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1169 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1170 "User-Name from Access-Accept '%s'", 1171 sm->identity ? (char *) sm->identity : "N/A", 1172 (char *) identity); 1173 1174 os_free(sm->identity); 1175 sm->identity = identity; 1176 sm->identity_len = len; 1177} 1178 1179 1180/* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1181static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1182 struct sta_info *sta, 1183 struct radius_msg *msg) 1184{ 1185 struct eapol_state_machine *sm = sta->eapol_sm; 1186 struct wpabuf *cui; 1187 u8 *buf; 1188 size_t len; 1189 1190 if (sm == NULL) 1191 return; 1192 1193 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1194 &buf, &len, NULL) < 0) 1195 return; 1196 1197 cui = wpabuf_alloc_copy(buf, len); 1198 if (cui == NULL) 1199 return; 1200 1201 wpabuf_free(sm->radius_cui); 1202 sm->radius_cui = cui; 1203} 1204 1205 1206struct sta_id_search { 1207 u8 identifier; 1208 struct eapol_state_machine *sm; 1209}; 1210 1211 1212static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1213 struct sta_info *sta, 1214 void *ctx) 1215{ 1216 struct sta_id_search *id_search = ctx; 1217 struct eapol_state_machine *sm = sta->eapol_sm; 1218 1219 if (sm && sm->radius_identifier >= 0 && 1220 sm->radius_identifier == id_search->identifier) { 1221 id_search->sm = sm; 1222 return 1; 1223 } 1224 return 0; 1225} 1226 1227 1228static struct eapol_state_machine * 1229ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1230{ 1231 struct sta_id_search id_search; 1232 id_search.identifier = identifier; 1233 id_search.sm = NULL; 1234 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1235 return id_search.sm; 1236} 1237 1238 1239/** 1240 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1241 * @msg: RADIUS response message 1242 * @req: RADIUS request message 1243 * @shared_secret: RADIUS shared secret 1244 * @shared_secret_len: Length of shared_secret in octets 1245 * @data: Context data (struct hostapd_data *) 1246 * Returns: Processing status 1247 */ 1248static RadiusRxResult 1249ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1250 const u8 *shared_secret, size_t shared_secret_len, 1251 void *data) 1252{ 1253 struct hostapd_data *hapd = data; 1254 struct sta_info *sta; 1255 u32 session_timeout = 0, termination_action, acct_interim_interval; 1256 int session_timeout_set, old_vlanid = 0; 1257 struct eapol_state_machine *sm; 1258 int override_eapReq = 0; 1259 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1260 1261 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1262 if (sm == NULL) { 1263 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1264 "station for this RADIUS message"); 1265 return RADIUS_RX_UNKNOWN; 1266 } 1267 sta = sm->sta; 1268 1269 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1270 * present when packet contains an EAP-Message attribute */ 1271 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1272 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1273 0) < 0 && 1274 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1275 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1276 "Message-Authenticator since it does not include " 1277 "EAP-Message"); 1278 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1279 req, 1)) { 1280 printf("Incoming RADIUS packet did not have correct " 1281 "Message-Authenticator - dropped\n"); 1282 return RADIUS_RX_INVALID_AUTHENTICATOR; 1283 } 1284 1285 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1286 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1287 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1288 printf("Unknown RADIUS message code\n"); 1289 return RADIUS_RX_UNKNOWN; 1290 } 1291 1292 sm->radius_identifier = -1; 1293 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1294 MAC2STR(sta->addr)); 1295 1296 radius_msg_free(sm->last_recv_radius); 1297 sm->last_recv_radius = msg; 1298 1299 session_timeout_set = 1300 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1301 &session_timeout); 1302 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1303 &termination_action)) 1304 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1305 1306 if (hapd->conf->acct_interim_interval == 0 && 1307 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1308 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1309 &acct_interim_interval) == 0) { 1310 if (acct_interim_interval < 60) { 1311 hostapd_logger(hapd, sta->addr, 1312 HOSTAPD_MODULE_IEEE8021X, 1313 HOSTAPD_LEVEL_INFO, 1314 "ignored too small " 1315 "Acct-Interim-Interval %d", 1316 acct_interim_interval); 1317 } else 1318 sta->acct_interim_interval = acct_interim_interval; 1319 } 1320 1321 1322 switch (hdr->code) { 1323 case RADIUS_CODE_ACCESS_ACCEPT: 1324 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1325 sta->vlan_id = 0; 1326#ifndef CONFIG_NO_VLAN 1327 else { 1328 old_vlanid = sta->vlan_id; 1329 sta->vlan_id = radius_msg_get_vlanid(msg); 1330 } 1331 if (sta->vlan_id > 0 && 1332 hostapd_vlan_id_valid(hapd->conf->vlan, sta->vlan_id)) { 1333 hostapd_logger(hapd, sta->addr, 1334 HOSTAPD_MODULE_RADIUS, 1335 HOSTAPD_LEVEL_INFO, 1336 "VLAN ID %d", sta->vlan_id); 1337 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1338 sta->eapol_sm->authFail = TRUE; 1339 hostapd_logger(hapd, sta->addr, 1340 HOSTAPD_MODULE_IEEE8021X, 1341 HOSTAPD_LEVEL_INFO, "authentication " 1342 "server did not include required VLAN " 1343 "ID in Access-Accept"); 1344 break; 1345 } 1346#endif /* CONFIG_NO_VLAN */ 1347 1348 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1349 break; 1350 1351 /* RFC 3580, Ch. 3.17 */ 1352 if (session_timeout_set && termination_action == 1353 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1354 sm->reAuthPeriod = session_timeout; 1355 } else if (session_timeout_set) 1356 ap_sta_session_timeout(hapd, sta, session_timeout); 1357 1358 sm->eap_if->aaaSuccess = TRUE; 1359 override_eapReq = 1; 1360 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1361 shared_secret_len); 1362 ieee802_1x_store_radius_class(hapd, sta, msg); 1363 ieee802_1x_update_sta_identity(hapd, sta, msg); 1364 ieee802_1x_update_sta_cui(hapd, sta, msg); 1365 if (sm->eap_if->eapKeyAvailable && 1366 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1367 session_timeout_set ? 1368 (int) session_timeout : -1, sm) == 0) { 1369 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1370 HOSTAPD_LEVEL_DEBUG, 1371 "Added PMKSA cache entry"); 1372 } 1373 break; 1374 case RADIUS_CODE_ACCESS_REJECT: 1375 sm->eap_if->aaaFail = TRUE; 1376 override_eapReq = 1; 1377 break; 1378 case RADIUS_CODE_ACCESS_CHALLENGE: 1379 sm->eap_if->aaaEapReq = TRUE; 1380 if (session_timeout_set) { 1381 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1382 sm->eap_if->aaaMethodTimeout = session_timeout; 1383 hostapd_logger(hapd, sm->addr, 1384 HOSTAPD_MODULE_IEEE8021X, 1385 HOSTAPD_LEVEL_DEBUG, 1386 "using EAP timeout of %d seconds (from " 1387 "RADIUS)", 1388 sm->eap_if->aaaMethodTimeout); 1389 } else { 1390 /* 1391 * Use dynamic retransmission behavior per EAP 1392 * specification. 1393 */ 1394 sm->eap_if->aaaMethodTimeout = 0; 1395 } 1396 break; 1397 } 1398 1399 ieee802_1x_decapsulate_radius(hapd, sta); 1400 if (override_eapReq) 1401 sm->eap_if->aaaEapReq = FALSE; 1402 1403 eapol_auth_step(sm); 1404 1405 return RADIUS_RX_QUEUED; 1406} 1407#endif /* CONFIG_NO_RADIUS */ 1408 1409 1410void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1411{ 1412 struct eapol_state_machine *sm = sta->eapol_sm; 1413 if (sm == NULL) 1414 return; 1415 1416 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1417 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1418 1419#ifndef CONFIG_NO_RADIUS 1420 radius_msg_free(sm->last_recv_radius); 1421 sm->last_recv_radius = NULL; 1422#endif /* CONFIG_NO_RADIUS */ 1423 1424 if (sm->eap_if->eapTimeout) { 1425 /* 1426 * Disconnect the STA since it did not reply to the last EAP 1427 * request and we cannot continue EAP processing (EAP-Failure 1428 * could only be sent if the EAP peer actually replied). 1429 */ 1430 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1431 MAC2STR(sta->addr)); 1432 1433 sm->eap_if->portEnabled = FALSE; 1434 ap_sta_disconnect(hapd, sta, sta->addr, 1435 WLAN_REASON_PREV_AUTH_NOT_VALID); 1436 } 1437} 1438 1439 1440static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1441{ 1442 struct eapol_authenticator *eapol = hapd->eapol_auth; 1443 1444 if (hapd->conf->default_wep_key_len < 1) 1445 return 0; 1446 1447 os_free(eapol->default_wep_key); 1448 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1449 if (eapol->default_wep_key == NULL || 1450 random_get_bytes(eapol->default_wep_key, 1451 hapd->conf->default_wep_key_len)) { 1452 printf("Could not generate random WEP key.\n"); 1453 os_free(eapol->default_wep_key); 1454 eapol->default_wep_key = NULL; 1455 return -1; 1456 } 1457 1458 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1459 eapol->default_wep_key, 1460 hapd->conf->default_wep_key_len); 1461 1462 return 0; 1463} 1464 1465 1466static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1467 struct sta_info *sta, void *ctx) 1468{ 1469 if (sta->eapol_sm) { 1470 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1471 eapol_auth_step(sta->eapol_sm); 1472 } 1473 return 0; 1474} 1475 1476 1477static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1478{ 1479 struct hostapd_data *hapd = eloop_ctx; 1480 struct eapol_authenticator *eapol = hapd->eapol_auth; 1481 1482 if (eapol->default_wep_key_idx >= 3) 1483 eapol->default_wep_key_idx = 1484 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1485 else 1486 eapol->default_wep_key_idx++; 1487 1488 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1489 eapol->default_wep_key_idx); 1490 1491 if (ieee802_1x_rekey_broadcast(hapd)) { 1492 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1493 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1494 "new broadcast key"); 1495 os_free(eapol->default_wep_key); 1496 eapol->default_wep_key = NULL; 1497 return; 1498 } 1499 1500 /* TODO: Could setup key for RX here, but change default TX keyid only 1501 * after new broadcast key has been sent to all stations. */ 1502 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1503 broadcast_ether_addr, 1504 eapol->default_wep_key_idx, 1, NULL, 0, 1505 eapol->default_wep_key, 1506 hapd->conf->default_wep_key_len)) { 1507 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1508 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1509 "new broadcast key"); 1510 os_free(eapol->default_wep_key); 1511 eapol->default_wep_key = NULL; 1512 return; 1513 } 1514 1515 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1516 1517 if (hapd->conf->wep_rekeying_period > 0) { 1518 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1519 ieee802_1x_rekey, hapd, NULL); 1520 } 1521} 1522 1523 1524static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1525 const u8 *data, size_t datalen) 1526{ 1527#ifdef CONFIG_WPS 1528 struct sta_info *sta = sta_ctx; 1529 1530 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1531 WLAN_STA_MAYBE_WPS) { 1532 const u8 *identity; 1533 size_t identity_len; 1534 struct eapol_state_machine *sm = sta->eapol_sm; 1535 1536 identity = eap_get_identity(sm->eap, &identity_len); 1537 if (identity && 1538 ((identity_len == WSC_ID_ENROLLEE_LEN && 1539 os_memcmp(identity, WSC_ID_ENROLLEE, 1540 WSC_ID_ENROLLEE_LEN) == 0) || 1541 (identity_len == WSC_ID_REGISTRAR_LEN && 1542 os_memcmp(identity, WSC_ID_REGISTRAR, 1543 WSC_ID_REGISTRAR_LEN) == 0))) { 1544 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1545 "WLAN_STA_WPS"); 1546 sta->flags |= WLAN_STA_WPS; 1547 } 1548 } 1549#endif /* CONFIG_WPS */ 1550 1551 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1552} 1553 1554 1555static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1556 const u8 *data, size_t datalen) 1557{ 1558#ifndef CONFIG_NO_RADIUS 1559 struct hostapd_data *hapd = ctx; 1560 struct sta_info *sta = sta_ctx; 1561 1562 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1563#endif /* CONFIG_NO_RADIUS */ 1564} 1565 1566 1567static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1568 int preauth) 1569{ 1570 struct hostapd_data *hapd = ctx; 1571 struct sta_info *sta = sta_ctx; 1572 if (preauth) 1573 rsn_preauth_finished(hapd, sta, success); 1574 else 1575 ieee802_1x_finished(hapd, sta, success); 1576} 1577 1578 1579static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1580 size_t identity_len, int phase2, 1581 struct eap_user *user) 1582{ 1583 struct hostapd_data *hapd = ctx; 1584 const struct hostapd_eap_user *eap_user; 1585 int i; 1586 1587 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 1588 if (eap_user == NULL) 1589 return -1; 1590 1591 os_memset(user, 0, sizeof(*user)); 1592 user->phase2 = phase2; 1593 for (i = 0; i < EAP_MAX_METHODS; i++) { 1594 user->methods[i].vendor = eap_user->methods[i].vendor; 1595 user->methods[i].method = eap_user->methods[i].method; 1596 } 1597 1598 if (eap_user->password) { 1599 user->password = os_malloc(eap_user->password_len); 1600 if (user->password == NULL) 1601 return -1; 1602 os_memcpy(user->password, eap_user->password, 1603 eap_user->password_len); 1604 user->password_len = eap_user->password_len; 1605 user->password_hash = eap_user->password_hash; 1606 } 1607 user->force_version = eap_user->force_version; 1608 user->ttls_auth = eap_user->ttls_auth; 1609 1610 return 0; 1611} 1612 1613 1614static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1615{ 1616 struct hostapd_data *hapd = ctx; 1617 struct sta_info *sta; 1618 sta = ap_get_sta(hapd, addr); 1619 if (sta == NULL || sta->eapol_sm == NULL) 1620 return 0; 1621 return 1; 1622} 1623 1624 1625static void ieee802_1x_logger(void *ctx, const u8 *addr, 1626 eapol_logger_level level, const char *txt) 1627{ 1628#ifndef CONFIG_NO_HOSTAPD_LOGGER 1629 struct hostapd_data *hapd = ctx; 1630 int hlevel; 1631 1632 switch (level) { 1633 case EAPOL_LOGGER_WARNING: 1634 hlevel = HOSTAPD_LEVEL_WARNING; 1635 break; 1636 case EAPOL_LOGGER_INFO: 1637 hlevel = HOSTAPD_LEVEL_INFO; 1638 break; 1639 case EAPOL_LOGGER_DEBUG: 1640 default: 1641 hlevel = HOSTAPD_LEVEL_DEBUG; 1642 break; 1643 } 1644 1645 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1646 txt); 1647#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1648} 1649 1650 1651static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1652 int authorized) 1653{ 1654 struct hostapd_data *hapd = ctx; 1655 struct sta_info *sta = sta_ctx; 1656 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1657} 1658 1659 1660static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1661{ 1662 struct hostapd_data *hapd = ctx; 1663 struct sta_info *sta = sta_ctx; 1664 ieee802_1x_abort_auth(hapd, sta); 1665} 1666 1667 1668static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1669{ 1670 struct hostapd_data *hapd = ctx; 1671 struct sta_info *sta = sta_ctx; 1672 ieee802_1x_tx_key(hapd, sta); 1673} 1674 1675 1676static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1677 enum eapol_event type) 1678{ 1679 /* struct hostapd_data *hapd = ctx; */ 1680 struct sta_info *sta = sta_ctx; 1681 switch (type) { 1682 case EAPOL_AUTH_SM_CHANGE: 1683 wpa_auth_sm_notify(sta->wpa_sm); 1684 break; 1685 case EAPOL_AUTH_REAUTHENTICATE: 1686 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1687 break; 1688 } 1689} 1690 1691 1692int ieee802_1x_init(struct hostapd_data *hapd) 1693{ 1694 int i; 1695 struct eapol_auth_config conf; 1696 struct eapol_auth_cb cb; 1697 1698 os_memset(&conf, 0, sizeof(conf)); 1699 conf.ctx = hapd; 1700 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1701 conf.wpa = hapd->conf->wpa; 1702 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1703 conf.eap_server = hapd->conf->eap_server; 1704 conf.ssl_ctx = hapd->ssl_ctx; 1705 conf.msg_ctx = hapd->msg_ctx; 1706 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1707 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1708 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1709 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1710 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1711 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1712 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1713 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1714 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1715 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1716 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1717 conf.tnc = hapd->conf->tnc; 1718 conf.wps = hapd->wps; 1719 conf.fragment_size = hapd->conf->fragment_size; 1720 conf.pwd_group = hapd->conf->pwd_group; 1721 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1722 if (hapd->conf->server_id) { 1723 conf.server_id = (const u8 *) hapd->conf->server_id; 1724 conf.server_id_len = os_strlen(hapd->conf->server_id); 1725 } else { 1726 conf.server_id = (const u8 *) "hostapd"; 1727 conf.server_id_len = 7; 1728 } 1729 1730 os_memset(&cb, 0, sizeof(cb)); 1731 cb.eapol_send = ieee802_1x_eapol_send; 1732 cb.aaa_send = ieee802_1x_aaa_send; 1733 cb.finished = _ieee802_1x_finished; 1734 cb.get_eap_user = ieee802_1x_get_eap_user; 1735 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1736 cb.logger = ieee802_1x_logger; 1737 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1738 cb.abort_auth = _ieee802_1x_abort_auth; 1739 cb.tx_key = _ieee802_1x_tx_key; 1740 cb.eapol_event = ieee802_1x_eapol_event; 1741 1742 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1743 if (hapd->eapol_auth == NULL) 1744 return -1; 1745 1746 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1747 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1748 return -1; 1749 1750#ifndef CONFIG_NO_RADIUS 1751 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1752 ieee802_1x_receive_auth, hapd)) 1753 return -1; 1754#endif /* CONFIG_NO_RADIUS */ 1755 1756 if (hapd->conf->default_wep_key_len) { 1757 for (i = 0; i < 4; i++) 1758 hostapd_drv_set_key(hapd->conf->iface, hapd, 1759 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1760 NULL, 0); 1761 1762 ieee802_1x_rekey(hapd, NULL); 1763 1764 if (hapd->eapol_auth->default_wep_key == NULL) 1765 return -1; 1766 } 1767 1768 return 0; 1769} 1770 1771 1772void ieee802_1x_deinit(struct hostapd_data *hapd) 1773{ 1774 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1775 1776 if (hapd->driver != NULL && 1777 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1778 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1779 1780 eapol_auth_deinit(hapd->eapol_auth); 1781 hapd->eapol_auth = NULL; 1782} 1783 1784 1785int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1786 const u8 *buf, size_t len, int ack) 1787{ 1788 struct ieee80211_hdr *hdr; 1789 u8 *pos; 1790 const unsigned char rfc1042_hdr[ETH_ALEN] = 1791 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1792 1793 if (sta == NULL) 1794 return -1; 1795 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 1796 return 0; 1797 1798 hdr = (struct ieee80211_hdr *) buf; 1799 pos = (u8 *) (hdr + 1); 1800 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1801 return 0; 1802 pos += sizeof(rfc1042_hdr); 1803 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1804 return 0; 1805 pos += 2; 1806 1807 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 1808 ack); 1809} 1810 1811 1812int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1813 const u8 *buf, int len, int ack) 1814{ 1815 const struct ieee802_1x_hdr *xhdr = 1816 (const struct ieee802_1x_hdr *) buf; 1817 const u8 *pos = buf + sizeof(*xhdr); 1818 struct ieee802_1x_eapol_key *key; 1819 1820 if (len < (int) sizeof(*xhdr)) 1821 return 0; 1822 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1823 "type=%d length=%d - ack=%d", 1824 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1825 be_to_host16(xhdr->length), ack); 1826 1827 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 1828 return 0; 1829 1830 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1831 const struct wpa_eapol_key *wpa; 1832 wpa = (const struct wpa_eapol_key *) pos; 1833 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1834 wpa->type == EAPOL_KEY_TYPE_WPA) 1835 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1836 sta->wpa_sm, ack); 1837 } 1838 1839 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1840 * or Authenticator state machines, but EAPOL-Key packets are not 1841 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 1842 * packets couple of times because otherwise STA keys become 1843 * unsynchronized with AP. */ 1844 if (!ack && pos + sizeof(*key) <= buf + len) { 1845 key = (struct ieee802_1x_eapol_key *) pos; 1846 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1847 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1848 "frame (%scast index=%d)", 1849 key->key_index & BIT(7) ? "uni" : "broad", 1850 key->key_index & ~BIT(7)); 1851 /* TODO: re-send EAPOL-Key couple of times (with short delay 1852 * between them?). If all attempt fail, report error and 1853 * deauthenticate STA so that it will get new keys when 1854 * authenticating again (e.g., after returning in range). 1855 * Separate limit/transmit state needed both for unicast and 1856 * broadcast keys(?) */ 1857 } 1858 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1859 * to here and change the key only if the EAPOL-Key packet was Acked. 1860 */ 1861 1862 return 1; 1863} 1864 1865 1866u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1867{ 1868 if (sm == NULL || sm->identity == NULL) 1869 return NULL; 1870 1871 *len = sm->identity_len; 1872 return sm->identity; 1873} 1874 1875 1876u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1877 int idx) 1878{ 1879 if (sm == NULL || sm->radius_class.attr == NULL || 1880 idx >= (int) sm->radius_class.count) 1881 return NULL; 1882 1883 *len = sm->radius_class.attr[idx].len; 1884 return sm->radius_class.attr[idx].data; 1885} 1886 1887 1888struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 1889{ 1890 if (sm == NULL) 1891 return NULL; 1892 return sm->radius_cui; 1893} 1894 1895 1896const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 1897{ 1898 *len = 0; 1899 if (sm == NULL) 1900 return NULL; 1901 1902 *len = sm->eap_if->eapKeyDataLen; 1903 return sm->eap_if->eapKeyData; 1904} 1905 1906 1907void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 1908 int enabled) 1909{ 1910 if (sm == NULL) 1911 return; 1912 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 1913 eapol_auth_step(sm); 1914} 1915 1916 1917void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 1918 int valid) 1919{ 1920 if (sm == NULL) 1921 return; 1922 sm->portValid = valid ? TRUE : FALSE; 1923 eapol_auth_step(sm); 1924} 1925 1926 1927void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 1928{ 1929 if (sm == NULL) 1930 return; 1931 if (pre_auth) 1932 sm->flags |= EAPOL_SM_PREAUTH; 1933 else 1934 sm->flags &= ~EAPOL_SM_PREAUTH; 1935} 1936 1937 1938static const char * bool_txt(Boolean bool) 1939{ 1940 return bool ? "TRUE" : "FALSE"; 1941} 1942 1943 1944int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 1945{ 1946 /* TODO */ 1947 return 0; 1948} 1949 1950 1951int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 1952 char *buf, size_t buflen) 1953{ 1954 int len = 0, ret; 1955 struct eapol_state_machine *sm = sta->eapol_sm; 1956 struct os_time t; 1957 1958 if (sm == NULL) 1959 return 0; 1960 1961 ret = os_snprintf(buf + len, buflen - len, 1962 "dot1xPaePortNumber=%d\n" 1963 "dot1xPaePortProtocolVersion=%d\n" 1964 "dot1xPaePortCapabilities=1\n" 1965 "dot1xPaePortInitialize=%d\n" 1966 "dot1xPaePortReauthenticate=FALSE\n", 1967 sta->aid, 1968 EAPOL_VERSION, 1969 sm->initialize); 1970 if (ret < 0 || (size_t) ret >= buflen - len) 1971 return len; 1972 len += ret; 1973 1974 /* dot1xAuthConfigTable */ 1975 ret = os_snprintf(buf + len, buflen - len, 1976 "dot1xAuthPaeState=%d\n" 1977 "dot1xAuthBackendAuthState=%d\n" 1978 "dot1xAuthAdminControlledDirections=%d\n" 1979 "dot1xAuthOperControlledDirections=%d\n" 1980 "dot1xAuthAuthControlledPortStatus=%d\n" 1981 "dot1xAuthAuthControlledPortControl=%d\n" 1982 "dot1xAuthQuietPeriod=%u\n" 1983 "dot1xAuthServerTimeout=%u\n" 1984 "dot1xAuthReAuthPeriod=%u\n" 1985 "dot1xAuthReAuthEnabled=%s\n" 1986 "dot1xAuthKeyTxEnabled=%s\n", 1987 sm->auth_pae_state + 1, 1988 sm->be_auth_state + 1, 1989 sm->adminControlledDirections, 1990 sm->operControlledDirections, 1991 sm->authPortStatus, 1992 sm->portControl, 1993 sm->quietPeriod, 1994 sm->serverTimeout, 1995 sm->reAuthPeriod, 1996 bool_txt(sm->reAuthEnabled), 1997 bool_txt(sm->keyTxEnabled)); 1998 if (ret < 0 || (size_t) ret >= buflen - len) 1999 return len; 2000 len += ret; 2001 2002 /* dot1xAuthStatsTable */ 2003 ret = os_snprintf(buf + len, buflen - len, 2004 "dot1xAuthEapolFramesRx=%u\n" 2005 "dot1xAuthEapolFramesTx=%u\n" 2006 "dot1xAuthEapolStartFramesRx=%u\n" 2007 "dot1xAuthEapolLogoffFramesRx=%u\n" 2008 "dot1xAuthEapolRespIdFramesRx=%u\n" 2009 "dot1xAuthEapolRespFramesRx=%u\n" 2010 "dot1xAuthEapolReqIdFramesTx=%u\n" 2011 "dot1xAuthEapolReqFramesTx=%u\n" 2012 "dot1xAuthInvalidEapolFramesRx=%u\n" 2013 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2014 "dot1xAuthLastEapolFrameVersion=%u\n" 2015 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2016 sm->dot1xAuthEapolFramesRx, 2017 sm->dot1xAuthEapolFramesTx, 2018 sm->dot1xAuthEapolStartFramesRx, 2019 sm->dot1xAuthEapolLogoffFramesRx, 2020 sm->dot1xAuthEapolRespIdFramesRx, 2021 sm->dot1xAuthEapolRespFramesRx, 2022 sm->dot1xAuthEapolReqIdFramesTx, 2023 sm->dot1xAuthEapolReqFramesTx, 2024 sm->dot1xAuthInvalidEapolFramesRx, 2025 sm->dot1xAuthEapLengthErrorFramesRx, 2026 sm->dot1xAuthLastEapolFrameVersion, 2027 MAC2STR(sm->addr)); 2028 if (ret < 0 || (size_t) ret >= buflen - len) 2029 return len; 2030 len += ret; 2031 2032 /* dot1xAuthDiagTable */ 2033 ret = os_snprintf(buf + len, buflen - len, 2034 "dot1xAuthEntersConnecting=%u\n" 2035 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2036 "dot1xAuthEntersAuthenticating=%u\n" 2037 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2038 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2039 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2040 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2041 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2042 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2043 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2044 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2045 "dot1xAuthBackendResponses=%u\n" 2046 "dot1xAuthBackendAccessChallenges=%u\n" 2047 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2048 "dot1xAuthBackendAuthSuccesses=%u\n" 2049 "dot1xAuthBackendAuthFails=%u\n", 2050 sm->authEntersConnecting, 2051 sm->authEapLogoffsWhileConnecting, 2052 sm->authEntersAuthenticating, 2053 sm->authAuthSuccessesWhileAuthenticating, 2054 sm->authAuthTimeoutsWhileAuthenticating, 2055 sm->authAuthFailWhileAuthenticating, 2056 sm->authAuthEapStartsWhileAuthenticating, 2057 sm->authAuthEapLogoffWhileAuthenticating, 2058 sm->authAuthReauthsWhileAuthenticated, 2059 sm->authAuthEapStartsWhileAuthenticated, 2060 sm->authAuthEapLogoffWhileAuthenticated, 2061 sm->backendResponses, 2062 sm->backendAccessChallenges, 2063 sm->backendOtherRequestsToSupplicant, 2064 sm->backendAuthSuccesses, 2065 sm->backendAuthFails); 2066 if (ret < 0 || (size_t) ret >= buflen - len) 2067 return len; 2068 len += ret; 2069 2070 /* dot1xAuthSessionStatsTable */ 2071 os_get_time(&t); 2072 ret = os_snprintf(buf + len, buflen - len, 2073 /* TODO: dot1xAuthSessionOctetsRx */ 2074 /* TODO: dot1xAuthSessionOctetsTx */ 2075 /* TODO: dot1xAuthSessionFramesRx */ 2076 /* TODO: dot1xAuthSessionFramesTx */ 2077 "dot1xAuthSessionId=%08X-%08X\n" 2078 "dot1xAuthSessionAuthenticMethod=%d\n" 2079 "dot1xAuthSessionTime=%u\n" 2080 "dot1xAuthSessionTerminateCause=999\n" 2081 "dot1xAuthSessionUserName=%s\n", 2082 sta->acct_session_id_hi, sta->acct_session_id_lo, 2083 (wpa_key_mgmt_wpa_ieee8021x( 2084 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2085 1 : 2, 2086 (unsigned int) (t.sec - sta->acct_session_start), 2087 sm->identity); 2088 if (ret < 0 || (size_t) ret >= buflen - len) 2089 return len; 2090 len += ret; 2091 2092 return len; 2093} 2094 2095 2096static void ieee802_1x_finished(struct hostapd_data *hapd, 2097 struct sta_info *sta, int success) 2098{ 2099 const u8 *key; 2100 size_t len; 2101 /* TODO: get PMKLifetime from WPA parameters */ 2102 static const int dot11RSNAConfigPMKLifetime = 43200; 2103 2104 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2105 if (success && key && len >= PMK_LEN && 2106 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2107 sta->eapol_sm) == 0) { 2108 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2109 HOSTAPD_LEVEL_DEBUG, 2110 "Added PMKSA cache entry (IEEE 802.1X)"); 2111 } 2112 2113 if (!success) { 2114 /* 2115 * Many devices require deauthentication after WPS provisioning 2116 * and some may not be be able to do that themselves, so 2117 * disconnect the client here. In addition, this may also 2118 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2119 * the EAPOL PAE state machine would remain in HELD state for 2120 * considerable amount of time and some EAP methods, like 2121 * EAP-FAST with anonymous provisioning, may require another 2122 * EAPOL authentication to be started to complete connection. 2123 */ 2124 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2125 "disconnection after EAP-Failure"); 2126 /* Add a small sleep to increase likelihood of previously 2127 * requested EAP-Failure TX getting out before this should the 2128 * driver reorder operations. 2129 */ 2130 os_sleep(0, 10000); 2131#ifndef ANDROID_P2P 2132 /* We need not do this for driver. For AP-SME flags if we send this disassoc, 2133 * the p2p_client is gettig disassoc after it has completed the assoc 2134 */ 2135 ap_sta_disconnect(hapd, sta, sta->addr, 2136 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2137#endif 2138 } 2139} 2140