ieee802_1x.c revision d5e4923d04122f81300fa68fb07d64ede28fd44d
1/* 2 * hostapd / IEEE 802.1X-2004 Authenticator 3 * Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "utils/includes.h" 10 11#include "utils/common.h" 12#include "utils/eloop.h" 13#include "crypto/md5.h" 14#include "crypto/crypto.h" 15#include "crypto/random.h" 16#include "common/ieee802_11_defs.h" 17#include "radius/radius.h" 18#include "radius/radius_client.h" 19#include "eap_server/eap.h" 20#include "eap_common/eap_wsc_common.h" 21#include "eapol_auth/eapol_auth_sm.h" 22#include "eapol_auth/eapol_auth_sm_i.h" 23#include "p2p/p2p.h" 24#include "hostapd.h" 25#include "accounting.h" 26#include "sta_info.h" 27#include "wpa_auth.h" 28#include "preauth_auth.h" 29#include "pmksa_cache_auth.h" 30#include "ap_config.h" 31#include "ap_drv_ops.h" 32#include "ieee802_1x.h" 33 34 35static void ieee802_1x_finished(struct hostapd_data *hapd, 36 struct sta_info *sta, int success); 37 38 39static void ieee802_1x_send(struct hostapd_data *hapd, struct sta_info *sta, 40 u8 type, const u8 *data, size_t datalen) 41{ 42 u8 *buf; 43 struct ieee802_1x_hdr *xhdr; 44 size_t len; 45 int encrypt = 0; 46 47 len = sizeof(*xhdr) + datalen; 48 buf = os_zalloc(len); 49 if (buf == NULL) { 50 wpa_printf(MSG_ERROR, "malloc() failed for " 51 "ieee802_1x_send(len=%lu)", 52 (unsigned long) len); 53 return; 54 } 55 56 xhdr = (struct ieee802_1x_hdr *) buf; 57 xhdr->version = hapd->conf->eapol_version; 58 xhdr->type = type; 59 xhdr->length = host_to_be16(datalen); 60 61 if (datalen > 0 && data != NULL) 62 os_memcpy(xhdr + 1, data, datalen); 63 64 if (wpa_auth_pairwise_set(sta->wpa_sm)) 65 encrypt = 1; 66 if (sta->flags & WLAN_STA_PREAUTH) { 67 rsn_preauth_send(hapd, sta, buf, len); 68 } else { 69 hostapd_drv_hapd_send_eapol(hapd, sta->addr, buf, len, 70 encrypt, sta->flags); 71 } 72 73 os_free(buf); 74} 75 76 77void ieee802_1x_set_sta_authorized(struct hostapd_data *hapd, 78 struct sta_info *sta, int authorized) 79{ 80 int res; 81 82 if (sta->flags & WLAN_STA_PREAUTH) 83 return; 84 85 if (authorized) { 86 ap_sta_set_authorized(hapd, sta, 1); 87 res = hostapd_set_authorized(hapd, sta, 1); 88 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 89 HOSTAPD_LEVEL_DEBUG, "authorizing port"); 90 } else { 91 ap_sta_set_authorized(hapd, sta, 0); 92 res = hostapd_set_authorized(hapd, sta, 0); 93 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 94 HOSTAPD_LEVEL_DEBUG, "unauthorizing port"); 95 } 96 97 if (res && errno != ENOENT) { 98 printf("Could not set station " MACSTR " flags for kernel " 99 "driver (errno=%d).\n", MAC2STR(sta->addr), errno); 100 } 101 102 if (authorized) { 103 os_get_time(&sta->connected_time); 104 accounting_sta_start(hapd, sta); 105 } 106} 107 108 109static void ieee802_1x_tx_key_one(struct hostapd_data *hapd, 110 struct sta_info *sta, 111 int idx, int broadcast, 112 u8 *key_data, size_t key_len) 113{ 114 u8 *buf, *ekey; 115 struct ieee802_1x_hdr *hdr; 116 struct ieee802_1x_eapol_key *key; 117 size_t len, ekey_len; 118 struct eapol_state_machine *sm = sta->eapol_sm; 119 120 if (sm == NULL) 121 return; 122 123 len = sizeof(*key) + key_len; 124 buf = os_zalloc(sizeof(*hdr) + len); 125 if (buf == NULL) 126 return; 127 128 hdr = (struct ieee802_1x_hdr *) buf; 129 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 130 key->type = EAPOL_KEY_TYPE_RC4; 131 WPA_PUT_BE16(key->key_length, key_len); 132 wpa_get_ntp_timestamp(key->replay_counter); 133 134 if (random_get_bytes(key->key_iv, sizeof(key->key_iv))) { 135 wpa_printf(MSG_ERROR, "Could not get random numbers"); 136 os_free(buf); 137 return; 138 } 139 140 key->key_index = idx | (broadcast ? 0 : BIT(7)); 141 if (hapd->conf->eapol_key_index_workaround) { 142 /* According to some information, WinXP Supplicant seems to 143 * interpret bit7 as an indication whether the key is to be 144 * activated, so make it possible to enable workaround that 145 * sets this bit for all keys. */ 146 key->key_index |= BIT(7); 147 } 148 149 /* Key is encrypted using "Key-IV + MSK[0..31]" as the RC4-key and 150 * MSK[32..63] is used to sign the message. */ 151 if (sm->eap_if->eapKeyData == NULL || sm->eap_if->eapKeyDataLen < 64) { 152 wpa_printf(MSG_ERROR, "No eapKeyData available for encrypting " 153 "and signing EAPOL-Key"); 154 os_free(buf); 155 return; 156 } 157 os_memcpy((u8 *) (key + 1), key_data, key_len); 158 ekey_len = sizeof(key->key_iv) + 32; 159 ekey = os_malloc(ekey_len); 160 if (ekey == NULL) { 161 wpa_printf(MSG_ERROR, "Could not encrypt key"); 162 os_free(buf); 163 return; 164 } 165 os_memcpy(ekey, key->key_iv, sizeof(key->key_iv)); 166 os_memcpy(ekey + sizeof(key->key_iv), sm->eap_if->eapKeyData, 32); 167 rc4_skip(ekey, ekey_len, 0, (u8 *) (key + 1), key_len); 168 os_free(ekey); 169 170 /* This header is needed here for HMAC-MD5, but it will be regenerated 171 * in ieee802_1x_send() */ 172 hdr->version = hapd->conf->eapol_version; 173 hdr->type = IEEE802_1X_TYPE_EAPOL_KEY; 174 hdr->length = host_to_be16(len); 175 hmac_md5(sm->eap_if->eapKeyData + 32, 32, buf, sizeof(*hdr) + len, 176 key->key_signature); 177 178 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key to " MACSTR 179 " (%s index=%d)", MAC2STR(sm->addr), 180 broadcast ? "broadcast" : "unicast", idx); 181 ieee802_1x_send(hapd, sta, IEEE802_1X_TYPE_EAPOL_KEY, (u8 *) key, len); 182 if (sta->eapol_sm) 183 sta->eapol_sm->dot1xAuthEapolFramesTx++; 184 os_free(buf); 185} 186 187 188#ifndef CONFIG_NO_VLAN 189static struct hostapd_wep_keys * 190ieee802_1x_group_alloc(struct hostapd_data *hapd, const char *ifname) 191{ 192 struct hostapd_wep_keys *key; 193 194 key = os_zalloc(sizeof(*key)); 195 if (key == NULL) 196 return NULL; 197 198 key->default_len = hapd->conf->default_wep_key_len; 199 200 if (key->idx >= hapd->conf->broadcast_key_idx_max || 201 key->idx < hapd->conf->broadcast_key_idx_min) 202 key->idx = hapd->conf->broadcast_key_idx_min; 203 else 204 key->idx++; 205 206 if (!key->key[key->idx]) 207 key->key[key->idx] = os_malloc(key->default_len); 208 if (key->key[key->idx] == NULL || 209 random_get_bytes(key->key[key->idx], key->default_len)) { 210 printf("Could not generate random WEP key (dynamic VLAN).\n"); 211 os_free(key->key[key->idx]); 212 key->key[key->idx] = NULL; 213 os_free(key); 214 return NULL; 215 } 216 key->len[key->idx] = key->default_len; 217 218 wpa_printf(MSG_DEBUG, "%s: Default WEP idx %d for dynamic VLAN\n", 219 ifname, key->idx); 220 wpa_hexdump_key(MSG_DEBUG, "Default WEP key (dynamic VLAN)", 221 key->key[key->idx], key->len[key->idx]); 222 223 if (hostapd_drv_set_key(ifname, hapd, WPA_ALG_WEP, 224 broadcast_ether_addr, key->idx, 1, 225 NULL, 0, key->key[key->idx], 226 key->len[key->idx])) 227 printf("Could not set dynamic VLAN WEP encryption key.\n"); 228 229 hostapd_set_drv_ieee8021x(hapd, ifname, 1); 230 231 return key; 232} 233 234 235static struct hostapd_wep_keys * 236ieee802_1x_get_group(struct hostapd_data *hapd, struct hostapd_ssid *ssid, 237 size_t vlan_id) 238{ 239 const char *ifname; 240 241 if (vlan_id == 0) 242 return &ssid->wep; 243 244 if (vlan_id <= ssid->max_dyn_vlan_keys && ssid->dyn_vlan_keys && 245 ssid->dyn_vlan_keys[vlan_id]) 246 return ssid->dyn_vlan_keys[vlan_id]; 247 248 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Creating new group " 249 "state machine for VLAN ID %lu", 250 (unsigned long) vlan_id); 251 252 ifname = hostapd_get_vlan_id_ifname(hapd->conf->vlan, vlan_id); 253 if (ifname == NULL) { 254 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Unknown VLAN ID %lu - " 255 "cannot create group key state machine", 256 (unsigned long) vlan_id); 257 return NULL; 258 } 259 260 if (ssid->dyn_vlan_keys == NULL) { 261 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 262 ssid->dyn_vlan_keys = os_zalloc(size); 263 if (ssid->dyn_vlan_keys == NULL) 264 return NULL; 265 ssid->max_dyn_vlan_keys = vlan_id; 266 } 267 268 if (ssid->max_dyn_vlan_keys < vlan_id) { 269 struct hostapd_wep_keys **na; 270 int size = (vlan_id + 1) * sizeof(ssid->dyn_vlan_keys[0]); 271 na = os_realloc(ssid->dyn_vlan_keys, size); 272 if (na == NULL) 273 return NULL; 274 ssid->dyn_vlan_keys = na; 275 os_memset(&ssid->dyn_vlan_keys[ssid->max_dyn_vlan_keys + 1], 0, 276 (vlan_id - ssid->max_dyn_vlan_keys) * 277 sizeof(ssid->dyn_vlan_keys[0])); 278 ssid->max_dyn_vlan_keys = vlan_id; 279 } 280 281 ssid->dyn_vlan_keys[vlan_id] = ieee802_1x_group_alloc(hapd, ifname); 282 283 return ssid->dyn_vlan_keys[vlan_id]; 284} 285#endif /* CONFIG_NO_VLAN */ 286 287 288void ieee802_1x_tx_key(struct hostapd_data *hapd, struct sta_info *sta) 289{ 290 struct eapol_authenticator *eapol = hapd->eapol_auth; 291 struct eapol_state_machine *sm = sta->eapol_sm; 292#ifndef CONFIG_NO_VLAN 293 struct hostapd_wep_keys *key = NULL; 294 int vlan_id; 295#endif /* CONFIG_NO_VLAN */ 296 297 if (sm == NULL || !sm->eap_if->eapKeyData) 298 return; 299 300 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Sending EAPOL-Key(s) to " MACSTR, 301 MAC2STR(sta->addr)); 302 303#ifndef CONFIG_NO_VLAN 304 vlan_id = sta->vlan_id; 305 if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) 306 vlan_id = 0; 307 308 if (vlan_id) { 309 key = ieee802_1x_get_group(hapd, sta->ssid, vlan_id); 310 if (key && key->key[key->idx]) 311 ieee802_1x_tx_key_one(hapd, sta, key->idx, 1, 312 key->key[key->idx], 313 key->len[key->idx]); 314 } else 315#endif /* CONFIG_NO_VLAN */ 316 if (eapol->default_wep_key) { 317 ieee802_1x_tx_key_one(hapd, sta, eapol->default_wep_key_idx, 1, 318 eapol->default_wep_key, 319 hapd->conf->default_wep_key_len); 320 } 321 322 if (hapd->conf->individual_wep_key_len > 0) { 323 u8 *ikey; 324 ikey = os_malloc(hapd->conf->individual_wep_key_len); 325 if (ikey == NULL || 326 random_get_bytes(ikey, hapd->conf->individual_wep_key_len)) 327 { 328 wpa_printf(MSG_ERROR, "Could not generate random " 329 "individual WEP key."); 330 os_free(ikey); 331 return; 332 } 333 334 wpa_hexdump_key(MSG_DEBUG, "Individual WEP key", 335 ikey, hapd->conf->individual_wep_key_len); 336 337 ieee802_1x_tx_key_one(hapd, sta, 0, 0, ikey, 338 hapd->conf->individual_wep_key_len); 339 340 /* TODO: set encryption in TX callback, i.e., only after STA 341 * has ACKed EAPOL-Key frame */ 342 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 343 sta->addr, 0, 1, NULL, 0, ikey, 344 hapd->conf->individual_wep_key_len)) { 345 wpa_printf(MSG_ERROR, "Could not set individual WEP " 346 "encryption."); 347 } 348 349 os_free(ikey); 350 } 351} 352 353 354const char *radius_mode_txt(struct hostapd_data *hapd) 355{ 356 switch (hapd->iface->conf->hw_mode) { 357 case HOSTAPD_MODE_IEEE80211A: 358 return "802.11a"; 359 case HOSTAPD_MODE_IEEE80211G: 360 return "802.11g"; 361 case HOSTAPD_MODE_IEEE80211B: 362 default: 363 return "802.11b"; 364 } 365} 366 367 368int radius_sta_rate(struct hostapd_data *hapd, struct sta_info *sta) 369{ 370 int i; 371 u8 rate = 0; 372 373 for (i = 0; i < sta->supported_rates_len; i++) 374 if ((sta->supported_rates[i] & 0x7f) > rate) 375 rate = sta->supported_rates[i] & 0x7f; 376 377 return rate; 378} 379 380 381#ifndef CONFIG_NO_RADIUS 382static void ieee802_1x_learn_identity(struct hostapd_data *hapd, 383 struct eapol_state_machine *sm, 384 const u8 *eap, size_t len) 385{ 386 const u8 *identity; 387 size_t identity_len; 388 389 if (len <= sizeof(struct eap_hdr) || 390 eap[sizeof(struct eap_hdr)] != EAP_TYPE_IDENTITY) 391 return; 392 393 identity = eap_get_identity(sm->eap, &identity_len); 394 if (identity == NULL) 395 return; 396 397 /* Save station identity for future RADIUS packets */ 398 os_free(sm->identity); 399 sm->identity = os_malloc(identity_len + 1); 400 if (sm->identity == NULL) { 401 sm->identity_len = 0; 402 return; 403 } 404 405 os_memcpy(sm->identity, identity, identity_len); 406 sm->identity_len = identity_len; 407 sm->identity[identity_len] = '\0'; 408 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 409 HOSTAPD_LEVEL_DEBUG, "STA identity '%s'", sm->identity); 410 sm->dot1xAuthEapolRespIdFramesRx++; 411} 412 413 414static int add_common_radius_sta_attr(struct hostapd_data *hapd, 415 struct hostapd_radius_attr *req_attr, 416 struct sta_info *sta, 417 struct radius_msg *msg) 418{ 419 char buf[128]; 420 421 if (!hostapd_config_get_radius_attr(req_attr, 422 RADIUS_ATTR_NAS_PORT) && 423 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT, sta->aid)) { 424 wpa_printf(MSG_ERROR, "Could not add NAS-Port"); 425 return -1; 426 } 427 428 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT, 429 MAC2STR(sta->addr)); 430 buf[sizeof(buf) - 1] = '\0'; 431 if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID, 432 (u8 *) buf, os_strlen(buf))) { 433 wpa_printf(MSG_ERROR, "Could not add Calling-Station-Id"); 434 return -1; 435 } 436 437 if (sta->flags & WLAN_STA_PREAUTH) { 438 os_strlcpy(buf, "IEEE 802.11i Pre-Authentication", 439 sizeof(buf)); 440 } else { 441 os_snprintf(buf, sizeof(buf), "CONNECT %d%sMbps %s", 442 radius_sta_rate(hapd, sta) / 2, 443 (radius_sta_rate(hapd, sta) & 1) ? ".5" : "", 444 radius_mode_txt(hapd)); 445 buf[sizeof(buf) - 1] = '\0'; 446 } 447 if (!hostapd_config_get_radius_attr(req_attr, 448 RADIUS_ATTR_CONNECT_INFO) && 449 !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO, 450 (u8 *) buf, os_strlen(buf))) { 451 wpa_printf(MSG_ERROR, "Could not add Connect-Info"); 452 return -1; 453 } 454 455 return 0; 456} 457 458 459int add_common_radius_attr(struct hostapd_data *hapd, 460 struct hostapd_radius_attr *req_attr, 461 struct sta_info *sta, 462 struct radius_msg *msg) 463{ 464 char buf[128]; 465 struct hostapd_radius_attr *attr; 466 467 if (!hostapd_config_get_radius_attr(req_attr, 468 RADIUS_ATTR_NAS_IP_ADDRESS) && 469 hapd->conf->own_ip_addr.af == AF_INET && 470 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 471 (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) { 472 wpa_printf(MSG_ERROR, "Could not add NAS-IP-Address"); 473 return -1; 474 } 475 476#ifdef CONFIG_IPV6 477 if (!hostapd_config_get_radius_attr(req_attr, 478 RADIUS_ATTR_NAS_IPV6_ADDRESS) && 479 hapd->conf->own_ip_addr.af == AF_INET6 && 480 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 481 (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) { 482 wpa_printf(MSG_ERROR, "Could not add NAS-IPv6-Address"); 483 return -1; 484 } 485#endif /* CONFIG_IPV6 */ 486 487 if (!hostapd_config_get_radius_attr(req_attr, 488 RADIUS_ATTR_NAS_IDENTIFIER) && 489 hapd->conf->nas_identifier && 490 !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 491 (u8 *) hapd->conf->nas_identifier, 492 os_strlen(hapd->conf->nas_identifier))) { 493 wpa_printf(MSG_ERROR, "Could not add NAS-Identifier"); 494 return -1; 495 } 496 497 os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s", 498 MAC2STR(hapd->own_addr), 499 wpa_ssid_txt(hapd->conf->ssid.ssid, 500 hapd->conf->ssid.ssid_len)); 501 buf[sizeof(buf) - 1] = '\0'; 502 if (!hostapd_config_get_radius_attr(req_attr, 503 RADIUS_ATTR_CALLED_STATION_ID) && 504 !radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID, 505 (u8 *) buf, os_strlen(buf))) { 506 wpa_printf(MSG_ERROR, "Could not add Called-Station-Id"); 507 return -1; 508 } 509 510 if (!hostapd_config_get_radius_attr(req_attr, 511 RADIUS_ATTR_NAS_PORT_TYPE) && 512 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE, 513 RADIUS_NAS_PORT_TYPE_IEEE_802_11)) { 514 wpa_printf(MSG_ERROR, "Could not add NAS-Port-Type"); 515 return -1; 516 } 517 518 if (sta && add_common_radius_sta_attr(hapd, req_attr, sta, msg) < 0) 519 return -1; 520 521 for (attr = req_attr; attr; attr = attr->next) { 522 if (!radius_msg_add_attr(msg, attr->type, 523 wpabuf_head(attr->val), 524 wpabuf_len(attr->val))) { 525 wpa_printf(MSG_ERROR, "Could not add RADIUS " 526 "attribute"); 527 return -1; 528 } 529 } 530 531 return 0; 532} 533 534 535static void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, 536 struct sta_info *sta, 537 const u8 *eap, size_t len) 538{ 539 struct radius_msg *msg; 540 struct eapol_state_machine *sm = sta->eapol_sm; 541 542 if (sm == NULL) 543 return; 544 545 ieee802_1x_learn_identity(hapd, sm, eap, len); 546 547 wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS " 548 "packet"); 549 550 sm->radius_identifier = radius_client_get_id(hapd->radius); 551 msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, 552 sm->radius_identifier); 553 if (msg == NULL) { 554 printf("Could not create net RADIUS packet\n"); 555 return; 556 } 557 558 radius_msg_make_authenticator(msg, (u8 *) sta, sizeof(*sta)); 559 560 if (sm->identity && 561 !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, 562 sm->identity, sm->identity_len)) { 563 printf("Could not add User-Name\n"); 564 goto fail; 565 } 566 567 if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr, sta, 568 msg) < 0) 569 goto fail; 570 571 /* TODO: should probably check MTU from driver config; 2304 is max for 572 * IEEE 802.11, but use 1400 to avoid problems with too large packets 573 */ 574 if (!hostapd_config_get_radius_attr(hapd->conf->radius_auth_req_attr, 575 RADIUS_ATTR_FRAMED_MTU) && 576 !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) { 577 printf("Could not add Framed-MTU\n"); 578 goto fail; 579 } 580 581 if (eap && !radius_msg_add_eap(msg, eap, len)) { 582 printf("Could not add EAP-Message\n"); 583 goto fail; 584 } 585 586 /* State attribute must be copied if and only if this packet is 587 * Access-Request reply to the previous Access-Challenge */ 588 if (sm->last_recv_radius && 589 radius_msg_get_hdr(sm->last_recv_radius)->code == 590 RADIUS_CODE_ACCESS_CHALLENGE) { 591 int res = radius_msg_copy_attr(msg, sm->last_recv_radius, 592 RADIUS_ATTR_STATE); 593 if (res < 0) { 594 printf("Could not copy State attribute from previous " 595 "Access-Challenge\n"); 596 goto fail; 597 } 598 if (res > 0) { 599 wpa_printf(MSG_DEBUG, "Copied RADIUS State Attribute"); 600 } 601 } 602 603 if (hapd->conf->radius_request_cui) { 604 const u8 *cui; 605 size_t cui_len; 606 /* Add previously learned CUI or nul CUI to request CUI */ 607 if (sm->radius_cui) { 608 cui = wpabuf_head(sm->radius_cui); 609 cui_len = wpabuf_len(sm->radius_cui); 610 } else { 611 cui = (const u8 *) "\0"; 612 cui_len = 1; 613 } 614 if (!radius_msg_add_attr(msg, 615 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 616 cui, cui_len)) { 617 wpa_printf(MSG_ERROR, "Could not add CUI"); 618 goto fail; 619 } 620 } 621 622 if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, sta->addr) < 0) 623 goto fail; 624 625 return; 626 627 fail: 628 radius_msg_free(msg); 629} 630#endif /* CONFIG_NO_RADIUS */ 631 632 633static void handle_eap_response(struct hostapd_data *hapd, 634 struct sta_info *sta, struct eap_hdr *eap, 635 size_t len) 636{ 637 u8 type, *data; 638 struct eapol_state_machine *sm = sta->eapol_sm; 639 if (sm == NULL) 640 return; 641 642 data = (u8 *) (eap + 1); 643 644 if (len < sizeof(*eap) + 1) { 645 printf("handle_eap_response: too short response data\n"); 646 return; 647 } 648 649 sm->eap_type_supp = type = data[0]; 650 651 hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 652 HOSTAPD_LEVEL_DEBUG, "received EAP packet (code=%d " 653 "id=%d len=%d) from STA: EAP Response-%s (%d)", 654 eap->code, eap->identifier, be_to_host16(eap->length), 655 eap_server_get_name(0, type), type); 656 657 sm->dot1xAuthEapolRespFramesRx++; 658 659 wpabuf_free(sm->eap_if->eapRespData); 660 sm->eap_if->eapRespData = wpabuf_alloc_copy(eap, len); 661 sm->eapolEap = TRUE; 662} 663 664 665/* Process incoming EAP packet from Supplicant */ 666static void handle_eap(struct hostapd_data *hapd, struct sta_info *sta, 667 u8 *buf, size_t len) 668{ 669 struct eap_hdr *eap; 670 u16 eap_len; 671 672 if (len < sizeof(*eap)) { 673 printf(" too short EAP packet\n"); 674 return; 675 } 676 677 eap = (struct eap_hdr *) buf; 678 679 eap_len = be_to_host16(eap->length); 680 wpa_printf(MSG_DEBUG, "EAP: code=%d identifier=%d length=%d", 681 eap->code, eap->identifier, eap_len); 682 if (eap_len < sizeof(*eap)) { 683 wpa_printf(MSG_DEBUG, " Invalid EAP length"); 684 return; 685 } else if (eap_len > len) { 686 wpa_printf(MSG_DEBUG, " Too short frame to contain this EAP " 687 "packet"); 688 return; 689 } else if (eap_len < len) { 690 wpa_printf(MSG_DEBUG, " Ignoring %lu extra bytes after EAP " 691 "packet", (unsigned long) len - eap_len); 692 } 693 694 switch (eap->code) { 695 case EAP_CODE_REQUEST: 696 wpa_printf(MSG_DEBUG, " (request)"); 697 return; 698 case EAP_CODE_RESPONSE: 699 wpa_printf(MSG_DEBUG, " (response)"); 700 handle_eap_response(hapd, sta, eap, eap_len); 701 break; 702 case EAP_CODE_SUCCESS: 703 wpa_printf(MSG_DEBUG, " (success)"); 704 return; 705 case EAP_CODE_FAILURE: 706 wpa_printf(MSG_DEBUG, " (failure)"); 707 return; 708 default: 709 wpa_printf(MSG_DEBUG, " (unknown code)"); 710 return; 711 } 712} 713 714 715static struct eapol_state_machine * 716ieee802_1x_alloc_eapol_sm(struct hostapd_data *hapd, struct sta_info *sta) 717{ 718 int flags = 0; 719 if (sta->flags & WLAN_STA_PREAUTH) 720 flags |= EAPOL_SM_PREAUTH; 721 if (sta->wpa_sm) { 722 flags |= EAPOL_SM_USES_WPA; 723 if (wpa_auth_sta_get_pmksa(sta->wpa_sm)) 724 flags |= EAPOL_SM_FROM_PMKSA_CACHE; 725 } 726 return eapol_auth_alloc(hapd->eapol_auth, sta->addr, flags, 727 sta->wps_ie, sta->p2p_ie, sta, 728 sta->identity, sta->radius_cui); 729} 730 731 732/** 733 * ieee802_1x_receive - Process the EAPOL frames from the Supplicant 734 * @hapd: hostapd BSS data 735 * @sa: Source address (sender of the EAPOL frame) 736 * @buf: EAPOL frame 737 * @len: Length of buf in octets 738 * 739 * This function is called for each incoming EAPOL frame from the interface 740 */ 741void ieee802_1x_receive(struct hostapd_data *hapd, const u8 *sa, const u8 *buf, 742 size_t len) 743{ 744 struct sta_info *sta; 745 struct ieee802_1x_hdr *hdr; 746 struct ieee802_1x_eapol_key *key; 747 u16 datalen; 748 struct rsn_pmksa_cache_entry *pmksa; 749 int key_mgmt; 750 751 if (!hapd->conf->ieee802_1x && !hapd->conf->wpa && 752 !hapd->conf->wps_state) 753 return; 754 755 wpa_printf(MSG_DEBUG, "IEEE 802.1X: %lu bytes from " MACSTR, 756 (unsigned long) len, MAC2STR(sa)); 757 sta = ap_get_sta(hapd, sa); 758 if (!sta || (!(sta->flags & (WLAN_STA_ASSOC | WLAN_STA_PREAUTH)) && 759 !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED))) { 760 wpa_printf(MSG_DEBUG, "IEEE 802.1X data frame from not " 761 "associated/Pre-authenticating STA"); 762 return; 763 } 764 765 if (len < sizeof(*hdr)) { 766 printf(" too short IEEE 802.1X packet\n"); 767 return; 768 } 769 770 hdr = (struct ieee802_1x_hdr *) buf; 771 datalen = be_to_host16(hdr->length); 772 wpa_printf(MSG_DEBUG, " IEEE 802.1X: version=%d type=%d length=%d", 773 hdr->version, hdr->type, datalen); 774 775 if (len - sizeof(*hdr) < datalen) { 776 printf(" frame too short for this IEEE 802.1X packet\n"); 777 if (sta->eapol_sm) 778 sta->eapol_sm->dot1xAuthEapLengthErrorFramesRx++; 779 return; 780 } 781 if (len - sizeof(*hdr) > datalen) { 782 wpa_printf(MSG_DEBUG, " ignoring %lu extra octets after " 783 "IEEE 802.1X packet", 784 (unsigned long) len - sizeof(*hdr) - datalen); 785 } 786 787 if (sta->eapol_sm) { 788 sta->eapol_sm->dot1xAuthLastEapolFrameVersion = hdr->version; 789 sta->eapol_sm->dot1xAuthEapolFramesRx++; 790 } 791 792 key = (struct ieee802_1x_eapol_key *) (hdr + 1); 793 if (datalen >= sizeof(struct ieee802_1x_eapol_key) && 794 hdr->type == IEEE802_1X_TYPE_EAPOL_KEY && 795 (key->type == EAPOL_KEY_TYPE_WPA || 796 key->type == EAPOL_KEY_TYPE_RSN)) { 797 wpa_receive(hapd->wpa_auth, sta->wpa_sm, (u8 *) hdr, 798 sizeof(*hdr) + datalen); 799 return; 800 } 801 802 if (!hapd->conf->ieee802_1x && 803 !(sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 804 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 805 "802.1X not enabled and WPS not used"); 806 return; 807 } 808 809 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 810 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 811 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore EAPOL message - " 812 "STA is using PSK"); 813 return; 814 } 815 816 if (!sta->eapol_sm) { 817 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 818 if (!sta->eapol_sm) 819 return; 820 821#ifdef CONFIG_WPS 822 if (!hapd->conf->ieee802_1x) { 823 u32 wflags = sta->flags & (WLAN_STA_WPS | 824 WLAN_STA_WPS2 | 825 WLAN_STA_MAYBE_WPS); 826 if (wflags == WLAN_STA_MAYBE_WPS || 827 wflags == (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) { 828 /* 829 * Delay EAPOL frame transmission until a 830 * possible WPS STA initiates the handshake 831 * with EAPOL-Start. Only allow the wait to be 832 * skipped if the STA is known to support WPS 833 * 2.0. 834 */ 835 wpa_printf(MSG_DEBUG, "WPS: Do not start " 836 "EAPOL until EAPOL-Start is " 837 "received"); 838 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 839 } 840 } 841#endif /* CONFIG_WPS */ 842 843 sta->eapol_sm->eap_if->portEnabled = TRUE; 844 } 845 846 /* since we support version 1, we can ignore version field and proceed 847 * as specified in version 1 standard [IEEE Std 802.1X-2001, 7.5.5] */ 848 /* TODO: actually, we are not version 1 anymore.. However, Version 2 849 * does not change frame contents, so should be ok to process frames 850 * more or less identically. Some changes might be needed for 851 * verification of fields. */ 852 853 switch (hdr->type) { 854 case IEEE802_1X_TYPE_EAP_PACKET: 855 handle_eap(hapd, sta, (u8 *) (hdr + 1), datalen); 856 break; 857 858 case IEEE802_1X_TYPE_EAPOL_START: 859 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 860 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Start " 861 "from STA"); 862 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 863 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 864 if (pmksa) { 865 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 866 HOSTAPD_LEVEL_DEBUG, "cached PMKSA " 867 "available - ignore it since " 868 "STA sent EAPOL-Start"); 869 wpa_auth_sta_clear_pmksa(sta->wpa_sm, pmksa); 870 } 871 sta->eapol_sm->eapolStart = TRUE; 872 sta->eapol_sm->dot1xAuthEapolStartFramesRx++; 873 eap_server_clear_identity(sta->eapol_sm->eap); 874 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 875 break; 876 877 case IEEE802_1X_TYPE_EAPOL_LOGOFF: 878 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 879 HOSTAPD_LEVEL_DEBUG, "received EAPOL-Logoff " 880 "from STA"); 881 sta->acct_terminate_cause = 882 RADIUS_ACCT_TERMINATE_CAUSE_USER_REQUEST; 883 accounting_sta_stop(hapd, sta); 884 sta->eapol_sm->eapolLogoff = TRUE; 885 sta->eapol_sm->dot1xAuthEapolLogoffFramesRx++; 886 eap_server_clear_identity(sta->eapol_sm->eap); 887 break; 888 889 case IEEE802_1X_TYPE_EAPOL_KEY: 890 wpa_printf(MSG_DEBUG, " EAPOL-Key"); 891 if (!ap_sta_is_authorized(sta)) { 892 wpa_printf(MSG_DEBUG, " Dropped key data from " 893 "unauthorized Supplicant"); 894 break; 895 } 896 break; 897 898 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT: 899 wpa_printf(MSG_DEBUG, " EAPOL-Encapsulated-ASF-Alert"); 900 /* TODO: implement support for this; show data */ 901 break; 902 903 default: 904 wpa_printf(MSG_DEBUG, " unknown IEEE 802.1X packet type"); 905 sta->eapol_sm->dot1xAuthInvalidEapolFramesRx++; 906 break; 907 } 908 909 eapol_auth_step(sta->eapol_sm); 910} 911 912 913/** 914 * ieee802_1x_new_station - Start IEEE 802.1X authentication 915 * @hapd: hostapd BSS data 916 * @sta: The station 917 * 918 * This function is called to start IEEE 802.1X authentication when a new 919 * station completes IEEE 802.11 association. 920 */ 921void ieee802_1x_new_station(struct hostapd_data *hapd, struct sta_info *sta) 922{ 923 struct rsn_pmksa_cache_entry *pmksa; 924 int reassoc = 1; 925 int force_1x = 0; 926 int key_mgmt; 927 928#ifdef CONFIG_WPS 929 if (hapd->conf->wps_state && hapd->conf->wpa && 930 (sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS))) { 931 /* 932 * Need to enable IEEE 802.1X/EAPOL state machines for possible 933 * WPS handshake even if IEEE 802.1X/EAPOL is not used for 934 * authentication in this BSS. 935 */ 936 force_1x = 1; 937 } 938#endif /* CONFIG_WPS */ 939 940 if (!force_1x && !hapd->conf->ieee802_1x) { 941 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - " 942 "802.1X not enabled or forced for WPS"); 943 /* 944 * Clear any possible EAPOL authenticator state to support 945 * reassociation change from WPS to PSK. 946 */ 947 ieee802_1x_free_station(sta); 948 return; 949 } 950 951 key_mgmt = wpa_auth_sta_key_mgmt(sta->wpa_sm); 952 if (key_mgmt != -1 && wpa_key_mgmt_wpa_psk(key_mgmt)) { 953 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Ignore STA - using PSK"); 954 /* 955 * Clear any possible EAPOL authenticator state to support 956 * reassociation change from WPA-EAP to PSK. 957 */ 958 ieee802_1x_free_station(sta); 959 return; 960 } 961 962 if (sta->eapol_sm == NULL) { 963 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 964 HOSTAPD_LEVEL_DEBUG, "start authentication"); 965 sta->eapol_sm = ieee802_1x_alloc_eapol_sm(hapd, sta); 966 if (sta->eapol_sm == NULL) { 967 hostapd_logger(hapd, sta->addr, 968 HOSTAPD_MODULE_IEEE8021X, 969 HOSTAPD_LEVEL_INFO, 970 "failed to allocate state machine"); 971 return; 972 } 973 reassoc = 0; 974 } 975 976#ifdef CONFIG_WPS 977 sta->eapol_sm->flags &= ~EAPOL_SM_WAIT_START; 978 if (!hapd->conf->ieee802_1x && !(sta->flags & WLAN_STA_WPS2)) { 979 /* 980 * Delay EAPOL frame transmission until a possible WPS STA 981 * initiates the handshake with EAPOL-Start. Only allow the 982 * wait to be skipped if the STA is known to support WPS 2.0. 983 */ 984 wpa_printf(MSG_DEBUG, "WPS: Do not start EAPOL until " 985 "EAPOL-Start is received"); 986 sta->eapol_sm->flags |= EAPOL_SM_WAIT_START; 987 } 988#endif /* CONFIG_WPS */ 989 990 sta->eapol_sm->eap_if->portEnabled = TRUE; 991 992#ifdef CONFIG_IEEE80211R 993 if (sta->auth_alg == WLAN_AUTH_FT) { 994 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 995 HOSTAPD_LEVEL_DEBUG, 996 "PMK from FT - skip IEEE 802.1X/EAP"); 997 /* Setup EAPOL state machines to already authenticated state 998 * because of existing FT information from R0KH. */ 999 sta->eapol_sm->keyRun = TRUE; 1000 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1001 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1002 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1003 sta->eapol_sm->authSuccess = TRUE; 1004 sta->eapol_sm->authFail = FALSE; 1005 if (sta->eapol_sm->eap) 1006 eap_sm_notify_cached(sta->eapol_sm->eap); 1007 /* TODO: get vlan_id from R0KH using RRB message */ 1008 return; 1009 } 1010#endif /* CONFIG_IEEE80211R */ 1011 1012 pmksa = wpa_auth_sta_get_pmksa(sta->wpa_sm); 1013 if (pmksa) { 1014 int old_vlanid; 1015 1016 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1017 HOSTAPD_LEVEL_DEBUG, 1018 "PMK from PMKSA cache - skip IEEE 802.1X/EAP"); 1019 /* Setup EAPOL state machines to already authenticated state 1020 * because of existing PMKSA information in the cache. */ 1021 sta->eapol_sm->keyRun = TRUE; 1022 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1023 sta->eapol_sm->auth_pae_state = AUTH_PAE_AUTHENTICATING; 1024 sta->eapol_sm->be_auth_state = BE_AUTH_SUCCESS; 1025 sta->eapol_sm->authSuccess = TRUE; 1026 sta->eapol_sm->authFail = FALSE; 1027 if (sta->eapol_sm->eap) 1028 eap_sm_notify_cached(sta->eapol_sm->eap); 1029 old_vlanid = sta->vlan_id; 1030 pmksa_cache_to_eapol_data(pmksa, sta->eapol_sm); 1031 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1032 sta->vlan_id = 0; 1033 ap_sta_bind_vlan(hapd, sta, old_vlanid); 1034 } else { 1035 if (reassoc) { 1036 /* 1037 * Force EAPOL state machines to start 1038 * re-authentication without having to wait for the 1039 * Supplicant to send EAPOL-Start. 1040 */ 1041 sta->eapol_sm->reAuthenticate = TRUE; 1042 } 1043 eapol_auth_step(sta->eapol_sm); 1044 } 1045} 1046 1047 1048void ieee802_1x_free_station(struct sta_info *sta) 1049{ 1050 struct eapol_state_machine *sm = sta->eapol_sm; 1051 1052 if (sm == NULL) 1053 return; 1054 1055 sta->eapol_sm = NULL; 1056 1057#ifndef CONFIG_NO_RADIUS 1058 radius_msg_free(sm->last_recv_radius); 1059 radius_free_class(&sm->radius_class); 1060 wpabuf_free(sm->radius_cui); 1061#endif /* CONFIG_NO_RADIUS */ 1062 1063 os_free(sm->identity); 1064 eapol_auth_free(sm); 1065} 1066 1067 1068#ifndef CONFIG_NO_RADIUS 1069static void ieee802_1x_decapsulate_radius(struct hostapd_data *hapd, 1070 struct sta_info *sta) 1071{ 1072 struct wpabuf *eap; 1073 const struct eap_hdr *hdr; 1074 int eap_type = -1; 1075 char buf[64]; 1076 struct radius_msg *msg; 1077 struct eapol_state_machine *sm = sta->eapol_sm; 1078 1079 if (sm == NULL || sm->last_recv_radius == NULL) { 1080 if (sm) 1081 sm->eap_if->aaaEapNoReq = TRUE; 1082 return; 1083 } 1084 1085 msg = sm->last_recv_radius; 1086 1087 eap = radius_msg_get_eap(msg); 1088 if (eap == NULL) { 1089 /* RFC 3579, Chap. 2.6.3: 1090 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message 1091 * attribute */ 1092 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1093 HOSTAPD_LEVEL_WARNING, "could not extract " 1094 "EAP-Message from RADIUS message"); 1095 sm->eap_if->aaaEapNoReq = TRUE; 1096 return; 1097 } 1098 1099 if (wpabuf_len(eap) < sizeof(*hdr)) { 1100 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1101 HOSTAPD_LEVEL_WARNING, "too short EAP packet " 1102 "received from authentication server"); 1103 wpabuf_free(eap); 1104 sm->eap_if->aaaEapNoReq = TRUE; 1105 return; 1106 } 1107 1108 if (wpabuf_len(eap) > sizeof(*hdr)) 1109 eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)]; 1110 1111 hdr = wpabuf_head(eap); 1112 switch (hdr->code) { 1113 case EAP_CODE_REQUEST: 1114 if (eap_type >= 0) 1115 sm->eap_type_authsrv = eap_type; 1116 os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)", 1117 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1118 "??", 1119 eap_type); 1120 break; 1121 case EAP_CODE_RESPONSE: 1122 os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)", 1123 eap_type >= 0 ? eap_server_get_name(0, eap_type) : 1124 "??", 1125 eap_type); 1126 break; 1127 case EAP_CODE_SUCCESS: 1128 os_strlcpy(buf, "EAP Success", sizeof(buf)); 1129 break; 1130 case EAP_CODE_FAILURE: 1131 os_strlcpy(buf, "EAP Failure", sizeof(buf)); 1132 break; 1133 default: 1134 os_strlcpy(buf, "unknown EAP code", sizeof(buf)); 1135 break; 1136 } 1137 buf[sizeof(buf) - 1] = '\0'; 1138 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1139 HOSTAPD_LEVEL_DEBUG, "decapsulated EAP packet (code=%d " 1140 "id=%d len=%d) from RADIUS server: %s", 1141 hdr->code, hdr->identifier, be_to_host16(hdr->length), 1142 buf); 1143 sm->eap_if->aaaEapReq = TRUE; 1144 1145 wpabuf_free(sm->eap_if->aaaEapReqData); 1146 sm->eap_if->aaaEapReqData = eap; 1147} 1148 1149 1150static void ieee802_1x_get_keys(struct hostapd_data *hapd, 1151 struct sta_info *sta, struct radius_msg *msg, 1152 struct radius_msg *req, 1153 const u8 *shared_secret, 1154 size_t shared_secret_len) 1155{ 1156 struct radius_ms_mppe_keys *keys; 1157 struct eapol_state_machine *sm = sta->eapol_sm; 1158 if (sm == NULL) 1159 return; 1160 1161 keys = radius_msg_get_ms_keys(msg, req, shared_secret, 1162 shared_secret_len); 1163 1164 if (keys && keys->send && keys->recv) { 1165 size_t len = keys->send_len + keys->recv_len; 1166 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key", 1167 keys->send, keys->send_len); 1168 wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key", 1169 keys->recv, keys->recv_len); 1170 1171 os_free(sm->eap_if->aaaEapKeyData); 1172 sm->eap_if->aaaEapKeyData = os_malloc(len); 1173 if (sm->eap_if->aaaEapKeyData) { 1174 os_memcpy(sm->eap_if->aaaEapKeyData, keys->recv, 1175 keys->recv_len); 1176 os_memcpy(sm->eap_if->aaaEapKeyData + keys->recv_len, 1177 keys->send, keys->send_len); 1178 sm->eap_if->aaaEapKeyDataLen = len; 1179 sm->eap_if->aaaEapKeyAvailable = TRUE; 1180 } 1181 } 1182 1183 if (keys) { 1184 os_free(keys->send); 1185 os_free(keys->recv); 1186 os_free(keys); 1187 } 1188} 1189 1190 1191static void ieee802_1x_store_radius_class(struct hostapd_data *hapd, 1192 struct sta_info *sta, 1193 struct radius_msg *msg) 1194{ 1195 u8 *class; 1196 size_t class_len; 1197 struct eapol_state_machine *sm = sta->eapol_sm; 1198 int count, i; 1199 struct radius_attr_data *nclass; 1200 size_t nclass_count; 1201 1202 if (!hapd->conf->radius->acct_server || hapd->radius == NULL || 1203 sm == NULL) 1204 return; 1205 1206 radius_free_class(&sm->radius_class); 1207 count = radius_msg_count_attr(msg, RADIUS_ATTR_CLASS, 1); 1208 if (count <= 0) 1209 return; 1210 1211 nclass = os_calloc(count, sizeof(struct radius_attr_data)); 1212 if (nclass == NULL) 1213 return; 1214 1215 nclass_count = 0; 1216 1217 class = NULL; 1218 for (i = 0; i < count; i++) { 1219 do { 1220 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CLASS, 1221 &class, &class_len, 1222 class) < 0) { 1223 i = count; 1224 break; 1225 } 1226 } while (class_len < 1); 1227 1228 nclass[nclass_count].data = os_malloc(class_len); 1229 if (nclass[nclass_count].data == NULL) 1230 break; 1231 1232 os_memcpy(nclass[nclass_count].data, class, class_len); 1233 nclass[nclass_count].len = class_len; 1234 nclass_count++; 1235 } 1236 1237 sm->radius_class.attr = nclass; 1238 sm->radius_class.count = nclass_count; 1239 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Stored %lu RADIUS Class " 1240 "attributes for " MACSTR, 1241 (unsigned long) sm->radius_class.count, 1242 MAC2STR(sta->addr)); 1243} 1244 1245 1246/* Update sta->identity based on User-Name attribute in Access-Accept */ 1247static void ieee802_1x_update_sta_identity(struct hostapd_data *hapd, 1248 struct sta_info *sta, 1249 struct radius_msg *msg) 1250{ 1251 u8 *buf, *identity; 1252 size_t len; 1253 struct eapol_state_machine *sm = sta->eapol_sm; 1254 1255 if (sm == NULL) 1256 return; 1257 1258 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, 1259 NULL) < 0) 1260 return; 1261 1262 identity = os_malloc(len + 1); 1263 if (identity == NULL) 1264 return; 1265 1266 os_memcpy(identity, buf, len); 1267 identity[len] = '\0'; 1268 1269 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1270 HOSTAPD_LEVEL_DEBUG, "old identity '%s' updated with " 1271 "User-Name from Access-Accept '%s'", 1272 sm->identity ? (char *) sm->identity : "N/A", 1273 (char *) identity); 1274 1275 os_free(sm->identity); 1276 sm->identity = identity; 1277 sm->identity_len = len; 1278} 1279 1280 1281/* Update CUI based on Chargeable-User-Identity attribute in Access-Accept */ 1282static void ieee802_1x_update_sta_cui(struct hostapd_data *hapd, 1283 struct sta_info *sta, 1284 struct radius_msg *msg) 1285{ 1286 struct eapol_state_machine *sm = sta->eapol_sm; 1287 struct wpabuf *cui; 1288 u8 *buf; 1289 size_t len; 1290 1291 if (sm == NULL) 1292 return; 1293 1294 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 1295 &buf, &len, NULL) < 0) 1296 return; 1297 1298 cui = wpabuf_alloc_copy(buf, len); 1299 if (cui == NULL) 1300 return; 1301 1302 wpabuf_free(sm->radius_cui); 1303 sm->radius_cui = cui; 1304} 1305 1306 1307struct sta_id_search { 1308 u8 identifier; 1309 struct eapol_state_machine *sm; 1310}; 1311 1312 1313static int ieee802_1x_select_radius_identifier(struct hostapd_data *hapd, 1314 struct sta_info *sta, 1315 void *ctx) 1316{ 1317 struct sta_id_search *id_search = ctx; 1318 struct eapol_state_machine *sm = sta->eapol_sm; 1319 1320 if (sm && sm->radius_identifier >= 0 && 1321 sm->radius_identifier == id_search->identifier) { 1322 id_search->sm = sm; 1323 return 1; 1324 } 1325 return 0; 1326} 1327 1328 1329static struct eapol_state_machine * 1330ieee802_1x_search_radius_identifier(struct hostapd_data *hapd, u8 identifier) 1331{ 1332 struct sta_id_search id_search; 1333 id_search.identifier = identifier; 1334 id_search.sm = NULL; 1335 ap_for_each_sta(hapd, ieee802_1x_select_radius_identifier, &id_search); 1336 return id_search.sm; 1337} 1338 1339 1340/** 1341 * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server 1342 * @msg: RADIUS response message 1343 * @req: RADIUS request message 1344 * @shared_secret: RADIUS shared secret 1345 * @shared_secret_len: Length of shared_secret in octets 1346 * @data: Context data (struct hostapd_data *) 1347 * Returns: Processing status 1348 */ 1349static RadiusRxResult 1350ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, 1351 const u8 *shared_secret, size_t shared_secret_len, 1352 void *data) 1353{ 1354 struct hostapd_data *hapd = data; 1355 struct sta_info *sta; 1356 u32 session_timeout = 0, termination_action, acct_interim_interval; 1357 int session_timeout_set, old_vlanid = 0; 1358 struct eapol_state_machine *sm; 1359 int override_eapReq = 0; 1360 struct radius_hdr *hdr = radius_msg_get_hdr(msg); 1361 1362 sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier); 1363 if (sm == NULL) { 1364 wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching " 1365 "station for this RADIUS message"); 1366 return RADIUS_RX_UNKNOWN; 1367 } 1368 sta = sm->sta; 1369 1370 /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be 1371 * present when packet contains an EAP-Message attribute */ 1372 if (hdr->code == RADIUS_CODE_ACCESS_REJECT && 1373 radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, 1374 0) < 0 && 1375 radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { 1376 wpa_printf(MSG_DEBUG, "Allowing RADIUS Access-Reject without " 1377 "Message-Authenticator since it does not include " 1378 "EAP-Message"); 1379 } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, 1380 req, 1)) { 1381 printf("Incoming RADIUS packet did not have correct " 1382 "Message-Authenticator - dropped\n"); 1383 return RADIUS_RX_INVALID_AUTHENTICATOR; 1384 } 1385 1386 if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && 1387 hdr->code != RADIUS_CODE_ACCESS_REJECT && 1388 hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) { 1389 printf("Unknown RADIUS message code\n"); 1390 return RADIUS_RX_UNKNOWN; 1391 } 1392 1393 sm->radius_identifier = -1; 1394 wpa_printf(MSG_DEBUG, "RADIUS packet matching with station " MACSTR, 1395 MAC2STR(sta->addr)); 1396 1397 radius_msg_free(sm->last_recv_radius); 1398 sm->last_recv_radius = msg; 1399 1400 session_timeout_set = 1401 !radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT, 1402 &session_timeout); 1403 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_TERMINATION_ACTION, 1404 &termination_action)) 1405 termination_action = RADIUS_TERMINATION_ACTION_DEFAULT; 1406 1407 if (hapd->conf->acct_interim_interval == 0 && 1408 hdr->code == RADIUS_CODE_ACCESS_ACCEPT && 1409 radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, 1410 &acct_interim_interval) == 0) { 1411 if (acct_interim_interval < 60) { 1412 hostapd_logger(hapd, sta->addr, 1413 HOSTAPD_MODULE_IEEE8021X, 1414 HOSTAPD_LEVEL_INFO, 1415 "ignored too small " 1416 "Acct-Interim-Interval %d", 1417 acct_interim_interval); 1418 } else 1419 sta->acct_interim_interval = acct_interim_interval; 1420 } 1421 1422 1423 switch (hdr->code) { 1424 case RADIUS_CODE_ACCESS_ACCEPT: 1425 if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED) 1426 sta->vlan_id = 0; 1427#ifndef CONFIG_NO_VLAN 1428 else { 1429 old_vlanid = sta->vlan_id; 1430 sta->vlan_id = radius_msg_get_vlanid(msg); 1431 } 1432 if (sta->vlan_id > 0 && 1433 hostapd_get_vlan_id_ifname(hapd->conf->vlan, 1434 sta->vlan_id)) { 1435 hostapd_logger(hapd, sta->addr, 1436 HOSTAPD_MODULE_RADIUS, 1437 HOSTAPD_LEVEL_INFO, 1438 "VLAN ID %d", sta->vlan_id); 1439 } else if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_REQUIRED) { 1440 sta->eapol_sm->authFail = TRUE; 1441 hostapd_logger(hapd, sta->addr, 1442 HOSTAPD_MODULE_IEEE8021X, 1443 HOSTAPD_LEVEL_INFO, "authentication " 1444 "server did not include required VLAN " 1445 "ID in Access-Accept"); 1446 break; 1447 } 1448#endif /* CONFIG_NO_VLAN */ 1449 1450 if (ap_sta_bind_vlan(hapd, sta, old_vlanid) < 0) 1451 break; 1452 1453 /* RFC 3580, Ch. 3.17 */ 1454 if (session_timeout_set && termination_action == 1455 RADIUS_TERMINATION_ACTION_RADIUS_REQUEST) { 1456 sm->reAuthPeriod = session_timeout; 1457 } else if (session_timeout_set) 1458 ap_sta_session_timeout(hapd, sta, session_timeout); 1459 1460 sm->eap_if->aaaSuccess = TRUE; 1461 override_eapReq = 1; 1462 ieee802_1x_get_keys(hapd, sta, msg, req, shared_secret, 1463 shared_secret_len); 1464 ieee802_1x_store_radius_class(hapd, sta, msg); 1465 ieee802_1x_update_sta_identity(hapd, sta, msg); 1466 ieee802_1x_update_sta_cui(hapd, sta, msg); 1467 if (sm->eap_if->eapKeyAvailable && 1468 wpa_auth_pmksa_add(sta->wpa_sm, sm->eapol_key_crypt, 1469 session_timeout_set ? 1470 (int) session_timeout : -1, sm) == 0) { 1471 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 1472 HOSTAPD_LEVEL_DEBUG, 1473 "Added PMKSA cache entry"); 1474 } 1475 break; 1476 case RADIUS_CODE_ACCESS_REJECT: 1477 sm->eap_if->aaaFail = TRUE; 1478 override_eapReq = 1; 1479 break; 1480 case RADIUS_CODE_ACCESS_CHALLENGE: 1481 sm->eap_if->aaaEapReq = TRUE; 1482 if (session_timeout_set) { 1483 /* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */ 1484 sm->eap_if->aaaMethodTimeout = session_timeout; 1485 hostapd_logger(hapd, sm->addr, 1486 HOSTAPD_MODULE_IEEE8021X, 1487 HOSTAPD_LEVEL_DEBUG, 1488 "using EAP timeout of %d seconds (from " 1489 "RADIUS)", 1490 sm->eap_if->aaaMethodTimeout); 1491 } else { 1492 /* 1493 * Use dynamic retransmission behavior per EAP 1494 * specification. 1495 */ 1496 sm->eap_if->aaaMethodTimeout = 0; 1497 } 1498 break; 1499 } 1500 1501 ieee802_1x_decapsulate_radius(hapd, sta); 1502 if (override_eapReq) 1503 sm->eap_if->aaaEapReq = FALSE; 1504 1505 eapol_auth_step(sm); 1506 1507 return RADIUS_RX_QUEUED; 1508} 1509#endif /* CONFIG_NO_RADIUS */ 1510 1511 1512void ieee802_1x_abort_auth(struct hostapd_data *hapd, struct sta_info *sta) 1513{ 1514 struct eapol_state_machine *sm = sta->eapol_sm; 1515 if (sm == NULL) 1516 return; 1517 1518 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1519 HOSTAPD_LEVEL_DEBUG, "aborting authentication"); 1520 1521#ifndef CONFIG_NO_RADIUS 1522 radius_msg_free(sm->last_recv_radius); 1523 sm->last_recv_radius = NULL; 1524#endif /* CONFIG_NO_RADIUS */ 1525 1526 if (sm->eap_if->eapTimeout) { 1527 /* 1528 * Disconnect the STA since it did not reply to the last EAP 1529 * request and we cannot continue EAP processing (EAP-Failure 1530 * could only be sent if the EAP peer actually replied). 1531 */ 1532 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "EAP Timeout, STA " MACSTR, 1533 MAC2STR(sta->addr)); 1534 1535 sm->eap_if->portEnabled = FALSE; 1536 ap_sta_disconnect(hapd, sta, sta->addr, 1537 WLAN_REASON_PREV_AUTH_NOT_VALID); 1538 } 1539} 1540 1541 1542static int ieee802_1x_rekey_broadcast(struct hostapd_data *hapd) 1543{ 1544 struct eapol_authenticator *eapol = hapd->eapol_auth; 1545 1546 if (hapd->conf->default_wep_key_len < 1) 1547 return 0; 1548 1549 os_free(eapol->default_wep_key); 1550 eapol->default_wep_key = os_malloc(hapd->conf->default_wep_key_len); 1551 if (eapol->default_wep_key == NULL || 1552 random_get_bytes(eapol->default_wep_key, 1553 hapd->conf->default_wep_key_len)) { 1554 printf("Could not generate random WEP key.\n"); 1555 os_free(eapol->default_wep_key); 1556 eapol->default_wep_key = NULL; 1557 return -1; 1558 } 1559 1560 wpa_hexdump_key(MSG_DEBUG, "IEEE 802.1X: New default WEP key", 1561 eapol->default_wep_key, 1562 hapd->conf->default_wep_key_len); 1563 1564 return 0; 1565} 1566 1567 1568static int ieee802_1x_sta_key_available(struct hostapd_data *hapd, 1569 struct sta_info *sta, void *ctx) 1570{ 1571 if (sta->eapol_sm) { 1572 sta->eapol_sm->eap_if->eapKeyAvailable = TRUE; 1573 eapol_auth_step(sta->eapol_sm); 1574 } 1575 return 0; 1576} 1577 1578 1579static void ieee802_1x_rekey(void *eloop_ctx, void *timeout_ctx) 1580{ 1581 struct hostapd_data *hapd = eloop_ctx; 1582 struct eapol_authenticator *eapol = hapd->eapol_auth; 1583 1584 if (eapol->default_wep_key_idx >= 3) 1585 eapol->default_wep_key_idx = 1586 hapd->conf->individual_wep_key_len > 0 ? 1 : 0; 1587 else 1588 eapol->default_wep_key_idx++; 1589 1590 wpa_printf(MSG_DEBUG, "IEEE 802.1X: New default WEP key index %d", 1591 eapol->default_wep_key_idx); 1592 1593 if (ieee802_1x_rekey_broadcast(hapd)) { 1594 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1595 HOSTAPD_LEVEL_WARNING, "failed to generate a " 1596 "new broadcast key"); 1597 os_free(eapol->default_wep_key); 1598 eapol->default_wep_key = NULL; 1599 return; 1600 } 1601 1602 /* TODO: Could setup key for RX here, but change default TX keyid only 1603 * after new broadcast key has been sent to all stations. */ 1604 if (hostapd_drv_set_key(hapd->conf->iface, hapd, WPA_ALG_WEP, 1605 broadcast_ether_addr, 1606 eapol->default_wep_key_idx, 1, NULL, 0, 1607 eapol->default_wep_key, 1608 hapd->conf->default_wep_key_len)) { 1609 hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE8021X, 1610 HOSTAPD_LEVEL_WARNING, "failed to configure a " 1611 "new broadcast key"); 1612 os_free(eapol->default_wep_key); 1613 eapol->default_wep_key = NULL; 1614 return; 1615 } 1616 1617 ap_for_each_sta(hapd, ieee802_1x_sta_key_available, NULL); 1618 1619 if (hapd->conf->wep_rekeying_period > 0) { 1620 eloop_register_timeout(hapd->conf->wep_rekeying_period, 0, 1621 ieee802_1x_rekey, hapd, NULL); 1622 } 1623} 1624 1625 1626static void ieee802_1x_eapol_send(void *ctx, void *sta_ctx, u8 type, 1627 const u8 *data, size_t datalen) 1628{ 1629#ifdef CONFIG_WPS 1630 struct sta_info *sta = sta_ctx; 1631 1632 if ((sta->flags & (WLAN_STA_WPS | WLAN_STA_MAYBE_WPS)) == 1633 WLAN_STA_MAYBE_WPS) { 1634 const u8 *identity; 1635 size_t identity_len; 1636 struct eapol_state_machine *sm = sta->eapol_sm; 1637 1638 identity = eap_get_identity(sm->eap, &identity_len); 1639 if (identity && 1640 ((identity_len == WSC_ID_ENROLLEE_LEN && 1641 os_memcmp(identity, WSC_ID_ENROLLEE, 1642 WSC_ID_ENROLLEE_LEN) == 0) || 1643 (identity_len == WSC_ID_REGISTRAR_LEN && 1644 os_memcmp(identity, WSC_ID_REGISTRAR, 1645 WSC_ID_REGISTRAR_LEN) == 0))) { 1646 wpa_printf(MSG_DEBUG, "WPS: WLAN_STA_MAYBE_WPS -> " 1647 "WLAN_STA_WPS"); 1648 sta->flags |= WLAN_STA_WPS; 1649 } 1650 } 1651#endif /* CONFIG_WPS */ 1652 1653 ieee802_1x_send(ctx, sta_ctx, type, data, datalen); 1654} 1655 1656 1657static void ieee802_1x_aaa_send(void *ctx, void *sta_ctx, 1658 const u8 *data, size_t datalen) 1659{ 1660#ifndef CONFIG_NO_RADIUS 1661 struct hostapd_data *hapd = ctx; 1662 struct sta_info *sta = sta_ctx; 1663 1664 ieee802_1x_encapsulate_radius(hapd, sta, data, datalen); 1665#endif /* CONFIG_NO_RADIUS */ 1666} 1667 1668 1669static void _ieee802_1x_finished(void *ctx, void *sta_ctx, int success, 1670 int preauth) 1671{ 1672 struct hostapd_data *hapd = ctx; 1673 struct sta_info *sta = sta_ctx; 1674 if (preauth) 1675 rsn_preauth_finished(hapd, sta, success); 1676 else 1677 ieee802_1x_finished(hapd, sta, success); 1678} 1679 1680 1681static int ieee802_1x_get_eap_user(void *ctx, const u8 *identity, 1682 size_t identity_len, int phase2, 1683 struct eap_user *user) 1684{ 1685 struct hostapd_data *hapd = ctx; 1686 const struct hostapd_eap_user *eap_user; 1687 int i; 1688 1689 eap_user = hostapd_get_eap_user(hapd, identity, identity_len, phase2); 1690 if (eap_user == NULL) 1691 return -1; 1692 1693 os_memset(user, 0, sizeof(*user)); 1694 user->phase2 = phase2; 1695 for (i = 0; i < EAP_MAX_METHODS; i++) { 1696 user->methods[i].vendor = eap_user->methods[i].vendor; 1697 user->methods[i].method = eap_user->methods[i].method; 1698 } 1699 1700 if (eap_user->password) { 1701 user->password = os_malloc(eap_user->password_len); 1702 if (user->password == NULL) 1703 return -1; 1704 os_memcpy(user->password, eap_user->password, 1705 eap_user->password_len); 1706 user->password_len = eap_user->password_len; 1707 user->password_hash = eap_user->password_hash; 1708 } 1709 user->force_version = eap_user->force_version; 1710 user->ttls_auth = eap_user->ttls_auth; 1711 1712 return 0; 1713} 1714 1715 1716static int ieee802_1x_sta_entry_alive(void *ctx, const u8 *addr) 1717{ 1718 struct hostapd_data *hapd = ctx; 1719 struct sta_info *sta; 1720 sta = ap_get_sta(hapd, addr); 1721 if (sta == NULL || sta->eapol_sm == NULL) 1722 return 0; 1723 return 1; 1724} 1725 1726 1727static void ieee802_1x_logger(void *ctx, const u8 *addr, 1728 eapol_logger_level level, const char *txt) 1729{ 1730#ifndef CONFIG_NO_HOSTAPD_LOGGER 1731 struct hostapd_data *hapd = ctx; 1732 int hlevel; 1733 1734 switch (level) { 1735 case EAPOL_LOGGER_WARNING: 1736 hlevel = HOSTAPD_LEVEL_WARNING; 1737 break; 1738 case EAPOL_LOGGER_INFO: 1739 hlevel = HOSTAPD_LEVEL_INFO; 1740 break; 1741 case EAPOL_LOGGER_DEBUG: 1742 default: 1743 hlevel = HOSTAPD_LEVEL_DEBUG; 1744 break; 1745 } 1746 1747 hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE8021X, hlevel, "%s", 1748 txt); 1749#endif /* CONFIG_NO_HOSTAPD_LOGGER */ 1750} 1751 1752 1753static void ieee802_1x_set_port_authorized(void *ctx, void *sta_ctx, 1754 int authorized) 1755{ 1756 struct hostapd_data *hapd = ctx; 1757 struct sta_info *sta = sta_ctx; 1758 ieee802_1x_set_sta_authorized(hapd, sta, authorized); 1759} 1760 1761 1762static void _ieee802_1x_abort_auth(void *ctx, void *sta_ctx) 1763{ 1764 struct hostapd_data *hapd = ctx; 1765 struct sta_info *sta = sta_ctx; 1766 ieee802_1x_abort_auth(hapd, sta); 1767} 1768 1769 1770static void _ieee802_1x_tx_key(void *ctx, void *sta_ctx) 1771{ 1772 struct hostapd_data *hapd = ctx; 1773 struct sta_info *sta = sta_ctx; 1774 ieee802_1x_tx_key(hapd, sta); 1775} 1776 1777 1778static void ieee802_1x_eapol_event(void *ctx, void *sta_ctx, 1779 enum eapol_event type) 1780{ 1781 /* struct hostapd_data *hapd = ctx; */ 1782 struct sta_info *sta = sta_ctx; 1783 switch (type) { 1784 case EAPOL_AUTH_SM_CHANGE: 1785 wpa_auth_sm_notify(sta->wpa_sm); 1786 break; 1787 case EAPOL_AUTH_REAUTHENTICATE: 1788 wpa_auth_sm_event(sta->wpa_sm, WPA_REAUTH_EAPOL); 1789 break; 1790 } 1791} 1792 1793 1794int ieee802_1x_init(struct hostapd_data *hapd) 1795{ 1796 int i; 1797 struct eapol_auth_config conf; 1798 struct eapol_auth_cb cb; 1799 1800 os_memset(&conf, 0, sizeof(conf)); 1801 conf.ctx = hapd; 1802 conf.eap_reauth_period = hapd->conf->eap_reauth_period; 1803 conf.wpa = hapd->conf->wpa; 1804 conf.individual_wep_key_len = hapd->conf->individual_wep_key_len; 1805 conf.eap_server = hapd->conf->eap_server; 1806 conf.ssl_ctx = hapd->ssl_ctx; 1807 conf.msg_ctx = hapd->msg_ctx; 1808 conf.eap_sim_db_priv = hapd->eap_sim_db_priv; 1809 conf.eap_req_id_text = hapd->conf->eap_req_id_text; 1810 conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len; 1811 conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key; 1812 conf.eap_fast_a_id = hapd->conf->eap_fast_a_id; 1813 conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; 1814 conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info; 1815 conf.eap_fast_prov = hapd->conf->eap_fast_prov; 1816 conf.pac_key_lifetime = hapd->conf->pac_key_lifetime; 1817 conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time; 1818 conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; 1819 conf.tnc = hapd->conf->tnc; 1820 conf.wps = hapd->wps; 1821 conf.fragment_size = hapd->conf->fragment_size; 1822 conf.pwd_group = hapd->conf->pwd_group; 1823 conf.pbc_in_m1 = hapd->conf->pbc_in_m1; 1824 1825 os_memset(&cb, 0, sizeof(cb)); 1826 cb.eapol_send = ieee802_1x_eapol_send; 1827 cb.aaa_send = ieee802_1x_aaa_send; 1828 cb.finished = _ieee802_1x_finished; 1829 cb.get_eap_user = ieee802_1x_get_eap_user; 1830 cb.sta_entry_alive = ieee802_1x_sta_entry_alive; 1831 cb.logger = ieee802_1x_logger; 1832 cb.set_port_authorized = ieee802_1x_set_port_authorized; 1833 cb.abort_auth = _ieee802_1x_abort_auth; 1834 cb.tx_key = _ieee802_1x_tx_key; 1835 cb.eapol_event = ieee802_1x_eapol_event; 1836 1837 hapd->eapol_auth = eapol_auth_init(&conf, &cb); 1838 if (hapd->eapol_auth == NULL) 1839 return -1; 1840 1841 if ((hapd->conf->ieee802_1x || hapd->conf->wpa) && 1842 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 1)) 1843 return -1; 1844 1845#ifndef CONFIG_NO_RADIUS 1846 if (radius_client_register(hapd->radius, RADIUS_AUTH, 1847 ieee802_1x_receive_auth, hapd)) 1848 return -1; 1849#endif /* CONFIG_NO_RADIUS */ 1850 1851 if (hapd->conf->default_wep_key_len) { 1852 for (i = 0; i < 4; i++) 1853 hostapd_drv_set_key(hapd->conf->iface, hapd, 1854 WPA_ALG_NONE, NULL, i, 0, NULL, 0, 1855 NULL, 0); 1856 1857 ieee802_1x_rekey(hapd, NULL); 1858 1859 if (hapd->eapol_auth->default_wep_key == NULL) 1860 return -1; 1861 } 1862 1863 return 0; 1864} 1865 1866 1867void ieee802_1x_deinit(struct hostapd_data *hapd) 1868{ 1869 eloop_cancel_timeout(ieee802_1x_rekey, hapd, NULL); 1870 1871 if (hapd->driver != NULL && 1872 (hapd->conf->ieee802_1x || hapd->conf->wpa)) 1873 hostapd_set_drv_ieee8021x(hapd, hapd->conf->iface, 0); 1874 1875 eapol_auth_deinit(hapd->eapol_auth); 1876 hapd->eapol_auth = NULL; 1877} 1878 1879 1880int ieee802_1x_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1881 const u8 *buf, size_t len, int ack) 1882{ 1883 struct ieee80211_hdr *hdr; 1884 u8 *pos; 1885 const unsigned char rfc1042_hdr[ETH_ALEN] = 1886 { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; 1887 1888 if (sta == NULL) 1889 return -1; 1890 if (len < sizeof(*hdr) + sizeof(rfc1042_hdr) + 2) 1891 return 0; 1892 1893 hdr = (struct ieee80211_hdr *) buf; 1894 pos = (u8 *) (hdr + 1); 1895 if (os_memcmp(pos, rfc1042_hdr, sizeof(rfc1042_hdr)) != 0) 1896 return 0; 1897 pos += sizeof(rfc1042_hdr); 1898 if (WPA_GET_BE16(pos) != ETH_P_PAE) 1899 return 0; 1900 pos += 2; 1901 1902 return ieee802_1x_eapol_tx_status(hapd, sta, pos, buf + len - pos, 1903 ack); 1904} 1905 1906 1907int ieee802_1x_eapol_tx_status(struct hostapd_data *hapd, struct sta_info *sta, 1908 const u8 *buf, int len, int ack) 1909{ 1910 const struct ieee802_1x_hdr *xhdr = 1911 (const struct ieee802_1x_hdr *) buf; 1912 const u8 *pos = buf + sizeof(*xhdr); 1913 struct ieee802_1x_eapol_key *key; 1914 1915 if (len < (int) sizeof(*xhdr)) 1916 return 0; 1917 wpa_printf(MSG_DEBUG, "IEEE 802.1X: " MACSTR " TX status - version=%d " 1918 "type=%d length=%d - ack=%d", 1919 MAC2STR(sta->addr), xhdr->version, xhdr->type, 1920 be_to_host16(xhdr->length), ack); 1921 1922 if (xhdr->type != IEEE802_1X_TYPE_EAPOL_KEY) 1923 return 0; 1924 1925 if (pos + sizeof(struct wpa_eapol_key) <= buf + len) { 1926 const struct wpa_eapol_key *wpa; 1927 wpa = (const struct wpa_eapol_key *) pos; 1928 if (wpa->type == EAPOL_KEY_TYPE_RSN || 1929 wpa->type == EAPOL_KEY_TYPE_WPA) 1930 wpa_auth_eapol_key_tx_status(hapd->wpa_auth, 1931 sta->wpa_sm, ack); 1932 } 1933 1934 /* EAPOL EAP-Packet packets are eventually re-sent by either Supplicant 1935 * or Authenticator state machines, but EAPOL-Key packets are not 1936 * retransmitted in case of failure. Try to re-send failed EAPOL-Key 1937 * packets couple of times because otherwise STA keys become 1938 * unsynchronized with AP. */ 1939 if (!ack && pos + sizeof(*key) <= buf + len) { 1940 key = (struct ieee802_1x_eapol_key *) pos; 1941 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X, 1942 HOSTAPD_LEVEL_DEBUG, "did not Ack EAPOL-Key " 1943 "frame (%scast index=%d)", 1944 key->key_index & BIT(7) ? "uni" : "broad", 1945 key->key_index & ~BIT(7)); 1946 /* TODO: re-send EAPOL-Key couple of times (with short delay 1947 * between them?). If all attempt fail, report error and 1948 * deauthenticate STA so that it will get new keys when 1949 * authenticating again (e.g., after returning in range). 1950 * Separate limit/transmit state needed both for unicast and 1951 * broadcast keys(?) */ 1952 } 1953 /* TODO: could move unicast key configuration from ieee802_1x_tx_key() 1954 * to here and change the key only if the EAPOL-Key packet was Acked. 1955 */ 1956 1957 return 1; 1958} 1959 1960 1961u8 * ieee802_1x_get_identity(struct eapol_state_machine *sm, size_t *len) 1962{ 1963 if (sm == NULL || sm->identity == NULL) 1964 return NULL; 1965 1966 *len = sm->identity_len; 1967 return sm->identity; 1968} 1969 1970 1971u8 * ieee802_1x_get_radius_class(struct eapol_state_machine *sm, size_t *len, 1972 int idx) 1973{ 1974 if (sm == NULL || sm->radius_class.attr == NULL || 1975 idx >= (int) sm->radius_class.count) 1976 return NULL; 1977 1978 *len = sm->radius_class.attr[idx].len; 1979 return sm->radius_class.attr[idx].data; 1980} 1981 1982 1983struct wpabuf * ieee802_1x_get_radius_cui(struct eapol_state_machine *sm) 1984{ 1985 if (sm == NULL) 1986 return NULL; 1987 return sm->radius_cui; 1988} 1989 1990 1991const u8 * ieee802_1x_get_key(struct eapol_state_machine *sm, size_t *len) 1992{ 1993 *len = 0; 1994 if (sm == NULL) 1995 return NULL; 1996 1997 *len = sm->eap_if->eapKeyDataLen; 1998 return sm->eap_if->eapKeyData; 1999} 2000 2001 2002void ieee802_1x_notify_port_enabled(struct eapol_state_machine *sm, 2003 int enabled) 2004{ 2005 if (sm == NULL) 2006 return; 2007 sm->eap_if->portEnabled = enabled ? TRUE : FALSE; 2008 eapol_auth_step(sm); 2009} 2010 2011 2012void ieee802_1x_notify_port_valid(struct eapol_state_machine *sm, 2013 int valid) 2014{ 2015 if (sm == NULL) 2016 return; 2017 sm->portValid = valid ? TRUE : FALSE; 2018 eapol_auth_step(sm); 2019} 2020 2021 2022void ieee802_1x_notify_pre_auth(struct eapol_state_machine *sm, int pre_auth) 2023{ 2024 if (sm == NULL) 2025 return; 2026 if (pre_auth) 2027 sm->flags |= EAPOL_SM_PREAUTH; 2028 else 2029 sm->flags &= ~EAPOL_SM_PREAUTH; 2030} 2031 2032 2033static const char * bool_txt(Boolean bool) 2034{ 2035 return bool ? "TRUE" : "FALSE"; 2036} 2037 2038 2039int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) 2040{ 2041 /* TODO */ 2042 return 0; 2043} 2044 2045 2046int ieee802_1x_get_mib_sta(struct hostapd_data *hapd, struct sta_info *sta, 2047 char *buf, size_t buflen) 2048{ 2049 int len = 0, ret; 2050 struct eapol_state_machine *sm = sta->eapol_sm; 2051 struct os_time t; 2052 2053 if (sm == NULL) 2054 return 0; 2055 2056 ret = os_snprintf(buf + len, buflen - len, 2057 "dot1xPaePortNumber=%d\n" 2058 "dot1xPaePortProtocolVersion=%d\n" 2059 "dot1xPaePortCapabilities=1\n" 2060 "dot1xPaePortInitialize=%d\n" 2061 "dot1xPaePortReauthenticate=FALSE\n", 2062 sta->aid, 2063 EAPOL_VERSION, 2064 sm->initialize); 2065 if (ret < 0 || (size_t) ret >= buflen - len) 2066 return len; 2067 len += ret; 2068 2069 /* dot1xAuthConfigTable */ 2070 ret = os_snprintf(buf + len, buflen - len, 2071 "dot1xAuthPaeState=%d\n" 2072 "dot1xAuthBackendAuthState=%d\n" 2073 "dot1xAuthAdminControlledDirections=%d\n" 2074 "dot1xAuthOperControlledDirections=%d\n" 2075 "dot1xAuthAuthControlledPortStatus=%d\n" 2076 "dot1xAuthAuthControlledPortControl=%d\n" 2077 "dot1xAuthQuietPeriod=%u\n" 2078 "dot1xAuthServerTimeout=%u\n" 2079 "dot1xAuthReAuthPeriod=%u\n" 2080 "dot1xAuthReAuthEnabled=%s\n" 2081 "dot1xAuthKeyTxEnabled=%s\n", 2082 sm->auth_pae_state + 1, 2083 sm->be_auth_state + 1, 2084 sm->adminControlledDirections, 2085 sm->operControlledDirections, 2086 sm->authPortStatus, 2087 sm->portControl, 2088 sm->quietPeriod, 2089 sm->serverTimeout, 2090 sm->reAuthPeriod, 2091 bool_txt(sm->reAuthEnabled), 2092 bool_txt(sm->keyTxEnabled)); 2093 if (ret < 0 || (size_t) ret >= buflen - len) 2094 return len; 2095 len += ret; 2096 2097 /* dot1xAuthStatsTable */ 2098 ret = os_snprintf(buf + len, buflen - len, 2099 "dot1xAuthEapolFramesRx=%u\n" 2100 "dot1xAuthEapolFramesTx=%u\n" 2101 "dot1xAuthEapolStartFramesRx=%u\n" 2102 "dot1xAuthEapolLogoffFramesRx=%u\n" 2103 "dot1xAuthEapolRespIdFramesRx=%u\n" 2104 "dot1xAuthEapolRespFramesRx=%u\n" 2105 "dot1xAuthEapolReqIdFramesTx=%u\n" 2106 "dot1xAuthEapolReqFramesTx=%u\n" 2107 "dot1xAuthInvalidEapolFramesRx=%u\n" 2108 "dot1xAuthEapLengthErrorFramesRx=%u\n" 2109 "dot1xAuthLastEapolFrameVersion=%u\n" 2110 "dot1xAuthLastEapolFrameSource=" MACSTR "\n", 2111 sm->dot1xAuthEapolFramesRx, 2112 sm->dot1xAuthEapolFramesTx, 2113 sm->dot1xAuthEapolStartFramesRx, 2114 sm->dot1xAuthEapolLogoffFramesRx, 2115 sm->dot1xAuthEapolRespIdFramesRx, 2116 sm->dot1xAuthEapolRespFramesRx, 2117 sm->dot1xAuthEapolReqIdFramesTx, 2118 sm->dot1xAuthEapolReqFramesTx, 2119 sm->dot1xAuthInvalidEapolFramesRx, 2120 sm->dot1xAuthEapLengthErrorFramesRx, 2121 sm->dot1xAuthLastEapolFrameVersion, 2122 MAC2STR(sm->addr)); 2123 if (ret < 0 || (size_t) ret >= buflen - len) 2124 return len; 2125 len += ret; 2126 2127 /* dot1xAuthDiagTable */ 2128 ret = os_snprintf(buf + len, buflen - len, 2129 "dot1xAuthEntersConnecting=%u\n" 2130 "dot1xAuthEapLogoffsWhileConnecting=%u\n" 2131 "dot1xAuthEntersAuthenticating=%u\n" 2132 "dot1xAuthAuthSuccessesWhileAuthenticating=%u\n" 2133 "dot1xAuthAuthTimeoutsWhileAuthenticating=%u\n" 2134 "dot1xAuthAuthFailWhileAuthenticating=%u\n" 2135 "dot1xAuthAuthEapStartsWhileAuthenticating=%u\n" 2136 "dot1xAuthAuthEapLogoffWhileAuthenticating=%u\n" 2137 "dot1xAuthAuthReauthsWhileAuthenticated=%u\n" 2138 "dot1xAuthAuthEapStartsWhileAuthenticated=%u\n" 2139 "dot1xAuthAuthEapLogoffWhileAuthenticated=%u\n" 2140 "dot1xAuthBackendResponses=%u\n" 2141 "dot1xAuthBackendAccessChallenges=%u\n" 2142 "dot1xAuthBackendOtherRequestsToSupplicant=%u\n" 2143 "dot1xAuthBackendAuthSuccesses=%u\n" 2144 "dot1xAuthBackendAuthFails=%u\n", 2145 sm->authEntersConnecting, 2146 sm->authEapLogoffsWhileConnecting, 2147 sm->authEntersAuthenticating, 2148 sm->authAuthSuccessesWhileAuthenticating, 2149 sm->authAuthTimeoutsWhileAuthenticating, 2150 sm->authAuthFailWhileAuthenticating, 2151 sm->authAuthEapStartsWhileAuthenticating, 2152 sm->authAuthEapLogoffWhileAuthenticating, 2153 sm->authAuthReauthsWhileAuthenticated, 2154 sm->authAuthEapStartsWhileAuthenticated, 2155 sm->authAuthEapLogoffWhileAuthenticated, 2156 sm->backendResponses, 2157 sm->backendAccessChallenges, 2158 sm->backendOtherRequestsToSupplicant, 2159 sm->backendAuthSuccesses, 2160 sm->backendAuthFails); 2161 if (ret < 0 || (size_t) ret >= buflen - len) 2162 return len; 2163 len += ret; 2164 2165 /* dot1xAuthSessionStatsTable */ 2166 os_get_time(&t); 2167 ret = os_snprintf(buf + len, buflen - len, 2168 /* TODO: dot1xAuthSessionOctetsRx */ 2169 /* TODO: dot1xAuthSessionOctetsTx */ 2170 /* TODO: dot1xAuthSessionFramesRx */ 2171 /* TODO: dot1xAuthSessionFramesTx */ 2172 "dot1xAuthSessionId=%08X-%08X\n" 2173 "dot1xAuthSessionAuthenticMethod=%d\n" 2174 "dot1xAuthSessionTime=%u\n" 2175 "dot1xAuthSessionTerminateCause=999\n" 2176 "dot1xAuthSessionUserName=%s\n", 2177 sta->acct_session_id_hi, sta->acct_session_id_lo, 2178 (wpa_key_mgmt_wpa_ieee8021x( 2179 wpa_auth_sta_key_mgmt(sta->wpa_sm))) ? 2180 1 : 2, 2181 (unsigned int) (t.sec - sta->acct_session_start), 2182 sm->identity); 2183 if (ret < 0 || (size_t) ret >= buflen - len) 2184 return len; 2185 len += ret; 2186 2187 return len; 2188} 2189 2190 2191static void ieee802_1x_finished(struct hostapd_data *hapd, 2192 struct sta_info *sta, int success) 2193{ 2194 const u8 *key; 2195 size_t len; 2196 /* TODO: get PMKLifetime from WPA parameters */ 2197 static const int dot11RSNAConfigPMKLifetime = 43200; 2198 2199 key = ieee802_1x_get_key(sta->eapol_sm, &len); 2200 if (success && key && len >= PMK_LEN && 2201 wpa_auth_pmksa_add(sta->wpa_sm, key, dot11RSNAConfigPMKLifetime, 2202 sta->eapol_sm) == 0) { 2203 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_WPA, 2204 HOSTAPD_LEVEL_DEBUG, 2205 "Added PMKSA cache entry (IEEE 802.1X)"); 2206 } 2207 2208 if (!success) { 2209 /* 2210 * Many devices require deauthentication after WPS provisioning 2211 * and some may not be be able to do that themselves, so 2212 * disconnect the client here. In addition, this may also 2213 * benefit IEEE 802.1X/EAPOL authentication cases, too since 2214 * the EAPOL PAE state machine would remain in HELD state for 2215 * considerable amount of time and some EAP methods, like 2216 * EAP-FAST with anonymous provisioning, may require another 2217 * EAPOL authentication to be started to complete connection. 2218 */ 2219 wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "IEEE 802.1X: Force " 2220 "disconnection after EAP-Failure"); 2221 /* Add a small sleep to increase likelihood of previously 2222 * requested EAP-Failure TX getting out before this should the 2223 * driver reorder operations. 2224 */ 2225 os_sleep(0, 10000); 2226#ifndef ANDROID_P2P 2227 /* We need not do this for driver. For AP-SME flags if we send this disassoc, 2228 * the p2p_client is gettig disassoc after it has completed the assoc 2229 */ 2230 ap_sta_disconnect(hapd, sta, sta->addr, 2231 WLAN_REASON_IEEE_802_1X_AUTH_FAILED); 2232#endif 2233 } 2234} 2235